From f2cbde43bee0da523717b65f10f95defc4ad6f60 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Jul 2025 10:54:06 +0200 Subject: [PATCH 001/265] Update codeql action to v3 --- .github/workflows/codeql-analysis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 031ba56d..d45b16a3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,7 +36,7 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'java' ] + language: [ 'java-kotlin' ] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support @@ -46,7 +46,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -57,7 +57,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -71,4 +71,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 From 0ee31b232ac7b4beda0940bcbd52fc078209dfc4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 23 Jul 2025 11:23:34 +0200 Subject: [PATCH 002/265] Allow UserIDs with trailing/leading whitespace and escape newlines in ASCII armor --- .../org/pgpainless/key/generation/KeyRingBuilder.kt | 2 +- .../modification/secretkeyring/SecretKeyRingEditor.kt | 7 ++++--- .../src/main/kotlin/org/pgpainless/util/ArmorUtils.kt | 3 ++- .../test/java/org/pgpainless/sop/GenerateKeyTest.java | 10 ++++++++++ 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 05adf7d9..aacfcceb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -45,7 +45,7 @@ class KeyRingBuilder : KeyRingBuilderInterface { } override fun addUserId(userId: CharSequence): KeyRingBuilder = apply { - userIds[userId.toString().trim()] = null + userIds[userId.toString()] = null } override fun addUserId(userId: ByteArray): KeyRingBuilder = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index ec93c6d6..56fb7695 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -569,9 +569,10 @@ class SecretKeyRingEditor( } private fun sanitizeUserId(userId: CharSequence): CharSequence = - // TODO: Further research how to sanitize user IDs. - // e.g. what about newlines? - userId.toString().trim() + // I'm not sure, what kind of sanitization is needed. + // Newlines are allowed, they just need to be escaped when emitted in an ASCII armor header + // Trailing/Leading whitespace is also fine. + userId.toString() private fun callbackFromRevocationAttributes(attributes: RevocationAttributes?) = object : RevocationSignatureSubpackets.Callback { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt index b5d5b839..b6e802b2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt @@ -247,7 +247,8 @@ class ArmorUtils { .add(OpenPgpFingerprint.of(publicKey).prettyPrint()) // Primary / First User ID (primary ?: first)?.let { - headerMap.getOrPut(HEADER_COMMENT) { mutableSetOf() }.add(it) + headerMap.getOrPut(HEADER_COMMENT) { mutableSetOf() } + .add(it.replace("\n", "\\n").replace("\r", "\\r")) } // X-1 further identities when (userIds.size) { diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java index ca6df790..521cdfe0 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java @@ -100,4 +100,14 @@ public class GenerateKeyTest { assertThrows(SOPGPException.UnsupportedProfile.class, () -> sop.generateKey().profile("invalid")); } + + @Test + public void generateKeyWithNewlinesInUserId() throws IOException { + byte[] keyBytes = sop.generateKey() + .userId("Foo\n\nBar") + .generate() + .getBytes(); + + assertTrue(new String(keyBytes).contains("Foo\\n\\nBar")); + } } From 9b0a3cd4c7ffe8866ab9622fde866b79cd34a62b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 23 Jul 2025 11:24:10 +0200 Subject: [PATCH 003/265] Do not trim passphrases automatically --- .../main/kotlin/org/pgpainless/util/Passphrase.kt | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt index 4d1e49d2..bd25f2b9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt @@ -11,14 +11,9 @@ import org.bouncycastle.util.Arrays * * @param chars may be null for empty passwords. */ -class Passphrase(chars: CharArray?) { +class Passphrase(private val chars: CharArray?) { private val lock = Any() private var valid = true - private val chars: CharArray? - - init { - this.chars = trimWhitespace(chars) - } /** * Return a copy of the underlying char array. A return value of null represents an empty @@ -67,6 +62,13 @@ class Passphrase(chars: CharArray?) { override fun hashCode(): Int = getChars()?.let { String(it) }.hashCode() + /** + * Return a copy of this [Passphrase], but with whitespace characters trimmed off. + * + * @return copy with trimmed whitespace + */ + fun withTrimmedWhitespace(): Passphrase = Passphrase(trimWhitespace(chars)) + companion object { /** From 0d807cb6b8317f2e878509b5cb5f4a9a91e5287d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 23 Jul 2025 11:25:31 +0200 Subject: [PATCH 004/265] Fix typo in error message --- .../key/modification/secretkeyring/SecretKeyRingEditor.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 56fb7695..5480442d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -478,7 +478,7 @@ class SecretKeyRingEditor( val prevBinding = inspectKeyRing(secretKeyRing).getCurrentSubkeyBindingSignature(keyId) ?: throw NoSuchElementException( - "Previous subkey binding signaure for ${keyId.openPgpKeyId()} MUST NOT be null.") + "Previous subkey binding signature for ${keyId.openPgpKeyId()} MUST NOT be null.") val bindingSig = reissueSubkeyBindingSignature(subkey, expiration, protector, prevBinding) secretKeyRing = injectCertification(secretKeyRing, subkey, bindingSig) } From 02a5db32974ec81e4f1684e244eb864c8679922e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Jan 2025 12:50:01 +0100 Subject: [PATCH 005/265] Bump bc to 1.80-SNAPSHOT, sop-java to 10.1.0-SNAPSHOT --- .../bouncycastle/extensions/PGPPublicKeyExtensions.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensions.kt index d267fa83..c669a4fa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensions.kt @@ -4,10 +4,10 @@ package org.pgpainless.bouncycastle.extensions -import org.bouncycastle.asn1.gnu.GNUObjectIdentifiers import org.bouncycastle.bcpg.ECDHPublicBCPGKey import org.bouncycastle.bcpg.ECDSAPublicBCPGKey import org.bouncycastle.bcpg.EdDSAPublicBCPGKey +import org.bouncycastle.internal.asn1.gnu.GNUObjectIdentifiers import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil import org.bouncycastle.openpgp.PGPPublicKey import org.pgpainless.algorithm.PublicKeyAlgorithm From 119bfbb3471a42351dab5ce64fcb08ebf216f217 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Jan 2025 12:51:11 +0100 Subject: [PATCH 006/265] PGPainless 2.0.0-SNAPSHOT --- version.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.gradle b/version.gradle index bc2515a4..e5dd2a4d 100644 --- a/version.gradle +++ b/version.gradle @@ -4,7 +4,7 @@ allprojects { ext { - shortVersion = '1.7.7' + shortVersion = '2.0.0-SNAPSHOT' isSnapshot = true javaSourceCompatibility = 11 bouncyCastleVersion = '1.81' From 6abc47a8e18fe678672ba8b6054f4bf42ecaa30e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Jan 2025 21:20:56 +0100 Subject: [PATCH 007/265] Adapt PGPKeyPairGenerator and remove support for generating ElGamal keys --- .../key/generation/KeyRingBuilder.kt | 19 +++--- .../pgpainless/key/generation/type/KeyType.kt | 4 ++ .../key/generation/type/ecc/ecdh/ECDH.kt | 7 +++ .../key/generation/type/ecc/ecdsa/ECDSA.kt | 7 +++ .../type/eddsa_legacy/EdDSALegacy.kt | 6 ++ .../key/generation/type/elgamal/ElGamal.kt | 27 -------- .../generation/type/elgamal/ElGamalLength.kt | 63 ------------------- .../pgpainless/key/generation/type/rsa/RSA.kt | 6 ++ .../generation/type/xdh_legacy/XDHLegacy.kt | 6 ++ .../EncryptDecryptTest.java | 22 ------- 10 files changed, 43 insertions(+), 124 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamal.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamalLength.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index aacfcceb..f65b4509 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -5,9 +5,10 @@ package org.pgpainless.key.generation import java.io.IOException -import java.security.KeyPairGenerator import java.util.* +import org.bouncycastle.bcpg.PublicKeyPacket import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder @@ -19,7 +20,6 @@ import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.policy.Policy -import org.pgpainless.provider.ProviderFactory import org.pgpainless.signature.subpackets.SelfSignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper @@ -252,17 +252,12 @@ class KeyRingBuilder : KeyRingBuilderInterface { spec: KeySpec, creationTime: Date = spec.keyCreationDate ?: Date() ): PGPKeyPair { - spec.keyType.let { type -> - // Create raw Key Pair - val keyPair = - KeyPairGenerator.getInstance(type.name, ProviderFactory.provider) - .also { it.initialize(type.algorithmSpec) } - .generateKeyPair() + val gen = + OpenPGPImplementation.getInstance() + .pgpKeyPairGeneratorProvider() + .get(PublicKeyPacket.VERSION_4, creationTime) - // Form PGP Key Pair - return ImplementationFactory.getInstance() - .getPGPKeyPair(type.algorithm, keyPair, creationTime) - } + return spec.keyType.generateKeyPair(gen) } } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt index c7691f46..54718a53 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt @@ -5,6 +5,8 @@ package org.pgpainless.key.generation.type import java.security.spec.AlgorithmParameterSpec +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.key.generation.type.ecc.EllipticCurve import org.pgpainless.key.generation.type.ecc.ecdh.ECDH @@ -92,6 +94,8 @@ interface KeyType { val canEncryptStorage: Boolean @JvmName("canEncryptStorage") get() = algorithm.encryptionCapable + fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair + companion object { @JvmStatic fun RSA(length: RsaLength): RSA = RSA.withLength(length) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt index 04e196e0..6d488645 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt @@ -4,7 +4,10 @@ package org.pgpainless.key.generation.type.ecc.ecdh +import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.key.generation.type.KeyType import org.pgpainless.key.generation.type.ecc.EllipticCurve @@ -15,6 +18,10 @@ class ECDH private constructor(val curve: EllipticCurve) : KeyType { override val bitStrength = curve.bitStrength override val algorithmSpec = ECNamedCurveGenParameterSpec(curve.curveName) + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return ECUtil.getNamedCurveOid(curve.curveName).let { generator.generateECDHKeyPair(it) } + } + companion object { @JvmStatic fun fromCurve(curve: EllipticCurve) = ECDH(curve) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt index 1784b49d..173af972 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt @@ -4,7 +4,10 @@ package org.pgpainless.key.generation.type.ecc.ecdsa +import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.key.generation.type.KeyType import org.pgpainless.key.generation.type.ecc.EllipticCurve @@ -15,6 +18,10 @@ class ECDSA private constructor(val curve: EllipticCurve) : KeyType { override val bitStrength = curve.bitStrength override val algorithmSpec = ECNamedCurveGenParameterSpec(curve.curveName) + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return ECUtil.getNamedCurveOid(curve.curveName).let { generator.generateECDSAKeyPair(it) } + } + companion object { @JvmStatic fun fromCurve(curve: EllipticCurve) = ECDSA(curve) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt index e177de68..0d316cd6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt @@ -5,6 +5,8 @@ package org.pgpainless.key.generation.type.eddsa_legacy import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.key.generation.type.KeyType @@ -14,6 +16,10 @@ class EdDSALegacy private constructor(val curve: EdDSALegacyCurve) : KeyType { override val bitStrength = curve.bitStrength override val algorithmSpec = ECNamedCurveGenParameterSpec(curve.curveName) + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateLegacyEd25519KeyPair() + } + companion object { @JvmStatic fun fromCurve(curve: EdDSALegacyCurve) = EdDSALegacy(curve) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamal.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamal.kt deleted file mode 100644 index d925fc3d..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamal.kt +++ /dev/null @@ -1,27 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.key.generation.type.elgamal - -import org.bouncycastle.jce.spec.ElGamalParameterSpec -import org.pgpainless.algorithm.PublicKeyAlgorithm -import org.pgpainless.key.generation.type.KeyType - -/** - * ElGamal encryption only key type. - * - * @deprecated the use of ElGamal is not recommended anymore. - */ -@Deprecated("The use of ElGamal is not recommended anymore.") -class ElGamal private constructor(length: ElGamalLength) : KeyType { - - override val name = "ElGamal" - override val algorithm = PublicKeyAlgorithm.ELGAMAL_ENCRYPT - override val bitStrength = length.length - override val algorithmSpec = ElGamalParameterSpec(length.p, length.g) - - companion object { - @JvmStatic fun withLength(length: ElGamalLength) = ElGamal(length) - } -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamalLength.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamalLength.kt deleted file mode 100644 index 2d29b88d..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/elgamal/ElGamalLength.kt +++ /dev/null @@ -1,63 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.key.generation.type.elgamal - -import java.math.BigInteger -import org.pgpainless.key.generation.type.KeyLength - -/** - * The following primes are taken from RFC-3526. - * - * @see RFC-3526: More Modular Exponential (MODP) - * Diffie-Hellman groups for Internet Key Exchange (IKE) - * @deprecated the use of ElGamal keys is no longer recommended. - */ -@Deprecated("The use of ElGamal keys is no longer recommended.") -enum class ElGamalLength(override val length: Int, p: String, g: String) : KeyLength { - - /** prime: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }. generator: 2 */ - _1536( - 1536, - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", - "2"), - - /** prime: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }. generator: 2 */ - _2048( - 2048, - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", - "2"), - - /** prime: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }. generator: 2 */ - _3072( - 3072, - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF", - "2"), - - /** prime: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }. generator: 2 */ - _4096( - 4096, - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF", - "2"), - - /** prime: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }. generator: 2 */ - _6144( - 6144, - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DCC4024FFFFFFFFFFFFFFFF", - "2"), - - /** prime: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }. generator: 2 */ - _8192( - 8192, - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF", - "2"); - - val p: BigInteger - val g: BigInteger - - init { - this.p = BigInteger(p, 16) - this.g = BigInteger(g, 16) - } -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt index 39ddbbbb..aa78f113 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt @@ -5,6 +5,8 @@ package org.pgpainless.key.generation.type.rsa import java.security.spec.RSAKeyGenParameterSpec +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.key.generation.type.KeyType @@ -16,6 +18,10 @@ class RSA private constructor(length: RsaLength) : KeyType { override val bitStrength = length.length override val algorithmSpec = RSAKeyGenParameterSpec(length.length, RSAKeyGenParameterSpec.F4) + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateRsaKeyPair(bitStrength) + } + companion object { @JvmStatic fun withLength(length: RsaLength) = RSA(length) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt index 4f0408bc..262930c1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt @@ -5,6 +5,8 @@ package org.pgpainless.key.generation.type.xdh_legacy import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.key.generation.type.KeyType @@ -14,6 +16,10 @@ class XDHLegacy private constructor(spec: XDHLegacySpec) : KeyType { override val bitStrength = spec.bitStrength override val algorithmSpec = ECNamedCurveGenParameterSpec(spec.algorithmName) + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateLegacyX25519KeyPair() + } + companion object { @JvmStatic fun fromSpec(spec: XDHLegacySpec) = XDHLegacy(spec) } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 3e620386..4d81e32f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -29,7 +29,6 @@ import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; -import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -37,10 +36,6 @@ import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.KeyException; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; -import org.pgpainless.key.generation.KeySpec; -import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.key.generation.type.elgamal.ElGamal; -import org.pgpainless.key.generation.type.elgamal.ElGamalLength; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; @@ -71,23 +66,6 @@ public class EncryptDecryptTest { Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022()); } - @TestTemplate - @ExtendWith(TestAllImplementations.class) - public void freshKeysRsaToElGamalTest() - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); - PGPSecretKeyRing recipient = PGPainless.buildKeyRing() - .setPrimaryKey(KeySpec.getBuilder( - KeyType.RSA(RsaLength._4096), - KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) - .addSubkey(KeySpec.getBuilder( - ElGamal.withLength(ElGamalLength._3072), - KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) - .addUserId("juliet@capulet.lit").build(); - - encryptDecryptForSecretKeyRings(sender, recipient); - } - @TestTemplate @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToRsaTest() From 69d65e763d739ad78771459d93ce604991a3716e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 10:54:00 +0100 Subject: [PATCH 008/265] Simplify code for setExpirationDate() --- .../kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index f65b4509..de15530b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -52,12 +52,8 @@ class KeyRingBuilder : KeyRingBuilderInterface { addUserId(Strings.fromUTF8ByteArray(userId)) override fun setExpirationDate(expirationDate: Date?): KeyRingBuilder = apply { - if (expirationDate == null) { - this.expirationDate = null - return@apply - } this.expirationDate = - expirationDate.let { + expirationDate?.let { require(Date() < expirationDate) { "Expiration date must be in the future." } expirationDate } From 626176cdadbcea6571cdd9caca45efce65be764d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 11:13:46 +0100 Subject: [PATCH 009/265] Allow passing version number to key generator --- .../src/main/kotlin/org/pgpainless/PGPainless.kt | 11 +++++++++-- .../org/pgpainless/algorithm/OpenPGPKeyVersion.kt | 6 ++++++ .../org/pgpainless/key/generation/KeyRingBuilder.kt | 4 +++- .../org/pgpainless/key/generation/KeyRingTemplates.kt | 11 ++++++----- 4 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 81d9e605..896692c2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -10,6 +10,7 @@ import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.decryption_verification.DecryptionBuilder import org.pgpainless.encryption_signing.EncryptionBuilder import org.pgpainless.key.certification.CertifyCertificate @@ -31,14 +32,20 @@ class PGPainless private constructor() { * * @return templates */ - @JvmStatic fun generateKeyRing() = KeyRingTemplates() + @JvmStatic + @JvmOverloads + fun generateKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4) = + KeyRingTemplates(version) /** * Build a custom OpenPGP key ring. * * @return builder */ - @JvmStatic fun buildKeyRing() = KeyRingBuilder() + @JvmStatic + @JvmOverloads + fun buildKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4) = + KeyRingBuilder(version) /** * Read an existing OpenPGP key ring. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt new file mode 100644 index 00000000..2ed21fd1 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt @@ -0,0 +1,6 @@ +package org.pgpainless.algorithm + +enum class OpenPGPKeyVersion(val version: Int) { + v4(4), + v6(6), +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index de15530b..f00740ab 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -16,6 +16,7 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator import org.bouncycastle.util.Strings import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.implementation.ImplementationFactory @@ -25,7 +26,8 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper import org.pgpainless.util.Passphrase -class KeyRingBuilder : KeyRingBuilderInterface { +class KeyRingBuilder(private val version: OpenPGPKeyVersion) : + KeyRingBuilderInterface { private var primaryKeySpec: KeySpec? = null private val subKeySpecs = mutableListOf() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index 82743661..98cf9b2b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -7,6 +7,7 @@ package org.pgpainless.key.generation import org.bouncycastle.openpgp.PGPSecretKeyRing import org.pgpainless.PGPainless.Companion.buildKeyRing import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.key.generation.KeySpec.Companion.getBuilder import org.pgpainless.key.generation.type.KeyType import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve @@ -14,7 +15,7 @@ import org.pgpainless.key.generation.type.rsa.RsaLength import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec import org.pgpainless.util.Passphrase -class KeyRingTemplates { +class KeyRingTemplates(private val version: OpenPGPKeyVersion) { /** * Generate an RSA OpenPGP key consisting of an RSA primary key used for certification, a @@ -31,7 +32,7 @@ class KeyRingTemplates { length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() ): PGPSecretKeyRing = - buildKeyRing() + buildKeyRing(version) .apply { setPrimaryKey(getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER)) addSubkey(getBuilder(KeyType.RSA(length), KeyFlag.SIGN_DATA)) @@ -78,7 +79,7 @@ class KeyRingTemplates { length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() ): PGPSecretKeyRing = - buildKeyRing() + buildKeyRing(version) .apply { setPrimaryKey( getBuilder( @@ -125,7 +126,7 @@ class KeyRingTemplates { userId: CharSequence?, passphrase: Passphrase = Passphrase.emptyPassphrase() ): PGPSecretKeyRing = - buildKeyRing() + buildKeyRing(version) .apply { setPrimaryKey( getBuilder( @@ -175,7 +176,7 @@ class KeyRingTemplates { userId: CharSequence?, passphrase: Passphrase = Passphrase.emptyPassphrase() ): PGPSecretKeyRing = - buildKeyRing() + buildKeyRing(version) .apply { setPrimaryKey( getBuilder( From d2532977cc561523b87836b96360b739479b4075 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 11:27:02 +0100 Subject: [PATCH 010/265] Pass version down in tests --- .../pgpainless/algorithm/OpenPGPKeyVersion.kt | 17 ++++++++++++++++- .../pgpainless/key/generation/KeyRingBuilder.kt | 8 ++++---- .../secretkeyring/SecretKeyRingEditor.kt | 4 +++- ...ModifiedBindingSignatureSubpacketsTest.java} | 12 +++++------- .../pgpainless/key/util/KeyRingUtilTest.java | 10 +++++----- 5 files changed, 33 insertions(+), 18 deletions(-) rename pgpainless-core/src/test/java/org/pgpainless/key/modification/{AddSubkeyWithModifiedBindingSignatureSubpackets.java => AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java} (89%) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt index 2ed21fd1..a2267825 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt @@ -1,6 +1,21 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm -enum class OpenPGPKeyVersion(val version: Int) { +enum class OpenPGPKeyVersion(val numeric: Int) { + @Deprecated("V3 keys are deprecated.") v3(3), v4(4), + librePgp(5), v6(6), + ; + + companion object { + @JvmStatic + fun from(numeric: Int): OpenPGPKeyVersion { + return values().find { numeric == it.numeric } + ?: throw IllegalArgumentException("Unknown key version $numeric") + } + } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index f00740ab..12e622c4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -6,7 +6,6 @@ package org.pgpainless.key.generation import java.io.IOException import java.util.* -import org.bouncycastle.bcpg.PublicKeyPacket import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor @@ -90,7 +89,7 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : // generate primary key requireNotNull(primaryKeySpec) { "Primary Key spec required." } - val certKey = generateKeyPair(primaryKeySpec!!) + val certKey = generateKeyPair(primaryKeySpec!!, version) val signer = buildContentSigner(certKey) val signatureGenerator = PGPSignatureGenerator(signer) @@ -174,7 +173,7 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : private fun addSubKeys(primaryKey: PGPKeyPair, ringGenerator: PGPKeyRingGenerator) { for (subKeySpec in subKeySpecs) { - val subKey = generateKeyPair(subKeySpec) + val subKey = generateKeyPair(subKeySpec, version) if (subKeySpec.isInheritedSubPackets) { ringGenerator.addSubKey(subKey) } else { @@ -248,12 +247,13 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : @JvmOverloads fun generateKeyPair( spec: KeySpec, + version: OpenPGPKeyVersion, creationTime: Date = spec.keyCreationDate ?: Date() ): PGPKeyPair { val gen = OpenPGPImplementation.getInstance() .pgpKeyPairGeneratorProvider() - .get(PublicKeyPacket.VERSION_4, creationTime) + .get(version.numeric, creationTime) return spec.keyType.generateKeyPair(gen) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 5480442d..e5426f37 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -16,6 +16,7 @@ import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.AlgorithmSuite import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator import org.pgpainless.bouncycastle.extensions.getKeyExpirationDate @@ -244,7 +245,8 @@ class SecretKeyRingEditor( callback: SelfSignatureSubpackets.Callback?, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { - val keyPair = KeyRingBuilder.generateKeyPair(keySpec, referenceTime) + val version = OpenPGPKeyVersion.from(secretKeyRing.getPublicKey().version) + val keyPair = KeyRingBuilder.generateKeyPair(keySpec, OpenPGPKeyVersion.v4, referenceTime) val subkeyProtector = PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyID, subkeyPassphrase) val keyFlags = KeyFlag.fromBitmask(keySpec.subpackets.keyFlags).toMutableList() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java similarity index 89% rename from pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java rename to pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java index 85cddfd6..1c659e42 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java @@ -9,14 +9,10 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.List; import org.bouncycastle.bcpg.sig.NotationData; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -25,6 +21,7 @@ import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.generation.KeyRingBuilder; import org.pgpainless.key.generation.KeySpec; @@ -35,19 +32,20 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; -public class AddSubkeyWithModifiedBindingSignatureSubpackets { +public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { public static final long MILLIS_IN_SEC = 1000; @Test - public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice "); KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); PGPKeyPair secretSubkey = KeyRingBuilder.generateKeyPair( - KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).build()); + KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).build(), + OpenPGPKeyVersion.v4); long secondsUntilExpiration = 1000; secretKeys = PGPainless.modifyKeyRing(secretKeys) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index 11fd5cd3..221e62bd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -18,6 +18,7 @@ import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.KeyRingBuilder; @@ -28,8 +29,6 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.CollectionUtils; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Random; import static org.junit.jupiter.api.Assertions.assertEquals; @@ -40,7 +39,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; public class KeyRingUtilTest { @Test - public void testInjectCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testInjectCertification() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); @@ -73,12 +72,13 @@ public class KeyRingUtilTest { } @Test - public void testKeysPlusPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testKeysPlusPublicKey() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(KeySpec.getBuilder( - KeyType.ECDH(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).build()); + KeyType.ECDH(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).build(), + OpenPGPKeyVersion.v4); PGPPublicKey pubkey = keyPair.getPublicKey(); assertFalse(pubkey.isMasterKey()); From 443361ba03407f3b5b0f402865c607ac8188719d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 12:09:37 +0100 Subject: [PATCH 011/265] Add new key types X25519, X448, Ed25519, Ed448 --- .../pgpainless/key/generation/type/KeyType.kt | 20 +++++++++++-------- .../key/generation/type/ecc/Ed25519.kt | 16 +++++++++++++++ .../key/generation/type/ecc/Ed448.kt | 16 +++++++++++++++ .../key/generation/type/ecc/X25519.kt | 16 +++++++++++++++ .../key/generation/type/ecc/X448.kt | 16 +++++++++++++++ .../key/generation/type/ecc/ecdh/ECDH.kt | 2 -- .../key/generation/type/ecc/ecdsa/ECDSA.kt | 2 -- .../type/eddsa_legacy/EdDSALegacy.kt | 2 -- .../pgpainless/key/generation/type/rsa/RSA.kt | 2 -- .../generation/type/xdh_legacy/XDHLegacy.kt | 2 -- 10 files changed, 76 insertions(+), 18 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt index 54718a53..2fa6d0c4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/KeyType.kt @@ -4,11 +4,14 @@ package org.pgpainless.key.generation.type -import java.security.spec.AlgorithmParameterSpec import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.key.generation.type.ecc.Ed25519 +import org.pgpainless.key.generation.type.ecc.Ed448 import org.pgpainless.key.generation.type.ecc.EllipticCurve +import org.pgpainless.key.generation.type.ecc.X25519 +import org.pgpainless.key.generation.type.ecc.X448 import org.pgpainless.key.generation.type.ecc.ecdh.ECDH import org.pgpainless.key.generation.type.ecc.ecdsa.ECDSA import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacy @@ -42,13 +45,6 @@ interface KeyType { */ val bitStrength: Int - /** - * Return an implementation of [AlgorithmParameterSpec] that can be used to generate the key. - * - * @return algorithm parameter spec - */ - val algorithmSpec: AlgorithmParameterSpec - /** * Return true if the key that is generated from this type is able to carry the SIGN_DATA key * flag. See [org.pgpainless.algorithm.KeyFlag.SIGN_DATA]. @@ -107,5 +103,13 @@ interface KeyType { fun EDDSA_LEGACY(curve: EdDSALegacyCurve): EdDSALegacy = EdDSALegacy.fromCurve(curve) @JvmStatic fun XDH_LEGACY(curve: XDHLegacySpec): XDHLegacy = XDHLegacy.fromSpec(curve) + + @JvmStatic fun X25519(): X25519 = org.pgpainless.key.generation.type.ecc.X25519() + + @JvmStatic fun X448(): X448 = org.pgpainless.key.generation.type.ecc.X448() + + @JvmStatic fun Ed25519(): Ed25519 = org.pgpainless.key.generation.type.ecc.Ed25519() + + @JvmStatic fun Ed448(): Ed448 = org.pgpainless.key.generation.type.ecc.Ed448() } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt new file mode 100644 index 00000000..bbd1d38d --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt @@ -0,0 +1,16 @@ +package org.pgpainless.key.generation.type.ecc + +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator +import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.key.generation.type.KeyType + +class Ed25519 : KeyType { + override val name: String = "Ed25519" + override val algorithm: PublicKeyAlgorithm = PublicKeyAlgorithm.ED25519 + override val bitStrength: Int = 256 + + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateEd25519KeyPair() + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt new file mode 100644 index 00000000..82b1431a --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt @@ -0,0 +1,16 @@ +package org.pgpainless.key.generation.type.ecc + +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator +import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.key.generation.type.KeyType + +class Ed448 : KeyType { + override val name: String = "Ed448" + override val algorithm: PublicKeyAlgorithm = PublicKeyAlgorithm.ED448 + override val bitStrength: Int = 456 + + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateEd448KeyPair() + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt new file mode 100644 index 00000000..4b4dd85b --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt @@ -0,0 +1,16 @@ +package org.pgpainless.key.generation.type.ecc + +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator +import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.key.generation.type.KeyType + +class X25519 : KeyType { + override val name: String = "X25519" + override val algorithm: PublicKeyAlgorithm = PublicKeyAlgorithm.X25519 + override val bitStrength: Int = 256 + + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateX25519KeyPair() + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt new file mode 100644 index 00000000..383ba01e --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt @@ -0,0 +1,16 @@ +package org.pgpainless.key.generation.type.ecc + +import org.bouncycastle.openpgp.PGPKeyPair +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator +import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.key.generation.type.KeyType + +class X448 : KeyType { + override val name: String = "X448" + override val algorithm: PublicKeyAlgorithm = PublicKeyAlgorithm.X448 + override val bitStrength: Int = 448 + + override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { + return generator.generateX448KeyPair() + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt index 6d488645..650604dc 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.kt @@ -5,7 +5,6 @@ package org.pgpainless.key.generation.type.ecc.ecdh import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil -import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm @@ -16,7 +15,6 @@ class ECDH private constructor(val curve: EllipticCurve) : KeyType { override val name = "ECDH" override val algorithm = PublicKeyAlgorithm.ECDH override val bitStrength = curve.bitStrength - override val algorithmSpec = ECNamedCurveGenParameterSpec(curve.curveName) override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { return ECUtil.getNamedCurveOid(curve.curveName).let { generator.generateECDHKeyPair(it) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt index 173af972..49e917cd 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.kt @@ -5,7 +5,6 @@ package org.pgpainless.key.generation.type.ecc.ecdsa import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil -import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm @@ -16,7 +15,6 @@ class ECDSA private constructor(val curve: EllipticCurve) : KeyType { override val name = "ECDSA" override val algorithm = PublicKeyAlgorithm.ECDSA override val bitStrength = curve.bitStrength - override val algorithmSpec = ECNamedCurveGenParameterSpec(curve.curveName) override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { return ECUtil.getNamedCurveOid(curve.curveName).let { generator.generateECDSAKeyPair(it) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt index 0d316cd6..8ed48619 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/eddsa_legacy/EdDSALegacy.kt @@ -4,7 +4,6 @@ package org.pgpainless.key.generation.type.eddsa_legacy -import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm @@ -14,7 +13,6 @@ class EdDSALegacy private constructor(val curve: EdDSALegacyCurve) : KeyType { override val name = "EdDSA" override val algorithm = PublicKeyAlgorithm.EDDSA_LEGACY override val bitStrength = curve.bitStrength - override val algorithmSpec = ECNamedCurveGenParameterSpec(curve.curveName) override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { return generator.generateLegacyEd25519KeyPair() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt index aa78f113..c73d6293 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/rsa/RSA.kt @@ -4,7 +4,6 @@ package org.pgpainless.key.generation.type.rsa -import java.security.spec.RSAKeyGenParameterSpec import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm @@ -16,7 +15,6 @@ class RSA private constructor(length: RsaLength) : KeyType { override val name = "RSA" override val algorithm = PublicKeyAlgorithm.RSA_GENERAL override val bitStrength = length.length - override val algorithmSpec = RSAKeyGenParameterSpec(length.length, RSAKeyGenParameterSpec.F4) override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { return generator.generateRsaKeyPair(bitStrength) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt index 262930c1..288603fa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/xdh_legacy/XDHLegacy.kt @@ -4,7 +4,6 @@ package org.pgpainless.key.generation.type.xdh_legacy -import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator import org.pgpainless.algorithm.PublicKeyAlgorithm @@ -14,7 +13,6 @@ class XDHLegacy private constructor(spec: XDHLegacySpec) : KeyType { override val name = "XDH" override val algorithm = PublicKeyAlgorithm.ECDH override val bitStrength = spec.bitStrength - override val algorithmSpec = ECNamedCurveGenParameterSpec(spec.algorithmName) override fun generateKeyPair(generator: PGPKeyPairGenerator): PGPKeyPair { return generator.generateLegacyX25519KeyPair() From a62d3aacd02cb0aa1451f9d93f7cb89071feb82c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 12:09:54 +0100 Subject: [PATCH 012/265] Add new key types to default policy --- .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 7c6bb2d3..454407f7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -379,6 +379,11 @@ class Policy( put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000) // §7.2.2 put(PublicKeyAlgorithm.ECDH, 250) + // Fixed lengths + put(PublicKeyAlgorithm.X25519, 256) + put(PublicKeyAlgorithm.ED25519, 256) + put(PublicKeyAlgorithm.X448, 448) + put(PublicKeyAlgorithm.ED448, 456) }) } } From fd3616061a3f83cd857d69a915224a7ea7f3c00e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 12:10:14 +0100 Subject: [PATCH 013/265] Basic v6 key generation test --- .../key/generation/KeyRingBuilder.kt | 5 ++- .../key/generation/KeyRingTemplates.kt | 45 ++++++++++--------- .../key/generation/GenerateV6KeyTest.java | 18 ++++++++ 3 files changed, 44 insertions(+), 24 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 12e622c4..1ea80edb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -91,7 +91,7 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : requireNotNull(primaryKeySpec) { "Primary Key spec required." } val certKey = generateKeyPair(primaryKeySpec!!, version) val signer = buildContentSigner(certKey) - val signatureGenerator = PGPSignatureGenerator(signer) + val signatureGenerator = PGPSignatureGenerator(signer, certKey.publicKey) val hashedSubPacketGenerator = primaryKeySpec!!.subpacketGenerator hashedSubPacketGenerator.setIssuerFingerprintAndKeyId(certKey.publicKey) @@ -203,7 +203,8 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : return hashedSubpackets } - val bindingSignatureGenerator = PGPSignatureGenerator(buildContentSigner(subKey)) + val bindingSignatureGenerator = + PGPSignatureGenerator(buildContentSigner(subKey), subKey.publicKey) bindingSignatureGenerator.init(SignatureType.PRIMARYKEY_BINDING.code, subKey.privateKey) val primaryKeyBindingSig = bindingSignatureGenerator.generateCertification(primaryKey.publicKey, subKey.publicKey) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index 98cf9b2b..bb8788e1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -125,25 +125,25 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { fun simpleEcKeyRing( userId: CharSequence?, passphrase: Passphrase = Passphrase.emptyPassphrase() - ): PGPSecretKeyRing = - buildKeyRing(version) + ): PGPSecretKeyRing { + val signingKeyType = + if (version == OpenPGPKeyVersion.v6) KeyType.Ed25519() + else KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519) + val encryptionKeyType = + if (version == OpenPGPKeyVersion.v6) KeyType.X25519() + else KeyType.XDH_LEGACY(XDHLegacySpec._X25519) + return buildKeyRing(version) .apply { - setPrimaryKey( - getBuilder( - KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), - KeyFlag.CERTIFY_OTHER, - KeyFlag.SIGN_DATA)) + setPrimaryKey(getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) addSubkey( - getBuilder( - KeyType.XDH_LEGACY(XDHLegacySpec._X25519), - KeyFlag.ENCRYPT_STORAGE, - KeyFlag.ENCRYPT_COMMS)) + getBuilder(encryptionKeyType, KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) setPassphrase(passphrase) if (userId != null) { addUserId(userId.toString()) } } .build() + } /** * Creates a key ring consisting of an ed25519 EdDSA primary key and a X25519 XDH subkey. The @@ -175,25 +175,26 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { fun modernKeyRing( userId: CharSequence?, passphrase: Passphrase = Passphrase.emptyPassphrase() - ): PGPSecretKeyRing = - buildKeyRing(version) + ): PGPSecretKeyRing { + val signingKeyType = + if (version == OpenPGPKeyVersion.v6) KeyType.Ed25519() + else KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519) + val encryptionKeyType = + if (version == OpenPGPKeyVersion.v6) KeyType.X25519() + else KeyType.XDH_LEGACY(XDHLegacySpec._X25519) + return buildKeyRing(version) .apply { - setPrimaryKey( - getBuilder( - KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) + setPrimaryKey(getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER)) addSubkey( - getBuilder( - KeyType.XDH_LEGACY(XDHLegacySpec._X25519), - KeyFlag.ENCRYPT_COMMS, - KeyFlag.ENCRYPT_STORAGE)) - addSubkey( - getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) + getBuilder(encryptionKeyType, KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) + addSubkey(getBuilder(signingKeyType, KeyFlag.SIGN_DATA)) setPassphrase(passphrase) if (userId != null) { addUserId(userId) } } .build() + } /** * Generate a modern PGP key ring consisting of an ed25519 EdDSA primary key which is used to diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java new file mode 100644 index 00000000..48843b92 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -0,0 +1,18 @@ +package org.pgpainless.key.generation; + +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.OpenPGPKeyVersion; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +public class GenerateV6KeyTest { + + @Test + public void generateModernV6Key() { + PGPSecretKeyRing secretKey = PGPainless.generateKeyRing(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + assertEquals(6, secretKey.getPublicKey().getVersion()); + } +} From eb9efec7c9db9ae30e0189ec4a309a252bd68f88 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 29 Jan 2025 12:14:50 +0100 Subject: [PATCH 014/265] Add missing license headers --- .../kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt | 4 ++++ .../kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt | 4 ++++ .../kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt | 4 ++++ .../kotlin/org/pgpainless/key/generation/type/ecc/X448.kt | 4 ++++ .../java/org/pgpainless/key/generation/GenerateV6KeyTest.java | 4 ++++ 5 files changed, 20 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt index bbd1d38d..e20d0dd7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed25519.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc import org.bouncycastle.openpgp.PGPKeyPair diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt index 82b1431a..67392917 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/Ed448.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc import org.bouncycastle.openpgp.PGPKeyPair diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt index 4b4dd85b..22e5da8c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X25519.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc import org.bouncycastle.openpgp.PGPKeyPair diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt index 383ba01e..3dc56f4e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/type/ecc/X448.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc import org.bouncycastle.openpgp.PGPKeyPair diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index 48843b92..1ecde1e7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import org.bouncycastle.openpgp.PGPSecretKeyRing; From d4b16971d5bbb27a9e1dbb3c56bed2772acaee04 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 30 Jan 2025 12:08:55 +0100 Subject: [PATCH 015/265] Integrate KeyIdentifier with SubkeyIdentifier --- .../kotlin/org/pgpainless/key/SubkeyIdentifier.kt | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index 2aec7976..58c935d9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -5,6 +5,7 @@ package org.pgpainless.key import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey @@ -38,13 +39,17 @@ class SubkeyIdentifier( subkeyFingerprint: OpenPgpFingerprint ) : this(OpenPgpFingerprint.of(keys), subkeyFingerprint) - val keyId = subkeyFingerprint.keyId + val keyIdentifier = KeyIdentifier(subkeyFingerprint.bytes) + val subkeyIdentifier = keyIdentifier + val primaryKeyIdentifier = KeyIdentifier(primaryKeyFingerprint.bytes) + + @Deprecated("Use of key-ids is discouraged.") val keyId = keyIdentifier.keyId val fingerprint = subkeyFingerprint - val subkeyId = subkeyFingerprint.keyId - val primaryKeyId = primaryKeyFingerprint.keyId + @Deprecated("Use of key-ids is discouraged.") val subkeyId = subkeyIdentifier.keyId + @Deprecated("Use of key-ids is discouraged.") val primaryKeyId = primaryKeyIdentifier.keyId - val isPrimaryKey = primaryKeyId == subkeyId + val isPrimaryKey = primaryKeyIdentifier == subkeyIdentifier fun matches(fingerprint: OpenPgpFingerprint) = primaryKeyFingerprint == fingerprint || subkeyFingerprint == fingerprint From 34c8921bed97e2d5f416108207788c6ab28449d2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 30 Jan 2025 22:50:31 +0100 Subject: [PATCH 016/265] Start porting KeyRingInfo over to OpenPGPCertificate --- .../org/pgpainless/key/info/KeyRingInfo.kt | 74 +++++++++++-------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index ce4fbe56..f232162b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -7,6 +7,7 @@ package org.pgpainless.key.info import java.util.* import openpgp.openPgpKeyId import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless import org.pgpainless.algorithm.* import org.pgpainless.bouncycastle.extensions.* @@ -22,33 +23,39 @@ import org.pgpainless.util.DateUtil import org.slf4j.LoggerFactory class KeyRingInfo( - val keys: PGPKeyRing, + val keys: OpenPGPCertificate, val policy: Policy = PGPainless.getPolicy(), val referenceDate: Date = Date() ) { + constructor( + keys: PGPKeyRing, + policy: Policy = PGPainless.getPolicy(), + referenceDate: Date = Date() + ) : this(OpenPGPCertificate(keys), policy, referenceDate) + @JvmOverloads constructor( keys: PGPKeyRing, referenceDate: Date = Date() ) : this(keys, PGPainless.getPolicy(), referenceDate) - private val signatures: Signatures = Signatures(keys, referenceDate, policy) + private val signatures: Signatures = Signatures(keys.pgpKeyRing, referenceDate, policy) /** Primary [PGPPublicKey]. */ - val publicKey: PGPPublicKey = KeyRingUtils.requirePrimaryPublicKeyFrom(keys) + val publicKey: PGPPublicKey = keys.primaryKey.pgpPublicKey /** Primary key ID. */ val keyId: Long = publicKey.keyID /** Primary key fingerprint. */ - val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(keys) + val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(publicKey) /** All User-IDs (valid, expired, revoked). */ val userIds: List = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(publicKey) /** Primary User-ID. */ - val primaryUserId = findPrimaryUserId() + val primaryUserId = keys.getPrimaryUserId(referenceDate)?.userId /** Revocation State. */ val revocationState = signatures.primaryKeyRevocation.toRevocationState() @@ -64,8 +71,8 @@ class KeyRingInfo( * Primary [PGPSecretKey] of this key ring or null if the key ring is not a [PGPSecretKeyRing]. */ val secretKey: PGPSecretKey? = - when (keys) { - is PGPSecretKeyRing -> keys.secretKey!! + when (keys.pgpKeyRing) { + is PGPSecretKeyRing -> (keys.pgpKeyRing as PGPSecretKeyRing).secretKey!! else -> null } @@ -78,18 +85,19 @@ class KeyRingInfo( * * @return list of public keys */ - val publicKeys: List = keys.publicKeys.asSequence().toList() + val publicKeys: List = keys.pgpKeyRing.publicKeys.asSequence().toList() /** All secret keys. If the key ring is a [PGPPublicKeyRing], then return an empty list. */ val secretKeys: List = - when (keys) { - is PGPSecretKeyRing -> keys.secretKeys.asSequence().toList() + when (keys.pgpKeyRing) { + is PGPSecretKeyRing -> + (keys.pgpKeyRing as PGPSecretKeyRing).secretKeys.asSequence().toList() else -> listOf() } /** List of valid public subkeys. */ val validSubkeys: List = - keys.publicKeys.asSequence().filter { isKeyValidlyBound(it.keyID) }.toList() + keys.pgpKeyRing.publicKeys.asSequence().filter { isKeyValidlyBound(it.keyID) }.toList() /** List of valid user-IDs. */ val validUserIds: List = userIds.filter { isUserIdBound(it) } @@ -131,7 +139,7 @@ class KeyRingInfo( val lastModified: Date = getMostRecentSignature()?.creationTime ?: getLatestKeyCreationDate() /** True, if the underlying keyring is a [PGPSecretKeyRing]. */ - val isSecretKey: Boolean = keys is PGPSecretKeyRing + val isSecretKey: Boolean = keys.pgpKeyRing is PGPSecretKeyRing /** True, if there are no encrypted secret keys. */ val isFullyDecrypted: Boolean = @@ -143,7 +151,7 @@ class KeyRingInfo( /** List of public keys, whose secret key counterparts can be used to decrypt messages. */ val decryptionSubkeys: List = - keys.publicKeys + keys.pgpKeyRing.publicKeys .asSequence() .filter { if (it.keyID != keyId) { @@ -313,7 +321,7 @@ class KeyRingInfo( ): List { if (userId != null && !isUserIdValid(userId)) { throw UnboundUserIdException( - OpenPgpFingerprint.of(keys), + OpenPgpFingerprint.of(publicKey), userId.toString(), getLatestUserIdCertification(userId), getUserIdRevocation(userId)) @@ -335,7 +343,7 @@ class KeyRingInfo( } } - return keys.publicKeys + return keys.pgpKeyRing.publicKeys .asSequence() .filter { if (!isKeyValidlyBound(it.keyID)) { @@ -497,7 +505,7 @@ class KeyRingInfo( * @param keyId key id * @return public key or null */ - fun getPublicKey(keyId: Long): PGPPublicKey? = keys.getPublicKey(keyId) + fun getPublicKey(keyId: Long): PGPPublicKey? = keys.pgpKeyRing.getPublicKey(keyId) /** * Return the secret key with the given key id. @@ -506,8 +514,8 @@ class KeyRingInfo( * @return secret key or null */ fun getSecretKey(keyId: Long): PGPSecretKey? = - when (keys) { - is PGPSecretKeyRing -> keys.getSecretKey(keyId) + when (keys.pgpKeyRing) { + is PGPSecretKeyRing -> (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(keyId) else -> null } @@ -532,7 +540,7 @@ class KeyRingInfo( * @return public key or null */ fun getPublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey? = - keys.getPublicKey(fingerprint.keyId) + keys.pgpKeyRing.getPublicKey(fingerprint.keyId) /** * Return the secret key with the given fingerprint. @@ -541,8 +549,9 @@ class KeyRingInfo( * @return secret key or null */ fun getSecretKey(fingerprint: OpenPgpFingerprint): PGPSecretKey? = - when (keys) { - is PGPSecretKeyRing -> keys.getSecretKey(fingerprint.keyId) + when (keys.pgpKeyRing) { + is PGPSecretKeyRing -> + (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(fingerprint.keyId) else -> null } @@ -554,7 +563,9 @@ class KeyRingInfo( * key of the key. */ fun getPublicKey(identifier: SubkeyIdentifier): PGPPublicKey? { - require(identifier.primaryKeyId == publicKey.keyID) { "Mismatching primary key ID." } + require(identifier.primaryKeyIdentifier.keyId == publicKey.keyID) { + "Mismatching primary key ID." + } return getPublicKey(identifier.subkeyId) } @@ -566,12 +577,12 @@ class KeyRingInfo( * key of the key. */ fun getSecretKey(identifier: SubkeyIdentifier): PGPSecretKey? = - when (keys) { + when (keys.pgpKeyRing) { is PGPSecretKeyRing -> { - require(identifier.primaryKeyId == publicKey.keyID) { + require(identifier.primaryKeyIdentifier.keyId == publicKey.keyID) { "Mismatching primary key ID." } - keys.getSecretKey(identifier.subkeyId) + (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(identifier.subkeyIdentifier) } else -> null } @@ -583,7 +594,7 @@ class KeyRingInfo( * @return true if key is bound validly */ fun isKeyValidlyBound(keyId: Long): Boolean { - val publicKey = keys.getPublicKey(keyId) ?: return false + val publicKey = keys.pgpKeyRing.getPublicKey(keyId) ?: return false // Primary key -> Check Primary Key Revocation if (publicKey.keyID == this.publicKey.keyID) { @@ -676,7 +687,8 @@ class KeyRingInfo( /** [HashAlgorithm] preferences of the given key. */ fun getPreferredHashAlgorithms(keyId: Long): Set { - return KeyAccessor.SubKey(this, SubkeyIdentifier(keys, keyId)).preferredHashAlgorithms + return KeyAccessor.SubKey(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) + .preferredHashAlgorithms } /** [SymmetricKeyAlgorithm] preferences of the given user-ID. */ @@ -686,7 +698,7 @@ class KeyRingInfo( /** [SymmetricKeyAlgorithm] preferences of the given key. */ fun getPreferredSymmetricKeyAlgorithms(keyId: Long): Set { - return KeyAccessor.SubKey(this, SubkeyIdentifier(keys, keyId)) + return KeyAccessor.SubKey(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) .preferredSymmetricKeyAlgorithms } @@ -697,7 +709,7 @@ class KeyRingInfo( /** [CompressionAlgorithm] preferences of the given key. */ fun getPreferredCompressionAlgorithms(keyId: Long): Set { - return KeyAccessor.SubKey(this, SubkeyIdentifier(keys, keyId)) + return KeyAccessor.SubKey(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) .preferredCompressionAlgorithms } @@ -713,9 +725,9 @@ class KeyRingInfo( throw NoSuchElementException("No user-id '$userId' found on this key.") } return if (userId != null) { - KeyAccessor.ViaUserId(this, SubkeyIdentifier(keys, keyId), userId) + KeyAccessor.ViaUserId(this, SubkeyIdentifier(keys.pgpKeyRing, keyId), userId) } else { - KeyAccessor.ViaKeyId(this, SubkeyIdentifier(keys, keyId)) + KeyAccessor.ViaKeyId(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) } } From e20beb675596fd18756b50c7c0ab50429c78405b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 31 Jan 2025 12:50:07 +0100 Subject: [PATCH 017/265] Fix test stability --- .../generation/KeyGenerationSubpacketsTest.java | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index 238d1a40..6ebe74b3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -11,9 +11,6 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Collections; import java.util.Date; @@ -41,9 +38,9 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForUserIdSignatures() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); - + Date plus1Sec = new Date(secretKeys.getPublicKey().getCreationTime().getTime() + 1000); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); PGPSignature userIdSig = info.getLatestUserIdCertification("Alice"); assertNotNull(userIdSig); @@ -56,7 +53,7 @@ public class KeyGenerationSubpacketsTest { assertEquals("Alice", info.getPrimaryUserId()); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = PGPainless.modifyKeyRing(secretKeys, plus1Sec) .addUserId("Bob", new SelfSignatureSubpackets.Callback() { @Override @@ -68,7 +65,7 @@ public class KeyGenerationSubpacketsTest { .addUserId("Alice", SecretKeyRingProtector.unprotectedKeys()) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = PGPainless.inspectKeyRing(secretKeys, plus1Sec); userIdSig = info.getLatestUserIdCertification("Alice"); assertNotNull(userIdSig); @@ -89,7 +86,7 @@ public class KeyGenerationSubpacketsTest { assertEquals("Bob", info.getPrimaryUserId()); - Date now = new Date(); + Date now = plus1Sec; Date t1 = new Date(now.getTime() + 1000 * 60 * 60); secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) .addUserId("Alice", new SelfSignatureSubpackets.Callback() { @@ -107,7 +104,7 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForSubkeyBindingSignatures() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); List keysBefore = info.getPublicKeys(); From 2c0edf9588eab59f02f4846d5e3ec48e6ac55c3b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 4 Feb 2025 15:59:26 +0100 Subject: [PATCH 018/265] Fix some tests --- .../pgpainless/algorithm/EncryptionPurpose.kt | 10 ++++++---- .../org/pgpainless/key/info/KeyRingInfo.kt | 17 +++++++++-------- ...CustomPublicKeyDataDecryptorFactoryTest.java | 6 +++--- .../java/org/pgpainless/example/ModifyKeys.java | 2 +- .../GenerateKeyWithCustomCreationDateTest.java | 8 ++------ .../pgpainless/key/info/KeyRingInfoTest.java | 3 +-- 6 files changed, 22 insertions(+), 24 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/EncryptionPurpose.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/EncryptionPurpose.kt index 1b4bbe6e..2ba984e7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/EncryptionPurpose.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/EncryptionPurpose.kt @@ -4,11 +4,13 @@ package org.pgpainless.algorithm -enum class EncryptionPurpose { +import org.bouncycastle.bcpg.sig.KeyFlags + +enum class EncryptionPurpose(val code: Int) { /** The stream will encrypt communication that goes over the wire. E.g. EMail, Chat... */ - COMMUNICATIONS, + COMMUNICATIONS(KeyFlags.ENCRYPT_COMMS), /** The stream will encrypt data at rest. E.g. Encrypted backup... */ - STORAGE, + STORAGE(KeyFlags.ENCRYPT_STORAGE), /** The stream will use keys with either flags to encrypt the data. */ - ANY + ANY(KeyFlags.ENCRYPT_COMMS or KeyFlags.ENCRYPT_STORAGE) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index f232162b..4f4d7587 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -97,10 +97,10 @@ class KeyRingInfo( /** List of valid public subkeys. */ val validSubkeys: List = - keys.pgpKeyRing.publicKeys.asSequence().filter { isKeyValidlyBound(it.keyID) }.toList() + keys.publicKeys.values.filter { it.isBoundAt(referenceDate) }.map { it.pgpPublicKey } /** List of valid user-IDs. */ - val validUserIds: List = userIds.filter { isUserIdBound(it) } + val validUserIds: List = keys.getValidUserIds(referenceDate).map { it.userId } /** List of valid and expired user-IDs. */ val validAndExpiredUserIds: List = @@ -136,7 +136,7 @@ class KeyRingInfo( val creationDate: Date = publicKey.creationTime!! /** Latest date at which the key was modified (either by adding a subkey or self-signature). */ - val lastModified: Date = getMostRecentSignature()?.creationTime ?: getLatestKeyCreationDate() + val lastModified: Date = keys.lastModificationDate /** True, if the underlying keyring is a [PGPSecretKeyRing]. */ val isSecretKey: Boolean = keys.pgpKeyRing is PGPSecretKeyRing @@ -195,10 +195,11 @@ class KeyRingInfo( /** List of all subkeys that can be used to sign a message. */ val signingSubkeys: List = - validSubkeys.filter { getKeyFlagsOf(it.keyID).contains(KeyFlag.SIGN_DATA) } + keys.getSigningKeys(referenceDate).map { it.pgpPublicKey } /** Whether the key is usable for encryption. */ - val isUsableForEncryption: Boolean = isUsableForEncryption(EncryptionPurpose.ANY) + val isUsableForEncryption: Boolean = + keys.getComponentKeysWithFlag(referenceDate, EncryptionPurpose.ANY.code).isNotEmpty() /** * Whether the key is capable of signing messages. This field is also true, if the key contains @@ -417,7 +418,7 @@ class KeyRingInfo( * @return latest key creation time */ fun getLatestKeyCreationDate(): Date = - validSubkeys.maxByOrNull { creationDate }?.creationTime + keys.getValidKeys(referenceDate).maxByOrNull { it.creationTime }?.creationTime ?: throw AssertionError("Apparently there is no validly bound key in this key ring.") /** @@ -426,7 +427,7 @@ class KeyRingInfo( * @return latest self-certification for the given user-ID. */ fun getLatestUserIdCertification(userId: CharSequence): PGPSignature? = - signatures.userIdCertifications[userId] + keys.getUserId(userId.toString())?.getCertification(referenceDate)?.signature /** * Return the latest revocation self-signature for the given user-ID @@ -434,7 +435,7 @@ class KeyRingInfo( * @return latest user-ID revocation for the given user-ID */ fun getUserIdRevocation(userId: CharSequence): PGPSignature? = - signatures.userIdRevocations[userId] + keys.getUserId(userId.toString())?.getRevocation(referenceDate)?.signature /** * Return the current binding signature for the subkey with the given key-ID. diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java index 71fbf9be..d8b2f529 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java @@ -13,6 +13,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; @@ -28,16 +29,15 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import static org.junit.jupiter.api.Assertions.assertEquals; public class CustomPublicKeyDataDecryptorFactoryTest { @Test + @Disabled public void testDecryptionWithEmulatedHardwareDecryptionCallback() - throws PGPException, IOException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException, IOException { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing().modernKeyRing("Alice"); PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKey); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 768064e7..110761e6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -183,7 +183,7 @@ public class ModifyKeys { * The provided expiration date will be set on each user-id certification signature. */ @Test - public void setKeyExpirationDate() throws PGPException { + public void setKeyExpirationDate() { Date expirationDate = DateUtil.parseUTCDate("2030-06-24 12:44:56 UTC"); SecretKeyRingProtector protector = SecretKeyRingProtector diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java index 0ad564db..f5e01ad0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java @@ -6,13 +6,10 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertFalse; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Calendar; import java.util.Date; import java.util.Iterator; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -29,8 +26,7 @@ import org.pgpainless.util.DateUtil; public class GenerateKeyWithCustomCreationDateTest { @Test - public void generateKeyWithCustomCreationDateTest() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateKeyWithCustomCreationDateTest() { Date creationDate = DateUtil.parseUTCDate("2018-06-11 14:12:09 UTC"); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) @@ -49,7 +45,7 @@ public class GenerateKeyWithCustomCreationDateTest { } @Test - public void generateSubkeyWithFutureKeyCreationDate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateSubkeyWithFutureKeyCreationDate() { Calendar calendar = Calendar.getInstance(); calendar.add(Calendar.YEAR, 20); Date future = calendar.getTime(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 34465bba..edf40b6d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -219,8 +219,7 @@ public class KeyRingInfoTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testGetKeysWithFlagsAndExpiry() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testGetKeysWithFlagsAndExpiry() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( From 002fa71bb7ec3138442b6ec26c01d624d0ff3260 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 4 Feb 2025 17:18:54 +0100 Subject: [PATCH 019/265] Add some debug checks to test --- .../FixUserIdDoesNotBreakEncryptionCapabilityTest.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java index d3fe1b2e..c9683ab6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java @@ -88,6 +88,9 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo after = PGPainless.inspectKeyRing(modified); + assertEquals(userIdBefore, before.getPrimaryUserId()); + assertEquals(userIdAfter, after.getPrimaryUserId()); + assertTrue(after.isKeyValidlyBound(after.getKeyId())); assertTrue(before.isUsableForEncryption()); assertTrue(before.isUsableForSigning()); assertTrue(before.isUserIdValid(userIdBefore)); From c593b5a59005e0cc29b8e9035370f8ab6171172e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 5 Feb 2025 09:56:56 +0100 Subject: [PATCH 020/265] Further integration of OpenPGPCertificate into KeyRingInfo --- .../org/pgpainless/key/info/KeyRingInfo.kt | 83 +++++++++++++------ .../org/pgpainless/example/ModifyKeys.java | 2 +- ...GenerateKeyWithoutPrimaryKeyFlagsTest.java | 5 +- .../pgpainless/key/info/KeyRingInfoTest.java | 4 +- ...dDoesNotBreakEncryptionCapabilityTest.java | 2 +- 5 files changed, 65 insertions(+), 31 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 4f4d7587..007756a6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -6,6 +6,7 @@ package org.pgpainless.key.info import java.util.* import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless @@ -46,7 +47,12 @@ class KeyRingInfo( val publicKey: PGPPublicKey = keys.primaryKey.pgpPublicKey /** Primary key ID. */ - val keyId: Long = publicKey.keyID + val keyIdentifier: KeyIdentifier = publicKey.keyIdentifier + + @Deprecated( + "Use of raw key-ids is deprecated in favor of key-identifiers", + replaceWith = ReplaceWith("keyIdentifier")) + val keyId: Long = keyIdentifier.keyId /** Primary key fingerprint. */ val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(publicKey) @@ -154,7 +160,7 @@ class KeyRingInfo( keys.pgpKeyRing.publicKeys .asSequence() .filter { - if (it.keyID != keyId) { + if (!it.keyIdentifier.matches(keyIdentifier)) { if (signatures.subkeyBindings[it.keyID] == null) { LOGGER.debug("Subkey ${it.keyID.openPgpKeyId()} has no binding signature.") return@filter false @@ -208,7 +214,7 @@ class KeyRingInfo( * * To check for keys that are actually usable to sign messages, use [isUsableForSigning]. */ - val isSigningCapable: Boolean = isKeyValidlyBound(keyId) && signingSubkeys.isNotEmpty() + val isSigningCapable: Boolean = isKeyValidlyBound(keyIdentifier) && signingSubkeys.isNotEmpty() /** Whether the key is actually usable to sign messages. */ val isUsableForSigning: Boolean = @@ -218,7 +224,7 @@ class KeyRingInfo( val preferredHashAlgorithms: Set get() = primaryUserId?.let { getPreferredHashAlgorithms(it) } - ?: getPreferredHashAlgorithms(keyId) + ?: getPreferredHashAlgorithms(keyIdentifier) /** * [SymmetricKeyAlgorithm] preferences of the primary user-ID or if absent of the primary key. @@ -226,13 +232,13 @@ class KeyRingInfo( val preferredSymmetricKeyAlgorithms: Set get() = primaryUserId?.let { getPreferredSymmetricKeyAlgorithms(it) } - ?: getPreferredSymmetricKeyAlgorithms(keyId) + ?: getPreferredSymmetricKeyAlgorithms(keyIdentifier) /** [CompressionAlgorithm] preferences of the primary user-ID or if absent, the primary key. */ val preferredCompressionAlgorithms: Set get() = primaryUserId?.let { getPreferredCompressionAlgorithms(it) } - ?: getPreferredCompressionAlgorithms(keyId) + ?: getPreferredCompressionAlgorithms(keyIdentifier) /** * Return the expiration date of the subkey with the provided fingerprint. @@ -387,7 +393,7 @@ class KeyRingInfo( * encryption-purpose. */ fun isUsableForEncryption(purpose: EncryptionPurpose): Boolean { - return isKeyValidlyBound(keyId) && getEncryptionSubkeys(purpose).isNotEmpty() + return isKeyValidlyBound(keyIdentifier) && getEncryptionSubkeys(purpose).isNotEmpty() } /** @@ -453,6 +459,9 @@ class KeyRingInfo( fun getSubkeyRevocationSignature(keyId: Long): PGPSignature? = signatures.subkeyRevocations[keyId] + fun getKeyFlagsOf(keyIdentifier: KeyIdentifier): List = + getKeyFlagsOf(keyIdentifier.keyId) + /** * Return a list of [KeyFlags][KeyFlag] that apply to the subkey with the provided key id. * @@ -541,7 +550,7 @@ class KeyRingInfo( * @return public key or null */ fun getPublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey? = - keys.pgpKeyRing.getPublicKey(fingerprint.keyId) + keys.pgpKeyRing.getPublicKey(fingerprint.bytes) /** * Return the secret key with the given fingerprint. @@ -552,10 +561,14 @@ class KeyRingInfo( fun getSecretKey(fingerprint: OpenPgpFingerprint): PGPSecretKey? = when (keys.pgpKeyRing) { is PGPSecretKeyRing -> - (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(fingerprint.keyId) + (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(fingerprint.bytes) else -> null } + fun getPublicKey(keyIdentifier: KeyIdentifier): PGPPublicKey? { + return keys.pgpKeyRing.getPublicKey(keyIdentifier) + } + /** * Return the public key matching the given [SubkeyIdentifier]. * @@ -564,10 +577,10 @@ class KeyRingInfo( * key of the key. */ fun getPublicKey(identifier: SubkeyIdentifier): PGPPublicKey? { - require(identifier.primaryKeyIdentifier.keyId == publicKey.keyID) { + require(publicKey.keyIdentifier.equals(identifier.keyIdentifier)) { "Mismatching primary key ID." } - return getPublicKey(identifier.subkeyId) + return keys.pgpKeyRing.getPublicKey(identifier.subkeyIdentifier) } /** @@ -580,7 +593,7 @@ class KeyRingInfo( fun getSecretKey(identifier: SubkeyIdentifier): PGPSecretKey? = when (keys.pgpKeyRing) { is PGPSecretKeyRing -> { - require(identifier.primaryKeyIdentifier.keyId == publicKey.keyID) { + require(publicKey.keyIdentifier.equals(identifier.keyIdentifier)) { "Mismatching primary key ID." } (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(identifier.subkeyIdentifier) @@ -588,6 +601,10 @@ class KeyRingInfo( else -> null } + fun isKeyValidlyBound(keyIdentifier: KeyIdentifier): Boolean { + return isKeyValidlyBound(keyIdentifier.keyId) + } + /** * Return true if the public key with the given key id is bound to the key ring properly. * @@ -598,7 +615,7 @@ class KeyRingInfo( val publicKey = keys.pgpKeyRing.getPublicKey(keyId) ?: return false // Primary key -> Check Primary Key Revocation - if (publicKey.keyID == this.publicKey.keyID) { + if (publicKey.keyIdentifier.matches(this.publicKey.keyIdentifier)) { return if (signatures.primaryKeyRevocation != null && signatures.primaryKeyRevocation.isHardRevocation) { false @@ -631,8 +648,9 @@ class KeyRingInfo( * Return the current primary user-id of the key ring. * *

- * Note: If no user-id is marked as primary key using a [PrimaryUserID] packet, this method - * returns the first user-id on the key, otherwise null. + * Note: If no user-id is marked as primary key using a + * [org.bouncycastle.bcpg.sig.PrimaryUserID] packet, this method returns the first user-id on + * the key, otherwise null. * * @return primary user-id or null */ @@ -683,7 +701,11 @@ class KeyRingInfo( /** [HashAlgorithm] preferences of the given user-ID. */ fun getPreferredHashAlgorithms(userId: CharSequence): Set { - return getKeyAccessor(userId, keyId).preferredHashAlgorithms + return getKeyAccessor(userId, keyIdentifier).preferredHashAlgorithms + } + + fun getPreferredHashAlgorithms(keyIdentifier: KeyIdentifier): Set { + return getPreferredHashAlgorithms(keyIdentifier.keyId) } /** [HashAlgorithm] preferences of the given key. */ @@ -694,7 +716,13 @@ class KeyRingInfo( /** [SymmetricKeyAlgorithm] preferences of the given user-ID. */ fun getPreferredSymmetricKeyAlgorithms(userId: CharSequence): Set { - return getKeyAccessor(userId, keyId).preferredSymmetricKeyAlgorithms + return getKeyAccessor(userId, keyIdentifier).preferredSymmetricKeyAlgorithms + } + + fun getPreferredSymmetricKeyAlgorithms( + keyIdentifier: KeyIdentifier + ): Set { + return getPreferredSymmetricKeyAlgorithms(keyIdentifier.keyId) } /** [SymmetricKeyAlgorithm] preferences of the given key. */ @@ -705,7 +733,11 @@ class KeyRingInfo( /** [CompressionAlgorithm] preferences of the given user-ID. */ fun getPreferredCompressionAlgorithms(userId: CharSequence): Set { - return getKeyAccessor(userId, keyId).preferredCompressionAlgorithms + return getKeyAccessor(userId, keyIdentifier).preferredCompressionAlgorithms + } + + fun getPreferredCompressionAlgorithms(keyIdentifier: KeyIdentifier): Set { + return getPreferredCompressionAlgorithms(keyIdentifier.keyId) } /** [CompressionAlgorithm] preferences of the given key. */ @@ -715,20 +747,21 @@ class KeyRingInfo( } val isUsableForThirdPartyCertification: Boolean = - isKeyValidlyBound(keyId) && getKeyFlagsOf(keyId).contains(KeyFlag.CERTIFY_OTHER) + isKeyValidlyBound(keyIdentifier) && + getKeyFlagsOf(keyIdentifier).contains(KeyFlag.CERTIFY_OTHER) - private fun getKeyAccessor(userId: CharSequence?, keyId: Long): KeyAccessor { - if (getPublicKey(keyId) == null) { - throw NoSuchElementException( - "No subkey with key-id ${keyId.openPgpKeyId()} found on this key.") + private fun getKeyAccessor(userId: CharSequence?, keyIdentifier: KeyIdentifier): KeyAccessor { + if (getPublicKey(keyIdentifier) == null) { + throw NoSuchElementException("No subkey with key-id $keyIdentifier found on this key.") } if (userId != null && !userIds.contains(userId)) { throw NoSuchElementException("No user-id '$userId' found on this key.") } return if (userId != null) { - KeyAccessor.ViaUserId(this, SubkeyIdentifier(keys.pgpKeyRing, keyId), userId) + KeyAccessor.ViaUserId( + this, SubkeyIdentifier(keys.pgpKeyRing, keyIdentifier.keyId), userId) } else { - KeyAccessor.ViaKeyId(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) + KeyAccessor.ViaKeyId(this, SubkeyIdentifier(keys.pgpKeyRing, keyIdentifier.keyId)) } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 110761e6..fdc91cd2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -54,7 +54,7 @@ public class ModifyKeys { .modernKeyRing(userId, originalPassphrase); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); - primaryKeyId = info.getKeyId(); + primaryKeyId = info.getKeyIdentifier().getKeyId(); encryptionSubkeyId = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID(); signingSubkeyId = info.getSigningSubkeys().get(0).getKeyID(); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java index e477aeef..ea0dbc73 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java @@ -15,6 +15,7 @@ import java.nio.charset.StandardCharsets; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -53,9 +54,9 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); assertTrue(info.getValidUserIds().contains("Alice")); - long primaryKeyId = info.getKeyId(); + KeyIdentifier primaryKeyIdentifier = info.getKeyIdentifier(); assertTrue(info.getKeyFlagsOf("Alice").isEmpty()); - assertTrue(info.getKeyFlagsOf(primaryKeyId).isEmpty()); + assertTrue(info.getKeyFlagsOf(primaryKeyIdentifier).isEmpty()); assertFalse(info.isUsableForThirdPartyCertification()); // Key without CERTIFY_OTHER flag cannot be used to certify other keys diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index edf40b6d..ca284cdc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -66,8 +66,8 @@ public class KeyRingInfoTest { KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo pInfo = PGPainless.inspectKeyRing(publicKeys); - assertEquals(TestKeys.EMIL_KEY_ID, sInfo.getKeyId()); - assertEquals(TestKeys.EMIL_KEY_ID, pInfo.getKeyId()); + assertEquals(TestKeys.EMIL_KEY_ID, sInfo.getKeyIdentifier().getKeyId()); + assertEquals(TestKeys.EMIL_KEY_ID, pInfo.getKeyIdentifier().getKeyId()); assertEquals(TestKeys.EMIL_FINGERPRINT, sInfo.getFingerprint()); assertEquals(TestKeys.EMIL_FINGERPRINT, pInfo.getFingerprint()); assertEquals(PublicKeyAlgorithm.ECDSA, sInfo.getAlgorithm()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java index c9683ab6..3053bc7b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java @@ -90,7 +90,7 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { assertEquals(userIdBefore, before.getPrimaryUserId()); assertEquals(userIdAfter, after.getPrimaryUserId()); - assertTrue(after.isKeyValidlyBound(after.getKeyId())); + assertTrue(after.isKeyValidlyBound(after.getKeyIdentifier())); assertTrue(before.isUsableForEncryption()); assertTrue(before.isUsableForSigning()); assertTrue(before.isUserIdValid(userIdBefore)); From 137bb51f2cf61837e12aa47b13afb3f51702de38 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 5 Feb 2025 10:31:28 +0100 Subject: [PATCH 021/265] Change type of KeyRingInfo.publicKey to OpenPGPPrimaryKey --- .../org/pgpainless/key/info/KeyRingInfo.kt | 30 ++++++----- .../org/pgpainless/example/GenerateKeys.java | 50 ++++++++----------- 2 files changed, 38 insertions(+), 42 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 007756a6..9271f550 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -43,8 +43,8 @@ class KeyRingInfo( private val signatures: Signatures = Signatures(keys.pgpKeyRing, referenceDate, policy) - /** Primary [PGPPublicKey]. */ - val publicKey: PGPPublicKey = keys.primaryKey.pgpPublicKey + /** Primary [OpenPGPCertificate.OpenPGPPrimaryKey]. */ + val publicKey: OpenPGPCertificate.OpenPGPPrimaryKey = keys.primaryKey /** Primary key ID. */ val keyIdentifier: KeyIdentifier = publicKey.keyIdentifier @@ -55,10 +55,10 @@ class KeyRingInfo( val keyId: Long = keyIdentifier.keyId /** Primary key fingerprint. */ - val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(publicKey) + val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(publicKey.pgpPublicKey) /** All User-IDs (valid, expired, revoked). */ - val userIds: List = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(publicKey) + val userIds: List = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(publicKey.pgpPublicKey) /** Primary User-ID. */ val primaryUserId = keys.getPrimaryUserId(referenceDate)?.userId @@ -102,8 +102,7 @@ class KeyRingInfo( } /** List of valid public subkeys. */ - val validSubkeys: List = - keys.publicKeys.values.filter { it.isBoundAt(referenceDate) }.map { it.pgpPublicKey } + val validSubkeys: List = keys.getValidKeys(referenceDate).map { it.pgpPublicKey } /** List of valid user-IDs. */ val validUserIds: List = keys.getValidUserIds(referenceDate).map { it.userId } @@ -136,7 +135,8 @@ class KeyRingInfo( val revocationSelfSignature: PGPSignature? = signatures.primaryKeyRevocation /** Public-key encryption-algorithm of the primary key. */ - val algorithm: PublicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(publicKey.algorithm) + val algorithm: PublicKeyAlgorithm = + PublicKeyAlgorithm.requireFromId(publicKey.pgpPublicKey.algorithm) /** Creation date of the primary key. */ val creationDate: Date = publicKey.creationTime!! @@ -178,12 +178,16 @@ class KeyRingInfo( val primaryKeyExpirationDate: Date? get() { val directKeyExpirationDate: Date? = - latestDirectKeySelfSignature?.let { getKeyExpirationTimeAsDate(it, publicKey) } + latestDirectKeySelfSignature?.let { + getKeyExpirationTimeAsDate(it, publicKey.pgpPublicKey) + } val possiblyExpiredPrimaryUserId = getPossiblyExpiredPrimaryUserId() val primaryUserIdCertification = possiblyExpiredPrimaryUserId?.let { getLatestUserIdCertification(it) } val userIdExpirationDate: Date? = - primaryUserIdCertification?.let { getKeyExpirationTimeAsDate(it, publicKey) } + primaryUserIdCertification?.let { + getKeyExpirationTimeAsDate(it, publicKey.pgpPublicKey) + } if (latestDirectKeySelfSignature == null && primaryUserIdCertification == null) { throw NoSuchElementException( @@ -257,7 +261,7 @@ class KeyRingInfo( * @return expiration date */ fun getSubkeyExpirationDate(keyId: Long): Date? { - if (publicKey.keyID == keyId) return primaryKeyExpirationDate + if (publicKey.keyIdentifier.keyId == keyId) return primaryKeyExpirationDate val subkey = getPublicKey(keyId) ?: throw NoSuchElementException( @@ -328,7 +332,7 @@ class KeyRingInfo( ): List { if (userId != null && !isUserIdValid(userId)) { throw UnboundUserIdException( - OpenPgpFingerprint.of(publicKey), + OpenPgpFingerprint.of(publicKey.pgpPublicKey), userId.toString(), getLatestUserIdCertification(userId), getUserIdRevocation(userId)) @@ -469,7 +473,7 @@ class KeyRingInfo( * @return list of key flags */ fun getKeyFlagsOf(keyId: Long): List = - if (keyId == publicKey.keyID) { + if (keyId == publicKey.keyIdentifier.keyId) { latestDirectKeySelfSignature?.let { sig -> SignatureSubpacketsUtil.parseKeyFlags(sig)?.let { flags -> return flags @@ -684,7 +688,7 @@ class KeyRingInfo( return false } if (sig.hashedSubPackets.isPrimaryUserID) { - getKeyExpirationTimeAsDate(sig, publicKey)?.let { expirationDate -> + getKeyExpirationTimeAsDate(sig, publicKey.pgpPublicKey)?.let { expirationDate -> // key expired? if (expirationDate < referenceDate) return false } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index d6bcb0b1..3ee24a60 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -7,12 +7,8 @@ package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -39,11 +35,11 @@ import org.pgpainless.util.Passphrase; * The result ({@link org.pgpainless.key.generation.KeyRingBuilder}) provides some factory methods for key archetypes * such as {@link org.pgpainless.key.generation.KeyRingTemplates#modernKeyRing(CharSequence, String)} or * {@link org.pgpainless.key.generation.KeyRingTemplates#simpleRsaKeyRing(CharSequence, RsaLength)}. - * + *

* Those methods always take a user-id which is used as primary user-id, as well as a passphrase which is used to encrypt * the secret key. * To generate unencrypted secret keys, just pass {@code null} as passphrase. - * + *

* Besides the archetype methods, it is possible to generate fully customized keys (see {@link #generateCustomOpenPGPKey()}). */ public class GenerateKeys { @@ -52,12 +48,11 @@ public class GenerateKeys { * This example demonstrates how to generate a modern OpenPGP key which consists of an ed25519 EdDSA primary key * used solely for certification of subkeys, as well as an ed25519 EdDSA signing subkey, and an X25519 ECDH * encryption subkey. - * + *

* This is the recommended way to generate OpenPGP keys with PGPainless. */ @Test - public void generateModernEcKey() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void generateModernEcKey() { // Define a primary user-id String userId = "gbaker@pgpainless.org"; // Set a password to protect the secret key @@ -75,7 +70,7 @@ public class GenerateKeys { assertEquals(3, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), - keyInfo.getPublicKey().getAlgorithm()); + keyInfo.getAlgorithm().getAlgorithmId()); assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), keyInfo.getSigningSubkeys().get(0).getAlgorithm()); assertEquals(PublicKeyAlgorithm.ECDH.getAlgorithmId(), @@ -85,12 +80,11 @@ public class GenerateKeys { /** * This example demonstrates how to generate a simple OpenPGP key consisting of a 4096-bit RSA key. * The RSA key is used for both signing and certifying, as well as encryption. - * + *

* This method is recommended if the application has to deal with legacy clients with poor algorithm support. */ @Test - public void generateSimpleRSAKey() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateSimpleRSAKey() { // Define a primary user-id String userId = "mpage@pgpainless.org"; // Set a password to protect the secret key @@ -102,19 +96,18 @@ public class GenerateKeys { KeyRingInfo keyInfo = new KeyRingInfo(secretKey); assertEquals(1, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); - assertEquals(PublicKeyAlgorithm.RSA_GENERAL.getAlgorithmId(), keyInfo.getPublicKey().getAlgorithm()); + assertEquals(PublicKeyAlgorithm.RSA_GENERAL.getAlgorithmId(), keyInfo.getAlgorithm().getAlgorithmId()); } /** * This example demonstrates how to generate a simple OpenPGP key based on elliptic curves. * The key consists of an ECDSA primary key that is used both for certification of subkeys, and signing of data, * and a single ECDH encryption subkey. - * + *

* This method is recommended if small keys and high performance are desired. */ @Test - public void generateSimpleECKey() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateSimpleECKey() { // Define a primary user-id String userId = "mhelms@pgpainless.org"; // Set a password to protect the secret key @@ -133,43 +126,42 @@ public class GenerateKeys { * This example demonstrates how to generate a custom OpenPGP secret key. * Among user-id and password, the user can add an arbitrary number of subkeys and specify their algorithms and * algorithm preferences. - * + *

* If the target key amalgamation (key ring) should consist of more than just a single (sub-)key, start by providing * the primary key specification using {@link org.pgpainless.key.generation.KeyRingBuilder#setPrimaryKey(KeySpec)}. * Any additional subkeys can be then added using {@link org.pgpainless.key.generation.KeyRingBuilder#addSubkey(KeySpec)}. - * - * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType, KeyFlag, KeyFlag...)} + *

+ * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType, KeyFlag...)} * method and providing a {@link KeyType}. * There are a bunch of factory methods for different {@link KeyType} implementations present in {@link KeyType} itself * (such as {@link KeyType#ECDH(EllipticCurve)}). {@link KeyFlag KeyFlags} determine * the use of the key, like encryption, signing data or certifying subkeys. - * + *

* If you so desire, you can now specify your own algorithm preferences. * For that, see {@link org.pgpainless.key.generation.KeySpecBuilder#overridePreferredCompressionAlgorithms(CompressionAlgorithm...)}, * {@link org.pgpainless.key.generation.KeySpecBuilder#overridePreferredHashAlgorithms(HashAlgorithm...)} or * {@link org.pgpainless.key.generation.KeySpecBuilder#overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm...)}. - * + *

* Note, that if you set preferred algorithms, the preference lists are sorted from high priority to low priority. - * + *

* When setting the primary key spec ({@link org.pgpainless.key.generation.KeyRingBuilder#setPrimaryKey(KeySpecBuilder)}), * make sure that the primary key spec has the {@link KeyFlag} {@link KeyFlag#CERTIFY_OTHER} set, as this is a requirement * for primary keys. - * + *

* Furthermore, you have to set at least the primary user-id via - * {@link org.pgpainless.key.generation.KeyRingBuilder#addUserId(String)}, + * {@link org.pgpainless.key.generation.KeyRingBuilder#addUserId(CharSequence)}, * but you can also add additional user-ids. - * + *

* If you want the key to expire at a certain point in time, call * {@link org.pgpainless.key.generation.KeyRingBuilder#setExpirationDate(Date)}. * Lastly you can decide whether to set a passphrase to protect the secret key using * {@link org.pgpainless.key.generation.KeyRingBuilder#setPassphrase(Passphrase)}. */ @Test - public void generateCustomOpenPGPKey() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateCustomOpenPGPKey() { // Instead of providing a string, we can assemble a user-id by using the user-id builder. // The example below corresponds to "Morgan Carpenter (Pride!) " - UserId userId = UserId.newBuilder() + UserId userId = UserId.builder() .withName("Morgan Carpenter") .withEmail("mcarpenter@pgpainless.org") .withComment("Pride!") From c40a0b91f94d0bb3dd0292f902601c8e5adbb61d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 5 Feb 2025 12:01:16 +0100 Subject: [PATCH 022/265] KeyRingInfo: Expose OpenPGPComponentKey in place of PGPPublicKey, OpenPGPSecretKey instead of PGPSecretKey --- .../commands/RoundTripSignVerifyCmdTest.java | 2 +- .../OpenPgpMessageInputStream.kt | 20 +-- .../encryption_signing/BcHashContextSigner.kt | 6 +- .../encryption_signing/EncryptionOptions.kt | 11 +- .../encryption_signing/SigningOptions.kt | 34 ++-- .../org/pgpainless/key/SubkeyIdentifier.kt | 21 +-- .../key/certification/CertifyCertificate.kt | 7 +- .../org/pgpainless/key/info/KeyRingInfo.kt | 159 +++++++++--------- ...vestigateMultiSEIPMessageHandlingTest.java | 6 +- ...ngBcPublicKeyDataDecryptorFactoryTest.java | 4 +- .../CertificateWithMissingSecretKeyTest.java | 11 +- ...stomPublicKeyDataDecryptorFactoryTest.java | 9 +- .../DecryptHiddenRecipientMessageTest.java | 7 +- .../MissingPassphraseForDecryptionTest.java | 13 +- ...erifyWithMissingPublicKeyCallbackTest.java | 11 +- .../MultiSigningSubkeyTest.java | 14 +- .../encryption_signing/SigningTest.java | 19 +-- .../org/pgpainless/example/GenerateKeys.java | 4 +- .../org/pgpainless/example/ModifyKeys.java | 26 +-- .../java/org/pgpainless/example/Sign.java | 10 +- .../KeyGenerationSubpacketsTest.java | 14 +- .../pgpainless/key/info/KeyRingInfoTest.java | 40 +++-- ...odifiedBindingSignatureSubpacketsTest.java | 12 +- .../ChangeSubkeyExpirationTimeTest.java | 8 +- .../key/modification/RevokeSubKeyTest.java | 11 +- .../SignatureSubpacketsUtilTest.java | 10 +- ...bkeyAndPrimaryKeyBindingSignatureTest.java | 13 +- 27 files changed, 254 insertions(+), 248 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java index 9dcb3aca..9ce18779 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java @@ -252,7 +252,7 @@ public class RoundTripSignVerifyCmdTest extends CLITest { String verification = verificationsOut.toString(); String[] split = verification.split(" "); OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(cert); - OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(info.getSigningSubkeys().get(0)); + OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(info.getSigningSubkeys().get(0).getPGPPublicKey()); assertEquals(signingKeyFingerprint.toString(), split[1].trim(), verification); assertEquals(primaryKeyFingerprint.toString(), split[2].trim()); diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index bd24b245..06018e06 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -675,17 +675,17 @@ class OpenPgpMessageInputStream( private fun getDecryptionKey(keyId: Long): PGPSecretKeyRing? = options.getDecryptionKeys().firstOrNull { it.any { k -> k.keyID == keyId } - .and(PGPainless.inspectKeyRing(it).decryptionSubkeys.any { k -> k.keyID == keyId }) + .and( + PGPainless.inspectKeyRing(it).decryptionSubkeys.any { k -> + k.keyIdentifier.keyId == keyId + }) } private fun getDecryptionKey(pkesk: PGPPublicKeyEncryptedData): PGPSecretKeyRing? = options.getDecryptionKeys().firstOrNull { it.getSecretKeyFor(pkesk) != null && PGPainless.inspectKeyRing(it).decryptionSubkeys.any { subkey -> - when (pkesk.version) { - 3 -> pkesk.keyID == subkey.keyID - else -> throw NotImplementedError("Version 6 PKESK not yet supported.") - } + pkesk.keyIdentifier.matches(subkey.keyIdentifier) } } @@ -693,10 +693,7 @@ class OpenPgpMessageInputStream( options.getDecryptionKeys().filter { it.getSecretKeyFor(pkesk) != null && PGPainless.inspectKeyRing(it).decryptionSubkeys.any { subkey -> - when (pkesk.version) { - 3 -> pkesk.keyID == subkey.keyID - else -> throw NotImplementedError("Version 6 PKESK not yet supported.") - } + pkesk.keyIdentifier.matches(subkey.keyIdentifier) } } @@ -708,8 +705,9 @@ class OpenPgpMessageInputStream( options.getDecryptionKeys().forEach { val info = PGPainless.inspectKeyRing(it) for (key in info.decryptionSubkeys) { - if (key.algorithm == algorithm && info.isSecretKeyAvailable(key.keyID)) { - candidates.add(it to it.getSecretKey(key.keyID)) + if (key.pgpPublicKey.algorithm == algorithm && + info.isSecretKeyAvailable(key.keyIdentifier)) { + candidates.add(it to it.getSecretKey(key.keyIdentifier)) } } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt index 47aed2be..88e8d21d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt @@ -27,9 +27,11 @@ class BcHashContextSigner { ): PGPSignature { val info = PGPainless.inspectKeyRing(secretKey) return info.signingSubkeys - .mapNotNull { info.getSecretKey(it.keyID) } + .mapNotNull { info.getSecretKey(it.keyIdentifier) } .firstOrNull() - ?.let { signHashContext(hashContext, signatureType, it.unlock(protector)) } + ?.let { + signHashContext(hashContext, signatureType, it.pgpSecretKey.unlock(protector)) + } ?: throw PGPException("Key does not contain suitable signing subkey.") } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index f261b85e..c6683480 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -144,7 +144,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { val info = KeyRingInfo(key, evaluationDate) val subkeys = encryptionKeySelector.selectEncryptionSubkeys( - info.getEncryptionSubkeys(userId, purpose)) + info.getEncryptionSubkeys(userId, purpose).map { it.pgpPublicKey }) if (subkeys.isEmpty()) { throw KeyException.UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(key)) } @@ -184,7 +184,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { throw ExpiredKeyException(OpenPgpFingerprint.of(key), primaryKeyExpiration) } - var encryptionSubkeys = selector.selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose)) + var encryptionSubkeys = + selector.selectEncryptionSubkeys( + info.getEncryptionSubkeys(purpose).map { it.pgpPublicKey }) // There are some legacy keys around without key flags. // If we allow encryption for those keys, we add valid keys without any key flags, if they @@ -193,8 +195,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { if (encryptionSubkeys.isEmpty() && allowEncryptionWithMissingKeyFlags) { encryptionSubkeys = info.validSubkeys - .filter { it.isEncryptionKey } - .filter { info.getKeyFlagsOf(it.keyID).isEmpty() } + .filter { it.pgpPublicKey.isEncryptionKey } + .filter { info.getKeyFlagsOf(it.keyIdentifier).isEmpty() } + .map { it.pgpPublicKey } } if (encryptionSubkeys.isEmpty()) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index e0fe2972..0f193e2f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -5,6 +5,7 @@ package org.pgpainless.encryption_signing import java.util.* +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.pgpainless.PGPainless.Companion.getPolicy import org.pgpainless.PGPainless.Companion.inspectKeyRing @@ -153,12 +154,13 @@ class SigningOptions { for (signingPubKey in signingPubKeys) { val signingSecKey: PGPSecretKey = - signingKey.getSecretKey(signingPubKey.keyID) - ?: throw MissingSecretKeyException(of(signingKey), signingPubKey.keyID) + signingKey.getSecretKey(signingPubKey.keyIdentifier) + ?: throw MissingSecretKeyException( + of(signingKey), signingPubKey.keyIdentifier.keyId) val signingSubkey: PGPPrivateKey = signingSecKey.unlock(signingKeyProtector) val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) - else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyID) + else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) addSigningMethod( signingKey, signingSubkey, hashAlgorithm, signatureType, false, subpacketsCallback) @@ -197,15 +199,16 @@ class SigningOptions { } for (signingPubKey in signingPubKeys) { - if (signingPubKey.keyID != keyId) { + if (!signingPubKey.keyIdentifier.matches(KeyIdentifier(keyId))) { continue } val signingSecKey = - signingKey.getSecretKey(signingPubKey.keyID) - ?: throw MissingSecretKeyException(of(signingKey), signingPubKey.keyID) + signingKey.getSecretKey(signingPubKey.keyIdentifier) + ?: throw MissingSecretKeyException( + of(signingKey), signingPubKey.keyIdentifier.keyId) val signingSubkey = signingSecKey.unlock(signingKeyProtector) - val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyID) + val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) addSigningMethod( signingKey, signingSubkey, hashAlgorithm, signatureType, false, subpacketsCallback) @@ -297,12 +300,13 @@ class SigningOptions { for (signingPubKey in signingPubKeys) { val signingSecKey: PGPSecretKey = - signingKey.getSecretKey(signingPubKey.keyID) - ?: throw MissingSecretKeyException(of(signingKey), signingPubKey.keyID) + signingKey.getSecretKey(signingPubKey.keyIdentifier) + ?: throw MissingSecretKeyException( + of(signingKey), signingPubKey.keyIdentifier.keyId) val signingSubkey: PGPPrivateKey = signingSecKey.unlock(signingKeyProtector) val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) - else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyID) + else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) addSigningMethod( signingKey, signingSubkey, hashAlgorithm, signatureType, true, subpacketCallback) @@ -342,12 +346,14 @@ class SigningOptions { } for (signingPubKey in signingPubKeys) { - if (signingPubKey.keyID == keyId) { + if (signingPubKey.keyIdentifier.matches(KeyIdentifier(keyId))) { val signingSecKey: PGPSecretKey = - signingKey.getSecretKey(signingPubKey.keyID) - ?: throw MissingSecretKeyException(of(signingKey), signingPubKey.keyID) + signingKey.getSecretKey(signingPubKey.keyIdentifier) + ?: throw MissingSecretKeyException( + of(signingKey), signingPubKey.keyIdentifier.keyId) val signingSubkey: PGPPrivateKey = signingSecKey.unlock(signingKeyProtector) - val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyID) + val hashAlgorithms = + keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) addSigningMethod( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index 58c935d9..56307873 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -4,7 +4,6 @@ package org.pgpainless.key -import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey @@ -24,21 +23,23 @@ class SubkeyIdentifier( constructor(key: PGPPublicKey) : this(OpenPgpFingerprint.of(key)) - constructor( - keys: PGPKeyRing, - keyId: Long - ) : this( - OpenPgpFingerprint.of(keys.publicKey), - OpenPgpFingerprint.of( - keys.getPublicKey(keyId) - ?: throw NoSuchElementException( - "OpenPGP key does not contain subkey ${keyId.openPgpKeyId()}"))) + constructor(keys: PGPKeyRing, keyId: Long) : this(keys, KeyIdentifier(keyId)) constructor( keys: PGPKeyRing, subkeyFingerprint: OpenPgpFingerprint ) : this(OpenPgpFingerprint.of(keys), subkeyFingerprint) + constructor( + keys: PGPKeyRing, + subkeyIdentifier: KeyIdentifier + ) : this( + OpenPgpFingerprint.of(keys), + OpenPgpFingerprint.of( + keys.getPublicKey(subkeyIdentifier) + ?: throw NoSuchElementException( + "OpenPGP key does not contain subkey $subkeyIdentifier"))) + val keyIdentifier = KeyIdentifier(subkeyFingerprint.bytes) val subkeyIdentifier = keyIdentifier val primaryKeyIdentifier = KeyIdentifier(primaryKeyFingerprint.bytes) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index 9499355c..e75dc5bf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -225,7 +225,7 @@ class CertifyCertificate { val fingerprint = info.fingerprint val certificationPubKey = info.getPublicKey(fingerprint) requireNotNull(certificationPubKey) { "Primary key cannot be null." } - if (!info.isKeyValidlyBound(certificationPubKey.keyID)) { + if (!info.isKeyValidlyBound(certificationPubKey.keyIdentifier)) { throw RevokedKeyException(fingerprint) } @@ -238,8 +238,9 @@ class CertifyCertificate { throw ExpiredKeyException(fingerprint, expirationDate) } - return certificationKey.getSecretKey(certificationPubKey.keyID) - ?: throw MissingSecretKeyException(fingerprint, certificationPubKey.keyID) + return certificationKey.getSecretKey(certificationPubKey.keyIdentifier) + ?: throw MissingSecretKeyException( + fingerprint, certificationPubKey.keyIdentifier.keyId) } } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 9271f550..011407f6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -9,6 +9,9 @@ import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.* import org.pgpainless.bouncycastle.extensions.* @@ -33,7 +36,10 @@ class KeyRingInfo( keys: PGPKeyRing, policy: Policy = PGPainless.getPolicy(), referenceDate: Date = Date() - ) : this(OpenPGPCertificate(keys), policy, referenceDate) + ) : this( + if (keys is PGPSecretKeyRing) OpenPGPKey(keys) else OpenPGPCertificate(keys), + policy, + referenceDate) @JvmOverloads constructor( @@ -74,35 +80,32 @@ class KeyRingInfo( if (revocationState.isSoftRevocation()) revocationState.date else null /** - * Primary [PGPSecretKey] of this key ring or null if the key ring is not a [PGPSecretKeyRing]. + * Primary [OpenPGPSecretKey] of this key ring or null if the key ring is not a [OpenPGPKey]. */ - val secretKey: PGPSecretKey? = - when (keys.pgpKeyRing) { - is PGPSecretKeyRing -> (keys.pgpKeyRing as PGPSecretKeyRing).secretKey!! - else -> null - } + val secretKey: OpenPGPSecretKey? = + if (keys.isSecretKey) { + (keys as OpenPGPKey).primarySecretKey + } else null /** OpenPGP key version. */ val version: Int = publicKey.version /** - * Return all [PGPPublicKeys][PGPPublicKey] of this key ring. The first key in the list being - * the primary key. Note that the list is unmodifiable. + * Return all [public component keys][OpenPGPComponentKey] of this key ring. The first key in + * the list being the primary key. Note that the list is unmodifiable. * * @return list of public keys */ - val publicKeys: List = keys.pgpKeyRing.publicKeys.asSequence().toList() + val publicKeys: List = keys.keys - /** All secret keys. If the key ring is a [PGPPublicKeyRing], then return an empty list. */ - val secretKeys: List = - when (keys.pgpKeyRing) { - is PGPSecretKeyRing -> - (keys.pgpKeyRing as PGPSecretKeyRing).secretKeys.asSequence().toList() - else -> listOf() - } + /** All secret keys. If the key ring is not an [OpenPGPKey], then return an empty list. */ + val secretKeys: List = + if (keys.isSecretKey) { + (keys as OpenPGPKey).secretKeys.values.toList() + } else listOf() - /** List of valid public subkeys. */ - val validSubkeys: List = keys.getValidKeys(referenceDate).map { it.pgpPublicKey } + /** List of valid public component keys. */ + val validSubkeys: List = keys.getValidKeys(referenceDate) /** List of valid user-IDs. */ val validUserIds: List = keys.getValidUserIds(referenceDate).map { it.userId } @@ -144,30 +147,32 @@ class KeyRingInfo( /** Latest date at which the key was modified (either by adding a subkey or self-signature). */ val lastModified: Date = keys.lastModificationDate - /** True, if the underlying keyring is a [PGPSecretKeyRing]. */ - val isSecretKey: Boolean = keys.pgpKeyRing is PGPSecretKeyRing + /** True, if the underlying key is a [OpenPGPKey]. */ + val isSecretKey: Boolean = keys.isSecretKey /** True, if there are no encrypted secret keys. */ val isFullyDecrypted: Boolean = - !isSecretKey || secretKeys.all { it.hasDummyS2K() || it.isDecrypted() } + !isSecretKey || + secretKeys.all { it.pgpSecretKey.hasDummyS2K() || it.pgpSecretKey.isDecrypted() } /** True, if there are only encrypted secret keys. */ val isFullyEncrypted: Boolean = - isSecretKey && secretKeys.none { !it.hasDummyS2K() && it.isDecrypted() } + isSecretKey && + secretKeys.none { !it.pgpSecretKey.hasDummyS2K() && it.pgpSecretKey.isDecrypted() } /** List of public keys, whose secret key counterparts can be used to decrypt messages. */ - val decryptionSubkeys: List = - keys.pgpKeyRing.publicKeys + val decryptionSubkeys: List = + keys.keys .asSequence() .filter { if (!it.keyIdentifier.matches(keyIdentifier)) { - if (signatures.subkeyBindings[it.keyID] == null) { - LOGGER.debug("Subkey ${it.keyID.openPgpKeyId()} has no binding signature.") + if (signatures.subkeyBindings[it.keyIdentifier.keyId] == null) { + LOGGER.debug("Subkey ${it.keyIdentifier} has no binding signature.") return@filter false } } - if (!it.isEncryptionKey) { - LOGGER.debug("(Sub-?)Key ${it.keyID.openPgpKeyId()} is not encryption-capable.") + if (!it.pgpPublicKey.isEncryptionKey) { + LOGGER.debug("(Sub-?)Key ${it.keyIdentifier} is not encryption-capable.") return@filter false } return@filter true @@ -204,8 +209,7 @@ class KeyRingInfo( } /** List of all subkeys that can be used to sign a message. */ - val signingSubkeys: List = - keys.getSigningKeys(referenceDate).map { it.pgpPublicKey } + val signingSubkeys: List = keys.getSigningKeys(referenceDate) /** Whether the key is usable for encryption. */ val isUsableForEncryption: Boolean = @@ -222,7 +226,7 @@ class KeyRingInfo( /** Whether the key is actually usable to sign messages. */ val isUsableForSigning: Boolean = - isSigningCapable && signingSubkeys.any { isSecretKeyAvailable(it.keyID) } + isSigningCapable && signingSubkeys.any { isSecretKeyAvailable(it.keyIdentifier) } /** [HashAlgorithm] preferences of the primary user-ID or if absent, of the primary key. */ val preferredHashAlgorithms: Set @@ -254,6 +258,10 @@ class KeyRingInfo( return getSubkeyExpirationDate(fingerprint.keyId) } + fun getSubkeyExpirationDate(keyIdentifier: KeyIdentifier): Date? { + return getSubkeyExpirationDate(keyIdentifier.keyId) + } + /** * Return the expiration date of the subkey with the provided keyId. * @@ -284,7 +292,7 @@ class KeyRingInfo( } val primaryKeyExpiration = primaryKeyExpirationDate - val keysWithFlag: List = getKeysWithKeyFlag(use) + val keysWithFlag: List = getKeysWithKeyFlag(use) if (keysWithFlag.isEmpty()) throw NoSuchElementException("No key with the required key flag found.") @@ -292,7 +300,9 @@ class KeyRingInfo( val latestSubkeyExpiration = keysWithFlag .map { key -> - getSubkeyExpirationDate(key.keyID).also { if (it == null) nonExpiring = true } + getSubkeyExpirationDate(key.keyIdentifier).also { + if (it == null) nonExpiring = true + } } .filterNotNull() .maxByOrNull { it } @@ -318,8 +328,8 @@ class KeyRingInfo( * @param flag flag * @return keys with flag */ - fun getKeysWithKeyFlag(flag: KeyFlag): List = - publicKeys.filter { getKeyFlagsOf(it.keyID).contains(flag) } + fun getKeysWithKeyFlag(flag: KeyFlag): List = + publicKeys.filter { getKeyFlagsOf(it.keyIdentifier).contains(flag) } /** * Return a list of all subkeys which can be used to encrypt a message for the given user-ID. @@ -329,7 +339,7 @@ class KeyRingInfo( fun getEncryptionSubkeys( userId: CharSequence?, purpose: EncryptionPurpose - ): List { + ): List { if (userId != null && !isUserIdValid(userId)) { throw UnboundUserIdException( OpenPgpFingerprint.of(publicKey.pgpPublicKey), @@ -345,7 +355,7 @@ class KeyRingInfo( * * @return subkeys which can be used for encryption */ - fun getEncryptionSubkeys(purpose: EncryptionPurpose): List { + fun getEncryptionSubkeys(purpose: EncryptionPurpose): List { primaryKeyExpirationDate?.let { if (it < referenceDate) { LOGGER.debug( @@ -354,29 +364,29 @@ class KeyRingInfo( } } - return keys.pgpKeyRing.publicKeys + return keys.keys .asSequence() .filter { - if (!isKeyValidlyBound(it.keyID)) { - LOGGER.debug("(Sub?)-Key ${it.keyID.openPgpKeyId()} is not validly bound.") + if (!isKeyValidlyBound(it.keyIdentifier)) { + LOGGER.debug("(Sub?)-Key ${it.keyIdentifier} is not validly bound.") return@filter false } - getSubkeyExpirationDate(it.keyID)?.let { exp -> + getSubkeyExpirationDate(it.keyIdentifier)?.let { exp -> if (exp < referenceDate) { LOGGER.debug( - "(Sub?)-Key ${it.keyID.openPgpKeyId()} is expired on ${DateUtil.formatUTCDate(exp)}.") + "(Sub?)-Key ${it.keyIdentifier} is expired on ${DateUtil.formatUTCDate(exp)}.") return@filter false } } - if (!it.isEncryptionKey) { + if (!it.pgpPublicKey.isEncryptionKey) { LOGGER.debug( - "(Sub?)-Key ${it.keyID.openPgpKeyId()} algorithm is not capable of encryption.") + "(Sub?)-Key ${it.keyIdentifier} algorithm is not capable of encryption.") return@filter false } - val keyFlags = getKeyFlagsOf(it.keyID) + val keyFlags = getKeyFlagsOf(it.keyIdentifier) when (purpose) { EncryptionPurpose.COMMUNICATIONS -> return@filter keyFlags.contains(KeyFlag.ENCRYPT_COMMS) @@ -519,7 +529,7 @@ class KeyRingInfo( * @param keyId key id * @return public key or null */ - fun getPublicKey(keyId: Long): PGPPublicKey? = keys.pgpKeyRing.getPublicKey(keyId) + fun getPublicKey(keyId: Long): OpenPGPComponentKey? = keys.getKey(KeyIdentifier(keyId)) /** * Return the secret key with the given key id. @@ -527,11 +537,16 @@ class KeyRingInfo( * @param keyId key id * @return secret key or null */ - fun getSecretKey(keyId: Long): PGPSecretKey? = - when (keys.pgpKeyRing) { - is PGPSecretKeyRing -> (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(keyId) - else -> null - } + fun getSecretKey(keyId: Long): OpenPGPSecretKey? = getSecretKey(KeyIdentifier(keyId)) + + fun getSecretKey(keyIdentifier: KeyIdentifier): OpenPGPSecretKey? = + if (keys.isSecretKey) { + (keys as OpenPGPKey).getSecretKey(keyIdentifier) + } else null + + fun isSecretKeyAvailable(keyId: Long): Boolean { + return isSecretKeyAvailable(KeyIdentifier(keyId)) + } /** * Return true, if the secret-key with the given key-ID is available (i.e. not moved to a @@ -539,10 +554,10 @@ class KeyRingInfo( * * @return availability of the secret key */ - fun isSecretKeyAvailable(keyId: Long): Boolean { - return getSecretKey(keyId)?.let { - return if (it.s2K == null) true // Unencrypted key - else it.s2K.type !in 100..110 // Secret key on smart-card + fun isSecretKeyAvailable(keyIdentifier: KeyIdentifier): Boolean { + return getSecretKey(keyIdentifier)?.let { + return if (it.pgpSecretKey.s2K == null) true // Unencrypted key + else it.pgpSecretKey.s2K.type !in 100..110 // Secret key on smart-card } ?: false // Missing secret key } @@ -553,8 +568,8 @@ class KeyRingInfo( * @param fingerprint fingerprint * @return public key or null */ - fun getPublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey? = - keys.pgpKeyRing.getPublicKey(fingerprint.bytes) + fun getPublicKey(fingerprint: OpenPgpFingerprint): OpenPGPComponentKey? = + keys.getKey(KeyIdentifier(fingerprint.bytes)) /** * Return the secret key with the given fingerprint. @@ -562,15 +577,11 @@ class KeyRingInfo( * @param fingerprint fingerprint * @return secret key or null */ - fun getSecretKey(fingerprint: OpenPgpFingerprint): PGPSecretKey? = - when (keys.pgpKeyRing) { - is PGPSecretKeyRing -> - (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(fingerprint.bytes) - else -> null - } + fun getSecretKey(fingerprint: OpenPgpFingerprint): OpenPGPSecretKey? = + getSecretKey(KeyIdentifier(fingerprint.bytes)) - fun getPublicKey(keyIdentifier: KeyIdentifier): PGPPublicKey? { - return keys.pgpKeyRing.getPublicKey(keyIdentifier) + fun getPublicKey(keyIdentifier: KeyIdentifier): OpenPGPComponentKey? { + return keys.getKey(keyIdentifier) } /** @@ -580,11 +591,11 @@ class KeyRingInfo( * @throws IllegalArgumentException if the identifier's primary key does not match the primary * key of the key. */ - fun getPublicKey(identifier: SubkeyIdentifier): PGPPublicKey? { + fun getPublicKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? { require(publicKey.keyIdentifier.equals(identifier.keyIdentifier)) { "Mismatching primary key ID." } - return keys.pgpKeyRing.getPublicKey(identifier.subkeyIdentifier) + return getPublicKey(identifier.subkeyIdentifier) } /** @@ -594,16 +605,8 @@ class KeyRingInfo( * @throws IllegalArgumentException if the identifier's primary key does not match the primary * key of the key. */ - fun getSecretKey(identifier: SubkeyIdentifier): PGPSecretKey? = - when (keys.pgpKeyRing) { - is PGPSecretKeyRing -> { - require(publicKey.keyIdentifier.equals(identifier.keyIdentifier)) { - "Mismatching primary key ID." - } - (keys.pgpKeyRing as PGPSecretKeyRing).getSecretKey(identifier.subkeyIdentifier) - } - else -> null - } + fun getSecretKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? = + getSecretKey(identifier.subkeyIdentifier) fun isKeyValidlyBound(keyIdentifier: KeyIdentifier): Boolean { return isKeyValidlyBound(keyIdentifier.keyId) diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java index a0ea747a..f37bf690 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java @@ -120,11 +120,11 @@ public class InvestigateMultiSEIPMessageHandlingTest { public void generateTestMessage() throws PGPException, IOException { PGPSecretKeyRing ring1 = PGPainless.readKeyRing().secretKeyRing(KEY1); KeyRingInfo info1 = PGPainless.inspectKeyRing(ring1); - PGPPublicKey cryptKey1 = info1.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); - PGPSecretKey signKey1 = ring1.getSecretKey(info1.getSigningSubkeys().get(0).getKeyID()); + PGPPublicKey cryptKey1 = info1.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); + PGPSecretKey signKey1 = ring1.getSecretKey(info1.getSigningSubkeys().get(0).getKeyIdentifier()); PGPSecretKeyRing ring2 = PGPainless.readKeyRing().secretKeyRing(KEY2); KeyRingInfo info2 = PGPainless.inspectKeyRing(ring2); - PGPSecretKey signKey2 = ring2.getSecretKey(info2.getSigningSubkeys().get(0).getKeyID()); + PGPSecretKey signKey2 = ring2.getSecretKey(info2.getSigningSubkeys().get(0).getKeyIdentifier()); ByteArrayOutputStream out = new ByteArrayOutputStream(); ArmoredOutputStream armorOut = new ArmoredOutputStream(out); diff --git a/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java index 10cf4b1f..bb5f260c 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java @@ -68,9 +68,9 @@ public class CachingBcPublicKeyDataDecryptorFactoryTest { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); SubkeyIdentifier decryptionKey = new SubkeyIdentifier(secretKeys, - info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID()); + info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyIdentifier()); - PGPSecretKey secretKey = secretKeys.getSecretKey(decryptionKey.getSubkeyId()); + PGPSecretKey secretKey = secretKeys.getSecretKey(decryptionKey.getKeyIdentifier()); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector); CachingBcPublicKeyDataDecryptorFactory cachingFactory = new CachingBcPublicKeyDataDecryptorFactory( privateKey, decryptionKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java index e5f9e370..5927df70 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java @@ -14,9 +14,8 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -66,14 +65,14 @@ public class CertificateWithMissingSecretKeyTest { private static final long signingSubkeyId = -7647663290973502178L; private static PGPSecretKeyRing missingSigningSecKey; - private static long encryptionSubkeyId; + private static KeyIdentifier encryptionSubkeyId; private static PGPSecretKeyRing missingDecryptionSecKey; private static final SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @BeforeAll - public static void prepare() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public static void prepare() throws IOException { // missing signing sec key we read from bytes missingSigningSecKey = PGPainless.readKeyRing().secretKeyRing(MISSING_SIGNING_SECKEY); @@ -81,9 +80,9 @@ public class CertificateWithMissingSecretKeyTest { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Missing Decryption Key "); encryptionSubkeyId = PGPainless.inspectKeyRing(secretKeys) - .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID(); + .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyIdentifier(); // remove the encryption/decryption secret key - missingDecryptionSecKey = KeyRingUtils.stripSecretKey(secretKeys, encryptionSubkeyId); + missingDecryptionSecKey = KeyRingUtils.stripSecretKey(secretKeys, encryptionSubkeyId.getKeyId()); } @Test diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java index d8b2f529..c8d9e2f1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java @@ -6,10 +6,10 @@ package org.pgpainless.decryption_verification; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; @@ -41,7 +41,8 @@ public class CustomPublicKeyDataDecryptorFactoryTest { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing().modernKeyRing("Alice"); PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKey); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); - PGPPublicKey encryptionKey = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); + OpenPGPCertificate.OpenPGPComponentKey encryptionKey = + info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); // Encrypt a test message String plaintext = "Hello, World!\n"; @@ -59,7 +60,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest { throws HardwareSecurity.HardwareSecurityException { // Emulate hardware decryption. try { - PGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyID()); + PGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyIdentifier()); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, Passphrase.emptyPassphrase()); PublicKeyDataDecryptorFactory internal = new BcPublicKeyDataDecryptorFactory(privateKey); return internal.recoverSessionData(keyAlgorithm, new byte[][] {sessionKeyData}, pkeskVersion); @@ -75,7 +76,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest { .withOptions(ConsumerOptions.get() .addCustomDecryptorFactory( new HardwareSecurity.HardwareDataDecryptorFactory( - new SubkeyIdentifier(cert, encryptionKey.getKeyID()), + new SubkeyIdentifier(cert, encryptionKey.getKeyIdentifier()), hardwareDecryptionCallback))); ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java index 4eb7b203..fc8cf347 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java @@ -13,8 +13,8 @@ import java.nio.charset.StandardCharsets; import java.util.List; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -144,10 +144,11 @@ public class DecryptHiddenRecipientMessageTest { assertEquals(0L, metadata.getRecipientKeyIds().get(0)); KeyRingInfo info = new KeyRingInfo(secretKeys); - List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); + List encryptionKeys = + info.getEncryptionSubkeys(EncryptionPurpose.ANY); assertEquals(1, encryptionKeys.size()); - assertEquals(new SubkeyIdentifier(secretKeys, encryptionKeys.get(0).getKeyID()), metadata.getDecryptionKey()); + assertEquals(new SubkeyIdentifier(secretKeys, encryptionKeys.get(0).getKeyIdentifier()), metadata.getDecryptionKey()); assertEquals("Hello Recipient :)", out.toString()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index 42562713..dcac7ada 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -14,14 +14,12 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.List; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -44,7 +42,7 @@ public class MissingPassphraseForDecryptionTest { private byte[] message; @BeforeEach - public void setup() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void setup() throws PGPException, IOException { secretKeys = PGPainless.generateKeyRing().modernKeyRing("Test", passphrase); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); ByteArrayOutputStream out = new ByteArrayOutputStream(); @@ -91,7 +89,8 @@ public class MissingPassphraseForDecryptionTest { @Test public void throwExceptionStrategy() throws PGPException, IOException { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); + List encryptionKeys = + info.getEncryptionSubkeys(EncryptionPurpose.ANY); SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { @Override @@ -118,8 +117,8 @@ public class MissingPassphraseForDecryptionTest { } catch (MissingPassphraseException e) { assertFalse(e.getKeyIds().isEmpty()); assertEquals(encryptionKeys.size(), e.getKeyIds().size()); - for (PGPPublicKey encryptionKey : encryptionKeys) { - assertTrue(e.getKeyIds().contains(new SubkeyIdentifier(secretKeys, encryptionKey.getKeyID()))); + for (OpenPGPCertificate.OpenPGPComponentKey encryptionKey : encryptionKeys) { + assertTrue(e.getKeyIds().contains(new SubkeyIdentifier(secretKeys, encryptionKey.getKeyIdentifier()))); } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java index 0d58e7dd..c77c70e1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java @@ -12,13 +12,11 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -39,9 +37,10 @@ import org.pgpainless.key.util.KeyRingUtils; public class VerifyWithMissingPublicKeyCallbackTest { @Test - public void testMissingPublicKeyCallback() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testMissingPublicKeyCallback() throws PGPException, IOException { PGPSecretKeyRing signingSecKeys = PGPainless.generateKeyRing().modernKeyRing("alice"); - PGPPublicKey signingKey = new KeyRingInfo(signingSecKeys).getSigningSubkeys().get(0); + OpenPGPCertificate.OpenPGPComponentKey signingKey = + new KeyRingInfo(signingSecKeys).getSigningSubkeys().get(0); PGPPublicKeyRing signingPubKeys = KeyRingUtils.publicKeyRingFrom(signingSecKeys); PGPPublicKeyRing unrelatedKeys = TestKeys.getJulietPublicKeyRing(); @@ -63,7 +62,7 @@ public class VerifyWithMissingPublicKeyCallbackTest { .setMissingCertificateCallback(new MissingPublicKeyCallback() { @Override public PGPPublicKeyRing onMissingPublicKeyEncountered(long keyId) { - assertEquals(signingKey.getKeyID(), keyId, "Signing key-ID mismatch."); + assertEquals(signingKey.getKeyIdentifier().getKeyId(), keyId, "Signing key-ID mismatch."); return signingPubKeys; } })); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java index 28097db6..d504238a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java @@ -5,10 +5,10 @@ package org.pgpainless.encryption_signing; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -31,8 +31,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import java.util.List; import java.util.stream.Collectors; @@ -50,7 +48,7 @@ public class MultiSigningSubkeyTest { private static SecretKeyRingProtector protector; @BeforeAll - public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public static void generateKey() { signingKey = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) @@ -59,10 +57,10 @@ public class MultiSigningSubkeyTest { .addUserId("Alice ") .build(); signingCert = PGPainless.extractCertificate(signingKey); - Iterator signingSubkeys = PGPainless.inspectKeyRing(signingKey).getSigningSubkeys().listIterator(); - primaryKey = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyID()); - signingKey1 = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyID()); - signingKey2 = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyID()); + Iterator signingSubkeys = PGPainless.inspectKeyRing(signingKey).getSigningSubkeys().listIterator(); + primaryKey = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyIdentifier()); + signingKey1 = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyIdentifier()); + signingKey2 = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyIdentifier()); protector = SecretKeyRingProtector.unprotectedKeys(); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index c62116b3..35c40e56 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -14,8 +14,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Arrays; import org.bouncycastle.openpgp.PGPException; @@ -60,7 +58,7 @@ public class SigningTest { PGPSecretKeyRing cryptieKeys = TestKeys.getCryptieSecretKeyRing(); KeyRingInfo cryptieInfo = new KeyRingInfo(cryptieKeys); - PGPSecretKey cryptieSigningKey = cryptieKeys.getSecretKey(cryptieInfo.getSigningSubkeys().get(0).getKeyID()); + PGPSecretKey cryptieSigningKey = cryptieKeys.getSecretKey(cryptieInfo.getSigningSubkeys().get(0).getKeyIdentifier()); PGPPublicKeyRingCollection keys = new PGPPublicKeyRingCollection(Arrays.asList(julietKeys, romeoKeys)); @@ -115,8 +113,7 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testSignWithInvalidUserIdFails() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testSignWithInvalidUserIdFails() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); @@ -131,7 +128,7 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testSignWithRevokedUserIdFails() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith( @@ -184,7 +181,7 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -214,7 +211,7 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey( KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -243,8 +240,7 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void signingWithNonCapableKeyThrowsKeyCannotSignException() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void signingWithNonCapableKeyThrowsKeyCannotSignException() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") @@ -259,8 +255,7 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void signWithInvalidUserIdThrowsKeyValidationError() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void signWithInvalidUserIdThrowsKeyValidationError() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 3ee24a60..c3b0dfa7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -72,9 +72,9 @@ public class GenerateKeys { assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), keyInfo.getAlgorithm().getAlgorithmId()); assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), - keyInfo.getSigningSubkeys().get(0).getAlgorithm()); + keyInfo.getSigningSubkeys().get(0).getPGPPublicKey().getAlgorithm()); assertEquals(PublicKeyAlgorithm.ECDH.getAlgorithmId(), - keyInfo.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getAlgorithm()); + keyInfo.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey().getAlgorithm()); } /** diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index fdc91cd2..296c5b56 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -15,10 +15,11 @@ import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.List; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -44,19 +45,18 @@ public class ModifyKeys { private final String originalPassphrase = "p4ssw0rd"; private PGPSecretKeyRing secretKey; private long primaryKeyId; - private long encryptionSubkeyId; - private long signingSubkeyId; + private KeyIdentifier encryptionSubkeyId; + private KeyIdentifier signingSubkeyId; @BeforeEach - public void generateKey() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateKey() { secretKey = PGPainless.generateKeyRing() .modernKeyRing(userId, originalPassphrase); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); primaryKeyId = info.getKeyIdentifier().getKeyId(); - encryptionSubkeyId = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID(); - signingSubkeyId = info.getSigningSubkeys().get(0).getKeyID(); + encryptionSubkeyId = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyIdentifier(); + signingSubkeyId = info.getSigningSubkeys().get(0).getKeyIdentifier(); } /** @@ -75,7 +75,7 @@ public class ModifyKeys { * This example demonstrates how to export a secret key or certificate to an ASCII armored string. */ @Test - public void toAsciiArmoredString() throws IOException { + public void toAsciiArmoredString() { PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); String asciiArmoredSecretKey = PGPainless.asciiArmor(secretKey); @@ -111,7 +111,7 @@ public class ModifyKeys { public void changeSingleSubkeyPassphrase() throws PGPException { secretKey = PGPainless.modifyKeyRing(secretKey) // Here we change the passphrase of the encryption subkey - .changeSubKeyPassphraseFromOldPassphrase(encryptionSubkeyId, Passphrase.fromPassword(originalPassphrase)) + .changeSubKeyPassphraseFromOldPassphrase(encryptionSubkeyId.getKeyId(), Passphrase.fromPassword(originalPassphrase)) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("cryptP4ssphr4s3")) .done(); @@ -147,13 +147,13 @@ public class ModifyKeys { * This example demonstrates how to add an additional subkey to an existing key. * Prerequisites are a {@link SecretKeyRingProtector} that is capable of unlocking the primary key of the existing key, * and a {@link Passphrase} for the new subkey. - * + *

* There are two ways to add a subkey into an existing key; * Either the subkey gets generated on the fly (see below), * or the subkey already exists. In the latter case, the user has to provide * {@link org.bouncycastle.openpgp.PGPSignatureSubpacketVector PGPSignatureSubpacketVectors} for the binding signature * manually. - * + *

* Once the subkey is added, it can be decrypted using the provided subkey passphrase. */ @Test @@ -173,9 +173,9 @@ public class ModifyKeys { KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); assertEquals(4, info.getSecretKeys().size()); assertEquals(4, info.getPublicKeys().size()); - List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); assertEquals(2, encryptionSubkeys.size()); - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(encryptionSubkeys.get(1).getKeyID()), subkeyPassphrase); + UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(encryptionSubkeys.get(1).getKeyIdentifier()), subkeyPassphrase); } /** diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index 06228c75..b3181369 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -12,13 +12,11 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -38,7 +36,7 @@ public class Sign { private static SecretKeyRingProtector protector; @BeforeAll - public static void prepare() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public static void prepare() { secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example "); protector = SecretKeyRingProtector.unprotectedKeys(); // no password } @@ -94,8 +92,8 @@ public class Sign { EncryptionResult result = signingStream.getResult(); - PGPPublicKey signingKey = PGPainless.inspectKeyRing(secretKey).getSigningSubkeys().get(0); - PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(secretKey, signingKey.getKeyID())).iterator().next(); + OpenPGPCertificate.OpenPGPComponentKey signingKey = PGPainless.inspectKeyRing(secretKey).getSigningSubkeys().get(0); + PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(secretKey, signingKey.getKeyIdentifier())).iterator().next(); String detachedSignature = ArmorUtils.toAsciiArmoredString(signature.getEncoded()); assertTrue(detachedSignature.startsWith("-----BEGIN PGP SIGNATURE-----")); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index 6ebe74b3..9900f55b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -18,10 +18,10 @@ import java.util.List; import org.bouncycastle.bcpg.sig.IssuerFingerprint; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; @@ -107,7 +107,7 @@ public class KeyGenerationSubpacketsTest { throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - List keysBefore = info.getPublicKeys(); + List keysBefore = info.getPublicKeys(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addSubKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).build(), @@ -116,12 +116,12 @@ public class KeyGenerationSubpacketsTest { info = PGPainless.inspectKeyRing(secretKeys); - List keysAfter = new ArrayList<>(info.getPublicKeys()); + List keysAfter = new ArrayList<>(info.getPublicKeys()); keysAfter.removeAll(keysBefore); assertEquals(1, keysAfter.size()); - PGPPublicKey newSigningKey = keysAfter.get(0); + OpenPGPCertificate.OpenPGPComponentKey newSigningKey = keysAfter.get(0); - PGPSignature bindingSig = info.getCurrentSubkeyBindingSignature(newSigningKey.getKeyID()); + PGPSignature bindingSig = info.getCurrentSubkeyBindingSignature(newSigningKey.getKeyIdentifier().getKeyId()); assertNotNull(bindingSig); assureSignatureHasDefaultSubpackets(bindingSig, secretKeys, KeyFlag.SIGN_DATA); assertNotNull(bindingSig.getHashedSubPackets().getEmbeddedSignatures().get(0)); @@ -142,8 +142,8 @@ public class KeyGenerationSubpacketsTest { keysAfter.removeAll(keysBefore); keysAfter.remove(newSigningKey); assertEquals(1, keysAfter.size()); - PGPPublicKey newEncryptionKey = keysAfter.get(0); - bindingSig = info.getCurrentSubkeyBindingSignature(newEncryptionKey.getKeyID()); + OpenPGPCertificate.OpenPGPComponentKey newEncryptionKey = keysAfter.get(0); + bindingSig = info.getCurrentSubkeyBindingSignature(newEncryptionKey.getKeyIdentifier().getKeyId()); assertNotNull(bindingSig); assertNull(bindingSig.getHashedSubPackets().getIssuerFingerprint()); assertEquals(KeyFlag.toBitmask(KeyFlag.ENCRYPT_COMMS), bindingSig.getHashedSubPackets().getKeyFlags()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index ca284cdc..8b1877ee 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -25,10 +25,11 @@ import java.util.NoSuchElementException; import java.util.Set; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestTemplate; @@ -162,7 +163,7 @@ public class KeyRingInfoTest { PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), info.getSecretKey()); + assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), info.getSecretKey().getPGPSecretKey()); info = PGPainless.inspectKeyRing(publicKeys); assertNull(info.getSecretKey()); @@ -173,7 +174,7 @@ public class KeyRingInfoTest { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - assertEquals(KeyRingUtils.requirePrimaryPublicKeyFrom(secretKeys), info.getPublicKey()); + assertEquals(KeyRingUtils.requirePrimaryPublicKeyFrom(secretKeys), info.getPublicKey().getPGPPublicKey()); assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), KeyRingUtils.requireSecretKeyFrom(secretKeys, secretKeys.getPublicKey().getKeyID())); @@ -229,7 +230,7 @@ public class KeyRingInfoTest { KeyFlag.ENCRYPT_STORAGE)) .addSubkey(KeySpec.getBuilder( KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.SIGN_DATA)) - .addUserId(UserId.newBuilder().withName("Alice").withEmail("alice@pgpainless.org").build()) + .addUserId(UserId.builder().withName("Alice").withEmail("alice@pgpainless.org").build()) .build(); Iterator keys = secretKeys.iterator(); @@ -256,17 +257,17 @@ public class KeyRingInfoTest { KeyRingInfo info = new KeyRingInfo(secretKeys); - List encryptionKeys = info.getKeysWithKeyFlag(KeyFlag.ENCRYPT_STORAGE); + List encryptionKeys = info.getKeysWithKeyFlag(KeyFlag.ENCRYPT_STORAGE); assertEquals(1, encryptionKeys.size()); - assertEquals(encryptionKey.getKeyID(), encryptionKeys.get(0).getKeyID()); + assertEquals(encryptionKey.getKeyIdentifier(), encryptionKeys.get(0).getKeyIdentifier()); - List signingKeys = info.getKeysWithKeyFlag(KeyFlag.SIGN_DATA); + List signingKeys = info.getKeysWithKeyFlag(KeyFlag.SIGN_DATA); assertEquals(1, signingKeys.size()); - assertEquals(signingKey.getKeyID(), signingKeys.get(0).getKeyID()); + assertEquals(signingKey.getKeyIdentifier(), signingKeys.get(0).getKeyIdentifier()); - List certKeys = info.getKeysWithKeyFlag(KeyFlag.CERTIFY_OTHER); + List certKeys = info.getKeysWithKeyFlag(KeyFlag.CERTIFY_OTHER); assertEquals(1, certKeys.size()); - assertEquals(primaryKey.getKeyID(), certKeys.get(0).getKeyID()); + assertEquals(primaryKey.getKeyIdentifier(), certKeys.get(0).getKeyIdentifier()); assertNotNull(info.getPrimaryKeyExpirationDate()); assertEquals(primaryKeyExpiration.getTime(), info.getPrimaryKeyExpirationDate().getTime(), 5); @@ -522,14 +523,15 @@ public class KeyRingInfoTest { } @Test - public void getSecretKeyTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void getSecretKeyTest() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + OpenPGPKey key = new OpenPGPKey(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(secretKeys); - PGPSecretKey primaryKey = info.getSecretKey(primaryKeyFingerprint); + OpenPGPKey.OpenPGPSecretKey primaryKey = info.getSecretKey(primaryKeyFingerprint); - assertEquals(secretKeys.getSecretKey(), primaryKey); + assertEquals(key.getPrimarySecretKey().getKeyIdentifier(), primaryKey.getKeyIdentifier()); } @Test @@ -693,12 +695,16 @@ public class KeyRingInfoTest { assertFalse(info.isKeyValidlyBound(unboundKey.getKeyId())); - List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); - assertTrue(encryptionSubkeys.stream().map(OpenPgpV4Fingerprint::new).noneMatch(f -> f.equals(unboundKey)), + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); + assertTrue(encryptionSubkeys.stream() + .map(it -> new OpenPgpV4Fingerprint(it.getPGPPublicKey())) + .noneMatch(f -> f.equals(unboundKey)), "Unbound subkey MUST NOT be considered a valid encryption subkey"); - List signingSubkeys = info.getSigningSubkeys(); - assertTrue(signingSubkeys.stream().map(OpenPgpV4Fingerprint::new).noneMatch(f -> f.equals(unboundKey)), + List signingSubkeys = info.getSigningSubkeys(); + assertTrue(signingSubkeys.stream() + .map(it -> new OpenPgpV4Fingerprint(it.getPGPPublicKey())) + .noneMatch(f -> f.equals(unboundKey)), "Unbound subkey MUST NOT be considered a valid signing subkey"); assertTrue(info.getKeyFlagsOf(unboundKey.getKeyId()).isEmpty()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java index 1c659e42..dce54107 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java @@ -14,9 +14,9 @@ import java.util.List; import org.bouncycastle.bcpg.sig.NotationData; import org.bouncycastle.openpgp.PGPKeyPair; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -59,19 +59,19 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { .done(); KeyRingInfo after = PGPainless.inspectKeyRing(secretKeys); - List signingKeys = after.getSigningSubkeys(); + List signingKeys = after.getSigningSubkeys(); signingKeys.removeAll(before.getSigningSubkeys()); assertFalse(signingKeys.isEmpty()); - PGPPublicKey newKey = signingKeys.get(0); - Date newExpirationDate = after.getSubkeyExpirationDate(new OpenPgpV4Fingerprint(newKey)); + OpenPGPCertificate.OpenPGPComponentKey newKey = signingKeys.get(0); + Date newExpirationDate = after.getSubkeyExpirationDate(new OpenPgpV4Fingerprint(newKey.getPGPPublicKey())); assertNotNull(newExpirationDate); Date now = new Date(); JUtils.assertEquals( now.getTime() + MILLIS_IN_SEC * secondsUntilExpiration, newExpirationDate.getTime(), 2 * MILLIS_IN_SEC); - assertTrue(newKey.getSignatures().hasNext()); - PGPSignature binding = newKey.getSignatures().next(); + assertTrue(newKey.getPGPPublicKey().getSignatures().hasNext()); + PGPSignature binding = newKey.getPGPPublicKey().getSignatures().next(); List notations = SignatureSubpacketsUtil.getHashedNotationData(binding); assertEquals(1, notations.size()); assertEquals("test@test.test", notations.get(0).getNotationName()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java index e1926b67..94cc71a1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java @@ -4,8 +4,8 @@ package org.pgpainless.key.modification; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -28,17 +28,17 @@ public class ChangeSubkeyExpirationTimeTest { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); Date now = secretKeys.getPublicKey().getCreationTime(); Date inAnHour = new Date(now.getTime() + 1000 * 60 * 60); - PGPPublicKey encryptionKey = PGPainless.inspectKeyRing(secretKeys) + OpenPGPCertificate.OpenPGPComponentKey encryptionKey = PGPainless.inspectKeyRing(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); secretKeys = PGPainless.modifyKeyRing(secretKeys) .setExpirationDateOfSubkey( inAnHour, - encryptionKey.getKeyID(), + encryptionKey.getKeyIdentifier().getKeyId(), SecretKeyRingProtector.unprotectedKeys()) .done(); JUtils.assertDateEquals(inAnHour, PGPainless.inspectKeyRing(secretKeys) - .getSubkeyExpirationDate(OpenPgpFingerprint.of(encryptionKey))); + .getSubkeyExpirationDate(OpenPgpFingerprint.of(encryptionKey.getPGPPublicKey()))); } @Test diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index ee6f0de3..992df1da 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -13,8 +13,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import org.bouncycastle.bcpg.sig.IssuerFingerprint; @@ -127,11 +125,11 @@ public class RevokeSubKeyTest { @Test public void inspectSubpacketsOnDefaultRevocationSignature() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys) - .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); + .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .revokeSubKey(encryptionSubkey.getKeyID(), protector) @@ -151,12 +149,11 @@ public class RevokeSubKeyTest { } @Test - public void inspectSubpacketsOnModifiedRevocationSignature() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void inspectSubpacketsOnModifiedRevocationSignature() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys) - .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); + .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .revokeSubKey(encryptionSubkey.getKeyID(), protector, new RevocationSignatureSubpackets.Callback() { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index 1caeb9e9..3d862ddf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -13,8 +13,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.time.temporal.ChronoUnit; import java.util.Arrays; import java.util.Date; @@ -30,11 +28,11 @@ import org.bouncycastle.bcpg.sig.RevocationKey; import org.bouncycastle.bcpg.sig.TrustSignature; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -52,7 +50,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; public class SignatureSubpacketsUtilTest { @Test - public void testGetKeyExpirationTimeAsDate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testGetKeyExpirationTimeAsDate() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Expire"); Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS)); @@ -62,10 +60,10 @@ public class SignatureSubpacketsUtilTest { PGPSignature expirationSig = SignaturePicker.pickCurrentUserIdCertificationSignature( secretKeys, "Expire", Policy.getInstance(), new Date()); - PGPPublicKey notTheRightKey = PGPainless.inspectKeyRing(secretKeys).getSigningSubkeys().get(0); + OpenPGPCertificate.OpenPGPComponentKey notTheRightKey = PGPainless.inspectKeyRing(secretKeys).getSigningSubkeys().get(0); assertThrows(IllegalArgumentException.class, () -> - SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(expirationSig, notTheRightKey)); + SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(expirationSig, notTheRightKey.getPGPPublicKey())); } @Test diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java index e44af522..e4275636 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java @@ -14,10 +14,10 @@ import java.util.HashSet; import java.util.Set; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; @@ -37,10 +37,11 @@ public class SubkeyAndPrimaryKeyBindingSignatureTest { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); PGPSecretKey primaryKey = secretKeys.getSecretKey(); - PGPPublicKey encryptionSubkey = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); + OpenPGPCertificate.OpenPGPComponentKey encryptionSubkey = + info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); assertNotNull(encryptionSubkey); - Set hashAlgorithmSet = info.getPreferredHashAlgorithms(encryptionSubkey.getKeyID()); + Set hashAlgorithmSet = info.getPreferredHashAlgorithms(encryptionSubkey.getKeyIdentifier()); assertEquals( new HashSet<>(Arrays.asList( HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224)), @@ -55,10 +56,10 @@ public class SubkeyAndPrimaryKeyBindingSignatureTest { } }); - PGPSignature binding = sbb.build(encryptionSubkey); - secretKeys = KeyRingUtils.injectCertification(secretKeys, encryptionSubkey, binding); + PGPSignature binding = sbb.build(encryptionSubkey.getPGPPublicKey()); + secretKeys = KeyRingUtils.injectCertification(secretKeys, encryptionSubkey.getPGPPublicKey(), binding); info = PGPainless.inspectKeyRing(secretKeys); - assertEquals(Collections.singleton(HashAlgorithm.SHA512), info.getPreferredHashAlgorithms(encryptionSubkey.getKeyID())); + assertEquals(Collections.singleton(HashAlgorithm.SHA512), info.getPreferredHashAlgorithms(encryptionSubkey.getKeyIdentifier())); } } From b8bb5de2a233704b31a69742432e01b5aafd3af8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 5 Feb 2025 12:06:25 +0100 Subject: [PATCH 023/265] Disable ElGamal key tests --- .../pgpainless/sop/CarolKeySignEncryptRoundtripTest.java | 2 ++ .../PGPainlessDetachedSignDetachedVerifyTest.java | 8 ++++++++ .../operation/PGPainlessInlineSignInlineVerifyTest.java | 9 +++++++++ 3 files changed, 19 insertions(+) diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java index 83778106..d994c9bc 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java @@ -8,6 +8,7 @@ import static org.junit.jupiter.api.Assertions.assertArrayEquals; import java.io.IOException; +import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import sop.ByteArrayAndResult; import sop.DecryptionResult; @@ -15,6 +16,7 @@ import sop.EncryptionResult; import sop.ReadyWithResult; import sop.testsuite.assertions.VerificationListAssert; +@Disabled("Carol is an ElGamal key, which are no longer supported.") public class CarolKeySignEncryptRoundtripTest { private static final String CAROL_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java index dff9e86f..28fc3d6a 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java @@ -8,6 +8,8 @@ import org.junit.jupiter.api.Disabled; import sop.SOP; import sop.testsuite.operation.DetachedSignDetachedVerifyTest; +import java.io.IOException; + public class PGPainlessDetachedSignDetachedVerifyTest extends DetachedSignDetachedVerifyTest { @Override @@ -15,4 +17,10 @@ public class PGPainlessDetachedSignDetachedVerifyTest extends DetachedSignDetach public void verifyMissingCertCausesMissingArg(SOP sop) { super.verifyMissingCertCausesMissingArg(sop); } + + @Override + @Disabled("Carol is an ElGamal key, which are no longer supported.") + public void signVerifyWithCarolKey(SOP sop) throws IOException { + super.signVerifyWithCarolKey(sop); + } } diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java index 16166eb1..deb9d6b5 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java @@ -4,8 +4,17 @@ package sop.testsuite.pgpainless.operation; +import org.junit.jupiter.api.Disabled; +import sop.SOP; import sop.testsuite.operation.InlineSignInlineVerifyTest; +import java.io.IOException; + public class PGPainlessInlineSignInlineVerifyTest extends InlineSignInlineVerifyTest { + @Override + @Disabled("Carol is an ElGamal key, which is no longer supported.") + public void inlineSignVerifyCarol(SOP sop) throws IOException { + super.inlineSignVerifyCarol(sop); + } } From 7217eda924710135ce00af6227583a378d5b4b73 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 7 Feb 2025 13:19:43 +0100 Subject: [PATCH 024/265] KeyRingInfo: Replace PGPainless signature evaluation with BCs --- .../org/pgpainless/key/info/KeyRingInfo.kt | 155 ++++-------------- .../builder/AbstractSignatureBuilder.kt | 4 +- 2 files changed, 36 insertions(+), 123 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 011407f6..cb10b060 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -20,7 +20,6 @@ import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.policy.Policy -import org.pgpainless.signature.consumer.SignaturePicker import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil.Companion.getKeyExpirationTimeAsDate import org.pgpainless.util.DateUtil @@ -47,7 +46,7 @@ class KeyRingInfo( referenceDate: Date = Date() ) : this(keys, PGPainless.getPolicy(), referenceDate) - private val signatures: Signatures = Signatures(keys.pgpKeyRing, referenceDate, policy) + // private val signatures: Signatures = Signatures(keys.pgpKeyRing, referenceDate, policy) /** Primary [OpenPGPCertificate.OpenPGPPrimaryKey]. */ val publicKey: OpenPGPCertificate.OpenPGPPrimaryKey = keys.primaryKey @@ -67,10 +66,16 @@ class KeyRingInfo( val userIds: List = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(publicKey.pgpPublicKey) /** Primary User-ID. */ - val primaryUserId = keys.getPrimaryUserId(referenceDate)?.userId + val primaryUserId: String? = keys.getPrimaryUserId(referenceDate)?.userId /** Revocation State. */ - val revocationState = signatures.primaryKeyRevocation.toRevocationState() + val revocationState: RevocationState = + publicKey.getLatestSelfSignature(referenceDate)?.let { + if (!it.isRevocation) RevocationState.notRevoked() + else if (it.isHardRevocation) RevocationState.hardRevoked() + else RevocationState.softRevoked(it.creationTime) + } + ?: RevocationState.notRevoked() /** * Return the date on which the primary key was revoked, or null if it has not yet been revoked. * @@ -111,13 +116,7 @@ class KeyRingInfo( val validUserIds: List = keys.getValidUserIds(referenceDate).map { it.userId } /** List of valid and expired user-IDs. */ - val validAndExpiredUserIds: List = - userIds.filter { - val certification = signatures.userIdCertifications[it] ?: return@filter false - val revocation = signatures.userIdRevocations[it] ?: return@filter true - return@filter !revocation.isHardRevocation && - certification.creationTime > revocation.creationTime - } + val validAndExpiredUserIds: List = userIds /** List of email addresses that can be extracted from the user-IDs. */ val emailAddresses: List = @@ -132,10 +131,12 @@ class KeyRingInfo( } /** Newest direct-key self-signature on the primary key. */ - val latestDirectKeySelfSignature: PGPSignature? = signatures.primaryKeySelfSignature + val latestDirectKeySelfSignature: PGPSignature? = + publicKey.getLatestDirectKeySelfSignature(referenceDate)?.signature /** Newest primary-key revocation self-signature. */ - val revocationSelfSignature: PGPSignature? = signatures.primaryKeyRevocation + val revocationSelfSignature: PGPSignature? = + publicKey.getLatestKeyRevocationSignature(referenceDate)?.signature /** Public-key encryption-algorithm of the primary key. */ val algorithm: PublicKeyAlgorithm = @@ -166,7 +167,7 @@ class KeyRingInfo( .asSequence() .filter { if (!it.keyIdentifier.matches(keyIdentifier)) { - if (signatures.subkeyBindings[it.keyIdentifier.keyId] == null) { + if (it.getLatestSelfSignature(referenceDate) == null) { LOGGER.debug("Subkey ${it.keyIdentifier} has no binding signature.") return@filter false } @@ -319,7 +320,11 @@ class KeyRingInfo( * @return true, if the given user-ID is hard-revoked. */ fun isHardRevoked(userId: CharSequence): Boolean { - return signatures.userIdRevocations[userId]?.isHardRevocation ?: false + return keys + .getUserId(userId.toString()) + ?.getLatestSelfSignature(referenceDate) + ?.isHardRevocation + ?: false } /** @@ -425,13 +430,7 @@ class KeyRingInfo( /** Return the most-recently created self-signature on the key. */ private fun getMostRecentSignature(): PGPSignature? = - setOfNotNull(latestDirectKeySelfSignature, revocationSelfSignature) - .asSequence() - .plus(signatures.userIdCertifications.values) - .plus(signatures.userIdRevocations.values) - .plus(signatures.subkeyBindings.values) - .plus(signatures.subkeyRevocations.values) - .maxByOrNull { it.creationTime } + keys.components.map { it.latestSelfSignature }.maxByOrNull { it.creationTime }?.signature /** * Return the creation time of the latest added subkey. * @@ -463,7 +462,7 @@ class KeyRingInfo( * @return current subkey binding signature */ fun getCurrentSubkeyBindingSignature(keyId: Long): PGPSignature? = - signatures.subkeyBindings[keyId] + keys.getKey(KeyIdentifier(keyId))?.getCertification(referenceDate)?.signature /** * Return the current revocation signature for the subkey with the given key-ID. @@ -471,7 +470,7 @@ class KeyRingInfo( * @return current subkey revocation signature */ fun getSubkeyRevocationSignature(keyId: Long): PGPSignature? = - signatures.subkeyRevocations[keyId] + keys.getKey(KeyIdentifier(keyId))?.getRevocation(referenceDate)?.signature fun getKeyFlagsOf(keyIdentifier: KeyIdentifier): List = getKeyFlagsOf(keyIdentifier.keyId) @@ -619,36 +618,7 @@ class KeyRingInfo( * @return true if key is bound validly */ fun isKeyValidlyBound(keyId: Long): Boolean { - val publicKey = keys.pgpKeyRing.getPublicKey(keyId) ?: return false - - // Primary key -> Check Primary Key Revocation - if (publicKey.keyIdentifier.matches(this.publicKey.keyIdentifier)) { - return if (signatures.primaryKeyRevocation != null && - signatures.primaryKeyRevocation.isHardRevocation) { - false - } else signatures.primaryKeyRevocation == null - } - - // Else Subkey -> Check Subkey Revocation - val binding = signatures.subkeyBindings[keyId] - val revocation = signatures.subkeyRevocations[keyId] - - // No valid binding - if (binding == null || binding.isExpired(referenceDate)) { - return false - } - - // Revocation - return if (revocation != null) { - if (revocation.isHardRevocation) { - // Subkey is hard revoked - false - } else { - // Key is soft-revoked, not yet re-bound - (revocation.isExpired(referenceDate) || - !revocation.creationTime.after(binding.creationTime)) - } - } else true + return keys.getKey(KeyIdentifier(keyId))?.isBoundAt(referenceDate) ?: false } /** @@ -662,49 +632,20 @@ class KeyRingInfo( * @return primary user-id or null */ private fun findPrimaryUserId(): String? { - if (userIds.isEmpty()) { - return null - } - - return signatures.userIdCertifications - .filter { (_, certification) -> certification.hashedSubPackets.isPrimaryUserID } - .entries - .maxByOrNull { (_, certification) -> certification.creationTime } - ?.key - ?: signatures.userIdCertifications.keys.firstOrNull() + return keys.primaryKey.getExplicitOrImplicitPrimaryUserId(referenceDate)?.userId } /** Return true, if the primary user-ID, as well as the given user-ID are valid and bound. */ - fun isUserIdValid(userId: CharSequence) = - if (primaryUserId == null) { - false - } else { - isUserIdBound(primaryUserId) && - (if (userId == primaryUserId) true else isUserIdBound(userId)) - } + fun isUserIdValid(userId: CharSequence): Boolean { + var valid = isUserIdBound(userId) + if (primaryUserId != null) valid = valid && isUserIdBound(primaryUserId) + valid = valid && isKeyValidlyBound(publicKey.keyIdentifier) + return valid + } /** Return true, if the given user-ID is validly bound. */ - fun isUserIdBound(userId: CharSequence) = - signatures.userIdCertifications[userId]?.let { sig -> - if (sig.isExpired(referenceDate)) { - // certification expired - return false - } - if (sig.hashedSubPackets.isPrimaryUserID) { - getKeyExpirationTimeAsDate(sig, publicKey.pgpPublicKey)?.let { expirationDate -> - // key expired? - if (expirationDate < referenceDate) return false - } - } - signatures.userIdRevocations[userId]?.let { rev -> - if (rev.isHardRevocation) { - return false // hard revoked -> invalid - } - sig.creationTime > rev.creationTime // re-certification after soft revocation? - } - ?: true // certification, but no revocation - } - ?: false // no certification + fun isUserIdBound(userId: CharSequence): Boolean = + keys.getUserId(userId.toString())?.isBoundAt(referenceDate) ?: false /** [HashAlgorithm] preferences of the given user-ID. */ fun getPreferredHashAlgorithms(userId: CharSequence): Set { @@ -786,34 +727,4 @@ class KeyRingInfo( @JvmStatic private val LOGGER = LoggerFactory.getLogger(KeyRingInfo::class.java) } - - private class Signatures(val keys: PGPKeyRing, val referenceDate: Date, val policy: Policy) { - val primaryKeyRevocation: PGPSignature? = - SignaturePicker.pickCurrentRevocationSelfSignature(keys, policy, referenceDate) - val primaryKeySelfSignature: PGPSignature? = - SignaturePicker.pickLatestDirectKeySignature(keys, policy, referenceDate) - val userIdRevocations = mutableMapOf() - val userIdCertifications = mutableMapOf() - val subkeyRevocations = mutableMapOf() - val subkeyBindings = mutableMapOf() - - init { - KeyRingUtils.getUserIdsIgnoringInvalidUTF8(keys.publicKey).forEach { userId -> - SignaturePicker.pickCurrentUserIdRevocationSignature( - keys, userId, policy, referenceDate) - ?.let { userIdRevocations[userId] = it } - SignaturePicker.pickLatestUserIdCertificationSignature( - keys, userId, policy, referenceDate) - ?.let { userIdCertifications[userId] = it } - } - keys.publicKeys.asSequence().drop(1).forEach { subkey -> - SignaturePicker.pickCurrentSubkeyBindingRevocationSignature( - keys, subkey, policy, referenceDate) - ?.let { subkeyRevocations[subkey.keyID] = it } - SignaturePicker.pickLatestSubkeyBindingSignature( - keys, subkey, policy, referenceDate) - ?.let { subkeyBindings[subkey.keyID] = it } - } - } - } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt index eaf05df1..f7f94202 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt @@ -34,7 +34,9 @@ abstract class AbstractSignatureBuilder>( protected abstract val signatureTypePredicate: Predicate init { - require(signatureTypePredicate.test(_signatureType)) { "Invalid signature type." } + require(signatureTypePredicate.test(_signatureType)) { + "Invalid signature type: $_signatureType" + } } @Throws(PGPException::class) From d889d37de570c55db3e85cc66d4fba239da3c388 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 7 Feb 2025 13:19:56 +0100 Subject: [PATCH 025/265] Fix tests --- .../org/pgpainless/example/ModifyKeys.java | 5 ++++- .../pgpainless/key/TestMergeCertificate.java | 3 +-- ...ureSubpacketsArePreservedOnNewSigTest.java | 3 +-- .../key/modification/RevokeUserIdsTest.java | 21 +++++++++++-------- 4 files changed, 18 insertions(+), 14 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 296c5b56..404858d1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -175,7 +175,10 @@ public class ModifyKeys { assertEquals(4, info.getPublicKeys().size()); List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); assertEquals(2, encryptionSubkeys.size()); - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(encryptionSubkeys.get(1).getKeyIdentifier()), subkeyPassphrase); + OpenPGPCertificate.OpenPGPComponentKey addedKey = encryptionSubkeys.stream() + .filter(it -> !it.getKeyIdentifier().matches(encryptionSubkeyId)).findFirst() + .get(); + UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(addedKey.getKeyIdentifier()), subkeyPassphrase); } /** diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java b/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java index 34861a5c..eee86a1b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java @@ -4,7 +4,6 @@ package org.pgpainless.key; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; @@ -68,7 +67,7 @@ public class TestMergeCertificate { "-----END PGP SIGNATURE-----"; @Test - public void testRevocationStateWithDifferentRevocationsMerged() throws IOException, PGPException { + public void testRevocationStateWithDifferentRevocationsMerged() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java index b8c3244e..5dc47a2a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java @@ -28,8 +28,7 @@ public class OldSignatureSubpacketsArePreservedOnNewSigTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .simpleEcKeyRing("Alice "); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java index fb6f1ec1..9694c763 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -9,8 +9,7 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; +import java.util.Date; import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; @@ -26,7 +25,7 @@ import org.pgpainless.util.selection.userid.SelectUserId; public class RevokeUserIdsTest { @Test - public void revokeWithSelectUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void revokeWithSelectUserId() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice "); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -41,7 +40,9 @@ public class RevokeUserIdsTest { assertTrue(info.isUserIdValid("Allice ")); assertTrue(info.isUserIdValid("Alice ")); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + Date n1 = new Date(info.getCreationDate().getTime() + 1000); // 1 sec later + + secretKeys = PGPainless.modifyKeyRing(secretKeys, n1) .revokeUserIds( SelectUserId.containsEmailAddress("alice@example.org"), protector, @@ -50,14 +51,14 @@ public class RevokeUserIdsTest { .withoutDescription()) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = PGPainless.inspectKeyRing(secretKeys, n1); assertTrue(info.isUserIdValid("Alice ")); assertFalse(info.isUserIdValid("Allice ")); assertFalse(info.isUserIdValid("Alice ")); } @Test - public void removeUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void removeUserId() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice "); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -72,11 +73,13 @@ public class RevokeUserIdsTest { assertTrue(info.isUserIdValid("Allice ")); assertTrue(info.isUserIdValid("Alice ")); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + Date n1 = new Date(info.getCreationDate().getTime() + 1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys, n1) .removeUserId("Allice ", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = PGPainless.inspectKeyRing(secretKeys, n1); assertTrue(info.isUserIdValid("Alice ")); assertFalse(info.isUserIdValid("Allice ")); assertTrue(info.isUserIdValid("Alice ")); @@ -89,7 +92,7 @@ public class RevokeUserIdsTest { } @Test - public void emptySelectionYieldsNoSuchElementException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void emptySelectionYieldsNoSuchElementException() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice "); From ba042e2728792093ff14642baba96535c331c65c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 7 Feb 2025 13:29:51 +0100 Subject: [PATCH 026/265] Tests: Remove unused throws declarations --- .../ModifiedPublicKeysInvestigation.java | 8 +-- .../org/bouncycastle/AsciiArmorCRCTests.java | 3 +- .../bouncycastle/PGPPublicKeyRingTest.java | 7 +- .../CleartextSignatureVerificationTest.java | 4 +- .../OpenPgpInputStreamTest.java | 4 +- .../OpenPgpMessageInputStreamTest.java | 12 ++-- ...DecryptWithUnavailableGnuDummyKeyTest.java | 4 +- .../BcHashContextSignerTest.java | 7 +- .../EncryptDecryptTest.java | 10 ++- .../EncryptionOptionsTest.java | 9 +-- .../FileInformationTest.java | 4 +- .../HiddenRecipientEncryptionTest.java | 4 +- .../org/pgpainless/example/ConvertKeys.java | 6 +- .../org/pgpainless/example/ModifyKeys.java | 5 +- .../java/org/pgpainless/example/ReadKeys.java | 3 +- .../key/SelfCertifyingRevocationTest.java | 3 +- .../java/org/pgpainless/key/WeirdKeys.java | 4 +- .../certification/CertifyCertificateTest.java | 10 ++- .../collection/PGPKeyRingCollectionTest.java | 7 +- .../BrainpoolKeyGenerationTest.java | 11 +-- .../GenerateEllipticCurveKeyTest.java | 5 +- .../GenerateKeyWithAdditionalUserIdTest.java | 5 +- ...GenerateKeyWithoutPrimaryKeyFlagsTest.java | 4 +- .../GenerateKeyWithoutUserIdTest.java | 4 +- .../GenerateWithEmptyPassphraseTest.java | 7 +- .../GeneratingWeakKeyThrowsTest.java | 6 +- .../pgpainless/key/info/KeyRingInfoTest.java | 4 +- .../key/info/PrimaryUserIdTest.java | 5 +- .../key/info/UserIdRevocationTest.java | 6 +- .../key/modification/AddSubKeyTest.java | 4 +- .../key/modification/AddUserIdTest.java | 6 +- ...nOnKeyWithDifferentSignatureTypesTest.java | 8 +-- ...gePrimaryUserIdAndExpirationDatesTest.java | 15 ++-- .../ChangeSecretKeyRingPassphraseTest.java | 4 +- ...ureSubpacketsArePreservedOnNewSigTest.java | 3 - .../RefuseToAddWeakSubkeyTest.java | 10 +-- .../RevocationCertificateTest.java | 5 +- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 3 +- .../parsing/KeyRingCollectionReaderTest.java | 9 +-- .../key/parsing/KeyRingReaderTest.java | 71 +++++++++---------- .../CachingSecretKeyRingProtectorTest.java | 8 +-- .../PassphraseProtectedKeyTest.java | 8 +-- .../SecretKeyRingProtectorTest.java | 4 +- .../key/protection/UnlockSecretKeyTest.java | 5 +- .../key/protection/fixes/S2KUsageFixTest.java | 4 +- .../BindingSignatureSubpacketsTest.java | 67 +++++++++-------- .../signature/CertificateValidatorTest.java | 14 ++-- .../signature/KeyRevocationTest.java | 2 +- .../OnePassSignatureBracketingTest.java | 4 +- .../signature/SignatureStructureTest.java | 4 +- .../signature/SignatureUtilsTest.java | 7 +- .../SignatureWasPossiblyMadeByKeyTest.java | 14 ++-- ...artyCertificationSignatureBuilderTest.java | 7 +- .../org/pgpainless/util/ArmorUtilsTest.java | 2 +- .../java/org/pgpainless/util/BCUtilTest.java | 6 +- .../util/GuessPreferredHashAlgorithmTest.java | 6 +- ...ncryptCommsStorageFlagsDifferentiated.java | 7 +- 57 files changed, 171 insertions(+), 307 deletions(-) diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java index 6930f78f..e3d6bd19 100644 --- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -8,8 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; @@ -252,7 +250,7 @@ public class ModifiedPublicKeysInvestigation { } @Test - public void assertUnmodifiedRSAKeyDoesNotThrow() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void assertUnmodifiedRSAKeyDoesNotThrow() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .simpleRsaKeyRing("Unmodified", RsaLength._4096, "987654321"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); @@ -264,7 +262,7 @@ public class ModifiedPublicKeysInvestigation { } @Test - public void assertUnmodifiedECKeyDoesNotThrow() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void assertUnmodifiedECKeyDoesNotThrow() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .simpleEcKeyRing("Unmodified", "987654321"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); @@ -276,7 +274,7 @@ public class ModifiedPublicKeysInvestigation { } @Test - public void assertUnmodifiedModernKeyDoesNotThrow() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void assertUnmodifiedModernKeyDoesNotThrow() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Unmodified", "987654321"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java index f9bd7a61..eb9e7ef5 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java @@ -15,7 +15,6 @@ import java.nio.charset.StandardCharsets; import java.util.List; import org.bouncycastle.bcpg.ArmoredInputStream; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; @@ -270,7 +269,7 @@ public class AsciiArmorCRCTests { "-----END PGP SIGNATURE-----"; @Test - public void assertMissingCRCSumInSignatureArmorIsOkay() throws PGPException, IOException { + public void assertMissingCRCSumInSignatureArmorIsOkay() { List signatureList = SignatureUtils.readSignatures(ARMORED_SIGNATURE_WITH_MISSING_CRC_SUM); assertEquals(1, signatureList.size()); } diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java index ebb344b0..53317bde 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java @@ -8,12 +8,9 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import java.util.List; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -31,7 +28,7 @@ public class PGPPublicKeyRingTest { * @see "); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java index 6102372a..e8345d1c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java @@ -15,8 +15,6 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.Iterator; import java.util.stream.Stream; @@ -240,7 +238,7 @@ public class OpenPgpMessageInputStreamTest { armorOut.close(); } - public static void genKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public static void genKey() { PGPainless.asciiArmor( PGPainless.generateKeyRing().modernKeyRing("Alice "), System.out); @@ -654,7 +652,7 @@ public class OpenPgpMessageInputStreamTest { } @Test - public void readAfterCloseTest() throws PGPException, IOException { + public void readAfterCloseTest() throws IOException { OpenPgpMessageInputStream pgpIn = get(SENC_LIT, ConsumerOptions.get() .addMessagePassphrase(Passphrase.fromPassword(PASSPHRASE))); Streams.drain(pgpIn); // read all @@ -670,7 +668,7 @@ public class OpenPgpMessageInputStreamTest { } private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options) - throws PGPException, IOException { + throws IOException { OpenPgpMessageInputStream in = get(armoredMessage, options); ByteArrayOutputStream out = new ByteArrayOutputStream(); Streams.pipeAll(in, out); @@ -680,7 +678,7 @@ public class OpenPgpMessageInputStreamTest { } private static Tuple processReadSequential(String armoredMessage, ConsumerOptions options) - throws PGPException, IOException { + throws IOException { OpenPgpMessageInputStream in = get(armoredMessage, options); ByteArrayOutputStream out = new ByteArrayOutputStream(); @@ -695,7 +693,7 @@ public class OpenPgpMessageInputStreamTest { } private static OpenPgpMessageInputStream get(String armored, ConsumerOptions options) - throws IOException, PGPException { + throws IOException { ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8)); ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn); OpenPgpMessageInputStream pgpIn = OpenPgpMessageInputStream.create(armorIn, options); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java index 640025b1..859e2a29 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java @@ -19,8 +19,6 @@ import org.pgpainless.exception.MissingDecryptionMethodException; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import static org.junit.jupiter.api.Assertions.assertThrows; @@ -28,7 +26,7 @@ public class TryDecryptWithUnavailableGnuDummyKeyTest { @Test public void testAttemptToDecryptWithRemovedPrivateKeysThrows() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Hardy Hardware "); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java index 1346e6b7..61858395 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java @@ -11,7 +11,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -66,13 +65,13 @@ public class BcHashContextSignerTest { } @Test - public void signContextWithRSAKeys() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void signContextWithRSAKeys() throws PGPException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072); signWithKeys(secretKeys); } @Test - public void signContextWithEcKeys() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void signContextWithEcKeys() throws PGPException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried"); signWithKeys(secretKeys); } @@ -110,7 +109,7 @@ public class BcHashContextSignerTest { } private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPSecretKeyRing secretKeys) - throws NoSuchAlgorithmException, PGPException { + throws NoSuchAlgorithmException { // Prepare the hash context // This would be done by the caller application MessageDigest messageDigest = MessageDigest.getInstance(hashAlgorithm.getAlgorithmName(), new BouncyCastleProvider()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 4d81e32f..4e2fb744 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -14,8 +14,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.Charset; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Set; import org.bouncycastle.bcpg.ArmoredOutputStream; @@ -69,7 +67,7 @@ public class EncryptDecryptTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToRsaTest() - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { + throws PGPException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); @@ -79,7 +77,7 @@ public class EncryptDecryptTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void freshKeysEcToEcTest() - throws IOException, PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { + throws IOException, PGPException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit"); @@ -89,7 +87,7 @@ public class EncryptDecryptTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void freshKeysEcToRsaTest() - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { + throws PGPException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); @@ -99,7 +97,7 @@ public class EncryptDecryptTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToEcTest() - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { + throws PGPException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index 5f6c6c15..cd20ebdd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -9,8 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -18,7 +16,6 @@ import java.util.Iterator; import java.util.List; import java.util.Set; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; @@ -49,7 +46,7 @@ public class EncryptionOptionsTest { private static SubkeyIdentifier encryptStorage; @BeforeAll - public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public static void generateKey() { secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER) .build()) @@ -135,7 +132,7 @@ public class EncryptionOptionsTest { } @Test - public void testAddRecipient_KeyWithoutEncryptionKeyFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testAddRecipient_KeyWithoutEncryptionKeyFails() { EncryptionOptions options = new EncryptionOptions(); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) @@ -169,7 +166,7 @@ public class EncryptionOptionsTest { } @Test - public void testAddRecipients_PGPPublicKeyRingCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testAddRecipients_PGPPublicKeyRingCollection() { PGPPublicKeyRing secondKeyRing = KeyRingUtils.publicKeyRingFrom( PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org")); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java index 50e9722b..57a13452 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java @@ -13,8 +13,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import org.bouncycastle.openpgp.PGPException; @@ -38,7 +36,7 @@ public class FileInformationTest { private static PGPPublicKeyRing certificate; @BeforeAll - public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public static void generateKey() { secretKey = PGPainless.generateKeyRing().modernKeyRing("alice@wonderland.lit"); certificate = PGPainless.extractCertificate(secretKey); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java index 1cb0d3cb..0c510514 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java @@ -11,8 +11,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -31,7 +29,7 @@ import org.pgpainless.key.SubkeyIdentifier; public class HiddenRecipientEncryptionTest { @Test - public void testAnonymousRecipientRoundtrip() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testAnonymousRecipientRoundtrip() throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice "); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index fc99fa44..caae8355 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -7,10 +7,6 @@ package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -23,7 +19,7 @@ public class ConvertKeys { * This example demonstrates how to extract a public key certificate from a secret key. */ @Test - public void secretKeyToCertificate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void secretKeyToCertificate() { String userId = "alice@wonderland.lit"; PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() .modernKeyRing(userId); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 404858d1..08543f3d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -9,9 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.List; @@ -157,7 +154,7 @@ public class ModifyKeys { * Once the subkey is added, it can be decrypted using the provided subkey passphrase. */ @Test - public void addSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void addSubkey() { // Protector for unlocking the existing secret key SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java index 54e00c26..1559c1c1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java @@ -8,7 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import java.io.IOException; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -89,7 +88,7 @@ public class ReadKeys { * and a single public key block containing multiple public key packets. */ @Test - public void readKeyRingCollection() throws PGPException, IOException { + public void readKeyRingCollection() throws IOException { String certificateCollection = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "Comment: Alice's OpenPGP certificate\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/SelfCertifyingRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/SelfCertifyingRevocationTest.java index 5923f352..0631526a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/SelfCertifyingRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/SelfCertifyingRevocationTest.java @@ -10,7 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -162,7 +161,7 @@ public class SelfCertifyingRevocationTest { } @Test - public void mergeCertificatesResultsInRevokedKey() throws IOException, PGPException { + public void mergeCertificatesResultsInRevokedKey() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY); assertNotNull(secretKeys); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java index 4b0bb9de..3a0c24a3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java @@ -9,8 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayOutputStream; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Collections; import org.bouncycastle.bcpg.HashAlgorithmTags; @@ -104,7 +102,7 @@ public class WeirdKeys { @Test public void generateCertAndTestWithNonUTF8UserId() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws PGPException, IOException { PGPSecretKeyRing nakedKey = PGPainless.generateKeyRing().modernKeyRing(null); PGPPublicKey pubKey = nakedKey.getPublicKey(); PGPSecretKey secKey = nakedKey.getSecretKey(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java index eb0069f5..deb2877c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java @@ -10,8 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.List; import org.bouncycastle.bcpg.sig.TrustSignature; @@ -36,7 +34,7 @@ import org.pgpainless.util.DateUtil; public class CertifyCertificateTest { @Test - public void testUserIdCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testUserIdCertification() throws PGPException, IOException { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); String bobUserId = "Bob "; @@ -71,7 +69,7 @@ public class CertifyCertificateTest { } @Test - public void testKeyDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testKeyDelegation() throws PGPException, IOException { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob "); @@ -110,7 +108,7 @@ public class CertifyCertificateTest { } @Test - public void testPetNameCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testPetNameCertification() { PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing() .modernKeyRing("Alice "); PGPSecretKeyRing bobKey = PGPainless.generateKeyRing() @@ -140,7 +138,7 @@ public class CertifyCertificateTest { } @Test - public void testScopedDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testScopedDelegation() { PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing() .modernKeyRing("Alice "); PGPSecretKeyRing caKey = PGPainless.generateKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java index fd5530ba..ca311091 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java @@ -7,10 +7,7 @@ package org.pgpainless.key.collection; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Collection; @@ -25,7 +22,7 @@ import org.pgpainless.key.util.KeyRingUtils; public class PGPKeyRingCollectionTest { @Test - public void constructorThrowsForInvalidInput() throws PGPException, IOException { + public void constructorThrowsForInvalidInput() { // This is neither a public key, nor a private key String invalidKeyRing = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + @@ -56,7 +53,7 @@ public class PGPKeyRingCollectionTest { } @Test - public void testConstructorFromCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testConstructorFromCollection() { PGPSecretKeyRing first = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit"); PGPSecretKeyRing second = PGPainless.generateKeyRing().simpleEcKeyRing("bob@the-builder.tv"); PGPPublicKeyRing secondPub = KeyRingUtils.publicKeyRingFrom(second); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index 77023908..0a973d6f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -9,11 +9,8 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -36,8 +33,7 @@ public class BrainpoolKeyGenerationTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void generateEcKeysTest() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void generateEcKeysTest() { for (EllipticCurve curve : EllipticCurve.values()) { PGPSecretKeyRing secretKeys = generateKey( @@ -65,8 +61,7 @@ public class BrainpoolKeyGenerationTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void generateEdDSAKeyTest() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateEdDSAKeyTest() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( @@ -113,7 +108,7 @@ public class BrainpoolKeyGenerationTest { assertEquals(3072, rsaSub.getPublicKey().getBitStrength()); } - public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(primaryKey) .addSubkey(subKey) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index 4cb992db..a9ab1668 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -6,9 +6,6 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertEquals; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.TestTemplate; @@ -29,7 +26,7 @@ public class GenerateEllipticCurveKeyTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void generateEllipticCurveKeys() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + throws PGPException { PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index cf12ab57..6c9ccbe5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -7,12 +7,9 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.Iterator; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; @@ -32,7 +29,7 @@ public class GenerateKeyWithAdditionalUserIdTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void test() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void test() { Date now = DateUtil.now(); Date expiration = TestTimeFrameProvider.defaultExpirationForCreationDate(now); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java index ea0dbc73..ad375512 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java @@ -12,8 +12,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; @@ -43,7 +41,7 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; public class GenerateKeyWithoutPrimaryKeyFlagsTest { @Test - public void generateKeyWithoutCertifyKeyFlag_cannotCertifyThirdParties() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void generateKeyWithoutCertifyKeyFlag_cannotCertifyThirdParties() throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing().setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519))) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java index e6a5c96a..88cc2b26 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java @@ -32,8 +32,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.List; @@ -43,7 +41,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; public class GenerateKeyWithoutUserIdTest { @Test - public void generateKeyWithoutUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void generateKeyWithoutUserId() throws PGPException, IOException { Date now = new Date(); Date expirationDate = TestTimeFrameProvider.defaultExpirationForCreationDate(now); PGPSecretKeyRing secretKey = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index c1375883..ef649d86 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -6,10 +6,6 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertNotNull; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - -import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; @@ -30,8 +26,7 @@ public class GenerateWithEmptyPassphraseTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow() { assertNotNull(PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java index 6fbf0572..65dea167 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java @@ -6,12 +6,9 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.HashMap; import java.util.Map; -import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; @@ -50,8 +47,7 @@ public class GeneratingWeakKeyThrowsTest { } @Test - public void allowToAddWeakKeysWithWeakPolicy() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void allowToAddWeakKeysWithWeakPolicy() { // set a weak algorithm policy Map bitStrengths = new HashMap<>(); bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 8b1877ee..fccd02fb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -12,8 +12,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Calendar; import java.util.Collections; @@ -558,7 +556,7 @@ public class KeyRingInfoTest { } @Test - public void testGetExpirationDateForUse_NoSuchKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testGetExpirationDateForUse_NoSuchKey() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addUserId("Alice") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java index d2ec8598..30601f99 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java @@ -6,9 +6,6 @@ package org.pgpainless.key.info; import static org.junit.jupiter.api.Assertions.assertEquals; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -18,7 +15,7 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; public class PrimaryUserIdTest { @Test - public void testGetPrimaryUserId() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void testGetPrimaryUserId() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit"); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId("mad_alice@wonderland.lit", SecretKeyRingProtector.unprotectedKeys()) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index abb067d1..9738bb0a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -11,8 +11,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.List; import java.util.NoSuchElementException; @@ -38,7 +36,7 @@ import org.pgpainless.key.util.RevocationAttributes; public class UserIdRevocationTest { @Test - public void testRevocationWithoutRevocationAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testRevocationWithoutRevocationAttributes() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), @@ -76,7 +74,7 @@ public class UserIdRevocationTest { } @Test - public void testRevocationWithRevocationReason() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void testRevocationWithRevocationReason() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index afcf9c98..ab58bc75 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -8,8 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotEquals; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Collections; import java.util.Iterator; @@ -39,7 +37,7 @@ public class AddSubKeyTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testAddSubKey() - throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); List keyIdsBefore = new ArrayList<>(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 7e15c998..69921f13 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -10,8 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.Iterator; import java.util.NoSuchElementException; @@ -37,7 +35,7 @@ public class AddUserIdTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void addUserIdToExistingKeyRing() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); @@ -114,7 +112,7 @@ public class AddUserIdTest { } @Test - public void addNewPrimaryUserIdTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void addNewPrimaryUserIdTest() { Date now = new Date(); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index c029a317..2eac921b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -7,7 +7,6 @@ package org.pgpainless.key.modification; import java.io.IOException; import java.util.Date; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.api.TestTemplate; @@ -138,7 +137,7 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void setExpirationDate_keyHasSigClass10() - throws PGPException, IOException { + throws IOException { PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithGenericCertification); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); executeTestForKeys(keys, protector); @@ -147,14 +146,13 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void setExpirationDate_keyHasSigClass12() - throws PGPException, IOException { + throws IOException { PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithCasualCertification); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); executeTestForKeys(keys, protector); } - private void executeTestForKeys(PGPSecretKeyRing keys, SecretKeyRingProtector protector) - throws PGPException { + private void executeTestForKeys(PGPSecretKeyRing keys, SecretKeyRingProtector protector) { Date expirationDate = new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 24 * 14); // round date for test stability expirationDate = DateUtil.toSecondsPrecision(expirationDate); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java index 834497ac..e9bbab7a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java @@ -12,8 +12,6 @@ import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; import static org.junit.jupiter.api.Assertions.assertEquals; @@ -27,7 +25,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_primaryB_revokeA_cantSecondaryA() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -72,8 +70,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { } @Test - public void generateA_primaryExpire_isExpired() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateA_primaryExpire_isExpired() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -95,8 +92,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { } @Test - public void generateA_primaryB_primaryExpire_bIsStillPrimary() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateA_primaryB_primaryExpire_bIsStillPrimary() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -137,8 +133,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { } @Test - public void generateA_expire_certify() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateA_expire_certify() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -161,7 +156,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_expire_primaryB_expire_isPrimaryB() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index a0ea6984..7bb41920 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -11,8 +11,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import org.bouncycastle.openpgp.PGPException; @@ -39,7 +37,7 @@ public class ChangeSecretKeyRingPassphraseTest { private final PGPSecretKeyRing keyRing = PGPainless.generateKeyRing().simpleEcKeyRing("password@encryp.ted", "weakPassphrase"); - public ChangeSecretKeyRingPassphraseTest() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public ChangeSecretKeyRingPassphraseTest() { } @TestTemplate diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java index 5dc47a2a..d908191f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java @@ -8,11 +8,8 @@ import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Date; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java index 04197d6f..d5a3396a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -7,13 +7,9 @@ package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.EnumMap; import java.util.Map; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -31,8 +27,7 @@ import org.pgpainless.util.Passphrase; public class RefuseToAddWeakSubkeyTest { @Test - public void testEditorRefusesToAddWeakSubkey() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testEditorRefusesToAddWeakSubkey() { // ensure default policy is set PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); @@ -46,8 +41,7 @@ public class RefuseToAddWeakSubkeyTest { } @Test - public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java index 48b5d5b7..27f0a9e1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java @@ -12,8 +12,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; @@ -75,8 +73,7 @@ public class RevocationCertificateTest { } @Test - public void createMinimalRevocationCertificateForFreshKeyTest() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void createMinimalRevocationCertificateForFreshKeyTest() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); PGPPublicKeyRing minimalRevocationCert = PGPainless.modifyKeyRing(secretKeys).createMinimalRevocationCertificate( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index 2cbbbe87..c4a177ed 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -7,7 +7,6 @@ package org.pgpainless.key.modification; import java.io.IOException; import java.util.Date; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.api.TestTemplate; @@ -99,7 +98,7 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testChangingExpirationTimeWithKeyWithoutPrefAlgos() - throws IOException, PGPException { + throws IOException { Date expirationDate = DateUtil.now(); PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java index 552ae25f..cd0a6c7b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java @@ -7,11 +7,8 @@ package org.pgpainless.key.parsing; import static org.junit.jupiter.api.Assertions.assertEquals; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -25,7 +22,7 @@ import org.pgpainless.util.ArmorUtils; public class KeyRingCollectionReaderTest { @Test - public void writeAndParseKeyRingCollections() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void writeAndParseKeyRingCollections() throws IOException { // secret keys PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob "); @@ -48,7 +45,7 @@ public class KeyRingCollectionReaderTest { } @Test - public void parseSeparatedSecretKeyRingCollection() throws PGPException, IOException { + public void parseSeparatedSecretKeyRingCollection() throws IOException { String ascii = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Version: PGPainless\n" + "Comment: 58F2 0119 232F BBC0 B624 CCA7 7BED B6B3 2279 0657\n" + @@ -107,7 +104,7 @@ public class KeyRingCollectionReaderTest { } @Test - public void parseConcatenatedSecretKeyRingCollection() throws PGPException, IOException { + public void parseConcatenatedSecretKeyRingCollection() throws IOException { // same key ring collection as above, but concatenated in a single armor block String ascii = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Version: BCPG v1.68\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index 5ae6d9b2..a3b817e8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -14,8 +14,6 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Collection; import java.util.List; @@ -70,15 +68,14 @@ class KeyRingReaderTest { } @Test - void publicKeyRingCollectionFromStream() throws IOException, PGPException { + void publicKeyRingCollectionFromStream() throws IOException { InputStream inputStream = requireResource("pub_keys_10_pieces.asc"); PGPPublicKeyRingCollection rings = PGPainless.readKeyRing().publicKeyRingCollection(inputStream); assertEquals(10, rings.size()); } @Test - void publicKeyRingCollectionFromNotArmoredStream() throws IOException, PGPException, - InvalidAlgorithmParameterException, NoSuchAlgorithmException { + void publicKeyRingCollectionFromNotArmoredStream() throws IOException { Collection collection = new ArrayList<>(); for (int i = 0; i < 10; i++) { @@ -96,7 +93,7 @@ class KeyRingReaderTest { } @Test - void publicKeyRingCollectionFromString() throws IOException, PGPException { + void publicKeyRingCollectionFromString() throws IOException { String armoredString = new String(readFromResource("pub_keys_10_pieces.asc")); InputStream inputStream = new ByteArrayInputStream(armoredString.getBytes(StandardCharsets.UTF_8)); PGPPublicKeyRingCollection rings = PGPainless.readKeyRing().publicKeyRingCollection(inputStream); @@ -104,7 +101,7 @@ class KeyRingReaderTest { } @Test - void publicKeyRingCollectionFromBytes() throws IOException, PGPException { + void publicKeyRingCollectionFromBytes() throws IOException { byte[] bytes = readFromResource("pub_keys_10_pieces.asc"); InputStream byteArrayInputStream = new ByteArrayInputStream(bytes); PGPPublicKeyRingCollection rings = PGPainless.readKeyRing().publicKeyRingCollection(byteArrayInputStream); @@ -115,7 +112,7 @@ class KeyRingReaderTest { * One armored pub key. */ @Test - void parsePublicKeysSingleArmored() throws IOException, PGPException { + void parsePublicKeysSingleArmored() throws IOException { assertEquals(1, getPgpPublicKeyRingsFromResource("single_pub_key_armored.asc").size()); } @@ -123,7 +120,7 @@ class KeyRingReaderTest { * One binary pub key. */ @Test - void parsePublicKeysSingleBinary() throws IOException, PGPException { + void parsePublicKeysSingleBinary() throws IOException { assertEquals(1, getPgpPublicKeyRingsFromResource("single_pub_key_binary.key").size()); } @@ -131,7 +128,7 @@ class KeyRingReaderTest { * Many armored pub keys with a single -----BEGIN PGP PUBLIC KEY BLOCK-----...-----END PGP PUBLIC KEY BLOCK-----. */ @Test - void parsePublicKeysMultiplyArmoredSingleHeader() throws IOException, PGPException { + void parsePublicKeysMultiplyArmoredSingleHeader() throws IOException { assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_armored_single_header.asc").size()); } @@ -139,7 +136,7 @@ class KeyRingReaderTest { * Many armored pub keys where each has own -----BEGIN PGP PUBLIC KEY BLOCK-----...-----END PGP PUBLIC KEY BLOCK-----. */ @Test - void parsePublicKeysMultiplyArmoredOwnHeader() throws IOException, PGPException { + void parsePublicKeysMultiplyArmoredOwnHeader() throws IOException { assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_armored_own_header.asc").size()); } @@ -148,7 +145,7 @@ class KeyRingReaderTest { * Each of those blocks can have a different count of keys. */ @Test - void parsePublicKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException { + void parsePublicKeysMultiplyArmoredOwnWithSingleHeader() throws IOException { assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_armored_own_with_single_header.asc").size()); } @@ -156,7 +153,7 @@ class KeyRingReaderTest { * Many binary pub keys. */ @Test - void parsePublicKeysMultiplyBinary() throws IOException, PGPException { + void parsePublicKeysMultiplyBinary() throws IOException { assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_binary.key").size()); } @@ -164,7 +161,7 @@ class KeyRingReaderTest { * One armored private key. */ @Test - void parseSecretKeysSingleArmored() throws IOException, PGPException { + void parseSecretKeysSingleArmored() throws IOException { assertEquals(1, getPgpSecretKeyRingsFromResource("single_prv_key_armored.asc").size()); } @@ -172,7 +169,7 @@ class KeyRingReaderTest { * One binary private key. */ @Test - void parseSecretKeysSingleBinary() throws IOException, PGPException { + void parseSecretKeysSingleBinary() throws IOException { assertEquals(1, getPgpSecretKeyRingsFromResource("single_prv_key_binary.key").size()); } @@ -181,7 +178,7 @@ class KeyRingReaderTest { * -----BEGIN PGP PRIVATE KEY BLOCK-----...-----END PGP PRIVATE KEY BLOCK----- */ @Test - void parseSecretKeysMultiplyArmoredSingleHeader() throws IOException, PGPException { + void parseSecretKeysMultiplyArmoredSingleHeader() throws IOException { assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_armored_single_header.asc").size()); } @@ -189,7 +186,7 @@ class KeyRingReaderTest { * Many armored private keys where each has own -----BEGIN PGP PRIVATE KEY BLOCK-----...-----END PGP PRIVATE KEY BLOCK-----. */ @Test - void parseSecretKeysMultiplyArmoredOwnHeader() throws IOException, PGPException { + void parseSecretKeysMultiplyArmoredOwnHeader() throws IOException { assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_armored_own_header.asc").size()); } @@ -198,7 +195,7 @@ class KeyRingReaderTest { * Each of those blocks can have a different count of keys. */ @Test - void parseSecretKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException { + void parseSecretKeysMultiplyArmoredOwnWithSingleHeader() throws IOException { assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_armored_own_with_single_header.asc").size()); } @@ -206,7 +203,7 @@ class KeyRingReaderTest { * Many binary private keys. */ @Test - void parseSecretKeysMultiplyBinary() throws IOException, PGPException { + void parseSecretKeysMultiplyBinary() throws IOException { assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_binary.key").size()); } @@ -214,7 +211,7 @@ class KeyRingReaderTest { * Many armored keys(private or pub) where each has own -----BEGIN PGP ... KEY BLOCK-----...-----END PGP ... KEY BLOCK-----. */ @Test - void parseKeysMultiplyArmoredOwnHeader() throws IOException, PGPException { + void parseKeysMultiplyArmoredOwnHeader() throws IOException { assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_armored_own_header.asc").size()); } @@ -223,7 +220,7 @@ class KeyRingReaderTest { * Each of those blocks can have a different count of keys. */ @Test - void parseKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException { + void parseKeysMultiplyArmoredOwnWithSingleHeader() throws IOException { assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_armored_own_with_single_header.asc").size()); } @@ -231,22 +228,22 @@ class KeyRingReaderTest { * Many binary keys(private or pub). */ @Test - void parseKeysMultiplyBinary() throws IOException, PGPException { + void parseKeysMultiplyBinary() throws IOException { assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_binary.key").size()); } private PGPKeyRingCollection getPGPKeyRingsFromResource(String fileName) - throws IOException, PGPException { + throws IOException { return PGPainless.readKeyRing().keyRingCollection(requireResource(fileName), true); } private PGPPublicKeyRingCollection getPgpPublicKeyRingsFromResource(String fileName) - throws IOException, PGPException { + throws IOException { return PGPainless.readKeyRing().publicKeyRingCollection(requireResource(fileName)); } private PGPSecretKeyRingCollection getPgpSecretKeyRingsFromResource(String fileName) - throws IOException, PGPException { + throws IOException { return PGPainless.readKeyRing().secretKeyRingCollection(requireResource(fileName)); } @@ -312,7 +309,7 @@ class KeyRingReaderTest { } @Test - public void testReadSecretKeyCollectionIgnoresMarkerPackets() throws PGPException, IOException { + public void testReadSecretKeyCollectionIgnoresMarkerPackets() throws IOException { // Marker // Alice // Marker @@ -380,7 +377,7 @@ class KeyRingReaderTest { } @Test - public void testReadCertificateCollectionIgnoresMarkerPackets() throws PGPException, IOException { + public void testReadCertificateCollectionIgnoresMarkerPackets() throws IOException { String markersAndCerts = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "Version: PGPainless\n" + "Comment: Certificates with injected Marker Packets\n" + @@ -434,7 +431,7 @@ class KeyRingReaderTest { } @Test - public void testReadSignatureIgnoresMarkerPacket() throws PGPException, IOException { + public void testReadSignatureIgnoresMarkerPacket() { String markerAndSignature = "-----BEGIN PGP SIGNATURE-----\n" + "Version: PGPainless\n" + "Comment: Signature with prepended Marker Packet\n" + @@ -449,7 +446,7 @@ class KeyRingReaderTest { } @Test - public void testReadSecretKeysIgnoresMultipleMarkers() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testReadSecretKeysIgnoresMultipleMarkers() throws IOException { PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org"); MarkerPacket marker = TestUtils.getMarkerPacket(); @@ -483,7 +480,7 @@ class KeyRingReaderTest { @Test public void testReadingSecretKeysExceedsIterationLimit() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws IOException { PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); MarkerPacket marker = TestUtils.getMarkerPacket(); @@ -502,7 +499,7 @@ class KeyRingReaderTest { @Test public void testReadingSecretKeyCollectionExceedsIterationLimit() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws IOException { PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org"); MarkerPacket marker = TestUtils.getMarkerPacket(); @@ -524,7 +521,7 @@ class KeyRingReaderTest { @Test public void testReadingPublicKeysExceedsIterationLimit() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); PGPPublicKeyRing alice = PGPainless.extractCertificate(secretKeys); MarkerPacket marker = TestUtils.getMarkerPacket(); @@ -544,7 +541,7 @@ class KeyRingReaderTest { @Test public void testReadingPublicKeyCollectionExceedsIterationLimit() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws IOException { PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org"); PGPPublicKeyRing alice = PGPainless.extractCertificate(sec1); @@ -566,7 +563,7 @@ class KeyRingReaderTest { } @Test - public void testReadKeyRingWithBinaryPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testReadKeyRingWithBinaryPublicKey() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); byte[] bytes = publicKeys.getEncoded(); @@ -579,7 +576,7 @@ class KeyRingReaderTest { } @Test - public void testReadKeyRingWithBinarySecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testReadKeyRingWithBinarySecretKey() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); byte[] bytes = secretKeys.getEncoded(); @@ -591,7 +588,7 @@ class KeyRingReaderTest { } @Test - public void testReadKeyRingWithArmoredPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testReadKeyRingWithArmoredPublicKey() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); String armored = PGPainless.asciiArmor(publicKeys); @@ -604,7 +601,7 @@ class KeyRingReaderTest { } @Test - public void testReadKeyRingWithArmoredSecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testReadKeyRingWithArmoredSecretKey() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); String armored = PGPainless.asciiArmor(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index 3f7a9e6e..f77f1177 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -10,8 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import java.util.Random; @@ -51,13 +49,13 @@ public class CachingSecretKeyRingProtectorTest { } @Test - public void noCallbackReturnsNullForUnknownKeyId() throws PGPException { + public void noCallbackReturnsNullForUnknownKeyId() { assertNull(protector.getDecryptor(123L)); assertNull(protector.getEncryptor(123L)); } @Test - public void testAddPassphrase() throws PGPException { + public void testAddPassphrase() { Passphrase passphrase = Passphrase.fromPassword("HelloWorld"); protector.addPassphrase(123L, passphrase); assertEquals(passphrase, protector.getPassphraseFor(123L)); @@ -77,7 +75,7 @@ public class CachingSecretKeyRingProtectorTest { } @Test - public void testAddPassphraseForKeyRing() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testAddPassphraseForKeyRing() { PGPSecretKeyRing keys = PGPainless.generateKeyRing() .modernKeyRing("test@test.test", "Passphrase123"); Passphrase passphrase = Passphrase.fromPassword("Passphrase123"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index 370cfd85..6b90ba19 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -7,8 +7,6 @@ package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import javax.annotation.Nullable; @@ -46,19 +44,19 @@ public class PassphraseProtectedKeyTest { }); @Test - public void testReturnsNonNullDecryptorEncryptorForPassword() throws PGPException { + public void testReturnsNonNullDecryptorEncryptorForPassword() { assertNotNull(protector.getEncryptor(TestKeys.CRYPTIE_KEY_ID)); assertNotNull(protector.getDecryptor(TestKeys.CRYPTIE_KEY_ID)); } @Test - public void testReturnsNullDecryptorEncryptorForNoPassword() throws PGPException { + public void testReturnsNullDecryptorEncryptorForNoPassword() { assertNull(protector.getEncryptor(TestKeys.JULIET_KEY_ID)); assertNull(protector.getDecryptor(TestKeys.JULIET_KEY_ID)); } @Test - public void testReturnsNonNullDecryptorForSubkeys() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void testReturnsNonNullDecryptorForSubkeys() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice", "passphrase"); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("passphrase")); for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index a5030f74..193e9223 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -10,8 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import java.util.Map; import java.util.Random; @@ -35,7 +33,7 @@ public class SecretKeyRingProtectorTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testUnlockAllKeysWithSamePassword() - throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); SecretKeyRingProtector protector = diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java index c6a35ea9..2bb0e3ac 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java @@ -7,9 +7,6 @@ package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPSecretKey; @@ -22,7 +19,7 @@ import org.pgpainless.util.Passphrase; public class UnlockSecretKeyTest { @Test - public void testUnlockSecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testUnlockSecretKey() throws PGPException { PGPSecretKeyRing secretKeyRing = PGPainless.generateKeyRing() .simpleEcKeyRing("alice@wonderland.lit", "heureka!"); PGPSecretKey secretKey = secretKeyRing.getSecretKey(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index ba6673e5..dca08b2d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -11,8 +11,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.openpgp.PGPException; @@ -68,7 +66,7 @@ public class S2KUsageFixTest { @Test public void verifyOutFixInChangePassphraseWorks() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException { PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before"); for (PGPSecretKey key : before) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index 331ca07a..bf3d7a0d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -13,7 +13,6 @@ import java.io.InputStream; import java.nio.charset.StandardCharsets; import java.util.Date; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.junit.jupiter.api.TestTemplate; @@ -53,7 +52,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void baseCase() throws IOException, PGPException { + public void baseCase() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -114,7 +113,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingIssuerFpOnly() throws IOException, PGPException { + public void subkeyBindingIssuerFpOnly() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -175,7 +174,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingIssuerV6IssuerFp() throws IOException, PGPException { + public void subkeyBindingIssuerV6IssuerFp() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -236,7 +235,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingIssuerFakeIssuer() throws IOException, PGPException { + public void subkeyBindingIssuerFakeIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -297,7 +296,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingFakeIssuerIssuer() throws IOException, PGPException { + public void subkeyBindingFakeIssuerIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -358,7 +357,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingFakeIssuer() throws IOException, PGPException { + public void subkeyBindingFakeIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -419,7 +418,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingNoIssuer() throws IOException, PGPException { + public void subkeyBindingNoIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -479,7 +478,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void unknownSubpacketHashed() throws IOException, PGPException { + public void unknownSubpacketHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -540,7 +539,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownCriticalSubpacket() throws IOException, PGPException { + public void subkeyBindingUnknownCriticalSubpacket() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -601,7 +600,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownSubpacketUnhashed() throws IOException, PGPException { + public void subkeyBindingUnknownSubpacketUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -662,7 +661,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownCriticalSubpacketUnhashed() throws IOException, PGPException { + public void subkeyBindingUnknownCriticalSubpacketUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -723,7 +722,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownNotationHashed() throws IOException, PGPException { + public void subkeyBindingUnknownNotationHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -785,7 +784,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingCriticalUnknownNotationHashed() throws IOException, PGPException { + public void subkeyBindingCriticalUnknownNotationHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -847,7 +846,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownNotationUnhashed() throws IOException, PGPException { + public void subkeyBindingUnknownNotationUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -909,7 +908,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { + public void subkeyBindingCriticalUnknownNotationUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -971,7 +970,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingBackSigFakeBackSig() throws IOException, PGPException { + public void subkeyBindingBackSigFakeBackSig() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1043,7 +1042,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingFakeBackSigBackSig() throws IOException, PGPException { + public void subkeyBindingFakeBackSigBackSig() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1115,7 +1114,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingIssuerFpOnly() throws IOException, PGPException { + public void primaryBindingIssuerFpOnly() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1176,7 +1175,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingIssuerV6IssuerFp() throws IOException, PGPException { + public void primaryBindingIssuerV6IssuerFp() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1237,7 +1236,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingIssuerFakeIssuer() throws IOException, PGPException { + public void primaryBindingIssuerFakeIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1298,7 +1297,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingFakeIssuerIssuer() throws IOException, PGPException { + public void primaryBindingFakeIssuerIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1359,7 +1358,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingFakeIssuer() throws IOException, PGPException { + public void primaryBindingFakeIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1420,7 +1419,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingNoIssuer() throws IOException, PGPException { + public void primaryBindingNoIssuer() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1480,7 +1479,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownSubpacketHashed() throws IOException, PGPException { + public void primaryBindingUnknownSubpacketHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1541,7 +1540,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownSubpacketHashed() throws IOException, PGPException { + public void primaryBindingCriticalUnknownSubpacketHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1602,7 +1601,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownSubpacketUnhashed() throws IOException, PGPException { + public void primaryBindingUnknownSubpacketUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1663,7 +1662,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownSubpacketUnhashed() throws IOException, PGPException { + public void primaryBindingCriticalUnknownSubpacketUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1724,7 +1723,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownNotationHashed() throws IOException, PGPException { + public void primaryBindingUnknownNotationHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1786,7 +1785,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownNotationHashed() throws IOException, PGPException { + public void primaryBindingCriticalUnknownNotationHashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1848,7 +1847,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownNotationUnhashed() throws IOException, PGPException { + public void primaryBindingUnknownNotationUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1910,7 +1909,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { + public void primaryBindingCriticalUnknownNotationUnhashed() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1970,7 +1969,7 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Critical unknown notation is acceptable in unhashed area of primary key binding sig."); } - private void expectSignatureValidationSucceeds(String key, String message) throws IOException, PGPException { + private void expectSignatureValidationSucceeds(String key, String message) throws IOException { PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); @@ -1984,7 +1983,7 @@ public class BindingSignatureSubpacketsTest { } } - private void expectSignatureValidationFails(String key, String message) throws IOException, PGPException { + private void expectSignatureValidationFails(String key, String message) throws IOException { PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index 175ce101..0aba7e18 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -39,7 +39,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testPrimaryKeySignsAndIsHardRevokedUnknown() throws IOException, PGPException { + public void testPrimaryKeySignsAndIsHardRevokedUnknown() throws IOException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -190,7 +190,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testSubkeySignsPrimaryKeyIsHardRevokedUnknown() throws IOException, PGPException { + public void testSubkeySignsPrimaryKeyIsHardRevokedUnknown() throws IOException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -342,7 +342,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testSubkeySignsAndIsHardRevokedUnknown() throws IOException, PGPException { + public void testSubkeySignsAndIsHardRevokedUnknown() throws IOException { String keyWithHardRev = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -494,7 +494,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testPrimaryKeySignsAndIsSoftRevokedSuperseded() throws IOException, PGPException { + public void testPrimaryKeySignsAndIsSoftRevokedSuperseded() throws IOException { String keyWithSoftRev = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -651,7 +651,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testSubkeySignsPrimaryKeyIsSoftRevokedSuperseded() throws IOException, PGPException { + public void testSubkeySignsPrimaryKeyIsSoftRevokedSuperseded() throws IOException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -804,7 +804,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testPrimaryKeySignsAndIsSoftRevokedRetired() throws IOException, PGPException { + public void testPrimaryKeySignsAndIsSoftRevokedRetired() throws IOException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -957,7 +957,7 @@ public class CertificateValidatorTest { */ @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testTemporaryValidity() throws IOException, PGPException { + public void testTemporaryValidity() throws IOException { String keyA = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "Comment: D1A6 6E1A 23B1 82C9 980F 788C FBFC C82A 015E 7330\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 67f5cf4c..87059847 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -27,7 +27,7 @@ public class KeyRevocationTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeySignsPrimaryKeyRevokedNoReason() throws IOException, PGPException { + public void subkeySignsPrimaryKeyRevokedNoReason() throws IOException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index fd7c53e9..a0dcf141 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -12,8 +12,6 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPCompressedData; import org.bouncycastle.openpgp.PGPEncryptedData; @@ -54,7 +52,7 @@ public class OnePassSignatureBracketingTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void onePassSignaturePacketsAndSignaturesAreBracketedTest() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + throws PGPException, IOException { PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice"); PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java index 0d957309..83c7c2a8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java @@ -7,12 +7,10 @@ package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; -import java.io.IOException; import java.util.List; import org.bouncycastle.bcpg.sig.IssuerKeyID; import org.bouncycastle.bcpg.sig.NotationData; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.encoders.Hex; import org.junit.jupiter.api.BeforeAll; @@ -30,7 +28,7 @@ public class SignatureStructureTest { private static PGPSignature signature; @BeforeAll - public static void parseSignature() throws IOException, PGPException { + public static void parseSignature() { // see https://tests.sequoia-pgp.org/#Detached_signature_with_Subpackets (base case) signature = SignatureUtils.readSignatures("-----BEGIN PGP SIGNATURE-----\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java index f57ed2c4..1415eff9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java @@ -9,7 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import java.io.IOException; import java.util.List; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; @@ -19,7 +18,7 @@ import org.pgpainless.PGPainless; public class SignatureUtilsTest { @Test - public void readSignaturesFromCompressedDataDoesNotAttemptDecompression() throws PGPException, IOException { + public void readSignaturesFromCompressedDataDoesNotAttemptDecompression() { String compressed = "-----BEGIN PGP MESSAGE-----\n" + "Version: PGPainless\n" + "\n" + @@ -35,7 +34,7 @@ public class SignatureUtilsTest { } @Test - public void noIssuerResultsInKeyId0() throws PGPException, IOException { + public void noIssuerResultsInKeyId0() { String sig = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsEaBAABCABOBYJhVBVcRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + @@ -55,7 +54,7 @@ public class SignatureUtilsTest { } @Test - public void skipInvalidSignatures() throws PGPException, IOException { + public void skipInvalidSignatures() { // Sig version 23 (invalid), sig version 4 String sigs = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java index c7424af1..ebd414bf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java @@ -76,7 +76,7 @@ public class SignatureWasPossiblyMadeByKeyTest { } @Test - public void issuer() throws PGPException, IOException { + public void issuer() throws PGPException { String sigWithIssuer = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + @@ -96,7 +96,7 @@ public class SignatureWasPossiblyMadeByKeyTest { } @Test - public void hashedIssuer() throws PGPException, IOException { + public void hashedIssuer() throws PGPException { String sigWithHashedIssuer = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsE7BAABCABvBYJgyf21CRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u\n" + @@ -116,7 +116,7 @@ public class SignatureWasPossiblyMadeByKeyTest { } @Test - public void noIssuerNoFingerprint() throws PGPException, IOException { + public void noIssuerNoFingerprint() throws PGPException { String sigWithNoIssuerNoFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsEaBAABCABOBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + @@ -137,7 +137,7 @@ public class SignatureWasPossiblyMadeByKeyTest { } @Test - public void noIssuerUnhashedFingerprint() throws PGPException, IOException { + public void noIssuerUnhashedFingerprint() throws PGPException { String sigWithNoIssuerUnhashedFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsExBAABCABOBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + @@ -158,7 +158,7 @@ public class SignatureWasPossiblyMadeByKeyTest { } @Test - public void issuerMismatch() throws PGPException, IOException { + public void issuerMismatch() { String sig = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + @@ -178,7 +178,7 @@ public class SignatureWasPossiblyMadeByKeyTest { } @Test - public void noIssuer_fingerprintMismatch() throws PGPException, IOException { + public void noIssuer_fingerprintMismatch() { String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + "\n" + "wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + @@ -198,7 +198,7 @@ public class SignatureWasPossiblyMadeByKeyTest { assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint)); } - private PGPSignature get(String encoded) throws PGPException, IOException { + private PGPSignature get(String encoded) { return SignatureUtils.readSignatures(encoded).get(0); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java index 2b0f4d35..35726ee6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java @@ -17,9 +17,6 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.CertificationSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; @@ -30,7 +27,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; public class ThirdPartyCertificationSignatureBuilderTest { @Test - public void testInvalidSignatureTypeThrows() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testInvalidSignatureTypeThrows() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); assertThrows(IllegalArgumentException.class, () -> @@ -41,7 +38,7 @@ public class ThirdPartyCertificationSignatureBuilderTest { } @Test - public void testUserIdCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testUserIdCertification() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index c0a6e00c..22f98512 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -130,7 +130,7 @@ public class ArmorUtilsTest { } @Test - public void signatureToAsciiArmoredString() throws PGPException, IOException { + public void signatureToAsciiArmoredString() { String SIG = "-----BEGIN PGP SIGNATURE-----\n" + "Version: PGPainless\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index 821d9e30..6e7b94cc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -8,11 +8,8 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; @@ -34,8 +31,7 @@ public class BCUtilTest { private static final Logger LOGGER = LoggerFactory.getLogger(BCUtilTest.class); @Test - public void keyRingToCollectionTest() - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { + public void keyRingToCollectionTest() { PGPSecretKeyRing sec = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index e276ba8f..bf991236 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -6,11 +6,8 @@ package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Collections; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -27,8 +24,7 @@ import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; public class GuessPreferredHashAlgorithmTest { @Test - public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index b96d95e5..8c9da177 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -6,10 +6,6 @@ package org.pgpainless.weird_keys; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; - -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -25,8 +21,7 @@ import org.pgpainless.key.util.KeyRingUtils; public class TestEncryptCommsStorageFlagsDifferentiated { @Test - public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), From e19119e4cbfbc877ca20a6cc80e869f42cef0c8d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 10 Feb 2025 12:21:18 +0100 Subject: [PATCH 027/265] Begin transition to instance-based PGPainless, adapt policy --- .../main/kotlin/org/pgpainless/PGPainless.kt | 20 ++++- .../pgpainless/bouncycastle/PolicyAdapter.kt | 77 +++++++++++++++++++ 2 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 896692c2..863a10da 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -10,7 +10,9 @@ import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.algorithm.OpenPGPKeyVersion +import org.pgpainless.bouncycastle.PolicyAdapter import org.pgpainless.decryption_verification.DecryptionBuilder import org.pgpainless.encryption_signing.EncryptionBuilder import org.pgpainless.key.certification.CertifyCertificate @@ -23,10 +25,24 @@ import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.policy.Policy import org.pgpainless.util.ArmorUtils -class PGPainless private constructor() { +class PGPainless( + val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(), + val algorithmPolicy: Policy = Policy.getInstance() +) { + + init { + implementation.setPolicy( + PolicyAdapter(algorithmPolicy)) // adapt PGPainless' Policy to BCs OpenPGPPolicy + } companion object { + @Volatile private var instance: PGPainless? = null + + @JvmStatic + fun getInstance() = + instance ?: synchronized(this) { instance ?: PGPainless().also { instance = it } } + /** * Generate a fresh OpenPGP key ring from predefined templates. * @@ -166,7 +182,7 @@ class PGPainless private constructor() { * * @return policy */ - @JvmStatic fun getPolicy() = Policy.getInstance() + @JvmStatic fun getPolicy() = getInstance().algorithmPolicy /** * Create different kinds of signatures on other keys. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt new file mode 100644 index 00000000..eed5e24c --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt @@ -0,0 +1,77 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.bouncycastle + +import java.util.Date +import org.bouncycastle.openpgp.api.OpenPGPPolicy +import org.bouncycastle.openpgp.api.OpenPGPPolicy.OpenPGPNotationRegistry +import org.pgpainless.policy.Policy + +class PolicyAdapter(val policy: Policy = Policy.getInstance()) : OpenPGPPolicy { + + override fun isAcceptableDocumentSignatureHashAlgorithm( + algorithmId: Int, + signatureCreationTime: Date? + ): Boolean { + return if (signatureCreationTime == null) + policy.dataSignatureHashAlgorithmPolicy.isAcceptable(algorithmId) + else + policy.dataSignatureHashAlgorithmPolicy.isAcceptable(algorithmId, signatureCreationTime) + } + + override fun isAcceptableRevocationSignatureHashAlgorithm( + algorithmId: Int, + revocationCreationTime: Date? + ): Boolean { + return if (revocationCreationTime == null) + policy.revocationSignatureHashAlgorithmPolicy.isAcceptable(algorithmId) + else + policy.revocationSignatureHashAlgorithmPolicy.isAcceptable( + algorithmId, revocationCreationTime) + } + + override fun isAcceptableCertificationSignatureHashAlgorithm( + algorithmId: Int, + certificationCreationTime: Date? + ): Boolean { + return if (certificationCreationTime == null) + policy.certificationSignatureHashAlgorithmPolicy.isAcceptable(algorithmId) + else + policy.certificationSignatureHashAlgorithmPolicy.isAcceptable( + algorithmId, certificationCreationTime) + } + + override fun getDefaultCertificationSignatureHashAlgorithm(): Int { + return policy.certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm.algorithmId + } + + override fun getDefaultDocumentSignatureHashAlgorithm(): Int { + return policy.dataSignatureHashAlgorithmPolicy.defaultHashAlgorithm.algorithmId + } + + override fun isAcceptableSymmetricKeyAlgorithm(p0: Int): Boolean { + return policy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable(p0) + } + + override fun getDefaultSymmetricKeyAlgorithm(): Int { + return policy.symmetricKeyEncryptionAlgorithmPolicy.defaultSymmetricKeyAlgorithm.algorithmId + } + + override fun isAcceptablePublicKeyStrength(algorithmId: Int, bitStrength: Int): Boolean { + return policy.publicKeyAlgorithmPolicy.isAcceptable(algorithmId, bitStrength) + } + + override fun getNotationRegistry(): OpenPGPPolicy.OpenPGPNotationRegistry { + return object : OpenPGPNotationRegistry() { + override fun isNotationKnown(notationName: String?): Boolean { + return notationName?.let { policy.notationRegistry.isKnownNotation(it) } ?: false + } + + override fun addKnownNotation(notationName: String?) { + notationName?.let { policy.notationRegistry.addKnownNotation(it) } + } + } + } +} From 0cb7b8886a92d813f9199ea7c2853862965af4b8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 10 Feb 2025 12:44:33 +0100 Subject: [PATCH 028/265] WIP: Migrate away from static methods --- .../src/main/kotlin/org/pgpainless/PGPainless.kt | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 863a10da..a7edcf5c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -10,7 +10,9 @@ import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPApi import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter import org.pgpainless.decryption_verification.DecryptionBuilder @@ -30,11 +32,17 @@ class PGPainless( val algorithmPolicy: Policy = Policy.getInstance() ) { + private var api: OpenPGPApi + init { implementation.setPolicy( PolicyAdapter(algorithmPolicy)) // adapt PGPainless' Policy to BCs OpenPGPPolicy + api = BcOpenPGPApi(implementation) } + fun generateKey(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingTemplates = + KeyRingTemplates(version) + companion object { @Volatile private var instance: PGPainless? = null @@ -43,6 +51,11 @@ class PGPainless( fun getInstance() = instance ?: synchronized(this) { instance ?: PGPainless().also { instance = it } } + @JvmStatic + fun setInstance(pgpainless: PGPainless) { + instance = pgpainless + } + /** * Generate a fresh OpenPGP key ring from predefined templates. * @@ -51,7 +64,7 @@ class PGPainless( @JvmStatic @JvmOverloads fun generateKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4) = - KeyRingTemplates(version) + getInstance().generateKey(version) /** * Build a custom OpenPGP key ring. From b55aa24cade3830fd0070f80c2df9978d3f9fd03 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 10 Feb 2025 13:34:07 +0100 Subject: [PATCH 029/265] Change return type of KeyRingBuilder.build() to OpenPGPKey --- .../cli/commands/ExtractCertCmdTest.java | 8 ++-- .../RoundTripEncryptDecryptCmdTest.java | 14 +++---- .../commands/RoundTripSignVerifyCmdTest.java | 8 ++-- .../main/kotlin/org/pgpainless/PGPainless.kt | 2 +- .../key/generation/KeyRingBuilder.kt | 12 ++++-- .../key/generation/KeyRingBuilderInterface.kt | 4 +- .../key/generation/KeyRingTemplates.kt | 36 ++++++++--------- .../ModifiedPublicKeysInvestigation.java | 9 +++-- .../bouncycastle/PGPPublicKeyRingTest.java | 6 ++- .../CertificateWithMissingSecretKeyTest.java | 3 +- .../CleartextSignatureVerificationTest.java | 3 +- ...stomPublicKeyDataDecryptorFactoryTest.java | 3 +- .../MissingPassphraseForDecryptionTest.java | 3 +- .../OpenPgpInputStreamTest.java | 3 +- .../OpenPgpMessageInputStreamTest.java | 3 +- ...DecryptWithUnavailableGnuDummyKeyTest.java | 3 +- ...erifyWithMissingPublicKeyCallbackTest.java | 3 +- .../BcHashContextSignerTest.java | 6 ++- .../EncryptDecryptTest.java | 24 ++++++++---- .../EncryptionOptionsTest.java | 9 +++-- .../FileInformationTest.java | 3 +- .../HiddenRecipientEncryptionTest.java | 3 +- .../MultiSigningSubkeyTest.java | 3 +- .../encryption_signing/SigningTest.java | 18 ++++++--- .../org/pgpainless/example/ConvertKeys.java | 3 +- .../org/pgpainless/example/GenerateKeys.java | 12 ++++-- .../org/pgpainless/example/ModifyKeys.java | 3 +- .../java/org/pgpainless/example/Sign.java | 3 +- .../java/org/pgpainless/key/WeirdKeys.java | 3 +- .../certification/CertifyCertificateTest.java | 24 ++++++++---- .../collection/PGPKeyRingCollectionTest.java | 6 ++- .../BrainpoolKeyGenerationTest.java | 6 ++- .../GenerateEllipticCurveKeyTest.java | 3 +- .../GenerateKeyWithAdditionalUserIdTest.java | 3 +- ...GenerateKeyWithCustomCreationDateTest.java | 6 ++- ...GenerateKeyWithoutPrimaryKeyFlagsTest.java | 3 +- .../GenerateKeyWithoutUserIdTest.java | 3 +- .../key/generation/GenerateV6KeyTest.java | 3 +- .../KeyGenerationSubpacketsTest.java | 6 ++- .../pgpainless/key/info/KeyRingInfoTest.java | 9 +++-- .../key/info/PrimaryUserIdTest.java | 3 +- .../key/info/UserIdRevocationTest.java | 6 ++- ...odifiedBindingSignatureSubpacketsTest.java | 3 +- .../key/modification/AddUserIdTest.java | 7 +++- ...gePrimaryUserIdAndExpirationDatesTest.java | 15 ++++--- .../ChangeSecretKeyRingPassphraseTest.java | 3 +- .../ChangeSubkeyExpirationTimeTest.java | 3 +- ...ureSubpacketsArePreservedOnNewSigTest.java | 3 +- .../RefuseToAddWeakSubkeyTest.java | 6 ++- .../RevocationCertificateTest.java | 3 +- .../key/modification/RevokeSubKeyTest.java | 6 ++- .../key/modification/RevokeUserIdsTest.java | 9 +++-- .../parsing/KeyRingCollectionReaderTest.java | 6 ++- .../key/parsing/KeyRingReaderTest.java | 39 ++++++++++++------- .../CachingSecretKeyRingProtectorTest.java | 3 +- .../PassphraseProtectedKeyTest.java | 3 +- .../SecretKeyRingProtectorTest.java | 3 +- .../key/protection/UnlockSecretKeyTest.java | 3 +- .../key/protection/fixes/S2KUsageFixTest.java | 3 +- .../pgpainless/key/util/KeyRingUtilTest.java | 6 ++- .../OnePassSignatureBracketingTest.java | 6 ++- .../SignatureSubpacketsUtilTest.java | 3 +- ...artyCertificationSignatureBuilderTest.java | 9 +++-- ...irdPartyDirectKeySignatureBuilderTest.java | 3 +- .../org/pgpainless/util/ArmorUtilsTest.java | 9 +++-- .../java/org/pgpainless/util/BCUtilTest.java | 3 +- .../util/GuessPreferredHashAlgorithmTest.java | 3 +- .../selection/userid/SelectUserIdTest.java | 15 ++++--- ...ncryptCommsStorageFlagsDifferentiated.java | 3 +- .../extensions/PGPPublicKeyExtensionsTest.kt | 2 + .../org/pgpainless/sop/GenerateKeyImpl.kt | 10 ++--- .../java/org/pgpainless/sop/ArmorTest.java | 5 ++- .../org/pgpainless/sop/IncapableKeysTest.java | 11 +++--- .../PGPainlessChangeKeyPasswordTest.java | 7 ++-- 74 files changed, 319 insertions(+), 188 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java index f1f69912..801b654d 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java @@ -11,10 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -31,9 +28,10 @@ public class ExtractCertCmdTest extends CLITest { @Test public void testExtractCert() - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { + throws IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("Juliet Capulet "); + .simpleEcKeyRing("Juliet Capulet ") + .getPGPSecretKeyRing(); pipeBytesToStdin(secretKeys.getEncoded()); ByteArrayOutputStream out = pipeStdoutToStream(); diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java index f8d56bc3..9d3b3b9d 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java @@ -11,10 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Disabled; @@ -298,13 +295,13 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { } @Test - public void testEncryptWithIncapableCert() throws PGPException, - InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testEncryptWithIncapableCert() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addUserId("No Crypt ") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys); File certFile = writeFile("cert.pgp", cert.getEncoded()); @@ -318,13 +315,14 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { @Test public void testSignWithIncapableKey() - throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addUserId("Cannot Sign ") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder( KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build(); + .build() + .getPGPSecretKeyRing(); File keyFile = writeFile("key.pgp", secretKeys.getEncoded()); File certFile = writeFile("cert.pgp", PGPainless.extractCertificate(secretKeys).getEncoded()); diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java index 9ce18779..fea9a5d2 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java @@ -11,12 +11,9 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.text.ParseException; import java.util.Date; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -199,12 +196,13 @@ public class RoundTripSignVerifyCmdTest extends CLITest { @Test public void testSignWithIncapableKey() - throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addUserId("Cannot Sign ") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build(); + .build() + .getPGPSecretKeyRing(); File keyFile = writeFile("key.pgp", secretKeys.getEncoded()); pipeStringToStdin("Hello, World!\n"); diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index a7edcf5c..04ae3481 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -74,7 +74,7 @@ class PGPainless( @JvmStatic @JvmOverloads fun buildKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4) = - KeyRingBuilder(version) + KeyRingBuilder(version, getInstance().implementation) /** * Read an existing OpenPGP key ring. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 1ea80edb..ee842982 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -8,6 +8,7 @@ import java.io.IOException import java.util.* import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder @@ -25,8 +26,10 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper import org.pgpainless.util.Passphrase -class KeyRingBuilder(private val version: OpenPGPKeyVersion) : - KeyRingBuilderInterface { +class KeyRingBuilder( + private val version: OpenPGPKeyVersion, + private val implementation: OpenPGPImplementation +) : KeyRingBuilderInterface { private var primaryKeySpec: KeySpec? = null private val subKeySpecs = mutableListOf() @@ -80,7 +83,7 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : private fun keyIsCertificationCapable(keySpec: KeySpec) = keySpec.keyType.canCertify - override fun build(): PGPSecretKeyRing { + override fun build(): OpenPGPKey { val keyFingerprintCalculator = ImplementationFactory.getInstance().v4FingerprintCalculator val secretKeyEncryptor = buildSecretKeyEncryptor(keyFingerprintCalculator) val secretKeyDecryptor = buildSecretKeyDecryptor() @@ -168,7 +171,8 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion) : while (secretKeys.hasNext()) { secretKeyList.add(secretKeys.next()) } - return PGPSecretKeyRing(secretKeyList) + val pgpSecretKeyRing = PGPSecretKeyRing(secretKeyList) + return OpenPGPKey(pgpSecretKeyRing, implementation) } private fun addSubKeys(primaryKey: PGPKeyPair, ringGenerator: PGPKeyRingGenerator) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt index ecc818b6..8004d9a3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt @@ -8,7 +8,7 @@ import java.security.InvalidAlgorithmParameterException import java.security.NoSuchAlgorithmException import java.util.* import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.util.Passphrase interface KeyRingBuilderInterface> { @@ -33,5 +33,5 @@ interface KeyRingBuilderInterface> { NoSuchAlgorithmException::class, PGPException::class, InvalidAlgorithmParameterException::class) - fun build(): PGPSecretKeyRing + fun build(): OpenPGPKey } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index bb8788e1..cbb5a9df 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -4,7 +4,7 @@ package org.pgpainless.key.generation -import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless.Companion.buildKeyRing import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion @@ -24,14 +24,14 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * @param userId userId or null * @param length length of the RSA keys * @param passphrase passphrase to encrypt the key with. Can be empty for an unencrytped key. - * @return key + * @return [OpenPGPKey] */ @JvmOverloads fun rsaKeyRing( userId: CharSequence?, length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() - ): PGPSecretKeyRing = + ): OpenPGPKey = buildKeyRing(version) .apply { setPrimaryKey(getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER)) @@ -53,9 +53,9 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * @param length length of the RSA keys * @param password passphrase to encrypt the key with. Can be null or blank for unencrypted * keys. - * @return key + * @return [OpenPGPKey] */ - fun rsaKeyRing(userId: CharSequence?, length: RsaLength, password: String?): PGPSecretKeyRing = + fun rsaKeyRing(userId: CharSequence?, length: RsaLength, password: String?): OpenPGPKey = password.let { if (it.isNullOrBlank()) { rsaKeyRing(userId, length, Passphrase.emptyPassphrase()) @@ -70,15 +70,15 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * * @param userId user id. * @param length length in bits. - * @param password Password of the key. Can be empty for unencrypted keys. - * @return [PGPSecretKeyRing] containing the KeyPair. + * @param passphrase Password of the key. Can be empty for unencrypted keys. + * @return [OpenPGPKey] */ @JvmOverloads fun simpleRsaKeyRing( userId: CharSequence?, length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() - ): PGPSecretKeyRing = + ): OpenPGPKey = buildKeyRing(version) .apply { setPrimaryKey( @@ -101,7 +101,7 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * @param userId user id. * @param length length in bits. * @param password Password of the key. Can be null or blank for unencrypted keys. - * @return [PGPSecretKeyRing] containing the KeyPair. + * @return [OpenPGPKey] */ fun simpleRsaKeyRing(userId: CharSequence?, length: RsaLength, password: String?) = password.let { @@ -119,13 +119,13 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * * @param userId user-id * @param passphrase Password of the private key. Can be empty for an unencrypted key. - * @return [PGPSecretKeyRing] containing the key pairs. + * @return [OpenPGPKey] */ @JvmOverloads fun simpleEcKeyRing( userId: CharSequence?, passphrase: Passphrase = Passphrase.emptyPassphrase() - ): PGPSecretKeyRing { + ): OpenPGPKey { val signingKeyType = if (version == OpenPGPKeyVersion.v6) KeyType.Ed25519() else KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519) @@ -151,10 +151,10 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * used for encryption and decryption of messages. * * @param userId user-id - * @param passphrase Password of the private key. Can be null or blank for an unencrypted key. - * @return [PGPSecretKeyRing] containing the key pairs. + * @param password Password of the private key. Can be null or blank for an unencrypted key. + * @return [OpenPGPKey] */ - fun simpleEcKeyRing(userId: CharSequence?, password: String?): PGPSecretKeyRing = + fun simpleEcKeyRing(userId: CharSequence?, password: String?): OpenPGPKey = password.let { if (it.isNullOrBlank()) { simpleEcKeyRing(userId, Passphrase.emptyPassphrase()) @@ -169,13 +169,13 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * * @param userId primary user id * @param passphrase passphrase for the private key. Can be empty for an unencrypted key. - * @return key ring + * @return [OpenPGPKey] */ @JvmOverloads fun modernKeyRing( userId: CharSequence?, passphrase: Passphrase = Passphrase.emptyPassphrase() - ): PGPSecretKeyRing { + ): OpenPGPKey { val signingKeyType = if (version == OpenPGPKeyVersion.v6) KeyType.Ed25519() else KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519) @@ -202,9 +202,9 @@ class KeyRingTemplates(private val version: OpenPGPKeyVersion) { * * @param userId primary user id * @param password passphrase for the private key. Can be null or blank for an unencrypted key. - * @return key ring + * @return [OpenPGPKey] */ - fun modernKeyRing(userId: CharSequence?, password: String?): PGPSecretKeyRing = + fun modernKeyRing(userId: CharSequence?, password: String?): OpenPGPKey = password.let { if (it.isNullOrBlank()) { modernKeyRing(userId, Passphrase.emptyPassphrase()) diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java index e3d6bd19..2a965cb7 100644 --- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -252,7 +252,8 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertUnmodifiedRSAKeyDoesNotThrow() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleRsaKeyRing("Unmodified", RsaLength._4096, "987654321"); + .simpleRsaKeyRing("Unmodified", RsaLength._4096, "987654321") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); for (PGPSecretKey secretKey : secretKeys) { @@ -264,7 +265,8 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertUnmodifiedECKeyDoesNotThrow() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("Unmodified", "987654321"); + .simpleEcKeyRing("Unmodified", "987654321") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); for (PGPSecretKey secretKey : secretKeys) { @@ -276,7 +278,8 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertUnmodifiedModernKeyDoesNotThrow() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Unmodified", "987654321"); + .modernKeyRing("Unmodified", "987654321") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); for (PGPSecretKey secretKey : secretKeys) { diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java index 53317bde..ac909383 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java @@ -29,7 +29,8 @@ public class PGPPublicKeyRingTest { */ @Test public void subkeysDoNotHaveUserIDsTest() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("primary@user.id"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("primary@user.id") + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); PGPPublicKey primaryKey = publicKeys.getPublicKey(); for (PGPPublicKey subkey : publicKeys) { @@ -44,7 +45,8 @@ public class PGPPublicKeyRingTest { @Test public void removeUserIdTest() { String userId = "alice@wonderland.lit"; - PGPSecretKeyRing secretKeyRing = PGPainless.generateKeyRing().simpleEcKeyRing(userId); + PGPSecretKeyRing secretKeyRing = PGPainless.generateKeyRing().simpleEcKeyRing(userId) + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeyRing); List userIds = CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java index 5927df70..3ddd89eb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java @@ -78,7 +78,8 @@ public class CertificateWithMissingSecretKeyTest { // missing encryption sec key we generate on the fly PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Missing Decryption Key "); + .modernKeyRing("Missing Decryption Key ") + .getPGPSecretKeyRing(); encryptionSubkeyId = PGPainless.inspectKeyRing(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyIdentifier(); // remove the encryption/decryption secret key diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 3a17821f..1bf4f9bf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -217,7 +217,8 @@ public class CleartextSignatureVerificationTest { throws PGPException, IOException { String message = randomString(28, 4000); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); ByteArrayOutputStream out = new ByteArrayOutputStream(); EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() .onOutputStream(out) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java index c8d9e2f1..1f1f65ff 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java @@ -38,7 +38,8 @@ public class CustomPublicKeyDataDecryptorFactoryTest { @Disabled public void testDecryptionWithEmulatedHardwareDecryptionCallback() throws PGPException, IOException { - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKey = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKey); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); OpenPGPCertificate.OpenPGPComponentKey encryptionKey = diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index dcac7ada..979587ac 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -43,7 +43,8 @@ public class MissingPassphraseForDecryptionTest { @BeforeEach public void setup() throws PGPException, IOException { - secretKeys = PGPainless.generateKeyRing().modernKeyRing("Test", passphrase); + secretKeys = PGPainless.generateKeyRing().modernKeyRing("Test", passphrase) + .getPGPSecretKeyRing(); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); ByteArrayOutputStream out = new ByteArrayOutputStream(); EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java index 594181b2..4944c85f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java @@ -737,7 +737,8 @@ public class OpenPgpInputStreamTest { public void testSignedMessageConsumption() throws PGPException, IOException { ByteArrayInputStream plaintext = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Sigmund "); + .modernKeyRing("Sigmund ") + .getPGPSecretKeyRing(); ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); EncryptionStream signer = PGPainless.encryptAndOrSign() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java index e8345d1c..ed57fee5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java @@ -240,7 +240,8 @@ public class OpenPgpMessageInputStreamTest { public static void genKey() { PGPainless.asciiArmor( - PGPainless.generateKeyRing().modernKeyRing("Alice "), + PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(), System.out); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java index 859e2a29..0c8bff4f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java @@ -28,7 +28,8 @@ public class TryDecryptWithUnavailableGnuDummyKeyTest { public void testAttemptToDecryptWithRemovedPrivateKeysThrows() throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Hardy Hardware "); + .modernKeyRing("Hardy Hardware ") + .getPGPSecretKeyRing(); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java index c77c70e1..4845ddab 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java @@ -38,7 +38,8 @@ public class VerifyWithMissingPublicKeyCallbackTest { @Test public void testMissingPublicKeyCallback() throws PGPException, IOException { - PGPSecretKeyRing signingSecKeys = PGPainless.generateKeyRing().modernKeyRing("alice"); + PGPSecretKeyRing signingSecKeys = PGPainless.generateKeyRing().modernKeyRing("alice") + .getPGPSecretKeyRing(); OpenPGPCertificate.OpenPGPComponentKey signingKey = new KeyRingInfo(signingSecKeys).getSigningSubkeys().get(0); PGPPublicKeyRing signingPubKeys = KeyRingUtils.publicKeyRingFrom(signingSecKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java index 61858395..91c2d8c5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java @@ -66,13 +66,15 @@ public class BcHashContextSignerTest { @Test public void signContextWithRSAKeys() throws PGPException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072) + .getPGPSecretKeyRing(); signWithKeys(secretKeys); } @Test public void signContextWithEcKeys() throws PGPException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried") + .getPGPSecretKeyRing(); signWithKeys(secretKeys); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 4e2fb744..dbf75f6e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -68,8 +68,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToRsaTest() throws PGPException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); + PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) + .getPGPSecretKeyRing(); + PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) + .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); } @@ -78,8 +80,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysEcToEcTest() throws IOException, PGPException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit"); + PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit") + .getPGPSecretKeyRing(); + PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit") + .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); } @@ -88,8 +92,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysEcToRsaTest() throws PGPException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); + PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit") + .getPGPSecretKeyRing(); + PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) + .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); } @@ -98,8 +104,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToEcTest() throws PGPException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit"); + PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) + .getPGPSecretKeyRing(); + PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit") + .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index cd20ebdd..3c8b4749 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -55,7 +55,8 @@ public class EncryptionOptionsTest { .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE) .build()) .addUserId("test@pgpainless.org") - .build(); + .build() + .getPGPSecretKeyRing(); publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); @@ -137,7 +138,8 @@ public class EncryptionOptionsTest { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("test@pgpainless.org") - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys)); @@ -168,7 +170,8 @@ public class EncryptionOptionsTest { @Test public void testAddRecipients_PGPPublicKeyRingCollection() { PGPPublicKeyRing secondKeyRing = KeyRingUtils.publicKeyRingFrom( - PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org")); + PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org") + .getPGPSecretKeyRing()); PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection( Arrays.asList(publicKeys, secondKeyRing)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java index 57a13452..799e0f9e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java @@ -37,7 +37,8 @@ public class FileInformationTest { @BeforeAll public static void generateKey() { - secretKey = PGPainless.generateKeyRing().modernKeyRing("alice@wonderland.lit"); + secretKey = PGPainless.generateKeyRing().modernKeyRing("alice@wonderland.lit") + .getPGPSecretKeyRing(); certificate = PGPainless.extractCertificate(secretKey); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java index 0c510514..af018584 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java @@ -31,7 +31,8 @@ public class HiddenRecipientEncryptionTest { @Test public void testAnonymousRecipientRoundtrip() throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); String msg = "Hello, World!\n"; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java index d504238a..9abfeb08 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java @@ -55,7 +55,8 @@ public class MultiSigningSubkeyTest { .addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) .addUserId("Alice ") - .build(); + .build() + .getPGPSecretKeyRing(); signingCert = PGPainless.extractCertificate(signingKey); Iterator signingSubkeys = PGPainless.inspectKeyRing(signingKey).getSigningSubkeys().listIterator(); primaryKey = new SubkeyIdentifier(signingKey, signingSubkeys.next().getKeyIdentifier()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 35c40e56..74ec8377 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -115,7 +115,8 @@ public class SigningTest { @ExtendWith(TestAllImplementations.class) public void testSignWithInvalidUserIdFails() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("alice", "password123"); + .modernKeyRing("alice", "password123") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); SigningOptions opts = new SigningOptions(); @@ -130,7 +131,8 @@ public class SigningTest { public void testSignWithRevokedUserIdFails() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("alice", "password123"); + .modernKeyRing("alice", "password123") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith( Passphrase.fromPassword("password123")); secretKeys = PGPainless.modifyKeyRing(secretKeys) @@ -187,7 +189,8 @@ public class SigningTest { KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms()) .addUserId("Alice") - .build(); + .build() + .getPGPSecretKeyRing(); SigningOptions options = new SigningOptions() .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, @@ -217,7 +220,8 @@ public class SigningTest { KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms(HashAlgorithm.MD5)) .addUserId("Alice") - .build(); + .build() + .getPGPSecretKeyRing(); SigningOptions options = new SigningOptions() .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, @@ -244,7 +248,8 @@ public class SigningTest { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") - .build(); + .build() + .getPGPSecretKeyRing(); SigningOptions options = new SigningOptions(); assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addDetachedSignature( @@ -260,7 +265,8 @@ public class SigningTest { .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("Alice") - .build(); + .build() + .getPGPSecretKeyRing(); SigningOptions options = new SigningOptions(); assertThrows(KeyException.UnboundUserIdException.class, () -> diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index caae8355..d93fc5f4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -22,7 +22,8 @@ public class ConvertKeys { public void secretKeyToCertificate() { String userId = "alice@wonderland.lit"; PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .modernKeyRing(userId); + .modernKeyRing(userId) + .getPGPSecretKeyRing(); // Extract certificate (public key) from secret key PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index c3b0dfa7..3954f94a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -59,7 +59,8 @@ public class GenerateKeys { String password = "ra1nb0w"; // Generate the OpenPGP key PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .modernKeyRing(userId, password); + .modernKeyRing(userId, password) + .getPGPSecretKeyRing(); // Extract public key PGPPublicKeyRing publicKey = PGPainless.extractCertificate(secretKey); // Encode the public key to an ASCII armored string ready for sharing @@ -91,7 +92,8 @@ public class GenerateKeys { String password = "b1angl3s"; // Generate the OpenPGP key PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .simpleRsaKeyRing(userId, RsaLength._4096, password); + .simpleRsaKeyRing(userId, RsaLength._4096, password) + .getPGPSecretKeyRing(); KeyRingInfo keyInfo = new KeyRingInfo(secretKey); assertEquals(1, keyInfo.getSecretKeys().size()); @@ -114,7 +116,8 @@ public class GenerateKeys { String password = "tr4ns"; // Generate the OpenPGP key PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .simpleEcKeyRing(userId, password); + .simpleEcKeyRing(userId, password) + .getPGPSecretKeyRing(); KeyRingInfo keyInfo = new KeyRingInfo(secretKey); @@ -201,7 +204,8 @@ public class GenerateKeys { .addUserId(additionalUserId) // Set passphrase. Alternatively use .withoutPassphrase() to leave key unprotected. .setPassphrase(passphrase) - .build(); + .build() + .getPGPSecretKeyRing(); KeyRingInfo keyInfo = new KeyRingInfo(secretKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 08543f3d..696a17ae 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -48,7 +48,8 @@ public class ModifyKeys { @BeforeEach public void generateKey() { secretKey = PGPainless.generateKeyRing() - .modernKeyRing(userId, originalPassphrase); + .modernKeyRing(userId, originalPassphrase) + .getPGPSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); primaryKeyId = info.getKeyIdentifier().getKeyId(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index b3181369..0ae2ab93 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -37,7 +37,8 @@ public class Sign { @BeforeAll public static void prepare() { - secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example "); + secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example ") + .getPGPSecretKeyRing(); protector = SecretKeyRingProtector.unprotectedKeys(); // no password } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java index 3a0c24a3..a272b12b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java @@ -103,7 +103,8 @@ public class WeirdKeys { @Test public void generateCertAndTestWithNonUTF8UserId() throws PGPException, IOException { - PGPSecretKeyRing nakedKey = PGPainless.generateKeyRing().modernKeyRing(null); + PGPSecretKeyRing nakedKey = PGPainless.generateKeyRing().modernKeyRing(null) + .getPGPSecretKeyRing(); PGPPublicKey pubKey = nakedKey.getPublicKey(); PGPSecretKey secKey = nakedKey.getSecretKey(); PGPPrivateKey privKey = UnlockSecretKey.unlockSecretKey(secKey, Passphrase.emptyPassphrase()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java index deb2877c..cdaec4e0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java @@ -36,9 +36,11 @@ public class CertifyCertificateTest { @Test public void testUserIdCertification() throws PGPException, IOException { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); String bobUserId = "Bob "; - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId); + PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId) + .getPGPSecretKeyRing(); PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob); @@ -71,8 +73,10 @@ public class CertifyCertificateTest { @Test public void testKeyDelegation() throws PGPException, IOException { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob "); + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); + PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ") + .getPGPSecretKeyRing(); PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob); @@ -110,9 +114,11 @@ public class CertifyCertificateTest { @Test public void testPetNameCertification() { PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPSecretKeyRing bobKey = PGPainless.generateKeyRing() - .modernKeyRing("Bob "); + .modernKeyRing("Bob ") + .getPGPSecretKeyRing(); PGPPublicKeyRing bobCert = PGPainless.extractCertificate(bobKey); String petName = "Bobby"; @@ -140,9 +146,11 @@ public class CertifyCertificateTest { @Test public void testScopedDelegation() { PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPSecretKeyRing caKey = PGPainless.generateKeyRing() - .modernKeyRing("CA "); + .modernKeyRing("CA ") + .getPGPSecretKeyRing(); PGPPublicKeyRing caCert = PGPainless.extractCertificate(caKey); CertifyCertificate.CertificationResult result = PGPainless.certify() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java index ca311091..f356f007 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java @@ -54,8 +54,10 @@ public class PGPKeyRingCollectionTest { @Test public void testConstructorFromCollection() { - PGPSecretKeyRing first = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit"); - PGPSecretKeyRing second = PGPainless.generateKeyRing().simpleEcKeyRing("bob@the-builder.tv"); + PGPSecretKeyRing first = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit") + .getPGPSecretKeyRing(); + PGPSecretKeyRing second = PGPainless.generateKeyRing().simpleEcKeyRing("bob@the-builder.tv") + .getPGPSecretKeyRing(); PGPPublicKeyRing secondPub = KeyRingUtils.publicKeyRingFrom(second); Collection keys = Arrays.asList(first, second, secondPub); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index 0a973d6f..f68be6c6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -73,7 +73,8 @@ public class BrainpoolKeyGenerationTest { KeyType.RSA(RsaLength._3072), KeyFlag.SIGN_DATA)) .addUserId(UserId.nameAndEmail("Alice", "alice@pgpainless.org")) .setPassphrase(Passphrase.fromPassword("passphrase")) - .build(); + .build() + .getPGPSecretKeyRing(); for (PGPSecretKey key : secretKeys) { KeyInfo info = new KeyInfo(key); @@ -113,7 +114,8 @@ public class BrainpoolKeyGenerationTest { .setPrimaryKey(primaryKey) .addSubkey(subKey) .addUserId(userId) - .build(); + .build() + .getPGPSecretKeyRing(); return secretKeys; } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index a9ab1668..0d63293b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -33,7 +33,8 @@ public class GenerateEllipticCurveKeyTest { KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS)) .addUserId(UserId.onlyEmail("alice@wonderland.lit").toString()) - .build(); + .build() + .getPGPSecretKeyRing(); assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), keyRing.getPublicKey().getAlgorithm()); UnlockSecretKey.unlockSecretKey(keyRing.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index 6c9ccbe5..2cdd4131 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -42,7 +42,8 @@ public class GenerateKeyWithAdditionalUserIdTest { .addUserId(UserId.onlyEmail("additional2@user.id")) .addUserId("\ttrimThis@user.id ") .setExpirationDate(expiration) - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); JUtils.assertDateEquals(expiration, PGPainless.inspectKeyRing(publicKeys).getPrimaryKeyExpirationDate()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java index f5e01ad0..342e060a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java @@ -33,7 +33,8 @@ public class GenerateKeyWithCustomCreationDateTest { .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .setKeyCreationDate(creationDate)) // primary key with custom creation time .addUserId("Alice") - .build(); + .build() + .getPGPSecretKeyRing(); Iterator iterator = secretKeys.iterator(); PGPPublicKey primaryKey = iterator.next().getPublicKey(); @@ -54,7 +55,8 @@ public class GenerateKeyWithCustomCreationDateTest { .addSubkey(KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._P384), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).setKeyCreationDate(future)) .setPrimaryKey(KeySpec.getBuilder(KeyType.ECDSA(EllipticCurve._P384), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("Captain Future ") - .build(); + .build() + .getPGPSecretKeyRing(); // Subkey has future key creation date, so its binding will predate the key -> no usable encryption key left assertFalse(PGPainless.inspectKeyRing(secretKeys) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java index ad375512..d23e6f15 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java @@ -46,7 +46,8 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) .addUserId("Alice") - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java index 88cc2b26..a42146dc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java @@ -49,7 +49,8 @@ public class GenerateKeyWithoutUserIdTest { .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).setKeyCreationDate(now)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).setKeyCreationDate(now)) .setExpirationDate(expirationDate) - .build(); + .build() + .getPGPSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); assertNull(info.getPrimaryUserId()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index 1ecde1e7..8ad1daeb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -16,7 +16,8 @@ public class GenerateV6KeyTest { @Test public void generateModernV6Key() { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing(OpenPGPKeyVersion.v6) - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); assertEquals(6, secretKey.getPublicKey().getVersion()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index 9900f55b..b5c5a3a3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -39,7 +39,8 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForUserIdSignatures() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); Date plus1Sec = new Date(secretKeys.getPublicKey().getCreationTime().getTime() + 1000); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); PGPSignature userIdSig = info.getLatestUserIdCertification("Alice"); @@ -105,7 +106,8 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForSubkeyBindingSignatures() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); List keysBefore = info.getPublicKeys(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index fccd02fb..0a12c04c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -229,7 +229,8 @@ public class KeyRingInfoTest { .addSubkey(KeySpec.getBuilder( KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.SIGN_DATA)) .addUserId(UserId.builder().withName("Alice").withEmail("alice@pgpainless.org").build()) - .build(); + .build() + .getPGPSecretKeyRing(); Iterator keys = secretKeys.iterator(); Date now = DateUtil.now(); @@ -522,7 +523,8 @@ public class KeyRingInfoTest { @Test public void getSecretKeyTest() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); OpenPGPKey key = new OpenPGPKey(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); @@ -560,7 +562,8 @@ public class KeyRingInfoTest { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addUserId("Alice") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) - .build(); + .build() + .getPGPSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java index 30601f99..a8d412ad 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java @@ -16,7 +16,8 @@ public class PrimaryUserIdTest { @Test public void testGetPrimaryUserId() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit") + .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId("mad_alice@wonderland.lit", SecretKeyRingProtector.unprotectedKeys()) .done(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index 9738bb0a..cf34f9fe 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -45,7 +45,8 @@ public class UserIdRevocationTest { KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS)) .addUserId("primary@key.id") .addUserId("secondary@key.id") - .build(); + .build() + .getPGPSecretKeyRing(); // make a copy with revoked subkey PGPSecretKeyRing revoked = PGPainless.modifyKeyRing(secretKeys) @@ -82,7 +83,8 @@ public class UserIdRevocationTest { .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS)) .addUserId("primary@key.id") .addUserId("secondary@key.id") - .build(); + .build() + .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .revokeUserId("secondary@key.id", new UnprotectedKeysProtector(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java index dce54107..043c1188 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java @@ -40,7 +40,8 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); PGPKeyPair secretSubkey = KeyRingBuilder.generateKeyPair( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 69921f13..92fd7e3e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -36,7 +36,9 @@ public class AddUserIdTest { @ExtendWith(TestAllImplementations.class) public void addUserIdToExistingKeyRing() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le") + .getPGPSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); Iterator userIds = info.getValidUserIds().iterator(); @@ -115,7 +117,8 @@ public class AddUserIdTest { public void addNewPrimaryUserIdTest() { Date now = new Date(); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); UserId bob = UserId.newBuilder().withName("Bob").noEmail().noComment().build(); assertNotEquals("Bob", PGPainless.inspectKeyRing(secretKeys).getPrimaryUserId()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java index e9bbab7a..c7751434 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java @@ -27,7 +27,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { public void generateA_primaryB_revokeA_cantSecondaryA() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("A"); + .modernKeyRing("A") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); @@ -72,7 +73,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_primaryExpire_isExpired() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("A"); + .modernKeyRing("A") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); @@ -94,7 +96,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_primaryB_primaryExpire_bIsStillPrimary() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("A"); + .modernKeyRing("A") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); @@ -134,7 +137,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_expire_certify() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); @@ -157,7 +161,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_expire_primaryB_expire_isPrimaryB() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 7bb41920..ff41aa81 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -35,7 +35,8 @@ import org.pgpainless.util.Passphrase; public class ChangeSecretKeyRingPassphraseTest { - private final PGPSecretKeyRing keyRing = PGPainless.generateKeyRing().simpleEcKeyRing("password@encryp.ted", "weakPassphrase"); + private final PGPSecretKeyRing keyRing = PGPainless.generateKeyRing().simpleEcKeyRing("password@encryp.ted", "weakPassphrase") + .getPGPSecretKeyRing(); public ChangeSecretKeyRingPassphraseTest() { } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java index 94cc71a1..d62f8ad8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java @@ -25,7 +25,8 @@ public class ChangeSubkeyExpirationTimeTest { @Test public void changeExpirationTimeOfSubkey() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); Date now = secretKeys.getPublicKey().getCreationTime(); Date inAnHour = new Date(now.getTime() + 1000 * 60 * 60); OpenPGPCertificate.OpenPGPComponentKey encryptionKey = PGPainless.inspectKeyRing(secretKeys) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java index d908191f..afea503c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java @@ -27,7 +27,8 @@ public class OldSignatureSubpacketsArePreservedOnNewSigTest { @ExtendWith(TestAllImplementations.class) public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("Alice "); + .simpleEcKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPSignature oldSignature = PGPainless.inspectKeyRing(secretKeys).getLatestUserIdCertification("Alice "); assertNotNull(oldSignature); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java index d5a3396a..e640302e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -32,7 +32,8 @@ public class RefuseToAddWeakSubkeyTest { PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build(); @@ -43,7 +44,8 @@ public class RefuseToAddWeakSubkeyTest { @Test public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); // set weak policy Map minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java index 27f0a9e1..6dbd7318 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java @@ -74,7 +74,8 @@ public class RevocationCertificateTest { @Test public void createMinimalRevocationCertificateForFreshKeyTest() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPPublicKeyRing minimalRevocationCert = PGPainless.modifyKeyRing(secretKeys).createMinimalRevocationCertificate( SecretKeyRingProtector.unprotectedKeys(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index 992df1da..729c2151 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -126,7 +126,8 @@ public class RevokeSubKeyTest { @Test public void inspectSubpacketsOnDefaultRevocationSignature() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); @@ -150,7 +151,8 @@ public class RevokeSubKeyTest { @Test public void inspectSubpacketsOnModifiedRevocationSignature() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java index 9694c763..e06f2065 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -27,7 +27,8 @@ public class RevokeUserIdsTest { @Test public void revokeWithSelectUserId() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); secretKeys = PGPainless.modifyKeyRing(secretKeys) @@ -60,7 +61,8 @@ public class RevokeUserIdsTest { @Test public void removeUserId() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); secretKeys = PGPainless.modifyKeyRing(secretKeys) @@ -94,7 +96,8 @@ public class RevokeUserIdsTest { @Test public void emptySelectionYieldsNoSuchElementException() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice "); + .modernKeyRing("Alice ") + .getPGPSecretKeyRing(); assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys).revokeUserIds( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java index cd0a6c7b..c91186c7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java @@ -24,8 +24,10 @@ public class KeyRingCollectionReaderTest { @Test public void writeAndParseKeyRingCollections() throws IOException { // secret keys - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob "); + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); + PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ") + .getPGPSecretKeyRing(); PGPSecretKeyRingCollection collection = KeyRingUtils.keyRingsToKeyRingCollection(alice, bob); String ascii = ArmorUtils.toAsciiArmoredString(collection); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index a3b817e8..680ba46e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -79,7 +79,8 @@ class KeyRingReaderTest { Collection collection = new ArrayList<>(); for (int i = 0; i < 10; i++) { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("user_" + i + "@encrypted.key"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("user_" + i + "@encrypted.key") + .getPGPSecretKeyRing(); collection.add(KeyRingUtils.publicKeyRingFrom(secretKeys)); } @@ -447,8 +448,10 @@ class KeyRingReaderTest { @Test public void testReadSecretKeysIgnoresMultipleMarkers() throws IOException { - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org"); + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") + .getPGPSecretKeyRing(); + PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org") + .getPGPSecretKeyRing(); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -481,7 +484,8 @@ class KeyRingReaderTest { @Test public void testReadingSecretKeysExceedsIterationLimit() throws IOException { - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") + .getPGPSecretKeyRing(); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -500,8 +504,10 @@ class KeyRingReaderTest { @Test public void testReadingSecretKeyCollectionExceedsIterationLimit() throws IOException { - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org"); + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") + .getPGPSecretKeyRing(); + PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org") + .getPGPSecretKeyRing(); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -522,7 +528,8 @@ class KeyRingReaderTest { @Test public void testReadingPublicKeysExceedsIterationLimit() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") + .getPGPSecretKeyRing(); PGPPublicKeyRing alice = PGPainless.extractCertificate(secretKeys); MarkerPacket marker = TestUtils.getMarkerPacket(); @@ -542,8 +549,10 @@ class KeyRingReaderTest { @Test public void testReadingPublicKeyCollectionExceedsIterationLimit() throws IOException { - PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org"); - PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org"); + PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") + .getPGPSecretKeyRing(); + PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org") + .getPGPSecretKeyRing(); PGPPublicKeyRing alice = PGPainless.extractCertificate(sec1); PGPPublicKeyRing bob = PGPainless.extractCertificate(sec2); MarkerPacket marker = TestUtils.getMarkerPacket(); @@ -564,7 +573,8 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithBinaryPublicKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); byte[] bytes = publicKeys.getEncoded(); @@ -577,7 +587,8 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithBinarySecretKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); byte[] bytes = secretKeys.getEncoded(); PGPKeyRing keyRing = PGPainless.readKeyRing() @@ -589,7 +600,8 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithArmoredPublicKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); String armored = PGPainless.asciiArmor(publicKeys); @@ -602,7 +614,8 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithArmoredSecretKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") + .getPGPSecretKeyRing(); String armored = PGPainless.asciiArmor(secretKeys); PGPKeyRing keyRing = PGPainless.readKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index f77f1177..081d8959 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -77,7 +77,8 @@ public class CachingSecretKeyRingProtectorTest { @Test public void testAddPassphraseForKeyRing() { PGPSecretKeyRing keys = PGPainless.generateKeyRing() - .modernKeyRing("test@test.test", "Passphrase123"); + .modernKeyRing("test@test.test", "Passphrase123") + .getPGPSecretKeyRing(); Passphrase passphrase = Passphrase.fromPassword("Passphrase123"); protector.addPassphrase(keys, passphrase); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index 6b90ba19..6139ec0a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -57,7 +57,8 @@ public class PassphraseProtectedKeyTest { @Test public void testReturnsNonNullDecryptorForSubkeys() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice", "passphrase"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice", "passphrase") + .getPGPSecretKeyRing(); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("passphrase")); for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { PGPPublicKey subkey = it.next(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 193e9223..92ae553d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -44,7 +44,8 @@ public class SecretKeyRingProtectorTest { secretKey.extractPrivateKey(decryptor); } PGPSecretKeyRing unrelatedKeys = PGPainless.generateKeyRing().simpleEcKeyRing("unrelated", - "SecurePassword"); + "SecurePassword") + .getPGPSecretKeyRing(); for (PGPSecretKey unrelatedKey : unrelatedKeys) { PBESecretKeyDecryptor decryptor = protector.getDecryptor(unrelatedKey.getKeyID()); assertNull(decryptor); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java index 2bb0e3ac..ba98c2c2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java @@ -21,7 +21,8 @@ public class UnlockSecretKeyTest { @Test public void testUnlockSecretKey() throws PGPException { PGPSecretKeyRing secretKeyRing = PGPainless.generateKeyRing() - .simpleEcKeyRing("alice@wonderland.lit", "heureka!"); + .simpleEcKeyRing("alice@wonderland.lit", "heureka!") + .getPGPSecretKeyRing(); PGPSecretKey secretKey = secretKeyRing.getSecretKey(); SecretKeyRingProtector correctPassphrase = SecretKeyRingProtector diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index dca08b2d..e84d16e4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -67,7 +67,8 @@ public class S2KUsageFixTest { @Test public void verifyOutFixInChangePassphraseWorks() throws PGPException { - PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before"); + PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before") + .getPGPSecretKeyRing(); for (PGPSecretKey key : before) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index 221e62bd..6e6ca5aa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -41,7 +41,8 @@ public class KeyRingUtilTest { @Test public void testInjectCertification() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); // test preconditions assertFalse(secretKeys.getPublicKey().getUserAttributes().hasNext()); @@ -73,7 +74,8 @@ public class KeyRingUtilTest { @Test public void testKeysPlusPublicKey() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index a0dcf141..4627f781 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -54,8 +54,10 @@ public class OnePassSignatureBracketingTest { public void onePassSignaturePacketsAndSignaturesAreBracketedTest() throws PGPException, IOException { - PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice"); - PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob"); + PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice") + .getPGPSecretKeyRing(); + PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob") + .getPGPSecretKeyRing(); PGPPublicKeyRing cert1 = PGPainless.extractCertificate(key1); ByteArrayOutputStream out = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index 3d862ddf..68c125c8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -52,7 +52,8 @@ public class SignatureSubpacketsUtilTest { @Test public void testGetKeyExpirationTimeAsDate() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Expire"); + .modernKeyRing("Expire") + .getPGPSecretKeyRing(); Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS)); secretKeys = PGPainless.modifyKeyRing(secretKeys) .setExpirationDate(expiration, SecretKeyRingProtector.unprotectedKeys()) diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java index 35726ee6..d9df7cf5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java @@ -29,7 +29,8 @@ public class ThirdPartyCertificationSignatureBuilderTest { @Test public void testInvalidSignatureTypeThrows() { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); assertThrows(IllegalArgumentException.class, () -> new ThirdPartyCertificationSignatureBuilder( SignatureType.BINARY_DOCUMENT, // invalid type @@ -40,10 +41,12 @@ public class ThirdPartyCertificationSignatureBuilderTest { @Test public void testUserIdCertification() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); PGPPublicKeyRing bobsPublicKeys = PGPainless.extractCertificate( - PGPainless.generateKeyRing().modernKeyRing("Bob")); + PGPainless.generateKeyRing().modernKeyRing("Bob") + .getPGPSecretKeyRing()); ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder( secretKeys.getSecretKey(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java index 56605f83..9c860916 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java @@ -33,7 +33,8 @@ public class ThirdPartyDirectKeySignatureBuilderTest { @Test public void testDirectKeySignatureBuilding() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice"); + .modernKeyRing("Alice") + .getPGPSecretKeyRing(); DirectKeySelfSignatureBuilder dsb = new DirectKeySelfSignatureBuilder( secretKeys.getSecretKey(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index 22f98512..d3e27085 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -183,7 +183,8 @@ public class ArmorUtilsTest { .addUserId("Juliet ") .addUserId("xmpp:juliet@capulet.lit") .setPassphrase(Passphrase.fromPassword("test")) - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKey publicKey = secretKeyRing.getPublicKey(); PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded()); String armored = PGPainless.asciiArmor(publicKeyRing); @@ -199,7 +200,8 @@ public class ArmorUtilsTest { .addUserId("xmpp:juliet@capulet.lit") .addUserId("Juliet Montague ") .setPassphrase(Passphrase.fromPassword("test")) - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKey publicKey = secretKeyRing.getPublicKey(); PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded()); String armored = PGPainless.asciiArmor(publicKeyRing); @@ -214,7 +216,8 @@ public class ArmorUtilsTest { .setPrimaryKey(KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) .addUserId("Juliet ") .setPassphrase(Passphrase.fromPassword("test")) - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKey publicKey = secretKeyRing.getPublicKey(); PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded()); String armored = PGPainless.asciiArmor(publicKeyRing); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index 6e7b94cc..5df91552 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -38,7 +38,8 @@ public class BCUtilTest { KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072), KeyFlag.ENCRYPT_COMMS)) .addUserId("donald@duck.tails") - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKeyRing pub = KeyRingUtils.publicKeyRingFrom(sec); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index bf991236..b6ebd8a2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -32,7 +32,8 @@ public class GuessPreferredHashAlgorithmTest { .overridePreferredSymmetricKeyAlgorithms(new SymmetricKeyAlgorithm[] {}) .overridePreferredCompressionAlgorithms(new CompressionAlgorithm[] {})) .addUserId("test@test.test") - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKey publicKey = secretKeys.getPublicKey(); assertEquals(Collections.emptyList(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java index 99a0c87c..71851b2a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java @@ -25,7 +25,8 @@ public class SelectUserIdTest { @Test public void testSelectUserIds() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing(""); + .simpleEcKeyRing("") + .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId( UserId.newBuilder().withName("Alice Liddell").noComment() @@ -53,7 +54,8 @@ public class SelectUserIdTest { @Test public void testContainsSubstring() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("wine drinker"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("wine drinker") + .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId("this is not a quine", SecretKeyRingProtector.unprotectedKeys()) .addUserId("this is not a crime", SecretKeyRingProtector.unprotectedKeys()) @@ -67,7 +69,8 @@ public class SelectUserIdTest { @Test public void testContainsEmailAddress() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Alice ") + .getPGPSecretKeyRing(); List userIds = PGPainless.inspectKeyRing(secretKeys).getValidUserIds(); assertEquals("Alice ", userIds.stream().filter( @@ -80,7 +83,8 @@ public class SelectUserIdTest { @Test public void testAndOrNot() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Alice "); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Alice ") + .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId("Alice ", SecretKeyRingProtector.unprotectedKeys()) .addUserId("", SecretKeyRingProtector.unprotectedKeys()) @@ -106,7 +110,8 @@ public class SelectUserIdTest { @Test public void testFirstMatch() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("First UserID"); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("First UserID") + .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId("Second UserID", SecretKeyRingProtector.unprotectedKeys()) .done(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index 8c9da177..4c50a297 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -30,7 +30,8 @@ public class TestEncryptCommsStorageFlagsDifferentiated { KeyFlag.ENCRYPT_STORAGE // no ENCRYPT_COMMS )) .addUserId("cannot@encrypt.comms") - .build(); + .build() + .getPGPSecretKeyRing(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); diff --git a/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensionsTest.kt b/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensionsTest.kt index d9c99c47..da642e4c 100644 --- a/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensionsTest.kt +++ b/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPPublicKeyExtensionsTest.kt @@ -24,6 +24,7 @@ class PGPPublicKeyExtensionsTest { PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.ECDSA(curve))) .build() + .pgpSecretKeyRing .publicKey assertEquals(curve.curveName, key.getCurveName()) @@ -37,6 +38,7 @@ class PGPPublicKeyExtensionsTest { PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(curve))) .build() + .pgpSecretKeyRing .publicKey assertEquals(curve.curveName, key.getCurveName()) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index f8297c56..fe904909 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -9,7 +9,7 @@ import java.lang.RuntimeException import java.security.InvalidAlgorithmParameterException import java.security.NoSuchAlgorithmException import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag import org.pgpainless.key.generation.KeyRingBuilder @@ -50,11 +50,11 @@ class GenerateKeyImpl : GenerateKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - val armorOut = ArmorUtils.toAsciiArmoredStream(key, outputStream) - key.encode(armorOut) + val armorOut = ArmorUtils.toAsciiArmoredStream(key.pgpKeyRing, outputStream) + key.pgpKeyRing.encode(armorOut) armorOut.close() } else { - key.encode(outputStream) + key.pgpKeyRing.encode(outputStream) } } } @@ -88,7 +88,7 @@ class GenerateKeyImpl : GenerateKey { userIds: Set, passphrase: Passphrase, signingOnly: Boolean - ): PGPSecretKeyRing { + ): OpenPGPKey { val keyBuilder: KeyRingBuilder = when (profile) { CURVE25519_PROFILE.name -> diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java index 82688bbf..37ef1a75 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java @@ -17,7 +17,10 @@ public class ArmorTest { @Test public void armor() throws IOException { - byte[] data = PGPainless.generateKeyRing().modernKeyRing("Alice").getEncoded(); + byte[] data = PGPainless.generateKeyRing() + .modernKeyRing("Alice") + .getPGPSecretKeyRing() + .getEncoded(); byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data) .replace("Version: PGPainless\n", "") // armor command does not add version anymore .getBytes(StandardCharsets.UTF_8); diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java index efcd51c4..dd8fef77 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java @@ -4,7 +4,6 @@ package org.pgpainless.sop; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -20,8 +19,6 @@ import sop.exception.SOPGPException; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import static org.junit.jupiter.api.Assertions.assertThrows; @@ -35,12 +32,13 @@ public class IncapableKeysTest { private static final SOP sop = new SOPImpl(); @BeforeAll - public static void generateKeys() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public static void generateKeys() throws IOException { PGPSecretKeyRing key = PGPainless.buildKeyRing() .addSubkey(KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Non Signing ") - .build(); + .build() + .getPGPSecretKeyRing(); nonSigningKey = ArmorUtils.toAsciiArmoredString(key).getBytes(StandardCharsets.UTF_8); nonSigningCert = sop.extractCert().key(nonSigningKey).getBytes(); @@ -48,7 +46,8 @@ public class IncapableKeysTest { .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Non Encryption ") - .build(); + .build() + .getPGPSecretKeyRing(); nonEncryptionKey = ArmorUtils.toAsciiArmoredString(key).getBytes(StandardCharsets.UTF_8); nonEncryptionCert = sop.extractCert().key(nonEncryptionKey).getBytes(); } diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java index baf595d3..cc6dd4dd 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java @@ -22,8 +22,6 @@ import sop.testsuite.operation.ChangeKeyPasswordTest; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.Iterator; import static org.junit.jupiter.api.Assertions.assertArrayEquals; @@ -32,12 +30,13 @@ public class PGPainlessChangeKeyPasswordTest extends ChangeKeyPasswordTest { @ParameterizedTest @MethodSource("provideInstances") - public void changePasswordOfKeyWithSeparateSubkeyPasswords(SOP sop) throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void changePasswordOfKeyWithSeparateSubkeyPasswords(SOP sop) throws IOException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build(); + .build() + .getPGPSecretKeyRing(); Iterator keys = secretKeys.getPublicKeys(); long primaryKeyId = keys.next().getKeyID(); long signingKeyId = keys.next().getKeyID(); From 95c475d1405994984aa497b0c134e34158205c24 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 10 Feb 2025 17:05:16 +0100 Subject: [PATCH 030/265] WIP: Transform Options and OpenPgpMessageInputStream --- .../java/org/gnupg/GnuPGDummyKeyUtil.java | 6 + .../main/kotlin/org/pgpainless/PGPainless.kt | 19 ++- .../OpenPGPCertificateExtensions.kt | 8 ++ .../extensions/OpenPGPKeyExtensions.kt | 8 ++ .../extensions/PGPSecretKeyRingExtensions.kt | 5 +- .../ConsumerOptions.kt | 55 +++++++-- .../MessageMetadata.kt | 15 ++- .../OpenPgpMessageInputStream.kt | 109 ++++++++++-------- .../key/protection/SecretKeyRingProtector.kt | 20 +++- .../protection/UnprotectedKeysProtector.kt | 13 ++- .../consumer/OnePassSignatureCheck.kt | 7 +- .../java/org/gnupg/GnuPGDummyKeyUtilTest.java | 53 +++++---- .../pgpainless/example/DecryptOrVerify.java | 24 ++-- 13 files changed, 231 insertions(+), 111 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java index 42af92d8..754ef3fa 100644 --- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java +++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java @@ -10,6 +10,7 @@ import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.bcpg.SecretSubkeyPacket; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.pgpainless.key.SubkeyIdentifier; import javax.annotation.Nonnull; @@ -60,6 +61,11 @@ public final class GnuPGDummyKeyUtil { return hardwareBackedKeys; } + public static Builder modify(@Nonnull OpenPGPKey key) + { + return modify(key.getPGPSecretKeyRing()); + } + /** * Modify the given {@link PGPSecretKeyRing}. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 04ae3481..47768dcb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -11,7 +11,10 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPApi +import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKeyReader import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter @@ -43,6 +46,14 @@ class PGPainless( fun generateKey(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingTemplates = KeyRingTemplates(version) + fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() + + fun toKey(secretKeyRing: PGPSecretKeyRing): OpenPGPKey = + OpenPGPKey(secretKeyRing, implementation) + + fun toCertificate(publicKeyRing: PGPPublicKeyRing): OpenPGPCertificate = + OpenPGPCertificate(publicKeyRing, implementation) + companion object { @Volatile private var instance: PGPainless? = null @@ -81,7 +92,9 @@ class PGPainless( * * @return builder */ - @JvmStatic fun readKeyRing() = KeyRingReader() + @Deprecated("Use readKey() instead.", replaceWith = ReplaceWith("readKey()")) + @JvmStatic + fun readKeyRing() = KeyRingReader() /** * Extract a public key certificate from a secret key. @@ -90,6 +103,7 @@ class PGPainless( * @return public key certificate */ @JvmStatic + @Deprecated("Use toKey() and then .toCertificate() instead.") fun extractCertificate(secretKey: PGPSecretKeyRing) = KeyRingUtils.publicKeyRingFrom(secretKey) @@ -190,6 +204,9 @@ class PGPainless( fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()) = KeyRingInfo(key, referenceTime) + fun inspectKeyRing(key: OpenPGPKey, referenceTime: Date = Date()) = + KeyRingInfo(key, getPolicy(), referenceTime) + /** * Access, and make changes to PGPainless policy on acceptable/default algorithms etc. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt new file mode 100644 index 00000000..31e4fae6 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt @@ -0,0 +1,8 @@ +package org.pgpainless.bouncycastle.extensions + +import org.bouncycastle.openpgp.PGPOnePassSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey + +fun OpenPGPCertificate.getSigningKeyFor(ops: PGPOnePassSignature): OpenPGPComponentKey? = + this.getKey(ops.keyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt new file mode 100644 index 00000000..c78a79db --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt @@ -0,0 +1,8 @@ +package org.pgpainless.bouncycastle.extensions + +import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey + +fun OpenPGPKey.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): OpenPGPSecretKey? = + this.getSecretKey(pkesk.keyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt index 99c562e6..53e7e0c5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt @@ -73,7 +73,4 @@ fun PGPSecretKeyRing.getSecretKeyFor(onePassSignature: PGPOnePassSignature): PGP this.getSecretKey(onePassSignature.keyID) fun PGPSecretKeyRing.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): PGPSecretKey? = - when (pkesk.version) { - 3 -> this.getSecretKey(pkesk.keyID) - else -> throw NotImplementedError("Version 6 PKESKs are not yet supported.") - } + this.getSecretKey(pkesk.keyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 39a4e8e4..de03b9d3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -4,11 +4,16 @@ package org.pgpainless.decryption_verification +import org.bouncycastle.bcpg.KeyIdentifier import java.io.IOException import java.io.InputStream import java.util.* import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory +import org.pgpainless.PGPainless import org.pgpainless.bouncycastle.extensions.getPublicKeyFor import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy @@ -19,7 +24,9 @@ import org.pgpainless.util.Passphrase import org.pgpainless.util.SessionKey /** Options for decryption and signature verification. */ -class ConsumerOptions { +class ConsumerOptions( + private val implementation: OpenPGPImplementation +) { private var ignoreMDCErrors = false var isDisableAsciiArmorCRC = false @@ -34,7 +41,7 @@ class ConsumerOptions { private var sessionKey: SessionKey? = null private val customDecryptorFactories = mutableMapOf() - private val decryptionKeys = mutableMapOf() + private val decryptionKeys = mutableMapOf() private val decryptionPassphrases = mutableSetOf() private var missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE private var multiPassStrategy: MultiPassStrategy = InMemoryMultiPassStrategy() @@ -65,6 +72,10 @@ class ConsumerOptions { fun getVerifyNotAfter() = verifyNotAfter + fun addVerificationCert(verificationCert: OpenPGPCertificate): ConsumerOptions = apply { + this.certificates.addCertificate(verificationCert) + } + /** * Add a certificate (public key ring) for signature verification. * @@ -155,6 +166,12 @@ class ConsumerOptions { fun getSessionKey() = sessionKey + @JvmOverloads + fun addDecryptionKey( + key: OpenPGPKey, + protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys() + ) = apply { decryptionKeys[key] = protector } + /** * Add a key for message decryption. If the key is encrypted, the [SecretKeyRingProtector] is * used to decrypt it when needed. @@ -167,7 +184,7 @@ class ConsumerOptions { fun addDecryptionKey( key: PGPSecretKeyRing, protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys() - ) = apply { decryptionKeys[key] = protector } + ) = addDecryptionKey(OpenPGPKey(key, implementation), protector) /** * Add the keys in the provided key collection for message decryption. @@ -270,7 +287,7 @@ class ConsumerOptions { * @param decryptionKeyRing secret key * @return protector for that particular secret key */ - fun getSecretKeyProtector(decryptionKeyRing: PGPSecretKeyRing): SecretKeyRingProtector? { + fun getSecretKeyProtector(decryptionKeyRing: OpenPGPKey): SecretKeyRingProtector? { return decryptionKeys[decryptionKeyRing] } @@ -378,14 +395,20 @@ class ConsumerOptions { * available signer certificates. */ class CertificateSource { - private val explicitCertificates: MutableSet = mutableSetOf() + private val explicitCertificates: MutableSet = mutableSetOf() /** * Add a certificate as verification cert explicitly. * * @param certificate certificate */ - fun addCertificate(certificate: PGPPublicKeyRing) { + fun addCertificate(certificate: PGPPublicKeyRing, + implementation: OpenPGPImplementation = PGPainless.getInstance().implementation + ) { + explicitCertificates.add(OpenPGPCertificate(certificate, implementation)) + } + + fun addCertificate(certificate: OpenPGPCertificate) { explicitCertificates.add(certificate) } @@ -394,7 +417,7 @@ class ConsumerOptions { * * @return explicitly set verification certs */ - fun getExplicitCertificates(): Set { + fun getExplicitCertificates(): Set { return explicitCertificates.toSet() } @@ -406,15 +429,23 @@ class ConsumerOptions { * @param keyId key id * @return certificate */ - fun getCertificate(keyId: Long): PGPPublicKeyRing? { - return explicitCertificates.firstOrNull { it.getPublicKey(keyId) != null } + fun getCertificate(keyId: Long): OpenPGPCertificate? { + return getCertificate(KeyIdentifier(keyId)) } - fun getCertificate(signature: PGPSignature): PGPPublicKeyRing? = - explicitCertificates.firstOrNull { it.getPublicKeyFor(signature) != null } + fun getCertificate(identifier: KeyIdentifier): OpenPGPCertificate? { + return explicitCertificates.firstOrNull { it.getKey(identifier) != null } + } + + fun getCertificate(signature: PGPSignature): OpenPGPCertificate? = + explicitCertificates.firstOrNull { it.getSigningKeyFor(signature) != null } } companion object { - @JvmStatic fun get() = ConsumerOptions() + @JvmStatic + @JvmOverloads + fun get( + implementation: OpenPGPImplementation = PGPainless.getInstance().implementation + ) = ConsumerOptions(implementation) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index f7238391..44321bb2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -4,10 +4,12 @@ package org.pgpainless.decryption_verification +import org.bouncycastle.bcpg.KeyIdentifier import java.util.* import javax.annotation.Nonnull import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPLiteralData +import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm @@ -47,9 +49,15 @@ class MessageMetadata(val message: Message) { if (encryptionAlgorithm == null) false else encryptionAlgorithm != SymmetricKeyAlgorithm.NULL - fun isEncryptedFor(keys: PGPKeyRing): Boolean { + fun isEncryptedFor(cert: OpenPGPCertificate): Boolean { return encryptionLayers.asSequence().any { - it.recipients.any { keyId -> keys.getPublicKey(keyId) != null } + it.recipients.any { keyId -> cert.getKey(KeyIdentifier(keyId)) != null } + } + } + + fun isEncryptedFor(cert: PGPKeyRing): Boolean { + return encryptionLayers.asSequence().any { + it.recipients.any { keyId -> cert.getPublicKey(keyId) != null } } } @@ -270,6 +278,9 @@ class MessageMetadata(val message: Message) { fun isVerifiedSignedBy(keys: PGPKeyRing) = verifiedSignatures.any { keys.matches(it.signingKey) } + fun isVerifiedSignedBy(cert: OpenPGPCertificate) = + verifiedSignatures.any { cert.pgpKeyRing.matches(it.signingKey) } + fun isVerifiedDetachedSignedBy(fingerprint: OpenPgpFingerprint) = verifiedDetachedSignatures.any { it.signingKey.matches(fingerprint) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 06018e06..b4957a75 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -18,6 +18,7 @@ import org.bouncycastle.openpgp.PGPCompressedData import org.bouncycastle.openpgp.PGPEncryptedData import org.bouncycastle.openpgp.PGPEncryptedDataList import org.bouncycastle.openpgp.PGPException +import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPBEEncryptedData import org.bouncycastle.openpgp.PGPPrivateKey @@ -27,6 +28,10 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory import org.bouncycastle.util.io.TeeInputStream @@ -37,6 +42,7 @@ import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.bouncycastle.extensions.getPublicKeyFor import org.pgpainless.bouncycastle.extensions.getSecretKeyFor +import org.pgpainless.bouncycastle.extensions.getSigningKeyFor import org.pgpainless.bouncycastle.extensions.issuerKeyId import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.decryption_verification.MessageMetadata.CompressedData @@ -66,6 +72,7 @@ import org.pgpainless.signature.consumer.SignatureValidator import org.pgpainless.util.ArmoredInputStreamFactory import org.pgpainless.util.SessionKey import org.slf4j.LoggerFactory +import kotlin.math.sign class OpenPgpMessageInputStream( type: Type, @@ -400,30 +407,33 @@ class OpenPgpMessageInputStream( } val postponedDueToMissingPassphrase = - mutableListOf>() + mutableListOf>() // try (known) secret keys esks.pkesks.forEach { pkesk -> - LOGGER.debug("Encountered PKESK for recipient ${pkesk.keyID.openPgpKeyId()}") + LOGGER.debug("Encountered PKESK for recipient ${pkesk.keyIdentifier}") val decryptionKeyCandidates = getDecryptionKeys(pkesk) for (decryptionKeys in decryptionKeyCandidates) { val secretKey = decryptionKeys.getSecretKeyFor(pkesk)!! - val decryptionKeyId = SubkeyIdentifier(decryptionKeys, secretKey.keyID) - if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) { + if (hasUnsupportedS2KSpecifier(secretKey)) { continue } - LOGGER.debug("Attempt decryption using secret key $decryptionKeyId") + LOGGER.debug("Attempt decryption using secret key ${decryptionKeys.keyIdentifier}") val protector = options.getSecretKeyProtector(decryptionKeys) ?: continue - if (!protector.hasPassphraseFor(secretKey.keyID)) { + if (!protector.hasPassphraseFor(secretKey.keyIdentifier)) { LOGGER.debug( - "Missing passphrase for key $decryptionKeyId. Postponing decryption until all other keys were tried.") + "Missing passphrase for key ${decryptionKeys.keyIdentifier}. Postponing decryption until all other keys were tried.") postponedDueToMissingPassphrase.add(secretKey to pkesk) continue } val privateKey = secretKey.unlock(protector) - if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) { + if (decryptWithPrivateKey( + esks, + privateKey, + SubkeyIdentifier(secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier), + pkesk)) { return true } } @@ -431,24 +441,27 @@ class OpenPgpMessageInputStream( // try anonymous secret keys for (pkesk in esks.anonPkesks) { - for ((decryptionKeys, secretKey) in findPotentialDecryptionKeys(pkesk)) { - val decryptionKeyId = SubkeyIdentifier(decryptionKeys, secretKey.keyID) - if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) { + for (decryptionKeys in findPotentialDecryptionKeys(pkesk)) { + if (hasUnsupportedS2KSpecifier(decryptionKeys)) { continue } - LOGGER.debug("Attempt decryption of anonymous PKESK with key $decryptionKeyId.") - val protector = options.getSecretKeyProtector(decryptionKeys) ?: continue + LOGGER.debug("Attempt decryption of anonymous PKESK with key $decryptionKeys.") + val protector = options.getSecretKeyProtector(decryptionKeys.openPGPKey) ?: continue - if (!protector.hasPassphraseFor(secretKey.keyID)) { + if (!protector.hasPassphraseFor(decryptionKeys.keyIdentifier)) { LOGGER.debug( - "Missing passphrase for key $decryptionKeyId. Postponing decryption until all other keys were tried.") - postponedDueToMissingPassphrase.add(secretKey to pkesk) + "Missing passphrase for key ${decryptionKeys.keyIdentifier}. Postponing decryption until all other keys were tried.") + postponedDueToMissingPassphrase.add(decryptionKeys to pkesk) continue } - val privateKey = secretKey.unlock(protector) - if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) { + val privateKey = decryptionKeys.unlock(protector) + if (decryptWithPrivateKey( + esks, + privateKey, + SubkeyIdentifier(decryptionKeys.openPGPKey.pgpSecretKeyRing, privateKey.keyIdentifier), + pkesk)) { return true } } @@ -463,10 +476,10 @@ class OpenPgpMessageInputStream( } else if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.INTERACTIVE) { for ((secretKey, pkesk) in postponedDueToMissingPassphrase) { - val keyId = secretKey.keyID + val keyId = secretKey.keyIdentifier val decryptionKeys = getDecryptionKey(pkesk)!! - val decryptionKeyId = SubkeyIdentifier(decryptionKeys, keyId) - if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) { + val decryptionKeyId = SubkeyIdentifier(decryptionKeys.pgpSecretKeyRing, keyId) + if (hasUnsupportedS2KSpecifier(secretKey)) { continue } @@ -489,24 +502,23 @@ class OpenPgpMessageInputStream( private fun decryptWithPrivateKey( esks: SortedESKs, - privateKey: PGPPrivateKey, + privateKey: PGPKeyPair, decryptionKeyId: SubkeyIdentifier, pkesk: PGPPublicKeyEncryptedData ): Boolean { val decryptorFactory = - ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey) + ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey.privateKey) return decryptPKESKAndStream(esks, decryptionKeyId, decryptorFactory, pkesk) } private fun hasUnsupportedS2KSpecifier( - secretKey: PGPSecretKey, - decryptionKeyId: SubkeyIdentifier + secretKey: OpenPGPSecretKey ): Boolean { - val s2k = secretKey.s2K + val s2k = secretKey.pgpSecretKey.s2K if (s2k != null) { if (s2k.type in 100..110) { LOGGER.debug( - "Skipping PKESK because key $decryptionKeyId has unsupported private S2K specifier ${s2k.type}") + "Skipping PKESK because key ${secretKey.keyIdentifier} has unsupported private S2K specifier ${s2k.type}") return true } } @@ -672,26 +684,26 @@ class OpenPgpMessageInputStream( return MessageMetadata((layerMetadata as Message)) } - private fun getDecryptionKey(keyId: Long): PGPSecretKeyRing? = + private fun getDecryptionKey(keyId: Long): OpenPGPKey? = options.getDecryptionKeys().firstOrNull { - it.any { k -> k.keyID == keyId } + it.pgpSecretKeyRing.any { k -> k.keyID == keyId } .and( PGPainless.inspectKeyRing(it).decryptionSubkeys.any { k -> k.keyIdentifier.keyId == keyId }) } - private fun getDecryptionKey(pkesk: PGPPublicKeyEncryptedData): PGPSecretKeyRing? = + private fun getDecryptionKey(pkesk: PGPPublicKeyEncryptedData): OpenPGPKey? = options.getDecryptionKeys().firstOrNull { - it.getSecretKeyFor(pkesk) != null && + it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && PGPainless.inspectKeyRing(it).decryptionSubkeys.any { subkey -> pkesk.keyIdentifier.matches(subkey.keyIdentifier) } } - private fun getDecryptionKeys(pkesk: PGPPublicKeyEncryptedData): List = + private fun getDecryptionKeys(pkesk: PGPPublicKeyEncryptedData): List = options.getDecryptionKeys().filter { - it.getSecretKeyFor(pkesk) != null && + it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && PGPainless.inspectKeyRing(it).decryptionSubkeys.any { subkey -> pkesk.keyIdentifier.matches(subkey.keyIdentifier) } @@ -699,15 +711,15 @@ class OpenPgpMessageInputStream( private fun findPotentialDecryptionKeys( pkesk: PGPPublicKeyEncryptedData - ): List> { + ): List { val algorithm = pkesk.algorithm - val candidates = mutableListOf>() + val candidates = mutableListOf() options.getDecryptionKeys().forEach { val info = PGPainless.inspectKeyRing(it) for (key in info.decryptionSubkeys) { if (key.pgpPublicKey.algorithm == algorithm && info.isSecretKeyAvailable(key.keyIdentifier)) { - candidates.add(it to it.getSecretKey(key.keyIdentifier)) + candidates.add(it.getSecretKey(key.keyIdentifier)) } } } @@ -753,8 +765,8 @@ class OpenPgpMessageInputStream( } private class Signatures(val options: ConsumerOptions) : OutputStream() { - val detachedSignatures = mutableListOf() - val prependedSignatures = mutableListOf() + val detachedSignatures = mutableListOf() + val prependedSignatures = mutableListOf() val onePassSignatures = mutableListOf() val opsUpdateStack = ArrayDeque>() var literalOPS = mutableListOf() @@ -798,22 +810,21 @@ class OpenPgpMessageInputStream( } } - fun initializeSignature(signature: PGPSignature): SignatureCheck? { + fun initializeSignature(signature: PGPSignature): OpenPGPDocumentSignature? { val certificate = findCertificate(signature) ?: return null - val publicKey = certificate.getPublicKeyFor(signature) ?: return null - val verifierKey = SubkeyIdentifier(certificate, publicKey.keyID) - initialize(signature, publicKey) - return SignatureCheck(signature, certificate, verifierKey) + val publicKey = certificate.getSigningKeyFor(signature) ?: return null + initialize(signature, publicKey.pgpPublicKey) + return OpenPGPDocumentSignature(signature, publicKey) } fun addOnePassSignature(signature: PGPOnePassSignature) { val certificate = findCertificate(signature) if (certificate != null) { - val publicKey = certificate.getPublicKeyFor(signature) + val publicKey = certificate.getSigningKeyFor(signature) if (publicKey != null) { val ops = OnePassSignatureCheck(signature, certificate) - initialize(signature, publicKey) + initialize(signature, publicKey.pgpPublicKey) onePassSignatures.add(ops) literalOPS.add(ops) } @@ -844,7 +855,7 @@ class OpenPgpMessageInputStream( val verification = SignatureVerification( signature, - SubkeyIdentifier(check.verificationKeys, check.onePassSignature.keyID)) + SubkeyIdentifier(check.verificationKeys.pgpPublicKeyRing, check.onePassSignature.keyIdentifier)) try { SignatureValidator.signatureWasCreatedInBounds( @@ -882,7 +893,7 @@ class OpenPgpMessageInputStream( opsUpdateStack.removeFirst() } - private fun findCertificate(signature: PGPSignature): PGPPublicKeyRing? { + private fun findCertificate(signature: PGPSignature): OpenPGPCertificate? { val cert = options.getCertificateSource().getCertificate(signature) if (cert != null) { return cert @@ -896,7 +907,7 @@ class OpenPgpMessageInputStream( return null // TODO: Missing cert for sig } - private fun findCertificate(signature: PGPOnePassSignature): PGPPublicKeyRing? { + private fun findCertificate(signature: PGPOnePassSignature): OpenPGPCertificate? { val cert = options.getCertificateSource().getCertificate(signature.keyID) if (cert != null) { return cert @@ -977,7 +988,7 @@ class OpenPgpMessageInputStream( for (prepended in prependedSignatures) { val verification = - SignatureVerification(prepended.signature, prepended.signingKeyIdentifier) + SignatureVerification(prepended.signature, prepended.keyIdentifier) try { SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt index 5e86d950..373c964c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt @@ -4,15 +4,17 @@ package org.pgpainless.key.protection -import kotlin.jvm.Throws +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.KeyPassphraseProvider import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider import org.pgpainless.util.Passphrase +import kotlin.Throws /** * Task of the [SecretKeyRingProtector] is to map encryptor/decryptor objects to key-ids. @@ -22,7 +24,7 @@ import org.pgpainless.util.Passphrase * While it is easy to create an implementation of this interface that fits your needs, there are a * bunch of implementations ready for use. */ -interface SecretKeyRingProtector { +interface SecretKeyRingProtector : KeyPassphraseProvider { /** * Returns true, if the protector has a passphrase for the key with the given key-id. @@ -30,7 +32,9 @@ interface SecretKeyRingProtector { * @param keyId key id * @return true if it has a passphrase, false otherwise */ - fun hasPassphraseFor(keyId: Long): Boolean + fun hasPassphraseFor(keyId: Long): Boolean = hasPassphraseFor(KeyIdentifier(keyId)) + + fun hasPassphraseFor(keyIdentifier: KeyIdentifier): Boolean /** * Return a decryptor for the key of id `keyId`. This method returns null if the key is @@ -39,7 +43,10 @@ interface SecretKeyRingProtector { * @param keyId id of the key * @return decryptor for the key */ - @Throws(PGPException::class) fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? + @Throws(PGPException::class) fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = + getDecryptor(KeyIdentifier(keyId)) + + @Throws(PGPException::class) fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? /** * Return an encryptor for the key of id `keyId`. This method returns null if the key is @@ -48,7 +55,10 @@ interface SecretKeyRingProtector { * @param keyId id of the key * @return encryptor for the key */ - @Throws(PGPException::class) fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? + @Throws(PGPException::class) fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? = + getEncryptor(KeyIdentifier(keyId)) + + @Throws(PGPException::class) fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt index a25bb31a..8d81973d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt @@ -3,14 +3,21 @@ // SPDX-License-Identifier: Apache-2.0 package org.pgpainless.key.protection +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor +import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor + /** * Implementation of the [SecretKeyRingProtector] which assumes that all handled keys are not * password protected. */ class UnprotectedKeysProtector : SecretKeyRingProtector { - override fun hasPassphraseFor(keyId: Long) = true + override fun hasPassphraseFor(keyIdentifier: KeyIdentifier): Boolean = true - override fun getDecryptor(keyId: Long) = null + override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = null - override fun getEncryptor(keyId: Long) = null + override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? = null + + override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey?): CharArray? = null } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt index 4a89e0b2..59d65cdb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt @@ -7,6 +7,9 @@ package org.pgpainless.signature.consumer import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.pgpainless.bouncycastle.extensions.getSigningKeyFor import org.pgpainless.key.SubkeyIdentifier /** @@ -20,7 +23,7 @@ import org.pgpainless.key.SubkeyIdentifier */ data class OnePassSignatureCheck( val onePassSignature: PGPOnePassSignature, - val verificationKeys: PGPPublicKeyRing, + val verificationKeys: OpenPGPCertificate, var signature: PGPSignature? = null ) { @@ -30,5 +33,5 @@ data class OnePassSignatureCheck( * @return signing key fingerprint */ val signingKey: SubkeyIdentifier - get() = SubkeyIdentifier(verificationKeys, onePassSignature.keyID) + get() = SubkeyIdentifier(verificationKeys.pgpPublicKeyRing, onePassSignature.keyID) } diff --git a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java index 87c5b02e..51a6c4c5 100644 --- a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java +++ b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java @@ -17,6 +17,8 @@ import org.bouncycastle.bcpg.S2K; import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPKeyReader; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.SubkeyIdentifier; @@ -178,8 +180,9 @@ public class GnuPGDummyKeyUtilTest { @Test public void testMoveAllKeysToCard() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ALL_KEYS_ON_CARD); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + OpenPGPKey expected = reader.parseKey(ALL_KEYS_ON_CARD); PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys) .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any(), cardSerial); @@ -190,46 +193,50 @@ public class GnuPGDummyKeyUtilTest { assertEquals(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD, s2K.getProtectionMode()); } - assertArrayEquals(expected.getEncoded(), onCard.getEncoded()); + assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), onCard.getEncoded()); } @Test public void testMovePrimaryKeyToCard() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(PRIMARY_KEY_ON_CARD); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + OpenPGPKey expected = reader.parseKey(PRIMARY_KEY_ON_CARD); PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys) .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(primaryKeyId), cardSerial); - assertArrayEquals(expected.getEncoded(), onCard.getEncoded()); + assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), onCard.getEncoded()); } @Test public void testMoveEncryptionKeyToCard() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_KEY_ON_CARD); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + OpenPGPKey expected = reader.parseKey(ENCRYPTION_KEY_ON_CARD); PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys) .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(encryptionKeyId), cardSerial); - assertArrayEquals(expected.getEncoded(), onCard.getEncoded()); + assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), onCard.getEncoded()); } @Test public void testMoveSigningKeyToCard() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(SIGNATURE_KEY_ON_CARD); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + OpenPGPKey expected = reader.parseKey(SIGNATURE_KEY_ON_CARD); PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys) .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(signatureKeyId), cardSerial); - assertArrayEquals(expected.getEncoded(), onCard.getEncoded()); + assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), onCard.getEncoded()); } @Test public void testRemoveAllKeys() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ALL_KEYS_REMOVED); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + OpenPGPKey expected = reader.parseKey(ALL_KEYS_REMOVED); PGPSecretKeyRing removedSecretKeys = GnuPGDummyKeyUtil.modify(secretKeys) .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any()); @@ -240,33 +247,35 @@ public class GnuPGDummyKeyUtilTest { assertEquals(GnuPGDummyExtension.NO_PRIVATE_KEY.getId(), s2k.getProtectionMode()); } - assertArrayEquals(expected.getEncoded(), removedSecretKeys.getEncoded()); + assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), removedSecretKeys.getEncoded()); } @Test public void testGetSingleIdOfHardwareBackedKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - assertTrue(GnuPGDummyKeyUtil.getIdsOfKeysWithGnuPGS2KDivertedToCard(secretKeys).isEmpty()); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + assertTrue(GnuPGDummyKeyUtil.getIdsOfKeysWithGnuPGS2KDivertedToCard(secretKeys.getPGPSecretKeyRing()).isEmpty()); PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys) .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(encryptionKeyId)); Set hardwareBackedKeys = GnuPGDummyKeyUtil .getIdsOfKeysWithGnuPGS2KDivertedToCard(withHardwareBackedEncryptionKey); - assertEquals(Collections.singleton(new SubkeyIdentifier(secretKeys, encryptionKeyId)), hardwareBackedKeys); + assertEquals(Collections.singleton(new SubkeyIdentifier(secretKeys.getPGPSecretKeyRing(), encryptionKeyId)), hardwareBackedKeys); } @Test public void testGetIdsOfFullyHardwareBackedKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY); - assertTrue(GnuPGDummyKeyUtil.getIdsOfKeysWithGnuPGS2KDivertedToCard(secretKeys).isEmpty()); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + assertTrue(GnuPGDummyKeyUtil.getIdsOfKeysWithGnuPGS2KDivertedToCard(secretKeys.getPGPSecretKeyRing()).isEmpty()); PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys) .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any()); Set expected = new HashSet<>(); - for (PGPSecretKey key : secretKeys) { - expected.add(new SubkeyIdentifier(secretKeys, key.getKeyID())); + for (PGPSecretKey key : secretKeys.getPGPSecretKeyRing()) { + expected.add(new SubkeyIdentifier(secretKeys.getPGPSecretKeyRing(), key.getKeyID())); } Set hardwareBackedKeys = GnuPGDummyKeyUtil diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java index c35b3572..a7e9cb5a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java @@ -15,8 +15,9 @@ import java.io.IOException; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPKeyReader; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -134,15 +135,16 @@ public class DecryptOrVerify { "=9PiO\n" + "-----END PGP MESSAGE-----"; - private static PGPSecretKeyRing secretKey; - private static PGPPublicKeyRing certificate; + private static OpenPGPKey secretKey; + private static OpenPGPCertificate certificate; @BeforeAll public static void prepare() throws IOException { + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); // read the secret key - secretKey = PGPainless.readKeyRing().secretKeyRing(KEY); + secretKey = reader.parseKey(KEY); // certificate is the public part of the key - certificate = PGPainless.extractCertificate(secretKey); + certificate = secretKey.toCertificate(); } /** @@ -153,7 +155,7 @@ public class DecryptOrVerify { */ @Test public void decryptMessage() throws PGPException, IOException { - ConsumerOptions consumerOptions = new ConsumerOptions() + ConsumerOptions consumerOptions = ConsumerOptions.get() .addDecryptionKey(secretKey, keyProtector); // add the decryption key ring ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream(); @@ -186,7 +188,7 @@ public class DecryptOrVerify { */ @Test public void decryptMessageAndVerifySignatures() throws PGPException, IOException { - ConsumerOptions consumerOptions = new ConsumerOptions() + ConsumerOptions consumerOptions = ConsumerOptions.get() .addDecryptionKey(secretKey, keyProtector) // provide the secret key of the recipient for decryption .addVerificationCert(certificate); // provide the signers public key for signature verification @@ -218,7 +220,7 @@ public class DecryptOrVerify { */ @Test public void verifySignatures() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(certificate); // provide the signers certificate for verification of signatures for (String signed : new String[] {INBAND_SIGNED, CLEARTEXT_SIGNED}) { @@ -257,7 +259,7 @@ public class DecryptOrVerify { SigningOptions signingOptions = SigningOptions.get(); // for cleartext signed messages, we need to add a detached signature... - signingOptions.addDetachedSignature(keyProtector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT); + signingOptions.addDetachedSignature(keyProtector, secretKey.getPGPSecretKeyRing(), DocumentSignatureType.CANONICAL_TEXT_DOCUMENT); ProducerOptions producerOptions = ProducerOptions.sign(signingOptions) .setCleartextSigned(); // and declare that the message will be cleartext signed @@ -279,7 +281,7 @@ public class DecryptOrVerify { // and pass it to the decryption stream DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(signedIn) - .withOptions(new ConsumerOptions().addVerificationCert(certificate)); + .withOptions(ConsumerOptions.get().addVerificationCert(certificate)); // plain will receive the plaintext message ByteArrayOutputStream plain = new ByteArrayOutputStream(); From 504939d82b2f09fd9e83fd190833e070d2f2e7ec Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 11 Feb 2025 16:17:48 +0100 Subject: [PATCH 031/265] Even more migration and code compiles again --- .../RoundTripEncryptDecryptCmdTest.java | 3 +- .../java/org/gnupg/GnuPGDummyKeyUtil.java | 3 +- .../exception/WrongPassphraseException.java | 7 +- .../extensions/PGPKeyRingExtensions.kt | 9 +++ .../extensions/PGPSecretKeyRingExtensions.kt | 10 +++ .../ConsumerOptions.kt | 22 +++-- .../MessageMetadata.kt | 2 +- .../MissingPublicKeyCallback.kt | 9 ++- .../OpenPgpMessageInputStream.kt | 81 +++++++++---------- .../org/pgpainless/key/OpenPgpFingerprint.kt | 3 + .../pgpainless/key/OpenPgpV4Fingerprint.kt | 3 + .../pgpainless/key/OpenPgpV5Fingerprint.kt | 3 + .../org/pgpainless/key/SubkeyIdentifier.kt | 7 ++ .../org/pgpainless/key/_64DigitFingerprint.kt | 3 + .../secretkeyring/SecretKeyRingEditor.kt | 13 +-- .../SecretKeyRingEditorInterface.kt | 36 +++++---- .../protection/BaseSecretKeyRingProtector.kt | 20 ++++- .../CachingSecretKeyRingProtector.kt | 75 +++++++++++------ .../PasswordBasedSecretKeyRingProtector.kt | 21 ++--- .../key/protection/SecretKeyRingProtector.kt | 31 ++++--- .../MapBasedPassphraseProvider.kt | 9 ++- .../SecretKeyPassphraseProvider.kt | 11 ++- .../SolitaryPassphraseProvider.kt | 5 +- .../org/pgpainless/key/util/KeyRingUtils.kt | 5 +- .../consumer/CertificateValidator.kt | 7 +- .../consumer/OnePassSignatureCheck.kt | 2 - ...vestigateMultiSEIPMessageHandlingTest.java | 12 +-- ...artialLengthLiteralDataRegressionTest.java | 2 +- .../org/bouncycastle/AsciiArmorCRCTests.java | 2 +- .../DecryptAndVerifyMessageTest.java | 6 +- .../DecryptHiddenRecipientMessageTest.java | 2 +- .../IgnoreUnknownSignatureVersionsTest.java | 2 +- .../MissingPassphraseForDecryptionTest.java | 10 ++- ...tionUsingKeyWithMissingPassphraseTest.java | 21 ++--- ...ntDecryptionUsingNonEncryptionKeyTest.java | 6 +- ...ificationWithoutCertIsStillSignedTest.java | 2 +- .../VerifyDetachedSignatureTest.java | 4 +- .../VerifyNotBeforeNotAfterTest.java | 20 ++--- .../VerifyVersion3SignaturePacketTest.java | 2 +- ...erifyWithMissingPublicKeyCallbackTest.java | 23 +++--- .../ChangeSecretKeyRingPassphraseTest.java | 4 +- .../CachingSecretKeyRingProtectorTest.java | 16 ++-- .../MapBasedPassphraseProviderTest.java | 11 +-- .../PassphraseProtectedKeyTest.java | 14 ++-- .../SecretKeyRingProtectorTest.java | 14 ++-- .../UnprotectedKeysProtectorTest.java | 5 +- ...ultiPassphraseSymmetricEncryptionTest.java | 2 +- .../SymmetricEncryptionTest.java | 6 +- .../sop/MatchMakingSecretKeyRingProtector.kt | 20 +++-- .../PGPainlessChangeKeyPasswordTest.java | 7 +- 50 files changed, 368 insertions(+), 245 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java index 9d3b3b9d..e4fd9e0c 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java @@ -14,7 +14,6 @@ import java.io.IOException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; @@ -135,7 +134,7 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { } @Test - @Disabled("Disabled, since we now read certificates from secret keys") + // @Disabled("Disabled, since we now read certificates from secret keys") public void testEncryptingForKeyFails() throws IOException { File notACert = writeFile("key.asc", KEY); diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java index 754ef3fa..48390c59 100644 --- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java +++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java @@ -61,8 +61,7 @@ public final class GnuPGDummyKeyUtil { return hardwareBackedKeys; } - public static Builder modify(@Nonnull OpenPGPKey key) - { + public static Builder modify(@Nonnull OpenPGPKey key) { return modify(key.getPGPSecretKeyRing()); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java index 409db3e2..d039ca6a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java @@ -4,6 +4,7 @@ package org.pgpainless.exception; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; public class WrongPassphraseException extends PGPException { @@ -13,7 +14,11 @@ public class WrongPassphraseException extends PGPException { } public WrongPassphraseException(long keyId, PGPException cause) { - this("Wrong passphrase provided for key " + Long.toHexString(keyId), cause); + this(new KeyIdentifier(keyId), cause); + } + + public WrongPassphraseException(KeyIdentifier keyIdentifier, PGPException cause) { + this("Wrong passphrase provided for key " + keyIdentifier, cause); } public WrongPassphraseException(String message, PGPException cause) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt index 7126db66..5727ee7c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt @@ -9,6 +9,8 @@ import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.PGPainless import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.SubkeyIdentifier @@ -72,3 +74,10 @@ val PGPKeyRing.openPgpFingerprint: OpenPgpFingerprint /** Return this OpenPGP key as an ASCII armored String. */ fun PGPKeyRing.toAsciiArmor(): String = PGPainless.asciiArmor(this) + +@Deprecated("Use toOpenPGPCertificate(implementation) instead.") +fun PGPKeyRing.toOpenPGPCertificate(): OpenPGPCertificate = + toOpenPGPCertificate(PGPainless.getInstance().implementation) + +fun PGPKeyRing.toOpenPGPCertificate(implementation: OpenPGPImplementation): OpenPGPCertificate = + OpenPGPCertificate(this, implementation) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt index 53e7e0c5..90c67236 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt @@ -6,6 +6,9 @@ package org.pgpainless.bouncycastle.extensions import openpgp.openPgpKeyId import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.PGPainless import org.pgpainless.key.OpenPgpFingerprint /** OpenPGP certificate containing the public keys of this OpenPGP key. */ @@ -74,3 +77,10 @@ fun PGPSecretKeyRing.getSecretKeyFor(onePassSignature: PGPOnePassSignature): PGP fun PGPSecretKeyRing.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): PGPSecretKey? = this.getSecretKey(pkesk.keyIdentifier) + +@Deprecated("Use toOpenPGPKey(implementation) instead.") +fun PGPSecretKeyRing.toOpenPGPKey(): OpenPGPKey = + toOpenPGPKey(PGPainless.getInstance().implementation) + +fun PGPSecretKeyRing.toOpenPGPKey(implementation: OpenPGPImplementation): OpenPGPKey = + OpenPGPKey(this, implementation) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index de03b9d3..363bc7fa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -4,17 +4,16 @@ package org.pgpainless.decryption_verification -import org.bouncycastle.bcpg.KeyIdentifier import java.io.IOException import java.io.InputStream import java.util.* +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory import org.pgpainless.PGPainless -import org.pgpainless.bouncycastle.extensions.getPublicKeyFor import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy import org.pgpainless.key.SubkeyIdentifier @@ -24,9 +23,7 @@ import org.pgpainless.util.Passphrase import org.pgpainless.util.SessionKey /** Options for decryption and signature verification. */ -class ConsumerOptions( - private val implementation: OpenPGPImplementation -) { +class ConsumerOptions { private var ignoreMDCErrors = false var isDisableAsciiArmorCRC = false @@ -183,7 +180,8 @@ class ConsumerOptions( @JvmOverloads fun addDecryptionKey( key: PGPSecretKeyRing, - protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys() + protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys(), + implementation: OpenPGPImplementation = PGPainless.getInstance().implementation ) = addDecryptionKey(OpenPGPKey(key, implementation), protector) /** @@ -402,8 +400,10 @@ class ConsumerOptions( * * @param certificate certificate */ - fun addCertificate(certificate: PGPPublicKeyRing, - implementation: OpenPGPImplementation = PGPainless.getInstance().implementation + @JvmOverloads + fun addCertificate( + certificate: PGPPublicKeyRing, + implementation: OpenPGPImplementation = PGPainless.getInstance().implementation ) { explicitCertificates.add(OpenPGPCertificate(certificate, implementation)) } @@ -442,10 +442,6 @@ class ConsumerOptions( } companion object { - @JvmStatic - @JvmOverloads - fun get( - implementation: OpenPGPImplementation = PGPainless.getInstance().implementation - ) = ConsumerOptions(implementation) + @JvmStatic fun get() = ConsumerOptions() } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index 44321bb2..79a0ca98 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -4,9 +4,9 @@ package org.pgpainless.decryption_verification -import org.bouncycastle.bcpg.KeyIdentifier import java.util.* import javax.annotation.Nonnull +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPLiteralData import org.bouncycastle.openpgp.api.OpenPGPCertificate diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt index eb81847f..9da5eb06 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt @@ -4,7 +4,8 @@ package org.pgpainless.decryption_verification -import org.bouncycastle.openpgp.PGPPublicKeyRing +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.api.OpenPGPCertificate fun interface MissingPublicKeyCallback { @@ -14,14 +15,14 @@ fun interface MissingPublicKeyCallback { * here. PGPainless will then continue verification with the next signature. * * Note: The key-id might belong to a subkey, so be aware that when looking up the - * [PGPPublicKeyRing], you may not only search for the key-id on the key rings primary key! + * [OpenPGPCertificate], you may not only search for the key-id on the key rings primary key! * * It would be super cool to provide the OpenPgp fingerprint here, but unfortunately * one-pass-signatures only contain the key id. * - * @param keyId ID of the missing signing (sub)key + * @param keyIdentifier ID of the missing signing (sub)key * @return keyring containing the key or null * @see RFC */ - fun onMissingPublicKeyEncountered(keyId: Long): PGPPublicKeyRing? + fun onMissingPublicKeyEncountered(keyIdentifier: KeyIdentifier): OpenPGPCertificate? } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index b4957a75..d193003f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -21,12 +21,8 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPKeyPair import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPBEEncryptedData -import org.bouncycastle.openpgp.PGPPrivateKey import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData -import org.bouncycastle.openpgp.PGPPublicKeyRing -import org.bouncycastle.openpgp.PGPSecretKey -import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPKey @@ -40,11 +36,9 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.OpenPgpPacket import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.bouncycastle.extensions.getPublicKeyFor import org.pgpainless.bouncycastle.extensions.getSecretKeyFor import org.pgpainless.bouncycastle.extensions.getSigningKeyFor import org.pgpainless.bouncycastle.extensions.issuerKeyId -import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.decryption_verification.MessageMetadata.CompressedData import org.pgpainless.decryption_verification.MessageMetadata.EncryptedData import org.pgpainless.decryption_verification.MessageMetadata.Layer @@ -61,18 +55,16 @@ import org.pgpainless.exception.MissingDecryptionMethodException import org.pgpainless.exception.MissingPassphraseException import org.pgpainless.exception.SignatureValidationException import org.pgpainless.exception.UnacceptableAlgorithmException +import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.SubkeyIdentifier -import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.policy.Policy import org.pgpainless.signature.consumer.CertificateValidator import org.pgpainless.signature.consumer.OnePassSignatureCheck -import org.pgpainless.signature.consumer.SignatureCheck import org.pgpainless.signature.consumer.SignatureValidator import org.pgpainless.util.ArmoredInputStreamFactory import org.pgpainless.util.SessionKey import org.slf4j.LoggerFactory -import kotlin.math.sign class OpenPgpMessageInputStream( type: Type, @@ -430,10 +422,11 @@ class OpenPgpMessageInputStream( val privateKey = secretKey.unlock(protector) if (decryptWithPrivateKey( - esks, - privateKey, - SubkeyIdentifier(secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier), - pkesk)) { + esks, + privateKey, + SubkeyIdentifier( + secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier), + pkesk)) { return true } } @@ -441,27 +434,24 @@ class OpenPgpMessageInputStream( // try anonymous secret keys for (pkesk in esks.anonPkesks) { - for (decryptionKeys in findPotentialDecryptionKeys(pkesk)) { - if (hasUnsupportedS2KSpecifier(decryptionKeys)) { + for (decryptionKey in findPotentialDecryptionKeys(pkesk)) { + if (hasUnsupportedS2KSpecifier(decryptionKey)) { continue } - LOGGER.debug("Attempt decryption of anonymous PKESK with key $decryptionKeys.") - val protector = options.getSecretKeyProtector(decryptionKeys.openPGPKey) ?: continue + LOGGER.debug("Attempt decryption of anonymous PKESK with key $decryptionKey.") + val protector = options.getSecretKeyProtector(decryptionKey.openPGPKey) ?: continue - if (!protector.hasPassphraseFor(decryptionKeys.keyIdentifier)) { + if (!protector.hasPassphraseFor(decryptionKey.keyIdentifier)) { LOGGER.debug( - "Missing passphrase for key ${decryptionKeys.keyIdentifier}. Postponing decryption until all other keys were tried.") - postponedDueToMissingPassphrase.add(decryptionKeys to pkesk) + "Missing passphrase for key ${decryptionKey.keyIdentifier}. Postponing decryption until all other keys were tried.") + postponedDueToMissingPassphrase.add(decryptionKey to pkesk) continue } - val privateKey = decryptionKeys.unlock(protector) + val privateKey = decryptionKey.unlock(protector) if (decryptWithPrivateKey( - esks, - privateKey, - SubkeyIdentifier(decryptionKeys.openPGPKey.pgpSecretKeyRing, privateKey.keyIdentifier), - pkesk)) { + esks, privateKey, SubkeyIdentifier(decryptionKey), pkesk)) { return true } } @@ -471,7 +461,7 @@ class OpenPgpMessageInputStream( MissingKeyPassphraseStrategy.THROW_EXCEPTION) { // Non-interactive mode: Throw an exception with all locked decryption keys postponedDueToMissingPassphrase - .map { SubkeyIdentifier(getDecryptionKey(it.first.keyID)!!, it.first.keyID) } + .map { SubkeyIdentifier(it.first) } .also { if (it.isNotEmpty()) throw MissingPassphraseException(it.toSet()) } } else if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.INTERACTIVE) { @@ -486,7 +476,12 @@ class OpenPgpMessageInputStream( LOGGER.debug( "Attempt decryption with key $decryptionKeyId while interactively requesting its passphrase.") val protector = options.getSecretKeyProtector(decryptionKeys) ?: continue - val privateKey = secretKey.unlock(protector) + val privateKey = + try { + secretKey.unlock(protector) + } catch (e: PGPException) { + throw WrongPassphraseException(secretKey.keyIdentifier, e) + } if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) { return true } @@ -507,13 +502,12 @@ class OpenPgpMessageInputStream( pkesk: PGPPublicKeyEncryptedData ): Boolean { val decryptorFactory = - ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey.privateKey) + ImplementationFactory.getInstance() + .getPublicKeyDataDecryptorFactory(privateKey.privateKey) return decryptPKESKAndStream(esks, decryptionKeyId, decryptorFactory, pkesk) } - private fun hasUnsupportedS2KSpecifier( - secretKey: OpenPGPSecretKey - ): Boolean { + private fun hasUnsupportedS2KSpecifier(secretKey: OpenPGPSecretKey): Boolean { val s2k = secretKey.pgpSecretKey.s2K if (s2k != null) { if (s2k.type in 100..110) { @@ -686,7 +680,8 @@ class OpenPgpMessageInputStream( private fun getDecryptionKey(keyId: Long): OpenPGPKey? = options.getDecryptionKeys().firstOrNull { - it.pgpSecretKeyRing.any { k -> k.keyID == keyId } + it.pgpSecretKeyRing + .any { k -> k.keyID == keyId } .and( PGPainless.inspectKeyRing(it).decryptionSubkeys.any { k -> k.keyIdentifier.keyId == keyId @@ -855,7 +850,9 @@ class OpenPgpMessageInputStream( val verification = SignatureVerification( signature, - SubkeyIdentifier(check.verificationKeys.pgpPublicKeyRing, check.onePassSignature.keyIdentifier)) + SubkeyIdentifier( + check.verificationKeys.pgpPublicKeyRing, + check.onePassSignature.keyIdentifier)) try { SignatureValidator.signatureWasCreatedInBounds( @@ -902,13 +899,13 @@ class OpenPgpMessageInputStream( if (options.getMissingCertificateCallback() != null) { return options .getMissingCertificateCallback()!! - .onMissingPublicKeyEncountered(signature.keyID) + .onMissingPublicKeyEncountered(signature.keyIdentifiers.first()) } return null // TODO: Missing cert for sig } private fun findCertificate(signature: PGPOnePassSignature): OpenPGPCertificate? { - val cert = options.getCertificateSource().getCertificate(signature.keyID) + val cert = options.getCertificateSource().getCertificate(signature.keyIdentifier) if (cert != null) { return cert } @@ -916,7 +913,7 @@ class OpenPgpMessageInputStream( if (options.getMissingCertificateCallback() != null) { return options .getMissingCertificateCallback()!! - .onMissingPublicKeyEncountered(signature.keyID) + .onMissingPublicKeyEncountered(signature.keyIdentifier) } return null // TODO: Missing cert for sig } @@ -968,15 +965,13 @@ class OpenPgpMessageInputStream( fun finish(layer: Layer, policy: Policy) { for (detached in detachedSignatures) { val verification = - SignatureVerification(detached.signature, detached.signingKeyIdentifier) + SignatureVerification(detached.signature, SubkeyIdentifier(detached.issuer)) try { SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) .verify(detached.signature) CertificateValidator.validateCertificateAndVerifyInitializedSignature( - detached.signature, - KeyRingUtils.publicKeys(detached.signingKeyRing), - policy) + detached.signature, detached.issuerCertificate.pgpPublicKeyRing, policy) LOGGER.debug("Acceptable signature by key ${verification.signingKey}") layer.addVerifiedDetachedSignature(verification) } catch (e: SignatureValidationException) { @@ -988,15 +983,13 @@ class OpenPgpMessageInputStream( for (prepended in prependedSignatures) { val verification = - SignatureVerification(prepended.signature, prepended.keyIdentifier) + SignatureVerification(prepended.signature, SubkeyIdentifier(prepended.issuer)) try { SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) .verify(prepended.signature) CertificateValidator.validateCertificateAndVerifyInitializedSignature( - prepended.signature, - KeyRingUtils.publicKeys(prepended.signingKeyRing), - policy) + prepended.signature, prepended.issuerCertificate.pgpPublicKeyRing, policy) LOGGER.debug("Acceptable signature by key ${verification.signingKey}") layer.addVerifiedPrependedSignature(verification) } catch (e: SignatureValidationException) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt index 9a2f1f7b..679df490 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt @@ -5,6 +5,7 @@ package org.pgpainless.key import java.nio.charset.Charset +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey @@ -55,6 +56,8 @@ abstract class OpenPgpFingerprint : CharSequence, Comparable constructor(keys: PGPKeyRing) : this(keys.publicKey) + abstract val keyIdentifier: KeyIdentifier + /** * Check, whether the fingerprint consists of 40 valid hexadecimal characters. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt index e02f0ae7..4d05c4f9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt @@ -8,6 +8,7 @@ import java.net.URI import java.nio.Buffer import java.nio.ByteBuffer import java.nio.charset.Charset +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey @@ -39,6 +40,8 @@ class OpenPgpV4Fingerprint : OpenPgpFingerprint { return buf.getLong() } + override val keyIdentifier: KeyIdentifier = KeyIdentifier(bytes) + override fun isValid(fingerprint: String): Boolean { return fingerprint.matches("^[0-9A-F]{40}$".toRegex()) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt index 7bc36cc9..df62ddef 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt @@ -4,6 +4,7 @@ package org.pgpainless.key +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey @@ -24,4 +25,6 @@ class OpenPgpV5Fingerprint : _64DigitFingerprint { override fun getVersion(): Int { return 5 } + + override val keyIdentifier: KeyIdentifier = KeyIdentifier(bytes) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index 56307873..0ee58cc6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -7,6 +7,7 @@ package org.pgpainless.key import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey /** * Tuple class used to identify a subkey by fingerprints of the primary key of the subkeys key ring, @@ -25,6 +26,12 @@ class SubkeyIdentifier( constructor(keys: PGPKeyRing, keyId: Long) : this(keys, KeyIdentifier(keyId)) + constructor( + key: OpenPGPComponentKey + ) : this( + OpenPgpFingerprint.of(key.certificate.pgpPublicKeyRing), + OpenPgpFingerprint.of(key.pgpPublicKey)) + constructor( keys: PGPKeyRing, subkeyFingerprint: OpenPgpFingerprint diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt index a34dd880..f5447d61 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt @@ -7,6 +7,7 @@ package org.pgpainless.key import java.nio.Buffer import java.nio.ByteBuffer import java.nio.charset.Charset +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey @@ -51,6 +52,8 @@ open class _64DigitFingerprint : OpenPgpFingerprint { return -1 // might be v5 or v6 } + override val keyIdentifier: KeyIdentifier = KeyIdentifier(bytes) + override fun isValid(fingerprint: String): Boolean { return fingerprint.matches(("^[0-9A-F]{64}$".toRegex())) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index e5426f37..7202cff7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -9,6 +9,7 @@ import java.util.function.Predicate import javax.annotation.Nonnull import kotlin.NoSuchElementException import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* import org.pgpainless.PGPainless @@ -248,7 +249,7 @@ class SecretKeyRingEditor( val version = OpenPGPKeyVersion.from(secretKeyRing.getPublicKey().version) val keyPair = KeyRingBuilder.generateKeyPair(keySpec, OpenPGPKeyVersion.v4, referenceTime) val subkeyProtector = - PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyID, subkeyPassphrase) + PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyIdentifier, subkeyPassphrase) val keyFlags = KeyFlag.fromBitmask(keySpec.subpackets.keyFlags).toMutableList() return addSubKey( keyPair, @@ -555,15 +556,15 @@ class SecretKeyRingEditor( } override fun changeSubKeyPassphraseFromOldPassphrase( - keyId: Long, + keyIdentifier: KeyIdentifier, oldPassphrase: Passphrase, oldProtectionSettings: KeyRingProtectionSettings ): SecretKeyRingEditorInterface.WithKeyRingEncryptionSettings { return WithKeyRingEncryptionSettingsImpl( this, - keyId, + keyIdentifier, CachingSecretKeyRingProtector( - mapOf(keyId to oldPassphrase), oldProtectionSettings, null)) + mapOf(keyIdentifier to oldPassphrase), oldProtectionSettings, null)) } override fun done(): PGPSecretKeyRing { @@ -746,7 +747,7 @@ class SecretKeyRingEditor( private class WithKeyRingEncryptionSettingsImpl( private val editor: SecretKeyRingEditor, - private val keyId: Long?, + private val keyId: KeyIdentifier?, private val oldProtector: SecretKeyRingProtector ) : SecretKeyRingEditorInterface.WithKeyRingEncryptionSettings { @@ -763,7 +764,7 @@ class SecretKeyRingEditor( private class WithPassphraseImpl( private val editor: SecretKeyRingEditor, - private val keyId: Long?, + private val keyId: KeyIdentifier?, private val oldProtector: SecretKeyRingProtector, private val newProtectionSettings: KeyRingProtectionSettings ) : SecretKeyRingEditorInterface.WithPassphrase { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt index 140ff905..ad8e36ff 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt @@ -8,6 +8,7 @@ import java.io.IOException import java.security.InvalidAlgorithmParameterException import java.security.NoSuchAlgorithmException import java.util.* +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.pgpainless.algorithm.KeyFlag import org.pgpainless.key.OpenPgpFingerprint @@ -592,19 +593,9 @@ interface SecretKeyRingEditorInterface { KeyRingProtectionSettings.secureDefaultSettings() ): WithKeyRingEncryptionSettings - /** - * Change the passphrase of a single subkey in the key ring. - * - * Note: While it is a valid use-case to have different passphrases per subKey, this is one of - * the reasons why OpenPGP sucks in practice. - * - * @param keyId id of the subkey - * @param oldPassphrase old passphrase (empty if the key was unprotected) - * @return next builder step - */ + @Deprecated("Pass KeyIdentifier instead.") fun changeSubKeyPassphraseFromOldPassphrase(keyId: Long, oldPassphrase: Passphrase) = - changeSubKeyPassphraseFromOldPassphrase( - keyId, oldPassphrase, KeyRingProtectionSettings.secureDefaultSettings()) + changeSubKeyPassphraseFromOldPassphrase(KeyIdentifier(keyId), oldPassphrase) /** * Change the passphrase of a single subkey in the key ring. @@ -612,13 +603,30 @@ interface SecretKeyRingEditorInterface { * Note: While it is a valid use-case to have different passphrases per subKey, this is one of * the reasons why OpenPGP sucks in practice. * - * @param keyId id of the subkey + * @param keyIdentifier id of the subkey + * @param oldPassphrase old passphrase (empty if the key was unprotected) + * @return next builder step + */ + fun changeSubKeyPassphraseFromOldPassphrase( + keyIdentifier: KeyIdentifier, + oldPassphrase: Passphrase + ) = + changeSubKeyPassphraseFromOldPassphrase( + keyIdentifier, oldPassphrase, KeyRingProtectionSettings.secureDefaultSettings()) + + /** + * Change the passphrase of a single subkey in the key ring. + * + * Note: While it is a valid use-case to have different passphrases per subKey, this is one of + * the reasons why OpenPGP sucks in practice. + * + * @param keyIdentifier id of the subkey * @param oldPassphrase old passphrase (empty if the key was unprotected) * @param oldProtectionSettings custom settings for the old passphrase * @return next builder step */ fun changeSubKeyPassphraseFromOldPassphrase( - keyId: Long, + keyIdentifier: KeyIdentifier, oldPassphrase: Passphrase, oldProtectionSettings: KeyRingProtectionSettings ): WithKeyRingEncryptionSettings diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt index c5db2086..35a6ebee 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt @@ -4,6 +4,8 @@ package org.pgpainless.key.protection +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.implementation.ImplementationFactory @@ -22,16 +24,21 @@ open class BaseSecretKeyRingProtector( passphraseProvider: SecretKeyPassphraseProvider ) : this(passphraseProvider, KeyRingProtectionSettings.secureDefaultSettings()) - override fun hasPassphraseFor(keyId: Long): Boolean = passphraseProvider.hasPassphrase(keyId) + override fun hasPassphraseFor(keyIdentifier: KeyIdentifier): Boolean { + return passphraseProvider.hasPassphrase(keyIdentifier) + } override fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = - passphraseProvider.getPassphraseFor(keyId)?.let { + getDecryptor(KeyIdentifier(keyId)) + + override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = + passphraseProvider.getPassphraseFor(keyIdentifier)?.let { if (it.isEmpty) null else ImplementationFactory.getInstance().getPBESecretKeyDecryptor(it) } - override fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? = - passphraseProvider.getPassphraseFor(keyId)?.let { + override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? { + return passphraseProvider.getPassphraseFor(keyIdentifier)?.let { if (it.isEmpty) null else ImplementationFactory.getInstance() @@ -41,4 +48,9 @@ open class BaseSecretKeyRingProtector( protectionSettings.s2kCount, it) } + } + + override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? { + return passphraseProvider.getPassphraseFor(p0.keyIdentifier)?.getChars() + } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt index 20704685..75ba146c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt @@ -4,9 +4,12 @@ package org.pgpainless.key.protection -import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor +import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider import org.pgpainless.util.Passphrase @@ -21,7 +24,7 @@ import org.pgpainless.util.Passphrase */ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphraseProvider { - private val cache: MutableMap + private val cache: MutableMap private val protector: SecretKeyRingProtector private val provider: SecretKeyPassphraseProvider? @@ -30,12 +33,12 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras constructor( missingPassphraseCallback: SecretKeyPassphraseProvider? ) : this( - mapOf(), + mapOf(), KeyRingProtectionSettings.secureDefaultSettings(), missingPassphraseCallback) constructor( - passphrases: Map, + passphrases: Map, protectionSettings: KeyRingProtectionSettings, missingPassphraseCallback: SecretKeyPassphraseProvider? ) { @@ -44,6 +47,10 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras this.provider = missingPassphraseCallback } + @Deprecated("Pass KeyIdentifier instead.") + fun addPassphrase(keyId: Long, passphrase: Passphrase) = + addPassphrase(KeyIdentifier(keyId), passphrase) + /** * Add a passphrase to the cache. If the cache already contains a passphrase for the given * key-id, a [IllegalArgumentException] is thrown. The reason for this is to prevent accidental @@ -53,24 +60,30 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras * If you can ensure that there will be no key-id clash, and you want to replace the passphrase, * you can use [replacePassphrase] to replace the passphrase. * - * @param keyId id of the key + * @param keyIdentifier id of the key * @param passphrase passphrase */ - fun addPassphrase(keyId: Long, passphrase: Passphrase) = apply { - require(!cache.containsKey(keyId)) { - "The cache already holds a passphrase for ID ${keyId.openPgpKeyId()}.\n" + + fun addPassphrase(keyIdentifier: KeyIdentifier, passphrase: Passphrase) = apply { + require(!cache.containsKey(keyIdentifier)) { + "The cache already holds a passphrase for ID ${keyIdentifier}.\n" + "If you want to replace this passphrase, use replacePassphrase(Long, Passphrase) instead." } - cache[keyId] = passphrase + cache[keyIdentifier] = passphrase } + @Deprecated("Pass KeyIdentifier instead.") + fun replacePassphrase(keyId: Long, passphrase: Passphrase) = + replacePassphrase(KeyIdentifier(keyId), passphrase) + /** * Replace the passphrase for the given key-id in the cache. * * @param keyId keyId * @param passphrase passphrase */ - fun replacePassphrase(keyId: Long, passphrase: Passphrase) = apply { cache[keyId] = passphrase } + fun replacePassphrase(keyId: KeyIdentifier, passphrase: Passphrase) = apply { + cache[keyId] = passphrase + } /** * Remember the given passphrase for all keys in the given key ring. If for the key-id of any @@ -91,14 +104,14 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras fun addPassphrase(keyRing: PGPKeyRing, passphrase: Passphrase) = apply { // check for existing passphrases before doing anything keyRing.publicKeys.forEach { - require(!cache.containsKey(it.keyID)) { - "The cache already holds a passphrase for the key with ID ${it.keyID.openPgpKeyId()}.\n" + + require(!cache.containsKey(it.keyIdentifier)) { + "The cache already holds a passphrase for the key with ID ${it.keyIdentifier}.\n" + "If you want to replace the passphrase, use replacePassphrase(PGPKeyRing, Passphrase) instead." } } // only then instert - keyRing.publicKeys.forEach { cache[it.keyID] = passphrase } + keyRing.publicKeys.forEach { cache[it.keyIdentifier] = passphrase } } /** @@ -108,7 +121,7 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras * @param passphrase passphrase */ fun replacePassphrase(keyRing: PGPKeyRing, passphrase: Passphrase) = apply { - keyRing.publicKeys.forEach { cache[it.keyID] = passphrase } + keyRing.publicKeys.forEach { cache[it.keyIdentifier] = passphrase } } /** @@ -118,7 +131,7 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras * @param passphrase passphrase */ fun addPassphrase(key: PGPPublicKey, passphrase: Passphrase) = - addPassphrase(key.keyID, passphrase) + addPassphrase(key.keyIdentifier, passphrase) /** * Remember the given passphrase for the key with the given fingerprint. @@ -127,14 +140,17 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras * @param passphrase passphrase */ fun addPassphrase(fingerprint: OpenPgpFingerprint, passphrase: Passphrase) = - addPassphrase(fingerprint.keyId, passphrase) + addPassphrase(fingerprint.keyIdentifier, passphrase) + + @Deprecated("Pass KeyIdentifier instead.") + fun forgetPassphrase(keyId: Long) = forgetPassphrase(KeyIdentifier(keyId)) /** * Remove a passphrase from the cache. The passphrase will be cleared and then removed. * * @param keyId id of the key */ - fun forgetPassphrase(keyId: Long) = apply { cache.remove(keyId)?.clear() } + fun forgetPassphrase(keyId: KeyIdentifier) = apply { cache.remove(keyId)?.clear() } /** * Forget the passphrase to all keys in the provided key ring. @@ -150,18 +166,27 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras * * @param key key */ - fun forgetPassphrase(key: PGPPublicKey) = apply { forgetPassphrase(key.keyID) } + fun forgetPassphrase(key: PGPPublicKey) = apply { forgetPassphrase(key.keyIdentifier) } - override fun getPassphraseFor(keyId: Long?): Passphrase? { - return if (hasPassphrase(keyId)) cache[keyId] - else provider?.getPassphraseFor(keyId)?.also { cache[keyId] = it } + override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? { + return if (hasPassphrase(keyIdentifier)) cache[keyIdentifier] + else provider?.getPassphraseFor(keyIdentifier)?.also { cache[keyIdentifier] = it } } - override fun hasPassphrase(keyId: Long?) = cache[keyId]?.isValid ?: false + override fun hasPassphraseFor(keyIdentifier: KeyIdentifier): Boolean { + return hasPassphrase(keyIdentifier) + } - override fun hasPassphraseFor(keyId: Long) = hasPassphrase(keyId) + override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean { + return cache[keyIdentifier]?.isValid ?: false + } - override fun getDecryptor(keyId: Long) = protector.getDecryptor(keyId) + override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = + protector.getDecryptor(keyIdentifier) - override fun getEncryptor(keyId: Long) = protector.getEncryptor(keyId) + override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? = + protector.getEncryptor(keyIdentifier) + + override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? = + getPassphraseFor(p0.keyIdentifier)?.getChars() } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt index 9eb47e88..a4f9d2bb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.protection +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPSecretKey import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider @@ -38,12 +39,12 @@ class PasswordBasedSecretKeyRingProtector : BaseSecretKeyRingProtector { ): PasswordBasedSecretKeyRingProtector { return object : SecretKeyPassphraseProvider { - override fun getPassphraseFor(keyId: Long?): Passphrase? { - return if (hasPassphrase(keyId)) passphrase else null + override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? { + return if (hasPassphrase(keyIdentifier)) passphrase else null } - override fun hasPassphrase(keyId: Long?): Boolean { - return keyId != null && keyRing.getPublicKey(keyId) != null + override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean { + return keyRing.getPublicKey(keyIdentifier) != null } } .let { PasswordBasedSecretKeyRingProtector(it) } @@ -51,20 +52,20 @@ class PasswordBasedSecretKeyRingProtector : BaseSecretKeyRingProtector { @JvmStatic fun forKey(key: PGPSecretKey, passphrase: Passphrase): PasswordBasedSecretKeyRingProtector = - forKeyId(key.publicKey.keyID, passphrase) + forKeyId(key.publicKey.keyIdentifier, passphrase) @JvmStatic fun forKeyId( - singleKeyId: Long, + singleKeyIdentifier: KeyIdentifier, passphrase: Passphrase ): PasswordBasedSecretKeyRingProtector { return object : SecretKeyPassphraseProvider { - override fun getPassphraseFor(keyId: Long?): Passphrase? { - return if (hasPassphrase(keyId)) passphrase else null + override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? { + return if (hasPassphrase(keyIdentifier)) passphrase else null } - override fun hasPassphrase(keyId: Long?): Boolean { - return keyId == singleKeyId + override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean { + return keyIdentifier.matches(singleKeyIdentifier) } } .let { PasswordBasedSecretKeyRingProtector(it) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt index 373c964c..ccab4c27 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.protection +import kotlin.Throws import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSecretKey @@ -14,7 +15,6 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider import org.pgpainless.util.Passphrase -import kotlin.Throws /** * Task of the [SecretKeyRingProtector] is to map encryptor/decryptor objects to key-ids. @@ -43,10 +43,11 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { * @param keyId id of the key * @return decryptor for the key */ - @Throws(PGPException::class) fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = - getDecryptor(KeyIdentifier(keyId)) + @Throws(PGPException::class) + fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = getDecryptor(KeyIdentifier(keyId)) - @Throws(PGPException::class) fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? + @Throws(PGPException::class) + fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? /** * Return an encryptor for the key of id `keyId`. This method returns null if the key is @@ -55,10 +56,11 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { * @param keyId id of the key * @return encryptor for the key */ - @Throws(PGPException::class) fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? = - getEncryptor(KeyIdentifier(keyId)) + @Throws(PGPException::class) + fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? = getEncryptor(KeyIdentifier(keyId)) - @Throws(PGPException::class) fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? + @Throws(PGPException::class) + fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? companion object { @@ -97,7 +99,7 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { passphrase: Passphrase, keys: PGPSecretKeyRing ): SecretKeyRingProtector = - fromPassphraseMap(keys.map { it.keyID }.associateWith { passphrase }) + fromPassphraseMap(keys.map { it.keyIdentifier }.associateWith { passphrase }) /** * Use the provided passphrase to unlock any key. @@ -132,12 +134,15 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { * Otherwise, this protector will always return null. * * @param passphrase passphrase - * @param keyId id of the key to lock/unlock + * @param keyIdentifier id of the key to lock/unlock * @return protector */ @JvmStatic - fun unlockSingleKeyWith(passphrase: Passphrase, keyId: Long): SecretKeyRingProtector = - PasswordBasedSecretKeyRingProtector.forKeyId(keyId, passphrase) + fun unlockSingleKeyWith( + passphrase: Passphrase, + keyIdentifier: KeyIdentifier + ): SecretKeyRingProtector = + PasswordBasedSecretKeyRingProtector.forKeyId(keyIdentifier, passphrase) /** * Protector for unprotected keys. This protector returns null for all @@ -159,7 +164,9 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { * @return protector */ @JvmStatic - fun fromPassphraseMap(passphraseMap: Map): SecretKeyRingProtector = + fun fromPassphraseMap( + passphraseMap: Map + ): SecretKeyRingProtector = CachingSecretKeyRingProtector( passphraseMap, KeyRingProtectionSettings.secureDefaultSettings(), null) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.kt index 3457cff7..2ba0e448 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.protection.passphrase_provider +import org.bouncycastle.bcpg.KeyIdentifier import org.pgpainless.util.Passphrase /** @@ -14,9 +15,11 @@ import org.pgpainless.util.Passphrase * * TODO: Make this null-safe and throw an exception instead? */ -class MapBasedPassphraseProvider(val map: Map) : SecretKeyPassphraseProvider { +class MapBasedPassphraseProvider(val map: Map) : + SecretKeyPassphraseProvider { - override fun getPassphraseFor(keyId: Long?): Passphrase? = map[keyId] + override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? = map[keyIdentifier] - override fun hasPassphrase(keyId: Long?): Boolean = map.containsKey(keyId) + override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean = + map.containsKey(keyIdentifier) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt index a80b8bb0..268538f2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.protection.passphrase_provider +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPSecretKey import org.pgpainless.util.Passphrase @@ -19,7 +20,7 @@ interface SecretKeyPassphraseProvider { * @return passphrase or null, if no passphrase record is found. */ fun getPassphraseFor(secretKey: PGPSecretKey): Passphrase? { - return getPassphraseFor(secretKey.keyID) + return getPassphraseFor(secretKey.keyIdentifier) } /** @@ -30,7 +31,11 @@ interface SecretKeyPassphraseProvider { * @param keyId if of the secret key * @return passphrase or null, if no passphrase record has been found. */ - fun getPassphraseFor(keyId: Long?): Passphrase? + fun getPassphraseFor(keyId: Long): Passphrase? = getPassphraseFor(KeyIdentifier(keyId)) - fun hasPassphrase(keyId: Long?): Boolean + fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? + + fun hasPassphrase(keyId: Long): Boolean = hasPassphrase(KeyIdentifier(keyId)) + + fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.kt index a9f6801d..b846df2d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.kt @@ -4,12 +4,13 @@ package org.pgpainless.key.protection.passphrase_provider +import org.bouncycastle.bcpg.KeyIdentifier import org.pgpainless.util.Passphrase /** Implementation of the [SecretKeyPassphraseProvider] that holds a single [Passphrase]. */ class SolitaryPassphraseProvider(val passphrase: Passphrase?) : SecretKeyPassphraseProvider { - override fun getPassphraseFor(keyId: Long?): Passphrase? = passphrase + override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? = passphrase - override fun hasPassphrase(keyId: Long?): Boolean = true + override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean = true } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt index f83b5486..02624fd1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt @@ -7,6 +7,7 @@ package org.pgpainless.key.util import java.io.ByteArrayOutputStream import kotlin.jvm.Throws import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.S2K import org.bouncycastle.bcpg.SecretKeyPacket import org.bouncycastle.openpgp.* @@ -468,7 +469,7 @@ class KeyRingUtils { @JvmStatic @Throws(MissingPassphraseException::class, PGPException::class) fun changePassphrase( - keyId: Long?, + keyId: KeyIdentifier?, secretKeys: PGPSecretKeyRing, oldProtector: SecretKeyRingProtector, newProtector: SecretKeyRingProtector @@ -484,7 +485,7 @@ class KeyRingUtils { secretKeys.secretKeys .asSequence() .map { - if (it.keyID == keyId) { + if (it.keyIdentifier.matches(keyId)) { reencryptPrivateKey(it, oldProtector, newProtector) } else { it diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt index 83b7e54e..61bdd282 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt @@ -13,6 +13,7 @@ import org.bouncycastle.openpgp.PGPSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.SignatureType +import org.pgpainless.bouncycastle.extensions.getPublicKey import org.pgpainless.bouncycastle.extensions.issuerKeyId import org.pgpainless.exception.SignatureValidationException import org.pgpainless.key.util.KeyRingUtils @@ -303,10 +304,12 @@ class CertificateValidator { policy: Policy ): Boolean { return validateCertificate( - onePassSignature.signature!!, onePassSignature.verificationKeys, policy) && + onePassSignature.signature!!, + onePassSignature.verificationKeys.pgpPublicKeyRing, + policy) && SignatureVerifier.verifyOnePassSignature( onePassSignature.signature!!, - onePassSignature.verificationKeys.getPublicKey( + onePassSignature.verificationKeys.pgpKeyRing.getPublicKey( onePassSignature.signature!!.issuerKeyId), onePassSignature, policy) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt index 59d65cdb..7536776e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt @@ -8,8 +8,6 @@ import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate -import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey -import org.pgpainless.bouncycastle.extensions.getSigningKeyFor import org.pgpainless.key.SubkeyIdentifier /** diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java index f37bf690..28488fac 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java @@ -21,6 +21,7 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; @@ -176,12 +177,13 @@ public class InvestigateMultiSEIPMessageHandlingTest { @Test public void testDecryptAndVerifyDetectsAppendedSEIPData() throws IOException, PGPException { - PGPSecretKeyRing ring1 = PGPainless.readKeyRing().secretKeyRing(KEY1); - PGPSecretKeyRing ring2 = PGPainless.readKeyRing().secretKeyRing(KEY2); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey ring1 = api.readKey().parseKey(KEY1); + OpenPGPKey ring2 = api.readKey().parseKey(KEY2); - ConsumerOptions options = new ConsumerOptions() - .addVerificationCert(PGPainless.extractCertificate(ring1)) - .addVerificationCert(PGPainless.extractCertificate(ring2)) + ConsumerOptions options = ConsumerOptions.get() + .addVerificationCert(ring2) + .addVerificationCert(ring2) .addDecryptionKey(ring1); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() diff --git a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java index 7ec53edb..3afcce54 100644 --- a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java +++ b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java @@ -124,7 +124,7 @@ public class OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionT DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(cert) .addDecryptionKey(secretKeys)); diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java index eb9e7ef5..031c3e73 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java @@ -544,7 +544,7 @@ public class AsciiArmorCRCTests { assertThrows(IOException.class, () -> { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions().addDecryptionKey( + .withOptions(ConsumerOptions.get().addDecryptionKey( key, SecretKeyRingProtector.unlockAnyKeyWith(passphrase) )); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index 82796cb9..22372f2e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -52,7 +52,7 @@ public class DecryptAndVerifyMessageTest { public void decryptMessageAndVerifySignatureTest() throws Exception { String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET; - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addDecryptionKey(juliet) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet)); @@ -87,7 +87,7 @@ public class DecryptAndVerifyMessageTest { public void decryptMessageAndReadBeyondEndTest() throws Exception { final String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET; - final ConsumerOptions options = new ConsumerOptions() + final ConsumerOptions options = ConsumerOptions.get() .addDecryptionKey(juliet) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet)); @@ -105,7 +105,7 @@ public class DecryptAndVerifyMessageTest { public void decryptMessageAndVerifySignatureByteByByteTest() throws Exception { String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET; - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addDecryptionKey(juliet) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java index fc8cf347..a5f39d0f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java @@ -128,7 +128,7 @@ public class DecryptHiddenRecipientMessageTest { "=1knQ\n" + "-----END PGP MESSAGE-----\n"; ByteArrayInputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addDecryptionKey(secretKeys); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java index 2b222c83..b5c1bed0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java @@ -177,7 +177,7 @@ public class IgnoreUnknownSignatureVersionsTest { private MessageMetadata verifySignature(PGPPublicKeyRing cert, String BASE_CASE) throws PGPException, IOException { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(cert) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(BASE_CASE.getBytes(StandardCharsets.UTF_8)))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index 979587ac..6ff534b0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -16,11 +16,13 @@ import java.io.IOException; import java.nio.charset.StandardCharsets; import java.util.List; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; +import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -62,13 +64,13 @@ public class MissingPassphraseForDecryptionTest { // interactive callback SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { + public Passphrase getPassphraseFor(@NotNull KeyIdentifier keyIdentifier) { // is called in interactive mode return Passphrase.fromPassword(passphrase); } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@NotNull KeyIdentifier keyIdentifier) { return true; } }; @@ -95,13 +97,13 @@ public class MissingPassphraseForDecryptionTest { SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { + public Passphrase getPassphraseFor(@NotNull KeyIdentifier keyIdentifier) { fail("MUST NOT get called in non-interactive mode."); return null; } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@NotNull KeyIdentifier keyIdentifier) { return true; } }; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java index 8489da9a..1a4137f7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java @@ -12,6 +12,7 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; @@ -23,6 +24,8 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; import org.pgpainless.util.Passphrase; +import javax.annotation.Nonnull; + public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { private static PGPSecretKeyRing k1; @@ -120,13 +123,13 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { public void missingPassphraseFirst() throws PGPException, IOException { SecretKeyRingProtector protector1 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { + public Passphrase getPassphraseFor(@Nonnull KeyIdentifier keyIdentifier) { fail("Although the first PKESK is for k1, we should have skipped it and tried k2 first, which has passphrase available."); return null; } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@Nonnull KeyIdentifier keyIdentifier) { return false; } }); @@ -134,7 +137,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(k1, protector1) .addDecryptionKey(k2, protector2)); @@ -150,20 +153,20 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { SecretKeyRingProtector protector1 = SecretKeyRingProtector.unlockEachKeyWith(p1, k1); SecretKeyRingProtector protector2 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { + public Passphrase getPassphraseFor(@Nonnull KeyIdentifier keyIdentifier) { fail("This callback should not get called, since the first PKESK is for k1, which has a passphrase available."); return null; } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@Nonnull KeyIdentifier keyIdentifier) { return false; } }); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(k1, protector1) .addDecryptionKey(k2, protector2)); @@ -178,13 +181,13 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { public void messagePassphraseFirst() throws PGPException, IOException { SecretKeyPassphraseProvider provider = new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { + public Passphrase getPassphraseFor(@Nonnull KeyIdentifier keyIdentifier) { fail("Since we provide a decryption passphrase, we should not try to decrypt any key."); return null; } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@Nonnull KeyIdentifier keyIdentifier) { return false; } }; @@ -192,7 +195,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K2_PASS_K1.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addMessagePassphrase(PASSPHRASE) .addDecryptionKey(k1, protector) .addDecryptionKey(k2, protector)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java index f06f0233..ea54f2a4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java @@ -180,7 +180,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(msgIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)); + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); Streams.drain(decryptionStream); decryptionStream.close(); @@ -196,7 +196,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(msgIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)); + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); Streams.drain(decryptionStream); decryptionStream.close(); @@ -215,6 +215,6 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(msgIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys))); + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys))); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java index 9f85b241..dfacbaac 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java @@ -30,7 +30,7 @@ public class SignedMessageVerificationWithoutCertIsStillSignedTest { @Test public void verifyMissingVerificationCertOptionStillResultsInMessageIsSigned() throws IOException, PGPException { - ConsumerOptions withoutVerificationCert = new ConsumerOptions(); + ConsumerOptions withoutVerificationCert = ConsumerOptions.get(); DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) .withOptions(withoutVerificationCert); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java index e1406f87..e344d55f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java @@ -57,7 +57,7 @@ public class VerifyDetachedSignatureTest { DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(signedContent.getBytes(StandardCharsets.UTF_8))) .withOptions( - new ConsumerOptions() + ConsumerOptions.get() .addVerificationOfDetachedSignatures(new ByteArrayInputStream(signature.getBytes(StandardCharsets.UTF_8))) .addVerificationCerts(PGPainless.readKeyRing().keyRingCollection(pubkey, true).getPgpPublicKeyRingCollection()) .setMultiPassStrategy(new InMemoryMultiPassStrategy()) @@ -132,7 +132,7 @@ public class VerifyDetachedSignatureTest { DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(signedContent.getBytes(StandardCharsets.UTF_8))) .withOptions( - new ConsumerOptions() + ConsumerOptions.get() .addVerificationOfDetachedSignatures(new ByteArrayInputStream(signature.getBytes(StandardCharsets.UTF_8))) .addVerificationCerts(PGPainless.readKeyRing().keyRingCollection(pubkey, true).getPgpPublicKeyRingCollection()) .setMultiPassStrategy(new InMemoryMultiPassStrategy()) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java index 069a5f2d..e0608723 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java @@ -62,7 +62,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void noConstraintsVerifyInlineSig() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(certificate); DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(inlineSigned)) @@ -74,7 +74,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void noConstraintsVerifyDetachedSig() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); DecryptionStream verifier = PGPainless.decryptAndOrVerify() @@ -87,7 +87,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void notBeforeT1DoesNotRejectInlineSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotBefore(T1) .addVerificationCert(certificate); DecryptionStream verifier = PGPainless.decryptAndOrVerify() @@ -99,7 +99,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void notBeforeT1DoesNotRejectDetachedSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotBefore(T1) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); @@ -112,7 +112,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void verifyNotBeforeT2DoesRejectInlineSignatureMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotBefore(T2) .addVerificationCert(certificate); DecryptionStream verifier = PGPainless.decryptAndOrVerify() @@ -124,7 +124,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void verifyNotBeforeT2DoesRejectDetachedSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotBefore(T2) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); @@ -137,7 +137,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void verifyNotAfterT1DoesNotRejectInlineSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotAfter(T1) .addVerificationCert(certificate); DecryptionStream verifier = PGPainless.decryptAndOrVerify() @@ -149,7 +149,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void verifyNotAfterT1DoesRejectDetachedSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotAfter(T1) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); @@ -162,7 +162,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void verifyNotAfterT0DoesRejectInlineSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotAfter(T0) .addVerificationCert(certificate); DecryptionStream verifier = PGPainless.decryptAndOrVerify() @@ -174,7 +174,7 @@ public class VerifyNotBeforeNotAfterTest { @Test public void verifyNotAfterT0DoesRejectDetachedSigMadeAtT1() throws PGPException, IOException { - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .verifyNotAfter(T0) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java index 6b9d9cab..6de4dc72 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java @@ -35,7 +35,7 @@ class VerifyVersion3SignaturePacketTest { void verifyDetachedVersion3Signature() throws PGPException, IOException { PGPSignature version3Signature = generateV3Signature(); - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(TestKeys.getEmilPublicKeyRing()) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(version3Signature.getEncoded())); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java index 4845ddab..3bc2c5f0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java @@ -13,21 +13,23 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.key.TestKeys; -import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.key.util.KeyRingUtils; + +import javax.annotation.Nonnull; /** * Test functionality of the {@link MissingPublicKeyCallback} which is called when during signature verification, @@ -38,11 +40,12 @@ public class VerifyWithMissingPublicKeyCallbackTest { @Test public void testMissingPublicKeyCallback() throws PGPException, IOException { - PGPSecretKeyRing signingSecKeys = PGPainless.generateKeyRing().modernKeyRing("alice") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey signingSecKeys = api.generateKey(OpenPGPKeyVersion.v4).modernKeyRing("alice"); OpenPGPCertificate.OpenPGPComponentKey signingKey = - new KeyRingInfo(signingSecKeys).getSigningSubkeys().get(0); - PGPPublicKeyRing signingPubKeys = KeyRingUtils.publicKeyRingFrom(signingSecKeys); + signingSecKeys.getSigningKeys().get(0); + OpenPGPCertificate signingPubKeys = signingSecKeys.toCertificate(); PGPPublicKeyRing unrelatedKeys = TestKeys.getJulietPublicKeyRing(); String msg = "Arguing that you don't care about the right to privacy because you have nothing to hide" + @@ -51,7 +54,7 @@ public class VerifyWithMissingPublicKeyCallbackTest { EncryptionStream signingStream = PGPainless.encryptAndOrSign().onOutputStream(signOut) .withOptions(ProducerOptions.sign(new SigningOptions().addInlineSignature( SecretKeyRingProtector.unprotectedKeys(), - signingSecKeys, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT + signingSecKeys.getPGPSecretKeyRing(), DocumentSignatureType.CANONICAL_TEXT_DOCUMENT ))); Streams.pipeAll(new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)), signingStream); signingStream.close(); @@ -62,8 +65,8 @@ public class VerifyWithMissingPublicKeyCallbackTest { .addVerificationCert(unrelatedKeys) .setMissingCertificateCallback(new MissingPublicKeyCallback() { @Override - public PGPPublicKeyRing onMissingPublicKeyEncountered(long keyId) { - assertEquals(signingKey.getKeyIdentifier().getKeyId(), keyId, "Signing key-ID mismatch."); + public OpenPGPCertificate onMissingPublicKeyEncountered(@Nonnull KeyIdentifier keyIdentifier) { + assertEquals(signingKey.getKeyIdentifier(), keyIdentifier, "Signing key-ID mismatch."); return signingPubKeys; } })); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index ff41aa81..bfafa0a1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -97,7 +97,7 @@ public class ChangeSecretKeyRingPassphraseTest { extractPrivateKey(subKey, Passphrase.fromPassword("weakPassphrase")); PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) - .changeSubKeyPassphraseFromOldPassphrase(subKey.getPublicKey().getKeyID(), + .changeSubKeyPassphraseFromOldPassphrase(subKey.getPublicKey().getKeyIdentifier(), Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("subKeyPassphrase")) @@ -130,7 +130,7 @@ public class ChangeSecretKeyRingPassphraseTest { PGPSecretKey subKey = keys.next(); PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) - .changeSubKeyPassphraseFromOldPassphrase(subKey.getKeyID(), Passphrase.fromPassword("weakPassphrase")) + .changeSubKeyPassphraseFromOldPassphrase(subKey.getKeyIdentifier(), Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNoPassphrase() .done(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index 081d8959..d77466bf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -13,11 +13,13 @@ import java.io.IOException; import java.util.Iterator; import java.util.Random; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -30,13 +32,13 @@ public class CachingSecretKeyRingProtectorTest { // Dummy passphrase callback that returns the doubled key-id as passphrase private final SecretKeyPassphraseProvider dummyCallback = new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { - long doubled = keyId * 2; + public Passphrase getPassphraseFor(@NotNull KeyIdentifier keyIdentifier) { + long doubled = keyIdentifier.getKeyId() * 2; return Passphrase.fromPassword(Long.toString(doubled)); } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@NotNull KeyIdentifier keyIdentifier) { return true; } }; @@ -49,15 +51,15 @@ public class CachingSecretKeyRingProtectorTest { } @Test - public void noCallbackReturnsNullForUnknownKeyId() { + public void noCallbackReturnsNullForUnknownKeyId() throws PGPException { assertNull(protector.getDecryptor(123L)); assertNull(protector.getEncryptor(123L)); } @Test - public void testAddPassphrase() { + public void testAddPassphrase() throws PGPException { Passphrase passphrase = Passphrase.fromPassword("HelloWorld"); - protector.addPassphrase(123L, passphrase); + protector.addPassphrase(new KeyIdentifier(123L), passphrase); assertEquals(passphrase, protector.getPassphraseFor(123L)); assertNotNull(protector.getEncryptor(123L)); assertNotNull(protector.getDecryptor(123L)); @@ -75,7 +77,7 @@ public class CachingSecretKeyRingProtectorTest { } @Test - public void testAddPassphraseForKeyRing() { + public void testAddPassphraseForKeyRing() throws PGPException { PGPSecretKeyRing keys = PGPainless.generateKeyRing() .modernKeyRing("test@test.test", "Passphrase123") .getPGPSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java index 3961a2be..9dd6ba33 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java @@ -11,6 +11,7 @@ import java.io.IOException; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -22,10 +23,10 @@ public class MapBasedPassphraseProviderTest { @Test public void testMapBasedProvider() throws IOException, PGPException { - Map passphraseMap = new ConcurrentHashMap<>(); - passphraseMap.put(1L, Passphrase.fromPassword("tiger")); - passphraseMap.put(123123123L, Passphrase.fromPassword("snake")); - passphraseMap.put(69696969L, Passphrase.emptyPassphrase()); + Map passphraseMap = new ConcurrentHashMap<>(); + passphraseMap.put(new KeyIdentifier(1L), Passphrase.fromPassword("tiger")); + passphraseMap.put(new KeyIdentifier(123123123L), Passphrase.fromPassword("snake")); + passphraseMap.put(new KeyIdentifier(69696969L), Passphrase.emptyPassphrase()); MapBasedPassphraseProvider provider = new MapBasedPassphraseProvider(passphraseMap); assertEquals(Passphrase.fromPassword("tiger"), provider.getPassphraseFor(1L)); @@ -35,7 +36,7 @@ public class MapBasedPassphraseProviderTest { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); passphraseMap = new ConcurrentHashMap<>(); - passphraseMap.put(secretKeys.getSecretKey().getKeyID(), TestKeys.CRYPTIE_PASSPHRASE); + passphraseMap.put(secretKeys.getSecretKey().getKeyIdentifier(), TestKeys.CRYPTIE_PASSPHRASE); provider = new MapBasedPassphraseProvider(passphraseMap); assertEquals(TestKeys.CRYPTIE_PASSPHRASE, provider.getPassphraseFor(secretKeys.getSecretKey())); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index 6139ec0a..495d569e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -10,9 +10,11 @@ import static org.junit.jupiter.api.Assertions.assertNull; import java.util.Iterator; import javax.annotation.Nullable; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.TestKeys; @@ -29,8 +31,8 @@ public class PassphraseProtectedKeyTest { new SecretKeyPassphraseProvider() { @Nullable @Override - public Passphrase getPassphraseFor(Long keyId) { - if (keyId == TestKeys.CRYPTIE_KEY_ID) { + public Passphrase getPassphraseFor(@NotNull KeyIdentifier keyIdentifier) { + if (keyIdentifier.getKeyId() == TestKeys.CRYPTIE_KEY_ID) { return new Passphrase(TestKeys.CRYPTIE_PASSWORD.toCharArray()); } else { return null; @@ -38,19 +40,19 @@ public class PassphraseProtectedKeyTest { } @Override - public boolean hasPassphrase(Long keyId) { - return keyId == TestKeys.CRYPTIE_KEY_ID; + public boolean hasPassphrase(@NotNull KeyIdentifier keyIdentifier) { + return keyIdentifier.getKeyId() == TestKeys.CRYPTIE_KEY_ID; } }); @Test - public void testReturnsNonNullDecryptorEncryptorForPassword() { + public void testReturnsNonNullDecryptorEncryptorForPassword() throws PGPException { assertNotNull(protector.getEncryptor(TestKeys.CRYPTIE_KEY_ID)); assertNotNull(protector.getDecryptor(TestKeys.CRYPTIE_KEY_ID)); } @Test - public void testReturnsNullDecryptorEncryptorForNoPassword() { + public void testReturnsNullDecryptorEncryptorForNoPassword() throws PGPException { assertNull(protector.getEncryptor(TestKeys.JULIET_KEY_ID)); assertNull(protector.getDecryptor(TestKeys.JULIET_KEY_ID)); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 92ae553d..73258713 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -15,10 +15,12 @@ import java.util.Map; import java.util.Random; import java.util.concurrent.ConcurrentHashMap; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; +import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -85,8 +87,8 @@ public class SecretKeyRingProtectorTest { @Test public void testFromPassphraseMap() { - Map passphraseMap = new ConcurrentHashMap<>(); - passphraseMap.put(1L, Passphrase.emptyPassphrase()); + Map passphraseMap = new ConcurrentHashMap<>(); + passphraseMap.put(new KeyIdentifier(1L), Passphrase.emptyPassphrase()); CachingSecretKeyRingProtector protector = (CachingSecretKeyRingProtector) SecretKeyRingProtector.fromPassphraseMap(passphraseMap); @@ -102,17 +104,17 @@ public class SecretKeyRingProtectorTest { @Test public void testMissingPassphraseCallback() { - Map passphraseMap = new ConcurrentHashMap<>(); - passphraseMap.put(1L, Passphrase.emptyPassphrase()); + Map passphraseMap = new ConcurrentHashMap<>(); + passphraseMap.put(new KeyIdentifier(1L), Passphrase.emptyPassphrase()); CachingSecretKeyRingProtector protector = new CachingSecretKeyRingProtector(passphraseMap, KeyRingProtectionSettings.secureDefaultSettings(), new SecretKeyPassphraseProvider() { @Override - public Passphrase getPassphraseFor(Long keyId) { + public Passphrase getPassphraseFor(@NotNull KeyIdentifier keyIdentifier) { return Passphrase.fromPassword("missingP455w0rd"); } @Override - public boolean hasPassphrase(Long keyId) { + public boolean hasPassphrase(@NotNull KeyIdentifier keyIdentifier) { return true; } }); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java index 07f65a59..4f590c8b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java @@ -6,6 +6,7 @@ package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNull; +import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.api.Test; public class UnprotectedKeysProtectorTest { @@ -13,12 +14,12 @@ public class UnprotectedKeysProtectorTest { private final UnprotectedKeysProtector protector = new UnprotectedKeysProtector(); @Test - public void testKeyProtectorReturnsNullDecryptor() { + public void testKeyProtectorReturnsNullDecryptor() throws PGPException { assertNull(protector.getDecryptor(0L)); } @Test - public void testKeyProtectorReturnsNullEncryptor() { + public void testKeyProtectorReturnsNullEncryptor() throws PGPException { assertNull(protector.getEncryptor(0L)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java index d0d37117..029f59ac 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java @@ -48,7 +48,7 @@ public class MultiPassphraseSymmetricEncryptionTest { for (Passphrase passphrase : new Passphrase[] {Passphrase.fromPassword("p2"), Passphrase.fromPassword("p1")}) { DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertext)) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addMessagePassphrase(passphrase)); ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index dbf7ca24..3fa54bf6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -65,7 +65,7 @@ public class SymmetricEncryptionTest { // Test symmetric decryption DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertext)) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addMessagePassphrase(encryptionPassphrase)); ByteArrayOutputStream decrypted = new ByteArrayOutputStream(); @@ -82,7 +82,7 @@ public class SymmetricEncryptionTest { new SolitaryPassphraseProvider(Passphrase.fromPassword(TestKeys.CRYPTIE_PASSWORD))); decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertext)) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(decryptionKeys, protector)); decrypted = new ByteArrayOutputStream(); @@ -110,7 +110,7 @@ public class SymmetricEncryptionTest { assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray())) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION) .addMessagePassphrase(Passphrase.fromPassword("meldir")))); } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt index 13347721..74e79511 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt @@ -4,9 +4,11 @@ package org.pgpainless.sop +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.bouncycastle.extensions.isDecrypted @@ -41,7 +43,7 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { } if (testPassphrase(passphrase, subkey)) { - protector.addPassphrase(subkey.keyID, passphrase) + protector.addPassphrase(subkey.keyIdentifier, passphrase) } } } @@ -54,11 +56,11 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { key.forEach { subkey -> if (subkey.isDecrypted()) { - protector.addPassphrase(subkey.keyID, Passphrase.emptyPassphrase()) + protector.addPassphrase(subkey.keyIdentifier, Passphrase.emptyPassphrase()) } else { passphrases.forEach { passphrase -> if (testPassphrase(passphrase, subkey)) { - protector.addPassphrase(subkey.keyID, passphrase) + protector.addPassphrase(subkey.keyIdentifier, passphrase) } } } @@ -74,11 +76,17 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { false } - override fun hasPassphraseFor(keyId: Long): Boolean = protector.hasPassphrase(keyId) + override fun hasPassphraseFor(keyIdentifier: KeyIdentifier): Boolean = + protector.hasPassphrase(keyIdentifier) - override fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = protector.getDecryptor(keyId) + override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = + protector.getDecryptor(keyIdentifier) - override fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? = protector.getEncryptor(keyId) + override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? = + protector.getEncryptor(keyIdentifier) + + override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? = + protector.getKeyPassword(p0) /** Clear all known passphrases from the protector. */ fun clear() { diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java index cc6dd4dd..cb45551d 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java @@ -4,6 +4,7 @@ package sop.testsuite.pgpainless.operation; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -38,9 +39,9 @@ public class PGPainlessChangeKeyPasswordTest extends ChangeKeyPasswordTest { .build() .getPGPSecretKeyRing(); Iterator keys = secretKeys.getPublicKeys(); - long primaryKeyId = keys.next().getKeyID(); - long signingKeyId = keys.next().getKeyID(); - long encryptKeyId = keys.next().getKeyID(); + KeyIdentifier primaryKeyId = keys.next().getKeyIdentifier(); + KeyIdentifier signingKeyId = keys.next().getKeyIdentifier(); + KeyIdentifier encryptKeyId = keys.next().getKeyIdentifier(); String p1 = "sw0rdf1sh"; String p2 = "0r4ng3"; From bbecdd693f9d48f1b6fedefa6253c7f6b558b0cb Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 11 Feb 2025 16:32:37 +0100 Subject: [PATCH 032/265] Reenable disabled test and add workaround for broken one --- .../pgpainless/sop/CarolKeySignEncryptRoundtripTest.java | 2 -- .../pgpainless/operation/PGPainlessRevokeKeyTest.java | 6 ++++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java index d994c9bc..83778106 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java @@ -8,7 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertArrayEquals; import java.io.IOException; -import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import sop.ByteArrayAndResult; import sop.DecryptionResult; @@ -16,7 +15,6 @@ import sop.EncryptionResult; import sop.ReadyWithResult; import sop.testsuite.assertions.VerificationListAssert; -@Disabled("Carol is an ElGamal key, which are no longer supported.") public class CarolKeySignEncryptRoundtripTest { private static final String CAROL_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessRevokeKeyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessRevokeKeyTest.java index b7590b7a..5567d3e0 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessRevokeKeyTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessRevokeKeyTest.java @@ -4,6 +4,7 @@ package sop.testsuite.pgpainless.operation; +import static java.lang.Thread.sleep; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -28,6 +29,11 @@ public class PGPainlessRevokeKeyTest extends RevokeKeyTest { super.revokeUnprotectedKey(sop); byte[] key = sop.generateKey().generate().getBytes(); + try { + sleep(1000); + } catch (InterruptedException e) { + throw new RuntimeException(e); + } byte[] revokedKey = sop.revokeKey().keys(key).getBytes(); PGPKeyRing certificate = PGPainless.readKeyRing().keyRing(revokedKey); From 4a90b8721f45868e883bcc706fe8ca1541845e02 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 12 Feb 2025 19:32:22 +0100 Subject: [PATCH 033/265] Port ConsumerOptions, SigningOptions to new OpenPGPCertificate, OpenPGPKey classes --- .../ConsumerOptions.kt | 47 +-- .../OpenPgpMessageInputStream.kt | 19 +- .../encryption_signing/EncryptionStream.kt | 3 +- .../encryption_signing/SigningOptions.kt | 306 +++++++++++------- .../org/pgpainless/key/SubkeyIdentifier.kt | 3 + .../key/protection/UnlockSecretKey.kt | 32 ++ 6 files changed, 260 insertions(+), 150 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 363bc7fa..a11e3536 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -12,6 +12,7 @@ import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory import org.pgpainless.PGPainless import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy @@ -73,12 +74,20 @@ class ConsumerOptions { this.certificates.addCertificate(verificationCert) } + fun addVerificationCerts(verificationCerts: Collection): ConsumerOptions = + apply { + for (cert in verificationCerts) { + addVerificationCert(cert) + } + } + /** * Add a certificate (public key ring) for signature verification. * * @param verificationCert certificate for signature verification * @return options */ + @Deprecated("Pass OpenPGPCertificate instead.") fun addVerificationCert(verificationCert: PGPPublicKeyRing): ConsumerOptions = apply { this.certificates.addCertificate(verificationCert) } @@ -89,6 +98,7 @@ class ConsumerOptions { * @param verificationCerts certificates for signature verification * @return options */ + @Deprecated("Use of methods taking PGPPublicKeyRingCollections is discouraged.") fun addVerificationCerts(verificationCerts: PGPPublicKeyRingCollection): ConsumerOptions = apply { for (cert in verificationCerts) { @@ -125,6 +135,14 @@ class ConsumerOptions { } } + fun addVerificationOfDetachedSignature(signature: OpenPGPDocumentSignature): ConsumerOptions = + apply { + if (signature.issuerCertificate != null) { + addVerificationCert(signature.issuerCertificate) + } + addVerificationOfDetachedSignature(signature.signature) + } + /** * Add a detached signature for the signature verification process. * @@ -178,6 +196,7 @@ class ConsumerOptions { * @return options */ @JvmOverloads + @Deprecated("Pass OpenPGPKey instead.") fun addDecryptionKey( key: PGPSecretKeyRing, protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys(), @@ -192,6 +211,7 @@ class ConsumerOptions { * @return options */ @JvmOverloads + @Deprecated("Pass OpenPGPKey instances instead.") fun addDecryptionKeys( keys: PGPSecretKeyRingCollection, protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys() @@ -201,21 +221,6 @@ class ConsumerOptions { } } - /** - * Add a passphrase for message decryption. This passphrase will be used to try to decrypt - * messages which were symmetrically encrypted for a passphrase. - * - * See - * [Symmetrically Encrypted Data Packet](https://datatracker.ietf.org/doc/html/rfc4880#section-5.7) - * - * @param passphrase passphrase - * @return options - */ - @Deprecated( - "Deprecated in favor of addMessagePassphrase", - ReplaceWith("addMessagePassphrase(passphrase)")) - fun addDecryptionPassphrase(passphrase: Passphrase) = addMessagePassphrase(passphrase) - /** * Add a passphrase for message decryption. This passphrase will be used to try to decrypt * messages which were symmetrically encrypted for a passphrase. @@ -255,21 +260,21 @@ class ConsumerOptions { * * @return decryption keys */ - fun getDecryptionKeys() = decryptionKeys.keys.toSet() + fun getDecryptionKeys(): Set = decryptionKeys.keys.toSet() /** * Return the set of available message decryption passphrases. * * @return decryption passphrases */ - fun getDecryptionPassphrases() = decryptionPassphrases.toSet() + fun getDecryptionPassphrases(): Set = decryptionPassphrases.toSet() /** * Return an object holding available certificates for signature verification. * * @return certificate source */ - fun getCertificateSource() = certificates + fun getCertificateSource(): CertificateSource = certificates /** * Return the callback that gets called when a certificate for signature verification is @@ -277,7 +282,7 @@ class ConsumerOptions { * * @return missing public key callback */ - fun getMissingCertificateCallback() = missingCertificateCallback + fun getMissingCertificateCallback(): MissingPublicKeyCallback? = missingCertificateCallback /** * Return the [SecretKeyRingProtector] for the given [PGPSecretKeyRing]. @@ -321,7 +326,7 @@ class ConsumerOptions { this.ignoreMDCErrors = ignoreMDCErrors } - fun isIgnoreMDCErrors() = ignoreMDCErrors + fun isIgnoreMDCErrors(): Boolean = ignoreMDCErrors /** * Force PGPainless to handle the data provided by the [InputStream] as non-OpenPGP data. This @@ -337,7 +342,7 @@ class ConsumerOptions { * * @return true if non-OpenPGP data is forced */ - fun isForceNonOpenPgpData() = forceNonOpenPgpData + fun isForceNonOpenPgpData(): Boolean = forceNonOpenPgpData /** * Specify the [MissingKeyPassphraseStrategy]. This strategy defines, how missing passphrases diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index d193003f..e4a79d5b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -26,6 +26,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory @@ -58,6 +59,7 @@ import org.pgpainless.exception.UnacceptableAlgorithmException import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.SubkeyIdentifier +import org.pgpainless.key.protection.UnlockSecretKey.Companion.unlockSecretKey import org.pgpainless.policy.Policy import org.pgpainless.signature.consumer.CertificateValidator import org.pgpainless.signature.consumer.OnePassSignatureCheck @@ -420,10 +422,15 @@ class OpenPgpMessageInputStream( continue } - val privateKey = secretKey.unlock(protector) + val privateKey = + try { + unlockSecretKey(secretKey, protector) + } catch (e: PGPException) { + throw WrongPassphraseException(secretKey.keyIdentifier, e) + } if (decryptWithPrivateKey( esks, - privateKey, + privateKey.unlockedKey, SubkeyIdentifier( secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier), pkesk)) { @@ -451,7 +458,7 @@ class OpenPgpMessageInputStream( val privateKey = decryptionKey.unlock(protector) if (decryptWithPrivateKey( - esks, privateKey, SubkeyIdentifier(decryptionKey), pkesk)) { + esks, privateKey.unlockedKey, SubkeyIdentifier(decryptionKey), pkesk)) { return true } } @@ -476,13 +483,13 @@ class OpenPgpMessageInputStream( LOGGER.debug( "Attempt decryption with key $decryptionKeyId while interactively requesting its passphrase.") val protector = options.getSecretKeyProtector(decryptionKeys) ?: continue - val privateKey = + val privateKey: OpenPGPPrivateKey = try { - secretKey.unlock(protector) + unlockSecretKey(secretKey, protector) } catch (e: PGPException) { throw WrongPassphraseException(secretKey.keyIdentifier, e) } - if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) { + if (decryptWithPrivateKey(esks, privateKey.unlockedKey, decryptionKeyId, pkesk)) { return true } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index f2617c34..5d226d06 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -17,6 +17,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.implementation.ImplementationFactory +import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.util.ArmoredOutputStreamFactory import org.slf4j.LoggerFactory @@ -250,7 +251,7 @@ class EncryptionStream( options.signingOptions.signingMethods.entries.reversed().forEach { (key, method) -> method.signatureGenerator.generate().let { sig -> if (method.isDetached) { - resultBuilder.addDetachedSignature(key, sig) + resultBuilder.addDetachedSignature(SubkeyIdentifier(key), sig) } if (!method.isDetached || options.isCleartextSigned) { sig.encode(signatureLayerStream) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 0f193e2f..da2ebb42 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -7,19 +7,22 @@ package org.pgpainless.encryption_signing import java.util.* import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.pgpainless.PGPainless.Companion.getPolicy import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.PublicKeyAlgorithm.Companion.requireFromId import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator.Companion.negotiateSignatureHashAlgorithm -import org.pgpainless.bouncycastle.extensions.unlock +import org.pgpainless.bouncycastle.extensions.toOpenPGPKey import org.pgpainless.exception.KeyException import org.pgpainless.exception.KeyException.* import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.OpenPgpFingerprint.Companion.of -import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.protection.SecretKeyRingProtector +import org.pgpainless.key.protection.UnlockSecretKey.Companion.unlockSecretKey import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.BaseSignatureSubpackets.Callback import org.pgpainless.signature.subpackets.SignatureSubpackets @@ -27,7 +30,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper class SigningOptions { - val signingMethods: Map = mutableMapOf() + val signingMethods: Map = mutableMapOf() private var _hashAlgorithmOverride: HashAlgorithm? = null private var _evaluationDate: Date = Date() @@ -62,17 +65,33 @@ class SigningOptions { * Sign the message using an inline signature made by the provided signing key. * * @param signingKeyProtector protector to unlock the signing key - * @param signingKey key ring containing the signing key + * @param signingKey OpenPGPKey containing the signing (sub-)key. * @return this * @throws KeyException if something is wrong with the key * @throws PGPException if the key cannot be unlocked or a signing method cannot be created */ @Throws(KeyException::class, PGPException::class) + fun addSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPKey + ): SigningOptions = apply { + addInlineSignature( + signingKeyProtector, signingKey, null, DocumentSignatureType.BINARY_DOCUMENT) + } + + /** + * Sign the message using an inline signature made by the provided signing key. + * + * @param signingKeyProtector protector to unlock the signing key + * @param signingKey key ring containing the signing key + * @return this + * @throws KeyException if something is wrong with the key + * @throws PGPException if the key cannot be unlocked or a signing method cannot be created + */ + @Deprecated("Pass an OpenPGPKey instead.") + @Throws(KeyException::class, PGPException::class) fun addSignature(signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing) = - apply { - addInlineSignature( - signingKeyProtector, signingKey, null, DocumentSignatureType.BINARY_DOCUMENT) - } + addSignature(signingKeyProtector, signingKey.toOpenPGPKey()) /** * Add inline signatures with all secret key rings in the provided secret key ring collection. @@ -86,6 +105,7 @@ class SigningOptions { * created */ @Throws(KeyException::class, PGPException::class) + @Deprecated("Repeatedly call addInlineSignature(), passing an OpenPGPKey instead.") fun addInlineSignatures( signingKeyProtector: SecretKeyRingProtector, signingKeys: Iterable, @@ -94,6 +114,12 @@ class SigningOptions { signingKeys.forEach { addInlineSignature(signingKeyProtector, it, null, signatureType) } } + fun addInlineSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPKey, + signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT + ): SigningOptions = addInlineSignature(signingKeyProtector, signingKey, null, signatureType) + /** * Add an inline-signature. Inline signatures are being embedded into the message itself and can * be processed in one pass, thanks to the use of one-pass-signature packets. @@ -106,11 +132,49 @@ class SigningOptions { * @throws PGPException if the key cannot be unlocked or the signing method cannot be created */ @Throws(KeyException::class, PGPException::class) + @Deprecated("Pass an OpenPGPKey instead.") fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, signatureType: DocumentSignatureType - ) = apply { addInlineSignature(signingKeyProtector, signingKey, null, signatureType) } + ) = addInlineSignature(signingKeyProtector, signingKey.toOpenPGPKey(), signatureType) + + fun addInlineSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPKey, + userId: CharSequence? = null, + signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, + subpacketsCallback: Callback? = null + ) = apply { + val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) + if (userId != null && !keyRingInfo.isUserIdValid(userId)) { + throw UnboundUserIdException( + of(signingKey.pgpSecretKeyRing), + userId.toString(), + keyRingInfo.getLatestUserIdCertification(userId), + keyRingInfo.getUserIdRevocation(userId)) + } + + val signingPubKeys = keyRingInfo.signingSubkeys + if (signingPubKeys.isEmpty()) { + throw UnacceptableSigningKeyException(of(signingKey.pgpSecretKeyRing)) + } + + for (signingPubKey in signingPubKeys) { + val signingSecKey: OpenPGPSecretKey = + signingKey.getSecretKey(signingPubKey) + ?: throw MissingSecretKeyException( + of(signingKey.pgpSecretKeyRing), signingPubKey.keyIdentifier.keyId) + val signingPrivKey: OpenPGPPrivateKey = + unlockSecretKey(signingSecKey, signingKeyProtector) + val hashAlgorithms = + if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) + else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) + val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) + addSigningMethod( + signingPrivKey, hashAlgorithm, signatureType, false, subpacketsCallback) + } + } /** * Add an inline-signature. Inline signatures are being embedded into the message itself and can @@ -129,6 +193,7 @@ class SigningOptions { * @throws KeyException if the key is invalid * @throws PGPException if the key cannot be unlocked or the signing method cannot be created */ + @Deprecated("Pass an OpenPGPKey instead.") @Throws(KeyException::class, PGPException::class) @JvmOverloads fun addInlineSignature( @@ -137,34 +202,36 @@ class SigningOptions { userId: CharSequence? = null, signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null - ) = apply { - val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) - if (userId != null && !keyRingInfo.isUserIdValid(userId)) { - throw UnboundUserIdException( - of(signingKey), - userId.toString(), - keyRingInfo.getLatestUserIdCertification(userId), - keyRingInfo.getUserIdRevocation(userId)) - } + ) = + addInlineSignature( + signingKeyProtector, + signingKey.toOpenPGPKey(), + userId, + signatureType, + subpacketsCallback) + fun addInlineSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPSecretKey, + signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, + subpacketsCallback: Callback? = null + ): SigningOptions = apply { + val openPGPKey = signingKey.openPGPKey + val keyRingInfo = inspectKeyRing(openPGPKey, evaluationDate) val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey)) + throw UnacceptableSigningKeyException(of(openPGPKey.pgpSecretKeyRing)) } - for (signingPubKey in signingPubKeys) { - val signingSecKey: PGPSecretKey = - signingKey.getSecretKey(signingPubKey.keyIdentifier) - ?: throw MissingSecretKeyException( - of(signingKey), signingPubKey.keyIdentifier.keyId) - val signingSubkey: PGPPrivateKey = signingSecKey.unlock(signingKeyProtector) - val hashAlgorithms = - if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) - else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) - addSigningMethod( - signingKey, signingSubkey, hashAlgorithm, signatureType, false, subpacketsCallback) + if (!signingPubKeys.any { it.keyIdentifier.matches(signingKey.keyIdentifier) }) { + throw MissingSecretKeyException( + of(openPGPKey.pgpSecretKeyRing), signingKey.keyIdentifier.keyId) } + + val signingPrivKey = unlockSecretKey(signingKey, signingKeyProtector) + val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingKey.keyIdentifier) + val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) + addSigningMethod(signingPrivKey, hashAlgorithm, signatureType, false, subpacketsCallback) } /** @@ -191,31 +258,13 @@ class SigningOptions { keyId: Long, signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null - ) = apply { - val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) - val signingPubKeys = keyRingInfo.signingSubkeys - if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey)) - } - - for (signingPubKey in signingPubKeys) { - if (!signingPubKey.keyIdentifier.matches(KeyIdentifier(keyId))) { - continue - } - - val signingSecKey = - signingKey.getSecretKey(signingPubKey.keyIdentifier) - ?: throw MissingSecretKeyException( - of(signingKey), signingPubKey.keyIdentifier.keyId) - val signingSubkey = signingSecKey.unlock(signingKeyProtector) - val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) - addSigningMethod( - signingKey, signingSubkey, hashAlgorithm, signatureType, false, subpacketsCallback) - return this - } - throw MissingSecretKeyException(of(signingKey), keyId) - } + ) = + addInlineSignature( + signingKeyProtector, + signingKey.toOpenPGPKey().getSecretKey(KeyIdentifier(keyId)) + ?: throw MissingSecretKeyException(of(signingKey), keyId), + signatureType, + subpacketsCallback) /** * Add detached signatures with all key rings from the provided secret key ring collection. @@ -229,6 +278,7 @@ class SigningOptions { * method cannot be created */ @Throws(KeyException::class, PGPException::class) + @Deprecated("Repeatedly call addDetachedSignature(), passing an OpenPGPKey instead.") fun addDetachedSignatures( signingKeyProtector: SecretKeyRingProtector, signingKeys: Iterable, @@ -237,6 +287,12 @@ class SigningOptions { signingKeys.forEach { addDetachedSignature(signingKeyProtector, it, null, signatureType) } } + fun addDetachedSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPKey, + signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT + ): SigningOptions = addDetachedSignature(signingKeyProtector, signingKey, null, signatureType) + /** * Create a detached signature. Detached signatures are not being added into the PGP message * itself. Instead, they can be distributed separately to the message. Detached signatures are @@ -250,6 +306,7 @@ class SigningOptions { * @throws PGPException if the key cannot be validated or unlocked, or if no signature method * can be created */ + @Deprecated("Pass an OpenPGPKey instead.") @Throws(KeyException::class, PGPException::class) fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, @@ -257,6 +314,37 @@ class SigningOptions { signatureType: DocumentSignatureType ) = apply { addDetachedSignature(signingKeyProtector, signingKey, null, signatureType) } + fun addDetachedSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPKey, + userId: CharSequence? = null, + signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, + subpacketCallback: Callback? = null + ): SigningOptions = apply { + val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) + if (userId != null && !keyRingInfo.isUserIdValid(userId)) { + throw UnboundUserIdException( + of(signingKey.pgpSecretKeyRing), + userId.toString(), + keyRingInfo.getLatestUserIdCertification(userId), + keyRingInfo.getUserIdRevocation(userId)) + } + + val signingPubKeys = keyRingInfo.signingSubkeys + if (signingPubKeys.isEmpty()) { + throw UnacceptableSigningKeyException(of(signingKey.pgpSecretKeyRing)) + } + + for (signingPubKey in signingPubKeys) { + val signingSecKey: OpenPGPSecretKey = + signingKey.getSecretKey(signingPubKey.keyIdentifier) + ?: throw MissingSecretKeyException( + of(signingKey.pgpSecretKeyRing), signingPubKey.keyIdentifier.keyId) + addDetachedSignature( + signingKeyProtector, signingSecKey, userId, signatureType, subpacketCallback) + } + } + /** * Create a detached signature. Detached signatures are not being added into the PGP message * itself. Instead, they can be distributed separately to the message. Detached signatures are @@ -275,6 +363,7 @@ class SigningOptions { * @throws PGPException if the key cannot be validated or unlocked, or if no signature method * can be created */ + @Deprecated("Pass an OpenPGPKey instead.") @JvmOverloads @Throws(KeyException::class, PGPException::class) fun addDetachedSignature( @@ -283,34 +372,28 @@ class SigningOptions { userId: String? = null, signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketCallback: Callback? = null - ) = apply { - val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) - if (userId != null && !keyRingInfo.isUserIdValid(userId)) { - throw UnboundUserIdException( - of(signingKey), - userId.toString(), - keyRingInfo.getLatestUserIdCertification(userId), - keyRingInfo.getUserIdRevocation(userId)) - } + ) = + addDetachedSignature( + signingKeyProtector, + signingKey.toOpenPGPKey(), + userId, + signatureType, + subpacketCallback) - val signingPubKeys = keyRingInfo.signingSubkeys - if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey)) - } - - for (signingPubKey in signingPubKeys) { - val signingSecKey: PGPSecretKey = - signingKey.getSecretKey(signingPubKey.keyIdentifier) - ?: throw MissingSecretKeyException( - of(signingKey), signingPubKey.keyIdentifier.keyId) - val signingSubkey: PGPPrivateKey = signingSecKey.unlock(signingKeyProtector) - val hashAlgorithms = - if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) - else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) - addSigningMethod( - signingKey, signingSubkey, hashAlgorithm, signatureType, true, subpacketCallback) - } + fun addDetachedSignature( + signingKeyProtector: SecretKeyRingProtector, + signingKey: OpenPGPSecretKey, + userId: CharSequence? = null, + signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, + subpacketCallback: Callback? = null + ): SigningOptions = apply { + val keyRingInfo = inspectKeyRing(signingKey.openPGPKey, evaluationDate) + val signingPrivKey: OpenPGPPrivateKey = signingKey.unlock(signingKeyProtector) + val hashAlgorithms = + if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) + else keyRingInfo.getPreferredHashAlgorithms(signingKey.keyIdentifier) + val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) + addSigningMethod(signingPrivKey, hashAlgorithm, signatureType, true, subpacketCallback) } /** @@ -331,65 +414,44 @@ class SigningOptions { */ @Throws(KeyException::class, PGPException::class) @JvmOverloads + @Deprecated("Pass an OpenPGPSecretKey instead.") fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, keyId: Long, signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null - ) = apply { - val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) - - val signingPubKeys = keyRingInfo.signingSubkeys - if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey)) - } - - for (signingPubKey in signingPubKeys) { - if (signingPubKey.keyIdentifier.matches(KeyIdentifier(keyId))) { - val signingSecKey: PGPSecretKey = - signingKey.getSecretKey(signingPubKey.keyIdentifier) - ?: throw MissingSecretKeyException( - of(signingKey), signingPubKey.keyIdentifier.keyId) - val signingSubkey: PGPPrivateKey = signingSecKey.unlock(signingKeyProtector) - val hashAlgorithms = - keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = - negotiateHashAlgorithm(hashAlgorithms, getPolicy()) - addSigningMethod( - signingKey, - signingSubkey, - hashAlgorithm, - signatureType, - true, - subpacketsCallback) - return this - } - } - - throw MissingSecretKeyException(of(signingKey), keyId) - } + ) = + addDetachedSignature( + signingKeyProtector, + signingKey.toOpenPGPKey().getSecretKey(KeyIdentifier(keyId)) + ?: throw MissingSecretKeyException(of(signingKey), keyId), + null, + signatureType, + subpacketsCallback) private fun addSigningMethod( - signingKey: PGPSecretKeyRing, - signingSubkey: PGPPrivateKey, + signingKey: OpenPGPPrivateKey, hashAlgorithm: HashAlgorithm, signatureType: DocumentSignatureType, detached: Boolean, subpacketCallback: Callback? = null ) { - val signingKeyIdentifier = SubkeyIdentifier(signingKey, signingSubkey.keyID) - val signingSecretKey: PGPSecretKey = signingKey.getSecretKey(signingSubkey.keyID) + val signingSecretKey: PGPSecretKey = signingKey.secretKey.pgpSecretKey val publicKeyAlgorithm = requireFromId(signingSecretKey.publicKey.algorithm) val bitStrength = signingSecretKey.publicKey.bitStrength if (!getPolicy().publicKeyAlgorithmPolicy.isAcceptable(publicKeyAlgorithm, bitStrength)) { throw UnacceptableSigningKeyException( PublicKeyAlgorithmPolicyException( - of(signingKey), signingSecretKey.keyID, publicKeyAlgorithm, bitStrength)) + of(signingKey.secretKey.pgpSecretKey), + signingSecretKey.keyID, + publicKeyAlgorithm, + bitStrength)) } val generator: PGPSignatureGenerator = - createSignatureGenerator(signingSubkey, hashAlgorithm, signatureType) + createSignatureGenerator( + signingKey.unlockedKey.privateKey, hashAlgorithm, signatureType) // Subpackets val hashedSubpackets = @@ -405,7 +467,7 @@ class SigningOptions { val signingMethod = if (detached) SigningMethod.detachedSignature(generator, hashAlgorithm) else SigningMethod.inlineSignature(generator, hashAlgorithm) - (signingMethods as MutableMap)[signingKeyIdentifier] = signingMethod + (signingMethods as MutableMap)[signingKey] = signingMethod } /** diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index 0ee58cc6..02966a51 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -8,6 +8,7 @@ import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey /** * Tuple class used to identify a subkey by fingerprints of the primary key of the subkeys key ring, @@ -32,6 +33,8 @@ class SubkeyIdentifier( OpenPgpFingerprint.of(key.certificate.pgpPublicKeyRing), OpenPgpFingerprint.of(key.pgpPublicKey)) + constructor(key: OpenPGPPrivateKey) : this(key.secretKey) + constructor( keys: PGPKeyRing, subkeyFingerprint: OpenPgpFingerprint diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt index b3b0308f..597be3e6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt @@ -10,6 +10,8 @@ import openpgp.openPgpKeyId import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPrivateKey import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.pgpainless.PGPainless import org.pgpainless.bouncycastle.extensions.isEncrypted @@ -35,6 +37,36 @@ class UnlockSecretKey { } } + @JvmStatic + @Throws(PGPException::class) + fun unlockSecretKey( + secretKey: OpenPGPSecretKey, + protector: SecretKeyRingProtector + ): OpenPGPPrivateKey { + val privateKey = + try { + secretKey.unlock(protector) + } catch (e: PGPException) { + throw WrongPassphraseException(secretKey.keyIdentifier, e) + } + + if (privateKey == null) { + if (secretKey.pgpSecretKey.s2K.type in 100..110) { + throw PGPException( + "Cannot decrypt secret key ${secretKey.keyIdentifier}: \n" + + "Unsupported private S2K type ${secretKey.pgpSecretKey.s2K.type}") + } + throw PGPException("Cannot decrypt secret key.") + } + + if (PGPainless.getPolicy().isEnableKeyParameterValidation()) { + PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity( + privateKey.unlockedKey.privateKey, privateKey.unlockedKey.publicKey) + } + + return privateKey + } + @JvmStatic @Throws(PGPException::class) fun unlockSecretKey( From 30d584c696e8f1fd305327e1e72ffaae445687fe Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Feb 2025 12:01:13 +0100 Subject: [PATCH 034/265] Port EncryptionOptions over to OpenPGPCertificate --- .../main/kotlin/org/pgpainless/PGPainless.kt | 2 +- .../encryption_signing/EncryptionOptions.kt | 209 ++++++++++++++---- .../consumer/CertificateValidator.kt | 2 +- .../EncryptionOptionsTest.java | 5 +- 4 files changed, 165 insertions(+), 53 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 47768dcb..d8670947 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -204,7 +204,7 @@ class PGPainless( fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()) = KeyRingInfo(key, referenceTime) - fun inspectKeyRing(key: OpenPGPKey, referenceTime: Date = Date()) = + fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()) = KeyRingInfo(key, getPolicy(), referenceTime) /** diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index c6683480..4dbfe64b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -5,14 +5,16 @@ package org.pgpainless.encryption_signing import java.util.* -import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPPublicKeyRing +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator +import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.EncryptionPurpose import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.authentication.CertificateAuthority +import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.encryption_signing.EncryptionOptions.EncryptionKeySelector -import org.pgpainless.exception.KeyException import org.pgpainless.exception.KeyException.* import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.OpenPgpFingerprint @@ -50,10 +52,10 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { constructor() : this(EncryptionPurpose.ANY) /** - * Factory method to create an [EncryptionOptions] object which will encrypt for keys which - * carry the flag [org.pgpainless.algorithm.KeyFlag.ENCRYPT_COMMS]. + * Set the evaluation date for certificate evaluation. * - * @return encryption options + * @param evaluationDate reference time + * @return this */ fun setEvaluationDate(evaluationDate: Date) = apply { this.evaluationDate = evaluationDate } @@ -81,7 +83,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { authority .lookupByUserId(userId, email, evaluationDate, targetAmount) .filter { it.isAuthenticated() } - .forEach { addRecipient(it.certificate).also { foundAcceptable = true } } + .forEach { + addRecipient(it.certificate.toOpenPGPCertificate()).also { foundAcceptable = true } + } require(foundAcceptable) { "Could not identify any trust-worthy certificates for '$userId' and target trust amount $targetAmount." } @@ -89,11 +93,14 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { /** * Add all key rings in the provided [Iterable] (e.g. - * [org.bouncycastle.openpgp.PGPPublicKeyRingCollection]) as recipients. + * [org.bouncycastle.openpgp.PGPPublicKeyRingCollection]) as recipients. Note: This method is + * deprecated. Instead, repeatedly call [addRecipient], passing in individual + * [OpenPGPCertificate] instances. * * @param keys keys * @return this */ + @Deprecated("Repeatedly pass OpenPGPCertificate instances instead.") fun addRecipients(keys: Iterable) = apply { keys.toList().let { require(it.isNotEmpty()) { "Set of recipient keys cannot be empty." } @@ -104,12 +111,15 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { /** * Add all key rings in the provided [Iterable] (e.g. * [org.bouncycastle.openpgp.PGPPublicKeyRingCollection]) as recipients. Per key ring, the - * selector is applied to select one or more encryption subkeys. + * selector is applied to select one or more encryption subkeys. Note: This method is + * deprecated. Instead, repeatedly call [addRecipient], passing in individual + * [OpenPGPCertificate] instances. * * @param keys keys * @param selector encryption key selector * @return this */ + @Deprecated("Repeatedly pass OpenPGPCertificate instances instead.") fun addRecipients(keys: Iterable, selector: EncryptionKeySelector) = apply { keys.toList().let { require(it.isNotEmpty()) { "Set of recipient keys cannot be empty." } @@ -117,76 +127,180 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { } } + /** + * Encrypt the message to the recipients [OpenPGPCertificate]. + * + * @param cert recipient certificate + * @return this + */ + fun addRecipient(cert: OpenPGPCertificate) = addRecipient(cert, encryptionKeySelector) + /** * Add a recipient by providing a key. * * @param key key ring * @return this */ + @Deprecated( + "Pass in OpenPGPCertificate instead.", + replaceWith = + ReplaceWith("addRecipient(key.toOpenPGPCertificate(), encryptionKeySelector)")) fun addRecipient(key: PGPPublicKeyRing) = addRecipient(key, encryptionKeySelector) + /** + * Encrypt the message for the given recipients [OpenPGPCertificate], sourcing algorithm + * preferences by inspecting the binding signature on the passed [userId]. + * + * @param cert recipient certificate + * @param userId recipient user-id + * @return this + */ + fun addRecipient(cert: OpenPGPCertificate, userId: CharSequence) = + addRecipient(cert, userId, encryptionKeySelector) + /** * Add a recipient by providing a key and recipient user-id. The user-id is used to determine - * the recipients preferences (algorithms etc.). + * the recipients preferences (algorithms etc.). Note: This method is deprecated. Replace the + * [PGPPublicKeyRing] instance with an [OpenPGPCertificate]. * * @param key key ring * @param userId user id * @return this */ + @Deprecated( + "Pass in OpenPGPCertificate instead.", + replaceWith = ReplaceWith("addRecipient(key.toOpenPGPCertificate(), userId)")) fun addRecipient(key: PGPPublicKeyRing, userId: CharSequence) = addRecipient(key, userId, encryptionKeySelector) + /** + * Encrypt the message for the given recipients [OpenPGPCertificate], sourcing algorithm + * preferences by inspecting the binding signature on the given [userId] and filtering the + * recipient subkeys through the given [EncryptionKeySelector]. + * + * @param cert recipient certificate + * @param userId user-id for sourcing algorithm preferences + * @param encryptionKeySelector decides which subkeys to encrypt for + * @return this + */ + fun addRecipient( + cert: OpenPGPCertificate, + userId: CharSequence, + encryptionKeySelector: EncryptionKeySelector + ) = apply { + val info = inspectKeyRing(cert, evaluationDate) + val subkeys = + encryptionKeySelector.selectEncryptionSubkeys( + info.getEncryptionSubkeys(userId, purpose)) + if (subkeys.isEmpty()) { + throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert.pgpPublicKeyRing)) + } + + for (subkey in subkeys) { + val keyId = SubkeyIdentifier(subkey) + _keyRingInfo[keyId] = info + _keyViews[keyId] = KeyAccessor.ViaUserId(info, keyId, userId.toString()) + addRecipientKey(subkey, false) + } + } + + /** + * Encrypt the message for the given recipients public key, sourcing algorithm preferences by + * inspecting the binding signature on the given [userId] and filtering the recipient subkeys + * through the given [EncryptionKeySelector]. + * + * @param key recipient public key + * @param userId user-id for sourcing algorithm preferences + * @param encryptionKeySelector decides which subkeys to encrypt for + * @return this + */ + @Deprecated( + "Pass in OpenPGPCertificate instead.", + replaceWith = + ReplaceWith("addRecipient(key.toOpenPGPCertificate(), userId, encryptionKeySelector)")) fun addRecipient( key: PGPPublicKeyRing, userId: CharSequence, encryptionKeySelector: EncryptionKeySelector - ) = apply { - val info = KeyRingInfo(key, evaluationDate) - val subkeys = - encryptionKeySelector.selectEncryptionSubkeys( - info.getEncryptionSubkeys(userId, purpose).map { it.pgpPublicKey }) - if (subkeys.isEmpty()) { - throw KeyException.UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(key)) - } + ) = addRecipient(key.toOpenPGPCertificate(), userId, encryptionKeySelector) - for (subkey in subkeys) { - val keyId = SubkeyIdentifier(key, subkey.keyID) - _keyRingInfo[keyId] = info - _keyViews[keyId] = KeyAccessor.ViaUserId(info, keyId, userId.toString()) - addRecipientKey(key, subkey, false) - } - } + /** + * Encrypt the message for the given recipients [OpenPGPCertificate], filtering encryption + * subkeys through the given [EncryptionKeySelector]. + * + * @param cert recipient certificate + * @param encryptionKeySelector decides, which subkeys to encrypt for + * @return this + */ + fun addRecipient(cert: OpenPGPCertificate, encryptionKeySelector: EncryptionKeySelector) = + addAsRecipient(cert, encryptionKeySelector, false) - fun addRecipient(key: PGPPublicKeyRing, encryptionKeySelector: EncryptionKeySelector) = apply { - addAsRecipient(key, encryptionKeySelector, false) - } + /** + * Encrypt the message for the given recipients public key, filtering encryption subkeys through + * the given [EncryptionKeySelector]. + * + * @param key recipient public key + * @param encryptionKeySelector decides, which subkeys to encrypt for + * @return this + */ + @Deprecated( + "Pass in OpenPGPCertificate instead.", + replaceWith = + ReplaceWith("addRecipient(key.toOpenPGPCertificate(), encryptionKeySelector)")) + fun addRecipient(key: PGPPublicKeyRing, encryptionKeySelector: EncryptionKeySelector) = + addRecipient(key.toOpenPGPCertificate(), encryptionKeySelector) + /** + * Encrypt the message for the recipients [OpenPGPCertificate], keeping the recipient anonymous + * by setting a wildcard key-id / fingerprint. + * + * @param cert recipient certificate + * @param selector decides, which subkeys to encrypt for + * @return this + */ @JvmOverloads + fun addHiddenRecipient( + cert: OpenPGPCertificate, + selector: EncryptionKeySelector = encryptionKeySelector + ) = addAsRecipient(cert, selector, true) + + /** + * Encrypt the message for the recipients public key, keeping the recipient anonymous by setting + * a wildcard key-id / fingerprint. + * + * @param key recipient public key + * @param selector decides, which subkeys to encrypt for + * @return this + */ + @JvmOverloads + @Deprecated( + "Pass in an OpenPGPCertificate instead.", + replaceWith = ReplaceWith("addHiddenRecipient(key.toOpenPGPCertificate(), selector)")) fun addHiddenRecipient( key: PGPPublicKeyRing, selector: EncryptionKeySelector = encryptionKeySelector - ) = apply { addAsRecipient(key, selector, true) } + ) = addHiddenRecipient(key.toOpenPGPCertificate(), selector) private fun addAsRecipient( - key: PGPPublicKeyRing, + cert: OpenPGPCertificate, selector: EncryptionKeySelector, wildcardKeyId: Boolean ) = apply { - val info = KeyRingInfo(key, evaluationDate) + val info = inspectKeyRing(cert, evaluationDate) val primaryKeyExpiration = try { info.primaryKeyExpirationDate } catch (e: NoSuchElementException) { - throw UnacceptableSelfSignatureException(OpenPgpFingerprint.of(key)) + throw UnacceptableSelfSignatureException( + OpenPgpFingerprint.of(cert.pgpPublicKeyRing)) } if (primaryKeyExpiration != null && primaryKeyExpiration < evaluationDate) { - throw ExpiredKeyException(OpenPgpFingerprint.of(key), primaryKeyExpiration) + throw ExpiredKeyException( + OpenPgpFingerprint.of(cert.pgpPublicKeyRing), primaryKeyExpiration) } - var encryptionSubkeys = - selector.selectEncryptionSubkeys( - info.getEncryptionSubkeys(purpose).map { it.pgpPublicKey }) + var encryptionSubkeys = selector.selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose)) // There are some legacy keys around without key flags. // If we allow encryption for those keys, we add valid keys without any key flags, if they @@ -197,31 +311,26 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { info.validSubkeys .filter { it.pgpPublicKey.isEncryptionKey } .filter { info.getKeyFlagsOf(it.keyIdentifier).isEmpty() } - .map { it.pgpPublicKey } } if (encryptionSubkeys.isEmpty()) { - throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(key)) + throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert.pgpPublicKeyRing)) } for (subkey in encryptionSubkeys) { - val keyId = SubkeyIdentifier(key, subkey.keyID) + val keyId = SubkeyIdentifier(subkey) _keyRingInfo[keyId] = info _keyViews[keyId] = KeyAccessor.ViaKeyId(info, keyId) - addRecipientKey(key, subkey, wildcardKeyId) + addRecipientKey(subkey, wildcardKeyId) } } - private fun addRecipientKey( - certificate: PGPPublicKeyRing, - key: PGPPublicKey, - wildcardKeyId: Boolean - ) { - _encryptionKeyIdentifiers.add(SubkeyIdentifier(certificate, key.keyID)) + private fun addRecipientKey(key: OpenPGPComponentKey, wildcardKeyId: Boolean) { + _encryptionKeyIdentifiers.add(SubkeyIdentifier(key)) addEncryptionMethod( - ImplementationFactory.getInstance().getPublicKeyKeyEncryptionMethodGenerator(key).also { - it.setUseWildcardKeyID(wildcardKeyId) - }) + ImplementationFactory.getInstance() + .getPublicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey) + .also { it.setUseWildcardKeyID(wildcardKeyId) }) } /** @@ -295,7 +404,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { fun hasEncryptionMethod() = _encryptionMethods.isNotEmpty() fun interface EncryptionKeySelector { - fun selectEncryptionSubkeys(encryptionCapableKeys: List): List + fun selectEncryptionSubkeys( + encryptionCapableKeys: List + ): List } companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt index 61bdd282..e58a677f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt @@ -164,7 +164,7 @@ class CertificateValidator { if (signingSubkey.keyID == primaryKey.keyID) { // signing key is primary key if (directKeyAndRevSigs.isNotEmpty()) { - val directKeySig = directKeyAndRevSigs[0]!! + val directKeySig = directKeyAndRevSigs[0] val flags = SignatureSubpacketsUtil.getKeyFlags(directKeySig) if (flags != null && KeyFlag.hasKeyFlag(flags.flags, KeyFlag.SIGN_DATA)) { return true diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index 3c8b4749..809b90ae 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -20,6 +20,7 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -153,7 +154,7 @@ public class EncryptionOptionsTest { () -> options.addRecipient(publicKeys, new EncryptionOptions.EncryptionKeySelector() { @NotNull @Override - public List selectEncryptionSubkeys(@NotNull List encryptionCapableKeys) { + public List selectEncryptionSubkeys(@NotNull List encryptionCapableKeys) { return Collections.emptyList(); } })); @@ -161,7 +162,7 @@ public class EncryptionOptionsTest { assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys, "test@pgpainless.org", new EncryptionOptions.EncryptionKeySelector() { @Override - public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) { + public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) { return Collections.emptyList(); } })); From acb5a4a5506add1ef14aaf31a1479b75a5c83b87 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Feb 2025 12:25:28 +0100 Subject: [PATCH 035/265] Port test --- .../OpenPgpMessageInputStream.kt | 6 +-- .../encryption_signing/EncryptionOptions.kt | 5 +++ .../encryption_signing/SigningOptions.kt | 3 +- .../key/protection/UnlockSecretKey.kt | 2 +- .../EncryptionOptionsTest.java | 42 +++++++++---------- 5 files changed, 29 insertions(+), 29 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index e4a79d5b..2512c89c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -430,7 +430,7 @@ class OpenPgpMessageInputStream( } if (decryptWithPrivateKey( esks, - privateKey.unlockedKey, + privateKey.keyPair, SubkeyIdentifier( secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier), pkesk)) { @@ -458,7 +458,7 @@ class OpenPgpMessageInputStream( val privateKey = decryptionKey.unlock(protector) if (decryptWithPrivateKey( - esks, privateKey.unlockedKey, SubkeyIdentifier(decryptionKey), pkesk)) { + esks, privateKey.keyPair, SubkeyIdentifier(decryptionKey), pkesk)) { return true } } @@ -489,7 +489,7 @@ class OpenPgpMessageInputStream( } catch (e: PGPException) { throw WrongPassphraseException(secretKey.keyIdentifier, e) } - if (decryptWithPrivateKey(esks, privateKey.unlockedKey, decryptionKeyId, pkesk)) { + if (decryptWithPrivateKey(esks, privateKey.keyPair, decryptionKeyId, pkesk)) { return true } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 4dbfe64b..d60943b1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -25,6 +25,7 @@ import org.pgpainless.util.Passphrase class EncryptionOptions(private val purpose: EncryptionPurpose) { private val _encryptionMethods: MutableSet = mutableSetOf() + private val _encryptionKeys: MutableSet = mutableSetOf() private val _encryptionKeyIdentifiers: MutableSet = mutableSetOf() private val _keyRingInfo: MutableMap = mutableMapOf() private val _keyViews: MutableMap = mutableMapOf() @@ -40,6 +41,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { val encryptionKeyIdentifiers get() = _encryptionKeyIdentifiers.toSet() + val encryptionKeys + get() = _encryptionKeys.toSet() + val keyRingInfo get() = _keyRingInfo.toMap() @@ -326,6 +330,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { } private fun addRecipientKey(key: OpenPGPComponentKey, wildcardKeyId: Boolean) { + _encryptionKeys.add(key) _encryptionKeyIdentifiers.add(SubkeyIdentifier(key)) addEncryptionMethod( ImplementationFactory.getInstance() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index da2ebb42..6e9ca8a5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -450,8 +450,7 @@ class SigningOptions { } val generator: PGPSignatureGenerator = - createSignatureGenerator( - signingKey.unlockedKey.privateKey, hashAlgorithm, signatureType) + createSignatureGenerator(signingKey.keyPair.privateKey, hashAlgorithm, signatureType) // Subpackets val hashedSubpackets = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt index 597be3e6..a4526f61 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt @@ -61,7 +61,7 @@ class UnlockSecretKey { if (PGPainless.getPolicy().isEnableKeyParameterValidation()) { PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity( - privateKey.unlockedKey.privateKey, privateKey.unlockedKey.publicKey) + privateKey.keyPair.privateKey, privateKey.keyPair.publicKey) } return privateKey diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index 809b90ae..b81313e1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -16,11 +16,10 @@ import java.util.Iterator; import java.util.List; import java.util.Set; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -28,7 +27,6 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.KeyException; -import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; @@ -40,11 +38,11 @@ import javax.annotation.Nonnull; public class EncryptionOptionsTest { - private static PGPSecretKeyRing secretKeys; - private static PGPPublicKeyRing publicKeys; - private static SubkeyIdentifier primaryKey; - private static SubkeyIdentifier encryptComms; - private static SubkeyIdentifier encryptStorage; + private static OpenPGPKey secretKeys; + private static OpenPGPCertificate publicKeys; + private static OpenPGPCertificate.OpenPGPComponentKey primaryKey; + private static OpenPGPCertificate.OpenPGPComponentKey encryptComms; + private static OpenPGPCertificate.OpenPGPComponentKey encryptStorage; @BeforeAll public static void generateKey() { @@ -56,15 +54,14 @@ public class EncryptionOptionsTest { .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE) .build()) .addUserId("test@pgpainless.org") - .build() - .getPGPSecretKeyRing(); + .build(); - publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); + publicKeys = secretKeys.toCertificate(); - Iterator iterator = publicKeys.iterator(); - primaryKey = new SubkeyIdentifier(publicKeys, iterator.next().getKeyID()); - encryptComms = new SubkeyIdentifier(publicKeys, iterator.next().getKeyID()); - encryptStorage = new SubkeyIdentifier(publicKeys, iterator.next().getKeyID()); + Iterator iterator = publicKeys.getKeys().iterator(); + primaryKey = iterator.next(); + encryptComms = iterator.next(); + encryptStorage = iterator.next(); } @Test @@ -91,7 +88,7 @@ public class EncryptionOptionsTest { EncryptionOptions options = EncryptionOptions.encryptCommunications(); options.addRecipient(publicKeys); - Set encryptionKeys = options.getEncryptionKeyIdentifiers(); + Set encryptionKeys = options.getEncryptionKeys(); assertEquals(1, encryptionKeys.size()); assertEquals(encryptComms, encryptionKeys.iterator().next()); } @@ -101,7 +98,7 @@ public class EncryptionOptionsTest { EncryptionOptions options = EncryptionOptions.encryptDataAtRest(); options.addRecipient(publicKeys); - Set encryptionKeys = options.getEncryptionKeyIdentifiers(); + Set encryptionKeys = options.getEncryptionKeys(); assertEquals(1, encryptionKeys.size()); assertEquals(encryptStorage, encryptionKeys.iterator().next()); } @@ -111,7 +108,7 @@ public class EncryptionOptionsTest { EncryptionOptions options = new EncryptionOptions(); options.addRecipient(publicKeys, EncryptionOptions.encryptToAllCapableSubkeys()); - Set encryptionKeys = options.getEncryptionKeyIdentifiers(); + Set encryptionKeys = options.getEncryptionKeys(); assertEquals(2, encryptionKeys.size()); assertTrue(encryptionKeys.contains(encryptComms)); @@ -136,12 +133,11 @@ public class EncryptionOptionsTest { @Test public void testAddRecipient_KeyWithoutEncryptionKeyFails() { EncryptionOptions options = new EncryptionOptions(); - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + OpenPGPKey secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("test@pgpainless.org") - .build() - .getPGPSecretKeyRing(); - PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); + .build(); + OpenPGPCertificate publicKeys = secretKeys.toCertificate(); assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys)); } @@ -175,7 +171,7 @@ public class EncryptionOptionsTest { .getPGPSecretKeyRing()); PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection( - Arrays.asList(publicKeys, secondKeyRing)); + Arrays.asList(publicKeys.getPGPPublicKeyRing(), secondKeyRing)); EncryptionOptions options = new EncryptionOptions(); options.addRecipients(collection, EncryptionOptions.encryptToFirstSubkey()); From 92da00fc8ca70bc8e6c899dae7182a659fd83f2d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Feb 2025 12:33:43 +0100 Subject: [PATCH 036/265] OpenPGPFingerprint: Add factory methods for new key / subkey classes --- .../encryption_signing/EncryptionOptions.kt | 8 ++++---- .../encryption_signing/SigningOptions.kt | 18 +++++++++--------- .../org/pgpainless/key/OpenPgpFingerprint.kt | 15 +++++++++++++++ 3 files changed, 28 insertions(+), 13 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index d60943b1..71093fe4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -197,7 +197,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { encryptionKeySelector.selectEncryptionSubkeys( info.getEncryptionSubkeys(userId, purpose)) if (subkeys.isEmpty()) { - throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert.pgpPublicKeyRing)) + throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert)) } for (subkey in subkeys) { @@ -296,12 +296,12 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { info.primaryKeyExpirationDate } catch (e: NoSuchElementException) { throw UnacceptableSelfSignatureException( - OpenPgpFingerprint.of(cert.pgpPublicKeyRing)) + OpenPgpFingerprint.of(cert)) } if (primaryKeyExpiration != null && primaryKeyExpiration < evaluationDate) { throw ExpiredKeyException( - OpenPgpFingerprint.of(cert.pgpPublicKeyRing), primaryKeyExpiration) + OpenPgpFingerprint.of(cert), primaryKeyExpiration) } var encryptionSubkeys = selector.selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose)) @@ -318,7 +318,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { } if (encryptionSubkeys.isEmpty()) { - throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert.pgpPublicKeyRing)) + throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert)) } for (subkey in encryptionSubkeys) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 6e9ca8a5..41b9a448 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -149,7 +149,7 @@ class SigningOptions { val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) if (userId != null && !keyRingInfo.isUserIdValid(userId)) { throw UnboundUserIdException( - of(signingKey.pgpSecretKeyRing), + of(signingKey), userId.toString(), keyRingInfo.getLatestUserIdCertification(userId), keyRingInfo.getUserIdRevocation(userId)) @@ -157,14 +157,14 @@ class SigningOptions { val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey.pgpSecretKeyRing)) + throw UnacceptableSigningKeyException(of(signingKey)) } for (signingPubKey in signingPubKeys) { val signingSecKey: OpenPGPSecretKey = signingKey.getSecretKey(signingPubKey) ?: throw MissingSecretKeyException( - of(signingKey.pgpSecretKeyRing), signingPubKey.keyIdentifier.keyId) + of(signingKey), signingPubKey.keyIdentifier.keyId) val signingPrivKey: OpenPGPPrivateKey = unlockSecretKey(signingSecKey, signingKeyProtector) val hashAlgorithms = @@ -220,12 +220,12 @@ class SigningOptions { val keyRingInfo = inspectKeyRing(openPGPKey, evaluationDate) val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(openPGPKey.pgpSecretKeyRing)) + throw UnacceptableSigningKeyException(of(openPGPKey)) } if (!signingPubKeys.any { it.keyIdentifier.matches(signingKey.keyIdentifier) }) { throw MissingSecretKeyException( - of(openPGPKey.pgpSecretKeyRing), signingKey.keyIdentifier.keyId) + of(openPGPKey), signingKey.keyIdentifier.keyId) } val signingPrivKey = unlockSecretKey(signingKey, signingKeyProtector) @@ -324,7 +324,7 @@ class SigningOptions { val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) if (userId != null && !keyRingInfo.isUserIdValid(userId)) { throw UnboundUserIdException( - of(signingKey.pgpSecretKeyRing), + of(signingKey), userId.toString(), keyRingInfo.getLatestUserIdCertification(userId), keyRingInfo.getUserIdRevocation(userId)) @@ -332,14 +332,14 @@ class SigningOptions { val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey.pgpSecretKeyRing)) + throw UnacceptableSigningKeyException(of(signingKey)) } for (signingPubKey in signingPubKeys) { val signingSecKey: OpenPGPSecretKey = signingKey.getSecretKey(signingPubKey.keyIdentifier) ?: throw MissingSecretKeyException( - of(signingKey.pgpSecretKeyRing), signingPubKey.keyIdentifier.keyId) + of(signingKey), signingPubKey.keyIdentifier.keyId) addDetachedSignature( signingKeyProtector, signingSecKey, userId, signatureType, subpacketCallback) } @@ -443,7 +443,7 @@ class SigningOptions { if (!getPolicy().publicKeyAlgorithmPolicy.isAcceptable(publicKeyAlgorithm, bitStrength)) { throw UnacceptableSigningKeyException( PublicKeyAlgorithmPolicyException( - of(signingKey.secretKey.pgpSecretKey), + of(signingKey), signingSecretKey.keyID, publicKeyAlgorithm, bitStrength)) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt index 679df490..5352e67e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt @@ -9,6 +9,9 @@ import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.util.encoders.Hex /** Abstract super class of different version OpenPGP fingerprints. */ @@ -129,6 +132,18 @@ abstract class OpenPgpFingerprint : CharSequence, Comparable */ @JvmStatic fun of(keys: PGPKeyRing): OpenPgpFingerprint = of(keys.publicKey) + /** + * Return the [OpenPgpFingerprint] of the primary key of the given [OpenPGPCertificate]. + */ + @JvmStatic fun of(cert: OpenPGPCertificate): OpenPgpFingerprint = of(cert.pgpPublicKeyRing) + + /** + * Return the [OpenPgpFingerprint] of the given [OpenPGPComponentKey]. + */ + @JvmStatic fun of (key: OpenPGPComponentKey): OpenPgpFingerprint = of(key.pgpPublicKey) + + @JvmStatic fun of (key: OpenPGPPrivateKey): OpenPgpFingerprint = of(key.secretKey) + /** * Try to parse an [OpenPgpFingerprint] from the given fingerprint string. If the trimmed * fingerprint without whitespace is 64 characters long, it is either a v5 or v6 From dcb78ddedf5deda5db422dba98590517bbe7ce0f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Feb 2025 13:01:46 +0100 Subject: [PATCH 037/265] Improve KeyExceptions --- .../pgpainless/exception/KeyException.java | 82 ++++++++++++++++--- .../encryption_signing/EncryptionOptions.kt | 11 +-- .../encryption_signing/SigningOptions.kt | 42 +++++----- .../org/pgpainless/key/OpenPgpFingerprint.kt | 12 +-- 4 files changed, 99 insertions(+), 48 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java index 65d27390..6664dea7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java @@ -4,7 +4,9 @@ package org.pgpainless.exception; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.util.DateUtil; @@ -33,6 +35,10 @@ public abstract class KeyException extends RuntimeException { public static class ExpiredKeyException extends KeyException { + public ExpiredKeyException(@Nonnull OpenPGPCertificate cert, @Nonnull Date expirationDate) { + this(OpenPgpFingerprint.of(cert), expirationDate); + } + public ExpiredKeyException(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull Date expirationDate) { super("Key " + fingerprint + " is expired. Expiration date: " + DateUtil.formatUTCDate(expirationDate), fingerprint); } @@ -43,10 +49,29 @@ public abstract class KeyException extends RuntimeException { public RevokedKeyException(@Nonnull OpenPgpFingerprint fingerprint) { super("Key " + fingerprint + " appears to be revoked.", fingerprint); } + + public RevokedKeyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey key) { + super("Subkey " + key.getKeyIdentifier() + " appears to be revoked.", + OpenPgpFingerprint.of(key)); + } + + public RevokedKeyException(@Nonnull OpenPGPCertificate cert) { + super("Key or certificate " + cert.getKeyIdentifier() + " appears to be revoked.", + OpenPgpFingerprint.of(cert)); + } } public static class UnacceptableEncryptionKeyException extends KeyException { + public UnacceptableEncryptionKeyException(@Nonnull OpenPGPCertificate cert) { + this(OpenPgpFingerprint.of(cert)); + } + + public UnacceptableEncryptionKeyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey subkey) { + super("Subkey " + subkey.getKeyIdentifier() + " is not an acceptable encryption key.", + OpenPgpFingerprint.of(subkey)); + } + public UnacceptableEncryptionKeyException(@Nonnull OpenPgpFingerprint fingerprint) { super("Key " + fingerprint + " has no acceptable encryption key.", fingerprint); } @@ -58,6 +83,14 @@ public abstract class KeyException extends RuntimeException { public static class UnacceptableSigningKeyException extends KeyException { + public UnacceptableSigningKeyException(OpenPGPCertificate certificate) { + this(OpenPgpFingerprint.of(certificate)); + } + + public UnacceptableSigningKeyException(OpenPGPCertificate.OpenPGPComponentKey subkey) { + this(OpenPgpFingerprint.of(subkey)); + } + public UnacceptableSigningKeyException(@Nonnull OpenPgpFingerprint fingerprint) { super("Key " + fingerprint + " has no acceptable signing key.", fingerprint); } @@ -76,6 +109,10 @@ public abstract class KeyException extends RuntimeException { public static class UnacceptableSelfSignatureException extends KeyException { + public UnacceptableSelfSignatureException(@Nonnull OpenPGPCertificate cert) { + this(OpenPgpFingerprint.of(cert)); + } + public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) { super("Key " + fingerprint + " does not have a valid/acceptable signature to derive an expiration date from.", fingerprint); } @@ -83,29 +120,50 @@ public abstract class KeyException extends RuntimeException { public static class MissingSecretKeyException extends KeyException { - private final long missingSecretKeyId; + private final KeyIdentifier missingSecretKeyIdentifier; - public MissingSecretKeyException(@Nonnull OpenPgpFingerprint fingerprint, long keyId) { - super("Key " + fingerprint + " does not contain a secret key for public key " + Long.toHexString(keyId), fingerprint); - this.missingSecretKeyId = keyId; + public MissingSecretKeyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey publicKey) { + this(OpenPgpFingerprint.of(publicKey.getCertificate()), publicKey.getKeyIdentifier()); } - public long getMissingSecretKeyId() { - return missingSecretKeyId; + public MissingSecretKeyException(@Nonnull OpenPgpFingerprint fingerprint, KeyIdentifier keyIdentifier) { + super("Key " + fingerprint + " does not contain a secret key for public key " + keyIdentifier, fingerprint); + this.missingSecretKeyIdentifier = keyIdentifier; + } + + @Deprecated + public MissingSecretKeyException(@Nonnull OpenPgpFingerprint fingerprint, long keyId) { + this(fingerprint, new KeyIdentifier(keyId)); + } + + public KeyIdentifier getMissingSecretKeyIdentifier() { + return missingSecretKeyIdentifier; } } public static class PublicKeyAlgorithmPolicyException extends KeyException { - private final long violatingSubkeyId; + private final KeyIdentifier violatingSubkeyId; - public PublicKeyAlgorithmPolicyException(@Nonnull OpenPgpFingerprint fingerprint, long keyId, @Nonnull PublicKeyAlgorithm algorithm, int bitSize) { - super("Subkey " + Long.toHexString(keyId) + " of key " + fingerprint + " is violating the Public Key Algorithm Policy:\n" + - algorithm + " of size " + bitSize + " is not acceptable.", fingerprint); - this.violatingSubkeyId = keyId; + public PublicKeyAlgorithmPolicyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey subkey, + @Nonnull PublicKeyAlgorithm algorithm, + int bitSize) { + super("Subkey " + subkey.getKeyIdentifier() + " of key " + subkey.getCertificate().getKeyIdentifier() + + " is violating the Public Key Algorithm Policy:\n" + + algorithm + " of size " + bitSize + " is not acceptable.", OpenPgpFingerprint.of(subkey)); + this.violatingSubkeyId = subkey.getKeyIdentifier(); } - public long getViolatingSubkeyId() { + public PublicKeyAlgorithmPolicyException(@Nonnull OpenPgpFingerprint fingerprint, + long keyId, + @Nonnull PublicKeyAlgorithm algorithm, + int bitSize) { + super("Subkey " + Long.toHexString(keyId) + " of key " + fingerprint + " is violating the Public Key Algorithm Policy:\n" + + algorithm + " of size " + bitSize + " is not acceptable.", fingerprint); + this.violatingSubkeyId = new KeyIdentifier(keyId); + } + + public KeyIdentifier getViolatingSubkeyId() { return violatingSubkeyId; } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 71093fe4..d130a4f1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -17,7 +17,6 @@ import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.encryption_signing.EncryptionOptions.EncryptionKeySelector import org.pgpainless.exception.KeyException.* import org.pgpainless.implementation.ImplementationFactory -import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.info.KeyAccessor import org.pgpainless.key.info.KeyRingInfo @@ -197,7 +196,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { encryptionKeySelector.selectEncryptionSubkeys( info.getEncryptionSubkeys(userId, purpose)) if (subkeys.isEmpty()) { - throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert)) + throw UnacceptableEncryptionKeyException(cert) } for (subkey in subkeys) { @@ -295,13 +294,11 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { try { info.primaryKeyExpirationDate } catch (e: NoSuchElementException) { - throw UnacceptableSelfSignatureException( - OpenPgpFingerprint.of(cert)) + throw UnacceptableSelfSignatureException(cert) } if (primaryKeyExpiration != null && primaryKeyExpiration < evaluationDate) { - throw ExpiredKeyException( - OpenPgpFingerprint.of(cert), primaryKeyExpiration) + throw ExpiredKeyException(cert, primaryKeyExpiration) } var encryptionSubkeys = selector.selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose)) @@ -318,7 +315,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { } if (encryptionSubkeys.isEmpty()) { - throw UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(cert)) + throw UnacceptableEncryptionKeyException(cert) } for (subkey in encryptionSubkeys) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 41b9a448..cc675619 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -157,14 +157,13 @@ class SigningOptions { val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey)) + throw UnacceptableSigningKeyException(signingKey) } for (signingPubKey in signingPubKeys) { val signingSecKey: OpenPGPSecretKey = signingKey.getSecretKey(signingPubKey) - ?: throw MissingSecretKeyException( - of(signingKey), signingPubKey.keyIdentifier.keyId) + ?: throw MissingSecretKeyException(signingPubKey) val signingPrivKey: OpenPGPPrivateKey = unlockSecretKey(signingSecKey, signingKeyProtector) val hashAlgorithms = @@ -220,12 +219,11 @@ class SigningOptions { val keyRingInfo = inspectKeyRing(openPGPKey, evaluationDate) val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(openPGPKey)) + throw UnacceptableSigningKeyException(openPGPKey) } if (!signingPubKeys.any { it.keyIdentifier.matches(signingKey.keyIdentifier) }) { - throw MissingSecretKeyException( - of(openPGPKey), signingKey.keyIdentifier.keyId) + throw MissingSecretKeyException(signingKey) } val signingPrivKey = unlockSecretKey(signingKey, signingKeyProtector) @@ -258,13 +256,16 @@ class SigningOptions { keyId: Long, signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null - ) = - addInlineSignature( + ): SigningOptions { + val key = signingKey.toOpenPGPKey() + val subkeyIdentifier = KeyIdentifier(keyId) + return addInlineSignature( signingKeyProtector, - signingKey.toOpenPGPKey().getSecretKey(KeyIdentifier(keyId)) - ?: throw MissingSecretKeyException(of(signingKey), keyId), + key.getSecretKey(subkeyIdentifier) + ?: throw MissingSecretKeyException(of(signingKey), subkeyIdentifier), signatureType, subpacketsCallback) + } /** * Add detached signatures with all key rings from the provided secret key ring collection. @@ -332,14 +333,13 @@ class SigningOptions { val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { - throw UnacceptableSigningKeyException(of(signingKey)) + throw UnacceptableSigningKeyException(signingKey) } for (signingPubKey in signingPubKeys) { val signingSecKey: OpenPGPSecretKey = signingKey.getSecretKey(signingPubKey.keyIdentifier) - ?: throw MissingSecretKeyException( - of(signingKey), signingPubKey.keyIdentifier.keyId) + ?: throw MissingSecretKeyException(signingPubKey) addDetachedSignature( signingKeyProtector, signingSecKey, userId, signatureType, subpacketCallback) } @@ -421,14 +421,17 @@ class SigningOptions { keyId: Long, signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null - ) = - addDetachedSignature( + ): SigningOptions { + val key = signingKey.toOpenPGPKey() + val signingKeyIdentifier = KeyIdentifier(keyId) + return addDetachedSignature( signingKeyProtector, - signingKey.toOpenPGPKey().getSecretKey(KeyIdentifier(keyId)) - ?: throw MissingSecretKeyException(of(signingKey), keyId), + key.getSecretKey(signingKeyIdentifier) + ?: throw MissingSecretKeyException(of(key), signingKeyIdentifier), null, signatureType, subpacketsCallback) + } private fun addSigningMethod( signingKey: OpenPGPPrivateKey, @@ -443,10 +446,7 @@ class SigningOptions { if (!getPolicy().publicKeyAlgorithmPolicy.isAcceptable(publicKeyAlgorithm, bitStrength)) { throw UnacceptableSigningKeyException( PublicKeyAlgorithmPolicyException( - of(signingKey), - signingSecretKey.keyID, - publicKeyAlgorithm, - bitStrength)) + signingKey.secretKey, publicKeyAlgorithm, bitStrength)) } val generator: PGPSignatureGenerator = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt index 5352e67e..31347f99 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt @@ -132,17 +132,13 @@ abstract class OpenPgpFingerprint : CharSequence, Comparable */ @JvmStatic fun of(keys: PGPKeyRing): OpenPgpFingerprint = of(keys.publicKey) - /** - * Return the [OpenPgpFingerprint] of the primary key of the given [OpenPGPCertificate]. - */ + /** Return the [OpenPgpFingerprint] of the primary key of the given [OpenPGPCertificate]. */ @JvmStatic fun of(cert: OpenPGPCertificate): OpenPgpFingerprint = of(cert.pgpPublicKeyRing) - /** - * Return the [OpenPgpFingerprint] of the given [OpenPGPComponentKey]. - */ - @JvmStatic fun of (key: OpenPGPComponentKey): OpenPgpFingerprint = of(key.pgpPublicKey) + /** Return the [OpenPgpFingerprint] of the given [OpenPGPComponentKey]. */ + @JvmStatic fun of(key: OpenPGPComponentKey): OpenPgpFingerprint = of(key.pgpPublicKey) - @JvmStatic fun of (key: OpenPGPPrivateKey): OpenPgpFingerprint = of(key.secretKey) + @JvmStatic fun of(key: OpenPGPPrivateKey): OpenPgpFingerprint = of(key.secretKey) /** * Try to parse an [OpenPgpFingerprint] from the given fingerprint string. If the trimmed From 31dddb9de16aec4ab1926e044f407cf2d4688297 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Feb 2025 14:36:43 +0100 Subject: [PATCH 038/265] Progress porting the example tests --- .../main/kotlin/org/pgpainless/PGPainless.kt | 4 +++ .../org/pgpainless/example/ConvertKeys.java | 10 +++--- .../java/org/pgpainless/example/Encrypt.java | 19 ++++++---- .../org/pgpainless/example/GenerateKeys.java | 35 +++++++++---------- 4 files changed, 38 insertions(+), 30 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index d8670947..f9e009cf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -132,6 +132,8 @@ class PGPainless( if (key is PGPSecretKeyRing) ArmorUtils.toAsciiArmoredString(key) else ArmorUtils.toAsciiArmoredString(key as PGPPublicKeyRing) + @JvmStatic fun asciiArmor(cert: OpenPGPCertificate) = asciiArmor(cert.pgpKeyRing) + /** * Wrap a key of certificate in ASCII armor and write the result into the given * [OutputStream]. @@ -204,6 +206,8 @@ class PGPainless( fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()) = KeyRingInfo(key, referenceTime) + @JvmStatic + @JvmOverloads fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()) = KeyRingInfo(key, getPolicy(), referenceTime) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index d93fc5f4..36371ba4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -9,6 +9,8 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; @@ -21,11 +23,11 @@ public class ConvertKeys { @Test public void secretKeyToCertificate() { String userId = "alice@wonderland.lit"; - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .modernKeyRing(userId) - .getPGPSecretKeyRing(); + OpenPGPKey secretKey = PGPainless.generateKeyRing() + .modernKeyRing(userId); + // Extract certificate (public key) from secret key - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); + OpenPGPCertificate certificate = secretKey.toCertificate(); KeyRingInfo secretKeyInfo = PGPainless.inspectKeyRing(secretKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index d97891d8..f6e7d802 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -15,6 +15,9 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPKeyReader; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -133,12 +136,13 @@ public class Encrypt { @Test public void encryptAndSignMessage() throws PGPException, IOException { // Prepare keys - PGPSecretKeyRing keyAlice = PGPainless.readKeyRing().secretKeyRing(ALICE_KEY); - PGPPublicKeyRing certificateAlice = PGPainless.readKeyRing().publicKeyRing(ALICE_CERT); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey keyAlice = reader.parseKey(ALICE_KEY); + OpenPGPCertificate certificateAlice = reader.parseCertificate(ALICE_CERT); SecretKeyRingProtector protectorAlice = SecretKeyRingProtector.unprotectedKeys(); - PGPSecretKeyRing keyBob = PGPainless.readKeyRing().secretKeyRing(BOB_KEY); - PGPPublicKeyRing certificateBob = PGPainless.readKeyRing().publicKeyRing(BOB_CERT); + OpenPGPKey keyBob = reader.parseKey(BOB_KEY); + OpenPGPCertificate certificateBob = reader.parseCertificate(BOB_CERT); SecretKeyRingProtector protectorBob = SecretKeyRingProtector.unprotectedKeys(); // plaintext message to encrypt @@ -227,10 +231,11 @@ public class Encrypt { @Test public void encryptWithCommentHeader() throws PGPException, IOException { // Prepare keys - PGPPublicKeyRing certificateAlice = PGPainless.readKeyRing().publicKeyRing(ALICE_CERT); + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPCertificate certificateAlice = reader.parseCertificate(ALICE_CERT); - PGPSecretKeyRing keyBob = PGPainless.readKeyRing().secretKeyRing(BOB_KEY); - PGPPublicKeyRing certificateBob = PGPainless.readKeyRing().publicKeyRing(BOB_CERT); + OpenPGPKey keyBob = reader.parseKey(BOB_KEY); + OpenPGPCertificate certificateBob = reader.parseCertificate(BOB_CERT); SecretKeyRingProtector protectorBob = SecretKeyRingProtector.unprotectedKeys(); // plaintext message to encrypt diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 3954f94a..ddd74cb1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -9,8 +9,8 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.util.Date; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -58,16 +58,16 @@ public class GenerateKeys { // Set a password to protect the secret key String password = "ra1nb0w"; // Generate the OpenPGP key - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .modernKeyRing(userId, password) - .getPGPSecretKeyRing(); + OpenPGPKey secretKey = PGPainless.generateKeyRing() + .modernKeyRing(userId, password); + // Extract public key - PGPPublicKeyRing publicKey = PGPainless.extractCertificate(secretKey); + OpenPGPCertificate publicKey = secretKey.toCertificate(); // Encode the public key to an ASCII armored string ready for sharing String asciiArmoredPublicKey = PGPainless.asciiArmor(publicKey); assertTrue(asciiArmoredPublicKey.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")); - KeyRingInfo keyInfo = new KeyRingInfo(secretKey); + KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); assertEquals(3, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), @@ -91,11 +91,10 @@ public class GenerateKeys { // Set a password to protect the secret key String password = "b1angl3s"; // Generate the OpenPGP key - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .simpleRsaKeyRing(userId, RsaLength._4096, password) - .getPGPSecretKeyRing(); + OpenPGPKey secretKey = PGPainless.generateKeyRing() + .simpleRsaKeyRing(userId, RsaLength._4096, password); - KeyRingInfo keyInfo = new KeyRingInfo(secretKey); + KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); assertEquals(1, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); assertEquals(PublicKeyAlgorithm.RSA_GENERAL.getAlgorithmId(), keyInfo.getAlgorithm().getAlgorithmId()); @@ -115,12 +114,11 @@ public class GenerateKeys { // Set a password to protect the secret key String password = "tr4ns"; // Generate the OpenPGP key - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .simpleEcKeyRing(userId, password) - .getPGPSecretKeyRing(); + OpenPGPKey secretKey = PGPainless.generateKeyRing() + .simpleEcKeyRing(userId, password); - KeyRingInfo keyInfo = new KeyRingInfo(secretKey); + KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); assertEquals(2, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); } @@ -174,7 +172,7 @@ public class GenerateKeys { // It is recommended to use the Passphrase class, as it can be used to safely invalidate passwords from memory Passphrase passphrase = Passphrase.fromPassword("1nters3x"); - PGPSecretKeyRing secretKey = PGPainless.buildKeyRing() + OpenPGPKey secretKey = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags KeyFlag.CERTIFY_OTHER)) @@ -204,11 +202,10 @@ public class GenerateKeys { .addUserId(additionalUserId) // Set passphrase. Alternatively use .withoutPassphrase() to leave key unprotected. .setPassphrase(passphrase) - .build() - .getPGPSecretKeyRing(); + .build(); - KeyRingInfo keyInfo = new KeyRingInfo(secretKey); + KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); assertEquals(3, keyInfo.getSecretKeys().size()); assertEquals("Morgan Carpenter (Pride!) ", keyInfo.getPrimaryUserId()); assertTrue(keyInfo.isUserIdValid(additionalUserId)); From 7e9b8d1ceefc6b8f5f9ed85153bc457a1c4bca86 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 14:00:54 +0100 Subject: [PATCH 039/265] Port ReadKeys example --- .../java/org/pgpainless/example/ReadKeys.java | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java index 1559c1c1..e6d529c4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java @@ -7,10 +7,10 @@ package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; import java.io.IOException; +import java.util.List; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.OpenPgpFingerprint; @@ -40,10 +40,9 @@ public class ReadKeys { "=iIGO\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - PGPPublicKeyRing publicKey = PGPainless.readKeyRing() - .publicKeyRing(certificate); + OpenPGPCertificate publicKey = PGPainless.getInstance().readKey().parseCertificate(certificate); - KeyRingInfo keyInfo = new KeyRingInfo(publicKey); + KeyRingInfo keyInfo = PGPainless.inspectKeyRing(publicKey); OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); assertEquals(fingerprint, keyInfo.getFingerprint()); assertEquals("Alice Lovelace ", keyInfo.getPrimaryUserId()); @@ -72,10 +71,9 @@ public class ReadKeys { "=n8OM\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - PGPSecretKeyRing secretKey = PGPainless.readKeyRing() - .secretKeyRing(key); + OpenPGPKey secretKey = PGPainless.getInstance().readKey().parseKey(key); - KeyRingInfo keyInfo = new KeyRingInfo(secretKey); + KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); assertEquals(fingerprint, keyInfo.getFingerprint()); assertEquals("Alice Lovelace ", keyInfo.getPrimaryUserId()); @@ -83,7 +81,7 @@ public class ReadKeys { /** * This example demonstrates how to read a collection of multiple OpenPGP public keys (certificates) at once. - * + *

* Note, that a public key collection can both be a concatenation of public key blocks (like below), * and a single public key block containing multiple public key packets. */ @@ -147,8 +145,7 @@ public class ReadKeys { "=NXei\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - PGPPublicKeyRingCollection collection = PGPainless.readKeyRing() - .publicKeyRingCollection(certificateCollection); + List collection = PGPainless.getInstance().readKey().parseKeysOrCertificates(certificateCollection); assertEquals(2, collection.size()); } } From e3c586e182b57d81b05205f567b0bbcdd21a7804 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 14:08:34 +0100 Subject: [PATCH 040/265] Port Sign and UnlockSecretKeys examples --- .../java/org/pgpainless/example/Sign.java | 10 ++++---- .../pgpainless/example/UnlockSecretKeys.java | 23 ++++++++++--------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index 0ae2ab93..cef4850a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -14,9 +14,9 @@ import java.io.InputStream; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -32,13 +32,13 @@ import org.pgpainless.util.ArmorUtils; public class Sign { - private static PGPSecretKeyRing secretKey; + private static OpenPGPKey secretKey; private static SecretKeyRingProtector protector; @BeforeAll public static void prepare() { - secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example ") - .getPGPSecretKeyRing(); + secretKey = PGPainless.generateKeyRing() + .modernKeyRing("Emilia Example "); protector = SecretKeyRingProtector.unprotectedKeys(); // no password } @@ -94,7 +94,7 @@ public class Sign { EncryptionResult result = signingStream.getResult(); OpenPGPCertificate.OpenPGPComponentKey signingKey = PGPainless.inspectKeyRing(secretKey).getSigningSubkeys().get(0); - PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(secretKey, signingKey.getKeyIdentifier())).iterator().next(); + PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(signingKey)).iterator().next(); String detachedSignature = ArmorUtils.toAsciiArmoredString(signature.getEncoded()); assertTrue(detachedSignature.startsWith("-----BEGIN PGP SIGNATURE-----")); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java index 92387978..cb2908dd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java @@ -6,9 +6,10 @@ package org.pgpainless.example; import java.io.IOException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.OpenPgpV4Fingerprint; @@ -22,11 +23,11 @@ import org.pgpainless.util.Passphrase; * {@link PGPSecretKey PGPSecretKeys} are often password protected to prevent unauthorized access. * To perform certain actions with secret keys, such as creating signatures or decrypting encrypted messages, * the secret key needs to be unlocked to access the underlying {@link org.bouncycastle.openpgp.PGPPrivateKey}. - * + *

* Providing the required {@link org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor}/{@link org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor} * is a task that needs to be performed by the {@link SecretKeyRingProtector}. * There are different implementations available that implement this interface. - * + *

* Below are some examples of how to use these implementations in different scenarios. */ public class UnlockSecretKeys { @@ -36,7 +37,7 @@ public class UnlockSecretKeys { */ @Test public void unlockUnprotectedKeys() throws PGPException, IOException { - PGPSecretKeyRing unprotectedKey = TestKeys.getJulietSecretKeyRing(); + OpenPGPKey unprotectedKey = PGPainless.getInstance().toKey(TestKeys.getJulietSecretKeyRing()); // This protector will only unlock unprotected keys SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -49,7 +50,7 @@ public class UnlockSecretKeys { */ @Test public void unlockWholeKeyWithSamePassphrase() throws PGPException, IOException { - PGPSecretKeyRing secretKey = TestKeys.getCryptieSecretKeyRing(); + OpenPGPKey secretKey = PGPainless.getInstance().toKey(TestKeys.getCryptieSecretKeyRing()); Passphrase passphrase = TestKeys.CRYPTIE_PASSPHRASE; // Unlock all subkeys in the secret key with the same passphrase @@ -91,14 +92,14 @@ public class UnlockSecretKeys { "UPPI6jsYqxEHzRGex8t971atnDAjvDiS31YN\n" + "=fTmB\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(pgpPrivateKeyBlock); + OpenPGPKey secretKey = PGPainless.getInstance().readKey().parseKey(pgpPrivateKeyBlock); CachingSecretKeyRingProtector protector = SecretKeyRingProtector.defaultSecretKeyRingProtector(null); // Add passphrases for subkeys via public key - protector.addPassphrase(secretKey.getPublicKey(), + protector.addPassphrase(secretKey.getPrimaryKey().getKeyIdentifier(), Passphrase.fromPassword("pr1maryK3y")); // or via subkey-id - protector.addPassphrase(3907509425258753406L, + protector.addPassphrase(new KeyIdentifier(3907509425258753406L), Passphrase.fromPassword("f1rs7subk3y")); // or via fingerprint protector.addPassphrase(new OpenPgpV4Fingerprint("DD8E1195E4B1720E7FB10EF7F60402708E75D941"), @@ -107,10 +108,10 @@ public class UnlockSecretKeys { assertProtectorUnlocksAllSecretKeys(secretKey, protector); } - private void assertProtectorUnlocksAllSecretKeys(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector) + private void assertProtectorUnlocksAllSecretKeys(OpenPGPKey key, SecretKeyRingProtector protector) throws PGPException { - for (PGPSecretKey key : secretKey) { - UnlockSecretKey.unlockSecretKey(key, protector); + for (OpenPGPKey.OpenPGPSecretKey componentKey : key.getSecretKeys().values()) { + UnlockSecretKey.unlockSecretKey(componentKey, protector); } } } From 8936cf22d02502f6565880c73691a68cf7f0851e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 14:13:55 +0100 Subject: [PATCH 041/265] Port CanonicalizedDataEncryptionTest --- .../CanonicalizedDataEncryptionTest.java | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java index f9936db0..d59edcaf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java @@ -22,11 +22,10 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPLiteralDataGenerator; import org.bouncycastle.openpgp.PGPOnePassSignature; -import org.bouncycastle.openpgp.PGPPrivateKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; @@ -109,13 +108,13 @@ public class CanonicalizedDataEncryptionTest { String message = "Hello, World!\n"; - private static PGPSecretKeyRing secretKeys; - private static PGPPublicKeyRing publicKeys; + private static OpenPGPKey secretKeys; + private static OpenPGPCertificate publicKeys; @BeforeAll public static void readKeys() throws IOException { - secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - publicKeys = PGPainless.extractCertificate(secretKeys); + secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); + publicKeys = secretKeys.toCertificate(); // CHECKSTYLE:OFF System.out.println(PGPainless.asciiArmor(secretKeys)); // CHECKSTYLE:ON @@ -397,7 +396,7 @@ public class CanonicalizedDataEncryptionTest { public void manualSignAndVerify(DocumentSignatureType sigType, StreamEncoding streamEncoding) throws IOException, PGPException { - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeys.getPrimarySecretKey(), SecretKeyRingProtector.unprotectedKeys()); ByteArrayOutputStream out = new ByteArrayOutputStream(); ArmoredOutputStream armorOut = new ArmoredOutputStream(out); @@ -406,9 +405,10 @@ public class CanonicalizedDataEncryptionTest { PGPSignatureGenerator signer = new PGPSignatureGenerator( new BcPGPContentSignerBuilder( - secretKeys.getPublicKey().getAlgorithm(), - HashAlgorithm.SHA256.getAlgorithmId())); - signer.init(sigType.getSignatureType().getCode(), privateKey); + secretKeys.getPrimaryKey().getPGPPublicKey().getAlgorithm(), + HashAlgorithm.SHA256.getAlgorithmId()), + secretKeys.getPrimaryKey().getPGPPublicKey()); + signer.init(sigType.getSignatureType().getCode(), privateKey.getKeyPair().getPrivateKey()); PGPOnePassSignature ops = signer.generateOnePassVersion(false); ops.encode(compressedOut); From ce65e406c1b36eb956bb510e9b9b9943c0821697 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 14:25:23 +0100 Subject: [PATCH 042/265] Fix version --- version.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.gradle b/version.gradle index e5dd2a4d..5cf20738 100644 --- a/version.gradle +++ b/version.gradle @@ -4,7 +4,7 @@ allprojects { ext { - shortVersion = '2.0.0-SNAPSHOT' + shortVersion = '2.0.0' isSnapshot = true javaSourceCompatibility = 11 bouncyCastleVersion = '1.81' From cb440776f2269ac4bd3d1b3b9741834fa1115228 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 15:14:04 +0100 Subject: [PATCH 043/265] Add workaround for decryption with non-encryption subkey --- .../ConsumerOptions.kt | 9 ++++++++ .../OpenPgpMessageInputStream.kt | 5 +++++ ...ntDecryptionUsingNonEncryptionKeyTest.java | 22 +++++++++++++++---- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index a11e3536..1ab218e5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -43,6 +43,7 @@ class ConsumerOptions { private val decryptionPassphrases = mutableSetOf() private var missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE private var multiPassStrategy: MultiPassStrategy = InMemoryMultiPassStrategy() + private var allowDecryptionWithNonEncryptionKey: Boolean = false /** * Consider signatures on the message made before the given timestamp invalid. Null means no @@ -328,6 +329,14 @@ class ConsumerOptions { fun isIgnoreMDCErrors(): Boolean = ignoreMDCErrors + fun setAllowDecryptionWithNonEncryptionKey(allow: Boolean): ConsumerOptions = apply { + allowDecryptionWithNonEncryptionKey = allow + } + + fun getAllowDecryptionWithNonEncryptionKey(): Boolean { + return allowDecryptionWithNonEncryptionKey + } + /** * Force PGPainless to handle the data provided by the [InputStream] as non-OpenPGP data. This * workaround might come in handy if PGPainless accidentally mistakes the data for binary diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 2512c89c..10d60c75 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -409,6 +409,11 @@ class OpenPgpMessageInputStream( val decryptionKeyCandidates = getDecryptionKeys(pkesk) for (decryptionKeys in decryptionKeyCandidates) { val secretKey = decryptionKeys.getSecretKeyFor(pkesk)!! + if (!secretKey.isEncryptionKey && !options.getAllowDecryptionWithNonEncryptionKey()) { + LOGGER.debug( + "Message is encrypted for ${secretKey.keyIdentifier}, but the key is not encryption capable.") + continue + } if (hasUnsupportedS2KSpecifier(secretKey)) { continue } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java index ea54f2a4..9a80667d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java @@ -14,7 +14,6 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.exception.MissingDecryptionMethodException; @@ -206,15 +205,30 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { } @Test - @Disabled public void nonEncryptionKeyCannotDecrypt() throws IOException { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_INCAPABLE_KEY); ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); assertThrows(MissingDecryptionMethodException.class, () -> - PGPainless.decryptAndOrVerify() + PGPainless.decryptAndOrVerify() + .onInputStream(msgIn) + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys))); + } + + @Test + public void nonEncryptionKeyCanDecryptIfAllowed() throws IOException, PGPException { + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_INCAPABLE_KEY); + + ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(msgIn) - .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys))); + .withOptions(ConsumerOptions.get() + .setAllowDecryptionWithNonEncryptionKey(true) + .addDecryptionKey(secretKeys)); + + byte[] decrypted = Streams.readAll(decryptionStream); + decryptionStream.close(); } } From 79bbea593ebb20dab2ef243347be1be691b240f5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 15:14:26 +0100 Subject: [PATCH 044/265] Remove unnecessary imports --- .../src/test/java/org/pgpainless/example/ConvertKeys.java | 2 -- .../src/test/java/org/pgpainless/example/Encrypt.java | 2 -- 2 files changed, 4 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index 36371ba4..d44d4db2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -7,8 +7,6 @@ package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index f6e7d802..9d352cc8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -13,8 +13,6 @@ import java.io.IOException; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.api.OpenPGPKeyReader; From 259a77d4df364f6243b17e2d0d9a970cb518c04a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Feb 2025 15:14:48 +0100 Subject: [PATCH 045/265] OpenPGPFingerprint(s): Use FingerprintUtil to calculate key-ids --- .../org/pgpainless/key/OpenPgpV4Fingerprint.kt | 17 ++--------------- .../org/pgpainless/key/OpenPgpV5Fingerprint.kt | 3 +++ .../org/pgpainless/key/_64DigitFingerprint.kt | 18 ++---------------- 3 files changed, 7 insertions(+), 31 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt index 4d05c4f9..f4bb41db 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt @@ -5,14 +5,11 @@ package org.pgpainless.key import java.net.URI -import java.nio.Buffer -import java.nio.ByteBuffer -import java.nio.charset.Charset +import org.bouncycastle.bcpg.FingerprintUtil import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey -import org.bouncycastle.util.encoders.Hex class OpenPgpV4Fingerprint : OpenPgpFingerprint { @@ -28,17 +25,7 @@ class OpenPgpV4Fingerprint : OpenPgpFingerprint { override fun getVersion() = 4 - override val keyId: Long - get() { - val bytes = Hex.decode(toString().toByteArray(Charset.forName("UTF-8"))) - val buf = ByteBuffer.wrap(bytes) - - // The key id is the right-most 8 bytes (conveniently a long) - // We have to cast here in order to be compatible with java 8 - // https://github.com/eclipse/jetty.project/issues/3244 - (buf as Buffer).position(12) // 20 - 8 bytes = offset 12 - return buf.getLong() - } + override val keyId: Long = FingerprintUtil.keyIdFromV4Fingerprint(bytes) override val keyIdentifier: KeyIdentifier = KeyIdentifier(bytes) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt index df62ddef..5864bcd9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV5Fingerprint.kt @@ -4,6 +4,7 @@ package org.pgpainless.key +import org.bouncycastle.bcpg.FingerprintUtil import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey @@ -22,6 +23,8 @@ class OpenPgpV5Fingerprint : _64DigitFingerprint { constructor(bytes: ByteArray) : super(bytes) + override val keyId: Long = FingerprintUtil.keyIdFromLibrePgpFingerprint(bytes) + override fun getVersion(): Int { return 5 } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt index f5447d61..465787ea 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/_64DigitFingerprint.kt @@ -4,14 +4,11 @@ package org.pgpainless.key -import java.nio.Buffer -import java.nio.ByteBuffer -import java.nio.charset.Charset +import org.bouncycastle.bcpg.FingerprintUtil import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey -import org.bouncycastle.util.encoders.Hex /** * This class represents a hex encoded, upper case OpenPGP v5 or v6 fingerprint. Since both @@ -35,18 +32,7 @@ open class _64DigitFingerprint : OpenPgpFingerprint { constructor(keys: PGPKeyRing) : super(keys) - override val keyId: Long - get() { - val bytes = Hex.decode(fingerprint.toByteArray(Charset.forName("UTF-8"))) - val buf = ByteBuffer.wrap(bytes) - - // The key id is the left-most 8 bytes (conveniently a long). - // We have to cast here in order to be compatible with java 8 - // https://github.com/eclipse/jetty.project/issues/3244 - (buf as Buffer).position(0) - - return buf.getLong() - } + override val keyId: Long = FingerprintUtil.keyIdFromV6Fingerprint(bytes) override fun getVersion(): Int { return -1 // might be v5 or v6 From 2f3b1fac9572815466f3d1c6110ed58a685c768f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Feb 2025 10:49:06 +0100 Subject: [PATCH 046/265] Rename and document members of SubkeyIdentifier --- .../org/pgpainless/key/SubkeyIdentifier.kt | 140 ++++++++++++++---- .../org/pgpainless/key/info/KeyRingInfo.kt | 4 +- 2 files changed, 110 insertions(+), 34 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index 02966a51..2577385e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -11,59 +11,135 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey /** - * Tuple class used to identify a subkey by fingerprints of the primary key of the subkeys key ring, - * as well as the subkeys fingerprint. + * Tuple class used to identify a subkey (component key) by fingerprints of the certificate, + * as well as the component keys fingerprint. */ class SubkeyIdentifier( - val primaryKeyFingerprint: OpenPgpFingerprint, - val subkeyFingerprint: OpenPgpFingerprint + val certificateFingerprint: OpenPgpFingerprint, + val componentKeyFingerprint: OpenPgpFingerprint ) { - constructor(fingerprint: OpenPgpFingerprint) : this(fingerprint, fingerprint) + /** + * Constructor for a [SubkeyIdentifier] pointing to the primary key identified by the + * [certificateFingerprint]. + * @param certificateFingerprint primary key fingerprint + */ + constructor(certificateFingerprint: OpenPgpFingerprint) : this(certificateFingerprint, certificateFingerprint) - constructor(keys: PGPKeyRing) : this(keys.publicKey) + /** + * Constructor for a [SubkeyIdentifier] pointing to the primary key of the given [PGPKeyRing]. + * + * @param certificate certificate + */ + constructor(certificate: PGPKeyRing) : this(certificate.publicKey) - constructor(key: PGPPublicKey) : this(OpenPgpFingerprint.of(key)) + /** + * Constructor for a [SubkeyIdentifier] pointing to the given [primaryKey]. + * + * @param primaryKey primary key + */ + constructor(primaryKey: PGPPublicKey) : this(OpenPgpFingerprint.of(primaryKey)) - constructor(keys: PGPKeyRing, keyId: Long) : this(keys, KeyIdentifier(keyId)) + /** + * Constructor for a [SubkeyIdentifier] pointing to a component key (identified by + * [componentKeyId]) from the given [certificate]. + */ + @Deprecated("Pass in a KeyIdentifier instead of a keyId.") + constructor(certificate: PGPKeyRing, componentKeyId: Long) : this(certificate, KeyIdentifier(componentKeyId)) + /** + * Constructor for a [SubkeyIdentifier] pointing to the given [componentKey]. + * + * @param componentKey component key + */ constructor( - key: OpenPGPComponentKey + componentKey: OpenPGPComponentKey ) : this( - OpenPgpFingerprint.of(key.certificate.pgpPublicKeyRing), - OpenPgpFingerprint.of(key.pgpPublicKey)) + OpenPgpFingerprint.of(componentKey.certificate), + OpenPgpFingerprint.of(componentKey)) - constructor(key: OpenPGPPrivateKey) : this(key.secretKey) + /** + * Constructor for a [SubkeyIdentifier] pointing to the given [componentKey]. + */ + constructor(componentKey: OpenPGPPrivateKey) : this(componentKey.secretKey) + /** + * Constructor for a [SubkeyIdentifier] pointing to a component key (identified by + * the [componentKeyFingerprint]) of the given [certificate]. + * + * @param certificate certificate + * @param componentKeyFingerprint fingerprint of the component key + */ constructor( - keys: PGPKeyRing, - subkeyFingerprint: OpenPgpFingerprint - ) : this(OpenPgpFingerprint.of(keys), subkeyFingerprint) + certificate: PGPKeyRing, + componentKeyFingerprint: OpenPgpFingerprint + ) : this(OpenPgpFingerprint.of(certificate), componentKeyFingerprint) + /** + * Constructor for a [SubkeyIdentifier] pointing to a component key (identified by the + * [componentKeyIdentifier]) of the given [certificate]. + * + * @param certificate certificate + * @param componentKeyIdentifier identifier of the component key + */ constructor( - keys: PGPKeyRing, - subkeyIdentifier: KeyIdentifier + certificate: PGPKeyRing, + componentKeyIdentifier: KeyIdentifier ) : this( - OpenPgpFingerprint.of(keys), + OpenPgpFingerprint.of(certificate), OpenPgpFingerprint.of( - keys.getPublicKey(subkeyIdentifier) + certificate.getPublicKey(componentKeyIdentifier) ?: throw NoSuchElementException( - "OpenPGP key does not contain subkey $subkeyIdentifier"))) + "OpenPGP key does not contain subkey $componentKeyIdentifier"))) - val keyIdentifier = KeyIdentifier(subkeyFingerprint.bytes) - val subkeyIdentifier = keyIdentifier - val primaryKeyIdentifier = KeyIdentifier(primaryKeyFingerprint.bytes) + @Deprecated("Use certificateFingerprint instead.", + replaceWith = ReplaceWith("certificateFingerprint") + ) + val primaryKeyFingerprint: OpenPgpFingerprint = certificateFingerprint + @Deprecated("Use componentKeyFingerprint instead.", + replaceWith = ReplaceWith("componentKeyFingerprint")) + val subkeyFingerprint: OpenPgpFingerprint = componentKeyFingerprint + + /** + * [KeyIdentifier] of the component key. + */ + val keyIdentifier = componentKeyFingerprint.keyIdentifier + + /** + * [KeyIdentifier] of the component key. + */ + val componentKeyIdentifier = keyIdentifier + + /** + * [KeyIdentifier] of the primary key of the certificate the component key belongs to. + */ + val certificateIdentifier = certificateFingerprint.keyIdentifier + + /** + * Key-ID of the component key. + */ @Deprecated("Use of key-ids is discouraged.") val keyId = keyIdentifier.keyId - val fingerprint = subkeyFingerprint - @Deprecated("Use of key-ids is discouraged.") val subkeyId = subkeyIdentifier.keyId - @Deprecated("Use of key-ids is discouraged.") val primaryKeyId = primaryKeyIdentifier.keyId + /** + * Fingerprint of the component key. + */ + val fingerprint = componentKeyFingerprint - val isPrimaryKey = primaryKeyIdentifier == subkeyIdentifier + /** + * Key-ID of the component key. + */ + @Deprecated("Use of key-ids is discouraged.") val subkeyId = componentKeyIdentifier.keyId + + /** + * Key-ID of the primary key of the certificate the component key belongs to. + */ + @Deprecated("Use of key-ids is discouraged.") val primaryKeyId = certificateIdentifier.keyId + + val isPrimaryKey = certificateIdentifier.matches(componentKeyIdentifier) fun matches(fingerprint: OpenPgpFingerprint) = - primaryKeyFingerprint == fingerprint || subkeyFingerprint == fingerprint + certificateFingerprint == fingerprint || componentKeyFingerprint == fingerprint override fun equals(other: Any?): Boolean { if (other == null) { @@ -76,13 +152,13 @@ class SubkeyIdentifier( return false } - return primaryKeyFingerprint == other.primaryKeyFingerprint && - subkeyFingerprint == other.subkeyFingerprint + return certificateFingerprint == other.certificateFingerprint && + componentKeyFingerprint == other.componentKeyFingerprint } override fun hashCode(): Int { - return primaryKeyFingerprint.hashCode() + 31 * subkeyFingerprint.hashCode() + return certificateFingerprint.hashCode() + 31 * componentKeyFingerprint.hashCode() } - override fun toString(): String = "$subkeyFingerprint $primaryKeyFingerprint" + override fun toString(): String = "$componentKeyFingerprint $certificateFingerprint" } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index cb10b060..0d1480fa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -594,7 +594,7 @@ class KeyRingInfo( require(publicKey.keyIdentifier.equals(identifier.keyIdentifier)) { "Mismatching primary key ID." } - return getPublicKey(identifier.subkeyIdentifier) + return getPublicKey(identifier.componentKeyIdentifier) } /** @@ -605,7 +605,7 @@ class KeyRingInfo( * key of the key. */ fun getSecretKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? = - getSecretKey(identifier.subkeyIdentifier) + getSecretKey(identifier.componentKeyIdentifier) fun isKeyValidlyBound(keyIdentifier: KeyIdentifier): Boolean { return isKeyValidlyBound(keyIdentifier.keyId) From 8b41f80ca08a72ffe5c63b6efaa9726f65d8fe2f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Feb 2025 12:43:38 +0100 Subject: [PATCH 047/265] Port SignatureBuilders over to new classes --- .../OpenPgpMessageInputStream.kt | 3 +- .../org/pgpainless/key/SubkeyIdentifier.kt | 62 +++----- .../key/certification/CertifyCertificate.kt | 150 ++++++++++++++---- .../secretkeyring/SecretKeyRingEditor.kt | 46 +++--- .../builder/AbstractSignatureBuilder.kt | 31 ++-- .../builder/DirectKeySelfSignatureBuilder.kt | 26 ++- .../PrimaryKeyBindingSignatureBuilder.kt | 11 +- .../builder/RevocationSignatureBuilder.kt | 27 ++-- .../signature/builder/SelfSignatureBuilder.kt | 14 +- .../builder/SubkeyBindingSignatureBuilder.kt | 13 +- ...ThirdPartyCertificationSignatureBuilder.kt | 39 ++++- .../ThirdPartyDirectKeySignatureBuilder.kt | 26 ++- .../builder/UniversalSignatureBuilder.kt | 6 +- .../certification/CertifyCertificateTest.java | 96 ++++++----- ...bkeyAndPrimaryKeyBindingSignatureTest.java | 10 +- ...artyCertificationSignatureBuilderTest.java | 43 ++--- ...irdPartyDirectKeySignatureBuilderTest.java | 22 +-- .../UniversalSignatureBuilderTest.java | 17 +- 18 files changed, 397 insertions(+), 245 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 10d60c75..422fc25a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -409,7 +409,8 @@ class OpenPgpMessageInputStream( val decryptionKeyCandidates = getDecryptionKeys(pkesk) for (decryptionKeys in decryptionKeyCandidates) { val secretKey = decryptionKeys.getSecretKeyFor(pkesk)!! - if (!secretKey.isEncryptionKey && !options.getAllowDecryptionWithNonEncryptionKey()) { + if (!secretKey.isEncryptionKey && + !options.getAllowDecryptionWithNonEncryptionKey()) { LOGGER.debug( "Message is encrypted for ${secretKey.keyIdentifier}, but the key is not encryption capable.") continue diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index 2577385e..bc425629 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -11,8 +11,8 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey /** - * Tuple class used to identify a subkey (component key) by fingerprints of the certificate, - * as well as the component keys fingerprint. + * Tuple class used to identify a subkey (component key) by fingerprints of the certificate, as well + * as the component keys fingerprint. */ class SubkeyIdentifier( val certificateFingerprint: OpenPgpFingerprint, @@ -22,9 +22,12 @@ class SubkeyIdentifier( /** * Constructor for a [SubkeyIdentifier] pointing to the primary key identified by the * [certificateFingerprint]. + * * @param certificateFingerprint primary key fingerprint */ - constructor(certificateFingerprint: OpenPgpFingerprint) : this(certificateFingerprint, certificateFingerprint) + constructor( + certificateFingerprint: OpenPgpFingerprint + ) : this(certificateFingerprint, certificateFingerprint) /** * Constructor for a [SubkeyIdentifier] pointing to the primary key of the given [PGPKeyRing]. @@ -45,7 +48,10 @@ class SubkeyIdentifier( * [componentKeyId]) from the given [certificate]. */ @Deprecated("Pass in a KeyIdentifier instead of a keyId.") - constructor(certificate: PGPKeyRing, componentKeyId: Long) : this(certificate, KeyIdentifier(componentKeyId)) + constructor( + certificate: PGPKeyRing, + componentKeyId: Long + ) : this(certificate, KeyIdentifier(componentKeyId)) /** * Constructor for a [SubkeyIdentifier] pointing to the given [componentKey]. @@ -54,18 +60,14 @@ class SubkeyIdentifier( */ constructor( componentKey: OpenPGPComponentKey - ) : this( - OpenPgpFingerprint.of(componentKey.certificate), - OpenPgpFingerprint.of(componentKey)) + ) : this(OpenPgpFingerprint.of(componentKey.certificate), OpenPgpFingerprint.of(componentKey)) - /** - * Constructor for a [SubkeyIdentifier] pointing to the given [componentKey]. - */ + /** Constructor for a [SubkeyIdentifier] pointing to the given [componentKey]. */ constructor(componentKey: OpenPGPPrivateKey) : this(componentKey.secretKey) /** - * Constructor for a [SubkeyIdentifier] pointing to a component key (identified by - * the [componentKeyFingerprint]) of the given [certificate]. + * Constructor for a [SubkeyIdentifier] pointing to a component key (identified by the + * [componentKeyFingerprint]) of the given [certificate]. * * @param certificate certificate * @param componentKeyFingerprint fingerprint of the component key @@ -92,48 +94,34 @@ class SubkeyIdentifier( ?: throw NoSuchElementException( "OpenPGP key does not contain subkey $componentKeyIdentifier"))) - @Deprecated("Use certificateFingerprint instead.", - replaceWith = ReplaceWith("certificateFingerprint") - ) + @Deprecated( + "Use certificateFingerprint instead.", replaceWith = ReplaceWith("certificateFingerprint")) val primaryKeyFingerprint: OpenPgpFingerprint = certificateFingerprint - @Deprecated("Use componentKeyFingerprint instead.", + @Deprecated( + "Use componentKeyFingerprint instead.", replaceWith = ReplaceWith("componentKeyFingerprint")) val subkeyFingerprint: OpenPgpFingerprint = componentKeyFingerprint - /** - * [KeyIdentifier] of the component key. - */ + /** [KeyIdentifier] of the component key. */ val keyIdentifier = componentKeyFingerprint.keyIdentifier - /** - * [KeyIdentifier] of the component key. - */ + /** [KeyIdentifier] of the component key. */ val componentKeyIdentifier = keyIdentifier - /** - * [KeyIdentifier] of the primary key of the certificate the component key belongs to. - */ + /** [KeyIdentifier] of the primary key of the certificate the component key belongs to. */ val certificateIdentifier = certificateFingerprint.keyIdentifier - /** - * Key-ID of the component key. - */ + /** Key-ID of the component key. */ @Deprecated("Use of key-ids is discouraged.") val keyId = keyIdentifier.keyId - /** - * Fingerprint of the component key. - */ + /** Fingerprint of the component key. */ val fingerprint = componentKeyFingerprint - /** - * Key-ID of the component key. - */ + /** Key-ID of the component key. */ @Deprecated("Use of key-ids is discouraged.") val subkeyId = componentKeyIdentifier.keyId - /** - * Key-ID of the primary key of the certificate the component key belongs to. - */ + /** Key-ID of the primary key of the certificate the component key belongs to. */ @Deprecated("Use of key-ids is discouraged.") val primaryKeyId = certificateIdentifier.keyId val isPrimaryKey = certificateIdentifier.matches(componentKeyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index e75dc5bf..90865d67 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -7,9 +7,11 @@ package org.pgpainless.key.certification import java.util.* import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKeyRing -import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.CertificationType import org.pgpainless.algorithm.KeyFlag @@ -42,17 +44,34 @@ class CertifyCertificate { * @param certificate certificate * @return API */ + @JvmOverloads + fun userIdOnCertificate( + userId: CharSequence, + certificate: OpenPGPCertificate, + certificationType: CertificationType = CertificationType.GENERIC + ): CertificationOnUserId = CertificationOnUserId(userId, certificate, certificationType) + + /** + * Create a certification over a User-Id. By default, this method will use + * [CertificationType.GENERIC] to create the signature. + * + * @param userId user-id to certify + * @param certificate certificate + * @return API + */ + @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") fun userIdOnCertificate(userId: String, certificate: PGPPublicKeyRing): CertificationOnUserId = userIdOnCertificate(userId, certificate, CertificationType.GENERIC) /** * Create a certification of the given [CertificationType] over a User-Id. * - * @param userid user-id to certify + * @param userId user-id to certify * @param certificate certificate * @param certificationType type of signature * @return API */ + @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") fun userIdOnCertificate( userId: String, certificate: PGPPublicKeyRing, @@ -67,6 +86,19 @@ class CertifyCertificate { * @param certificate certificate * @return API */ + @JvmOverloads + fun certificate(certificate: OpenPGPCertificate, trustworthiness: Trustworthiness? = null) = + DelegationOnCertificate(certificate, trustworthiness) + + /** + * Create a delegation (direct key signature) over a certificate. This can be used to mark a + * certificate as a trusted introducer (see [certificate] method with [Trustworthiness] + * argument). + * + * @param certificate certificate + * @return API + */ + @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") fun certificate(certificate: PGPPublicKeyRing): DelegationOnCertificate = certificate(certificate, null) @@ -79,15 +111,35 @@ class CertifyCertificate { * @param trustworthiness trustworthiness of the certificate * @return API */ + @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") fun certificate(certificate: PGPPublicKeyRing, trustworthiness: Trustworthiness?) = DelegationOnCertificate(certificate, trustworthiness) class CertificationOnUserId( - val userId: String, - val certificate: PGPPublicKeyRing, + val userId: CharSequence, + val certificate: OpenPGPCertificate, val certificationType: CertificationType ) { + @Deprecated("Use primary constructor instead.") + constructor( + userId: String, + certificate: PGPPublicKeyRing, + certificationType: CertificationType + ) : this(userId, PGPainless.getInstance().toCertificate(certificate), certificationType) + + fun withKey( + key: OpenPGPKey, + protector: SecretKeyRingProtector + ): CertificationOnUserIdWithSubpackets { + val secretKey = getCertifyingSecretKey(key) + val sigBuilder = + ThirdPartyCertificationSignatureBuilder( + certificationType.asSignatureType(), secretKey, protector) + + return CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder) + } + /** * Create the certification using the given key. * @@ -96,26 +148,27 @@ class CertifyCertificate { * @return API * @throws PGPException in case of an OpenPGP related error */ + @Deprecated("Pass in an OpenPGPKey instead of a PGPSecretKeyRing.") fun withKey( certificationKey: PGPSecretKeyRing, protector: SecretKeyRingProtector - ): CertificationOnUserIdWithSubpackets { - - val secretKey = getCertifyingSecretKey(certificationKey) - val sigBuilder = - ThirdPartyCertificationSignatureBuilder( - certificationType.asSignatureType(), secretKey, protector) - - return CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder) - } + ): CertificationOnUserIdWithSubpackets = + withKey(PGPainless.getInstance().toKey(certificationKey), protector) } class CertificationOnUserIdWithSubpackets( - val certificate: PGPPublicKeyRing, - val userId: String, + val certificate: OpenPGPCertificate, + val userId: CharSequence, val sigBuilder: ThirdPartyCertificationSignatureBuilder ) { + @Deprecated("Pass in an OpenPGPCertificate instead of a PGPPublicKeyRing.") + constructor( + certificate: PGPPublicKeyRing, + userId: String, + sigBuilder: ThirdPartyCertificationSignatureBuilder + ) : this(PGPainless.getInstance().toCertificate(certificate), userId, sigBuilder) + /** * Apply the given signature subpackets and build the certification. * @@ -139,16 +192,38 @@ class CertifyCertificate { fun build(): CertificationResult { val signature = sigBuilder.build(certificate, userId) val certifiedCertificate = - KeyRingUtils.injectCertification(certificate, userId, signature) + OpenPGPCertificate( + KeyRingUtils.injectCertification( + certificate.pgpPublicKeyRing, userId, signature.signature)) + return CertificationResult(certifiedCertificate, signature) } } class DelegationOnCertificate( - val certificate: PGPPublicKeyRing, + val certificate: OpenPGPCertificate, val trustworthiness: Trustworthiness? ) { + @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") + constructor( + certificate: PGPPublicKeyRing, + trustworthiness: Trustworthiness? + ) : this(PGPainless.getInstance().toCertificate(certificate), trustworthiness) + + fun withKey( + key: OpenPGPKey, + protector: SecretKeyRingProtector + ): DelegationOnCertificateWithSubpackets { + val secretKey = getCertifyingSecretKey(key) + val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector) + if (trustworthiness != null) { + sigBuilder.hashedSubpackets.setTrust( + true, trustworthiness.depth, trustworthiness.amount) + } + return DelegationOnCertificateWithSubpackets(certificate, sigBuilder) + } + /** * Build the delegation using the given certification key. * @@ -157,25 +232,25 @@ class CertifyCertificate { * @return API * @throws PGPException in case of an OpenPGP related error */ + @Deprecated("Pass in an OpenPGPKey instead of PGPSecretKeyRing.") fun withKey( certificationKey: PGPSecretKeyRing, protector: SecretKeyRingProtector - ): DelegationOnCertificateWithSubpackets { - val secretKey = getCertifyingSecretKey(certificationKey) - val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector) - if (trustworthiness != null) { - sigBuilder.hashedSubpackets.setTrust( - true, trustworthiness.depth, trustworthiness.amount) - } - return DelegationOnCertificateWithSubpackets(certificate, sigBuilder) - } + ): DelegationOnCertificateWithSubpackets = + withKey(PGPainless.getInstance().toKey(certificationKey), protector) } class DelegationOnCertificateWithSubpackets( - val certificate: PGPPublicKeyRing, + val certificate: OpenPGPCertificate, val sigBuilder: ThirdPartyDirectKeySignatureBuilder ) { + @Deprecated("Pass in an OpenPGPCertificate instead of a PGPPublicKeyRing.") + constructor( + certificate: PGPPublicKeyRing, + sigBuilder: ThirdPartyDirectKeySignatureBuilder + ) : this(PGPainless.getInstance().toCertificate(certificate), sigBuilder) + /** * Apply the given signature subpackets and build the delegation signature. * @@ -197,10 +272,14 @@ class CertifyCertificate { * @throws PGPException in case of an OpenPGP related error */ fun build(): CertificationResult { - val delegatedKey = certificate.publicKey + val delegatedKey = certificate.primaryKey val delegation = sigBuilder.build(delegatedKey) val delegatedCertificate = - KeyRingUtils.injectCertification(certificate, delegatedKey, delegation) + OpenPGPCertificate( + KeyRingUtils.injectCertification( + certificate.pgpPublicKeyRing, + delegatedKey.pgpPublicKey, + delegation.signature)) return CertificationResult(delegatedCertificate, delegation) } } @@ -212,13 +291,18 @@ class CertifyCertificate { * @param certification the newly created signature */ data class CertificationResult( - val certifiedCertificate: PGPPublicKeyRing, - val certification: PGPSignature - ) + val certifiedCertificate: OpenPGPCertificate, + val certification: OpenPGPSignature + ) { + val publicKeyRing: PGPPublicKeyRing = certifiedCertificate.pgpPublicKeyRing + val pgpSignature: PGPSignature = certification.signature + } companion object { @JvmStatic - private fun getCertifyingSecretKey(certificationKey: PGPSecretKeyRing): PGPSecretKey { + private fun getCertifyingSecretKey( + certificationKey: OpenPGPKey + ): OpenPGPKey.OpenPGPSecretKey { val now = Date() val info = PGPainless.inspectKeyRing(certificationKey, now) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 7202cff7..f22e44bb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -12,6 +12,8 @@ import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.AlgorithmSuite @@ -38,10 +40,16 @@ import org.pgpainless.signature.subpackets.* import org.pgpainless.util.Passphrase import org.pgpainless.util.selection.userid.SelectUserId -class SecretKeyRingEditor( - var secretKeyRing: PGPSecretKeyRing, - override val referenceTime: Date = Date() -) : SecretKeyRingEditorInterface { +class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date = Date()) : + SecretKeyRingEditorInterface { + + private var secretKeyRing: PGPSecretKeyRing = key.pgpSecretKeyRing + + @JvmOverloads + constructor( + secretKeyRing: PGPSecretKeyRing, + referenceTime: Date = Date() + ) : this(PGPainless.getInstance().toKey(secretKeyRing), referenceTime) override fun addUserId( userId: CharSequence, @@ -74,7 +82,7 @@ class SecretKeyRingEditor( } val builder = - SelfSignatureBuilder(primaryKey, protector).apply { + SelfSignatureBuilder(key.primarySecretKey, protector).apply { hashedSubpackets.setSignatureCreationTime(referenceTime) setSignatureType(SignatureType.POSITIVE_CERTIFICATION) } @@ -88,6 +96,7 @@ class SecretKeyRingEditor( builder.applyCallback(callback) secretKeyRing = injectCertification(secretKeyRing, sanitizedUserId, builder.build(sanitizedUserId)) + key = PGPainless.getInstance().toKey(secretKeyRing) return this } @@ -294,13 +303,14 @@ class SecretKeyRingEditor( false, subkeyProtector.getEncryptor(subkey.keyID)) val skBindingBuilder = - SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector, hashAlgorithm) + SubkeyBindingSignatureBuilder(key.primarySecretKey, primaryKeyProtector, hashAlgorithm) skBindingBuilder.apply { hashedSubpackets.setSignatureCreationTime(referenceTime) hashedSubpackets.setKeyFlags(flags) if (subkeyAlgorithm.isSigningCapable()) { val pkBindingBuilder = - PrimaryKeyBindingSignatureBuilder(secretSubkey, subkeyProtector, hashAlgorithm) + PrimaryKeyBindingSignatureBuilder( + key.primarySecretKey, subkeyProtector, hashAlgorithm) pkBindingBuilder.hashedSubpackets.setSignatureCreationTime(referenceTime) hashedSubpackets.addEmbeddedSignature(pkBindingBuilder.build(primaryKey.publicKey)) } @@ -430,7 +440,7 @@ class SecretKeyRingEditor( injectCertification( secretKeyRing, secretKeyRing.publicKey, - reissueDirectKeySignature(expiration, protector, prevDirectKeySig)) + reissueDirectKeySignature(expiration, protector, prevDirectKeySig).signature) } val primaryUserId = @@ -591,12 +601,11 @@ class SecretKeyRingEditor( revokeeSubkey: PGPPublicKey, callback: RevocationSignatureSubpackets.Callback? ): PGPSignature { - val primaryKey = secretKeyRing.secretKey val signatureType = if (revokeeSubkey.isMasterKey) SignatureType.KEY_REVOCATION else SignatureType.SUBKEY_REVOCATION - return RevocationSignatureBuilder(signatureType, primaryKey, protector) + return RevocationSignatureBuilder(signatureType, key.primarySecretKey, protector) .apply { applyCallback(callback) } .build(revokeeSubkey) } @@ -607,7 +616,7 @@ class SecretKeyRingEditor( callback: RevocationSignatureSubpackets.Callback? ): SecretKeyRingEditorInterface { RevocationSignatureBuilder( - SignatureType.CERTIFICATION_REVOCATION, secretKeyRing.secretKey, protector) + SignatureType.CERTIFICATION_REVOCATION, key.primarySecretKey, protector) .apply { hashedSubpackets.setSignatureCreationTime(referenceTime) applyCallback(callback) @@ -636,7 +645,7 @@ class SecretKeyRingEditor( prevUserIdSig: PGPSignature ): PGPSignature { val builder = - SelfSignatureBuilder(secretKeyRing.secretKey, secretKeyRingProtector, prevUserIdSig) + SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig) builder.hashedSubpackets.setSignatureCreationTime(referenceTime) builder.applyCallback( object : SelfSignatureSubpackets.Callback { @@ -655,7 +664,7 @@ class SecretKeyRingEditor( @Nonnull primaryUserId: String, @Nonnull prevUserIdSig: PGPSignature ): PGPSignature { - return SelfSignatureBuilder(secretKeyRing.secretKey, secretKeyRingProtector, prevUserIdSig) + return SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig) .apply { hashedSubpackets.setSignatureCreationTime(referenceTime) applyCallback( @@ -681,9 +690,9 @@ class SecretKeyRingEditor( expiration: Date?, secretKeyRingProtector: SecretKeyRingProtector, prevDirectKeySig: PGPSignature - ): PGPSignature { + ): OpenPGPSignature { return DirectKeySelfSignatureBuilder( - secretKeyRing.secretKey, secretKeyRingProtector, prevDirectKeySig) + secretKeyRing, secretKeyRingProtector, prevDirectKeySig) .apply { hashedSubpackets.setSignatureCreationTime(referenceTime) applyCallback( @@ -710,11 +719,11 @@ class SecretKeyRingEditor( prevSubkeyBindingSignature: PGPSignature ): PGPSignature { val primaryKey = secretKeyRing.publicKey - val secretPrimaryKey = secretKeyRing.secretKey val secretSubkey: PGPSecretKey? = secretKeyRing.getSecretKey(subkey.keyID) val builder = - SubkeyBindingSignatureBuilder(secretPrimaryKey, protector, prevSubkeyBindingSignature) + SubkeyBindingSignatureBuilder( + key.primarySecretKey, protector, prevSubkeyBindingSignature) builder.hashedSubpackets.apply { // set expiration setSignatureCreationTime(referenceTime) @@ -733,7 +742,8 @@ class SecretKeyRingEditor( // create new embedded back-sig clearEmbeddedSignatures() addEmbeddedSignature( - PrimaryKeyBindingSignatureBuilder(secretSubkey, protector) + PrimaryKeyBindingSignatureBuilder( + key.getSecretKey(subkey.keyIdentifier), protector) .build(primaryKey)) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt index f7f94202..bdc1895f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt @@ -6,11 +6,11 @@ package org.pgpainless.signature.builder import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPrivateKey import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPSignatureGenerator +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SignatureType @@ -23,8 +23,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper abstract class AbstractSignatureBuilder>( - protected val privateSigningKey: PGPPrivateKey, - protected val publicSigningKey: PGPPublicKey, + protected val signingKey: OpenPGPKey.OpenPGPPrivateKey, protected var _hashAlgorithm: HashAlgorithm, protected var _signatureType: SignatureType, protected val _hashedSubpackets: SignatureSubpackets, @@ -42,14 +41,13 @@ abstract class AbstractSignatureBuilder>( @Throws(PGPException::class) protected constructor( signatureType: SignatureType, - signingKey: PGPSecretKey, + signingKey: OpenPGPKey.OpenPGPSecretKey, protector: SecretKeyRingProtector, hashAlgorithm: HashAlgorithm, hashedSubpackets: SignatureSubpackets, unhashedSubpackets: SignatureSubpackets ) : this( UnlockSecretKey.unlockSecretKey(signingKey, protector), - signingKey.publicKey, hashAlgorithm, signatureType, hashedSubpackets, @@ -58,27 +56,28 @@ abstract class AbstractSignatureBuilder>( @Throws(PGPException::class) constructor( signatureType: SignatureType, - signingKey: PGPSecretKey, + signingKey: OpenPGPKey.OpenPGPSecretKey, protector: SecretKeyRingProtector ) : this( signatureType, signingKey, protector, - negotiateHashAlgorithm(signingKey.publicKey), - SignatureSubpackets.createHashedSubpackets(signingKey.publicKey), + negotiateHashAlgorithm(signingKey), + SignatureSubpackets.createHashedSubpackets(signingKey.pgpSecretKey.publicKey), SignatureSubpackets.createEmptySubpackets()) @Throws(PGPException::class) constructor( - signingKey: PGPSecretKey, + signingKey: OpenPGPKey.OpenPGPSecretKey, protector: SecretKeyRingProtector, archetypeSignature: PGPSignature ) : this( SignatureType.requireFromCode(archetypeSignature.signatureType), signingKey, protector, - negotiateHashAlgorithm(signingKey.publicKey), - SignatureSubpackets.refreshHashedSubpackets(signingKey.publicKey, archetypeSignature), + negotiateHashAlgorithm(signingKey), + SignatureSubpackets.refreshHashedSubpackets( + signingKey.publicKey.pgpPublicKey, archetypeSignature), SignatureSubpackets.refreshUnhashedSubpackets(archetypeSignature)) val hashAlgorithm = _hashAlgorithm @@ -113,11 +112,11 @@ abstract class AbstractSignatureBuilder>( PGPSignatureGenerator( ImplementationFactory.getInstance() .getPGPContentSignerBuilder( - publicSigningKey.algorithm, hashAlgorithm.algorithmId)) + signingKey.publicKey.pgpPublicKey.algorithm, hashAlgorithm.algorithmId)) .apply { setUnhashedSubpackets(SignatureSubpacketsHelper.toVector(_unhashedSubpackets)) setHashedSubpackets(SignatureSubpacketsHelper.toVector(_hashedSubpackets)) - init(_signatureType.code, privateSigningKey) + init(_signatureType.code, signingKey.keyPair.privateKey) } companion object { @@ -133,5 +132,9 @@ abstract class AbstractSignatureBuilder>( HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) .negotiateHashAlgorithm( OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey)) + + @JvmStatic + fun negotiateHashAlgorithm(key: OpenPGPComponentKey): HashAlgorithm = + negotiateHashAlgorithm(key.pgpPublicKey) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt index c4d11ea9..8fc18ba4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt @@ -6,8 +6,12 @@ package org.pgpainless.signature.builder import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentSignature +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature +import org.pgpainless.PGPainless import org.pgpainless.algorithm.SignatureType import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.signature.subpackets.SelfSignatureSubpackets @@ -23,14 +27,24 @@ class DirectKeySelfSignatureBuilder : AbstractSignatureBuilder { +class RevocationSignatureBuilder +@Throws(PGPException::class) +constructor( + signatureType: SignatureType, + signingKey: OpenPGPKey.OpenPGPSecretKey, + protector: SecretKeyRingProtector +) : AbstractSignatureBuilder(signatureType, signingKey, protector) { override val signatureTypePredicate: Predicate get() = @@ -26,15 +32,6 @@ class RevocationSignatureBuilder : AbstractSignatureBuilder { @Throws(PGPException::class) constructor( - signingKey: PGPSecretKey, + signingKey: OpenPGPKey.OpenPGPSecretKey, protector: SecretKeyRingProtector ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector) @Throws(PGPException::class) constructor( signatureType: SignatureType, - signingKey: PGPSecretKey, + signingKey: OpenPGPKey.OpenPGPSecretKey, protector: SecretKeyRingProtector ) : super(signatureType, signingKey, protector) @Throws(PGPException::class) constructor( - primaryKey: PGPSecretKey, + primaryKey: OpenPGPKey.OpenPGPSecretKey, primaryKeyProtector: SecretKeyRingProtector, oldCertification: PGPSignature ) : super(primaryKey, primaryKeyProtector, oldCertification) @@ -61,9 +61,11 @@ class SelfSignatureBuilder : AbstractSignatureBuilder { @Throws(PGPException::class) fun build(userId: CharSequence): PGPSignature = - buildAndInitSignatureGenerator().generateCertification(userId.toString(), publicSigningKey) + buildAndInitSignatureGenerator() + .generateCertification(userId.toString(), signingKey.publicKey.pgpPublicKey) @Throws(PGPException::class) fun build(userAttributes: PGPUserAttributeSubpacketVector): PGPSignature = - buildAndInitSignatureGenerator().generateCertification(userAttributes, publicSigningKey) + buildAndInitSignatureGenerator() + .generateCertification(userAttributes, signingKey.publicKey.pgpPublicKey) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt index 6e2694e3..90a7f18e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt @@ -7,8 +7,8 @@ package org.pgpainless.signature.builder import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SignatureType import org.pgpainless.key.protection.SecretKeyRingProtector @@ -26,13 +26,13 @@ class SubkeyBindingSignatureBuilder : AbstractSignatureBuilder") - .getPGPSecretKeyRing(); + OpenPGPKey alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); String bobUserId = "Bob "; - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId) - .getPGPSecretKeyRing(); + OpenPGPKey bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId); - PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob); + OpenPGPCertificate bobCertificate = bob.toCertificate(); CertifyCertificate.CertificationResult result = PGPainless.certify() .userIdOnCertificate(bobUserId, bobCertificate) @@ -50,35 +49,33 @@ public class CertifyCertificateTest { .build(); assertNotNull(result); - PGPSignature signature = result.getCertification(); + PGPSignature signature = result.getPgpSignature(); assertNotNull(signature); assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(signature.getSignatureType())); - assertEquals(alice.getPublicKey().getKeyID(), signature.getKeyID()); + assertEquals(alice.getPrimaryKey().getPGPPublicKey().getKeyID(), signature.getKeyID()); assertTrue(SignatureVerifier.verifyUserIdCertification( - bobUserId, signature, alice.getPublicKey(), bob.getPublicKey(), PGPainless.getPolicy(), DateUtil.now())); + bobUserId, signature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), PGPainless.getPolicy(), DateUtil.now())); - PGPPublicKeyRing bobCertified = result.getCertifiedCertificate(); - PGPPublicKey bobCertifiedKey = bobCertified.getPublicKey(); + OpenPGPCertificate bobCertified = result.getCertifiedCertificate(); + PGPPublicKey bobCertifiedKey = bobCertified.getPrimaryKey().getPGPPublicKey(); // There are 2 sigs now, bobs own and alice' assertEquals(2, CollectionUtils.iteratorToList(bobCertifiedKey.getSignaturesForID(bobUserId)).size()); List sigsByAlice = CollectionUtils.iteratorToList( - bobCertifiedKey.getSignaturesForKeyID(alice.getPublicKey().getKeyID())); + bobCertifiedKey.getSignaturesForKeyID(alice.getPrimaryKey().getPGPPublicKey().getKeyID())); assertEquals(1, sigsByAlice.size()); assertEquals(signature, sigsByAlice.get(0)); - assertFalse(Arrays.areEqual(bobCertificate.getEncoded(), bobCertified.getEncoded())); + assertFalse(Arrays.areEqual(bobCertificate.getPGPPublicKeyRing().getEncoded(), bobCertified.getPGPPublicKeyRing().getEncoded())); } @Test public void testKeyDelegation() throws PGPException, IOException { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ") - .getPGPSecretKeyRing(); + OpenPGPKey alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); + OpenPGPKey bob = PGPainless.generateKeyRing().modernKeyRing("Bob "); - PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob); + OpenPGPCertificate bobCertificate = bob.toCertificate(); CertifyCertificate.CertificationResult result = PGPainless.certify() .certificate(bobCertificate, Trustworthiness.fullyTrusted().introducer()) @@ -86,11 +83,12 @@ public class CertifyCertificateTest { .build(); assertNotNull(result); - PGPSignature signature = result.getCertification(); + OpenPGPSignature signature = result.getCertification(); + PGPSignature pgpSignature = signature.getSignature(); assertNotNull(signature); - assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(signature.getSignatureType())); - assertEquals(alice.getPublicKey().getKeyID(), signature.getKeyID()); - TrustSignature trustSignaturePacket = signature.getHashedSubPackets().getTrust(); + assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(pgpSignature.getSignatureType())); + assertEquals(alice.getPrimaryKey().getPGPPublicKey().getKeyID(), pgpSignature.getKeyID()); + TrustSignature trustSignaturePacket = pgpSignature.getHashedSubPackets().getTrust(); assertNotNull(trustSignaturePacket); Trustworthiness trustworthiness = new Trustworthiness(trustSignaturePacket.getTrustAmount(), trustSignaturePacket.getDepth()); assertTrue(trustworthiness.isFullyTrusted()); @@ -98,29 +96,27 @@ public class CertifyCertificateTest { assertFalse(trustworthiness.canIntroduce(1)); assertTrue(SignatureVerifier.verifyDirectKeySignature( - signature, alice.getPublicKey(), bob.getPublicKey(), PGPainless.getPolicy(), DateUtil.now())); + pgpSignature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), PGPainless.getPolicy(), DateUtil.now())); - PGPPublicKeyRing bobCertified = result.getCertifiedCertificate(); - PGPPublicKey bobCertifiedKey = bobCertified.getPublicKey(); + OpenPGPCertificate bobCertified = result.getCertifiedCertificate(); + PGPPublicKey bobCertifiedKey = bobCertified.getPrimaryKey().getPGPPublicKey(); List sigsByAlice = CollectionUtils.iteratorToList( - bobCertifiedKey.getSignaturesForKeyID(alice.getPublicKey().getKeyID())); + bobCertifiedKey.getSignaturesForKeyID(alice.getPrimaryKey().getPGPPublicKey().getKeyID())); assertEquals(1, sigsByAlice.size()); - assertEquals(signature, sigsByAlice.get(0)); + assertEquals(signature.getSignature(), sigsByAlice.get(0)); - assertFalse(Arrays.areEqual(bobCertificate.getEncoded(), bobCertified.getEncoded())); + assertFalse(Arrays.areEqual(bobCertificate.getPGPPublicKeyRing().getEncoded(), bobCertified.getPGPPublicKeyRing().getEncoded())); } @Test public void testPetNameCertification() { - PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - PGPSecretKeyRing bobKey = PGPainless.generateKeyRing() - .modernKeyRing("Bob ") - .getPGPSecretKeyRing(); + OpenPGPKey aliceKey = PGPainless.generateKeyRing() + .modernKeyRing("Alice "); + OpenPGPKey bobKey = PGPainless.generateKeyRing() + .modernKeyRing("Bob "); - PGPPublicKeyRing bobCert = PGPainless.extractCertificate(bobKey); + OpenPGPCertificate bobCert = bobKey.toCertificate(); String petName = "Bobby"; CertifyCertificate.CertificationResult result = PGPainless.certify() @@ -133,11 +129,12 @@ public class CertifyCertificateTest { } }); - PGPSignature certification = result.getCertification(); - assertEquals(aliceKey.getPublicKey().getKeyID(), certification.getKeyID()); - assertEquals(CertificationType.GENERIC.asSignatureType().getCode(), certification.getSignatureType()); + OpenPGPSignature certification = result.getCertification(); + PGPSignature signature = certification.getSignature(); + assertEquals(aliceKey.getPrimaryKey().getPGPPublicKey().getKeyID(), signature.getKeyID()); + assertEquals(CertificationType.GENERIC.asSignatureType().getCode(), signature.getSignatureType()); - PGPPublicKeyRing certWithPetName = result.getCertifiedCertificate(); + OpenPGPCertificate certWithPetName = result.getCertifiedCertificate(); KeyRingInfo info = PGPainless.inspectKeyRing(certWithPetName); assertTrue(info.getUserIds().contains(petName)); assertFalse(info.getValidUserIds().contains(petName)); @@ -145,13 +142,11 @@ public class CertifyCertificateTest { @Test public void testScopedDelegation() { - PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - PGPSecretKeyRing caKey = PGPainless.generateKeyRing() - .modernKeyRing("CA ") - .getPGPSecretKeyRing(); - PGPPublicKeyRing caCert = PGPainless.extractCertificate(caKey); + OpenPGPKey aliceKey = PGPainless.generateKeyRing() + .modernKeyRing("Alice "); + OpenPGPKey caKey = PGPainless.generateKeyRing() + .modernKeyRing("CA "); + OpenPGPCertificate caCert = caKey.toCertificate(); CertifyCertificate.CertificationResult result = PGPainless.certify() .certificate(caCert, Trustworthiness.fullyTrusted().introducer()) @@ -163,9 +158,10 @@ public class CertifyCertificateTest { } }); - PGPSignature certification = result.getCertification(); - assertEquals(SignatureType.DIRECT_KEY.getCode(), certification.getSignatureType()); + OpenPGPSignature certification = result.getCertification(); + PGPSignature signature = certification.getSignature(); + assertEquals(SignatureType.DIRECT_KEY.getCode(), signature.getSignatureType()); assertEquals("^.*<.+@example.com>.*$", - certification.getHashedSubPackets().getRegularExpression().getRegex()); + signature.getHashedSubPackets().getRegularExpression().getRegex()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java index e4275636..719ca980 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java @@ -14,10 +14,10 @@ import java.util.HashSet; import java.util.Set; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; @@ -33,10 +33,10 @@ public class SubkeyAndPrimaryKeyBindingSignatureTest { @Test public void testRebindSubkey() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + OpenPGPKey secretKeys = PGPainless.getInstance().toKey(TestKeys.getEmilSecretKeyRing()); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - PGPSecretKey primaryKey = secretKeys.getSecretKey(); + OpenPGPKey.OpenPGPSecretKey primaryKey = secretKeys.getPrimarySecretKey(); OpenPGPCertificate.OpenPGPComponentKey encryptionSubkey = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); assertNotNull(encryptionSubkey); @@ -57,9 +57,9 @@ public class SubkeyAndPrimaryKeyBindingSignatureTest { }); PGPSignature binding = sbb.build(encryptionSubkey.getPGPPublicKey()); - secretKeys = KeyRingUtils.injectCertification(secretKeys, encryptionSubkey.getPGPPublicKey(), binding); + PGPSecretKeyRing secretKeyRing = KeyRingUtils.injectCertification(secretKeys.getPGPKeyRing(), encryptionSubkey.getPGPPublicKey(), binding); - info = PGPainless.inspectKeyRing(secretKeys); + info = PGPainless.inspectKeyRing(secretKeyRing); assertEquals(Collections.singleton(HashAlgorithm.SHA512), info.getPreferredHashAlgorithms(encryptionSubkey.getKeyIdentifier())); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java index d9df7cf5..f3752519 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java @@ -4,11 +4,13 @@ package org.pgpainless.signature.builder; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.bcpg.sig.Exportable; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.SignatureType; @@ -28,28 +30,25 @@ public class ThirdPartyCertificationSignatureBuilderTest { @Test public void testInvalidSignatureTypeThrows() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice"); assertThrows(IllegalArgumentException.class, () -> new ThirdPartyCertificationSignatureBuilder( SignatureType.BINARY_DOCUMENT, // invalid type - secretKeys.getSecretKey(), + secretKeys.getPrimarySecretKey(), SecretKeyRingProtector.unprotectedKeys())); } @Test public void testUserIdCertification() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice"); - PGPPublicKeyRing bobsPublicKeys = PGPainless.extractCertificate( - PGPainless.generateKeyRing().modernKeyRing("Bob") - .getPGPSecretKeyRing()); + OpenPGPCertificate bobsPublicKeys = PGPainless.generateKeyRing().modernKeyRing("Bob") + .toCertificate(); ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder( - secretKeys.getSecretKey(), + secretKeys.getPrimarySecretKey(), SecretKeyRingProtector.unprotectedKeys()); signatureBuilder.applyCallback(new CertificationSubpackets.Callback() { @@ -59,16 +58,20 @@ public class ThirdPartyCertificationSignatureBuilderTest { } }); - PGPSignature certification = signatureBuilder.build(bobsPublicKeys, "Bob"); - assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(certification.getSignatureType())); - assertEquals(secretKeys.getPublicKey().getKeyID(), certification.getKeyID()); - assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), certification.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); - Exportable exportable = SignatureSubpacketsUtil.getExportableCertification(certification); + OpenPGPSignature certification = signatureBuilder.build(bobsPublicKeys, "Bob"); + PGPSignature signature = certification.getSignature(); + assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(signature.getSignatureType())); + assertTrue(KeyIdentifier.matches(signature.getKeyIdentifiers(), secretKeys.getKeyIdentifier(), true)); + assertArrayEquals( + secretKeys.getPrimaryKey().getPGPPublicKey().getFingerprint(), + signature.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); + Exportable exportable = SignatureSubpacketsUtil.getExportableCertification(signature); assertNotNull(exportable); assertFalse(exportable.isExportable()); // test sig correctness - certification.init(ImplementationFactory.getInstance().getPgpContentVerifierBuilderProvider(), secretKeys.getPublicKey()); - assertTrue(certification.verifyCertification("Bob", bobsPublicKeys.getPublicKey())); + signature.init(ImplementationFactory.getInstance().getPgpContentVerifierBuilderProvider(), + secretKeys.getPrimaryKey().getPGPPublicKey()); + assertTrue(signature.verifyCertification("Bob", bobsPublicKeys.getPrimaryKey().getPGPPublicKey())); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java index 9c860916..616b538e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java @@ -14,6 +14,8 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -32,12 +34,11 @@ public class ThirdPartyDirectKeySignatureBuilderTest { @Test public void testDirectKeySignatureBuilding() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice"); DirectKeySelfSignatureBuilder dsb = new DirectKeySelfSignatureBuilder( - secretKeys.getSecretKey(), + secretKeys.getPrimarySecretKey(), SecretKeyRingProtector.unprotectedKeys()); Date now = new Date(); @@ -54,11 +55,14 @@ public class ThirdPartyDirectKeySignatureBuilderTest { } }); - PGPSignature directKeySig = dsb.build(); + OpenPGPSignature directKeySig = dsb.build(); assertNotNull(directKeySig); - secretKeys = KeyRingUtils.injectCertification(secretKeys, secretKeys.getPublicKey(), directKeySig); + PGPSecretKeyRing secretKeyRing = KeyRingUtils.injectCertification( + secretKeys.getPGPSecretKeyRing(), + secretKeys.getPrimaryKey().getPGPPublicKey(), + directKeySig.getSignature()); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, t1); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, t1); PGPSignature signature = info.getLatestDirectKeySelfSignature(); assertNotNull(signature); @@ -69,7 +73,7 @@ public class ThirdPartyDirectKeySignatureBuilderTest { assertEquals(Collections.singleton(HashAlgorithm.SHA512), SignatureSubpacketsUtil.parsePreferredHashAlgorithms(signature)); assertEquals(Collections.singleton(CompressionAlgorithm.ZIP), SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signature)); assertEquals(Collections.singleton(SymmetricKeyAlgorithm.AES_256), SignatureSubpacketsUtil.parsePreferredSymmetricKeyAlgorithms(signature)); - assertEquals(secretKeys.getPublicKey().getKeyID(), signature.getKeyID()); - assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), signature.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); + assertEquals(secretKeyRing.getPublicKey().getKeyID(), signature.getKeyID()); + assertArrayEquals(secretKeyRing.getPublicKey().getFingerprint(), signature.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java index 37bc6fd3..8eb287c2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java @@ -6,15 +6,16 @@ package org.pgpainless.signature.builder; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.bcpg.sig.PrimaryUserID; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -51,18 +52,18 @@ public class UniversalSignatureBuilderTest { "=Dqbd\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - private PGPSecretKeyRing secretKeys; + private OpenPGPKey secretKeys; private final SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @BeforeEach public void parseKey() throws IOException { - secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); } @Test public void createPetNameSignature() throws PGPException { - PGPSecretKey signingKey = secretKeys.getSecretKey(); - PGPSignature archetype = signingKey.getPublicKey().getSignatures().next(); + OpenPGPKey.OpenPGPSecretKey signingKey = secretKeys.getPrimarySecretKey(); + PGPSignature archetype = signingKey.getPublicKey().getPGPPublicKey().getSignatures().next(); UniversalSignatureBuilder builder = new UniversalSignatureBuilder( signingKey, protector, archetype); @@ -77,11 +78,11 @@ public class UniversalSignatureBuilderTest { PGPSignatureGenerator generator = builder.getSignatureGenerator(); String petName = "mykey"; - PGPSignature petNameSig = generator.generateCertification(petName, secretKeys.getPublicKey()); + PGPSignature petNameSig = generator.generateCertification(petName, secretKeys.getPrimarySecretKey().getPublicKey().getPGPPublicKey()); assertEquals(SignatureType.POSITIVE_CERTIFICATION.getCode(), petNameSig.getSignatureType()); assertEquals(4, petNameSig.getVersion()); - assertEquals(signingKey.getKeyID(), petNameSig.getKeyID()); + assertTrue(KeyIdentifier.matches(petNameSig.getKeyIdentifiers(), signingKey.getKeyIdentifier(), true)); assertEquals(HashAlgorithm.SHA512.getAlgorithmId(), petNameSig.getHashAlgorithm()); assertEquals(KeyFlag.toBitmask(KeyFlag.CERTIFY_OTHER), petNameSig.getHashedSubPackets().getKeyFlags()); assertFalse(petNameSig.getHashedSubPackets().isExportable()); From d5a0c83abe216d39588bd8d669d3e1ce6b59d7a9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Feb 2025 15:34:42 +0100 Subject: [PATCH 048/265] Fix some tests --- .../decryption_verification/ConsumerOptions.kt | 4 ++-- .../modification/secretkeyring/SecretKeyRingEditor.kt | 2 +- .../PreventDecryptionUsingNonEncryptionKeyTest.java | 6 ++++-- .../EncryptionWithMissingKeyFlagsTest.java | 4 +++- ...SubkeyWithModifiedBindingSignatureSubpacketsTest.java | 9 +++++---- .../builder/ThirdPartyDirectKeySignatureBuilderTest.java | 2 +- 6 files changed, 16 insertions(+), 11 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 1ab218e5..9e85d71d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -329,8 +329,8 @@ class ConsumerOptions { fun isIgnoreMDCErrors(): Boolean = ignoreMDCErrors - fun setAllowDecryptionWithNonEncryptionKey(allow: Boolean): ConsumerOptions = apply { - allowDecryptionWithNonEncryptionKey = allow + fun setAllowDecryptionWithMissingKeyFlags(): ConsumerOptions = apply { + allowDecryptionWithNonEncryptionKey = true } fun getAllowDecryptionWithNonEncryptionKey(): Boolean { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index f22e44bb..55647f52 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -310,7 +310,7 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date if (subkeyAlgorithm.isSigningCapable()) { val pkBindingBuilder = PrimaryKeyBindingSignatureBuilder( - key.primarySecretKey, subkeyProtector, hashAlgorithm) + key.primarySecretKey, primaryKeyProtector, hashAlgorithm) pkBindingBuilder.hashedSubpackets.setSignatureCreationTime(referenceTime) hashedSubpackets.addEmbeddedSignature(pkBindingBuilder.build(primaryKey.publicKey)) } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java index 9a80667d..be30f40d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java @@ -195,7 +195,9 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(msgIn) - .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); + .withOptions(ConsumerOptions.get() + .setAllowDecryptionWithMissingKeyFlags() + .addDecryptionKey(secretKeys)); Streams.drain(decryptionStream); decryptionStream.close(); @@ -225,7 +227,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(msgIn) .withOptions(ConsumerOptions.get() - .setAllowDecryptionWithNonEncryptionKey(true) + .setAllowDecryptionWithMissingKeyFlags() .addDecryptionKey(secretKeys)); byte[] decrypted = Streams.readAll(decryptionStream); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java index 5fd4a674..10b1656c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java @@ -179,7 +179,9 @@ public class EncryptionWithMissingKeyFlagsTest { ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray()); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); + .withOptions(ConsumerOptions.get() + .setAllowDecryptionWithMissingKeyFlags() + .addDecryptionKey(secretKeys)); ByteArrayOutputStream plain = new ByteArrayOutputStream(); // Decrypt diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java index 043c1188..a3aea2f0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java @@ -43,6 +43,7 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { .modernKeyRing("Alice ") .getPGPSecretKeyRing(); KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); + List signingKeysBefore = before.getSigningSubkeys(); PGPKeyPair secretSubkey = KeyRingBuilder.generateKeyPair( KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).build(), @@ -60,11 +61,11 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { .done(); KeyRingInfo after = PGPainless.inspectKeyRing(secretKeys); - List signingKeys = after.getSigningSubkeys(); - signingKeys.removeAll(before.getSigningSubkeys()); - assertFalse(signingKeys.isEmpty()); + List signingKeysAfter = after.getSigningSubkeys(); + signingKeysAfter.removeAll(signingKeysBefore); + assertFalse(signingKeysAfter.isEmpty()); - OpenPGPCertificate.OpenPGPComponentKey newKey = signingKeys.get(0); + OpenPGPCertificate.OpenPGPComponentKey newKey = signingKeysAfter.get(0); Date newExpirationDate = after.getSubkeyExpirationDate(new OpenPgpV4Fingerprint(newKey.getPGPPublicKey())); assertNotNull(newExpirationDate); Date now = new Date(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java index 616b538e..d0e2aa39 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java @@ -66,7 +66,7 @@ public class ThirdPartyDirectKeySignatureBuilderTest { PGPSignature signature = info.getLatestDirectKeySelfSignature(); assertNotNull(signature); - assertEquals(directKeySig, signature); + assertEquals(directKeySig.getSignature(), signature); assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(signature.getSignatureType())); assertEquals(Collections.singletonList(KeyFlag.CERTIFY_OTHER), SignatureSubpacketsUtil.parseKeyFlags(signature)); From 2eca5f0ef084f31e2700bf7d7d41e8f7aa9644e5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Feb 2025 12:32:45 +0100 Subject: [PATCH 049/265] Fix addSubkey method --- .../secretkeyring/SecretKeyRingEditor.kt | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 55647f52..a5513cb3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -12,7 +12,9 @@ import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPSubkey import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.bouncycastle.openpgp.api.OpenPGPSignature import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.inspectKeyRing @@ -302,6 +304,13 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date ImplementationFactory.getInstance().v4FingerprintCalculator, false, subkeyProtector.getEncryptor(subkey.keyID)) + + val componentKey = + OpenPGPSecretKey( + OpenPGPSubkey(subkey.publicKey, key), + secretSubkey, + PGPainless.getInstance().implementation.pbeSecretKeyDecryptorBuilderProvider()) + val skBindingBuilder = SubkeyBindingSignatureBuilder(key.primarySecretKey, primaryKeyProtector, hashAlgorithm) skBindingBuilder.apply { @@ -309,8 +318,7 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date hashedSubpackets.setKeyFlags(flags) if (subkeyAlgorithm.isSigningCapable()) { val pkBindingBuilder = - PrimaryKeyBindingSignatureBuilder( - key.primarySecretKey, primaryKeyProtector, hashAlgorithm) + PrimaryKeyBindingSignatureBuilder(componentKey, subkeyProtector, hashAlgorithm) pkBindingBuilder.hashedSubpackets.setSignatureCreationTime(referenceTime) hashedSubpackets.addEmbeddedSignature(pkBindingBuilder.build(primaryKey.publicKey)) } From 35c6116643f0d1c8f28642e66e8041f5f8c20103 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Feb 2025 12:33:04 +0100 Subject: [PATCH 050/265] Migrate from MissingPublicKeyCallback to OpenPGPCertifcateProvider --- .../ConsumerOptions.kt | 12 ++++---- .../MissingPublicKeyCallback.kt | 28 ------------------- .../OpenPgpMessageInputStream.kt | 6 ++-- ...erifyWithMissingPublicKeyCallbackTest.java | 11 ++++---- 4 files changed, 15 insertions(+), 42 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 9e85d71d..55c781ae 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -12,6 +12,7 @@ import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKeyMaterialProvider.OpenPGPCertificateProvider import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory import org.pgpainless.PGPainless @@ -34,7 +35,7 @@ class ConsumerOptions { private val certificates = CertificateSource() private val detachedSignatures = mutableSetOf() - private var missingCertificateCallback: MissingPublicKeyCallback? = null + private var missingCertificateCallback: OpenPGPCertificateProvider? = null private var sessionKey: SessionKey? = null private val customDecryptorFactories = @@ -164,9 +165,10 @@ class ConsumerOptions { * @param callback callback * @return options */ - fun setMissingCertificateCallback(callback: MissingPublicKeyCallback): ConsumerOptions = apply { - this.missingCertificateCallback = callback - } + fun setMissingCertificateCallback(callback: OpenPGPCertificateProvider): ConsumerOptions = + apply { + this.missingCertificateCallback = callback + } /** * Attempt decryption using a session key. @@ -283,7 +285,7 @@ class ConsumerOptions { * * @return missing public key callback */ - fun getMissingCertificateCallback(): MissingPublicKeyCallback? = missingCertificateCallback + fun getMissingCertificateCallback(): OpenPGPCertificateProvider? = missingCertificateCallback /** * Return the [SecretKeyRingProtector] for the given [PGPSecretKeyRing]. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt deleted file mode 100644 index 9da5eb06..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MissingPublicKeyCallback.kt +++ /dev/null @@ -1,28 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.decryption_verification - -import org.bouncycastle.bcpg.KeyIdentifier -import org.bouncycastle.openpgp.api.OpenPGPCertificate - -fun interface MissingPublicKeyCallback { - - /** - * This method gets called if we encounter a signature made by a key which was not provided for - * signature verification. If you cannot provide the requested key, it is safe to return null - * here. PGPainless will then continue verification with the next signature. - * - * Note: The key-id might belong to a subkey, so be aware that when looking up the - * [OpenPGPCertificate], you may not only search for the key-id on the key rings primary key! - * - * It would be super cool to provide the OpenPgp fingerprint here, but unfortunately - * one-pass-signatures only contain the key id. - * - * @param keyIdentifier ID of the missing signing (sub)key - * @return keyring containing the key or null - * @see RFC - */ - fun onMissingPublicKeyEncountered(keyIdentifier: KeyIdentifier): OpenPGPCertificate? -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 422fc25a..680344ca 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -912,7 +912,7 @@ class OpenPgpMessageInputStream( if (options.getMissingCertificateCallback() != null) { return options .getMissingCertificateCallback()!! - .onMissingPublicKeyEncountered(signature.keyIdentifiers.first()) + .provide(signature.keyIdentifiers.first()) } return null // TODO: Missing cert for sig } @@ -924,9 +924,7 @@ class OpenPgpMessageInputStream( } if (options.getMissingCertificateCallback() != null) { - return options - .getMissingCertificateCallback()!! - .onMissingPublicKeyEncountered(signature.keyIdentifier) + return options.getMissingCertificateCallback()!!.provide(signature.keyIdentifier) } return null // TODO: Missing cert for sig } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java index 3bc2c5f0..c8112cfa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java @@ -18,6 +18,7 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPKeyMaterialProvider; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -32,9 +33,9 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import javax.annotation.Nonnull; /** - * Test functionality of the {@link MissingPublicKeyCallback} which is called when during signature verification, - * a signature is encountered which was made by a key that was not provided in - * {@link ConsumerOptions#addVerificationCert(PGPPublicKeyRing)}. + * Test functionality of the {@link org.bouncycastle.openpgp.api.OpenPGPKeyMaterialProvider.OpenPGPCertificateProvider} + * which is called when during signature verification, a signature is encountered which was made by a key that was + * not provided in {@link ConsumerOptions#addVerificationCert(PGPPublicKeyRing)}. */ public class VerifyWithMissingPublicKeyCallbackTest { @@ -63,9 +64,9 @@ public class VerifyWithMissingPublicKeyCallbackTest { .onInputStream(new ByteArrayInputStream(signOut.toByteArray())) .withOptions(new ConsumerOptions() .addVerificationCert(unrelatedKeys) - .setMissingCertificateCallback(new MissingPublicKeyCallback() { + .setMissingCertificateCallback(new OpenPGPKeyMaterialProvider.OpenPGPCertificateProvider() { @Override - public OpenPGPCertificate onMissingPublicKeyEncountered(@Nonnull KeyIdentifier keyIdentifier) { + public OpenPGPCertificate provide(@Nonnull KeyIdentifier keyIdentifier) { assertEquals(signingKey.getKeyIdentifier(), keyIdentifier, "Signing key-ID mismatch."); return signingPubKeys; } From 6eaa4836506009859044a313c79d445f8d6e4a1f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Feb 2025 13:47:53 +0100 Subject: [PATCH 051/265] Improve KeyRingInfos getPreferences implementations --- .../pgpainless/algorithm/AEADCipherMode.kt | 15 +++ .../OpenPGPCertificateExtensions.kt | 4 + .../extensions/OpenPGPKeyExtensions.kt | 4 + .../PreferredAEADCipherSuitesExtensions.kt | 12 +++ .../PreferredAlgorithmsExtensions.kt | 25 +++++ .../org/pgpainless/key/info/KeyAccessor.kt | 4 + .../org/pgpainless/key/info/KeyRingInfo.kt | 93 +++++++++++++------ .../subpackets/SignatureSubpacketsUtil.kt | 9 ++ 8 files changed, 139 insertions(+), 27 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADCipherMode.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADCipherMode.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADCipherMode.kt new file mode 100644 index 00000000..5cd29e6c --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADCipherMode.kt @@ -0,0 +1,15 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.algorithm + +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites.Combination + +data class AEADCipherMode(val aeadAlgorithm: AEADAlgorithm, val ciphermode: SymmetricKeyAlgorithm) { + constructor( + combination: Combination + ) : this( + AEADAlgorithm.requireFromId(combination.aeadAlgorithm), + SymmetricKeyAlgorithm.requireFromId(combination.symmetricAlgorithm)) +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt index 31e4fae6..8cc954fa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.bouncycastle.extensions import org.bouncycastle.openpgp.PGPOnePassSignature diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt index c78a79db..6be48f4a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.bouncycastle.extensions import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt new file mode 100644 index 00000000..fec2dcc1 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt @@ -0,0 +1,12 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.bouncycastle.extensions + +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites +import org.pgpainless.algorithm.AEADCipherMode + +fun PreferredAEADCiphersuites?.toAEADCipherModes(): Set { + return this?.algorithms?.asSequence()?.map { AEADCipherMode(it) }?.toSet() ?: setOf() +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt new file mode 100644 index 00000000..e78e7568 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt @@ -0,0 +1,25 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.bouncycastle.extensions + +import org.bouncycastle.bcpg.sig.PreferredAlgorithms +import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.HashAlgorithm +import org.pgpainless.algorithm.SymmetricKeyAlgorithm + +fun PreferredAlgorithms?.toHashAlgorithms(): Set { + return this?.preferences?.asSequence()?.map { HashAlgorithm.requireFromId(it) }?.toSet() + ?: setOf() +} + +fun PreferredAlgorithms?.toSymmetricKeyAlgorithms(): Set { + return this?.preferences?.asSequence()?.map { SymmetricKeyAlgorithm.requireFromId(it) }?.toSet() + ?: setOf() +} + +fun PreferredAlgorithms?.toCompressionAlgorithms(): Set { + return this?.preferences?.asSequence()?.map { CompressionAlgorithm.requireFromId(it) }?.toSet() + ?: setOf() +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt index 935c4f48..b16c5b3b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt @@ -5,6 +5,7 @@ package org.pgpainless.key.info import org.bouncycastle.openpgp.PGPSignature +import org.pgpainless.algorithm.AEADCipherMode import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SymmetricKeyAlgorithm @@ -40,6 +41,9 @@ abstract class KeyAccessor(protected val info: KeyRingInfo, protected val key: S get() = SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signatureWithPreferences) + val preferredAEADCipherSuites: Set + get() = SignatureSubpacketsUtil.parsePreferredAEADCipherSuites(signatureWithPreferences) + /** * Address the key via a user-id (e.g. `Alice `). In this case we are * sourcing preferred algorithms from the user-id certification first. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 0d1480fa..35aa03e5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -5,6 +5,7 @@ package org.pgpainless.key.info import java.util.* +import kotlin.NoSuchElementException import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* @@ -249,6 +250,11 @@ class KeyRingInfo( primaryUserId?.let { getPreferredCompressionAlgorithms(it) } ?: getPreferredCompressionAlgorithms(keyIdentifier) + val preferredAEADCipherSuites: Set + get() = + primaryUserId?.let { getPreferredAEADCipherSuites(it) } + ?: getPreferredAEADCipherSuites(keyIdentifier) + /** * Return the expiration date of the subkey with the provided fingerprint. * @@ -649,70 +655,103 @@ class KeyRingInfo( /** [HashAlgorithm] preferences of the given user-ID. */ fun getPreferredHashAlgorithms(userId: CharSequence): Set { - return getKeyAccessor(userId, keyIdentifier).preferredHashAlgorithms + return keys + .getUserId(userId.toString()) + ?.getHashAlgorithmPreferences(referenceDate) + ?.toHashAlgorithms() + ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } fun getPreferredHashAlgorithms(keyIdentifier: KeyIdentifier): Set { - return getPreferredHashAlgorithms(keyIdentifier.keyId) + return keys + .getKey(keyIdentifier) + ?.getHashAlgorithmPreferences(referenceDate) + ?.toHashAlgorithms() + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.") } /** [HashAlgorithm] preferences of the given key. */ + @Deprecated("Pass KeyIdentifier instead.") fun getPreferredHashAlgorithms(keyId: Long): Set { - return KeyAccessor.SubKey(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) - .preferredHashAlgorithms + return getPreferredHashAlgorithms(KeyIdentifier(keyId)) } /** [SymmetricKeyAlgorithm] preferences of the given user-ID. */ fun getPreferredSymmetricKeyAlgorithms(userId: CharSequence): Set { - return getKeyAccessor(userId, keyIdentifier).preferredSymmetricKeyAlgorithms + return keys + .getUserId(userId.toString()) + ?.getSymmetricCipherPreferences(referenceDate) + ?.toSymmetricKeyAlgorithms() + ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } fun getPreferredSymmetricKeyAlgorithms( keyIdentifier: KeyIdentifier ): Set { - return getPreferredSymmetricKeyAlgorithms(keyIdentifier.keyId) + return keys + .getKey(keyIdentifier) + ?.getSymmetricCipherPreferences(referenceDate) + ?.toSymmetricKeyAlgorithms() + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.") } /** [SymmetricKeyAlgorithm] preferences of the given key. */ + @Deprecated("Pass KeyIdentifier instead.") fun getPreferredSymmetricKeyAlgorithms(keyId: Long): Set { - return KeyAccessor.SubKey(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) - .preferredSymmetricKeyAlgorithms + return getPreferredSymmetricKeyAlgorithms(KeyIdentifier(keyId)) } /** [CompressionAlgorithm] preferences of the given user-ID. */ fun getPreferredCompressionAlgorithms(userId: CharSequence): Set { - return getKeyAccessor(userId, keyIdentifier).preferredCompressionAlgorithms + return keys + .getUserId(userId.toString()) + ?.getCompressionAlgorithmPreferences(referenceDate) + ?.toCompressionAlgorithms() + ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } fun getPreferredCompressionAlgorithms(keyIdentifier: KeyIdentifier): Set { - return getPreferredCompressionAlgorithms(keyIdentifier.keyId) + return keys + .getKey(keyIdentifier) + ?.getCompressionAlgorithmPreferences(referenceDate) + ?.toCompressionAlgorithms() + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.") } /** [CompressionAlgorithm] preferences of the given key. */ fun getPreferredCompressionAlgorithms(keyId: Long): Set { - return KeyAccessor.SubKey(this, SubkeyIdentifier(keys.pgpKeyRing, keyId)) - .preferredCompressionAlgorithms + return getPreferredCompressionAlgorithms(KeyIdentifier(keyId)) + } + + fun getPreferredAEADCipherSuites(userId: CharSequence): Set { + return keys + .getUserId(userId.toString()) + ?.getAEADCipherSuitePreferences(referenceDate) + ?.toAEADCipherModes() + ?: throw NoSuchElementException("No user-id '$userId' found on this key.") + } + + fun getPreferredAEADCipherSuites(keyIdentifier: KeyIdentifier): Set { + return keys + .getKey(keyIdentifier) + ?.getAEADCipherSuitePreferences(referenceDate) + ?.toAEADCipherModes() + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.") + } + + @Deprecated("Pass KeyIdentifier instead.") + fun getPreferredAEADCipherSuites(keyId: Long): Set { + return getPreferredAEADCipherSuites(KeyIdentifier(keyId)) } val isUsableForThirdPartyCertification: Boolean = isKeyValidlyBound(keyIdentifier) && getKeyFlagsOf(keyIdentifier).contains(KeyFlag.CERTIFY_OTHER) - private fun getKeyAccessor(userId: CharSequence?, keyIdentifier: KeyIdentifier): KeyAccessor { - if (getPublicKey(keyIdentifier) == null) { - throw NoSuchElementException("No subkey with key-id $keyIdentifier found on this key.") - } - if (userId != null && !userIds.contains(userId)) { - throw NoSuchElementException("No user-id '$userId' found on this key.") - } - return if (userId != null) { - KeyAccessor.ViaUserId( - this, SubkeyIdentifier(keys.pgpKeyRing, keyIdentifier.keyId), userId) - } else { - KeyAccessor.ViaKeyId(this, SubkeyIdentifier(keys.pgpKeyRing, keyIdentifier.keyId)) - } - } - companion object { /** Evaluate the key for the given signature. */ diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.kt index dcc85630..15ee2897 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.kt @@ -269,6 +269,15 @@ class SignatureSubpacketsUtil { ?.toSet() ?: setOf() + @JvmStatic + fun parsePreferredAEADCipherSuites(signature: PGPSignature): Set = + getPreferredAeadAlgorithms(signature) + ?.algorithms + ?.asSequence() + ?.map { AEADCipherMode(it) } + ?.toSet() + ?: setOf() + @JvmStatic fun getPreferredAeadAlgorithms(signature: PGPSignature): PreferredAEADCiphersuites? = hashed(signature, SignatureSubpacket.preferredAEADAlgorithms) From c886b56faf00cf5cac00bdecd5aad3677d028289 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Feb 2025 13:40:56 +0100 Subject: [PATCH 052/265] Replace KeyRingInfo.publicKey with primaryKey --- .../org/pgpainless/key/info/KeyRingInfo.kt | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 35aa03e5..80e3f6c9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -47,13 +47,15 @@ class KeyRingInfo( referenceDate: Date = Date() ) : this(keys, PGPainless.getPolicy(), referenceDate) - // private val signatures: Signatures = Signatures(keys.pgpKeyRing, referenceDate, policy) + /** Primary [OpenPGPCertificate.OpenPGPPrimaryKey]. */ + val primaryKey: OpenPGPCertificate.OpenPGPPrimaryKey = keys.primaryKey /** Primary [OpenPGPCertificate.OpenPGPPrimaryKey]. */ - val publicKey: OpenPGPCertificate.OpenPGPPrimaryKey = keys.primaryKey + @Deprecated("Use primaryKey instead.", replaceWith = ReplaceWith("primaryKey")) + val publicKey: OpenPGPCertificate.OpenPGPPrimaryKey = primaryKey /** Primary key ID. */ - val keyIdentifier: KeyIdentifier = publicKey.keyIdentifier + val keyIdentifier: KeyIdentifier = primaryKey.keyIdentifier @Deprecated( "Use of raw key-ids is deprecated in favor of key-identifiers", @@ -61,17 +63,17 @@ class KeyRingInfo( val keyId: Long = keyIdentifier.keyId /** Primary key fingerprint. */ - val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(publicKey.pgpPublicKey) + val fingerprint: OpenPgpFingerprint = OpenPgpFingerprint.of(primaryKey.pgpPublicKey) /** All User-IDs (valid, expired, revoked). */ - val userIds: List = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(publicKey.pgpPublicKey) + val userIds: List = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(primaryKey.pgpPublicKey) /** Primary User-ID. */ val primaryUserId: String? = keys.getPrimaryUserId(referenceDate)?.userId /** Revocation State. */ val revocationState: RevocationState = - publicKey.getLatestSelfSignature(referenceDate)?.let { + primaryKey.getLatestSelfSignature(referenceDate)?.let { if (!it.isRevocation) RevocationState.notRevoked() else if (it.isHardRevocation) RevocationState.hardRevoked() else RevocationState.softRevoked(it.creationTime) @@ -94,7 +96,7 @@ class KeyRingInfo( } else null /** OpenPGP key version. */ - val version: Int = publicKey.version + val version: Int = primaryKey.version /** * Return all [public component keys][OpenPGPComponentKey] of this key ring. The first key in @@ -133,18 +135,18 @@ class KeyRingInfo( /** Newest direct-key self-signature on the primary key. */ val latestDirectKeySelfSignature: PGPSignature? = - publicKey.getLatestDirectKeySelfSignature(referenceDate)?.signature + primaryKey.getLatestDirectKeySelfSignature(referenceDate)?.signature /** Newest primary-key revocation self-signature. */ val revocationSelfSignature: PGPSignature? = - publicKey.getLatestKeyRevocationSignature(referenceDate)?.signature + primaryKey.getLatestKeyRevocationSignature(referenceDate)?.signature /** Public-key encryption-algorithm of the primary key. */ val algorithm: PublicKeyAlgorithm = - PublicKeyAlgorithm.requireFromId(publicKey.pgpPublicKey.algorithm) + PublicKeyAlgorithm.requireFromId(primaryKey.pgpPublicKey.algorithm) /** Creation date of the primary key. */ - val creationDate: Date = publicKey.creationTime!! + val creationDate: Date = primaryKey.creationTime!! /** Latest date at which the key was modified (either by adding a subkey or self-signature). */ val lastModified: Date = keys.lastModificationDate @@ -186,14 +188,14 @@ class KeyRingInfo( get() { val directKeyExpirationDate: Date? = latestDirectKeySelfSignature?.let { - getKeyExpirationTimeAsDate(it, publicKey.pgpPublicKey) + getKeyExpirationTimeAsDate(it, primaryKey.pgpPublicKey) } val possiblyExpiredPrimaryUserId = getPossiblyExpiredPrimaryUserId() val primaryUserIdCertification = possiblyExpiredPrimaryUserId?.let { getLatestUserIdCertification(it) } val userIdExpirationDate: Date? = primaryUserIdCertification?.let { - getKeyExpirationTimeAsDate(it, publicKey.pgpPublicKey) + getKeyExpirationTimeAsDate(it, primaryKey.pgpPublicKey) } if (latestDirectKeySelfSignature == null && primaryUserIdCertification == null) { @@ -276,7 +278,7 @@ class KeyRingInfo( * @return expiration date */ fun getSubkeyExpirationDate(keyId: Long): Date? { - if (publicKey.keyIdentifier.keyId == keyId) return primaryKeyExpirationDate + if (primaryKey.keyIdentifier.keyId == keyId) return primaryKeyExpirationDate val subkey = getPublicKey(keyId) ?: throw NoSuchElementException( @@ -353,7 +355,7 @@ class KeyRingInfo( ): List { if (userId != null && !isUserIdValid(userId)) { throw UnboundUserIdException( - OpenPgpFingerprint.of(publicKey.pgpPublicKey), + OpenPgpFingerprint.of(primaryKey.pgpPublicKey), userId.toString(), getLatestUserIdCertification(userId), getUserIdRevocation(userId)) @@ -488,7 +490,7 @@ class KeyRingInfo( * @return list of key flags */ fun getKeyFlagsOf(keyId: Long): List = - if (keyId == publicKey.keyIdentifier.keyId) { + if (keyId == primaryKey.keyIdentifier.keyId) { latestDirectKeySelfSignature?.let { sig -> SignatureSubpacketsUtil.parseKeyFlags(sig)?.let { flags -> return flags @@ -597,7 +599,7 @@ class KeyRingInfo( * key of the key. */ fun getPublicKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? { - require(publicKey.keyIdentifier.equals(identifier.keyIdentifier)) { + require(primaryKey.keyIdentifier.equals(identifier.keyIdentifier)) { "Mismatching primary key ID." } return getPublicKey(identifier.componentKeyIdentifier) @@ -645,7 +647,7 @@ class KeyRingInfo( fun isUserIdValid(userId: CharSequence): Boolean { var valid = isUserIdBound(userId) if (primaryUserId != null) valid = valid && isUserIdBound(primaryUserId) - valid = valid && isKeyValidlyBound(publicKey.keyIdentifier) + valid = valid && isKeyValidlyBound(primaryKey.keyIdentifier) return valid } From f37d4a4450535cf0acaef582f999324cd521126b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Feb 2025 14:59:39 +0100 Subject: [PATCH 053/265] Complete migration of KeyRingInfo to KeyIdentifier, javadoc --- .../org/pgpainless/key/info/KeyRingInfo.kt | 242 +++++++++++++----- 1 file changed, 185 insertions(+), 57 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 80e3f6c9..f7d873d0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -6,7 +6,6 @@ package org.pgpainless.key.info import java.util.* import kotlin.NoSuchElementException -import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate @@ -232,6 +231,14 @@ class KeyRingInfo( val isUsableForSigning: Boolean = isSigningCapable && signingSubkeys.any { isSecretKeyAvailable(it.keyIdentifier) } + /** + * True, if the [OpenPGPCertificate] can be used to certify other + * [OpenPGPCertificates][OpenPGPCertificate]. + */ + val isUsableForThirdPartyCertification: Boolean = + isKeyValidlyBound(keyIdentifier) && + getKeyFlagsOf(keyIdentifier).contains(KeyFlag.CERTIFY_OTHER) + /** [HashAlgorithm] preferences of the primary user-ID or if absent, of the primary key. */ val preferredHashAlgorithms: Set get() = @@ -252,6 +259,7 @@ class KeyRingInfo( primaryUserId?.let { getPreferredCompressionAlgorithms(it) } ?: getPreferredCompressionAlgorithms(keyIdentifier) + /** [AEADCipherMode] preferences of the primary user-id, or if absent, the primary key. */ val preferredAEADCipherSuites: Set get() = primaryUserId?.let { getPreferredAEADCipherSuites(it) } @@ -264,11 +272,24 @@ class KeyRingInfo( * @return expiration date or null */ fun getSubkeyExpirationDate(fingerprint: OpenPgpFingerprint): Date? { - return getSubkeyExpirationDate(fingerprint.keyId) + return getSubkeyExpirationDate(fingerprint.keyIdentifier) } + /** + * Return the expiration date of the [OpenPGPComponentKey] with the provided [keyIdentifier]. + * + * @param keyIdentifier subkey KeyIdentifier + * @return expiration date + */ fun getSubkeyExpirationDate(keyIdentifier: KeyIdentifier): Date? { - return getSubkeyExpirationDate(keyIdentifier.keyId) + if (primaryKey.keyIdentifier.matches(keyIdentifier)) return primaryKeyExpirationDate + val subkey = + getPublicKey(keyIdentifier) + ?: throw NoSuchElementException("No subkey with key-ID ${keyIdentifier} found.") + val bindingSig = + getCurrentSubkeyBindingSignature(keyIdentifier) + ?: throw AssertionError("Subkey has no valid binding signature.") + return bindingSig.getKeyExpirationDate(subkey.creationTime) } /** @@ -277,16 +298,9 @@ class KeyRingInfo( * @param keyId subkey keyId * @return expiration date */ + @Deprecated("Pass in a KeyIdentifer instead.") fun getSubkeyExpirationDate(keyId: Long): Date? { - if (primaryKey.keyIdentifier.keyId == keyId) return primaryKeyExpirationDate - val subkey = - getPublicKey(keyId) - ?: throw NoSuchElementException( - "No subkey with key-ID ${keyId.openPgpKeyId()} found.") - val bindingSig = - getCurrentSubkeyBindingSignature(keyId) - ?: throw AssertionError("Subkey has no valid binding signature.") - return bindingSig.getKeyExpirationDate(subkey.creationTime) + return getSubkeyExpirationDate(KeyIdentifier(keyId)) } /** @@ -465,32 +479,51 @@ class KeyRingInfo( keys.getUserId(userId.toString())?.getRevocation(referenceDate)?.signature /** - * Return the current binding signature for the subkey with the given key-ID. + * Return the current binding signature for the subkey with the given [keyIdentifier]. * + * @param keyIdentifier subkey identifier * @return current subkey binding signature */ + fun getCurrentSubkeyBindingSignature(keyIdentifier: KeyIdentifier): PGPSignature? = + keys.getKey(keyIdentifier)?.getCertification(referenceDate)?.signature + + /** + * Return the current binding signature for the subkey with the given key-ID. + * + * @param keyId key-ID + * @return current subkey binding signature + */ + @Deprecated("Pass in a KeyIdentifier instead.") fun getCurrentSubkeyBindingSignature(keyId: Long): PGPSignature? = - keys.getKey(KeyIdentifier(keyId))?.getCertification(referenceDate)?.signature + getCurrentSubkeyBindingSignature(KeyIdentifier(keyId)) + + /** + * Return the current revocation signature for the subkey with the given [keyIdentifier]. + * + * @param keyIdentifier subkey identifier + * @return current subkey revocation signature + */ + fun getSubkeyRevocationSignature(keyIdentifier: KeyIdentifier): PGPSignature? = + keys.getKey(keyIdentifier)?.getRevocation(referenceDate)?.signature /** * Return the current revocation signature for the subkey with the given key-ID. * * @return current subkey revocation signature */ + @Deprecated("Pass in a KeyIdentifier instead.") fun getSubkeyRevocationSignature(keyId: Long): PGPSignature? = - keys.getKey(KeyIdentifier(keyId))?.getRevocation(referenceDate)?.signature - - fun getKeyFlagsOf(keyIdentifier: KeyIdentifier): List = - getKeyFlagsOf(keyIdentifier.keyId) + getSubkeyRevocationSignature(KeyIdentifier(keyId)) /** - * Return a list of [KeyFlags][KeyFlag] that apply to the subkey with the provided key id. + * Return a list of [KeyFlags][KeyFlag] that apply to the subkey with the provided + * [keyIdentifier]. * - * @param keyId key-id + * @param keyIdentifier keyIdentifier * @return list of key flags */ - fun getKeyFlagsOf(keyId: Long): List = - if (keyId == primaryKey.keyIdentifier.keyId) { + fun getKeyFlagsOf(keyIdentifier: KeyIdentifier): List = + if (primaryKey.keyIdentifier.matches(keyIdentifier)) { latestDirectKeySelfSignature?.let { sig -> SignatureSubpacketsUtil.parseKeyFlags(sig)?.let { flags -> return flags @@ -505,7 +538,7 @@ class KeyRingInfo( } listOf() } else { - getCurrentSubkeyBindingSignature(keyId)?.let { + getCurrentSubkeyBindingSignature(keyIdentifier)?.let { SignatureSubpacketsUtil.parseKeyFlags(it)?.let { flags -> return flags } @@ -513,6 +546,15 @@ class KeyRingInfo( listOf() } + /** + * Return a list of [KeyFlags][KeyFlag] that apply to the subkey with the provided key id. + * + * @param keyId key-id + * @return list of key flags + */ + @Deprecated("Pass in a KeyIdentifier instead.") + fun getKeyFlagsOf(keyId: Long): List = getKeyFlagsOf(KeyIdentifier(keyId)) + /** * Return a list of [KeyFlags][KeyFlag] that apply to the given user-id. * @@ -530,13 +572,35 @@ class KeyRingInfo( "While user-id '$userId' was reported as valid, there appears to be no certification for it.") } + /** + * Return the [OpenPGPComponentKey] with the given [keyIdentifier] from this + * [OpenPGPCertificate] or [OpenPGPKey]. + * + * @param keyIdentifier keyIdentifier + * @return public component key or null + */ + fun getPublicKey(keyIdentifier: KeyIdentifier): OpenPGPComponentKey? = + keys.getKey(keyIdentifier) + /** * Return the public key with the given key id from the provided key ring. * * @param keyId key id * @return public key or null */ - fun getPublicKey(keyId: Long): OpenPGPComponentKey? = keys.getKey(KeyIdentifier(keyId)) + @Deprecated("Pass in a KeyIdentifier instead.") + fun getPublicKey(keyId: Long): OpenPGPComponentKey? = getPublicKey(KeyIdentifier(keyId)) + + /** + * Return the [OpenPGPSecretKey] component with the given [keyIdentifier]. + * + * @param keyIdentifier keyIdentifier + * @return secret key or null + */ + fun getSecretKey(keyIdentifier: KeyIdentifier): OpenPGPSecretKey? = + if (keys.isSecretKey) { + (keys as OpenPGPKey).getSecretKey(keyIdentifier) + } else null /** * Return the secret key with the given key id. @@ -544,20 +608,12 @@ class KeyRingInfo( * @param keyId key id * @return secret key or null */ + @Deprecated("Pass in a KeyIdentifier instead.") fun getSecretKey(keyId: Long): OpenPGPSecretKey? = getSecretKey(KeyIdentifier(keyId)) - fun getSecretKey(keyIdentifier: KeyIdentifier): OpenPGPSecretKey? = - if (keys.isSecretKey) { - (keys as OpenPGPKey).getSecretKey(keyIdentifier) - } else null - - fun isSecretKeyAvailable(keyId: Long): Boolean { - return isSecretKeyAvailable(KeyIdentifier(keyId)) - } - /** - * Return true, if the secret-key with the given key-ID is available (i.e. not moved to a - * smart-card). + * Return true, if the secret-key with the given [keyIdentifier] is available (i.e. part of the + * certificate AND not moved to a smart-card). * * @return availability of the secret key */ @@ -569,6 +625,11 @@ class KeyRingInfo( ?: false // Missing secret key } + @Deprecated("Pass in a KeyIdentifier instead.") + fun isSecretKeyAvailable(keyId: Long): Boolean { + return isSecretKeyAvailable(KeyIdentifier(keyId)) + } + /** * Return the public key with the given fingerprint. * @@ -576,7 +637,7 @@ class KeyRingInfo( * @return public key or null */ fun getPublicKey(fingerprint: OpenPgpFingerprint): OpenPGPComponentKey? = - keys.getKey(KeyIdentifier(fingerprint.bytes)) + keys.getKey(fingerprint.keyIdentifier) /** * Return the secret key with the given fingerprint. @@ -585,11 +646,7 @@ class KeyRingInfo( * @return secret key or null */ fun getSecretKey(fingerprint: OpenPgpFingerprint): OpenPGPSecretKey? = - getSecretKey(KeyIdentifier(fingerprint.bytes)) - - fun getPublicKey(keyIdentifier: KeyIdentifier): OpenPGPComponentKey? { - return keys.getKey(keyIdentifier) - } + getSecretKey(fingerprint.keyIdentifier) /** * Return the public key matching the given [SubkeyIdentifier]. @@ -599,7 +656,7 @@ class KeyRingInfo( * key of the key. */ fun getPublicKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? { - require(primaryKey.keyIdentifier.equals(identifier.keyIdentifier)) { + require(primaryKey.keyIdentifier.matches(identifier.keyIdentifier)) { "Mismatching primary key ID." } return getPublicKey(identifier.componentKeyIdentifier) @@ -612,11 +669,22 @@ class KeyRingInfo( * @throws IllegalArgumentException if the identifier's primary key does not match the primary * key of the key. */ - fun getSecretKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? = - getSecretKey(identifier.componentKeyIdentifier) + fun getSecretKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? { + require(primaryKey.keyIdentifier.matches(identifier.keyIdentifier)) { + "Mismatching primary key ID." + } + return getSecretKey(identifier.componentKeyIdentifier) + } + /** + * Return true if the [OpenPGPComponentKey] with the given [keyIdentifier] is bound to the + * [OpenPGPCertificate] properly. + * + * @param keyIdentifier identifier of the component key + * @return true if key is bound validly + */ fun isKeyValidlyBound(keyIdentifier: KeyIdentifier): Boolean { - return isKeyValidlyBound(keyIdentifier.keyId) + return keys.getKey(keyIdentifier)?.isBoundAt(referenceDate) ?: false } /** @@ -625,9 +693,8 @@ class KeyRingInfo( * @param keyId key id * @return true if key is bound validly */ - fun isKeyValidlyBound(keyId: Long): Boolean { - return keys.getKey(KeyIdentifier(keyId))?.isBoundAt(referenceDate) ?: false - } + @Deprecated("Pass in a KeyIdentifier instead.") + fun isKeyValidlyBound(keyId: Long): Boolean = isKeyValidlyBound(KeyIdentifier(keyId)) /** * Return the current primary user-id of the key ring. @@ -643,7 +710,12 @@ class KeyRingInfo( return keys.primaryKey.getExplicitOrImplicitPrimaryUserId(referenceDate)?.userId } - /** Return true, if the primary user-ID, as well as the given user-ID are valid and bound. */ + /** + * Return true, if the primary user-ID, as well as the given user-ID are valid and bound. + * + * @param userId user-id + * @return true if the primary user-ID and the given user-ID are valid. + */ fun isUserIdValid(userId: CharSequence): Boolean { var valid = isUserIdBound(userId) if (primaryUserId != null) valid = valid && isUserIdBound(primaryUserId) @@ -651,11 +723,21 @@ class KeyRingInfo( return valid } - /** Return true, if the given user-ID is validly bound. */ + /** + * Return true, if the given user-ID is validly bound. + * + * @param userId user-id + * @return true if the user-id is validly bound to the [OpenPGPCertificate] + */ fun isUserIdBound(userId: CharSequence): Boolean = keys.getUserId(userId.toString())?.isBoundAt(referenceDate) ?: false - /** [HashAlgorithm] preferences of the given user-ID. */ + /** + * Return the [HashAlgorithm] preferences of the given [userId]. + * + * @param userId user-id + * @return ordered set of preferred [HashAlgorithms][HashAlgorithm] (descending order) + */ fun getPreferredHashAlgorithms(userId: CharSequence): Set { return keys .getUserId(userId.toString()) @@ -664,6 +746,12 @@ class KeyRingInfo( ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } + /** + * Return the [HashAlgorithm] preferences of the component key with the given [KeyIdentifier]. + * + * @param keyIdentifier identifier of a [OpenPGPComponentKey] + * @return ordered set of preferred [HashAlgorithms][HashAlgorithm] (descending order) + */ fun getPreferredHashAlgorithms(keyIdentifier: KeyIdentifier): Set { return keys .getKey(keyIdentifier) @@ -679,7 +767,13 @@ class KeyRingInfo( return getPreferredHashAlgorithms(KeyIdentifier(keyId)) } - /** [SymmetricKeyAlgorithm] preferences of the given user-ID. */ + /** + * Return the [SymmetricKeyAlgorithm] preferences of the given [userId]. + * + * @param userId user-id + * @return ordered set of preferred [SymmetricKeyAlgorithms][SymmetricKeyAlgorithm] (descending + * order) + */ fun getPreferredSymmetricKeyAlgorithms(userId: CharSequence): Set { return keys .getUserId(userId.toString()) @@ -688,6 +782,14 @@ class KeyRingInfo( ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } + /** + * Return the [SymmetricKeyAlgorithm] preferences of the [OpenPGPComponentKey] with the given + * [keyIdentifier]. + * + * @param keyIdentifier identifier of the [OpenPGPComponentKey] + * @return ordered set of preferred [SymmetricKeyAlgorithms][SymmetricKeyAlgorithm] (descending + * order) + */ fun getPreferredSymmetricKeyAlgorithms( keyIdentifier: KeyIdentifier ): Set { @@ -705,7 +807,13 @@ class KeyRingInfo( return getPreferredSymmetricKeyAlgorithms(KeyIdentifier(keyId)) } - /** [CompressionAlgorithm] preferences of the given user-ID. */ + /** + * Return the [CompressionAlgorithm] preferences of the given [userId]. + * + * @param userId user-id + * @return ordered set of preferred [CompressionAlgorithms][CompressionAlgorithm] (descending + * order) + */ fun getPreferredCompressionAlgorithms(userId: CharSequence): Set { return keys .getUserId(userId.toString()) @@ -714,6 +822,14 @@ class KeyRingInfo( ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } + /** + * Return the [CompressionAlgorithm] preferences of the [OpenPGPComponentKey] with the given + * [keyIdentifier]. + * + * @param keyIdentifier identifier of the [OpenPGPComponentKey] + * @return ordered set of preferred [CompressionAlgorithms][CompressionAlgorithm] (descending + * order) + */ fun getPreferredCompressionAlgorithms(keyIdentifier: KeyIdentifier): Set { return keys .getKey(keyIdentifier) @@ -724,10 +840,18 @@ class KeyRingInfo( } /** [CompressionAlgorithm] preferences of the given key. */ + @Deprecated("Pass in a KeyIdentifier instead.") fun getPreferredCompressionAlgorithms(keyId: Long): Set { return getPreferredCompressionAlgorithms(KeyIdentifier(keyId)) } + /** + * Return the [AEADCipherMode] preferences of the given [userId]. + * + * @param userId user-ID + * @return ordered set of [AEADCipherModes][AEADCipherMode] (descending order, including + * implicitly supported AEAD modes) + */ fun getPreferredAEADCipherSuites(userId: CharSequence): Set { return keys .getUserId(userId.toString()) @@ -736,6 +860,14 @@ class KeyRingInfo( ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } + /** + * Return the [AEADCipherMode] preferences of the [OpenPGPComponentKey] with the given + * [keyIdentifier]. + * + * @param keyIdentifier component key identifier + * @return ordered set of [AEADCipherModes][AEADCipherMode] (descending order, including + * implicitly supported AEAD modes) + */ fun getPreferredAEADCipherSuites(keyIdentifier: KeyIdentifier): Set { return keys .getKey(keyIdentifier) @@ -750,10 +882,6 @@ class KeyRingInfo( return getPreferredAEADCipherSuites(KeyIdentifier(keyId)) } - val isUsableForThirdPartyCertification: Boolean = - isKeyValidlyBound(keyIdentifier) && - getKeyFlagsOf(keyIdentifier).contains(KeyFlag.CERTIFY_OTHER) - companion object { /** Evaluate the key for the given signature. */ From b8bdb5bbe5edf870c01bdf9c2444701783d7b3bf Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Feb 2025 16:25:53 +0100 Subject: [PATCH 054/265] Clean up KeyAccessor class --- .../org/pgpainless/key/info/KeyAccessor.kt | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt index b16c5b3b..735d4490 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt @@ -41,6 +41,7 @@ abstract class KeyAccessor(protected val info: KeyRingInfo, protected val key: S get() = SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signatureWithPreferences) + /** Preferred AEAD algorithm suites. */ val preferredAEADCipherSuites: Set get() = SignatureSubpacketsUtil.parsePreferredAEADCipherSuites(signatureWithPreferences) @@ -64,30 +65,19 @@ abstract class KeyAccessor(protected val info: KeyRingInfo, protected val key: S class ViaKeyId(info: KeyRingInfo, key: SubkeyIdentifier) : KeyAccessor(info, key) { override val signatureWithPreferences: PGPSignature get() { - // If the key is located by Key ID, the algorithm of the primary User ID of the key - // provides the - // preferred symmetric algorithm. - info.primaryUserId?.let { userId -> - info.getLatestUserIdCertification(userId).let { if (it != null) return it } + if (key.isPrimaryKey) { + // If the key is located by Key ID, the algorithm of the primary User ID of the + // key + // provides the + // preferred symmetric algorithm. + info.primaryUserId?.let { userId -> + info.getLatestUserIdCertification(userId).let { if (it != null) return it } + } } - return info.getCurrentSubkeyBindingSignature(key.subkeyId) + return info.getCurrentSubkeyBindingSignature(key.keyIdentifier) ?: throw NoSuchElementException( "Key does not carry acceptable self-signature signature.") } } - - class SubKey(info: KeyRingInfo, key: SubkeyIdentifier) : KeyAccessor(info, key) { - override val signatureWithPreferences: PGPSignature - get() = - checkNotNull( - if (key.isPrimaryKey) { - info.latestDirectKeySelfSignature - ?: info.primaryUserId?.let { info.getLatestUserIdCertification(it) } - } else { - info.getCurrentSubkeyBindingSignature(key.subkeyId) - }) { - "No valid signature found." - } - } } From b9ee09a77467d5f7bfa3b1b5bfdc08aa7df1d1e1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Feb 2025 16:29:59 +0100 Subject: [PATCH 055/265] Add javadoc --- .../kotlin/org/pgpainless/key/SubkeyIdentifier.kt | 11 +++++++++++ .../kotlin/org/pgpainless/sop/VerificationHelper.kt | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index bc425629..d3e73e65 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -15,7 +15,13 @@ import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey * as the component keys fingerprint. */ class SubkeyIdentifier( + /** + * Fingerprint of the certificate. + */ val certificateFingerprint: OpenPgpFingerprint, + /** + * Fingerprint of the target component key. + */ val componentKeyFingerprint: OpenPgpFingerprint ) { @@ -124,8 +130,13 @@ class SubkeyIdentifier( /** Key-ID of the primary key of the certificate the component key belongs to. */ @Deprecated("Use of key-ids is discouraged.") val primaryKeyId = certificateIdentifier.keyId + /** True, if the component key is the primary key. */ val isPrimaryKey = certificateIdentifier.matches(componentKeyIdentifier) + /** + * Return true, if the provided [fingerprint] matches either the [certificateFingerprint] + * or [componentKeyFingerprint]. + */ fun matches(fingerprint: OpenPgpFingerprint) = certificateFingerprint == fingerprint || componentKeyFingerprint == fingerprint diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VerificationHelper.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VerificationHelper.kt index 9198e3b7..bc64ecd3 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VerificationHelper.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VerificationHelper.kt @@ -24,8 +24,8 @@ class VerificationHelper { fun mapVerification(sigVerification: SignatureVerification): Verification = Verification( sigVerification.signature.creationTime, - sigVerification.signingKey.subkeyFingerprint.toString(), - sigVerification.signingKey.primaryKeyFingerprint.toString(), + sigVerification.signingKey.componentKeyFingerprint.toString(), + sigVerification.signingKey.certificateFingerprint.toString(), getMode(sigVerification.signature), null) From a23e573658ef4bec1d4f6e1b727152201137b146 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 10:21:13 +0100 Subject: [PATCH 056/265] Add comments to HashAlgorithm --- .../main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt index 3360e7fe..a8004eec 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt @@ -11,15 +11,19 @@ package org.pgpainless.algorithm */ enum class HashAlgorithm(val algorithmId: Int, val algorithmName: String) { + // 0 is reserved @Deprecated("MD5 is deprecated") MD5(1, "MD5"), SHA1(2, "SHA1"), RIPEMD160(3, "RIPEMD160"), + // 4 - 7 are reserved SHA256(8, "SHA256"), SHA384(9, "SHA384"), SHA512(10, "SHA512"), SHA224(11, "SHA224"), SHA3_256(12, "SHA3-256"), + // 13 is reserved SHA3_512(14, "SHA3-512"), + // 100 - 110 are private / experimental ; companion object { @@ -57,12 +61,14 @@ enum class HashAlgorithm(val algorithmId: Int, val algorithmName: String) { * for a list of algorithms and names. * * @param name text name - * @return enum value + * @return enum value or null */ @JvmStatic fun fromName(name: String): HashAlgorithm? { return name.uppercase().let { algoName -> + // find value where it.algorithmName == ALGO-NAME values().firstOrNull { it.algorithmName == algoName } + // else, find value where it.algorithmName == ALGONAME ?: values().firstOrNull { it.algorithmName == algoName.replace("-", "") } } } From b563e43c78e963b2186c232cba16d1b14513fcf6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 10:39:29 +0100 Subject: [PATCH 057/265] Add comments to OpenPGPKeyVersion --- .../pgpainless/algorithm/OpenPGPKeyVersion.kt | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt index a2267825..7f919867 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt @@ -5,9 +5,49 @@ package org.pgpainless.algorithm enum class OpenPGPKeyVersion(val numeric: Int) { + // Version 2 packets are identical in format to Version 3 packets, but are generated by + // PGP 2.5 or before. V2 packets are deprecated and they MUST NOT be generated. + + /** + * Version 3 packets were first generated by PGP 2.6. + * Version 3 keys are deprecated. They contain three weaknesses. + * First, it is relatively easy to construct a version 3 key that has the same Key ID as + * any other key because the Key ID is simply the low 64 bits of the public modulus. + * Second, because the fingerprint of a version 3 key hashes the key material, but not + * its length, there is an increased opportunity for fingerprint collisions. + * Third, there are weaknesses in the MD5 hash algorithm that cause developers to prefer + * other algorithms. + */ @Deprecated("V3 keys are deprecated.") v3(3), + + /** + * Version 4 packets are used in RFC2440, RFC4880, RFC9580. + * The version 4 format is widely supported by various implementations. + * + * @see [RFC2440](https://www.rfc-editor.org/rfc/rfc2440.html) + * @see [RFC4880](https://www.rfc-editor.org/rfc/rfc4880.html) + * @see [RFC9580](https://www.rfc-editor.org/rfc/rfc9580.html) + */ v4(4), + + /** + * "V5"-keys are introduced in the LibrePGP document. + * These are NOT OpenPGP keys and are primarily supported by GnuPG and RNP. + * + * @see [LibrePGP](https://datatracker.ietf.org/doc/draft-koch-librepgp/) + */ librePgp(5), + + /** + * Version 6 packets are introduced in RFC9580. + * The version 6 format is similar to the version 4 format except for the addition of + * a count for the key material. This count helps parsing Secret Key packets (which + * are an extension of the Public Key packet format) in the case of an unknown algorithm. + * In addition, fingerprints of version 6 keys are calculated differently from version 4 keys, + * preventing the KOpenPGP attack. + * + * @see [RFC9580](https://www.rfc-editor.org/rfc/rfc9580.html) + */ v6(6), ; From 7af4689bb7fc6f518dd91ae30595488b2680e850 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 10:45:34 +0100 Subject: [PATCH 058/265] Fix spotless error --- .../src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt index a8004eec..686666cf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/HashAlgorithm.kt @@ -68,8 +68,8 @@ enum class HashAlgorithm(val algorithmId: Int, val algorithmName: String) { return name.uppercase().let { algoName -> // find value where it.algorithmName == ALGO-NAME values().firstOrNull { it.algorithmName == algoName } - // else, find value where it.algorithmName == ALGONAME - ?: values().firstOrNull { it.algorithmName == algoName.replace("-", "") } + // else, find value where it.algorithmName == ALGONAME + ?: values().firstOrNull { it.algorithmName == algoName.replace("-", "") } } } } From 853de42bc29aac95c3419bd69151a17391a0c619 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 10:46:12 +0100 Subject: [PATCH 059/265] Fix more spotless formatting errors --- .../kotlin/org/pgpainless/key/SubkeyIdentifier.kt | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index d3e73e65..ee8bb043 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -15,13 +15,9 @@ import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey * as the component keys fingerprint. */ class SubkeyIdentifier( - /** - * Fingerprint of the certificate. - */ + /** Fingerprint of the certificate. */ val certificateFingerprint: OpenPgpFingerprint, - /** - * Fingerprint of the target component key. - */ + /** Fingerprint of the target component key. */ val componentKeyFingerprint: OpenPgpFingerprint ) { @@ -134,8 +130,8 @@ class SubkeyIdentifier( val isPrimaryKey = certificateIdentifier.matches(componentKeyIdentifier) /** - * Return true, if the provided [fingerprint] matches either the [certificateFingerprint] - * or [componentKeyFingerprint]. + * Return true, if the provided [fingerprint] matches either the [certificateFingerprint] or + * [componentKeyFingerprint]. */ fun matches(fingerprint: OpenPgpFingerprint) = certificateFingerprint == fingerprint || componentKeyFingerprint == fingerprint From d95534123199dd03c2758883f279d4a195ee2e88 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 10:52:01 +0100 Subject: [PATCH 060/265] Add getKeyVersion() extension methods to certificate + subclasses and use it in KeyRingInfo.version --- .../pgpainless/algorithm/OpenPGPKeyVersion.kt | 33 +++++++++---------- .../OpenPGPCertificateExtensions.kt | 7 ++++ .../org/pgpainless/key/info/KeyRingInfo.kt | 2 +- .../pgpainless/key/info/KeyRingInfoTest.java | 5 +-- 4 files changed, 26 insertions(+), 21 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt index 7f919867..f053dd06 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/OpenPGPKeyVersion.kt @@ -9,20 +9,18 @@ enum class OpenPGPKeyVersion(val numeric: Int) { // PGP 2.5 or before. V2 packets are deprecated and they MUST NOT be generated. /** - * Version 3 packets were first generated by PGP 2.6. - * Version 3 keys are deprecated. They contain three weaknesses. - * First, it is relatively easy to construct a version 3 key that has the same Key ID as - * any other key because the Key ID is simply the low 64 bits of the public modulus. - * Second, because the fingerprint of a version 3 key hashes the key material, but not - * its length, there is an increased opportunity for fingerprint collisions. - * Third, there are weaknesses in the MD5 hash algorithm that cause developers to prefer - * other algorithms. + * Version 3 packets were first generated by PGP 2.6. Version 3 keys are deprecated. They + * contain three weaknesses. First, it is relatively easy to construct a version 3 key that has + * the same Key ID as any other key because the Key ID is simply the low 64 bits of the public + * modulus. Second, because the fingerprint of a version 3 key hashes the key material, but not + * its length, there is an increased opportunity for fingerprint collisions. Third, there are + * weaknesses in the MD5 hash algorithm that cause developers to prefer other algorithms. */ @Deprecated("V3 keys are deprecated.") v3(3), /** - * Version 4 packets are used in RFC2440, RFC4880, RFC9580. - * The version 4 format is widely supported by various implementations. + * Version 4 packets are used in RFC2440, RFC4880, RFC9580. The version 4 format is widely + * supported by various implementations. * * @see [RFC2440](https://www.rfc-editor.org/rfc/rfc2440.html) * @see [RFC4880](https://www.rfc-editor.org/rfc/rfc4880.html) @@ -31,20 +29,19 @@ enum class OpenPGPKeyVersion(val numeric: Int) { v4(4), /** - * "V5"-keys are introduced in the LibrePGP document. - * These are NOT OpenPGP keys and are primarily supported by GnuPG and RNP. + * "V5"-keys are introduced in the LibrePGP document. These are NOT OpenPGP keys and are + * primarily supported by GnuPG and RNP. * * @see [LibrePGP](https://datatracker.ietf.org/doc/draft-koch-librepgp/) */ librePgp(5), /** - * Version 6 packets are introduced in RFC9580. - * The version 6 format is similar to the version 4 format except for the addition of - * a count for the key material. This count helps parsing Secret Key packets (which - * are an extension of the Public Key packet format) in the case of an unknown algorithm. - * In addition, fingerprints of version 6 keys are calculated differently from version 4 keys, - * preventing the KOpenPGP attack. + * Version 6 packets are introduced in RFC9580. The version 6 format is similar to the version 4 + * format except for the addition of a count for the key material. This count helps parsing + * Secret Key packets (which are an extension of the Public Key packet format) in the case of an + * unknown algorithm. In addition, fingerprints of version 6 keys are calculated differently + * from version 4 keys, preventing the KOpenPGP attack. * * @see [RFC9580](https://www.rfc-editor.org/rfc/rfc9580.html) */ diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt index 8cc954fa..008ed758 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt @@ -7,6 +7,13 @@ package org.pgpainless.bouncycastle.extensions import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.pgpainless.algorithm.OpenPGPKeyVersion fun OpenPGPCertificate.getSigningKeyFor(ops: PGPOnePassSignature): OpenPGPComponentKey? = this.getKey(ops.keyIdentifier) + +/** Return the [OpenPGPKeyVersion] of the certificates primary key. */ +fun OpenPGPCertificate.getKeyVersion(): OpenPGPKeyVersion = primaryKey.getKeyVersion() + +/** Return the [OpenPGPKeyVersion] of the component key. */ +fun OpenPGPComponentKey.getKeyVersion(): OpenPGPKeyVersion = OpenPGPKeyVersion.from(this.version) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index f7d873d0..dd1e5a0c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -95,7 +95,7 @@ class KeyRingInfo( } else null /** OpenPGP key version. */ - val version: Int = primaryKey.version + val version: OpenPGPKeyVersion = keys.getKeyVersion() /** * Return all [public component keys][OpenPGPComponentKey] of this key ring. The first key in diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 0a12c04c..3d56dc1b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -37,6 +37,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.OpenPgpV4Fingerprint; @@ -87,8 +88,8 @@ public class KeyRingInfoTest { assertEquals(Collections.singletonList(""), pInfo.getUserIds()); assertEquals(Collections.singletonList("emil@email.user"), sInfo.getEmailAddresses()); assertEquals(Collections.singletonList("emil@email.user"), pInfo.getEmailAddresses()); - assertEquals(4, sInfo.getVersion()); - assertEquals(4, pInfo.getVersion()); + assertEquals(OpenPGPKeyVersion.v4, sInfo.getVersion()); + assertEquals(OpenPGPKeyVersion.v4, pInfo.getVersion()); assertTrue(sInfo.isSecretKey()); assertFalse(pInfo.isSecretKey()); From 3c28660f26e97809068a9d31e885c07f82b45a68 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 12:32:42 +0100 Subject: [PATCH 061/265] Add documentation to PolicyAdapter --- .../pgpainless/bouncycastle/PolicyAdapter.kt | 74 ++++++++++++++++++- 1 file changed, 70 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt index eed5e24c..bb8e9f0f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt @@ -9,8 +9,16 @@ import org.bouncycastle.openpgp.api.OpenPGPPolicy import org.bouncycastle.openpgp.api.OpenPGPPolicy.OpenPGPNotationRegistry import org.pgpainless.policy.Policy +/** Adapter class that adapts a PGPainless [Policy] object to Bouncy Castles [OpenPGPPolicy]. */ class PolicyAdapter(val policy: Policy = Policy.getInstance()) : OpenPGPPolicy { + /** + * Determine, whether the hash algorithm of a document signature is acceptable. + * + * @param algorithmId hash algorithm ID + * @param signatureCreationTime optional signature creation time + * @return boolean indicating whether the hash algorithm is acceptable + */ override fun isAcceptableDocumentSignatureHashAlgorithm( algorithmId: Int, signatureCreationTime: Date? @@ -21,6 +29,13 @@ class PolicyAdapter(val policy: Policy = Policy.getInstance()) : OpenPGPPolicy { policy.dataSignatureHashAlgorithmPolicy.isAcceptable(algorithmId, signatureCreationTime) } + /** + * Determine, whether the hash algorithm of a revocation signature is acceptable. + * + * @param algorithmId hash algorithm ID + * @param revocationCreationTime optional revocation signature creation time + * @return boolean indicating whether the hash algorithm is acceptable + */ override fun isAcceptableRevocationSignatureHashAlgorithm( algorithmId: Int, revocationCreationTime: Date? @@ -32,6 +47,13 @@ class PolicyAdapter(val policy: Policy = Policy.getInstance()) : OpenPGPPolicy { algorithmId, revocationCreationTime) } + /** + * Determine, whether the hash algorithm of a certification signature is acceptable. + * + * @param algorithmId hash algorithm ID + * @param certificationCreationTime optional certification signature creation time + * @return boolean indicating whether the hash algorithm is acceptable + */ override fun isAcceptableCertificationSignatureHashAlgorithm( algorithmId: Int, certificationCreationTime: Date? @@ -43,32 +65,76 @@ class PolicyAdapter(val policy: Policy = Policy.getInstance()) : OpenPGPPolicy { algorithmId, certificationCreationTime) } + /** + * Return the default hash algorithm for certification signatures. This is used as fallback if + * not suitable hash algorithm can be negotiated. + * + * @return default certification signature hash algorithm + */ override fun getDefaultCertificationSignatureHashAlgorithm(): Int { return policy.certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm.algorithmId } + /** + * Return the default hash algorithm for document signatures. This is used as fallback if not + * suitable hash algorithm can be negotiated. + * + * @return default document signature hash algorithm + */ override fun getDefaultDocumentSignatureHashAlgorithm(): Int { return policy.dataSignatureHashAlgorithmPolicy.defaultHashAlgorithm.algorithmId } - override fun isAcceptableSymmetricKeyAlgorithm(p0: Int): Boolean { - return policy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable(p0) + /** + * Determine, whether the given symmetric encryption algorithm is acceptable. + * + * @param algorithmId symmetric encryption algorithm ID + * @return boolean indicating, whether the encryption algorithm is acceptable + */ + override fun isAcceptableSymmetricKeyAlgorithm(algorithmId: Int): Boolean { + return policy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable(algorithmId) } - + /** + * Return the default symmetric encryption algorithm. This algorithm is used as fallback to + * encrypt messages if no suitable symmetric encryption algorithm can be negotiated. + * + * @return default symmetric encryption algorithm + */ override fun getDefaultSymmetricKeyAlgorithm(): Int { return policy.symmetricKeyEncryptionAlgorithmPolicy.defaultSymmetricKeyAlgorithm.algorithmId } + /** + * Determine, whether the [bitStrength] of an asymmetric public key of the given algorithm is + * strong enough. + * + * @param algorithmId public key algorithm ID + * @param bitStrength strength of the key in bits + * @return boolean indicating whether the bit strength is sufficient + */ override fun isAcceptablePublicKeyStrength(algorithmId: Int, bitStrength: Int): Boolean { return policy.publicKeyAlgorithmPolicy.isAcceptable(algorithmId, bitStrength) } - override fun getNotationRegistry(): OpenPGPPolicy.OpenPGPNotationRegistry { + /** + * Adapt PGPainless' [org.pgpainless.util.NotationRegistry] to Bouncy Castles + * [OpenPGPNotationRegistry]. + * + * @return adapted [OpenPGPNotationRegistry] + */ + override fun getNotationRegistry(): OpenPGPNotationRegistry { return object : OpenPGPNotationRegistry() { + + /** Determine, whether the given [notationName] is known by the registry. */ override fun isNotationKnown(notationName: String?): Boolean { return notationName?.let { policy.notationRegistry.isKnownNotation(it) } ?: false } + /** + * Add a known notation name to the registry. + * + * @param notationName notation name + */ override fun addKnownNotation(notationName: String?) { notationName?.let { policy.notationRegistry.addKnownNotation(it) } } From 1e2e9c2125b850fdbb4a31f84d99d2c7bcc64ad3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 13:08:15 +0100 Subject: [PATCH 062/265] Rework OnePassSignatureCheck --- .../consumer/OnePassSignatureCheck.kt | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt index 7536776e..97248420 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt @@ -5,31 +5,38 @@ package org.pgpainless.signature.consumer import org.bouncycastle.openpgp.PGPOnePassSignature -import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.pgpainless.bouncycastle.extensions.getSigningKeyFor import org.pgpainless.key.SubkeyIdentifier /** - * Tuple-class that bundles together a [PGPOnePassSignature] object, a [PGPPublicKeyRing] destined - * to verify the signature, the [PGPSignature] itself and a record of whether the signature was - * verified. + * Tuple-class that bundles together a [PGPOnePassSignature] object, an [OpenPGPCertificate] + * destined to verify the signature. * * @param onePassSignature the one-pass-signature packet * @param verificationKeys certificate containing the signing subkey - * @param signature the signature packet */ data class OnePassSignatureCheck( val onePassSignature: PGPOnePassSignature, - val verificationKeys: OpenPGPCertificate, - var signature: PGPSignature? = null + val verificationKeys: OpenPGPCertificate ) { + var signature: PGPSignature? = null + + constructor( + onePassSignature: PGPOnePassSignature, + verificationKey: OpenPGPComponentKey + ) : this(onePassSignature, verificationKey.certificate) + + val signingKey: OpenPGPComponentKey? = verificationKeys.getSigningKeyFor(onePassSignature) + /** * Return an identifier for the signing key. * * @return signing key fingerprint */ - val signingKey: SubkeyIdentifier - get() = SubkeyIdentifier(verificationKeys.pgpPublicKeyRing, onePassSignature.keyID) + val signingKeyIdentifier: SubkeyIdentifier? + get() = signingKey?.let { SubkeyIdentifier(it) } } From 8e3ad2c9efca9b1cab75a527c08007a3cbbe133d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 14:13:48 +0100 Subject: [PATCH 063/265] Add some missing documentation to ConsumerOptions --- .../decryption_verification/ConsumerOptions.kt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 55c781ae..5606d10f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -417,6 +417,7 @@ class ConsumerOptions { * @param certificate certificate */ @JvmOverloads + @Deprecated("Pass in an OpenPGPCertificate instead.") fun addCertificate( certificate: PGPPublicKeyRing, implementation: OpenPGPImplementation = PGPainless.getInstance().implementation @@ -424,6 +425,11 @@ class ConsumerOptions { explicitCertificates.add(OpenPGPCertificate(certificate, implementation)) } + /** + * Add a certificate as explicitly provided verification cert. + * + * @param certificate explicit verification cert + */ fun addCertificate(certificate: OpenPGPCertificate) { explicitCertificates.add(certificate) } @@ -445,14 +451,24 @@ class ConsumerOptions { * @param keyId key id * @return certificate */ + @Deprecated("Pass in a KeyIdentifier instead.") fun getCertificate(keyId: Long): OpenPGPCertificate? { return getCertificate(KeyIdentifier(keyId)) } + /** + * Return a certificate which contains a component key for the given [identifier]. This + * method first checks all explicitly provided verification certs and if no cert is found it + * consults the certificate stores. + * + * @param identifier key identifier + * @return certificate or null if no match is found + */ fun getCertificate(identifier: KeyIdentifier): OpenPGPCertificate? { return explicitCertificates.firstOrNull { it.getKey(identifier) != null } } + /** Find a certificate containing the issuer component key for the given [signature]. */ fun getCertificate(signature: PGPSignature): OpenPGPCertificate? = explicitCertificates.firstOrNull { it.getSigningKeyFor(signature) != null } } From b3c088275e33621655c4c4c231f63c83d4c1cadf Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Feb 2025 15:03:42 +0100 Subject: [PATCH 064/265] Start working on migration guide --- docs/source/index.rst | 3 +- docs/source/pgpainless-core/migration_2.0.md | 80 ++++++++++++++++++++ 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 docs/source/pgpainless-core/migration_2.0.md diff --git a/docs/source/index.rst b/docs/source/index.rst index 06c115ec..6ff985e0 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -35,4 +35,5 @@ Contents quickstart.md pgpainless-cli/usage.md sop.md - pgpainless-core/indepth.rst \ No newline at end of file + pgpainless-core/indepth.rst + pgpainless-core/migration_2.0.md \ No newline at end of file diff --git a/docs/source/pgpainless-core/migration_2.0.md b/docs/source/pgpainless-core/migration_2.0.md new file mode 100644 index 00000000..58deebca --- /dev/null +++ b/docs/source/pgpainless-core/migration_2.0.md @@ -0,0 +1,80 @@ +# Migration Guide PGPainless 2.0 + +PGPainless 2.0 makes use of Bouncy Castles new High Level API. +As a consequence, the use of certain "mid-level" classes, such as `PGPPublicKeyRing`, `PGPSecretKeyRing` is now +discouraged in favor of their high-level counterparts, e.g. `OpenPGPCertificate`, `OpenPGPKey`. + +## Terminology Changes + +Bouncy Castles high level API uses OpenPGP terminology as described in the book [OpenPGP for application developers](https://openpgp.dev/book/). +Therefore, some terms used in the mid-level API are no longer used. + +| Old Term | New Term | Description | +|-----------------|----------------------------|------------------------------------------------------| +| key ring | OpenPGP certificate or key | | +| public key ring | certificate | | +| secret key ring | key | | +| subkey | component key | A component key is either a primary key, or a subkey | + + +## Key Material + +The use of `PGPPublicKeyRing` objects is now discouraged in favor of `OpenPGPCertificate`. +Appropriately, `OpenPGPKey` replaces `PGPSecretKeyRing`. `OpenPGPKey` extends the `OpenPGPCertificate` class, but also +contains secret key material. + +An `OpenPGPCertificate` consists of `OpenPGPComponentSignature`s and `OpenPGPCertificateComponent`s, +such as `OpenPGPComponentKey`s and `OpenPGPIdentityComponent`s. +`OpenPGPIdentityComponent`s are either `OpenPGPUserId`s or `OpenPGPUserAttribute`s. +Components of an OpenPGP certificate, which contain key material (public keys, secret keys, subkeys...) are represented +by the `OpenPGPComponentKey` class, from which `OpenPGPPrimaryKey`, `OpenPGPSubkey` and `OpenPGPSecretKey` inherit. + +`OpenPGPCertificateComponent`s are bound to the certificate by `OpenPGPSignature`s, which Bouncy Castle organizes into +`OpenPGPSignatureChains` internally. + +## `KeyIdentifier` +OpenPGP has evolved over time and with it the way to identify individual keys. +Old protocol versions rely on 64-bit key-ids, which are nowadays deprecated, as 64-bits are not exactly collision-resistant. +For some time already, the use of fingerprints is therefore encouraged as a replacement. +However, key-ids were not everywhere at once in the protocol, so many artifacts still contain elements with key-ids in them. +An example for this are public-key encrypted session-key packets, which in version 1 still only contain the recipients +key-id. +In signatures, both key-ids and fingerprints are present. + +To solve this inconsistency, Bouncy Castle introduced the `KeyIdentifier` type as an abstraction of both key-ids and fingerprints. +Now most methods that take some sort of identifier, be it fingerprint or key-id, now also accept a `KeyIdentifier` object. + +Consequently, `KeyIdentifier` is now also the preferred way to reference keys in PGPainless and many places where previously +a key-id or fingerprint was exepcted, now also accept `KeyIdentifier` objects. + +## Differences between BCs high level API and PGPainless + +With Bouncy Castle now introducing its own high-level API, you might ask, what differences there are between +high-level PGPainless classes and their new Bouncy Castle counterparts. + +### `KeyRingInfo` vs. `OpenPGPCertificate`/`OpenPGPKey` + +PGPainless' `KeyRingInfo` class fulfils a similar task as the new `OpenPGPCertificate`/`OpenPGPKey` classes, +namely evaluating OpenPGP key material, checking self signatures, exposing certain properties like +subkeys, algorithm preferences etc. in a way accessible for the user, all with respect to a given reference time. + +However, `KeyRingInfo` historically gets instantiated *per reference time*, while`OpenPGPCertificate`/`OpenPGPKey` +is instantiated only *once* and expects you to pass in the reference time each time you are using a +property getter, lazily evaluating applicable signatures as needed. +Under the hood, the Bouncy Castle classes now cache expensive signature verification results for later use. +Consequently, `KeyRingInfo` now wraps `OpenPGPCertificate`/`OpenPGPKey`, forwarding method calls while passing along +the chosen reference time and mapping basic data types to PGPainless' high level types / enums. + +## Replacements + +| Old | New | Comment | +|------------------------------|-----------------------|---------------------------------------------------------------------| +| `PGPPublicKeyRing` | `OpenPGPCertificate` | Self-Signatures are automagically evaluated | +| `PGPSecretKeyRing` | `OpenPGPKey` | Same as `OpenPGPCertificate`, but also contains secret key material | +| `PGPPublicKey` (primary key) | `OpenPGPPrimaryKey` | - | +| `PGPPublicKey` (subkey) | `OpenPGPComponentKey` | - | +| `PGPSecretKey` (primary key) | `OpenPGPSecretKey` | - | +| `PGPSecretKey` (subkey) | `OpenPGPSecretKey` | - | +| `PGPPrivateKey` | `OpenPGPPrivateKey` | - | +| `Long` (Key-ID) | `KeyIdentifier` | - | +| `byte[]` (Key Fingerprint) | `KeyIdentifier` | - | \ No newline at end of file From 350b67bb9ee038ad5b3eeaa1cd8d3fc61f1e2a8e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 3 Mar 2025 12:55:33 +0100 Subject: [PATCH 065/265] Progress on the migration guide --- docs/source/pgpainless-core/migration_2.0.md | 117 +++++++++++++------ 1 file changed, 84 insertions(+), 33 deletions(-) diff --git a/docs/source/pgpainless-core/migration_2.0.md b/docs/source/pgpainless-core/migration_2.0.md index 58deebca..432ccc6e 100644 --- a/docs/source/pgpainless-core/migration_2.0.md +++ b/docs/source/pgpainless-core/migration_2.0.md @@ -1,20 +1,36 @@ # Migration Guide PGPainless 2.0 -PGPainless 2.0 makes use of Bouncy Castles new High Level API. +PGPainless 2.0 makes use of Bouncy Castles new High-Level API. As a consequence, the use of certain "mid-level" classes, such as `PGPPublicKeyRing`, `PGPSecretKeyRing` is now discouraged in favor of their high-level counterparts, e.g. `OpenPGPCertificate`, `OpenPGPKey`. + ## Terminology Changes -Bouncy Castles high level API uses OpenPGP terminology as described in the book [OpenPGP for application developers](https://openpgp.dev/book/). +Bouncy Castles high-level API uses OpenPGP terminology as described in the book [OpenPGP for application developers](https://openpgp.dev/book/). Therefore, some terms used in the mid-level API are no longer used. -| Old Term | New Term | Description | -|-----------------|----------------------------|------------------------------------------------------| -| key ring | OpenPGP certificate or key | | -| public key ring | certificate | | -| secret key ring | key | | -| subkey | component key | A component key is either a primary key, or a subkey | +| Old Term | New Term | Description | +|------------------------|----------------------------|------------------------------------------------------| +| key ring | OpenPGP certificate or key | | +| master key | primary key | | +| public key ring | (OpenPGP) certificate | | +| secret key ring | (OpenPGP) key | | +| subkey | component key | A component key is either a primary key, or a subkey | +| primary key identifier | certificate identifier | | +| subkey identifier | component key identifier | | + + +## API + +PGPainless 2.0 switches away from the Singleton pattern. + +The API entrypoints for PGPainless 1.X were static methods of the `PGPainless` class. +Configuration was done by modifying singletons, e.g. `Policy`. + +With PGPainless 2.X, the recommended way to use the API is to create individual instances of the `PGPainless` class, +which provide non-static methods for different OpenPGP operations. +That way, you can have multiple API instances with different, per-instance configurations. ## Key Material @@ -23,31 +39,55 @@ The use of `PGPPublicKeyRing` objects is now discouraged in favor of `OpenPGPCer Appropriately, `OpenPGPKey` replaces `PGPSecretKeyRing`. `OpenPGPKey` extends the `OpenPGPCertificate` class, but also contains secret key material. -An `OpenPGPCertificate` consists of `OpenPGPComponentSignature`s and `OpenPGPCertificateComponent`s, -such as `OpenPGPComponentKey`s and `OpenPGPIdentityComponent`s. -`OpenPGPIdentityComponent`s are either `OpenPGPUserId`s or `OpenPGPUserAttribute`s. +An `OpenPGPCertificate` consists of `OpenPGPCertificateComponent`s such as `OpenPGPComponentKey`s and +`OpenPGPIdentityComponent`s, which are bound to the certificate with `OpenPGPComponentSignature`s. +`OpenPGPIdentityComponent`s are either `OpenPGPUserId`s or `OpenPGPUserAttribute`s (the latter being more or less +deprecated). Components of an OpenPGP certificate, which contain key material (public keys, secret keys, subkeys...) are represented by the `OpenPGPComponentKey` class, from which `OpenPGPPrimaryKey`, `OpenPGPSubkey` and `OpenPGPSecretKey` inherit. -`OpenPGPCertificateComponent`s are bound to the certificate by `OpenPGPSignature`s, which Bouncy Castle organizes into -`OpenPGPSignatureChains` internally. +As stated above, `OpenPGPCertificateComponent`s are bound to the certificate using `OpenPGPSignature`s, +which Bouncy Castle arranges into `OpenPGPSignatureChains` internally. +This chain structure is evaluated to determine the status of a certificate component at a given time, as well as +its applicable properties (algorithm preferences, features, key flags...) + +In places, where you cannot switch to using `OpenPGPCertificate`, you can access the underlying `PGPPublicKeyRing` +by calling `certificate.getPGPPublicKeyRing()`. +Analog, you can access the underlying `PGPSecretKeyRing` of an `OpenPGPKey` via `key.getPGPSecretKeyRing()`. + + +### Key Versions + +PGPainless 1.X primarily supported OpenPGP keys of version 4. +The 2.X release introduces support for OpenPGP v6 as well, which makes it necessary to specify the desired key version +e.g. when generating keys. + +This can be done by passing an `OpenPGPKeyVersion` enum. + ## `KeyIdentifier` + OpenPGP has evolved over time and with it the way to identify individual keys. -Old protocol versions rely on 64-bit key-ids, which are nowadays deprecated, as 64-bits are not exactly collision-resistant. +Old protocol versions rely on 64-bit key-ids, which are nowadays deprecated, as 64-bits are not exactly +collision-resistant. For some time already, the use of fingerprints is therefore encouraged as a replacement. -However, key-ids were not everywhere at once in the protocol, so many artifacts still contain elements with key-ids in them. +However, key-ids were not everywhere at once in the protocol, so many artifacts still contain elements with +key-ids in them. An example for this are public-key encrypted session-key packets, which in version 1 still only contain the recipients key-id. In signatures, both key-ids and fingerprints are present. -To solve this inconsistency, Bouncy Castle introduced the `KeyIdentifier` type as an abstraction of both key-ids and fingerprints. -Now most methods that take some sort of identifier, be it fingerprint or key-id, now also accept a `KeyIdentifier` object. +To solve this inconsistency, Bouncy Castle introduced the `KeyIdentifier` type as an abstraction of both key-ids +and fingerprints. +Now most methods that take some sort of identifier, be it fingerprint or key-id, now also accept a `KeyIdentifier` +object. -Consequently, `KeyIdentifier` is now also the preferred way to reference keys in PGPainless and many places where previously -a key-id or fingerprint was exepcted, now also accept `KeyIdentifier` objects. +Consequently, `KeyIdentifier` is now also the preferred way to reference keys in PGPainless and many places where +previously a key-id or fingerprint was expected, now also accept `KeyIdentifier` objects. +In places, where you need to access a 64-bit key-id, you can call `keyIdentifier.getKeyId()`. -## Differences between BCs high level API and PGPainless + +## Differences between BCs high-level API and PGPainless With Bouncy Castle now introducing its own high-level API, you might ask, what differences there are between high-level PGPainless classes and their new Bouncy Castle counterparts. @@ -63,18 +103,29 @@ is instantiated only *once* and expects you to pass in the reference time each t property getter, lazily evaluating applicable signatures as needed. Under the hood, the Bouncy Castle classes now cache expensive signature verification results for later use. Consequently, `KeyRingInfo` now wraps `OpenPGPCertificate`/`OpenPGPKey`, forwarding method calls while passing along -the chosen reference time and mapping basic data types to PGPainless' high level types / enums. +the chosen reference time and mapping basic data types to PGPainless' high-level types / enums. -## Replacements -| Old | New | Comment | -|------------------------------|-----------------------|---------------------------------------------------------------------| -| `PGPPublicKeyRing` | `OpenPGPCertificate` | Self-Signatures are automagically evaluated | -| `PGPSecretKeyRing` | `OpenPGPKey` | Same as `OpenPGPCertificate`, but also contains secret key material | -| `PGPPublicKey` (primary key) | `OpenPGPPrimaryKey` | - | -| `PGPPublicKey` (subkey) | `OpenPGPComponentKey` | - | -| `PGPSecretKey` (primary key) | `OpenPGPSecretKey` | - | -| `PGPSecretKey` (subkey) | `OpenPGPSecretKey` | - | -| `PGPPrivateKey` | `OpenPGPPrivateKey` | - | -| `Long` (Key-ID) | `KeyIdentifier` | - | -| `byte[]` (Key Fingerprint) | `KeyIdentifier` | - | \ No newline at end of file +## Type Replacements + +| Old | New | Comment | +|------------------------------|------------------------------|---------------------------------------------------------------------| +| `PGPPublicKeyRing` | `OpenPGPCertificate` | Self-Signatures are automagically evaluated | +| `PGPSecretKeyRing` | `OpenPGPKey` | Same as `OpenPGPCertificate`, but also contains secret key material | +| `PGPPublicKey` (primary key) | `OpenPGPPrimaryKey` | Primary keys provide getters to access bound user identities | +| `PGPPublicKey` (subkey) | `OpenPGPComponentKey` | - | +| `PGPSecretKey` (primary key) | `OpenPGPSecretKey` | - | +| `PGPSecretKey` (subkey) | `OpenPGPSecretKey` | - | +| `PGPPrivateKey` | `OpenPGPPrivateKey` | - | +| `Long` (Key-ID) | `KeyIdentifier` | - | +| `byte[]` (Key Fingerprint) | `KeyIdentifier` | - | +| `MissingPublicKeyCallback` | `OpenPGPCertificateProvider` | - | +| (detached) `PGPSignature` | `OpenPGPDocumentSignature` | - | + + +## Algorithm Support + +The use of ElGamal as public key algorithm is now deprecated. Consequently, it is no longer possible to generate +ElGamal keys. + +RFC9580 introduced new key types `Ed25519`, `Ed448`, `X25519`, `X448`. \ No newline at end of file From 5ccd68cdd9467a0520cb366e7f6f0c8ad5433128 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 5 Mar 2025 10:57:06 +0100 Subject: [PATCH 066/265] Fix: Do not set IssuerKeyId on v6 key-signatures --- .../pgpainless/key/generation/KeyRingBuilder.kt | 2 +- .../subpackets/BaseSignatureSubpackets.kt | 13 +++++++++++++ .../signature/subpackets/SignatureSubpackets.kt | 16 ++++++++++++++-- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index ee842982..86c4cbb9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -97,7 +97,7 @@ class KeyRingBuilder( val signatureGenerator = PGPSignatureGenerator(signer, certKey.publicKey) val hashedSubPacketGenerator = primaryKeySpec!!.subpacketGenerator - hashedSubPacketGenerator.setIssuerFingerprintAndKeyId(certKey.publicKey) + hashedSubPacketGenerator.setAppropriateIssuerInfo(certKey.publicKey, version) expirationDate?.let { hashedSubPacketGenerator.setKeyExpirationTime(certKey.publicKey, it) } if (userIds.isNotEmpty()) { hashedSubPacketGenerator.setPrimaryUserId() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt index b9d7fb3f..f3e22faf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt @@ -11,12 +11,25 @@ import org.bouncycastle.bcpg.sig.* import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.pgpainless.algorithm.HashAlgorithm +import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.PublicKeyAlgorithm interface BaseSignatureSubpackets { interface Callback : SignatureSubpacketCallback + fun setAppropriateIssuerInfo(key: PGPPublicKey): BaseSignatureSubpackets + + /** + * Depending on the given [version], use the appropriate means of setting issuer information. + * V6 signatures for example MUST NOT contain an [IssuerKeyID] packet. + * + * @param key issuer key + * @param version signature version + * @return this + */ + fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion): BaseSignatureSubpackets + /** * Add both an [IssuerKeyID] and [IssuerFingerprint] subpacket pointing to the given key. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index 886cedb6..d91b8659 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -72,7 +72,7 @@ class SignatureSubpackets : issuer: PGPPublicKey, base: PGPSignatureSubpacketVector ): SignatureSubpackets { - return createSubpacketsFrom(base).apply { setIssuerFingerprintAndKeyId(issuer) } + return createSubpacketsFrom(base).apply { setAppropriateIssuerInfo(issuer) } } @JvmStatic @@ -82,7 +82,7 @@ class SignatureSubpackets : @JvmStatic fun createHashedSubpackets(issuer: PGPPublicKey): SignatureSubpackets { - return createEmptySubpackets().setIssuerFingerprintAndKeyId(issuer) + return createEmptySubpackets().setAppropriateIssuerInfo(issuer) } @JvmStatic @@ -352,6 +352,18 @@ class SignatureSubpackets : this.featuresSubpacket = features } + override fun setAppropriateIssuerInfo(key: PGPPublicKey) = apply { + setAppropriateIssuerInfo(key, OpenPGPKeyVersion.from(key.version)) + } + + override fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion) = apply { + when (version) { + OpenPGPKeyVersion.v3 -> setIssuerKeyId(key.keyID) + OpenPGPKeyVersion.v4 -> setIssuerFingerprintAndKeyId(key) + OpenPGPKeyVersion.librePgp, OpenPGPKeyVersion.v6 -> setIssuerFingerprint(key) + } + } + override fun setIssuerFingerprintAndKeyId(key: PGPPublicKey): SignatureSubpackets = apply { setIssuerKeyId(key.keyID) setIssuerFingerprint(key) From 1141bdf1f855fc3e5d972b7c3f388d4a4340d7dc Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 5 Mar 2025 15:15:13 +0100 Subject: [PATCH 067/265] Work on AlgorithmSuite --- .../main/kotlin/org/pgpainless/PGPainless.kt | 20 ++++- .../pgpainless/algorithm/AlgorithmSuite.kt | 46 +++++++++-- .../key/generation/KeyRingTemplates.kt | 6 +- .../key/generation/KeySpecBuilder.kt | 14 ++-- .../subpackets/BaseSignatureSubpackets.kt | 9 ++- .../subpackets/SelfSignatureSubpackets.kt | 2 + .../subpackets/SignatureSubpackets.kt | 3 +- .../key/generation/GenerateV6KeyTest.java | 78 +++++++++++++++++++ 8 files changed, 158 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index f9e009cf..2b43958c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -14,6 +14,7 @@ import org.bouncycastle.openpgp.api.OpenPGPApi import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKeyGenerator import org.bouncycastle.openpgp.api.OpenPGPKeyReader import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi import org.pgpainless.algorithm.OpenPGPKeyVersion @@ -43,8 +44,23 @@ class PGPainless( api = BcOpenPGPApi(implementation) } - fun generateKey(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingTemplates = - KeyRingTemplates(version) + @JvmOverloads + fun generateKey( + version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, + creationTime: Date = Date() + ): KeyRingTemplates = KeyRingTemplates(version, creationTime) + + @JvmOverloads + fun buildKey( + version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, + creationTime: Date = Date() + ): OpenPGPKeyGenerator = + OpenPGPKeyGenerator( + implementation, version.numeric, version == OpenPGPKeyVersion.v6, creationTime) + .apply { + val genAlgs = algorithmPolicy.keyGenerationAlgorithmSuite + setDefaultFeatures(genAlgs.features.toSignatureSubpacketsFunction(true)) + } fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt index 867bf1b8..2012e2e1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt @@ -4,15 +4,30 @@ package org.pgpainless.algorithm +import org.bouncycastle.openpgp.api.SignatureSubpacketsFunction + class AlgorithmSuite( - symmetricKeyAlgorithms: List, - hashAlgorithms: List, - compressionAlgorithms: List + symmetricKeyAlgorithms: List?, + hashAlgorithms: List?, + compressionAlgorithms: List?, + aeadAlgorithms: List?, + features: List ) { - val symmetricKeyAlgorithms: Set = symmetricKeyAlgorithms.toSet() - val hashAlgorithms: Set = hashAlgorithms.toSet() - val compressionAlgorithms: Set = compressionAlgorithms.toSet() + val symmetricKeyAlgorithms: Set? = symmetricKeyAlgorithms?.toSet() + val hashAlgorithms: Set? = hashAlgorithms?.toSet() + val compressionAlgorithms: Set? = compressionAlgorithms?.toSet() + val aeadAlgorithms: Set? = aeadAlgorithms?.toSet() + val features: FeatureSet = FeatureSet(features.toSet()) + + class FeatureSet(val features: Set) { + fun toSignatureSubpacketsFunction(critical: Boolean = true): SignatureSubpacketsFunction { + return SignatureSubpacketsFunction { + val b = Feature.toBitmask(*features.toTypedArray()) + it.apply { setFeature(critical, b) } + } + } + } companion object { @@ -39,9 +54,26 @@ class AlgorithmSuite( CompressionAlgorithm.ZIP, CompressionAlgorithm.UNCOMPRESSED) + @JvmStatic + val defaultAEADAlgorithmSuites = + listOf( + AEADCipherMode(AEADAlgorithm.EAX, SymmetricKeyAlgorithm.AES_256), + AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_256), + AEADCipherMode(AEADAlgorithm.GCM, SymmetricKeyAlgorithm.AES_256), + AEADCipherMode(AEADAlgorithm.EAX, SymmetricKeyAlgorithm.AES_192), + AEADCipherMode(AEADAlgorithm.EAX, SymmetricKeyAlgorithm.AES_192)) + + @JvmStatic + val defaultFeatures = + listOf(Feature.MODIFICATION_DETECTION, Feature.MODIFICATION_DETECTION_2) + @JvmStatic val defaultAlgorithmSuite = AlgorithmSuite( - defaultSymmetricKeyAlgorithms, defaultHashAlgorithms, defaultCompressionAlgorithms) + defaultSymmetricKeyAlgorithms, + defaultHashAlgorithms, + defaultCompressionAlgorithms, + defaultAEADAlgorithmSuites, + defaultFeatures) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index cbb5a9df..7ee032ae 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.generation +import java.util.* import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless.Companion.buildKeyRing import org.pgpainless.algorithm.KeyFlag @@ -15,7 +16,10 @@ import org.pgpainless.key.generation.type.rsa.RsaLength import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec import org.pgpainless.util.Passphrase -class KeyRingTemplates(private val version: OpenPGPKeyVersion) { +class KeyRingTemplates( + private val version: OpenPGPKeyVersion, + private val creationTime: Date = Date() +) { /** * Generate an RSA OpenPGP key consisting of an RSA primary key used for certification, a diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt index 0e7f9aae..b934698e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt @@ -20,11 +20,12 @@ constructor( private val hashedSubpackets: SelfSignatureSubpackets = SignatureSubpackets() private val algorithmSuite: AlgorithmSuite = PGPainless.getPolicy().keyGenerationAlgorithmSuite - private var preferredCompressionAlgorithms: Set = + private var preferredCompressionAlgorithms: Set? = algorithmSuite.compressionAlgorithms - private var preferredHashAlgorithms: Set = algorithmSuite.hashAlgorithms - private var preferredSymmetricAlgorithms: Set = + private var preferredHashAlgorithms: Set? = algorithmSuite.hashAlgorithms + private var preferredSymmetricAlgorithms: Set? = algorithmSuite.symmetricKeyAlgorithms + private var preferredAEADAlgorithms: Set? = algorithmSuite.aeadAlgorithms private var keyCreationDate: Date? = null constructor(type: KeyType, vararg keyFlags: KeyFlag) : this(type, listOf(*keyFlags)) @@ -59,9 +60,10 @@ constructor( return hashedSubpackets .apply { setKeyFlags(keyFlags) - setPreferredCompressionAlgorithms(preferredCompressionAlgorithms) - setPreferredHashAlgorithms(preferredHashAlgorithms) - setPreferredSymmetricKeyAlgorithms(preferredSymmetricAlgorithms) + preferredCompressionAlgorithms?.let { setPreferredCompressionAlgorithms(it) } + preferredHashAlgorithms?.let { setPreferredHashAlgorithms(it) } + preferredSymmetricAlgorithms?.let { setPreferredSymmetricKeyAlgorithms(it) } + preferredAEADAlgorithms?.let { setPreferredAEADCiphersuites(it) } setFeatures(Feature.MODIFICATION_DETECTION) } .let { KeySpec(type, hashedSubpackets as SignatureSubpackets, false, keyCreationDate) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt index f3e22faf..2349ed9a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt @@ -21,14 +21,17 @@ interface BaseSignatureSubpackets { fun setAppropriateIssuerInfo(key: PGPPublicKey): BaseSignatureSubpackets /** - * Depending on the given [version], use the appropriate means of setting issuer information. - * V6 signatures for example MUST NOT contain an [IssuerKeyID] packet. + * Depending on the given [version], use the appropriate means of setting issuer information. V6 + * signatures for example MUST NOT contain an [IssuerKeyID] packet. * * @param key issuer key * @param version signature version * @return this */ - fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion): BaseSignatureSubpackets + fun setAppropriateIssuerInfo( + key: PGPPublicKey, + version: OpenPGPKeyVersion + ): BaseSignatureSubpackets /** * Add both an [IssuerKeyID] and [IssuerFingerprint] subpacket pointing to the given key. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt index 318b7adf..7e7c8236 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt @@ -112,6 +112,8 @@ interface SelfSignatureSubpackets : BaseSignatureSubpackets { fun setPreferredHashAlgorithms(algorithms: PreferredAlgorithms?): SelfSignatureSubpackets + fun setPreferredAEADCiphersuites(aeadAlgorithms: Set) + fun addRevocationKey(revocationKey: PGPPublicKey): SelfSignatureSubpackets fun addRevocationKey(isCritical: Boolean, revocationKey: PGPPublicKey): SelfSignatureSubpackets diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index d91b8659..93796ca8 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -360,7 +360,8 @@ class SignatureSubpackets : when (version) { OpenPGPKeyVersion.v3 -> setIssuerKeyId(key.keyID) OpenPGPKeyVersion.v4 -> setIssuerFingerprintAndKeyId(key) - OpenPGPKeyVersion.librePgp, OpenPGPKeyVersion.v6 -> setIssuerFingerprint(key) + OpenPGPKeyVersion.librePgp, + OpenPGPKeyVersion.v6 -> setIssuerFingerprint(key) } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index 8ad1daeb..a524eea6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -4,12 +4,24 @@ package org.pgpainless.key.generation; +import org.bouncycastle.bcpg.SignatureSubpacketTags; +import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.SignatureParameters; +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.OpenPGPKeyVersion; +import org.pgpainless.algorithm.PublicKeyAlgorithm; + +import java.io.IOException; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; public class GenerateV6KeyTest { @@ -20,4 +32,70 @@ public class GenerateV6KeyTest { .getPGPSecretKeyRing(); assertEquals(6, secretKey.getPublicKey().getVersion()); } + + @Test + public void buildMinimalEd25519V6Key() throws PGPException { + OpenPGPKey key = PGPainless.getInstance().buildKey(OpenPGPKeyVersion.v6) + .withPrimaryKey(PGPKeyPairGenerator::generateEd25519KeyPair, new SignatureParameters.Callback() { + @Override + public SignatureParameters apply(SignatureParameters parameters) { + return parameters.setHashedSubpacketsFunction(pgpSignatureSubpacketGenerator -> { + // TODO: Remove once https://github.com/bcgit/bc-java/pull/2013 lands + pgpSignatureSubpacketGenerator.removePacketsOfType(SignatureSubpacketTags.KEY_FLAGS); + pgpSignatureSubpacketGenerator.setKeyFlags(KeyFlag.SIGN_DATA.getFlag()); + return pgpSignatureSubpacketGenerator; + }); + } + }) + .build(); + + assertTrue(key.isSecretKey()); + + assertEquals(1, key.getKeys().size()); + OpenPGPCertificate.OpenPGPPrimaryKey primaryKey = key.getPrimaryKey(); + assertEquals(6, primaryKey.getVersion()); + assertTrue(primaryKey.isPrimaryKey()); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), primaryKey.getPGPPublicKey().getAlgorithm()); + assertEquals(primaryKey, key.getSigningKeys().get(0)); + assertTrue(key.getEncryptionKeys().isEmpty()); + + OpenPGPKey.OpenPGPSecretKey primarySecretKey = key.getPrimarySecretKey(); + assertEquals(primarySecretKey, key.getSecretKey(primaryKey)); + } + + @Test + public void buildCompositeCurve25519V6Key() + throws PGPException, IOException { + OpenPGPKey key = PGPainless.getInstance().buildKey(OpenPGPKeyVersion.v6) + .withPrimaryKey(PGPKeyPairGenerator::generateEd25519KeyPair) + .addSigningSubkey(PGPKeyPairGenerator::generateEd25519KeyPair) + .addEncryptionSubkey(PGPKeyPairGenerator::generateX25519KeyPair) + .addUserId("Alice ") + .build(); + + assertTrue(key.isSecretKey()); + assertEquals(3, key.getKeys().size()); + OpenPGPCertificate.OpenPGPPrimaryKey primaryKey = key.getPrimaryKey(); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), primaryKey.getPGPPublicKey().getAlgorithm()); + assertEquals(6, primaryKey.getVersion()); + assertTrue(primaryKey.isPrimaryKey()); + assertEquals(primaryKey, key.getKeys().get(0)); + + OpenPGPCertificate.OpenPGPComponentKey signingKey = key.getKeys().get(1); + assertTrue(key.getSigningKeys().contains(signingKey)); + assertEquals(6, signingKey.getVersion()); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), signingKey.getPGPPublicKey().getAlgorithm()); + assertFalse(signingKey.isPrimaryKey()); + + OpenPGPCertificate.OpenPGPComponentKey encryptionKey = key.getKeys().get(2); + assertTrue(key.getEncryptionKeys().contains(encryptionKey)); + assertEquals(6, encryptionKey.getVersion()); + assertEquals(PublicKeyAlgorithm.X25519.getAlgorithmId(), encryptionKey.getPGPPublicKey().getAlgorithm()); + assertFalse(encryptionKey.isPrimaryKey()); + + OpenPGPCertificate certificate = key.toCertificate(); + assertFalse(certificate.isSecretKey()); + + System.out.println(certificate.toAsciiArmoredString()); + } } From b5386d844e5a968e225ea2d8e763e8a51c82e597 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 6 Mar 2025 09:26:35 +0100 Subject: [PATCH 068/265] Add missing method implementations --- .../key/modification/secretkeyring/SecretKeyRingEditor.kt | 6 +++--- .../signature/subpackets/SelfSignatureSubpackets.kt | 2 +- .../pgpainless/signature/subpackets/SignatureSubpackets.kt | 5 +++++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index a5513cb3..710b7d32 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -90,9 +90,9 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date } builder.hashedSubpackets.apply { setKeyFlags(info.getKeyFlagsOf(primaryKey.keyID)) - setPreferredHashAlgorithms(hashAlgorithmPreferences) - setPreferredSymmetricKeyAlgorithms(symmetricKeyAlgorithmPreferences) - setPreferredCompressionAlgorithms(compressionAlgorithmPreferences) + hashAlgorithmPreferences?.let { setPreferredHashAlgorithms(it) } + symmetricKeyAlgorithmPreferences?.let { setPreferredSymmetricKeyAlgorithms(it) } + compressionAlgorithmPreferences?.let { setPreferredCompressionAlgorithms(it) } setFeatures(Feature.MODIFICATION_DETECTION) } builder.applyCallback(callback) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt index 7e7c8236..7d160c5c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt @@ -112,7 +112,7 @@ interface SelfSignatureSubpackets : BaseSignatureSubpackets { fun setPreferredHashAlgorithms(algorithms: PreferredAlgorithms?): SelfSignatureSubpackets - fun setPreferredAEADCiphersuites(aeadAlgorithms: Set) + fun setPreferredAEADCiphersuites(aeadAlgorithms: Set): SelfSignatureSubpackets fun addRevocationKey(revocationKey: PGPPublicKey): SelfSignatureSubpackets diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index 93796ca8..192412c9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -42,6 +42,7 @@ class SignatureSubpackets : var preferredCompressionAlgorithmsSubpacket: PreferredAlgorithms? = null var preferredSymmetricKeyAlgorithmsSubpacket: PreferredAlgorithms? = null var preferredHashAlgorithmsSubpacket: PreferredAlgorithms? = null + var preferredAEADCiphersuites: List? = null val embeddedSignatureSubpackets: List = mutableListOf() var signerUserIdSubpacket: SignerUserID? = null var keyExpirationTimeSubpacket: KeyExpirationTime? = null @@ -312,6 +313,10 @@ class SignatureSubpackets : this.preferredHashAlgorithmsSubpacket = algorithms } + override fun setPreferredAEADCiphersuites( + aeadAlgorithms: Set + ): SignatureSubpackets = apply { this.preferredAEADCiphersuites = aeadAlgorithms.toList() } + override fun addRevocationKey(revocationKey: PGPPublicKey): SignatureSubpackets = apply { addRevocationKey(true, revocationKey) } From deaf9fa4045f8714a67ad6cc82fe586b35ef9554 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 6 Mar 2025 10:38:58 +0100 Subject: [PATCH 069/265] buildKey(): Use BC KeyGenerator, but apply PGPainless algorithm preferences --- .../main/kotlin/org/pgpainless/PGPainless.kt | 17 +++- .../pgpainless/algorithm/AlgorithmSuite.kt | 13 +-- .../SignatureSubpacketsFunctionHelper.kt | 90 +++++++++++++++++++ .../secretkeyring/SecretKeyRingEditor.kt | 1 + 4 files changed, 108 insertions(+), 13 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 2b43958c..c7f7b8b2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -19,6 +19,7 @@ import org.bouncycastle.openpgp.api.OpenPGPKeyReader import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter +import org.pgpainless.bouncycastle.helpers.SignatureSubpacketsFunctionHelper import org.pgpainless.decryption_verification.DecryptionBuilder import org.pgpainless.encryption_signing.EncryptionBuilder import org.pgpainless.key.certification.CertifyCertificate @@ -59,7 +60,21 @@ class PGPainless( implementation, version.numeric, version == OpenPGPKeyVersion.v6, creationTime) .apply { val genAlgs = algorithmPolicy.keyGenerationAlgorithmSuite - setDefaultFeatures(genAlgs.features.toSignatureSubpacketsFunction(true)) + // Set default algorithm preferences from AlgorithmSuite + setDefaultFeatures( + SignatureSubpacketsFunctionHelper.applyFeatures(true, genAlgs.features)) + setDefaultSymmetricKeyPreferences( + SignatureSubpacketsFunctionHelper.applySymmetricAlgorithmPreferences( + true, genAlgs.symmetricKeyAlgorithms)) + setDefaultHashAlgorithmPreferences( + SignatureSubpacketsFunctionHelper.applyHashAlgorithmPreferences( + true, genAlgs.hashAlgorithms)) + setDefaultCompressionAlgorithmPreferences( + SignatureSubpacketsFunctionHelper.applyCompressionAlgorithmPreferences( + true, genAlgs.compressionAlgorithms)) + setDefaultAeadAlgorithmPreferences( + SignatureSubpacketsFunctionHelper.applyAEADAlgorithmSuites( + false, genAlgs.aeadAlgorithms)) } fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt index 2012e2e1..801e674c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt @@ -4,8 +4,6 @@ package org.pgpainless.algorithm -import org.bouncycastle.openpgp.api.SignatureSubpacketsFunction - class AlgorithmSuite( symmetricKeyAlgorithms: List?, hashAlgorithms: List?, @@ -18,16 +16,7 @@ class AlgorithmSuite( val hashAlgorithms: Set? = hashAlgorithms?.toSet() val compressionAlgorithms: Set? = compressionAlgorithms?.toSet() val aeadAlgorithms: Set? = aeadAlgorithms?.toSet() - val features: FeatureSet = FeatureSet(features.toSet()) - - class FeatureSet(val features: Set) { - fun toSignatureSubpacketsFunction(critical: Boolean = true): SignatureSubpacketsFunction { - return SignatureSubpacketsFunction { - val b = Feature.toBitmask(*features.toTypedArray()) - it.apply { setFeature(critical, b) } - } - } - } + val features: Set = features.toSet() companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt new file mode 100644 index 00000000..80feda8d --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt @@ -0,0 +1,90 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.bouncycastle.helpers + +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites +import org.bouncycastle.openpgp.api.SignatureSubpacketsFunction +import org.pgpainless.algorithm.AEADCipherMode +import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.Feature +import org.pgpainless.algorithm.HashAlgorithm +import org.pgpainless.algorithm.SymmetricKeyAlgorithm + +class SignatureSubpacketsFunctionHelper { + + companion object { + + @JvmStatic + fun applySymmetricAlgorithmPreferences( + critical: Boolean = true, + symmetricAlgorithms: Set? + ): SignatureSubpacketsFunction { + return symmetricAlgorithms?.let { algorithms -> + val algorithmIds = algorithms.map { it.algorithmId }.toIntArray() + SignatureSubpacketsFunction { + it.apply { setPreferredSymmetricAlgorithms(critical, algorithmIds) } + } + } + ?: SignatureSubpacketsFunction { it } + } + + @JvmStatic + fun applyHashAlgorithmPreferences( + critical: Boolean = true, + hashAlgorithms: Set? + ): SignatureSubpacketsFunction { + return hashAlgorithms?.let { algorithms -> + val algorithmIds = algorithms.map { it.algorithmId }.toIntArray() + SignatureSubpacketsFunction { + it.apply { setPreferredHashAlgorithms(critical, algorithmIds) } + } + } + ?: SignatureSubpacketsFunction { it } + } + + @JvmStatic + fun applyCompressionAlgorithmPreferences( + critical: Boolean = true, + compressionAlgorithms: Set? + ): SignatureSubpacketsFunction { + return compressionAlgorithms?.let { algorithms -> + val algorithmIds = algorithms.map { it.algorithmId }.toIntArray() + SignatureSubpacketsFunction { + it.apply { setPreferredCompressionAlgorithms(critical, algorithmIds) } + } + } + ?: SignatureSubpacketsFunction { it } + } + + @JvmStatic + fun applyAEADAlgorithmSuites( + critical: Boolean = true, + aeadAlgorithms: Set? + ): SignatureSubpacketsFunction { + return aeadAlgorithms?.let { algorithms -> + SignatureSubpacketsFunction { + val builder = PreferredAEADCiphersuites.builder(critical) + for (ciphermode: AEADCipherMode in algorithms) { + builder.addCombination( + ciphermode.ciphermode.algorithmId, ciphermode.aeadAlgorithm.algorithmId) + } + it.apply { setPreferredAEADCiphersuites(builder) } + } + } + ?: SignatureSubpacketsFunction { it } + } + + @JvmStatic + fun applyFeatures( + critical: Boolean = true, + features: Set + ): SignatureSubpacketsFunction { + return SignatureSubpacketsFunction { + val b = Feature.toBitmask(*features.toTypedArray()) + it.apply { setFeature(critical, b) } + } + } + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 710b7d32..659db88c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -90,6 +90,7 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date } builder.hashedSubpackets.apply { setKeyFlags(info.getKeyFlagsOf(primaryKey.keyID)) + hashAlgorithmPreferences hashAlgorithmPreferences?.let { setPreferredHashAlgorithms(it) } symmetricKeyAlgorithmPreferences?.let { setPreferredSymmetricKeyAlgorithms(it) } compressionAlgorithmPreferences?.let { setPreferredCompressionAlgorithms(it) } From 4dadc7c445636a7a279c16bf523d15878a6f7bac Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 6 Mar 2025 11:41:36 +0100 Subject: [PATCH 070/265] Implement applying algorithm preferences as extension functions --- .../main/kotlin/org/pgpainless/PGPainless.kt | 21 +-- .../OpenPGPKeyGeneratorExtensions.kt | 126 ++++++++++++++++++ .../SignatureSubpacketsFunctionHelper.kt | 90 ------------- .../key/generation/GenerateV6KeyTest.java | 2 + 4 files changed, 130 insertions(+), 109 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index c7f7b8b2..98ff0603 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -19,7 +19,7 @@ import org.bouncycastle.openpgp.api.OpenPGPKeyReader import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter -import org.pgpainless.bouncycastle.helpers.SignatureSubpacketsFunctionHelper +import org.pgpainless.bouncycastle.extensions.setAlgorithmSuite import org.pgpainless.decryption_verification.DecryptionBuilder import org.pgpainless.encryption_signing.EncryptionBuilder import org.pgpainless.key.certification.CertifyCertificate @@ -58,24 +58,7 @@ class PGPainless( ): OpenPGPKeyGenerator = OpenPGPKeyGenerator( implementation, version.numeric, version == OpenPGPKeyVersion.v6, creationTime) - .apply { - val genAlgs = algorithmPolicy.keyGenerationAlgorithmSuite - // Set default algorithm preferences from AlgorithmSuite - setDefaultFeatures( - SignatureSubpacketsFunctionHelper.applyFeatures(true, genAlgs.features)) - setDefaultSymmetricKeyPreferences( - SignatureSubpacketsFunctionHelper.applySymmetricAlgorithmPreferences( - true, genAlgs.symmetricKeyAlgorithms)) - setDefaultHashAlgorithmPreferences( - SignatureSubpacketsFunctionHelper.applyHashAlgorithmPreferences( - true, genAlgs.hashAlgorithms)) - setDefaultCompressionAlgorithmPreferences( - SignatureSubpacketsFunctionHelper.applyCompressionAlgorithmPreferences( - true, genAlgs.compressionAlgorithms)) - setDefaultAeadAlgorithmPreferences( - SignatureSubpacketsFunctionHelper.applyAEADAlgorithmSuites( - false, genAlgs.aeadAlgorithms)) - } + .setAlgorithmSuite(algorithmPolicy.keyGenerationAlgorithmSuite) fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt new file mode 100644 index 00000000..05a812d0 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt @@ -0,0 +1,126 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.bouncycastle.extensions + +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites +import org.bouncycastle.openpgp.api.OpenPGPKeyGenerator +import org.pgpainless.algorithm.AEADCipherMode +import org.pgpainless.algorithm.AlgorithmSuite +import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.Feature +import org.pgpainless.algorithm.HashAlgorithm +import org.pgpainless.algorithm.SymmetricKeyAlgorithm + +/** + * Apply different algorithm preferences (features, symmetric-key-, hash-, compression- and AEAD + * algorithm preferences to the [OpenPGPKeyGenerator] for key generation. The preferences will be + * set on preference-signatures on the generated keys. + * + * @param algorithms algorithm suite + * @return this + */ +fun OpenPGPKeyGenerator.setAlgorithmSuite(algorithms: AlgorithmSuite): OpenPGPKeyGenerator { + setDefaultFeatures(true, algorithms.features) + setDefaultSymmetricKeyPreferences(true, algorithms.symmetricKeyAlgorithms) + setDefaultHashAlgorithmPreferences(true, algorithms.hashAlgorithms) + setDefaultCompressionAlgorithmPreferences(true, algorithms.compressionAlgorithms) + setDefaultAeadAlgorithmPreferences(false, algorithms.aeadAlgorithms) + return this +} + +fun OpenPGPKeyGenerator.setDefaultFeatures( + critical: Boolean = true, + features: Set +): OpenPGPKeyGenerator { + this.setDefaultFeatures { + val b = Feature.toBitmask(*features.toTypedArray()) + it.apply { setFeature(critical, b) } + } + return this +} + +/** + * Define [SymmetricKeyAlgorithms][SymmetricKeyAlgorithm] that will be applied as symmetric key + * algorithm preferences to preference-signatures on freshly generated keys. + * + * @param critical whether to mark the preference subpacket as critical + * @param symmetricKeyAlgorithms ordered set of preferred symmetric key algorithms + * @return this + */ +fun OpenPGPKeyGenerator.setDefaultSymmetricKeyPreferences( + critical: Boolean = true, + symmetricKeyAlgorithms: Set? +): OpenPGPKeyGenerator = apply { + symmetricKeyAlgorithms?.let { algorithms -> + this.setDefaultSymmetricKeyPreferences { + val algorithmIds = algorithms.map { a -> a.algorithmId }.toIntArray() + it.apply { setPreferredSymmetricAlgorithms(critical, algorithmIds) } + } + } +} + +/** + * Define [HashAlgorithms][HashAlgorithm] that will be applied as hash algorithm preferences to + * preference-signatures on freshly generated keys. + * + * @param critical whether to mark the preference subpacket as critical + * @param hashAlgorithms ordered set of preferred hash algorithms + * @return this + */ +fun OpenPGPKeyGenerator.setDefaultHashAlgorithmPreferences( + critical: Boolean = true, + hashAlgorithms: Set? +): OpenPGPKeyGenerator = apply { + hashAlgorithms?.let { algorithms -> + this.setDefaultHashAlgorithmPreferences { + val algorithmIds = algorithms.map { a -> a.algorithmId }.toIntArray() + it.apply { setPreferredHashAlgorithms(critical, algorithmIds) } + } + } +} + +/** + * Define [CompressionAlgorithms][CompressionAlgorithm] that will be applied as compression + * algorithm preferences to preference-signatures on freshly generated keys. + * + * @param critical whether to mark the preference subpacket as critical + * @param compressionAlgorithms ordered set of preferred compression algorithms + * @return this + */ +fun OpenPGPKeyGenerator.setDefaultCompressionAlgorithmPreferences( + critical: Boolean = true, + compressionAlgorithms: Set? +): OpenPGPKeyGenerator = apply { + compressionAlgorithms?.let { algorithms -> + this.setDefaultCompressionAlgorithmPreferences { + val algorithmIds = algorithms.map { a -> a.algorithmId }.toIntArray() + it.apply { setPreferredCompressionAlgorithms(critical, algorithmIds) } + } + } +} + +/** + * Define [AEADCipherModes][AEADCipherMode] that will be applied as AEAD algorithm preferences to + * preference signatures on freshly generated keys. + * + * @param critical whether to mark the preferences subpacket as critical + * @param aeadAlgorithms ordered set of AEAD preferences + * @return this + */ +fun OpenPGPKeyGenerator.setDefaultAeadAlgorithmPreferences( + critical: Boolean = false, + aeadAlgorithms: Set? +): OpenPGPKeyGenerator = apply { + aeadAlgorithms?.let { algorithms -> + this.setDefaultAeadAlgorithmPreferences { + val builder = PreferredAEADCiphersuites.builder(critical) + for (ciphermode: AEADCipherMode in algorithms) { + builder.addCombination( + ciphermode.ciphermode.algorithmId, ciphermode.aeadAlgorithm.algorithmId) + } + it.apply { setPreferredAEADCiphersuites(builder) } + } + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt deleted file mode 100644 index 80feda8d..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/helpers/SignatureSubpacketsFunctionHelper.kt +++ /dev/null @@ -1,90 +0,0 @@ -// SPDX-FileCopyrightText: 2025 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.bouncycastle.helpers - -import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites -import org.bouncycastle.openpgp.api.SignatureSubpacketsFunction -import org.pgpainless.algorithm.AEADCipherMode -import org.pgpainless.algorithm.CompressionAlgorithm -import org.pgpainless.algorithm.Feature -import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.algorithm.SymmetricKeyAlgorithm - -class SignatureSubpacketsFunctionHelper { - - companion object { - - @JvmStatic - fun applySymmetricAlgorithmPreferences( - critical: Boolean = true, - symmetricAlgorithms: Set? - ): SignatureSubpacketsFunction { - return symmetricAlgorithms?.let { algorithms -> - val algorithmIds = algorithms.map { it.algorithmId }.toIntArray() - SignatureSubpacketsFunction { - it.apply { setPreferredSymmetricAlgorithms(critical, algorithmIds) } - } - } - ?: SignatureSubpacketsFunction { it } - } - - @JvmStatic - fun applyHashAlgorithmPreferences( - critical: Boolean = true, - hashAlgorithms: Set? - ): SignatureSubpacketsFunction { - return hashAlgorithms?.let { algorithms -> - val algorithmIds = algorithms.map { it.algorithmId }.toIntArray() - SignatureSubpacketsFunction { - it.apply { setPreferredHashAlgorithms(critical, algorithmIds) } - } - } - ?: SignatureSubpacketsFunction { it } - } - - @JvmStatic - fun applyCompressionAlgorithmPreferences( - critical: Boolean = true, - compressionAlgorithms: Set? - ): SignatureSubpacketsFunction { - return compressionAlgorithms?.let { algorithms -> - val algorithmIds = algorithms.map { it.algorithmId }.toIntArray() - SignatureSubpacketsFunction { - it.apply { setPreferredCompressionAlgorithms(critical, algorithmIds) } - } - } - ?: SignatureSubpacketsFunction { it } - } - - @JvmStatic - fun applyAEADAlgorithmSuites( - critical: Boolean = true, - aeadAlgorithms: Set? - ): SignatureSubpacketsFunction { - return aeadAlgorithms?.let { algorithms -> - SignatureSubpacketsFunction { - val builder = PreferredAEADCiphersuites.builder(critical) - for (ciphermode: AEADCipherMode in algorithms) { - builder.addCombination( - ciphermode.ciphermode.algorithmId, ciphermode.aeadAlgorithm.algorithmId) - } - it.apply { setPreferredAEADCiphersuites(builder) } - } - } - ?: SignatureSubpacketsFunction { it } - } - - @JvmStatic - fun applyFeatures( - critical: Boolean = true, - features: Set - ): SignatureSubpacketsFunction { - return SignatureSubpacketsFunction { - val b = Feature.toBitmask(*features.toTypedArray()) - it.apply { setFeature(critical, b) } - } - } - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index a524eea6..a479093d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -96,6 +96,8 @@ public class GenerateV6KeyTest { OpenPGPCertificate certificate = key.toCertificate(); assertFalse(certificate.isSecretKey()); + // CHECKSTYLE:OFF System.out.println(certificate.toAsciiArmoredString()); + // CHECKSTYLE:ON } } From d28b47c1f1d1588d0f8336ad51ddb37f46771d49 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 7 Mar 2025 12:00:57 +0100 Subject: [PATCH 071/265] Policy: Change default compression algorithm to UNCOMPRESSED --- pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 454407f7..c8bc3754 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -305,7 +305,7 @@ class Policy( @JvmStatic fun anyCompressionAlgorithmPolicy() = CompressionAlgorithmPolicy( - CompressionAlgorithm.ZIP, + CompressionAlgorithm.UNCOMPRESSED, listOf( CompressionAlgorithm.UNCOMPRESSED, CompressionAlgorithm.ZIP, From 0bc80d86d3f57fed29bc6775705ef722e536b1ce Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 7 Mar 2025 12:01:40 +0100 Subject: [PATCH 072/265] SigningOptions: Properly init PGPSignatureGenerator to support v6 keys --- .../pgpainless/encryption_signing/SigningOptions.kt | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index cc675619..9159a71e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -450,7 +450,7 @@ class SigningOptions { } val generator: PGPSignatureGenerator = - createSignatureGenerator(signingKey.keyPair.privateKey, hashAlgorithm, signatureType) + createSignatureGenerator(signingKey.keyPair, hashAlgorithm, signatureType) // Subpackets val hashedSubpackets = @@ -491,16 +491,15 @@ class SigningOptions { @Throws(PGPException::class) private fun createSignatureGenerator( - privateKey: PGPPrivateKey, + signingKey: PGPKeyPair, hashAlgorithm: HashAlgorithm, signatureType: DocumentSignatureType ): PGPSignatureGenerator { return ImplementationFactory.getInstance() - .getPGPContentSignerBuilder( - privateKey.publicKeyPacket.algorithm, hashAlgorithm.algorithmId) + .getPGPContentSignerBuilder(signingKey.publicKey.algorithm, hashAlgorithm.algorithmId) .let { csb -> - PGPSignatureGenerator(csb).also { - it.init(signatureType.signatureType.code, privateKey) + PGPSignatureGenerator(csb, signingKey.publicKey).also { + it.init(signatureType.signatureType.code, signingKey.privateKey) } } } From 76963ec3ecfa2e0554fd9b907620c2c10b4c213a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 7 Mar 2025 14:48:03 +0100 Subject: [PATCH 073/265] Remove ImplementationFactory in favor of BCs OpenPGPImplementation --- docs/source/pgpainless-core/migration_2.0.md | 6 + .../MessageInspector.kt | 8 +- .../OpenPgpMessageInputStream.kt | 16 +-- .../ClearsignedMessageUtil.kt | 4 +- .../encryption_signing/EncryptionOptions.kt | 13 +- .../encryption_signing/EncryptionStream.kt | 8 +- .../encryption_signing/SigningOptions.kt | 6 +- .../implementation/BcImplementationFactory.kt | 114 ----------------- .../implementation/ImplementationFactory.kt | 117 ------------------ .../JceImplementationFactory.kt | 112 ----------------- .../key/collection/PGPKeyRingCollection.kt | 6 +- .../key/generation/KeyRingBuilder.kt | 41 +++--- .../secretkeyring/SecretKeyRingEditor.kt | 9 +- .../pgpainless/key/parsing/KeyRingReader.kt | 21 ++-- .../protection/BaseSecretKeyRingProtector.kt | 22 ++-- .../CachingSecretKeyRingProtector.kt | 4 +- .../key/protection/SecretKeyRingProtector.kt | 36 ++++-- .../protection/UnprotectedKeysProtector.kt | 3 +- .../key/protection/fixes/S2KUsageFix.kt | 13 +- .../org/pgpainless/key/util/KeyRingUtils.kt | 8 +- .../util/PublicKeyParameterValidationUtil.kt | 25 ++-- .../pgpainless/signature/SignatureUtils.kt | 4 +- .../builder/AbstractSignatureBuilder.kt | 9 +- .../signature/consumer/SignatureValidator.kt | 13 +- .../signature/consumer/SignatureVerifier.kt | 4 +- ...vestigateMultiSEIPMessageHandlingTest.java | 15 +-- .../VerifyVersion3SignaturePacketTest.java | 4 +- .../pgpainless/key/ImportExportKeyTest.java | 6 +- .../java/org/pgpainless/key/WeirdKeys.java | 7 +- .../key/generation/GenerateV6KeyTest.java | 64 ++++++++-- .../ChangeSecretKeyRingPassphraseTest.java | 9 +- .../key/parsing/KeyRingReaderTest.java | 4 +- .../CachingSecretKeyRingProtectorTest.java | 6 +- .../PassphraseProtectedKeyTest.java | 11 +- .../SecretKeyRingProtectorTest.java | 5 +- .../UnprotectedKeysProtectorTest.java | 5 - .../pgpainless/key/util/KeyRingUtilTest.java | 6 +- .../OnePassSignatureBracketingTest.java | 10 +- .../SignatureOverUserAttributesTest.java | 12 +- .../SignatureSubpacketsUtilTest.java | 4 +- ...artyCertificationSignatureBuilderTest.java | 4 +- .../subpackets/SignatureSubpacketsTest.java | 7 +- .../org/pgpainless/util/ArmorUtilsTest.java | 6 +- .../util/TestAllImplementations.java | 22 ++-- .../org/pgpainless/sop/InlineDetachImpl.kt | 9 +- .../sop/MatchMakingSecretKeyRingProtector.kt | 5 +- .../org/pgpainless/sop/InlineDetachTest.java | 6 +- ...MatchMakingSecretKeyRingProtectorTest.java | 4 +- 48 files changed, 303 insertions(+), 550 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/implementation/BcImplementationFactory.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/implementation/ImplementationFactory.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/implementation/JceImplementationFactory.kt diff --git a/docs/source/pgpainless-core/migration_2.0.md b/docs/source/pgpainless-core/migration_2.0.md index 432ccc6e..cfed6744 100644 --- a/docs/source/pgpainless-core/migration_2.0.md +++ b/docs/source/pgpainless-core/migration_2.0.md @@ -86,6 +86,12 @@ Consequently, `KeyIdentifier` is now also the preferred way to reference keys in previously a key-id or fingerprint was expected, now also accept `KeyIdentifier` objects. In places, where you need to access a 64-bit key-id, you can call `keyIdentifier.getKeyId()`. +## `SecretKeyRingProtector` + +When an OpenPGP v6 key is encrypted, the public key parts are incorporated as authenticated data into the encryption +process. Therefore, when instantiating a `PBESecretKeyEncryptor`, the public key needs to be passed in. +As a consequence, the API of `SecretKeyRingProtector` changed and now a `PGPPublicKey` needs to be passed in, +instead of merely a key-id or `KeyIdentifier`. ## Differences between BCs high-level API and PGPainless diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt index acfcba51..e6d08dae 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt @@ -7,7 +7,7 @@ package org.pgpainless.decryption_verification import java.io.IOException import java.io.InputStream import org.bouncycastle.openpgp.* -import org.pgpainless.implementation.ImplementationFactory +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.util.ArmorUtils /** @@ -68,7 +68,7 @@ class MessageInspector { @JvmStatic @Throws(PGPException::class, IOException::class) private fun processMessage(inputStream: InputStream): EncryptionInfo { - var objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(inputStream) + var objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(inputStream) var n: Any? while (objectFactory.nextObject().also { n = it } != null) { @@ -94,8 +94,8 @@ class MessageInspector { } is PGPCompressedData -> { objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory(PGPUtil.getDecoderStream(next.dataStream)) + OpenPGPImplementation.getInstance() + .pgpObjectFactory(PGPUtil.getDecoderStream(next.dataStream)) continue } is PGPLiteralData -> { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 680344ca..d10b9750 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -23,8 +23,10 @@ import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPBEEncryptedData import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData +import org.bouncycastle.openpgp.PGPSessionKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey @@ -57,7 +59,6 @@ import org.pgpainless.exception.MissingPassphraseException import org.pgpainless.exception.SignatureValidationException import org.pgpainless.exception.UnacceptableAlgorithmException import org.pgpainless.exception.WrongPassphraseException -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.protection.UnlockSecretKey.Companion.unlockSecretKey import org.pgpainless.policy.Policy @@ -360,8 +361,9 @@ class OpenPgpMessageInputStream( LOGGER.debug("Attempt decryption with provided session key.") throwIfUnacceptable(sk.algorithm) + val pgpSk = PGPSessionKey(sk.algorithm.algorithmId, sk.key) val decryptorFactory = - ImplementationFactory.getInstance().getSessionKeyDataDecryptorFactory(sk) + OpenPGPImplementation.getInstance().sessionKeyDataDecryptorFactory(pgpSk) val layer = EncryptedData(sk.algorithm, layerMetadata.depth + 1) val skEncData = encDataList.extractSessionKeyEncryptedData() try { @@ -393,7 +395,8 @@ class OpenPgpMessageInputStream( } val decryptorFactory = - ImplementationFactory.getInstance().getPBEDataDecryptorFactory(passphrase) + OpenPGPImplementation.getInstance() + .pbeDataDecryptorFactory(passphrase.getChars()) if (decryptSKESKAndStream(esks, skesk, decryptorFactory)) { return true } @@ -515,8 +518,7 @@ class OpenPgpMessageInputStream( pkesk: PGPPublicKeyEncryptedData ): Boolean { val decryptorFactory = - ImplementationFactory.getInstance() - .getPublicKeyDataDecryptorFactory(privateKey.privateKey) + OpenPGPImplementation.getInstance().publicKeyDataDecryptorFactory(privateKey.privateKey) return decryptPKESKAndStream(esks, decryptionKeyId, decryptorFactory, pkesk) } @@ -1046,7 +1048,7 @@ class OpenPgpMessageInputStream( @JvmStatic private fun initialize(signature: PGPSignature, publicKey: PGPPublicKey) { val verifierProvider = - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider() try { signature.init(verifierProvider, publicKey) } catch (e: PGPException) { @@ -1057,7 +1059,7 @@ class OpenPgpMessageInputStream( @JvmStatic private fun initialize(ops: PGPOnePassSignature, publicKey: PGPPublicKey) { val verifierProvider = - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider() try { ops.init(verifierProvider, publicKey) } catch (e: PGPException) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.kt index 78614a96..bf277743 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.kt @@ -8,9 +8,9 @@ import java.io.* import kotlin.jvm.Throws import org.bouncycastle.bcpg.ArmoredInputStream import org.bouncycastle.openpgp.PGPSignatureList +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.Strings import org.pgpainless.exception.WrongConsumingMethodException -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.util.ArmoredInputStreamFactory /** @@ -72,7 +72,7 @@ class ClearsignedMessageUtil { } } - val objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(input) + val objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(input) val next = objectFactory.nextObject() ?: PGPSignatureList(arrayOf()) return next as PGPSignatureList } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index d130a4f1..957d08af 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -8,6 +8,7 @@ import java.util.* import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.EncryptionPurpose @@ -16,7 +17,6 @@ import org.pgpainless.authentication.CertificateAuthority import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.encryption_signing.EncryptionOptions.EncryptionKeySelector import org.pgpainless.exception.KeyException.* -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.info.KeyAccessor import org.pgpainless.key.info.KeyRingInfo @@ -326,13 +326,13 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { } } - private fun addRecipientKey(key: OpenPGPComponentKey, wildcardKeyId: Boolean) { + private fun addRecipientKey(key: OpenPGPComponentKey, wildcardRecipient: Boolean) { _encryptionKeys.add(key) _encryptionKeyIdentifiers.add(SubkeyIdentifier(key)) addEncryptionMethod( - ImplementationFactory.getInstance() - .getPublicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey) - .also { it.setUseWildcardKeyID(wildcardKeyId) }) + OpenPGPImplementation.getInstance() + .publicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey) + .also { it.setUseWildcardRecipient(wildcardRecipient) }) } /** @@ -355,7 +355,8 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { fun addMessagePassphrase(passphrase: Passphrase) = apply { require(!passphrase.isEmpty) { "Passphrase MUST NOT be empty." } addEncryptionMethod( - ImplementationFactory.getInstance().getPBEKeyEncryptionMethodGenerator(passphrase)) + OpenPGPImplementation.getInstance() + .pbeKeyEncryptionMethodGenerator(passphrase.getChars())) } /** diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index 5d226d06..0594d101 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -13,10 +13,10 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator import org.bouncycastle.openpgp.PGPEncryptedDataGenerator import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPLiteralDataGenerator +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.util.ArmoredOutputStreamFactory import org.slf4j.LoggerFactory @@ -89,9 +89,9 @@ class EncryptionStream( LOGGER.debug("Encrypt message using symmetric algorithm $it.") val encryptedDataGenerator = PGPEncryptedDataGenerator( - ImplementationFactory.getInstance().getPGPDataEncryptorBuilder(it).apply { - setWithIntegrityPacket(true) - }) + OpenPGPImplementation.getInstance() + .pgpDataEncryptorBuilder(it.algorithmId) + .apply { setWithIntegrityPacket(true) }) options.encryptionOptions.encryptionMethods.forEach { m -> encryptedDataGenerator.addMethod(m) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 9159a71e..8b2baeef 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -7,6 +7,7 @@ package org.pgpainless.encryption_signing import java.util.* import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey @@ -19,7 +20,6 @@ import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator.Companion.ne import org.pgpainless.bouncycastle.extensions.toOpenPGPKey import org.pgpainless.exception.KeyException import org.pgpainless.exception.KeyException.* -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.OpenPgpFingerprint.Companion.of import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.protection.UnlockSecretKey.Companion.unlockSecretKey @@ -495,8 +495,8 @@ class SigningOptions { hashAlgorithm: HashAlgorithm, signatureType: DocumentSignatureType ): PGPSignatureGenerator { - return ImplementationFactory.getInstance() - .getPGPContentSignerBuilder(signingKey.publicKey.algorithm, hashAlgorithm.algorithmId) + return OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder(signingKey.publicKey.algorithm, hashAlgorithm.algorithmId) .let { csb -> PGPSignatureGenerator(csb, signingKey.publicKey).also { it.init(signatureType.signatureType.code, signingKey.privateKey) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/BcImplementationFactory.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/BcImplementationFactory.kt deleted file mode 100644 index dcf594ea..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/BcImplementationFactory.kt +++ /dev/null @@ -1,114 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.implementation - -import java.io.InputStream -import java.security.KeyPair -import java.util.* -import org.bouncycastle.crypto.AsymmetricCipherKeyPair -import org.bouncycastle.openpgp.* -import org.bouncycastle.openpgp.bc.BcPGPObjectFactory -import org.bouncycastle.openpgp.operator.* -import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator -import org.bouncycastle.openpgp.operator.bc.BcPBEDataDecryptorFactory -import org.bouncycastle.openpgp.operator.bc.BcPBEKeyEncryptionMethodGenerator -import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder -import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyEncryptorBuilder -import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder -import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider -import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder -import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider -import org.bouncycastle.openpgp.operator.bc.BcPGPKeyConverter -import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPair -import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory -import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator -import org.bouncycastle.openpgp.operator.bc.BcSessionKeyDataDecryptorFactory -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair -import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.algorithm.PublicKeyAlgorithm -import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.util.Passphrase - -class BcImplementationFactory : ImplementationFactory() { - override val pgpDigestCalculatorProvider: BcPGPDigestCalculatorProvider = - BcPGPDigestCalculatorProvider() - override val pgpContentVerifierBuilderProvider: BcPGPContentVerifierBuilderProvider = - BcPGPContentVerifierBuilderProvider() - override val keyFingerprintCalculator: BcKeyFingerprintCalculator = BcKeyFingerprintCalculator() - - override fun getPBESecretKeyEncryptor( - symmetricKeyAlgorithm: SymmetricKeyAlgorithm, - digestCalculator: PGPDigestCalculator, - passphrase: Passphrase - ): PBESecretKeyEncryptor = - BcPBESecretKeyEncryptorBuilder(symmetricKeyAlgorithm.algorithmId, digestCalculator) - .build(passphrase.getChars()) - - override fun getPBESecretKeyEncryptor( - encryptionAlgorithm: SymmetricKeyAlgorithm, - hashAlgorithm: HashAlgorithm, - s2kCount: Int, - passphrase: Passphrase - ): PBESecretKeyEncryptor = - BcPBESecretKeyEncryptorBuilder( - encryptionAlgorithm.algorithmId, getPGPDigestCalculator(hashAlgorithm), s2kCount) - .build(passphrase.getChars()) - - override fun getPBESecretKeyDecryptor(passphrase: Passphrase): PBESecretKeyDecryptor = - BcPBESecretKeyDecryptorBuilder(pgpDigestCalculatorProvider).build(passphrase.getChars()) - - override fun getPGPContentSignerBuilder( - keyAlgorithm: Int, - hashAlgorithm: Int - ): PGPContentSignerBuilder = BcPGPContentSignerBuilder(keyAlgorithm, hashAlgorithm) - - override fun getPBEDataDecryptorFactory(passphrase: Passphrase): PBEDataDecryptorFactory = - BcPBEDataDecryptorFactory(passphrase.getChars(), pgpDigestCalculatorProvider) - - override fun getPublicKeyDataDecryptorFactory( - privateKey: PGPPrivateKey - ): PublicKeyDataDecryptorFactory = BcPublicKeyDataDecryptorFactory(privateKey) - - override fun getSessionKeyDataDecryptorFactory( - sessionKey: PGPSessionKey - ): SessionKeyDataDecryptorFactory = BcSessionKeyDataDecryptorFactory(sessionKey) - - override fun getPublicKeyKeyEncryptionMethodGenerator( - key: PGPPublicKey - ): PublicKeyKeyEncryptionMethodGenerator = BcPublicKeyKeyEncryptionMethodGenerator(key) - - override fun getPBEKeyEncryptionMethodGenerator( - passphrase: Passphrase - ): PBEKeyEncryptionMethodGenerator = BcPBEKeyEncryptionMethodGenerator(passphrase.getChars()) - - override fun getPGPDataEncryptorBuilder(symmetricKeyAlgorithm: Int): PGPDataEncryptorBuilder = - BcPGPDataEncryptorBuilder(symmetricKeyAlgorithm) - - override fun getPGPKeyPair( - publicKeyAlgorithm: PublicKeyAlgorithm, - keyPair: KeyPair, - creationDate: Date - ): PGPKeyPair = - BcPGPKeyPair( - publicKeyAlgorithm.algorithmId, - jceToBcKeyPair(publicKeyAlgorithm, keyPair, creationDate), - creationDate) - - override fun getPGPObjectFactory(inputStream: InputStream): PGPObjectFactory = - BcPGPObjectFactory(inputStream) - - private fun jceToBcKeyPair( - publicKeyAlgorithm: PublicKeyAlgorithm, - keyPair: KeyPair, - creationDate: Date - ): AsymmetricCipherKeyPair = - BcPGPKeyConverter().let { converter -> - JcaPGPKeyPair(publicKeyAlgorithm.algorithmId, keyPair, creationDate).let { pair -> - AsymmetricCipherKeyPair( - converter.getPublicKey(pair.publicKey), - converter.getPrivateKey(pair.privateKey)) - } - } -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/ImplementationFactory.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/ImplementationFactory.kt deleted file mode 100644 index 58478379..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/ImplementationFactory.kt +++ /dev/null @@ -1,117 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.implementation - -import java.io.InputStream -import java.security.KeyPair -import java.util.* -import org.bouncycastle.openpgp.* -import org.bouncycastle.openpgp.operator.* -import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.algorithm.PublicKeyAlgorithm -import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.util.Passphrase -import org.pgpainless.util.SessionKey - -abstract class ImplementationFactory { - - companion object { - @JvmStatic private var instance: ImplementationFactory = BcImplementationFactory() - - @JvmStatic fun getInstance() = instance - - @JvmStatic - fun setFactoryImplementation(implementation: ImplementationFactory) = apply { - instance = implementation - } - } - - abstract val pgpDigestCalculatorProvider: PGPDigestCalculatorProvider - abstract val pgpContentVerifierBuilderProvider: PGPContentVerifierBuilderProvider - abstract val keyFingerprintCalculator: KeyFingerPrintCalculator - - val v4FingerprintCalculator: PGPDigestCalculator - get() = getPGPDigestCalculator(HashAlgorithm.SHA1) - - @Throws(PGPException::class) - abstract fun getPBESecretKeyEncryptor( - symmetricKeyAlgorithm: SymmetricKeyAlgorithm, - digestCalculator: PGPDigestCalculator, - passphrase: Passphrase - ): PBESecretKeyEncryptor - - @Throws(PGPException::class) - abstract fun getPBESecretKeyDecryptor(passphrase: Passphrase): PBESecretKeyDecryptor - - @Throws(PGPException::class) - abstract fun getPBESecretKeyEncryptor( - encryptionAlgorithm: SymmetricKeyAlgorithm, - hashAlgorithm: HashAlgorithm, - s2kCount: Int, - passphrase: Passphrase - ): PBESecretKeyEncryptor - - fun getPGPDigestCalculator(hashAlgorithm: HashAlgorithm): PGPDigestCalculator = - getPGPDigestCalculator(hashAlgorithm.algorithmId) - - fun getPGPDigestCalculator(hashAlgorithm: Int): PGPDigestCalculator = - pgpDigestCalculatorProvider.get(hashAlgorithm) - - fun getPGPContentSignerBuilder( - keyAlgorithm: PublicKeyAlgorithm, - hashAlgorithm: HashAlgorithm - ): PGPContentSignerBuilder = - getPGPContentSignerBuilder(keyAlgorithm.algorithmId, hashAlgorithm.algorithmId) - - abstract fun getPGPContentSignerBuilder( - keyAlgorithm: Int, - hashAlgorithm: Int - ): PGPContentSignerBuilder - - @Throws(PGPException::class) - abstract fun getPBEDataDecryptorFactory(passphrase: Passphrase): PBEDataDecryptorFactory - - abstract fun getPublicKeyDataDecryptorFactory( - privateKey: PGPPrivateKey - ): PublicKeyDataDecryptorFactory - - fun getSessionKeyDataDecryptorFactory(sessionKey: SessionKey): SessionKeyDataDecryptorFactory = - getSessionKeyDataDecryptorFactory( - PGPSessionKey(sessionKey.algorithm.algorithmId, sessionKey.key)) - - abstract fun getSessionKeyDataDecryptorFactory( - sessionKey: PGPSessionKey - ): SessionKeyDataDecryptorFactory - - abstract fun getPublicKeyKeyEncryptionMethodGenerator( - key: PGPPublicKey - ): PublicKeyKeyEncryptionMethodGenerator - - abstract fun getPBEKeyEncryptionMethodGenerator( - passphrase: Passphrase - ): PBEKeyEncryptionMethodGenerator - - fun getPGPDataEncryptorBuilder( - symmetricKeyAlgorithm: SymmetricKeyAlgorithm - ): PGPDataEncryptorBuilder = getPGPDataEncryptorBuilder(symmetricKeyAlgorithm.algorithmId) - - abstract fun getPGPDataEncryptorBuilder(symmetricKeyAlgorithm: Int): PGPDataEncryptorBuilder - - @Throws(PGPException::class) - abstract fun getPGPKeyPair( - publicKeyAlgorithm: PublicKeyAlgorithm, - keyPair: KeyPair, - creationDate: Date - ): PGPKeyPair - - fun getPGPObjectFactory(bytes: ByteArray): PGPObjectFactory = - getPGPObjectFactory(bytes.inputStream()) - - abstract fun getPGPObjectFactory(inputStream: InputStream): PGPObjectFactory - - override fun toString(): String { - return javaClass.simpleName - } -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/JceImplementationFactory.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/JceImplementationFactory.kt deleted file mode 100644 index 865f1e0d..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/implementation/JceImplementationFactory.kt +++ /dev/null @@ -1,112 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.implementation - -import java.io.InputStream -import java.security.KeyPair -import java.util.* -import org.bouncycastle.openpgp.* -import org.bouncycastle.openpgp.operator.* -import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair -import org.bouncycastle.openpgp.operator.jcajce.JcePBEDataDecryptorFactoryBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcePBEKeyEncryptionMethodGenerator -import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyEncryptorBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder -import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyKeyEncryptionMethodGenerator -import org.bouncycastle.openpgp.operator.jcajce.JceSessionKeyDataDecryptorFactoryBuilder -import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.algorithm.PublicKeyAlgorithm -import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.provider.ProviderFactory -import org.pgpainless.util.Passphrase - -class JceImplementationFactory : ImplementationFactory() { - override val pgpDigestCalculatorProvider: PGPDigestCalculatorProvider = - JcaPGPDigestCalculatorProviderBuilder().setProvider(ProviderFactory.provider).build() - override val pgpContentVerifierBuilderProvider: PGPContentVerifierBuilderProvider = - JcaPGPContentVerifierBuilderProvider().setProvider(ProviderFactory.provider) - override val keyFingerprintCalculator: KeyFingerPrintCalculator = - JcaKeyFingerprintCalculator().setProvider(ProviderFactory.provider) - - override fun getPBESecretKeyEncryptor( - symmetricKeyAlgorithm: SymmetricKeyAlgorithm, - digestCalculator: PGPDigestCalculator, - passphrase: Passphrase - ): PBESecretKeyEncryptor = - JcePBESecretKeyEncryptorBuilder(symmetricKeyAlgorithm.algorithmId, digestCalculator) - .setProvider(ProviderFactory.provider) - .build(passphrase.getChars()) - - override fun getPBESecretKeyEncryptor( - encryptionAlgorithm: SymmetricKeyAlgorithm, - hashAlgorithm: HashAlgorithm, - s2kCount: Int, - passphrase: Passphrase - ): PBESecretKeyEncryptor = - JcePBESecretKeyEncryptorBuilder( - encryptionAlgorithm.algorithmId, getPGPDigestCalculator(hashAlgorithm), s2kCount) - .setProvider(ProviderFactory.provider) - .build(passphrase.getChars()) - - override fun getPBESecretKeyDecryptor(passphrase: Passphrase): PBESecretKeyDecryptor = - JcePBESecretKeyDecryptorBuilder(pgpDigestCalculatorProvider) - .setProvider(ProviderFactory.provider) - .build(passphrase.getChars()) - - override fun getPGPContentSignerBuilder( - keyAlgorithm: Int, - hashAlgorithm: Int - ): PGPContentSignerBuilder = - JcaPGPContentSignerBuilder(keyAlgorithm, hashAlgorithm) - .setProvider(ProviderFactory.provider) - - override fun getPBEDataDecryptorFactory(passphrase: Passphrase): PBEDataDecryptorFactory = - JcePBEDataDecryptorFactoryBuilder(pgpDigestCalculatorProvider) - .setProvider(ProviderFactory.provider) - .build(passphrase.getChars()) - - override fun getPublicKeyDataDecryptorFactory( - privateKey: PGPPrivateKey - ): PublicKeyDataDecryptorFactory = - JcePublicKeyDataDecryptorFactoryBuilder() - .setProvider(ProviderFactory.provider) - .build(privateKey) - - override fun getSessionKeyDataDecryptorFactory( - sessionKey: PGPSessionKey - ): SessionKeyDataDecryptorFactory = - JceSessionKeyDataDecryptorFactoryBuilder() - .setProvider(ProviderFactory.provider) - .build(sessionKey) - - override fun getPublicKeyKeyEncryptionMethodGenerator( - key: PGPPublicKey - ): PublicKeyKeyEncryptionMethodGenerator = - JcePublicKeyKeyEncryptionMethodGenerator(key).setProvider(ProviderFactory.provider) - - override fun getPBEKeyEncryptionMethodGenerator( - passphrase: Passphrase - ): PBEKeyEncryptionMethodGenerator = - JcePBEKeyEncryptionMethodGenerator(passphrase.getChars()) - .setProvider(ProviderFactory.provider) - - override fun getPGPDataEncryptorBuilder(symmetricKeyAlgorithm: Int): PGPDataEncryptorBuilder = - JcePGPDataEncryptorBuilder(symmetricKeyAlgorithm).setProvider(ProviderFactory.provider) - - override fun getPGPKeyPair( - publicKeyAlgorithm: PublicKeyAlgorithm, - keyPair: KeyPair, - creationDate: Date - ): PGPKeyPair = JcaPGPKeyPair(publicKeyAlgorithm.algorithmId, keyPair, creationDate) - - override fun getPGPObjectFactory(inputStream: InputStream): PGPObjectFactory = - PGPObjectFactory(inputStream, keyFingerprintCalculator) -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/collection/PGPKeyRingCollection.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/collection/PGPKeyRingCollection.kt index f69d4a08..ce3a2ddd 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/collection/PGPKeyRingCollection.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/collection/PGPKeyRingCollection.kt @@ -6,7 +6,7 @@ package org.pgpainless.key.collection import java.io.InputStream import org.bouncycastle.openpgp.* -import org.pgpainless.implementation.ImplementationFactory +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.util.ArmorUtils /** @@ -55,8 +55,8 @@ class PGPKeyRingCollection( val certificates = mutableListOf() // Double getDecoderStream because of #96 val objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory(ArmorUtils.getDecoderStream(inputStream)) + OpenPGPImplementation.getInstance() + .pgpObjectFactory(ArmorUtils.getDecoderStream(inputStream)) for (obj in objectFactory) { if (obj == null) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 86c4cbb9..2eb86dcc 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -6,20 +6,19 @@ package org.pgpainless.key.generation import java.io.IOException import java.util.* +import org.bouncycastle.bcpg.HashAlgorithmTags import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder -import org.bouncycastle.openpgp.operator.PGPDigestCalculator import org.bouncycastle.util.Strings import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.unlock -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SelfSignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpackets @@ -84,15 +83,20 @@ class KeyRingBuilder( private fun keyIsCertificationCapable(keySpec: KeySpec) = keySpec.keyType.canCertify override fun build(): OpenPGPKey { - val keyFingerprintCalculator = ImplementationFactory.getInstance().v4FingerprintCalculator - val secretKeyEncryptor = buildSecretKeyEncryptor(keyFingerprintCalculator) - val secretKeyDecryptor = buildSecretKeyDecryptor() - - passphrase.clear() // Passphrase was used above, so we can get rid of it + val keyFingerprintCalculator = + OpenPGPImplementation.getInstance() + .pgpDigestCalculatorProvider() + .get(HashAlgorithmTags.SHA1) // generate primary key requireNotNull(primaryKeySpec) { "Primary Key spec required." } val certKey = generateKeyPair(primaryKeySpec!!, version) + + val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey, false) + val secretKeyDecryptor = buildSecretKeyDecryptor() + + passphrase.clear() // Passphrase was used above, so we can get rid of it + val signer = buildContentSigner(certKey) val signatureGenerator = PGPSignatureGenerator(signer, certKey.publicKey) @@ -220,29 +224,30 @@ class KeyRingBuilder( private fun buildContentSigner(certKey: PGPKeyPair): PGPContentSignerBuilder { val hashAlgorithm = PGPainless.getPolicy().certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm - return ImplementationFactory.getInstance() - .getPGPContentSignerBuilder(certKey.publicKey.algorithm, hashAlgorithm.algorithmId) + return OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder(certKey.publicKey.algorithm, hashAlgorithm.algorithmId) } private fun buildSecretKeyEncryptor( - keyFingerprintCalculator: PGPDigestCalculator + publicKey: PGPPublicKey, + aead: Boolean ): PBESecretKeyEncryptor? { - val keyEncryptionAlgorithm = - PGPainless.getPolicy() - .symmetricKeyEncryptionAlgorithmPolicy - .defaultSymmetricKeyAlgorithm check(passphrase.isValid) { "Passphrase was cleared." } return if (passphrase.isEmpty) null else - ImplementationFactory.getInstance() - .getPBESecretKeyEncryptor( - keyEncryptionAlgorithm, keyFingerprintCalculator, passphrase) + OpenPGPImplementation.getInstance() + .pbeSecretKeyEncryptorFactory(aead) + .build(passphrase.getChars(), publicKey.publicKeyPacket) } private fun buildSecretKeyDecryptor(): PBESecretKeyDecryptor? { check(passphrase.isValid) { "Passphrase was cleared." } return if (passphrase.isEmpty) null - else ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase) + else + OpenPGPImplementation.getInstance() + .pbeSecretKeyDecryptorBuilderProvider() + .provide() + .build(passphrase.getChars()) } companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 659db88c..197a2f68 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -9,10 +9,12 @@ import java.util.function.Predicate import javax.annotation.Nonnull import kotlin.NoSuchElementException import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.HashAlgorithmTags import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPSubkey +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.bouncycastle.openpgp.api.OpenPGPSignature @@ -27,7 +29,6 @@ import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator import org.pgpainless.bouncycastle.extensions.getKeyExpirationDate import org.pgpainless.bouncycastle.extensions.publicKeyAlgorithm import org.pgpainless.bouncycastle.extensions.requirePublicKey -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.generation.KeyRingBuilder import org.pgpainless.key.generation.KeySpec @@ -302,9 +303,11 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date PGPSecretKey( subkey.privateKey, subkey.publicKey, - ImplementationFactory.getInstance().v4FingerprintCalculator, + OpenPGPImplementation.getInstance() + .pgpDigestCalculatorProvider() + .get(HashAlgorithmTags.SHA1), false, - subkeyProtector.getEncryptor(subkey.keyID)) + subkeyProtector.getEncryptor(subkey.publicKey)) val componentKey = OpenPGPSecretKey( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt index 6f6bde61..7fddc903 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt @@ -9,9 +9,9 @@ import java.io.InputStream import java.nio.charset.Charset import kotlin.jvm.Throws import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.collection.PGPKeyRingCollection import org.pgpainless.util.ArmorUtils @@ -130,8 +130,8 @@ class KeyRingReader { maxIterations: Int = MAX_ITERATIONS ): PGPKeyRing? { val objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory(ArmorUtils.getDecoderStream(inputStream)) + OpenPGPImplementation.getInstance() + .pgpObjectFactory(ArmorUtils.getDecoderStream(inputStream)) try { for ((i, next) in objectFactory.withIndex()) { @@ -172,8 +172,8 @@ class KeyRingReader { maxIterations: Int = MAX_ITERATIONS ): PGPPublicKeyRing? { val objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory(ArmorUtils.getDecoderStream(inputStream)) + OpenPGPImplementation.getInstance() + .pgpObjectFactory(ArmorUtils.getDecoderStream(inputStream)) try { for ((i, next) in objectFactory.withIndex()) { @@ -213,8 +213,8 @@ class KeyRingReader { maxIterations: Int = MAX_ITERATIONS ): PGPPublicKeyRingCollection { val objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory(ArmorUtils.getDecoderStream(inputStream)) + OpenPGPImplementation.getInstance() + .pgpObjectFactory(ArmorUtils.getDecoderStream(inputStream)) val certificates = mutableListOf() try { for ((i, next) in objectFactory.withIndex()) { @@ -260,8 +260,7 @@ class KeyRingReader { maxIterations: Int = MAX_ITERATIONS ): PGPSecretKeyRing? { val decoderStream = ArmorUtils.getDecoderStream(inputStream) - val objectFactory = - ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream) + val objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(decoderStream) try { for ((i, next) in objectFactory.withIndex()) { @@ -300,8 +299,8 @@ class KeyRingReader { maxIterations: Int = MAX_ITERATIONS ): PGPSecretKeyRingCollection { val objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory(ArmorUtils.getDecoderStream(inputStream)) + OpenPGPImplementation.getInstance() + .pgpObjectFactory(ArmorUtils.getDecoderStream(inputStream)) val secretKeys = mutableListOf() try { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt index 35a6ebee..56e681ef 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt @@ -5,10 +5,11 @@ package org.pgpainless.key.protection import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.PGPPublicKey +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider /** @@ -34,19 +35,20 @@ open class BaseSecretKeyRingProtector( override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = passphraseProvider.getPassphraseFor(keyIdentifier)?.let { if (it.isEmpty) null - else ImplementationFactory.getInstance().getPBESecretKeyDecryptor(it) + else + OpenPGPImplementation.getInstance() + .pbeSecretKeyDecryptorBuilderProvider() + .provide() + .build(it.getChars()) } - override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? { - return passphraseProvider.getPassphraseFor(keyIdentifier)?.let { + override fun getEncryptor(key: PGPPublicKey): PBESecretKeyEncryptor? { + return passphraseProvider.getPassphraseFor(key.keyIdentifier)?.let { if (it.isEmpty) null else - ImplementationFactory.getInstance() - .getPBESecretKeyEncryptor( - protectionSettings.encryptionAlgorithm, - protectionSettings.hashAlgorithm, - protectionSettings.s2kCount, - it) + OpenPGPImplementation.getInstance() + .pbeSecretKeyEncryptorFactory(false) + .build(it.getChars(), key.publicKeyPacket) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt index 75ba146c..32bd4732 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt @@ -184,8 +184,8 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = protector.getDecryptor(keyIdentifier) - override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? = - protector.getEncryptor(keyIdentifier) + override fun getEncryptor(key: PGPPublicKey): PBESecretKeyEncryptor? = + protector.getEncryptor(key) override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? = getPassphraseFor(p0.keyIdentifier)?.getChars() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt index ccab4c27..9fe2ea8f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt @@ -7,9 +7,11 @@ package org.pgpainless.key.protection import kotlin.Throws import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPException +import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.KeyPassphraseProvider +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider @@ -32,8 +34,15 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { * @param keyId key id * @return true if it has a passphrase, false otherwise */ + @Deprecated("Pass in a KeyIdentifier instead.") fun hasPassphraseFor(keyId: Long): Boolean = hasPassphraseFor(KeyIdentifier(keyId)) + /** + * Returns true, if the protector has a passphrase for the key with the given [keyIdentifier]. + * + * @param keyIdentifier key identifier + * @return true if it has a passphrase, false otherwise + */ fun hasPassphraseFor(keyIdentifier: KeyIdentifier): Boolean /** @@ -43,24 +52,37 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { * @param keyId id of the key * @return decryptor for the key */ + @Deprecated("Pass in a KeyIdentifier instead.") @Throws(PGPException::class) fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = getDecryptor(KeyIdentifier(keyId)) + /** + * Return a decryptor for the key with the given [keyIdentifier]. This method returns null if + * the key is unprotected. + * + * @param keyIdentifier identifier of the key + * @return decryptor for the key + */ @Throws(PGPException::class) fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? /** - * Return an encryptor for the key of id `keyId`. This method returns null if the key is - * unprotected. + * Return an encryptor for the given key. * - * @param keyId id of the key - * @return encryptor for the key + * @param key component key + * @return encryptor or null if the key shall not be encrypted */ @Throws(PGPException::class) - fun getEncryptor(keyId: Long): PBESecretKeyEncryptor? = getEncryptor(KeyIdentifier(keyId)) + fun getEncryptor(key: OpenPGPComponentKey): PBESecretKeyEncryptor? = + getEncryptor(key.pgpPublicKey) - @Throws(PGPException::class) - fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? + /** + * Return an encryptor for the given key. + * + * @param key component key + * @return encryptor or null if the key shall not be encrypted + */ + @Throws(PGPException::class) fun getEncryptor(key: PGPPublicKey): PBESecretKeyEncryptor? companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt index 8d81973d..993f97af 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnprotectedKeysProtector.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.protection import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor @@ -17,7 +18,7 @@ class UnprotectedKeysProtector : SecretKeyRingProtector { override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = null - override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? = null + override fun getEncryptor(key: PGPPublicKey): PBESecretKeyEncryptor? = null override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey?): CharArray? = null } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt index a1a9f6c2..3e843e60 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt @@ -4,14 +4,15 @@ package org.pgpainless.key.protection.fixes +import org.bouncycastle.bcpg.HashAlgorithmTags import org.bouncycastle.bcpg.SecretKeyPacket import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing -import org.pgpainless.algorithm.HashAlgorithm +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.exception.WrongPassphraseException -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.protection.SecretKeyRingProtector +import org.pgpainless.key.protection.fixes.S2KUsageFix.Companion.replaceUsageChecksumWithUsageSha1 /** * Repair class to fix keys which use S2K usage of value [SecretKeyPacket.USAGE_CHECKSUM]. The @@ -48,7 +49,9 @@ class S2KUsageFix { skipKeysWithMissingPassphrase: Boolean = false ): PGPSecretKeyRing { val digestCalculator = - ImplementationFactory.getInstance().getPGPDigestCalculator(HashAlgorithm.SHA1) + OpenPGPImplementation.getInstance() + .pgpDigestCalculatorProvider() + .get(HashAlgorithmTags.SHA1) val keyList = mutableListOf() for (key in keys) { // CHECKSUM is not recommended @@ -58,7 +61,7 @@ class S2KUsageFix { } val keyId = key.keyID - val encryptor = protector.getEncryptor(keyId) + val encryptor = protector.getEncryptor(key.publicKey) if (encryptor == null) { if (skipKeysWithMissingPassphrase) { keyList.add(key) @@ -76,7 +79,7 @@ class S2KUsageFix { key.publicKey, digestCalculator, key.isMasterKey, - protector.getEncryptor(keyId)) + protector.getEncryptor(key.publicKey)) keyList.add(fixedKey) } return PGPSecretKeyRing(keyList) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt index 02624fd1..5e789d3d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt @@ -11,11 +11,11 @@ import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.S2K import org.bouncycastle.bcpg.SecretKeyPacket import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.Strings import org.pgpainless.bouncycastle.extensions.certificate import org.pgpainless.bouncycastle.extensions.requireSecretKey import org.pgpainless.exception.MissingPassphraseException -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.protection.fixes.S2KUsageFix import org.slf4j.Logger @@ -436,7 +436,7 @@ class KeyRingUtils { } secretKeys.extraPublicKeys.forEach { it.encode(out) } return PGPSecretKeyRing( - out.toByteArray(), ImplementationFactory.getInstance().keyFingerprintCalculator) + out.toByteArray(), OpenPGPImplementation.getInstance().keyFingerPrintCalculator()) } /** @@ -450,7 +450,7 @@ class KeyRingUtils { fun getStrippedDownPublicKey(bloatedKey: PGPPublicKey): PGPPublicKey { return PGPPublicKey( bloatedKey.publicKeyPacket, - ImplementationFactory.getInstance().keyFingerprintCalculator) + OpenPGPImplementation.getInstance().keyFingerPrintCalculator()) } @JvmStatic @@ -510,7 +510,7 @@ class KeyRingUtils { return PGPSecretKey.copyWithNewPassword( secretKey, oldProtector.getDecryptor(secretKey.keyID), - newProtector.getEncryptor(secretKey.keyID)) + newProtector.getEncryptor(secretKey.publicKey)) } @JvmStatic diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt index a1e79bf3..fa91b1aa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt @@ -10,15 +10,12 @@ import java.math.BigInteger import java.security.SecureRandom import org.bouncycastle.bcpg.* import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.Arrays import org.bouncycastle.util.io.Streams -import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.algorithm.PublicKeyAlgorithm.Companion.requireFromId import org.pgpainless.algorithm.SignatureType -import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.bouncycastle.extensions.publicKeyAlgorithm import org.pgpainless.exception.KeyIntegrityException -import org.pgpainless.implementation.ImplementationFactory.Companion.getInstance /** * Utility class to verify keys against Key Overwriting (KO) attacks. This class of attacks is only @@ -224,9 +221,9 @@ class PublicKeyParameterValidationUtil { val data = ByteArray(512).also { SecureRandom().nextBytes(it) } val signatureGenerator = PGPSignatureGenerator( - getInstance() - .getPGPContentSignerBuilder( - requireFromId(publicKey.algorithm), HashAlgorithm.SHA256)) + OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder(publicKey.algorithm, HashAlgorithmTags.SHA256), + publicKey) return try { signatureGenerator .apply { @@ -235,7 +232,9 @@ class PublicKeyParameterValidationUtil { } .generate() .apply { - init(getInstance().pgpContentVerifierBuilderProvider, publicKey) + init( + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), + publicKey) update(data) } .verify() @@ -257,9 +256,12 @@ class PublicKeyParameterValidationUtil { val data = ByteArray(1024).also { SecureRandom().nextBytes(it) } val encryptedDataGenerator = PGPEncryptedDataGenerator( - getInstance().getPGPDataEncryptorBuilder(SymmetricKeyAlgorithm.AES_256)) + OpenPGPImplementation.getInstance() + .pgpDataEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256)) .apply { - addMethod(getInstance().getPublicKeyKeyEncryptionMethodGenerator(publicKey)) + addMethod( + OpenPGPImplementation.getInstance() + .publicKeyKeyEncryptionMethodGenerator(publicKey)) } var out = ByteArrayOutputStream() @@ -268,7 +270,8 @@ class PublicKeyParameterValidationUtil { outputStream.write(data) encryptedDataGenerator.close() val encryptedDataList = PGPEncryptedDataList(out.toByteArray()) - val decryptorFactory = getInstance().getPublicKeyDataDecryptorFactory(privateKey) + val decryptorFactory = + OpenPGPImplementation.getInstance().publicKeyDataDecryptorFactory(privateKey) val encryptedData = encryptedDataList.encryptedDataObjects.next() as PGPPublicKeyEncryptedData val decrypted = encryptedData.getDataStream(decryptorFactory) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt index 770dfc56..e4136cc0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt @@ -10,10 +10,10 @@ import java.util.* import openpgp.plusSeconds import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.encoders.Hex import org.bouncycastle.util.io.Streams import org.pgpainless.bouncycastle.extensions.* -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.util.RevocationAttributes.Reason import org.pgpainless.util.ArmorUtils @@ -153,7 +153,7 @@ class SignatureUtils { fun readSignatures(inputStream: InputStream, maxIterations: Int): List { val signatures = mutableListOf() val pgpIn = ArmorUtils.getDecoderStream(inputStream) - val objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(pgpIn) + val objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(pgpIn) var i = 0 var nextObject: Any? = null diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt index bdc1895f..a7b95f76 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt @@ -10,12 +10,12 @@ import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPSignatureGenerator import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SignatureType import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.protection.UnlockSecretKey import org.pgpainless.key.util.OpenPgpKeyAttributeUtil @@ -110,9 +110,10 @@ abstract class AbstractSignatureBuilder>( @Throws(PGPException::class) protected fun buildAndInitSignatureGenerator(): PGPSignatureGenerator = PGPSignatureGenerator( - ImplementationFactory.getInstance() - .getPGPContentSignerBuilder( - signingKey.publicKey.pgpPublicKey.algorithm, hashAlgorithm.algorithmId)) + OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder( + signingKey.keyPair.publicKey.algorithm, hashAlgorithm.algorithmId), + signingKey.keyPair.publicKey) .apply { setUnhashedSubpackets(SignatureSubpacketsHelper.toVector(_unhashedSubpackets)) setHashedSubpackets(SignatureSubpacketsHelper.toVector(_hashedSubpackets)) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt index 7cc384e1..046aa714 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt @@ -12,17 +12,16 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.SignatureSubpacket import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.fingerprint -import org.pgpainless.bouncycastle.extensions.isHardRevocation import org.pgpainless.bouncycastle.extensions.isOfType import org.pgpainless.bouncycastle.extensions.publicKeyAlgorithm import org.pgpainless.bouncycastle.extensions.signatureExpirationDate import org.pgpainless.bouncycastle.extensions.signatureHashAlgorithm import org.pgpainless.exception.SignatureValidationException -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil @@ -486,7 +485,7 @@ abstract class SignatureValidator { } try { signature.init( - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider, + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), primaryKey) if (!signature.verifyCertification(primaryKey, subkey)) { throw SignatureValidationException("Signature is not correct.") @@ -521,7 +520,7 @@ abstract class SignatureValidator { } try { signature.init( - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider, + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), subkey) if (!signature.verifyCertification(primaryKey, subkey)) { throw SignatureValidationException( @@ -554,7 +553,7 @@ abstract class SignatureValidator { override fun verify(signature: PGPSignature) { try { signature.init( - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider, + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), signingKey) val valid = if (signingKey.keyID == signedKey.keyID || @@ -625,7 +624,7 @@ abstract class SignatureValidator { override fun verify(signature: PGPSignature) { try { signature.init( - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider, + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), certifyingKey) if (!signature.verifyCertification(userId.toString(), certifiedKey)) { throw SignatureValidationException( @@ -660,7 +659,7 @@ abstract class SignatureValidator { override fun verify(signature: PGPSignature) { try { signature.init( - ImplementationFactory.getInstance().pgpContentVerifierBuilderProvider, + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), certifyingKey) if (!signature.verifyCertification(userAttributes, certifiedKey)) { throw SignatureValidationException( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt index d51b2379..1ac204cf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt @@ -12,9 +12,9 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.algorithm.SignatureType import org.pgpainless.exception.SignatureValidationException -import org.pgpainless.implementation.ImplementationFactory.Companion.getInstance import org.pgpainless.policy.Policy import org.pgpainless.signature.consumer.SignatureValidator.Companion.correctSignatureOverKey import org.pgpainless.signature.consumer.SignatureValidator.Companion.correctSignatureOverUserAttributes @@ -479,7 +479,7 @@ class SignatureVerifier { ) { try { signature.init( - getInstance().pgpContentVerifierBuilderProvider, + OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), signingKey, ) var read: Int diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java index 28488fac..7ce8f393 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java @@ -14,6 +14,7 @@ import java.nio.charset.StandardCharsets; import java.util.Date; import org.bouncycastle.bcpg.ArmoredOutputStream; +import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags; import org.bouncycastle.openpgp.PGPEncryptedDataGenerator; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPLiteralDataGenerator; @@ -21,6 +22,7 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder; import org.bouncycastle.util.io.Streams; @@ -29,11 +31,9 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.exception.MalformedOpenPgpMessageException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.Passphrase; @@ -130,7 +130,7 @@ public class InvestigateMultiSEIPMessageHandlingTest { ByteArrayOutputStream out = new ByteArrayOutputStream(); ArmoredOutputStream armorOut = new ArmoredOutputStream(out); - PGPDataEncryptorBuilder cryptBuilder = ImplementationFactory.getInstance().getPGPDataEncryptorBuilder(SymmetricKeyAlgorithm.AES_256); + PGPDataEncryptorBuilder cryptBuilder = OpenPGPImplementation.getInstance().pgpDataEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256); cryptBuilder.setWithIntegrityPacket(true); encryptAndSign(cryptKey1, signKey1, armorOut, data1.getBytes(StandardCharsets.UTF_8)); @@ -145,15 +145,16 @@ public class InvestigateMultiSEIPMessageHandlingTest { private void encryptAndSign(PGPPublicKey cryptKey, PGPSecretKey signKey, ArmoredOutputStream armorOut, byte[] data) throws IOException, PGPException { - PGPDataEncryptorBuilder cryptBuilder = ImplementationFactory.getInstance().getPGPDataEncryptorBuilder(SymmetricKeyAlgorithm.AES_256); + PGPDataEncryptorBuilder cryptBuilder = OpenPGPImplementation.getInstance().pgpDataEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256); cryptBuilder.setWithIntegrityPacket(true); PGPEncryptedDataGenerator cryptGen = new PGPEncryptedDataGenerator(cryptBuilder); - cryptGen.addMethod(ImplementationFactory.getInstance().getPublicKeyKeyEncryptionMethodGenerator(cryptKey)); + cryptGen.addMethod(OpenPGPImplementation.getInstance().publicKeyKeyEncryptionMethodGenerator(cryptKey)); OutputStream cryptStream = cryptGen.open(armorOut, new byte[512]); - PGPSignatureGenerator sigGen = new PGPSignatureGenerator(ImplementationFactory.getInstance() - .getPGPContentSignerBuilder(signKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); + PGPSignatureGenerator sigGen = new PGPSignatureGenerator(OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder(signKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()), + signKey.getPublicKey()); sigGen.init(SignatureType.BINARY_DOCUMENT.getCode(), UnlockSecretKey .unlockSecretKey(signKey, (Passphrase) null)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java index 6de4dc72..833de609 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java @@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPV3SignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; @@ -16,7 +17,6 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -48,7 +48,7 @@ class VerifyVersion3SignaturePacketTest { } private static PGPSignature generateV3Signature() throws IOException, PGPException { - PGPContentSignerBuilder builder = ImplementationFactory.getInstance().getPGPContentSignerBuilder(PublicKeyAlgorithm.ECDSA, HashAlgorithm.SHA512); + PGPContentSignerBuilder builder = OpenPGPImplementation.getInstance().pgpContentSignerBuilder(PublicKeyAlgorithm.ECDSA.getAlgorithmId(), HashAlgorithm.SHA512.getAlgorithmId()); PGPV3SignatureGenerator signatureGenerator = new PGPV3SignatureGenerator(builder); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java index 52dac288..90a3e2a4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java @@ -12,10 +12,10 @@ import java.io.IOException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.TestAllImplementations; public class ImportExportKeyTest { @@ -29,7 +29,7 @@ public class ImportExportKeyTest { public void testExportImportPublicKeyRing() throws IOException { PGPPublicKeyRing publicKeys = TestKeys.getJulietPublicKeyRing(); - KeyFingerPrintCalculator calc = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); + KeyFingerPrintCalculator calc = OpenPGPImplementation.getInstance().keyFingerPrintCalculator(); byte[] bytes = publicKeys.getEncoded(); PGPPublicKeyRing parsed = new PGPPublicKeyRing(bytes, calc); assertArrayEquals(publicKeys.getEncoded(), parsed.getEncoded()); @@ -40,7 +40,7 @@ public class ImportExportKeyTest { public void testExportImportSecretKeyRing() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getRomeoSecretKeyRing(); - KeyFingerPrintCalculator calc = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); + KeyFingerPrintCalculator calc = OpenPGPImplementation.getInstance().keyFingerPrintCalculator(); byte[] bytes = secretKeys.getEncoded(); PGPSecretKeyRing parsed = new PGPSecretKeyRing(bytes, calc); assertArrayEquals(secretKeys.getEncoded(), parsed.getEncoded()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java index a272b12b..97637c99 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java @@ -20,11 +20,11 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.util.Strings; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.Passphrase; @@ -121,9 +121,10 @@ public class WeirdKeys { assertThrows(IllegalArgumentException.class, () -> Strings.fromUTF8ByteArray(idBytes)); PGPSignatureGenerator sigGen = new PGPSignatureGenerator( - ImplementationFactory.getInstance().getPGPContentSignerBuilder( + OpenPGPImplementation.getInstance().pgpContentSignerBuilder( pubKey.getAlgorithm(), - HashAlgorithmTags.SHA512)); + HashAlgorithmTags.SHA512), + pubKey); sigGen.init(SignatureType.GENERIC_CERTIFICATION.getCode(), privKey); // We have to manually generate the signature over the user-ID diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index a479093d..516c2bea 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -6,7 +6,6 @@ package org.pgpainless.key.generation; import org.bouncycastle.bcpg.SignatureSubpacketTags; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.api.SignatureParameters; @@ -16,6 +15,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.key.generation.type.rsa.RsaLength; import java.io.IOException; @@ -27,10 +27,25 @@ public class GenerateV6KeyTest { @Test public void generateModernV6Key() { - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing(OpenPGPKeyVersion.v6) - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - assertEquals(6, secretKey.getPublicKey().getVersion()); + OpenPGPKey key = PGPainless.generateKeyRing(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + assertEquals(3, key.getKeys().size()); + + OpenPGPCertificate.OpenPGPPrimaryKey primaryKey = key.getPrimaryKey(); + assertEquals(primaryKey, key.getCertificationKeys().get(0)); + assertEquals(6, primaryKey.getVersion()); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), + primaryKey.getAlgorithm()); + + OpenPGPCertificate.OpenPGPComponentKey signingKey = key.getSigningKeys().get(0); + assertEquals(6, signingKey.getVersion()); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), + signingKey.getAlgorithm()); + + OpenPGPCertificate.OpenPGPComponentKey encryptionKey = key.getEncryptionKeys().get(0); + assertEquals(6, encryptionKey.getVersion()); + assertEquals(PublicKeyAlgorithm.X25519.getAlgorithmId(), + encryptionKey.getAlgorithm()); } @Test @@ -53,9 +68,11 @@ public class GenerateV6KeyTest { assertEquals(1, key.getKeys().size()); OpenPGPCertificate.OpenPGPPrimaryKey primaryKey = key.getPrimaryKey(); + assertTrue(key.getCertificationKeys().isEmpty()); assertEquals(6, primaryKey.getVersion()); assertTrue(primaryKey.isPrimaryKey()); - assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), primaryKey.getPGPPublicKey().getAlgorithm()); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), + primaryKey.getAlgorithm()); assertEquals(primaryKey, key.getSigningKeys().get(0)); assertTrue(key.getEncryptionKeys().isEmpty()); @@ -76,7 +93,8 @@ public class GenerateV6KeyTest { assertTrue(key.isSecretKey()); assertEquals(3, key.getKeys().size()); OpenPGPCertificate.OpenPGPPrimaryKey primaryKey = key.getPrimaryKey(); - assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), primaryKey.getPGPPublicKey().getAlgorithm()); + assertEquals(primaryKey, key.getCertificationKeys().get(0)); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), primaryKey.getAlgorithm()); assertEquals(6, primaryKey.getVersion()); assertTrue(primaryKey.isPrimaryKey()); assertEquals(primaryKey, key.getKeys().get(0)); @@ -84,13 +102,13 @@ public class GenerateV6KeyTest { OpenPGPCertificate.OpenPGPComponentKey signingKey = key.getKeys().get(1); assertTrue(key.getSigningKeys().contains(signingKey)); assertEquals(6, signingKey.getVersion()); - assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), signingKey.getPGPPublicKey().getAlgorithm()); + assertEquals(PublicKeyAlgorithm.ED25519.getAlgorithmId(), signingKey.getAlgorithm()); assertFalse(signingKey.isPrimaryKey()); OpenPGPCertificate.OpenPGPComponentKey encryptionKey = key.getKeys().get(2); assertTrue(key.getEncryptionKeys().contains(encryptionKey)); assertEquals(6, encryptionKey.getVersion()); - assertEquals(PublicKeyAlgorithm.X25519.getAlgorithmId(), encryptionKey.getPGPPublicKey().getAlgorithm()); + assertEquals(PublicKeyAlgorithm.X25519.getAlgorithmId(), encryptionKey.getAlgorithm()); assertFalse(encryptionKey.isPrimaryKey()); OpenPGPCertificate certificate = key.toCertificate(); @@ -100,4 +118,32 @@ public class GenerateV6KeyTest { System.out.println(certificate.toAsciiArmoredString()); // CHECKSTYLE:ON } + + @Test + public void buildMonolithicRSAKey() { + OpenPGPKey key = PGPainless.getInstance().generateKey(OpenPGPKeyVersion.v6) + .simpleRsaKeyRing("Alice ", RsaLength._4096); + + OpenPGPCertificate.OpenPGPPrimaryKey primaryKey = key.getPrimaryKey(); + // Primary key is used for all purposes + assertEquals(primaryKey, key.getCertificationKeys().get(0)); + assertEquals(primaryKey, key.getSigningKeys().get(0)); + assertEquals(primaryKey, key.getEncryptionKeys().get(0)); + } + + @Test + public void generateAEADProtectedModernKey() + throws IOException { + OpenPGPKey key = PGPainless.getInstance() + .generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice ", "p455w0rd"); + + String armored = key.toAsciiArmoredString(); + + OpenPGPKey parsed = PGPainless.getInstance().readKey().parseKey(armored); + + OpenPGPKey.OpenPGPSecretKey primaryKey = key.getPrimarySecretKey(); + + assertEquals(armored, parsed.toAsciiArmoredString()); + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index bfafa0a1..96f57303 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -16,6 +16,7 @@ import java.util.Iterator; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; @@ -26,7 +27,6 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; @@ -166,7 +166,12 @@ public class ChangeSecretKeyRingPassphraseTest { } else if (!passphrase.isEmpty() && secretKey.getKeyEncryptionAlgorithm() == SymmetricKeyAlgorithm.NULL.getAlgorithmId()) { throw new PGPException("Cannot unlock unprotected private key with non-empty passphrase."); } - PBESecretKeyDecryptor decryptor = passphrase.isEmpty() ? null : ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); + PBESecretKeyDecryptor decryptor = passphrase.isEmpty() ? + null : + OpenPGPImplementation.getInstance() + .pbeSecretKeyDecryptorBuilderProvider() + .provide() + .build(passphrase.getChars()); UnlockSecretKey.unlockSecretKey(secretKey, decryptor); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index 680ba46e..9bda5137 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -29,11 +29,11 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.opentest4j.TestAbortedException; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.collection.PGPKeyRingCollection; import org.pgpainless.key.util.KeyRingUtils; @@ -63,7 +63,7 @@ class KeyRingReaderTest { InputStream possiblyArmored = PGPUtil.getDecoderStream(PGPUtil.getDecoderStream(inputStream)); PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection( - possiblyArmored, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + possiblyArmored, OpenPGPImplementation.getInstance().keyFingerPrintCalculator()); assertEquals(10, collection.size()); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index d77466bf..a6f90734 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -53,7 +53,6 @@ public class CachingSecretKeyRingProtectorTest { @Test public void noCallbackReturnsNullForUnknownKeyId() throws PGPException { assertNull(protector.getDecryptor(123L)); - assertNull(protector.getEncryptor(123L)); } @Test @@ -61,7 +60,6 @@ public class CachingSecretKeyRingProtectorTest { Passphrase passphrase = Passphrase.fromPassword("HelloWorld"); protector.addPassphrase(new KeyIdentifier(123L), passphrase); assertEquals(passphrase, protector.getPassphraseFor(123L)); - assertNotNull(protector.getEncryptor(123L)); assertNotNull(protector.getDecryptor(123L)); assertNull(protector.getPassphraseFor(999L)); @@ -88,7 +86,7 @@ public class CachingSecretKeyRingProtectorTest { while (it.hasNext()) { PGPSecretKey key = it.next(); assertEquals(passphrase, protector.getPassphraseFor(key)); - assertNotNull(protector.getEncryptor(key.getKeyID())); + assertNotNull(protector.getEncryptor(key.getPublicKey())); assertNotNull(protector.getDecryptor(key.getKeyID())); } @@ -100,7 +98,7 @@ public class CachingSecretKeyRingProtectorTest { while (it.hasNext()) { PGPSecretKey key = it.next(); assertNull(protector.getPassphraseFor(key)); - assertNull(protector.getEncryptor(key.getKeyID())); + assertNull(protector.getEncryptor(key.getPublicKey())); assertNull(protector.getDecryptor(key.getKeyID())); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index 495d569e..10c02bc2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -7,6 +7,7 @@ package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; +import java.io.IOException; import java.util.Iterator; import javax.annotation.Nullable; @@ -46,14 +47,14 @@ public class PassphraseProtectedKeyTest { }); @Test - public void testReturnsNonNullDecryptorEncryptorForPassword() throws PGPException { - assertNotNull(protector.getEncryptor(TestKeys.CRYPTIE_KEY_ID)); + public void testReturnsNonNullDecryptorEncryptorForPassword() throws IOException { + assertNotNull(protector.getEncryptor(TestKeys.getCryptiePublicKeyRing().getPublicKey(TestKeys.CRYPTIE_KEY_ID))); assertNotNull(protector.getDecryptor(TestKeys.CRYPTIE_KEY_ID)); } @Test - public void testReturnsNullDecryptorEncryptorForNoPassword() throws PGPException { - assertNull(protector.getEncryptor(TestKeys.JULIET_KEY_ID)); + public void testReturnsNullDecryptorEncryptorForNoPassword() throws IOException { + assertNull(protector.getEncryptor(TestKeys.getJulietPublicKeyRing().getPublicKey(TestKeys.JULIET_KEY_ID))); assertNull(protector.getDecryptor(TestKeys.JULIET_KEY_ID)); } @@ -64,7 +65,7 @@ public class PassphraseProtectedKeyTest { SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("passphrase")); for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { PGPPublicKey subkey = it.next(); - assertNotNull(protector.getEncryptor(subkey.getKeyID())); + assertNotNull(protector.getEncryptor(subkey)); assertNotNull(protector.getDecryptor(subkey.getKeyID())); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 73258713..9abc4f4f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -62,7 +62,6 @@ public class SecretKeyRingProtectorTest { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); for (int i = 0; i < 10; i++) { Long keyId = random.nextLong(); - assertNull(protector.getEncryptor(keyId)); assertNull(protector.getDecryptor(keyId)); } } @@ -80,8 +79,8 @@ public class SecretKeyRingProtectorTest { SecretKeyRingProtector protector = SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKey); assertNotNull(protector.getDecryptor(secretKey.getKeyID())); - assertNotNull(protector.getEncryptor(secretKey.getKeyID())); - assertNull(protector.getEncryptor(subKey.getKeyID())); + assertNotNull(protector.getEncryptor(secretKey.getPublicKey())); + assertNull(protector.getEncryptor(subKey.getPublicKey())); assertNull(protector.getDecryptor(subKey.getKeyID())); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java index 4f590c8b..dcb35175 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java @@ -17,9 +17,4 @@ public class UnprotectedKeysProtectorTest { public void testKeyProtectorReturnsNullDecryptor() throws PGPException { assertNull(protector.getDecryptor(0L)); } - - @Test - public void testKeyProtectorReturnsNullEncryptor() throws PGPException { - assertNull(protector.getEncryptor(0L)); - } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index 6e6ca5aa..8e445d29 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -14,13 +14,13 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.KeyRingBuilder; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; @@ -57,9 +57,9 @@ public class KeyRingUtilTest { // create sig PGPSignatureGenerator sigGen = new PGPSignatureGenerator( - ImplementationFactory.getInstance().getPGPContentSignerBuilder( + OpenPGPImplementation.getInstance().pgpContentSignerBuilder( secretKeys.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId() - )); + ), secretKeys.getPublicKey()); sigGen.init( SignatureType.POSITIVE_CERTIFICATION.getCode(), UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys())); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 4627f781..63ecace6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -29,6 +29,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.PGPUtil; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; @@ -42,7 +43,6 @@ import org.pgpainless.encryption_signing.EncryptionOptions; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.TestAllImplementations; @@ -78,7 +78,7 @@ public class OnePassSignatureBracketingTest { ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(out.toByteArray()); InputStream inputStream = PGPUtil.getDecoderStream(ciphertextIn); - PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(inputStream); + PGPObjectFactory objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(inputStream); PGPOnePassSignatureList onePassSignatures = null; PGPSignatureList signatures = null; @@ -95,9 +95,9 @@ public class OnePassSignatureBracketingTest { PGPPublicKeyEncryptedData publicKeyEncryptedData = (PGPPublicKeyEncryptedData) encryptedData; PGPSecretKey secretKey = key1.getSecretKey(publicKeyEncryptedData.getKeyID()); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); - PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey); + PublicKeyDataDecryptorFactory decryptorFactory = OpenPGPImplementation.getInstance().publicKeyDataDecryptorFactory(privateKey); InputStream decryptionStream = publicKeyEncryptedData.getDataStream(decryptorFactory); - objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decryptionStream); + objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(decryptionStream); continue outerloop; } } @@ -107,7 +107,7 @@ public class OnePassSignatureBracketingTest { } else if (next instanceof PGPCompressedData) { PGPCompressedData compressed = (PGPCompressedData) next; InputStream decompressor = compressed.getDataStream(); - objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decompressor); + objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(decompressor); continue outerloop; } else if (next instanceof PGPLiteralData) { continue outerloop; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java index 16b241b4..f598fecc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -19,12 +19,12 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; @@ -58,8 +58,9 @@ public class SignatureOverUserAttributesTest { PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); PGPSignatureGenerator generator = new PGPSignatureGenerator( - ImplementationFactory.getInstance() - .getPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); + OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()), + secretKey.getPublicKey()); generator.init(SignatureType.CASUAL_CERTIFICATION.getCode(), privateKey); PGPSignature signature = generator.generateCertification(attribute, publicKey); @@ -78,8 +79,9 @@ public class SignatureOverUserAttributesTest { PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); PGPSignatureGenerator generator = new PGPSignatureGenerator( - ImplementationFactory.getInstance() - .getPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); + OpenPGPImplementation.getInstance() + .pgpContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()), + secretKey.getPublicKey()); generator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey); PGPSignature signature = generator.generateCertification(attribute, publicKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index 68c125c8..3fcf712e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -33,13 +33,13 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; @@ -286,7 +286,7 @@ public class SignatureSubpacketsUtilTest { private PGPSignatureGenerator getSignatureGenerator(PGPPrivateKey signingKey, SignatureType signatureType) throws PGPException { PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator( - ImplementationFactory.getInstance().getPGPContentSignerBuilder( + OpenPGPImplementation.getInstance().pgpContentSignerBuilder( signingKey.getPublicKeyPacket().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); signatureGenerator.init(signatureType.getCode(), signingKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java index f3752519..10f82f25 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java @@ -9,12 +9,12 @@ import org.bouncycastle.bcpg.sig.Exportable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.CertificationSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; @@ -70,7 +70,7 @@ public class ThirdPartyCertificationSignatureBuilderTest { assertFalse(exportable.isExportable()); // test sig correctness - signature.init(ImplementationFactory.getInstance().getPgpContentVerifierBuilderProvider(), + signature.init(OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), secretKeys.getPrimaryKey().getPGPPublicKey()); assertTrue(signature.verifyCertification("Bob", bobsPublicKeys.getPrimaryKey().getPGPPublicKey())); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java index 14eed4de..d4897a7b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java @@ -39,6 +39,7 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -49,7 +50,6 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.UnlockSecretKey; @@ -414,8 +414,9 @@ public class SignatureSubpacketsTest { Iterator secretKeyIterator = secretKeys.iterator(); PGPSecretKey primaryKey = secretKeyIterator.next(); PGPSignatureGenerator generator = new PGPSignatureGenerator( - ImplementationFactory.getInstance().getPGPContentSignerBuilder(primaryKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()) - ); + OpenPGPImplementation.getInstance().pgpContentSignerBuilder( + primaryKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()), + primaryKey.getPublicKey()); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primaryKey, (Passphrase) null); generator.init(SignatureType.DIRECT_KEY.getCode(), privateKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index d3e27085..05a955f8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -26,6 +26,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.Assertions; @@ -35,7 +36,6 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.ecc.EllipticCurve; @@ -257,9 +257,9 @@ public class ArmorUtilsTest { "-----END PGP MESSAGE-----"; InputStream inputStream = PGPUtil.getDecoderStream(new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8))); - PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(inputStream); + PGPObjectFactory factory = OpenPGPImplementation.getInstance().pgpObjectFactory(inputStream); PGPCompressedData compressed = (PGPCompressedData) factory.nextObject(); - factory = ImplementationFactory.getInstance().getPGPObjectFactory(compressed.getDataStream()); + factory = OpenPGPImplementation.getInstance().pgpObjectFactory(compressed.getDataStream()); PGPLiteralData literal = (PGPLiteralData) factory.nextObject(); ByteArrayOutputStream out = new ByteArrayOutputStream(); assertEquals("_CONSOLE", literal.getFileName()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java index 2b874b6d..c9897acf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java @@ -9,18 +9,18 @@ import java.util.Collections; import java.util.List; import java.util.stream.Stream; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.bc.BcOpenPGPImplementation; +import org.bouncycastle.openpgp.api.jcajce.JcaOpenPGPImplementation; import org.junit.jupiter.api.extension.BeforeTestExecutionCallback; import org.junit.jupiter.api.extension.Extension; import org.junit.jupiter.api.extension.ExtensionContext; import org.junit.jupiter.api.extension.TestTemplateInvocationContext; import org.junit.jupiter.api.extension.TestTemplateInvocationContextProvider; -import org.pgpainless.implementation.BcImplementationFactory; -import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.implementation.JceImplementationFactory; /** - * InvocationContextProvider that sets different {@link ImplementationFactory} implementations before running annotated - * tests. + * InvocationContextProvider that sets different {@link org.bouncycastle.openpgp.api.OpenPGPImplementation} + * before running annotated tests. * * Example test annotation: * {@code @@ -35,9 +35,9 @@ import org.pgpainless.implementation.JceImplementationFactory; */ public class TestAllImplementations implements TestTemplateInvocationContextProvider { - private static final List IMPLEMENTATIONS = Arrays.asList( - new BcImplementationFactory(), - new JceImplementationFactory() + private static final List IMPLEMENTATIONS = Arrays.asList( + new BcOpenPGPImplementation(), + new JcaOpenPGPImplementation() ); @Override @@ -49,16 +49,16 @@ public class TestAllImplementations implements TestTemplateInvocationContextProv public Stream provideTestTemplateInvocationContexts(ExtensionContext context) { return IMPLEMENTATIONS.stream() - .map(implementationFactory -> new TestTemplateInvocationContext() { + .map(implementation -> new TestTemplateInvocationContext() { @Override public String getDisplayName(int invocationIndex) { - return context.getDisplayName() + " with " + implementationFactory.getClass().getSimpleName(); + return context.getDisplayName() + " with " + implementation.getClass().getSimpleName(); } @Override public List getAdditionalExtensions() { return Collections.singletonList( - (BeforeTestExecutionCallback) ctx -> ImplementationFactory.setFactoryImplementation(implementationFactory) + (BeforeTestExecutionCallback) ctx -> OpenPGPImplementation.setInstance(implementation) ); } }); diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt index 88ca8c54..2d2ae063 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt @@ -13,11 +13,11 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPLiteralData import org.bouncycastle.openpgp.PGPOnePassSignatureList import org.bouncycastle.openpgp.PGPSignatureList +import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.io.Streams import org.pgpainless.decryption_verification.OpenPgpInputStream import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil import org.pgpainless.exception.WrongConsumingMethodException -import org.pgpainless.implementation.ImplementationFactory import org.pgpainless.util.ArmoredOutputStreamFactory import sop.ReadyWithResult import sop.Signatures @@ -72,8 +72,7 @@ class InlineDetachImpl : InlineDetach { } // handle binary OpenPGP data - var objectFactory = - ImplementationFactory.getInstance().getPGPObjectFactory(pgpIn) + var objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(pgpIn) var next: Any? while (objectFactory.nextObject().also { next = it } != null) { @@ -95,8 +94,8 @@ class InlineDetachImpl : InlineDetach { // Decompress compressed data try { objectFactory = - ImplementationFactory.getInstance() - .getPGPObjectFactory((next as PGPCompressedData).dataStream) + OpenPGPImplementation.getInstance() + .pgpObjectFactory((next as PGPCompressedData).dataStream) } catch (e: PGPException) { throw SOPGPException.BadData( "Cannot decompress PGPCompressedData", e) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt index 74e79511..ea0753c4 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt @@ -6,6 +6,7 @@ package org.pgpainless.sop import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPException +import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.OpenPGPKey @@ -82,8 +83,8 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { override fun getDecryptor(keyIdentifier: KeyIdentifier): PBESecretKeyDecryptor? = protector.getDecryptor(keyIdentifier) - override fun getEncryptor(keyIdentifier: KeyIdentifier): PBESecretKeyEncryptor? = - protector.getEncryptor(keyIdentifier) + override fun getEncryptor(key: PGPPublicKey): PBESecretKeyEncryptor? = + protector.getEncryptor(key) override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? = protector.getKeyPassword(p0) diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java index 98279e4f..acbba821 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java @@ -22,10 +22,10 @@ import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; +import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import sop.ByteArrayAndResult; import sop.SOP; @@ -153,13 +153,13 @@ public class InlineDetachTest { ByteArrayOutputStream literalDataAndSignatures = new ByteArrayOutputStream(); ArmoredInputStream armorIn = new ArmoredInputStream(new ByteArrayInputStream(inlineSigned)); - PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(armorIn); + PGPObjectFactory objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(armorIn); Object next; while ((next = objectFactory.nextObject()) != null) { if (next instanceof PGPCompressedData) { PGPCompressedData compressedData = (PGPCompressedData) next; try { - objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream()); + objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(compressedData.getDataStream()); } catch (PGPException e) { throw new SOPGPException.BadData("Cannot decompress compressed data", e); } diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java index 9dc2b6c6..d7b5a419 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java @@ -96,13 +96,13 @@ public class MatchMakingSecretKeyRingProtectorTest { MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector(); protector.addSecretKey(unprotectedKey); assertTrue(protector.hasPassphraseFor(unprotectedKey.getPublicKey().getKeyID())); - assertNull(protector.getEncryptor(unprotectedKey.getPublicKey().getKeyID())); + assertNull(protector.getEncryptor(unprotectedKey.getPublicKey())); assertNull(protector.getDecryptor(unprotectedKey.getPublicKey().getKeyID())); PGPSecretKeyRing protectedKey = PGPainless.readKeyRing().secretKeyRing(PROTECTED_KEY); protector.addSecretKey(protectedKey); protector.addPassphrase(Passphrase.fromPassword(PASSWORD)); - assertNotNull(protector.getEncryptor(protectedKey.getPublicKey().getKeyID())); + assertNotNull(protector.getEncryptor(protectedKey.getPublicKey())); assertNotNull(protector.getDecryptor(protectedKey.getPublicKey().getKeyID())); } } From 622c62536a23b9cb2849355a4133d434d6303a06 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 8 Mar 2025 10:56:55 +0100 Subject: [PATCH 074/265] Tests: Avoid usage of now deprecated functionality --- .../java/org/gnupg/GnuPGDummyKeyUtil.java | 2 +- .../pgpainless/key/OpenPgpV4Fingerprint.kt | 6 ++ .../SecretKeyPassphraseProvider.kt | 2 + .../org/bouncycastle/AsciiArmorCRCTests.java | 10 +-- .../java/org/gnupg/GnuPGDummyKeyUtilTest.java | 2 +- .../BcHashContextSignerTest.java | 22 +++---- .../EncryptDecryptTest.java | 3 +- .../key/_64DigitFingerprintTest.java | 5 +- .../pgpainless/key/info/KeyRingInfoTest.java | 65 ++++++++++--------- .../key/modification/AddSubKeyTest.java | 19 +++--- .../key/modification/AddUserIdTest.java | 6 +- .../CachingSecretKeyRingProtectorTest.java | 36 +++++----- .../MapBasedPassphraseProviderTest.java | 8 +-- .../SecretKeyRingProtectorTest.java | 34 +++++----- 14 files changed, 119 insertions(+), 101 deletions(-) diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java index 48390c59..4e7c46da 100644 --- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java +++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java @@ -54,7 +54,7 @@ public final class GnuPGDummyKeyUtil { int mode = s2K.getProtectionMode(); // TODO: Is GNU_DUMMY_S2K appropriate? if (type == S2K.GNU_DUMMY_S2K && mode == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD) { - SubkeyIdentifier hardwareBackedKey = new SubkeyIdentifier(secretKeys, secretKey.getKeyID()); + SubkeyIdentifier hardwareBackedKey = new SubkeyIdentifier(secretKeys, secretKey.getKeyIdentifier()); hardwareBackedKeys.add(hardwareBackedKey); } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt index f4bb41db..720d97f8 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpV4Fingerprint.kt @@ -10,6 +10,8 @@ import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey class OpenPgpV4Fingerprint : OpenPgpFingerprint { @@ -17,6 +19,10 @@ class OpenPgpV4Fingerprint : OpenPgpFingerprint { constructor(bytes: ByteArray) : super(bytes) + constructor(key: OpenPGPCertificate) : super(key.fingerprint) + + constructor(key: OpenPGPComponentKey) : super(key.pgpPublicKey) + constructor(key: PGPPublicKey) : super(key) constructor(key: PGPSecretKey) : super(key) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt index 268538f2..138d0632 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt @@ -31,10 +31,12 @@ interface SecretKeyPassphraseProvider { * @param keyId if of the secret key * @return passphrase or null, if no passphrase record has been found. */ + @Deprecated("Pass in a KeyIdentifier instead.") fun getPassphraseFor(keyId: Long): Passphrase? = getPassphraseFor(KeyIdentifier(keyId)) fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? + @Deprecated("Pass in a KeyIdentifier instead.") fun hasPassphrase(keyId: Long): Boolean = hasPassphrase(KeyIdentifier(keyId)) fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java index 031c3e73..495bea5b 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java @@ -15,8 +15,8 @@ import java.nio.charset.StandardCharsets; import java.util.List; import org.bouncycastle.bcpg.ArmoredInputStream; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -181,7 +181,7 @@ public class AsciiArmorCRCTests { "=AAAA\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - assertThrows(IOException.class, () -> PGPainless.readKeyRing().secretKeyRing(KEY)); + assertThrows(IOException.class, () -> PGPainless.getInstance().readKey().parseKeysOrCertificates(KEY)); } @Test @@ -229,7 +229,7 @@ public class AsciiArmorCRCTests { "=AAAA\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - assertThrows(IOException.class, () -> PGPainless.readKeyRing().publicKeyRing(CERT)); + assertThrows(IOException.class, () -> PGPainless.getInstance().readKey().parseCertificate(CERT)); } @Test @@ -364,7 +364,7 @@ public class AsciiArmorCRCTests { "xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(KEY); + OpenPGPKey key = PGPainless.getInstance().readKey().parseKey(KEY); assertNotNull(key); assertEquals(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330"), new OpenPgpV4Fingerprint(key)); } @@ -540,7 +540,7 @@ public class AsciiArmorCRCTests { "=FdCC\n" + "-----END PGP MESSAGE-----\n"; - PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(ASCII_KEY); + OpenPGPKey key = PGPainless.getInstance().readKey().parseKey(ASCII_KEY); assertThrows(IOException.class, () -> { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) diff --git a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java index 51a6c4c5..0a32aa2c 100644 --- a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java +++ b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java @@ -275,7 +275,7 @@ public class GnuPGDummyKeyUtilTest { .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any()); Set expected = new HashSet<>(); for (PGPSecretKey key : secretKeys.getPGPSecretKeyRing()) { - expected.add(new SubkeyIdentifier(secretKeys.getPGPSecretKeyRing(), key.getKeyID())); + expected.add(new SubkeyIdentifier(secretKeys.getPGPSecretKeyRing(), key.getKeyIdentifier())); } Set hardwareBackedKeys = GnuPGDummyKeyUtil diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java index 91c2d8c5..de6c9788 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java @@ -16,9 +16,9 @@ import java.security.NoSuchAlgorithmException; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -60,25 +60,23 @@ public class BcHashContextSignerTest { @Test public void signContextWithEdDSAKeys() throws PGPException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); signWithKeys(secretKeys); } @Test public void signContextWithRSAKeys() throws PGPException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072) - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072); signWithKeys(secretKeys); } @Test public void signContextWithEcKeys() throws PGPException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried"); signWithKeys(secretKeys); } - private void signWithKeys(PGPSecretKeyRing secretKeys) throws PGPException, NoSuchAlgorithmException, IOException { + private void signWithKeys(OpenPGPKey secretKeys) throws PGPException, NoSuchAlgorithmException, IOException { for (HashAlgorithm hashAlgorithm : new HashAlgorithm[] { HashAlgorithm.SHA256, HashAlgorithm.SHA384, HashAlgorithm.SHA512 }) { @@ -86,9 +84,9 @@ public class BcHashContextSignerTest { } } - private void signFromContext(PGPSecretKeyRing secretKeys, HashAlgorithm hashAlgorithm) + private void signFromContext(OpenPGPKey secretKeys, HashAlgorithm hashAlgorithm) throws PGPException, NoSuchAlgorithmException, IOException { - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + OpenPGPCertificate certificate = secretKeys.toCertificate(); byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8); ByteArrayInputStream messageIn = new ByteArrayInputStream(messageBytes); @@ -110,13 +108,13 @@ public class BcHashContextSignerTest { assertTrue(metadata.isVerifiedSigned()); } - private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPSecretKeyRing secretKeys) + private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, OpenPGPKey secretKeys) throws NoSuchAlgorithmException { // Prepare the hash context // This would be done by the caller application MessageDigest messageDigest = MessageDigest.getInstance(hashAlgorithm.getAlgorithmName(), new BouncyCastleProvider()); messageDigest.update(message); - return BcHashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, secretKeys, SecretKeyRingProtector.unprotectedKeys()); + return BcHashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, secretKeys.getPGPSecretKeyRing(), SecretKeyRingProtector.unprotectedKeys()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index dbf75f6e..71e5085e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -7,6 +7,7 @@ package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -148,7 +149,7 @@ public class EncryptDecryptTest { assertFalse(encryptionResult.getRecipients().isEmpty()); for (SubkeyIdentifier encryptionKey : encryptionResult.getRecipients()) { - assertTrue(KeyRingUtils.keyRingContainsKeyWithId(recipientPub, encryptionKey.getKeyId())); + assertNotNull(recipientPub.getPublicKey(encryptionKey.getKeyIdentifier())); } assertEquals(SymmetricKeyAlgorithm.AES_256, encryptionResult.getEncryptionAlgorithm()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java index a38fa61d..370a0157 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java @@ -8,6 +8,7 @@ import org.bouncycastle.util.encoders.Hex; import org.junit.jupiter.api.Test; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertInstanceOf; import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -19,7 +20,7 @@ public class _64DigitFingerprintTest { String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1 1EEFF0C1 DC32BA10 BAFEDCBA 01234567"; OpenPgpFingerprint parsed = OpenPgpFingerprint.parse(prettyPrint); - assertTrue(parsed instanceof _64DigitFingerprint); + assertInstanceOf(_64DigitFingerprint.class, parsed); assertEquals(prettyPrint, parsed.prettyPrint()); assertEquals(-1, parsed.getVersion()); } @@ -30,7 +31,7 @@ public class _64DigitFingerprintTest { byte[] binary = Hex.decode(hex); OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary); - assertTrue(fingerprint instanceof _64DigitFingerprint); + assertInstanceOf(_64DigitFingerprint.class, fingerprint); assertEquals(hex, fingerprint.toString()); OpenPgpV5Fingerprint v5 = new OpenPgpV5Fingerprint(binary); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 3d56dc1b..30195131 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -22,6 +22,7 @@ import java.util.List; import java.util.NoSuchElementException; import java.util.Set; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; @@ -117,8 +118,8 @@ public class KeyRingInfoTest { assertEquals(revocationDate.getTime(), rInfo.getRevocationDate().getTime(), 5); assertEquals(revocationDate.getTime(), rInfo.getLastModified().getTime(), 5); - assertFalse(pInfo.isKeyValidlyBound(1230)); - assertFalse(sInfo.isKeyValidlyBound(1230)); + assertFalse(pInfo.isKeyValidlyBound(new KeyIdentifier(1230))); + assertFalse(sInfo.isKeyValidlyBound(new KeyIdentifier(1230))); } @Test @@ -162,7 +163,9 @@ public class KeyRingInfoTest { PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), info.getSecretKey().getPGPSecretKey()); + OpenPGPKey.OpenPGPSecretKey primarySecretKey = info.getSecretKey(); + assertNotNull(primarySecretKey); + assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), primarySecretKey.getPGPSecretKey()); info = PGPainless.inspectKeyRing(publicKeys); assertNull(info.getSecretKey()); @@ -173,7 +176,7 @@ public class KeyRingInfoTest { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - assertEquals(KeyRingUtils.requirePrimaryPublicKeyFrom(secretKeys), info.getPublicKey().getPGPPublicKey()); + assertEquals(KeyRingUtils.requirePrimaryPublicKeyFrom(secretKeys), info.getPrimaryKey().getPGPPublicKey()); assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), KeyRingUtils.requireSecretKeyFrom(secretKeys, secretKeys.getPublicKey().getKeyID())); @@ -213,8 +216,8 @@ public class KeyRingInfoTest { "=gU+0\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(withDummyS2K); - assertTrue(new KeyInfo(secretKeys.getSecretKey()).hasDummyS2K()); + OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(withDummyS2K); + assertTrue(new KeyInfo(secretKeys.getPrimarySecretKey().getPGPSecretKey()).hasDummyS2K()); } @TestTemplate @@ -350,11 +353,11 @@ public class KeyRingInfoTest { "crH02GDG8CotAnEHkLTz9GPO80q8mowzBV0EtHsXb4TeAFw5T5Qd0a5I+wk=\n" + "=Vcb3\n" + "-----END PGP ARMORED FILE-----\n"; - PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); + OpenPGPCertificate certificate = PGPainless.getInstance().readKey().parseCertificate(KEY); - KeyRingInfo info = new KeyRingInfo(keys, DateUtil.parseUTCDate("2021-10-10 00:00:00 UTC")); + KeyRingInfo info = PGPainless.inspectKeyRing(certificate, DateUtil.parseUTCDate("2021-10-10 00:00:00 UTC")); // Subkey is hard revoked - assertFalse(info.isKeyValidlyBound(5364407983539305061L)); + assertFalse(info.isKeyValidlyBound(new KeyIdentifier(5364407983539305061L))); } @Test @@ -430,14 +433,14 @@ public class KeyRingInfoTest { "=7Feh\n" + "-----END PGP ARMORED FILE-----\n"; - PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); - final long subkeyId = 5364407983539305061L; + OpenPGPCertificate certificate = PGPainless.getInstance().readKey().parseCertificate(KEY); + final KeyIdentifier subkeyId = new KeyIdentifier(5364407983539305061L); - KeyRingInfo inspectDuringRevokedPeriod = new KeyRingInfo(keys, DateUtil.parseUTCDate("2019-01-02 00:00:00 UTC")); + KeyRingInfo inspectDuringRevokedPeriod = PGPainless.inspectKeyRing(certificate, DateUtil.parseUTCDate("2019-01-02 00:00:00 UTC")); assertFalse(inspectDuringRevokedPeriod.isKeyValidlyBound(subkeyId)); assertNotNull(inspectDuringRevokedPeriod.getSubkeyRevocationSignature(subkeyId)); - KeyRingInfo inspectAfterRebinding = new KeyRingInfo(keys, DateUtil.parseUTCDate("2020-01-02 00:00:00 UTC")); + KeyRingInfo inspectAfterRebinding = PGPainless.inspectKeyRing(certificate, DateUtil.parseUTCDate("2020-01-02 00:00:00 UTC")); assertTrue(inspectAfterRebinding.isKeyValidlyBound(subkeyId)); } @@ -514,11 +517,11 @@ public class KeyRingInfoTest { "=MhJL\n" + "-----END PGP ARMORED FILE-----\n"; - PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); + OpenPGPCertificate keys = PGPainless.getInstance().readKey().parseCertificate(KEY); KeyRingInfo info = PGPainless.inspectKeyRing(keys); // Primary key is hard revoked - assertFalse(info.isKeyValidlyBound(keys.getPublicKey().getKeyID())); + assertFalse(info.isKeyValidlyBound(keys.getKeyIdentifier())); assertFalse(info.isFullyEncrypted()); } @@ -531,7 +534,7 @@ public class KeyRingInfoTest { OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(secretKeys); OpenPGPKey.OpenPGPSecretKey primaryKey = info.getSecretKey(primaryKeyFingerprint); - + assertNotNull(primaryKey); assertEquals(key.getPrimarySecretKey().getKeyIdentifier(), primaryKey.getKeyIdentifier()); } @@ -597,10 +600,10 @@ public class KeyRingInfoTest { "=7gbt\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - final long pkid = 6643807985200014832L; - final long skid1 = -2328413746552029063L; - final long skid2 = -3276877650571760552L; + OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); + final KeyIdentifier pkid = new KeyIdentifier(6643807985200014832L); + final KeyIdentifier skid1 = new KeyIdentifier(-2328413746552029063L); + final KeyIdentifier skid2 = new KeyIdentifier(-3276877650571760552L); Set preferredHashAlgorithms = new LinkedHashSet<>( Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224)); Set preferredCompressionAlgorithms = new LinkedHashSet<>( @@ -612,7 +615,7 @@ public class KeyRingInfoTest { // Bob is an invalid userId assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob")); // 123 is an invalid keyid - assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L)); + assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms(new KeyIdentifier(123L))); assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms("Alice")); assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(pkid)); @@ -622,7 +625,7 @@ public class KeyRingInfoTest { // Bob is an invalid userId assertThrows(NoSuchElementException.class, () -> info.getPreferredCompressionAlgorithms("Bob")); // 123 is an invalid keyid - assertThrows(NoSuchElementException.class, () -> info.getPreferredCompressionAlgorithms(123L)); + assertThrows(NoSuchElementException.class, () -> info.getPreferredCompressionAlgorithms(new KeyIdentifier(123L))); assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms("Alice")); assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(pkid)); @@ -632,7 +635,7 @@ public class KeyRingInfoTest { // Bob is an invalid userId assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob")); // 123 is an invalid keyid - assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L)); + assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms(new KeyIdentifier(123L))); assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms("Alice")); assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(pkid)); @@ -691,11 +694,11 @@ public class KeyRingInfoTest { "=A3B8\n" + "-----END PGP PUBLIC KEY BLOCK-----\n"; - PGPPublicKeyRing certificate = PGPainless.readKeyRing().publicKeyRing(KEY); + OpenPGPCertificate certificate = PGPainless.getInstance().readKey().parseCertificate(KEY); OpenPgpV4Fingerprint unboundKey = new OpenPgpV4Fingerprint("D622C916384E0F6D364907E55D918BBD521CCD10"); KeyRingInfo info = PGPainless.inspectKeyRing(certificate); - assertFalse(info.isKeyValidlyBound(unboundKey.getKeyId())); + assertFalse(info.isKeyValidlyBound(unboundKey.getKeyIdentifier())); List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); assertTrue(encryptionSubkeys.stream() @@ -709,11 +712,11 @@ public class KeyRingInfoTest { .noneMatch(f -> f.equals(unboundKey)), "Unbound subkey MUST NOT be considered a valid signing subkey"); - assertTrue(info.getKeyFlagsOf(unboundKey.getKeyId()).isEmpty()); + assertTrue(info.getKeyFlagsOf(unboundKey.getKeyIdentifier()).isEmpty()); Date latestModification = info.getLastModified(); Date latestKeyCreation = info.getLatestKeyCreationDate(); - Date unboundKeyCreation = certificate.getPublicKey(unboundKey.getKeyId()).getCreationTime(); + Date unboundKeyCreation = certificate.getKey(unboundKey.getKeyIdentifier()).getCreationTime(); assertTrue(unboundKeyCreation.after(latestModification)); assertTrue(unboundKeyCreation.after(latestKeyCreation)); } @@ -770,7 +773,7 @@ public class KeyRingInfoTest { "=ZRAy\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); List emails = info.getEmailAddresses(); @@ -802,7 +805,7 @@ public class KeyRingInfoTest { "=nFoO\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(CERT); + OpenPGPCertificate cert = PGPainless.getInstance().readKey().parseCertificate(CERT); KeyRingInfo info = PGPainless.inspectKeyRing(cert); assertTrue(info.isUsableForEncryption()); } @@ -830,7 +833,7 @@ public class KeyRingInfoTest { "=etPP\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(CERT); + OpenPGPCertificate publicKeys = PGPainless.getInstance().readKey().parseCertificate(CERT); KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys); assertTrue(info.isUsableForEncryption(EncryptionPurpose.COMMUNICATIONS)); @@ -866,7 +869,7 @@ public class KeyRingInfoTest { "AQCjeV+3VT+u1movwIYv4XkzB6gB+B2C+DK9nvG5sXZhBg==\n" + "=uqmO\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(CERT); + OpenPGPCertificate publicKeys = PGPainless.getInstance().readKey().parseCertificate(CERT); KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys); assertFalse(info.isUsableForEncryption()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index ab58bc75..02967ad3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -13,6 +13,7 @@ import java.util.Collections; import java.util.Iterator; import java.util.List; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; @@ -40,9 +41,9 @@ public class AddSubKeyTest { throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); - List keyIdsBefore = new ArrayList<>(); + List keyIdentifiersBefore = new ArrayList<>(); for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { - keyIdsBefore.add(it.next().getKeyID()); + keyIdentifiersBefore.add(it.next().getKeyIdentifier()); } secretKeys = PGPainless.modifyKeyRing(secretKeys) @@ -52,21 +53,21 @@ public class AddSubKeyTest { PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("password123"))) .done(); - List keyIdsAfter = new ArrayList<>(); + List keyIdentifiersAfter = new ArrayList<>(); for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { - keyIdsAfter.add(it.next().getKeyID()); + keyIdentifiersAfter.add(it.next().getKeyIdentifier()); } - assertNotEquals(keyIdsAfter, keyIdsBefore); + assertNotEquals(keyIdentifiersAfter, keyIdentifiersBefore); - keyIdsAfter.removeAll(keyIdsBefore); - long subKeyId = keyIdsAfter.get(0); + keyIdentifiersAfter.removeAll(keyIdentifiersBefore); + KeyIdentifier subKeyIdentifier = keyIdentifiersAfter.get(0); - PGPSecretKey subKey = secretKeys.getSecretKey(subKeyId); + PGPSecretKey subKey = secretKeys.getSecretKey(subKeyIdentifier); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith( Passphrase.fromPassword("subKeyPassphrase"), secretKeys); UnlockSecretKey.unlockSecretKey(subKey, protector); KeyRingInfo info = new KeyRingInfo(secretKeys); - assertEquals(Collections.singletonList(KeyFlag.SIGN_DATA), info.getKeyFlagsOf(subKeyId)); + assertEquals(Collections.singletonList(KeyFlag.SIGN_DATA), info.getKeyFlagsOf(subKeyIdentifier)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 92fd7e3e..f070c9fa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -17,6 +17,7 @@ import java.util.NoSuchElementException; import openpgp.DateExtensionsKt; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -95,7 +96,8 @@ public class AddUserIdTest { "=bk4o\r\n" + "-----END PGP PRIVATE KEY BLOCK-----\r\n"; - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ARMORED_PRIVATE_KEY); + OpenPGPKey key = PGPainless.getInstance().readKey().parseKey(ARMORED_PRIVATE_KEY); + PGPSecretKeyRing secretKeys = key.getPGPSecretKeyRing(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); Iterator userIds = info.getValidUserIds().iterator(); assertEquals("", userIds.next()); @@ -119,7 +121,7 @@ public class AddUserIdTest { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice") .getPGPSecretKeyRing(); - UserId bob = UserId.newBuilder().withName("Bob").noEmail().noComment().build(); + UserId bob = UserId.builder().withName("Bob").noEmail().noComment().build(); assertNotEquals("Bob", PGPainless.inspectKeyRing(secretKeys).getPrimaryUserId()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index a6f90734..18c341da 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -51,27 +51,29 @@ public class CachingSecretKeyRingProtectorTest { } @Test - public void noCallbackReturnsNullForUnknownKeyId() throws PGPException { - assertNull(protector.getDecryptor(123L)); + public void noCallbackReturnsNullForUnknownKeyId() { + assertNull(protector.getDecryptor(new KeyIdentifier(123L))); } @Test - public void testAddPassphrase() throws PGPException { + public void testAddPassphrase() { + KeyIdentifier k123 = new KeyIdentifier(123L); Passphrase passphrase = Passphrase.fromPassword("HelloWorld"); - protector.addPassphrase(new KeyIdentifier(123L), passphrase); - assertEquals(passphrase, protector.getPassphraseFor(123L)); - assertNotNull(protector.getDecryptor(123L)); + protector.addPassphrase(k123, passphrase); + assertEquals(passphrase, protector.getPassphraseFor(k123)); + assertNotNull(protector.getDecryptor(k123)); - assertNull(protector.getPassphraseFor(999L)); + assertNull(protector.getPassphraseFor(new KeyIdentifier(999L))); } @Test public void testForgetPassphrase() { + KeyIdentifier k123 = new KeyIdentifier(123L); Passphrase passphrase = Passphrase.fromPassword("amnesiac"); - protector.addPassphrase(123L, passphrase); - assertEquals(passphrase, protector.getPassphraseFor(123L)); - protector.forgetPassphrase(123L); - assertNull(protector.getPassphraseFor(123L)); + protector.addPassphrase(k123, passphrase); + assertEquals(passphrase, protector.getPassphraseFor(k123)); + protector.forgetPassphrase(k123); + assertNull(protector.getPassphraseFor(k123)); } @Test @@ -87,11 +89,11 @@ public class CachingSecretKeyRingProtectorTest { PGPSecretKey key = it.next(); assertEquals(passphrase, protector.getPassphraseFor(key)); assertNotNull(protector.getEncryptor(key.getPublicKey())); - assertNotNull(protector.getDecryptor(key.getKeyID())); + assertNotNull(protector.getDecryptor(key.getKeyIdentifier())); } long nonMatching = findNonMatchingKeyId(keys); - assertNull(protector.getPassphraseFor(nonMatching)); + assertNull(protector.getPassphraseFor(new KeyIdentifier(nonMatching))); protector.forgetPassphrase(keys); it = keys.getSecretKeys(); @@ -99,7 +101,7 @@ public class CachingSecretKeyRingProtectorTest { PGPSecretKey key = it.next(); assertNull(protector.getPassphraseFor(key)); assertNull(protector.getEncryptor(key.getPublicKey())); - assertNull(protector.getDecryptor(key.getKeyID())); + assertNull(protector.getDecryptor(key.getKeyIdentifier())); } } @@ -123,13 +125,13 @@ public class CachingSecretKeyRingProtectorTest { CachingSecretKeyRingProtector withCallback = new CachingSecretKeyRingProtector(dummyCallback); for (int i = -5; i <= 5; i++) { - long x = i * 5; - long doubled = x * 2; + KeyIdentifier x = new KeyIdentifier(i * 5); + KeyIdentifier doubled = new KeyIdentifier(x.getKeyId() * 2); Passphrase passphrase = withCallback.getPassphraseFor(x); assertNotNull(passphrase); assertNotNull(passphrase.getChars()); - assertEquals(doubled, Long.parseLong(new String(passphrase.getChars()))); + assertEquals(doubled, new KeyIdentifier(Long.parseLong(new String(passphrase.getChars())))); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java index 9dd6ba33..6501095e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java @@ -29,10 +29,10 @@ public class MapBasedPassphraseProviderTest { passphraseMap.put(new KeyIdentifier(69696969L), Passphrase.emptyPassphrase()); MapBasedPassphraseProvider provider = new MapBasedPassphraseProvider(passphraseMap); - assertEquals(Passphrase.fromPassword("tiger"), provider.getPassphraseFor(1L)); - assertEquals(Passphrase.fromPassword("snake"), provider.getPassphraseFor(123123123L)); - assertEquals(Passphrase.emptyPassphrase(), provider.getPassphraseFor(69696969L)); - assertNull(provider.getPassphraseFor(555L)); + assertEquals(Passphrase.fromPassword("tiger"), provider.getPassphraseFor(new KeyIdentifier(1L))); + assertEquals(Passphrase.fromPassword("snake"), provider.getPassphraseFor(new KeyIdentifier((123123123L)))); + assertEquals(Passphrase.emptyPassphrase(), provider.getPassphraseFor(new KeyIdentifier(69696969L))); + assertNull(provider.getPassphraseFor(new KeyIdentifier(555L))); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); passphraseMap = new ConcurrentHashMap<>(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 9abc4f4f..d1b585a1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -41,7 +41,7 @@ public class SecretKeyRingProtectorTest { SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKeys); for (PGPSecretKey secretKey : secretKeys) { - PBESecretKeyDecryptor decryptor = protector.getDecryptor(secretKey.getKeyID()); + PBESecretKeyDecryptor decryptor = protector.getDecryptor(secretKey.getKeyIdentifier()); assertNotNull(decryptor); secretKey.extractPrivateKey(decryptor); } @@ -49,10 +49,10 @@ public class SecretKeyRingProtectorTest { "SecurePassword") .getPGPSecretKeyRing(); for (PGPSecretKey unrelatedKey : unrelatedKeys) { - PBESecretKeyDecryptor decryptor = protector.getDecryptor(unrelatedKey.getKeyID()); + PBESecretKeyDecryptor decryptor = protector.getDecryptor(unrelatedKey.getKeyIdentifier()); assertNull(decryptor); assertThrows(PGPException.class, - () -> unrelatedKey.extractPrivateKey(protector.getDecryptor(unrelatedKey.getKeyID()))); + () -> unrelatedKey.extractPrivateKey(protector.getDecryptor(unrelatedKey.getKeyIdentifier()))); } } @@ -61,8 +61,8 @@ public class SecretKeyRingProtectorTest { Random random = new Random(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); for (int i = 0; i < 10; i++) { - Long keyId = random.nextLong(); - assertNull(protector.getDecryptor(keyId)); + KeyIdentifier keyIdentifier = new KeyIdentifier(random.nextLong()); + assertNull(protector.getDecryptor(keyIdentifier)); } } @@ -78,27 +78,29 @@ public class SecretKeyRingProtectorTest { SecretKeyRingProtector protector = SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKey); - assertNotNull(protector.getDecryptor(secretKey.getKeyID())); + assertNotNull(protector.getDecryptor(secretKey.getKeyIdentifier())); assertNotNull(protector.getEncryptor(secretKey.getPublicKey())); assertNull(protector.getEncryptor(subKey.getPublicKey())); - assertNull(protector.getDecryptor(subKey.getKeyID())); + assertNull(protector.getDecryptor(subKey.getKeyIdentifier())); } @Test public void testFromPassphraseMap() { Map passphraseMap = new ConcurrentHashMap<>(); - passphraseMap.put(new KeyIdentifier(1L), Passphrase.emptyPassphrase()); + KeyIdentifier k1 = new KeyIdentifier(1L); + KeyIdentifier k5 = new KeyIdentifier(5L); + passphraseMap.put(k1, Passphrase.emptyPassphrase()); CachingSecretKeyRingProtector protector = (CachingSecretKeyRingProtector) SecretKeyRingProtector.fromPassphraseMap(passphraseMap); - assertNotNull(protector.getPassphraseFor(1L)); - assertNull(protector.getPassphraseFor(5L)); + assertNotNull(protector.getPassphraseFor(k1)); + assertNull(protector.getPassphraseFor(k5)); - protector.addPassphrase(5L, Passphrase.fromPassword("pa55w0rd")); - protector.forgetPassphrase(1L); + protector.addPassphrase(k5, Passphrase.fromPassword("pa55w0rd")); + protector.forgetPassphrase(k1); - assertNull(protector.getPassphraseFor(1L)); - assertNotNull(protector.getPassphraseFor(5L)); + assertNull(protector.getPassphraseFor(k1)); + assertNotNull(protector.getPassphraseFor(k5)); } @Test @@ -118,7 +120,7 @@ public class SecretKeyRingProtectorTest { } }); - assertEquals(Passphrase.emptyPassphrase(), protector.getPassphraseFor(1L)); - assertEquals(Passphrase.fromPassword("missingP455w0rd"), protector.getPassphraseFor(3L)); + assertEquals(Passphrase.emptyPassphrase(), protector.getPassphraseFor(new KeyIdentifier(1L))); + assertEquals(Passphrase.fromPassword("missingP455w0rd"), protector.getPassphraseFor(new KeyIdentifier(3L))); } } From f30b01c298765de70f5e5388e24a1a61594a6228 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 8 Mar 2025 11:06:02 +0100 Subject: [PATCH 075/265] Avoid deprecated API and remove unnecessary code --- .../org/pgpainless/encryption_signing/EncryptionBuilder.kt | 6 +----- .../org/pgpainless/key/certification/CertifyCertificate.kt | 3 +-- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt index 6b4713d6..43263a28 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt @@ -63,11 +63,7 @@ class EncryptionBuilder : EncryptionBuilderInterface { @JvmStatic fun negotiateCompressionAlgorithm(producerOptions: ProducerOptions): CompressionAlgorithm { - val compressionAlgorithmOverride = producerOptions.compressionAlgorithmOverride - return compressionAlgorithmOverride - ?: getPolicy().compressionAlgorithmPolicy.defaultCompressionAlgorithm() - - // TODO: Negotiation + return producerOptions.compressionAlgorithmOverride } } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index 90865d67..8febadbb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -323,8 +323,7 @@ class CertifyCertificate { } return certificationKey.getSecretKey(certificationPubKey.keyIdentifier) - ?: throw MissingSecretKeyException( - fingerprint, certificationPubKey.keyIdentifier.keyId) + ?: throw MissingSecretKeyException(fingerprint, certificationPubKey.keyIdentifier) } } } From 8c18cfc74e8e29503bcbf1bd1efa2f9467b602e0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 10 Mar 2025 11:17:20 +0100 Subject: [PATCH 076/265] Transform SignatureSubpackets class into simple wrapper around PGPSignatureSubpacketGenerator --- .../key/generation/KeyRingBuilder.kt | 4 +- .../subpackets/BaseSignatureSubpackets.kt | 3 + .../subpackets/SelfSignatureSubpackets.kt | 10 + .../subpackets/SignatureSubpackets.kt | 183 ++++++++++-------- .../subpackets/SignatureSubpacketsHelper.kt | 67 +------ 5 files changed, 121 insertions(+), 146 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 2eb86dcc..662ae331 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -107,9 +107,7 @@ class KeyRingBuilder( hashedSubPacketGenerator.setPrimaryUserId() } - val generator = PGPSignatureSubpacketGenerator() - SignatureSubpacketsHelper.applyTo(hashedSubPacketGenerator, generator) - val hashedSubPackets = generator.generate() + val hashedSubPackets = hashedSubPacketGenerator.subpacketsGenerator.generate() val ringGenerator = if (userIds.isEmpty()) { PGPKeyRingGenerator( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt index 2349ed9a..4b4c40d5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt @@ -78,10 +78,13 @@ interface BaseSignatureSubpackets { expirationTime: SignatureExpirationTime? ): BaseSignatureSubpackets + @Deprecated("Usage of subpacket is discouraged") fun setSignerUserId(userId: CharSequence): BaseSignatureSubpackets + @Deprecated("Usage of subpacket is discouraged") fun setSignerUserId(isCritical: Boolean, userId: CharSequence): BaseSignatureSubpackets + @Deprecated("Usage of subpacket is discouraged") fun setSignerUserId(signerUserID: SignerUserID?): BaseSignatureSubpackets fun addNotationData( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt index 7d160c5c..94e7b1c5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt @@ -8,6 +8,7 @@ import java.util.* import org.bouncycastle.bcpg.sig.Features import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.bcpg.sig.KeyFlags +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites import org.bouncycastle.bcpg.sig.PreferredAlgorithms import org.bouncycastle.bcpg.sig.PrimaryUserID import org.bouncycastle.bcpg.sig.RevocationKey @@ -114,18 +115,27 @@ interface SelfSignatureSubpackets : BaseSignatureSubpackets { fun setPreferredAEADCiphersuites(aeadAlgorithms: Set): SelfSignatureSubpackets + fun setPreferredAEADCiphersuites( + algorithms: PreferredAEADCiphersuites.Builder? + ): SelfSignatureSubpackets + + @Deprecated("Use of this subpacket is discouraged.") fun addRevocationKey(revocationKey: PGPPublicKey): SelfSignatureSubpackets + @Deprecated("Use of this subpacket is discouraged.") fun addRevocationKey(isCritical: Boolean, revocationKey: PGPPublicKey): SelfSignatureSubpackets + @Deprecated("Use of this subpacket is discouraged.") fun addRevocationKey( isCritical: Boolean, isSensitive: Boolean, revocationKey: PGPPublicKey ): SelfSignatureSubpackets + @Deprecated("Use of this subpacket is discouraged.") fun addRevocationKey(revocationKey: RevocationKey): SelfSignatureSubpackets + @Deprecated("Use of this subpacket is discouraged.") fun clearRevocationKeys(): SelfSignatureSubpackets fun setFeatures(vararg features: Feature): SelfSignatureSubpackets diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index 192412c9..7869ca08 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -10,16 +10,18 @@ import java.util.* import kotlin.experimental.or import openpgp.secondsTill import openpgp.toSecondsPrecision -import org.bouncycastle.bcpg.SignatureSubpacket import org.bouncycastle.bcpg.SignatureSubpacketTags import org.bouncycastle.bcpg.sig.* import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator import org.bouncycastle.openpgp.PGPSignatureSubpacketVector import org.pgpainless.algorithm.* import org.pgpainless.key.util.RevocationAttributes -class SignatureSubpackets : +class SignatureSubpackets( + val subpacketsGenerator: PGPSignatureSubpacketGenerator = PGPSignatureSubpacketGenerator() +) : BaseSignatureSubpackets, SelfSignatureSubpackets, CertificationSubpackets, @@ -27,32 +29,6 @@ class SignatureSubpackets : interface Callback : SignatureSubpacketCallback - var signatureCreationTimeSubpacket: SignatureCreationTime? = null - var signatureExpirationTimeSubpacket: SignatureExpirationTime? = null - var issuerKeyIdSubpacket: IssuerKeyID? = null - var issuerFingerprintSubpacket: IssuerFingerprint? = null - val notationDataSubpackets: List = mutableListOf() - val intendedRecipientFingerprintSubpackets: List = mutableListOf() - val revocationKeySubpackets: List = mutableListOf() - var exportableSubpacket: Exportable? = null - var signatureTargetSubpacket: SignatureTarget? = null - var featuresSubpacket: Features? = null - var keyFlagsSubpacket: KeyFlags? = null - var trustSubpacket: TrustSignature? = null - var preferredCompressionAlgorithmsSubpacket: PreferredAlgorithms? = null - var preferredSymmetricKeyAlgorithmsSubpacket: PreferredAlgorithms? = null - var preferredHashAlgorithmsSubpacket: PreferredAlgorithms? = null - var preferredAEADCiphersuites: List? = null - val embeddedSignatureSubpackets: List = mutableListOf() - var signerUserIdSubpacket: SignerUserID? = null - var keyExpirationTimeSubpacket: KeyExpirationTime? = null - var policyURISubpacket: PolicyURI? = null - var primaryUserIdSubpacket: PrimaryUserID? = null - var regularExpressionSubpacket: RegularExpression? = null - var revocableSubpacket: Revocable? = null - var revocationReasonSubpacket: RevocationReason? = null - val residualSubpackets: List = mutableListOf() - companion object { @JvmStatic @@ -78,7 +54,11 @@ class SignatureSubpackets : @JvmStatic fun createSubpacketsFrom(base: PGPSignatureSubpacketVector): SignatureSubpackets { - return SignatureSubpacketsHelper.applyFrom(base, SignatureSubpackets()) + return SignatureSubpackets(PGPSignatureSubpacketGenerator(base)).apply { + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.ISSUER_KEY_ID) + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.ISSUER_FINGERPRINT) + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.CREATION_TIME) + } } @JvmStatic @@ -88,7 +68,7 @@ class SignatureSubpackets : @JvmStatic fun createEmptySubpackets(): SignatureSubpackets { - return SignatureSubpackets() + return SignatureSubpackets(PGPSignatureSubpacketGenerator()) } /** Factory method for a [Callback] that does nothing. */ @@ -158,7 +138,11 @@ class SignatureSubpackets : } override fun setRevocationReason(reason: RevocationReason?): SignatureSubpackets = apply { - this.revocationReasonSubpacket = reason + reason?.let { + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.REVOCATION_REASON) + subpacketsGenerator.setRevocationReason( + it.isCritical, it.revocationReason, it.revocationDescription) + } } override fun setKeyFlags(vararg keyflags: KeyFlag): SignatureSubpackets = apply { @@ -175,7 +159,8 @@ class SignatureSubpackets : } override fun setKeyFlags(keyFlags: KeyFlags?): SignatureSubpackets = apply { - this.keyFlagsSubpacket = keyFlags + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.KEY_FLAGS) + keyFlags?.let { subpacketsGenerator.setKeyFlags(it.isCritical, it.flags) } } override fun setPrimaryUserId(): SignatureSubpackets = apply { setPrimaryUserId(true) } @@ -185,7 +170,10 @@ class SignatureSubpackets : } override fun setPrimaryUserId(primaryUserID: PrimaryUserID?): SignatureSubpackets = apply { - this.primaryUserIdSubpacket = primaryUserID + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.PRIMARY_USER_ID) + primaryUserID?.let { + subpacketsGenerator.setPrimaryUserID(it.isCritical, it.isPrimaryUserID) + } } override fun setKeyExpirationTime( @@ -222,7 +210,10 @@ class SignatureSubpackets : override fun setKeyExpirationTime(keyExpirationTime: KeyExpirationTime?): SignatureSubpackets = apply { - this.keyExpirationTimeSubpacket = keyExpirationTime + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.KEY_EXPIRE_TIME) + keyExpirationTime?.let { + subpacketsGenerator.setKeyExpirationTime(it.isCritical, it.time) + } } override fun setPreferredCompressionAlgorithms( @@ -251,7 +242,10 @@ class SignatureSubpackets : algorithms == null || algorithms.type == SignatureSubpacketTags.PREFERRED_COMP_ALGS) { "Invalid preferred compression algorithms type." } - this.preferredCompressionAlgorithmsSubpacket = algorithms + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.PREFERRED_COMP_ALGS) + algorithms?.let { + subpacketsGenerator.setPreferredCompressionAlgorithms(it.isCritical, it.preferences) + } } override fun setPreferredSymmetricKeyAlgorithms( @@ -280,7 +274,10 @@ class SignatureSubpackets : algorithms == null || algorithms.type == SignatureSubpacketTags.PREFERRED_SYM_ALGS) { "Invalid preferred symmetric algorithms type." } - this.preferredSymmetricKeyAlgorithmsSubpacket = algorithms + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.PREFERRED_SYM_ALGS) + algorithms?.let { + subpacketsGenerator.setPreferredSymmetricAlgorithms(it.isCritical, it.preferences) + } } override fun setPreferredHashAlgorithms(vararg algorithms: HashAlgorithm): SignatureSubpackets = @@ -310,12 +307,29 @@ class SignatureSubpackets : algorithms.type == SignatureSubpacketTags.PREFERRED_HASH_ALGS) { "Invalid preferred hash algorithms type." } - this.preferredHashAlgorithmsSubpacket = algorithms + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.PREFERRED_HASH_ALGS) + algorithms?.let { + subpacketsGenerator.setPreferredHashAlgorithms(it.isCritical, it.preferences) + } } override fun setPreferredAEADCiphersuites( aeadAlgorithms: Set - ): SignatureSubpackets = apply { this.preferredAEADCiphersuites = aeadAlgorithms.toList() } + ): SignatureSubpackets = + setPreferredAEADCiphersuites( + PreferredAEADCiphersuites.builder(false).apply { + for (algorithm in aeadAlgorithms) { + addCombination( + algorithm.ciphermode.algorithmId, algorithm.aeadAlgorithm.algorithmId) + } + }) + + override fun setPreferredAEADCiphersuites( + algorithms: PreferredAEADCiphersuites.Builder? + ): SignatureSubpackets = apply { + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.PREFERRED_AEAD_ALGORITHMS) + algorithms?.let { subpacketsGenerator.setPreferredAEADCiphersuites(algorithms) } + } override fun addRevocationKey(revocationKey: PGPPublicKey): SignatureSubpackets = apply { addRevocationKey(true, revocationKey) @@ -331,17 +345,17 @@ class SignatureSubpackets : isSensitive: Boolean, revocationKey: PGPPublicKey ): SignatureSubpackets = apply { - val clazz = 0x80.toByte() or if (isSensitive) 0x40.toByte() else 0x00.toByte() + val clazz = if (isSensitive) 0x80.toByte() or 0x40.toByte() else 0x80.toByte() addRevocationKey( RevocationKey(isCritical, clazz, revocationKey.algorithm, revocationKey.fingerprint)) } override fun addRevocationKey(revocationKey: RevocationKey): SignatureSubpackets = apply { - (this.revocationKeySubpackets as MutableList).add(revocationKey) + subpacketsGenerator.addCustomSubpacket(revocationKey) } override fun clearRevocationKeys(): SignatureSubpackets = apply { - (this.revocationKeySubpackets as MutableList).clear() + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.REVOCATION_KEY) } override fun setFeatures(vararg features: Feature): SignatureSubpackets = apply { @@ -354,7 +368,8 @@ class SignatureSubpackets : } override fun setFeatures(features: Features?): SignatureSubpackets = apply { - this.featuresSubpacket = features + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.FEATURES) + features?.let { subpacketsGenerator.setFeature(it.isCritical, it.features) } } override fun setAppropriateIssuerInfo(key: PGPPublicKey) = apply { @@ -384,23 +399,22 @@ class SignatureSubpackets : } override fun setIssuerKeyId(issuerKeyID: IssuerKeyID?): SignatureSubpackets = apply { - this.issuerKeyIdSubpacket = issuerKeyID + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.ISSUER_KEY_ID) + issuerKeyID?.let { subpacketsGenerator.setIssuerKeyID(it.isCritical, it.keyID) } } override fun setIssuerFingerprint( isCritical: Boolean, issuer: PGPPublicKey - ): SignatureSubpackets = apply { - setIssuerFingerprint(IssuerFingerprint(isCritical, issuer.version, issuer.fingerprint)) - } + ): SignatureSubpackets = apply { subpacketsGenerator.setIssuerFingerprint(isCritical, issuer) } - override fun setIssuerFingerprint(issuer: PGPPublicKey): SignatureSubpackets = apply { - setIssuerFingerprint(false, issuer) - } + override fun setIssuerFingerprint(issuer: PGPPublicKey): SignatureSubpackets = + setIssuerFingerprint(true, issuer) override fun setIssuerFingerprint(fingerprint: IssuerFingerprint?): SignatureSubpackets = apply { - this.issuerFingerprintSubpacket = fingerprint + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.ISSUER_FINGERPRINT) + fingerprint?.let { subpacketsGenerator.addCustomSubpacket(it) } } override fun setSignatureCreationTime(creationTime: Date): SignatureSubpackets = apply { @@ -416,7 +430,10 @@ class SignatureSubpackets : override fun setSignatureCreationTime( creationTime: SignatureCreationTime? - ): SignatureSubpackets = apply { this.signatureCreationTimeSubpacket = creationTime } + ): SignatureSubpackets = apply { + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.CREATION_TIME) + creationTime?.let { subpacketsGenerator.setSignatureCreationTime(it.isCritical, it.time) } + } override fun setSignatureExpirationTime( creationTime: Date, @@ -465,7 +482,12 @@ class SignatureSubpackets : override fun setSignatureExpirationTime( expirationTime: SignatureExpirationTime? - ): SignatureSubpackets = apply { this.signatureExpirationTimeSubpacket = expirationTime } + ): SignatureSubpackets = apply { + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.EXPIRE_TIME) + expirationTime?.let { + subpacketsGenerator.setSignatureExpirationTime(it.isCritical, it.time) + } + } override fun setSignerUserId(userId: CharSequence): SignatureSubpackets = apply { setSignerUserId(false, userId) @@ -477,7 +499,8 @@ class SignatureSubpackets : } override fun setSignerUserId(signerUserID: SignerUserID?): SignatureSubpackets = apply { - this.signerUserIdSubpacket = signerUserID + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.SIGNER_USER_ID) + signerUserID?.let { subpacketsGenerator.setSignerUserID(it.isCritical, it.rawID) } } override fun addNotationData( @@ -498,11 +521,15 @@ class SignatureSubpackets : } override fun addNotationData(notationData: NotationData): SignatureSubpackets = apply { - (this.notationDataSubpackets as MutableList).add(notationData) + subpacketsGenerator.addNotationData( + notationData.isCritical, + notationData.isHumanReadable, + notationData.notationName, + notationData.notationValue) } override fun clearNotationData(): SignatureSubpackets = apply { - (this.notationDataSubpackets as MutableList).clear() + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.NOTATION_DATA) } override fun addIntendedRecipientFingerprint(recipientKey: PGPPublicKey): SignatureSubpackets = @@ -514,19 +541,16 @@ class SignatureSubpackets : isCritical: Boolean, recipientKey: PGPPublicKey ): SignatureSubpackets = apply { - addIntendedRecipientFingerprint( - IntendedRecipientFingerprint( - isCritical, recipientKey.version, recipientKey.fingerprint)) + subpacketsGenerator.addIntendedRecipientFingerprint(isCritical, recipientKey) } override fun addIntendedRecipientFingerprint( intendedRecipient: IntendedRecipientFingerprint - ): SignatureSubpackets = apply { - (this.intendedRecipientFingerprintSubpackets as MutableList).add(intendedRecipient) - } + ): SignatureSubpackets = apply { subpacketsGenerator.addCustomSubpacket(intendedRecipient) } override fun clearIntendedRecipientFingerprints(): SignatureSubpackets = apply { - (this.intendedRecipientFingerprintSubpackets as MutableList).clear() + subpacketsGenerator.removePacketsOfType( + SignatureSubpacketTags.INTENDED_RECIPIENT_FINGERPRINT) } override fun setExportable(): SignatureSubpackets = apply { setExportable(true) } @@ -541,7 +565,8 @@ class SignatureSubpackets : } override fun setExportable(exportable: Exportable?): SignatureSubpackets = apply { - this.exportableSubpacket = exportable + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.EXPORTABLE) + exportable?.let { subpacketsGenerator.setExportable(it.isCritical, it.isExportable) } } override fun setPolicyUrl(policyUrl: URL): SignatureSubpackets = apply { @@ -553,7 +578,7 @@ class SignatureSubpackets : } override fun setPolicyUrl(policyUrl: PolicyURI?): SignatureSubpackets = apply { - this.policyURISubpacket = policyURISubpacket + policyUrl?.let { subpacketsGenerator.addPolicyURI(it.isCritical, it.uri) } } override fun setRegularExpression(regex: CharSequence): SignatureSubpackets = apply { @@ -568,7 +593,7 @@ class SignatureSubpackets : } override fun setRegularExpression(regex: RegularExpression?): SignatureSubpackets = apply { - this.regularExpressionSubpacket = regex + regex?.let { subpacketsGenerator.addRegularExpression(it.isCritical, it.regex) } } override fun setRevocable(): SignatureSubpackets = apply { setRevocable(true) } @@ -583,7 +608,8 @@ class SignatureSubpackets : } override fun setRevocable(revocable: Revocable?): SignatureSubpackets = apply { - this.revocableSubpacket = revocable + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.REVOCABLE) + revocable?.let { subpacketsGenerator.setRevocable(it.isCritical, it.isRevocable) } } override fun setSignatureTarget( @@ -607,7 +633,11 @@ class SignatureSubpackets : override fun setSignatureTarget(signatureTarget: SignatureTarget?): SignatureSubpackets = apply { - this.signatureTargetSubpacket = signatureTarget + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.SIGNATURE_TARGET) + signatureTarget?.let { + subpacketsGenerator.setSignatureTarget( + it.isCritical, it.publicKeyAlgorithm, it.hashAlgorithm, it.hashData) + } } override fun setTrust(depth: Int, amount: Int): SignatureSubpackets = apply { @@ -620,7 +650,8 @@ class SignatureSubpackets : } override fun setTrust(trust: TrustSignature?): SignatureSubpackets = apply { - this.trustSubpacket = trust + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.TRUST_SIG) + trust?.let { subpacketsGenerator.setTrust(it.isCritical, it.depth, it.trustAmount) } } override fun addEmbeddedSignature(signature: PGPSignature): SignatureSubpackets = apply { @@ -631,27 +662,19 @@ class SignatureSubpackets : isCritical: Boolean, signature: PGPSignature ): SignatureSubpackets = apply { - val sig = signature.encoded - val data = - if (sig.size - 1 > 256) { - ByteArray(sig.size - 3) - } else { - ByteArray(sig.size - 2) - } - System.arraycopy(sig, sig.size - data.size, data, 0, data.size) - addEmbeddedSignature(EmbeddedSignature(isCritical, false, data)) + subpacketsGenerator.addEmbeddedSignature(isCritical, signature) } override fun addEmbeddedSignature(embeddedSignature: EmbeddedSignature): SignatureSubpackets = apply { - (this.embeddedSignatureSubpackets as MutableList).add(embeddedSignature) + subpacketsGenerator.addCustomSubpacket(embeddedSignature) } override fun clearEmbeddedSignatures(): SignatureSubpackets = apply { - (this.embeddedSignatureSubpackets as MutableList).clear() + subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.EMBEDDED_SIGNATURE) } fun addResidualSubpacket( subpacket: org.bouncycastle.bcpg.SignatureSubpacket - ): SignatureSubpackets = apply { (residualSubpackets as MutableList).add(subpacket) } + ): SignatureSubpackets = apply { subpacketsGenerator.addCustomSubpacket(subpacket) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt index 8a6c16bf..ceb484d3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt @@ -5,7 +5,6 @@ package org.pgpainless.signature.subpackets import org.bouncycastle.bcpg.sig.* -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator import org.bouncycastle.openpgp.PGPSignatureSubpacketVector import org.pgpainless.algorithm.* import org.pgpainless.key.util.RevocationAttributes @@ -116,11 +115,11 @@ class SignatureSubpacketsHelper { } SignatureSubpacket.embeddedSignature -> (subpacket as EmbeddedSignature).let { - subpackets.addEmbeddedSignature(it) + subpackets.addResidualSubpacket(it) } SignatureSubpacket.intendedRecipientFingerprint -> (subpacket as IntendedRecipientFingerprint).let { - subpackets.addIntendedRecipientFingerprint(it) + subpackets.addResidualSubpacket(it) } SignatureSubpacket.policyUrl -> (subpacket as PolicyURI).let { subpackets.setPolicyUrl(it) } @@ -139,72 +138,14 @@ class SignatureSubpacketsHelper { } } - @JvmStatic - fun applyTo( - subpackets: SignatureSubpackets, - generator: PGPSignatureSubpacketGenerator - ): PGPSignatureSubpacketGenerator { - return generator.apply { - addSubpacket(subpackets.issuerKeyIdSubpacket) - addSubpacket(subpackets.issuerFingerprintSubpacket) - addSubpacket(subpackets.signatureCreationTimeSubpacket) - addSubpacket(subpackets.signatureExpirationTimeSubpacket) - addSubpacket(subpackets.exportableSubpacket) - addSubpacket(subpackets.policyURISubpacket) - addSubpacket(subpackets.regularExpressionSubpacket) - for (notation in subpackets.notationDataSubpackets) { - addSubpacket(notation) - } - for (recipient in subpackets.intendedRecipientFingerprintSubpackets) { - addSubpacket(recipient) - } - for (revocationKey in subpackets.revocationKeySubpackets) { - addSubpacket(revocationKey) - } - addSubpacket(subpackets.signatureTargetSubpacket) - addSubpacket(subpackets.featuresSubpacket) - addSubpacket(subpackets.keyFlagsSubpacket) - addSubpacket(subpackets.trustSubpacket) - addSubpacket(subpackets.preferredCompressionAlgorithmsSubpacket) - addSubpacket(subpackets.preferredSymmetricKeyAlgorithmsSubpacket) - addSubpacket(subpackets.preferredHashAlgorithmsSubpacket) - for (embedded in subpackets.embeddedSignatureSubpackets) { - addSubpacket(embedded) - } - addSubpacket(subpackets.signerUserIdSubpacket) - addSubpacket(subpackets.keyExpirationTimeSubpacket) - addSubpacket(subpackets.primaryUserIdSubpacket) - addSubpacket(subpackets.revocableSubpacket) - addSubpacket(subpackets.revocationReasonSubpacket) - for (residual in subpackets.residualSubpackets) { - addSubpacket(residual) - } - } - } - - @JvmStatic - private fun PGPSignatureSubpacketGenerator.addSubpacket( - subpacket: org.bouncycastle.bcpg.SignatureSubpacket? - ) { - if (subpacket != null) { - this.addCustomSubpacket(subpacket) - } - } - @JvmStatic fun toVector(subpackets: SignatureSubpackets): PGPSignatureSubpacketVector { - return PGPSignatureSubpacketGenerator().let { - applyTo(subpackets, it) - it.generate() - } + return subpackets.subpacketsGenerator.generate() } @JvmStatic fun toVector(subpackets: RevocationSignatureSubpackets): PGPSignatureSubpacketVector { - return PGPSignatureSubpacketGenerator().let { - applyTo(subpackets as SignatureSubpackets, it) - it.generate() - } + return (subpackets as SignatureSubpackets).subpacketsGenerator.generate() } } } From 36abac5fb33fa9b0119fe37f91d287514e48de79 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 10 Mar 2025 14:14:41 +0100 Subject: [PATCH 077/265] WIP: Migrate SecretKeyRingEditor --- .../negotiation/HashAlgorithmNegotiator.kt | 6 +- .../encryption_signing/SigningOptions.kt | 2 +- .../org/pgpainless/key/info/KeyRingInfo.kt | 98 +++++++++---------- .../secretkeyring/SecretKeyRingEditor.kt | 83 +++++++++------- .../subpackets/SelfSignatureSubpackets.kt | 4 +- .../subpackets/SignatureSubpackets.kt | 2 +- 6 files changed, 99 insertions(+), 96 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.kt index b9474247..cf398806 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.kt @@ -21,7 +21,7 @@ interface HashAlgorithmNegotiator { * @param orderedPrefs hash algorithm preferences * @return picked algorithms */ - fun negotiateHashAlgorithm(orderedPrefs: Set): HashAlgorithm + fun negotiateHashAlgorithm(orderedPrefs: Set?): HashAlgorithm companion object { @@ -62,9 +62,9 @@ interface HashAlgorithmNegotiator { ): HashAlgorithmNegotiator { return object : HashAlgorithmNegotiator { override fun negotiateHashAlgorithm( - orderedPrefs: Set + orderedPrefs: Set? ): HashAlgorithm { - return orderedPrefs.firstOrNull { hashAlgorithmPolicy.isAcceptable(it) } + return orderedPrefs?.firstOrNull { hashAlgorithmPolicy.isAcceptable(it) } ?: hashAlgorithmPolicy.defaultHashAlgorithm() } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 8b2baeef..7c008b82 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -482,7 +482,7 @@ class SigningOptions { * @return selected hash algorithm */ private fun negotiateHashAlgorithm( - preferences: Set, + preferences: Set?, policy: Policy ): HashAlgorithm { return _hashAlgorithmOverride diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index dd1e5a0c..f0c1a755 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -240,7 +240,7 @@ class KeyRingInfo( getKeyFlagsOf(keyIdentifier).contains(KeyFlag.CERTIFY_OTHER) /** [HashAlgorithm] preferences of the primary user-ID or if absent, of the primary key. */ - val preferredHashAlgorithms: Set + val preferredHashAlgorithms: Set? get() = primaryUserId?.let { getPreferredHashAlgorithms(it) } ?: getPreferredHashAlgorithms(keyIdentifier) @@ -248,19 +248,19 @@ class KeyRingInfo( /** * [SymmetricKeyAlgorithm] preferences of the primary user-ID or if absent of the primary key. */ - val preferredSymmetricKeyAlgorithms: Set + val preferredSymmetricKeyAlgorithms: Set? get() = primaryUserId?.let { getPreferredSymmetricKeyAlgorithms(it) } ?: getPreferredSymmetricKeyAlgorithms(keyIdentifier) /** [CompressionAlgorithm] preferences of the primary user-ID or if absent, the primary key. */ - val preferredCompressionAlgorithms: Set + val preferredCompressionAlgorithms: Set? get() = primaryUserId?.let { getPreferredCompressionAlgorithms(it) } ?: getPreferredCompressionAlgorithms(keyIdentifier) /** [AEADCipherMode] preferences of the primary user-id, or if absent, the primary key. */ - val preferredAEADCipherSuites: Set + val preferredAEADCipherSuites: Set? get() = primaryUserId?.let { getPreferredAEADCipherSuites(it) } ?: getPreferredAEADCipherSuites(keyIdentifier) @@ -738,12 +738,11 @@ class KeyRingInfo( * @param userId user-id * @return ordered set of preferred [HashAlgorithms][HashAlgorithm] (descending order) */ - fun getPreferredHashAlgorithms(userId: CharSequence): Set { - return keys - .getUserId(userId.toString()) - ?.getHashAlgorithmPreferences(referenceDate) + fun getPreferredHashAlgorithms(userId: CharSequence): Set? { + return (keys.getUserId(userId.toString()) + ?: throw NoSuchElementException("No user-id '$userId' found on this key.")) + .getHashAlgorithmPreferences(referenceDate) ?.toHashAlgorithms() - ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } /** @@ -752,18 +751,17 @@ class KeyRingInfo( * @param keyIdentifier identifier of a [OpenPGPComponentKey] * @return ordered set of preferred [HashAlgorithms][HashAlgorithm] (descending order) */ - fun getPreferredHashAlgorithms(keyIdentifier: KeyIdentifier): Set { - return keys - .getKey(keyIdentifier) - ?.getHashAlgorithmPreferences(referenceDate) + fun getPreferredHashAlgorithms(keyIdentifier: KeyIdentifier): Set? { + return (keys.getKey(keyIdentifier) + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.")) + .getHashAlgorithmPreferences(referenceDate) ?.toHashAlgorithms() - ?: throw NoSuchElementException( - "No subkey with key-id $keyIdentifier found on this key.") } /** [HashAlgorithm] preferences of the given key. */ @Deprecated("Pass KeyIdentifier instead.") - fun getPreferredHashAlgorithms(keyId: Long): Set { + fun getPreferredHashAlgorithms(keyId: Long): Set? { return getPreferredHashAlgorithms(KeyIdentifier(keyId)) } @@ -774,12 +772,11 @@ class KeyRingInfo( * @return ordered set of preferred [SymmetricKeyAlgorithms][SymmetricKeyAlgorithm] (descending * order) */ - fun getPreferredSymmetricKeyAlgorithms(userId: CharSequence): Set { - return keys - .getUserId(userId.toString()) - ?.getSymmetricCipherPreferences(referenceDate) + fun getPreferredSymmetricKeyAlgorithms(userId: CharSequence): Set? { + return (keys.getUserId(userId.toString()) + ?: throw NoSuchElementException("No user-id '$userId' found on this key.")) + .getSymmetricCipherPreferences(referenceDate) ?.toSymmetricKeyAlgorithms() - ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } /** @@ -792,18 +789,17 @@ class KeyRingInfo( */ fun getPreferredSymmetricKeyAlgorithms( keyIdentifier: KeyIdentifier - ): Set { - return keys - .getKey(keyIdentifier) - ?.getSymmetricCipherPreferences(referenceDate) + ): Set? { + return (keys.getKey(keyIdentifier) + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.")) + .getSymmetricCipherPreferences(referenceDate) ?.toSymmetricKeyAlgorithms() - ?: throw NoSuchElementException( - "No subkey with key-id $keyIdentifier found on this key.") } /** [SymmetricKeyAlgorithm] preferences of the given key. */ @Deprecated("Pass KeyIdentifier instead.") - fun getPreferredSymmetricKeyAlgorithms(keyId: Long): Set { + fun getPreferredSymmetricKeyAlgorithms(keyId: Long): Set? { return getPreferredSymmetricKeyAlgorithms(KeyIdentifier(keyId)) } @@ -814,12 +810,11 @@ class KeyRingInfo( * @return ordered set of preferred [CompressionAlgorithms][CompressionAlgorithm] (descending * order) */ - fun getPreferredCompressionAlgorithms(userId: CharSequence): Set { - return keys - .getUserId(userId.toString()) - ?.getCompressionAlgorithmPreferences(referenceDate) + fun getPreferredCompressionAlgorithms(userId: CharSequence): Set? { + return (keys.getUserId(userId.toString()) + ?: throw NoSuchElementException("No user-id '$userId' found on this key.")) + .getCompressionAlgorithmPreferences(referenceDate) ?.toCompressionAlgorithms() - ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } /** @@ -830,18 +825,19 @@ class KeyRingInfo( * @return ordered set of preferred [CompressionAlgorithms][CompressionAlgorithm] (descending * order) */ - fun getPreferredCompressionAlgorithms(keyIdentifier: KeyIdentifier): Set { - return keys - .getKey(keyIdentifier) - ?.getCompressionAlgorithmPreferences(referenceDate) + fun getPreferredCompressionAlgorithms( + keyIdentifier: KeyIdentifier + ): Set? { + return (keys.getKey(keyIdentifier) + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.")) + .getCompressionAlgorithmPreferences(referenceDate) ?.toCompressionAlgorithms() - ?: throw NoSuchElementException( - "No subkey with key-id $keyIdentifier found on this key.") } /** [CompressionAlgorithm] preferences of the given key. */ @Deprecated("Pass in a KeyIdentifier instead.") - fun getPreferredCompressionAlgorithms(keyId: Long): Set { + fun getPreferredCompressionAlgorithms(keyId: Long): Set? { return getPreferredCompressionAlgorithms(KeyIdentifier(keyId)) } @@ -852,12 +848,11 @@ class KeyRingInfo( * @return ordered set of [AEADCipherModes][AEADCipherMode] (descending order, including * implicitly supported AEAD modes) */ - fun getPreferredAEADCipherSuites(userId: CharSequence): Set { - return keys - .getUserId(userId.toString()) - ?.getAEADCipherSuitePreferences(referenceDate) + fun getPreferredAEADCipherSuites(userId: CharSequence): Set? { + return (keys.getUserId(userId.toString()) + ?: throw NoSuchElementException("No user-id '$userId' found on this key.")) + .getAEADCipherSuitePreferences(referenceDate) ?.toAEADCipherModes() - ?: throw NoSuchElementException("No user-id '$userId' found on this key.") } /** @@ -868,17 +863,16 @@ class KeyRingInfo( * @return ordered set of [AEADCipherModes][AEADCipherMode] (descending order, including * implicitly supported AEAD modes) */ - fun getPreferredAEADCipherSuites(keyIdentifier: KeyIdentifier): Set { - return keys - .getKey(keyIdentifier) - ?.getAEADCipherSuitePreferences(referenceDate) + fun getPreferredAEADCipherSuites(keyIdentifier: KeyIdentifier): Set? { + return (keys.getKey(keyIdentifier) + ?: throw NoSuchElementException( + "No subkey with key-id $keyIdentifier found on this key.")) + .getAEADCipherSuitePreferences(referenceDate) ?.toAEADCipherModes() - ?: throw NoSuchElementException( - "No subkey with key-id $keyIdentifier found on this key.") } @Deprecated("Pass KeyIdentifier instead.") - fun getPreferredAEADCipherSuites(keyId: Long): Set { + fun getPreferredAEADCipherSuites(keyId: Long): Set? { return getPreferredAEADCipherSuites(KeyIdentifier(keyId)) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 197a2f68..63ceae13 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -17,11 +17,12 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPSubkey import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPKeyEditor import org.bouncycastle.openpgp.api.OpenPGPSignature +import org.bouncycastle.openpgp.api.SignatureParameters import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.AlgorithmSuite -import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType @@ -59,48 +60,54 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date callback: SelfSignatureSubpackets.Callback?, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { - val sanitizedUserId = sanitizeUserId(userId).toString() - val primaryKey = secretKeyRing.secretKey - - val info = inspectKeyRing(secretKeyRing, referenceTime) + key = PGPainless.getInstance().toKey(secretKeyRing) + val info = inspectKeyRing(key, referenceTime) require(!info.isHardRevoked(userId)) { "User-ID $userId is hard revoked and cannot be re-certified." } - val ( - hashAlgorithmPreferences, - symmetricKeyAlgorithmPreferences, - compressionAlgorithmPreferences) = - try { - Triple( - info.preferredHashAlgorithms, - info.preferredSymmetricKeyAlgorithms, - info.preferredCompressionAlgorithms) - } catch (e: IllegalStateException) { // missing user-id sig - val algorithmSuite = AlgorithmSuite.defaultAlgorithmSuite - Triple( - algorithmSuite.hashAlgorithms, - algorithmSuite.symmetricKeyAlgorithms, - algorithmSuite.compressionAlgorithms) - } + val hashAlgorithmPreferences = + info.preferredHashAlgorithms ?: AlgorithmSuite.defaultHashAlgorithms + val symmetricAlgorithmPreferences = + info.preferredSymmetricKeyAlgorithms ?: AlgorithmSuite.defaultSymmetricKeyAlgorithms + val compressionAlgorithmPreferences = + info.preferredCompressionAlgorithms ?: AlgorithmSuite.defaultCompressionAlgorithms + val aeadAlgorithmPreferences = + info.preferredAEADCipherSuites ?: AlgorithmSuite.defaultAEADAlgorithmSuites - val builder = - SelfSignatureBuilder(key.primarySecretKey, protector).apply { - hashedSubpackets.setSignatureCreationTime(referenceTime) - setSignatureType(SignatureType.POSITIVE_CERTIFICATION) - } - builder.hashedSubpackets.apply { - setKeyFlags(info.getKeyFlagsOf(primaryKey.keyID)) - hashAlgorithmPreferences - hashAlgorithmPreferences?.let { setPreferredHashAlgorithms(it) } - symmetricKeyAlgorithmPreferences?.let { setPreferredSymmetricKeyAlgorithms(it) } - compressionAlgorithmPreferences?.let { setPreferredCompressionAlgorithms(it) } - setFeatures(Feature.MODIFICATION_DETECTION) - } - builder.applyCallback(callback) - secretKeyRing = - injectCertification(secretKeyRing, sanitizedUserId, builder.build(sanitizedUserId)) - key = PGPainless.getInstance().toKey(secretKeyRing) + key = + OpenPGPKeyEditor(key, protector) + .addUserId( + sanitizeUserId(userId).toString(), + object : SignatureParameters.Callback { + override fun apply(parameters: SignatureParameters): SignatureParameters { + return parameters + .setSignatureCreationTime(referenceTime) + .setHashedSubpacketsFunction { subpacketGenerator -> + val subpackets = SignatureSubpackets(subpacketGenerator) + subpackets.setAppropriateIssuerInfo(secretKeyRing.publicKey) + + subpackets.setKeyFlags(info.getKeyFlagsOf(key.keyIdentifier)) + subpackets.setPreferredHashAlgorithms(hashAlgorithmPreferences) + subpackets.setPreferredSymmetricKeyAlgorithms( + symmetricAlgorithmPreferences) + subpackets.setPreferredCompressionAlgorithms( + compressionAlgorithmPreferences) + subpackets.setPreferredAEADCiphersuites( + aeadAlgorithmPreferences) + + callback?.modifyHashedSubpackets(subpackets) + subpacketGenerator + } + .setUnhashedSubpacketsFunction { subpacketGenerator -> + callback?.modifyUnhashedSubpackets( + SignatureSubpackets(subpacketGenerator)) + subpacketGenerator + } + } + }) + .done() + secretKeyRing = key.pgpSecretKeyRing return this } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt index 94e7b1c5..f15f0071 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt @@ -113,7 +113,9 @@ interface SelfSignatureSubpackets : BaseSignatureSubpackets { fun setPreferredHashAlgorithms(algorithms: PreferredAlgorithms?): SelfSignatureSubpackets - fun setPreferredAEADCiphersuites(aeadAlgorithms: Set): SelfSignatureSubpackets + fun setPreferredAEADCiphersuites( + aeadAlgorithms: Collection + ): SelfSignatureSubpackets fun setPreferredAEADCiphersuites( algorithms: PreferredAEADCiphersuites.Builder? diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index 7869ca08..e30c6100 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -314,7 +314,7 @@ class SignatureSubpackets( } override fun setPreferredAEADCiphersuites( - aeadAlgorithms: Set + aeadAlgorithms: Collection ): SignatureSubpackets = setPreferredAEADCiphersuites( PreferredAEADCiphersuites.builder(false).apply { From 8a2b8c0ef00a71c5da3db78a5c2c57c0e95ed502 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 13 Mar 2025 15:31:44 +0100 Subject: [PATCH 078/265] Use relaxed PBE parameters --- .../org/pgpainless/key/generation/KeyRingBuilder.kt | 7 ++++++- .../key/protection/BaseSecretKeyRingProtector.kt | 5 ++++- .../key/protection/KeyRingProtectionSettings.kt | 13 ++++++++++--- .../protection/InvalidProtectionSettingsTest.java | 2 +- 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 662ae331..53bc1607 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -19,6 +19,7 @@ import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.unlock +import org.pgpainless.key.protection.KeyRingProtectionSettings import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SelfSignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpackets @@ -231,10 +232,14 @@ class KeyRingBuilder( aead: Boolean ): PBESecretKeyEncryptor? { check(passphrase.isValid) { "Passphrase was cleared." } + val protectionSettings = KeyRingProtectionSettings.secureDefaultSettings() return if (passphrase.isEmpty) null else OpenPGPImplementation.getInstance() - .pbeSecretKeyEncryptorFactory(aead) + .pbeSecretKeyEncryptorFactory( + aead, + protectionSettings.encryptionAlgorithm.algorithmId, + protectionSettings.s2kCount) .build(passphrase.getChars(), publicKey.publicKeyPacket) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt index 56e681ef..708db62d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt @@ -47,7 +47,10 @@ open class BaseSecretKeyRingProtector( if (it.isEmpty) null else OpenPGPImplementation.getInstance() - .pbeSecretKeyEncryptorFactory(false) + .pbeSecretKeyEncryptorFactory( + false, + protectionSettings.encryptionAlgorithm.algorithmId, + protectionSettings.s2kCount) .build(it.getChars(), key.publicKeyPacket) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt index c7566f6d..e9cdb973 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt @@ -19,7 +19,8 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm data class KeyRingProtectionSettings( val encryptionAlgorithm: SymmetricKeyAlgorithm, val hashAlgorithm: HashAlgorithm, - val s2kCount: Int + val s2kCount: Int, + val aead: Boolean ) { /** @@ -31,7 +32,7 @@ data class KeyRingProtectionSettings( */ constructor( encryptionAlgorithm: SymmetricKeyAlgorithm - ) : this(encryptionAlgorithm, HashAlgorithm.SHA1, 0x60) + ) : this(encryptionAlgorithm, HashAlgorithm.SHA1, 0x60, false) init { require(encryptionAlgorithm != SymmetricKeyAlgorithm.NULL) { @@ -50,6 +51,12 @@ data class KeyRingProtectionSettings( */ @JvmStatic fun secureDefaultSettings() = - KeyRingProtectionSettings(SymmetricKeyAlgorithm.AES_256, HashAlgorithm.SHA256, 0x60) + KeyRingProtectionSettings( + SymmetricKeyAlgorithm.AES_256, HashAlgorithm.SHA256, 0x60, false) + + @JvmStatic + fun aead() = + KeyRingProtectionSettings( + SymmetricKeyAlgorithm.AES_256, HashAlgorithm.SHA256, 0xff, true) } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java index b0746398..40eb776a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java @@ -15,6 +15,6 @@ public class InvalidProtectionSettingsTest { @Test public void unencryptedKeyRingProtectionSettingsThrows() { assertThrows(IllegalArgumentException.class, () -> - new KeyRingProtectionSettings(SymmetricKeyAlgorithm.NULL, HashAlgorithm.SHA256, 0x60)); + new KeyRingProtectionSettings(SymmetricKeyAlgorithm.NULL, HashAlgorithm.SHA256, 0x60, false)); } } From 27edbd1682ea3efd0447bfc7637afdb7ee1e76a7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 13 Mar 2025 15:39:13 +0100 Subject: [PATCH 079/265] Rename parameter --- .../pgpainless/key/protection/BaseSecretKeyRingProtector.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt index 708db62d..5546650e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt @@ -55,7 +55,7 @@ open class BaseSecretKeyRingProtector( } } - override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? { - return passphraseProvider.getPassphraseFor(p0.keyIdentifier)?.getChars() + override fun getKeyPassword(key: OpenPGPKey.OpenPGPSecretKey): CharArray? { + return passphraseProvider.getPassphraseFor(key.keyIdentifier)?.getChars() } } From 671dde0de9b67c126d0a5cf047397ab72042ce19 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 13 Mar 2025 15:41:18 +0100 Subject: [PATCH 080/265] Copy deprecation annotation --- .../org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt | 1 + 1 file changed, 1 insertion(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt index 5546650e..4afe0b33 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt @@ -29,6 +29,7 @@ open class BaseSecretKeyRingProtector( return passphraseProvider.hasPassphrase(keyIdentifier) } + @Deprecated("Pass in a KeyIdentifier instead.") override fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = getDecryptor(KeyIdentifier(keyId)) From b1855d0a1381e4c25f44825e1442571a5e29843d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 13 Mar 2025 16:12:43 +0100 Subject: [PATCH 081/265] Make secret key protection settings customizable via policy --- .../org/pgpainless/key/generation/KeyRingBuilder.kt | 8 +++----- .../key/protection/BaseSecretKeyRingProtector.kt | 2 +- .../main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt | 2 +- .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 3 +++ 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 53bc1607..fb1478e9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -19,7 +19,6 @@ import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.unlock -import org.pgpainless.key.protection.KeyRingProtectionSettings import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SelfSignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpackets @@ -93,7 +92,7 @@ class KeyRingBuilder( requireNotNull(primaryKeySpec) { "Primary Key spec required." } val certKey = generateKeyPair(primaryKeySpec!!, version) - val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey, false) + val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey) val secretKeyDecryptor = buildSecretKeyDecryptor() passphrase.clear() // Passphrase was used above, so we can get rid of it @@ -229,15 +228,14 @@ class KeyRingBuilder( private fun buildSecretKeyEncryptor( publicKey: PGPPublicKey, - aead: Boolean ): PBESecretKeyEncryptor? { check(passphrase.isValid) { "Passphrase was cleared." } - val protectionSettings = KeyRingProtectionSettings.secureDefaultSettings() + val protectionSettings = PGPainless.getPolicy().keyProtectionSettings return if (passphrase.isEmpty) null else OpenPGPImplementation.getInstance() .pbeSecretKeyEncryptorFactory( - aead, + protectionSettings.aead, protectionSettings.encryptionAlgorithm.algorithmId, protectionSettings.s2kCount) .build(passphrase.getChars(), publicKey.publicKeyPacket) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt index 4afe0b33..0be20c02 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt @@ -49,7 +49,7 @@ open class BaseSecretKeyRingProtector( else OpenPGPImplementation.getInstance() .pbeSecretKeyEncryptorFactory( - false, + protectionSettings.aead, protectionSettings.encryptionAlgorithm.algorithmId, protectionSettings.s2kCount) .build(it.getChars(), key.publicKeyPacket) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt index 5e789d3d..fd1baedf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt @@ -509,7 +509,7 @@ class KeyRingUtils { return PGPSecretKey.copyWithNewPassword( secretKey, - oldProtector.getDecryptor(secretKey.keyID), + oldProtector.getDecryptor(secretKey.keyIdentifier), newProtector.getEncryptor(secretKey.publicKey)) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index c8bc3754..61978792 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -6,6 +6,7 @@ package org.pgpainless.policy import java.util.* import org.pgpainless.algorithm.* +import org.pgpainless.key.protection.KeyRingProtectionSettings import org.pgpainless.util.DateUtil import org.pgpainless.util.NotationRegistry @@ -17,6 +18,7 @@ class Policy( var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, var compressionAlgorithmPolicy: CompressionAlgorithmPolicy, var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, + var keyProtectionSettings: KeyRingProtectionSettings, var notationRegistry: NotationRegistry ) { @@ -29,6 +31,7 @@ class Policy( SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022(), CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(), PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(), + KeyRingProtectionSettings.secureDefaultSettings(), NotationRegistry()) var keyGenerationAlgorithmSuite = AlgorithmSuite.defaultAlgorithmSuite From 502a755f20f3afc2acb41526add19fec7b485df1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 14 Mar 2025 13:40:54 +0100 Subject: [PATCH 082/265] Replace usage of .let() --- .../key/generation/KeyRingBuilder.kt | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index fb1478e9..573d01f0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -118,17 +118,15 @@ class KeyRingBuilder( signer, secretKeyEncryptor) } else { - userIds.keys.first().let { primaryUserId -> - PGPKeyRingGenerator( - SignatureType.POSITIVE_CERTIFICATION.code, - certKey, - primaryUserId, - keyFingerprintCalculator, - hashedSubPackets, - null, - signer, - secretKeyEncryptor) - } + PGPKeyRingGenerator( + SignatureType.POSITIVE_CERTIFICATION.code, + certKey, + userIds.keys.first(), + keyFingerprintCalculator, + hashedSubPackets, + null, + signer, + secretKeyEncryptor) } addSubKeys(certKey, ringGenerator) From 14bfd5219146ae641f2735c32b8cf776f6cbf754 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 14 Mar 2025 14:00:56 +0100 Subject: [PATCH 083/265] Add OpenPGPImplementation.checksumCalculator() extension function --- .../OpenPGPImplementationExtensions.kt | 13 +++++++++++++ .../key/generation/KeyRingBuilder.kt | 19 +++++-------------- .../secretkeyring/SecretKeyRingEditor.kt | 6 ++---- .../key/protection/fixes/S2KUsageFix.kt | 7 ++----- 4 files changed, 22 insertions(+), 23 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt new file mode 100644 index 00000000..5a33b609 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt @@ -0,0 +1,13 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.bouncycastle.extensions + +import org.bouncycastle.bcpg.HashAlgorithmTags +import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.operator.PGPDigestCalculator + +fun OpenPGPImplementation.checksumCalculator(): PGPDigestCalculator { + return pgpDigestCalculatorProvider().get(HashAlgorithmTags.SHA1) +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 573d01f0..104eac59 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -6,7 +6,6 @@ package org.pgpainless.key.generation import java.io.IOException import java.util.* -import org.bouncycastle.bcpg.HashAlgorithmTags import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey @@ -18,6 +17,7 @@ import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType +import org.pgpainless.bouncycastle.extensions.checksumCalculator import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SelfSignatureSubpackets @@ -83,10 +83,7 @@ class KeyRingBuilder( private fun keyIsCertificationCapable(keySpec: KeySpec) = keySpec.keyType.canCertify override fun build(): OpenPGPKey { - val keyFingerprintCalculator = - OpenPGPImplementation.getInstance() - .pgpDigestCalculatorProvider() - .get(HashAlgorithmTags.SHA1) + val checksumCalculator = OpenPGPImplementation.getInstance().checksumCalculator() // generate primary key requireNotNull(primaryKeySpec) { "Primary Key spec required." } @@ -111,18 +108,13 @@ class KeyRingBuilder( val ringGenerator = if (userIds.isEmpty()) { PGPKeyRingGenerator( - certKey, - keyFingerprintCalculator, - hashedSubPackets, - null, - signer, - secretKeyEncryptor) + certKey, checksumCalculator, hashedSubPackets, null, signer, secretKeyEncryptor) } else { PGPKeyRingGenerator( SignatureType.POSITIVE_CERTIFICATION.code, certKey, userIds.keys.first(), - keyFingerprintCalculator, + checksumCalculator, hashedSubPackets, null, signer, @@ -165,8 +157,7 @@ class KeyRingBuilder( // Reassemble secret key ring with modified primary key val primarySecretKey = - PGPSecretKey( - privateKey, primaryPubKey, keyFingerprintCalculator, true, secretKeyEncryptor) + PGPSecretKey(privateKey, primaryPubKey, checksumCalculator, true, secretKeyEncryptor) val secretKeyList = mutableListOf(primarySecretKey) while (secretKeys.hasNext()) { secretKeyList.add(secretKeys.next()) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 63ceae13..4346dc74 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -9,7 +9,6 @@ import java.util.function.Predicate import javax.annotation.Nonnull import kotlin.NoSuchElementException import openpgp.openPgpKeyId -import org.bouncycastle.bcpg.HashAlgorithmTags import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* @@ -27,6 +26,7 @@ import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator +import org.pgpainless.bouncycastle.extensions.checksumCalculator import org.pgpainless.bouncycastle.extensions.getKeyExpirationDate import org.pgpainless.bouncycastle.extensions.publicKeyAlgorithm import org.pgpainless.bouncycastle.extensions.requirePublicKey @@ -310,9 +310,7 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date PGPSecretKey( subkey.privateKey, subkey.publicKey, - OpenPGPImplementation.getInstance() - .pgpDigestCalculatorProvider() - .get(HashAlgorithmTags.SHA1), + OpenPGPImplementation.getInstance().checksumCalculator(), false, subkeyProtector.getEncryptor(subkey.publicKey)) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt index 3e843e60..b7447af7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt @@ -4,11 +4,11 @@ package org.pgpainless.key.protection.fixes -import org.bouncycastle.bcpg.HashAlgorithmTags import org.bouncycastle.bcpg.SecretKeyPacket import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.pgpainless.bouncycastle.extensions.checksumCalculator import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.protection.SecretKeyRingProtector @@ -48,10 +48,7 @@ class S2KUsageFix { protector: SecretKeyRingProtector, skipKeysWithMissingPassphrase: Boolean = false ): PGPSecretKeyRing { - val digestCalculator = - OpenPGPImplementation.getInstance() - .pgpDigestCalculatorProvider() - .get(HashAlgorithmTags.SHA1) + val digestCalculator = OpenPGPImplementation.getInstance().checksumCalculator() val keyList = mutableListOf() for (key in keys) { // CHECKSUM is not recommended From 38df5ee36e2a9e176aa47d9b6999690ea204240b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 15 Mar 2025 12:56:42 +0100 Subject: [PATCH 084/265] PublicKeyAlgorithm: Ask PublicKeyUtils for algorithm capabilities, add persistent symmetric key algorithm ids --- .../algorithm/PublicKeyAlgorithm.kt | 62 +++++++++++++------ 1 file changed, 42 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt index b8fc6836..dd4c900c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt @@ -4,19 +4,17 @@ package org.pgpainless.algorithm +import org.bouncycastle.bcpg.PublicKeyUtils + /** * Enumeration of public key algorithms as defined in RFC4880. * * See [RFC4880: Public-Key Algorithms](https://tools.ietf.org/html/rfc4880#section-9.1) */ -enum class PublicKeyAlgorithm( - val algorithmId: Int, - val signingCapable: Boolean, - val encryptionCapable: Boolean -) { +enum class PublicKeyAlgorithm(val algorithmId: Int) { /** RSA capable of encryption and signatures. */ - RSA_GENERAL(1, true, true), + RSA_GENERAL(1), /** * RSA with usage encryption. @@ -25,7 +23,7 @@ enum class PublicKeyAlgorithm( * notice */ @Deprecated("RSA_ENCRYPT is deprecated in favor of RSA_GENERAL", ReplaceWith("RSA_GENERAL")) - RSA_ENCRYPT(2, false, true), + RSA_ENCRYPT(2), /** * RSA with usage of creating signatures. @@ -34,19 +32,19 @@ enum class PublicKeyAlgorithm( * notice */ @Deprecated("RSA_SIGN is deprecated in favor of RSA_GENERAL", ReplaceWith("RSA_GENERAL")) - RSA_SIGN(3, true, false), + RSA_SIGN(3), /** ElGamal with usage encryption. */ - ELGAMAL_ENCRYPT(16, false, true), + ELGAMAL_ENCRYPT(16), /** Digital Signature Algorithm. */ - DSA(17, true, false), + DSA(17), /** Elliptic Curve Diffie-Hellman. */ - ECDH(18, false, true), + ECDH(18), /** Elliptic Curve Digital Signature Algorithm. */ - ECDSA(19, true, false), + ECDSA(19), /** * ElGamal General. @@ -54,26 +52,50 @@ enum class PublicKeyAlgorithm( * @deprecated see Deprecation * notice */ - @Deprecated("ElGamal is deprecated") ELGAMAL_GENERAL(20, true, true), + @Deprecated("ElGamal is deprecated") ELGAMAL_GENERAL(20), /** Diffie-Hellman key exchange algorithm. */ - DIFFIE_HELLMAN(21, false, true), + DIFFIE_HELLMAN(21), /** Digital Signature Algorithm based on twisted Edwards Curves. */ - EDDSA_LEGACY(22, true, false), + EDDSA_LEGACY(22), /** X25519 encryption algorithm. */ - X25519(25, false, true), + X25519(25), /** X448 encryption algorithm. */ - X448(26, false, true), + X448(26), /** Ed25519 signature algorithm. */ - ED25519(27, true, false), + ED25519(27), /** Ed448 signature algorithm. */ - ED448(28, true, false), - ; + ED448(28), + + /** + * AEAD can be used as a persistent key symmetric encryption algorithm for message encryption. + * + * @see + * [Persistent Symmetric Keys in OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-persistent-symmetric-keys/) + */ + AEAD(128) { + override val signingCapable = false + override val encryptionCapable = true + }, + + /** + * HMAC can be used as a persistent key symmetric signing algorithm for message signing. + * + * @see + * [Persistent Symmetric Keys in OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-persistent-symmetric-keys/) + */ + HMAC(129) { + override val signingCapable = true + override val encryptionCapable = false + }; + + open val signingCapable: Boolean = PublicKeyUtils.isSigningAlgorithm(algorithmId) + open val encryptionCapable: Boolean = PublicKeyUtils.isEncryptionAlgorithm(algorithmId) fun isSigningCapable(): Boolean = signingCapable From abff76de389338845fa06befa3f7723ba38d4149 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 15 Mar 2025 13:00:34 +0100 Subject: [PATCH 085/265] PublicKeyAlgorithms: Update documentation --- .../org/pgpainless/algorithm/PublicKeyAlgorithm.kt | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt index dd4c900c..075316ed 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt @@ -7,12 +7,18 @@ package org.pgpainless.algorithm import org.bouncycastle.bcpg.PublicKeyUtils /** - * Enumeration of public key algorithms as defined in RFC4880. + * Enumeration of public key algorithms as defined in RFC4880, RFC9580, Persistent Symmetric Keys. * - * See [RFC4880: Public-Key Algorithms](https://tools.ietf.org/html/rfc4880#section-9.1) + * @see [RFC4880: Public-Key Algorithms](https://tools.ietf.org/html/rfc4880#section-9.1) + * @see + * [RFC9580: Public-Key Algorithms](https://www.rfc-editor.org/rfc/rfc9580.html#name-public-key-algorithms) + * @see + * [Persistent Symmetric Keys in OpenPGP](https://www.ietf.org/archive/id/draft-ietf-openpgp-persistent-symmetric-keys-01.html#name-persistent-symmetric-key-al) */ enum class PublicKeyAlgorithm(val algorithmId: Int) { + // RFC4880 + /** RSA capable of encryption and signatures. */ RSA_GENERAL(1), @@ -60,6 +66,8 @@ enum class PublicKeyAlgorithm(val algorithmId: Int) { /** Digital Signature Algorithm based on twisted Edwards Curves. */ EDDSA_LEGACY(22), + // RFC9580 + /** X25519 encryption algorithm. */ X25519(25), @@ -72,6 +80,8 @@ enum class PublicKeyAlgorithm(val algorithmId: Int) { /** Ed448 signature algorithm. */ ED448(28), + // Persistent Symmetric Keys in OpenPGP + /** * AEAD can be used as a persistent key symmetric encryption algorithm for message encryption. * From e46e9fa1f5a6a1278ba737a69f459e8c7bce1d89 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 16 Mar 2025 22:01:59 +0100 Subject: [PATCH 086/265] Rework Policy to be immutable. Changes are now done by calling policy.copy().withXYZ().build() --- .../main/kotlin/org/pgpainless/PGPainless.kt | 8 +- .../kotlin/org/pgpainless/policy/Policy.kt | 113 ++++++++++++++++-- .../EncryptDecryptTest.java | 5 +- .../org/pgpainless/example/ManagePolicy.java | 69 +++++------ .../GeneratingWeakKeyThrowsTest.java | 16 ++- .../RefuseToAddWeakSubkeyTest.java | 15 ++- .../pgpainless/policy/PolicySetterTest.java | 16 +-- .../org/pgpainless/policy/PolicyTest.java | 33 ++--- .../sop/VerifyLegacySignatureTest.java | 11 +- 9 files changed, 192 insertions(+), 94 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 98ff0603..c5768e99 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -34,7 +34,7 @@ import org.pgpainless.util.ArmorUtils class PGPainless( val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(), - val algorithmPolicy: Policy = Policy.getInstance() + var algorithmPolicy: Policy = Policy.getInstance() ) { private var api: OpenPGPApi @@ -230,7 +230,11 @@ class PGPainless( * * @return policy */ - @JvmStatic fun getPolicy() = getInstance().algorithmPolicy + @Deprecated( + "Use PGPainless.getInstance().getAlgorithmPolicy() instead.", + replaceWith = ReplaceWith("getInstance().algorithmPolicy")) + @JvmStatic + fun getPolicy() = getInstance().algorithmPolicy /** * Create different kinds of signatures on other keys. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 61978792..eb875e21 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -11,15 +11,16 @@ import org.pgpainless.util.DateUtil import org.pgpainless.util.NotationRegistry class Policy( - var certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, - var revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, - var dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, - var symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, - var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, - var compressionAlgorithmPolicy: CompressionAlgorithmPolicy, - var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, - var keyProtectionSettings: KeyRingProtectionSettings, - var notationRegistry: NotationRegistry + val certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + val revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + val dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + val symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, + val symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, + val compressionAlgorithmPolicy: CompressionAlgorithmPolicy, + val publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, + val keyProtectionSettings: KeyRingProtectionSettings, + val notationRegistry: NotationRegistry, + val keyGenerationAlgorithmSuite: AlgorithmSuite ) { constructor() : @@ -32,12 +33,14 @@ class Policy( CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(), PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(), KeyRingProtectionSettings.secureDefaultSettings(), - NotationRegistry()) + NotationRegistry(), + AlgorithmSuite.defaultAlgorithmSuite) - var keyGenerationAlgorithmSuite = AlgorithmSuite.defaultAlgorithmSuite var signerUserIdValidationLevel = SignerUserIdValidationLevel.DISABLED var enableKeyParameterValidation = false + fun copy() = Builder(this) + fun isEnableKeyParameterValidation() = enableKeyParameterValidation /** @@ -415,4 +418,92 @@ class Policy( fun getInstance() = INSTANCE ?: synchronized(this) { INSTANCE ?: Policy().also { INSTANCE = it } } } + + class Builder(private val origin: Policy) { + private var certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy = + origin.certificationSignatureHashAlgorithmPolicy + private var revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy = + origin.revocationSignatureHashAlgorithmPolicy + private var dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy = + origin.dataSignatureHashAlgorithmPolicy + private var symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy = + origin.symmetricKeyEncryptionAlgorithmPolicy + private var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy = + origin.symmetricKeyDecryptionAlgorithmPolicy + private var compressionAlgorithmPolicy: CompressionAlgorithmPolicy = + origin.compressionAlgorithmPolicy + private var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy = + origin.publicKeyAlgorithmPolicy + private var keyProtectionSettings: KeyRingProtectionSettings = origin.keyProtectionSettings + private var notationRegistry: NotationRegistry = origin.notationRegistry + private var keyGenerationAlgorithmSuite: AlgorithmSuite = origin.keyGenerationAlgorithmSuite + + fun withCertificationSignatureHashAlgorithmPolicy( + certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy + ) = apply { + this.certificationSignatureHashAlgorithmPolicy = + certificationSignatureHashAlgorithmPolicy + } + + fun withRevocationSignatureHashAlgorithmPolicy( + revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy + ) = apply { + this.revocationSignatureHashAlgorithmPolicy = revocationSignatureHashAlgorithmPolicy + } + + fun withDataSignatureHashAlgorithmPolicy( + dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy + ) = apply { this.dataSignatureHashAlgorithmPolicy = dataSignatureHashAlgorithmPolicy } + + fun withSymmetricKeyEncryptionAlgorithmPolicy( + symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy + ) = apply { + this.symmetricKeyEncryptionAlgorithmPolicy = symmetricKeyEncryptionAlgorithmPolicy + } + + fun withSymmetricKeyDecryptionAlgorithmPolicy( + symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy + ) = apply { + this.symmetricKeyDecryptionAlgorithmPolicy = symmetricKeyDecryptionAlgorithmPolicy + } + + fun withCompressionAlgorithmPolicy(compressionAlgorithmPolicy: CompressionAlgorithmPolicy) = + apply { + this.compressionAlgorithmPolicy = compressionAlgorithmPolicy + } + + fun withPublicKeyAlgorithmPolicy(publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy) = + apply { + this.publicKeyAlgorithmPolicy = publicKeyAlgorithmPolicy + } + + fun withKeyProtectionSettings(keyProtectionSettings: KeyRingProtectionSettings) = apply { + this.keyProtectionSettings = keyProtectionSettings + } + + fun withNotationRegistry(notationRegistry: NotationRegistry) = apply { + this.notationRegistry = notationRegistry + } + + fun withKeyGenerationAlgorithmSuite(keyGenerationAlgorithmSuite: AlgorithmSuite) = apply { + this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite + } + + fun build() = + Policy( + certificationSignatureHashAlgorithmPolicy, + revocationSignatureHashAlgorithmPolicy, + dataSignatureHashAlgorithmPolicy, + symmetricKeyEncryptionAlgorithmPolicy, + symmetricKeyDecryptionAlgorithmPolicy, + compressionAlgorithmPolicy, + publicKeyAlgorithmPolicy, + keyProtectionSettings, + notationRegistry, + keyGenerationAlgorithmSuite) + .apply { + enableKeyParameterValidation = origin.enableKeyParameterValidation + signerUserIdValidationLevel = origin.signerUserIdValidationLevel + } + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 71e5085e..6352984a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -59,10 +59,7 @@ public class EncryptDecryptTest { @BeforeEach public void setDefaultPolicy() { - PGPainless.getPolicy().setSymmetricKeyEncryptionAlgorithmPolicy( - Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022()); - PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy( - Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022()); + PGPainless.getInstance().setAlgorithmPolicy(new Policy()); } @TestTemplate diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java index 3b29e35d..c0cbc505 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java @@ -25,13 +25,13 @@ import org.pgpainless.util.NotationRegistry; * can be rejected. * Note, that PGPainless distinguishes between hash algorithms used in revocation and non-revocation signatures, * and has different policies for those. - * + *

* Furthermore, PGPainless has policies for symmetric encryption algorithms (both for encrypting and decrypting), * for public key algorithms and key lengths, as well as compression algorithms. - * + *

* The following examples show how these policies can be modified. - * - * PGPainless' policy is being accessed by calling {@link PGPainless#getPolicy()}. + *

+ * PGPainless' policy is being accessed by calling {@link PGPainless#getAlgorithmPolicy()}. * Custom sub-policies can be set by calling the setter methods of {@link Policy}. */ public class ManagePolicy { @@ -43,50 +43,29 @@ public class ManagePolicy { @AfterEach public void resetPolicy() { // Policy for hash algorithms in non-revocation signatures - PGPainless.getPolicy().setCertificationSignatureHashAlgorithmPolicy( - Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy()); - // Policy for hash algorithms in data signatures - PGPainless.getPolicy().setDataSignatureHashAlgorithmPolicy( - Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy()); - // Policy for hash algorithms in revocation signatures - PGPainless.getPolicy().setRevocationSignatureHashAlgorithmPolicy( - Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()); - // Policy for public key algorithms and bit lengths - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( - Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); - // Policy for acceptable symmetric encryption algorithms when decrypting messages - PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy( - Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022()); - // Policy for acceptable symmetric encryption algorithms when encrypting messages - PGPainless.getPolicy().setSymmetricKeyEncryptionAlgorithmPolicy( - Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022()); - // Policy for acceptable compression algorithms - PGPainless.getPolicy().setCompressionAlgorithmPolicy( - Policy.CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy()); - // Known notations - PGPainless.getPolicy().getNotationRegistry().clear(); + PGPainless.getInstance().setAlgorithmPolicy(new Policy()); } /** * {@link HashAlgorithm Hash Algorithms} may get outdated with time. {@link HashAlgorithm#SHA1} is a prominent * example for an algorithm that is nowadays considered unsafe to use and which shall be avoided. - * + *

* PGPainless comes with a {@link Policy} class that defines which algorithms are trustworthy and acceptable. * It also allows the user to specify a custom policy tailored to their needs. - * + *

* Per default, PGPainless will reject non-revocation signatures that use SHA-1 as hash algorithm. * To inspect PGPainless' default signature hash algorithm policy, see * {@link Policy.HashAlgorithmPolicy#static2022SignatureHashAlgorithmPolicy()}. - * + *

* Since it may be a valid use-case to accept signatures made using SHA-1 as part of a less strict policy, * this example demonstrates how to set a custom signature hash algorithm policy. */ @Test public void setCustomSignatureHashPolicy() { - // Get PGPainless' policy singleton - Policy policy = PGPainless.getPolicy(); + // Get PGPainless' policy + Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy(); - Policy.HashAlgorithmPolicy sigHashAlgoPolicy = policy.getDataSignatureHashAlgorithmPolicy(); + Policy.HashAlgorithmPolicy sigHashAlgoPolicy = oldPolicy.getDataSignatureHashAlgorithmPolicy(); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512)); // Per default, non-revocation signatures using SHA-1 are rejected assertFalse(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1)); @@ -98,12 +77,17 @@ public class ManagePolicy { // List of acceptable hash algorithms Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224, HashAlgorithm.SHA1)); // Set the hash algo policy as policy for non-revocation signatures - policy.setDataSignatureHashAlgorithmPolicy(customPolicy); + PGPainless.getInstance().setAlgorithmPolicy( + oldPolicy.copy().withDataSignatureHashAlgorithmPolicy(customPolicy).build() + ); - sigHashAlgoPolicy = policy.getDataSignatureHashAlgorithmPolicy(); + sigHashAlgoPolicy = PGPainless.getInstance().getAlgorithmPolicy().getDataSignatureHashAlgorithmPolicy(); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512)); // SHA-1 is now acceptable as well assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1)); + + // reset old policy + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } /** @@ -111,13 +95,13 @@ public class ManagePolicy { * Per default, PGPainless will reject signatures made by keys of unacceptable algorithm or length. * See {@link Policy.PublicKeyAlgorithmPolicy#bsi2021PublicKeyAlgorithmPolicy()} * to inspect PGPainless' defaults. - * + *

* This example demonstrates how to set a custom public key algorithm policy. */ @Test public void setCustomPublicKeyAlgorithmPolicy() { - Policy policy = PGPainless.getPolicy(); - Policy.PublicKeyAlgorithmPolicy pkAlgorithmPolicy = policy.getPublicKeyAlgorithmPolicy(); + Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy(); + Policy.PublicKeyAlgorithmPolicy pkAlgorithmPolicy = oldPolicy.getPublicKeyAlgorithmPolicy(); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096)); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048)); assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 1024)); @@ -131,27 +115,30 @@ public class ManagePolicy { put(PublicKeyAlgorithm.RSA_GENERAL, 3000); }} ); - policy.setPublicKeyAlgorithmPolicy(customPolicy); + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy().withPublicKeyAlgorithmPolicy(customPolicy).build()); - pkAlgorithmPolicy = policy.getPublicKeyAlgorithmPolicy(); + pkAlgorithmPolicy = PGPainless.getInstance().getAlgorithmPolicy().getPublicKeyAlgorithmPolicy(); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096)); // RSA 2048 is no longer acceptable assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048)); // ECDSA is no longer acceptable, since it is no longer included in the policy at all assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.ECDSA, 256)); + + // Reset policy + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } /** * OpenPGP requires implementations to reject signatures which contain critical notation data subpackets * which are not known to the implementation. - * + *

* PGPainless allows the user to define which notations should be considered known notations. * The following example demonstrates how to mark the notation value 'unknown@pgpainless.org' as known, * such that signatures containing a critical notation with that name are no longer being invalidated because of it. */ @Test public void manageKnownNotations() { - Policy policy = PGPainless.getPolicy(); + Policy policy = PGPainless.getInstance().getAlgorithmPolicy(); NotationRegistry notationRegistry = policy.getNotationRegistry(); assertFalse(notationRegistry.isKnownNotation("unknown@pgpainless.org")); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java index 65dea167..49db0243 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java @@ -22,9 +22,7 @@ public class GeneratingWeakKeyThrowsTest { @Test public void refuseToGenerateWeakPrimaryKeyTest() { // ensure we have default public key algorithm policy set - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( - Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); - + PGPainless.getInstance().setAlgorithmPolicy(new Policy()); assertThrows(IllegalArgumentException.class, () -> PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), @@ -34,8 +32,7 @@ public class GeneratingWeakKeyThrowsTest { @Test public void refuseToAddWeakSubkeyDuringGenerationTest() { // ensure we have default public key algorithm policy set - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( - Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); + PGPainless.getInstance().setAlgorithmPolicy(new Policy()); KeyRingBuilder kb = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), @@ -52,8 +49,10 @@ public class GeneratingWeakKeyThrowsTest { Map bitStrengths = new HashMap<>(); bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512); - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( - new Policy.PublicKeyAlgorithmPolicy(bitStrengths)); + Policy oldPolicy = PGPainless.getPolicy(); + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy() + .withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(bitStrengths)) + .build()); PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), @@ -64,7 +63,6 @@ public class GeneratingWeakKeyThrowsTest { .build(); // reset public key algorithm policy - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( - Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java index e640302e..925b4426 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -29,7 +29,11 @@ public class RefuseToAddWeakSubkeyTest { @Test public void testEditorRefusesToAddWeakSubkey() { // ensure default policy is set - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); + Policy oldPolicy = PGPainless.getPolicy(); + Policy adjusted = oldPolicy.copy().withPublicKeyAlgorithmPolicy( + Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy() + ).build(); + PGPainless.getInstance().setAlgorithmPolicy(adjusted); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice") @@ -39,6 +43,7 @@ public class RefuseToAddWeakSubkeyTest { assertThrows(IllegalArgumentException.class, () -> editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys())); + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } @Test @@ -47,6 +52,8 @@ public class RefuseToAddWeakSubkeyTest { .modernKeyRing("Alice") .getPGPSecretKeyRing(); + Policy oldPolicy = PGPainless.getPolicy(); + // set weak policy Map minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class); // §5.4.1 @@ -68,7 +75,9 @@ public class RefuseToAddWeakSubkeyTest { minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000); // §7.2.2 minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250); - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths)); + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy() + .withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths)) + .build()); SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS) @@ -81,6 +90,6 @@ public class RefuseToAddWeakSubkeyTest { assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size()); // reset default policy - PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java index 6e90847d..bd044b3b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java @@ -18,43 +18,43 @@ public class PolicySetterTest { @Test public void testSetCertificationSignatureHashAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setCertificationSignatureHashAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withCertificationSignatureHashAlgorithmPolicy(null)); } @Test public void testSetDataSignatureHashAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setDataSignatureHashAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withDataSignatureHashAlgorithmPolicy(null)); } @Test public void testSetRevocationSignatureHashAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setRevocationSignatureHashAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withRevocationSignatureHashAlgorithmPolicy(null)); } @Test public void testSetSymmetricKeyEncryptionAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setSymmetricKeyEncryptionAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withSymmetricKeyEncryptionAlgorithmPolicy(null)); } @Test public void testSetSymmetricKeyDecryptionAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setSymmetricKeyDecryptionAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withSymmetricKeyDecryptionAlgorithmPolicy(null)); } @Test public void testSetCompressionAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setCompressionAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withCompressionAlgorithmPolicy(null)); } @Test public void testSetPublicKeyAlgorithmPolicy_NullFails() { Policy policy = Policy.getInstance(); - assertThrows(NullPointerException.class, () -> policy.setPublicKeyAlgorithmPolicy(null)); + assertThrows(NullPointerException.class, () -> policy.copy().withPublicKeyAlgorithmPolicy(null)); } @Test @@ -62,7 +62,7 @@ public class PolicySetterTest { Policy policy = new Policy(); Map acceptableAlgorithms = new HashMap<>(); acceptableAlgorithms.put(PublicKeyAlgorithm.RSA_GENERAL, 2000); - policy.setPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(acceptableAlgorithms)); + policy = policy.copy().withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(acceptableAlgorithms)).build(); // Policy does not contain ECDSA assertFalse(policy.getPublicKeyAlgorithmPolicy().isAcceptable(PublicKeyAlgorithm.ECDSA, 256)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java index 9ff4df85..27288218 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java @@ -28,23 +28,12 @@ public class PolicyTest { @BeforeAll public static void setup() { - policy = new Policy(); - policy.setCompressionAlgorithmPolicy(new Policy.CompressionAlgorithmPolicy(CompressionAlgorithm.UNCOMPRESSED, - Arrays.asList(CompressionAlgorithm.ZIP, CompressionAlgorithm.ZLIB, CompressionAlgorithm.UNCOMPRESSED))); - - policy.setSymmetricKeyEncryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, - Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128))); - - policy.setSymmetricKeyDecryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, - Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.BLOWFISH))); - Map sigHashAlgoMap = new HashMap<>(); sigHashAlgoMap.put(HashAlgorithm.SHA512, null); sigHashAlgoMap.put(HashAlgorithm.SHA384, null); sigHashAlgoMap.put(HashAlgorithm.SHA256, null); sigHashAlgoMap.put(HashAlgorithm.SHA224, null); sigHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC")); - policy.setCertificationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap)); Map revHashAlgoMap = new HashMap<>(); revHashAlgoMap.put(HashAlgorithm.SHA512, null); @@ -53,10 +42,26 @@ public class PolicyTest { revHashAlgoMap.put(HashAlgorithm.SHA224, null); revHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC")); revHashAlgoMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC")); - policy.setRevocationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, - revHashAlgoMap)); - policy.setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); + policy = new Policy().copy() + + .withCompressionAlgorithmPolicy(new Policy.CompressionAlgorithmPolicy(CompressionAlgorithm.UNCOMPRESSED, + Arrays.asList(CompressionAlgorithm.ZIP, CompressionAlgorithm.ZLIB, CompressionAlgorithm.UNCOMPRESSED))) + + .withSymmetricKeyEncryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, + Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128))) + + .withSymmetricKeyDecryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, + Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.BLOWFISH))) + + .withCertificationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap)) + + .withRevocationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, + revHashAlgoMap)) + + .withPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()) + + .build(); } @Test diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java index 23fd9840..721c338d 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java @@ -134,8 +134,12 @@ public class VerifyLegacySignatureTest { assertFalse(result.getResult().isEmpty()); // Adjust data signature hash policy to accept new SHA-1 sigs - PGPainless.getPolicy().setDataSignatureHashAlgorithmPolicy( - Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()); + Policy policy = PGPainless.getPolicy(); + Policy adjusted = policy.copy() + .withDataSignatureHashAlgorithmPolicy( + Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy() + ).build(); + PGPainless.getInstance().setAlgorithmPolicy(adjusted); // Sig generated in 2024 using SHA1 String newSig = "-----BEGIN PGP MESSAGE-----\n" + @@ -160,5 +164,8 @@ public class VerifyLegacySignatureTest { .toByteArrayAndResult(); assertFalse(result.getResult().isEmpty()); + + // Reset old policy + PGPainless.getInstance().setAlgorithmPolicy(policy); } } From 4f7aea6019937778300521556792d8f2f97469d6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 16 Mar 2025 22:07:58 +0100 Subject: [PATCH 087/265] Fix GenerateV6KeyTest.generateAEADProtectedModernKey() test --- .../key/generation/GenerateV6KeyTest.java | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index 516c2bea..652afb33 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -4,6 +4,7 @@ package org.pgpainless.key.generation; +import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.bcpg.SignatureSubpacketTags; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.api.OpenPGPCertificate; @@ -16,11 +17,14 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.key.protection.KeyRingProtectionSettings; +import org.pgpainless.policy.Policy; import java.io.IOException; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; public class GenerateV6KeyTest { @@ -133,7 +137,14 @@ public class GenerateV6KeyTest { @Test public void generateAEADProtectedModernKey() - throws IOException { + throws IOException, PGPException { + Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy(); + + // Change Policy to use AEAD for secret key protection + PGPainless.getInstance().setAlgorithmPolicy( + oldPolicy.copy().withKeyProtectionSettings(KeyRingProtectionSettings.aead()).build() + ); + OpenPGPKey key = PGPainless.getInstance() .generateKey(OpenPGPKeyVersion.v6) .modernKeyRing("Alice ", "p455w0rd"); @@ -143,7 +154,13 @@ public class GenerateV6KeyTest { OpenPGPKey parsed = PGPainless.getInstance().readKey().parseKey(armored); OpenPGPKey.OpenPGPSecretKey primaryKey = key.getPrimarySecretKey(); + assertEquals(SecretKeyPacket.USAGE_AEAD, primaryKey.getPGPSecretKey().getS2KUsage()); + + OpenPGPKey.OpenPGPPrivateKey privateKey = primaryKey.unlock("p455w0rd".toCharArray()); + assertNotNull(privateKey); assertEquals(armored, parsed.toAsciiArmoredString()); + + PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } } From 9c591ef6d1fd01e2baf7116f88446769d34ab18d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Mar 2025 16:12:10 +0100 Subject: [PATCH 088/265] Allow passing creation time into KeyRingTemplates, replace deprecated methods --- .../main/kotlin/org/pgpainless/PGPainless.kt | 11 +++-- .../key/generation/KeyRingBuilder.kt | 31 +++++++------ .../key/generation/KeyRingTemplates.kt | 44 +++++++++++++------ .../secretkeyring/SecretKeyRingEditor.kt | 4 +- 4 files changed, 54 insertions(+), 36 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index c5768e99..7cfb7ed2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -48,8 +48,9 @@ class PGPainless( @JvmOverloads fun generateKey( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, - creationTime: Date = Date() - ): KeyRingTemplates = KeyRingTemplates(version, creationTime) + creationTime: Date = Date(), + policy: Policy = algorithmPolicy + ): KeyRingTemplates = KeyRingTemplates(version, creationTime, policy) @JvmOverloads fun buildKey( @@ -98,8 +99,10 @@ class PGPainless( */ @JvmStatic @JvmOverloads - fun buildKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4) = - KeyRingBuilder(version, getInstance().implementation) + fun buildKeyRing( + version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, + policy: Policy = getInstance().algorithmPolicy + ) = KeyRingBuilder(version, getInstance().implementation, policy) /** * Read an existing OpenPGP key ring. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 104eac59..35b1485a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -27,7 +27,8 @@ import org.pgpainless.util.Passphrase class KeyRingBuilder( private val version: OpenPGPKeyVersion, - private val implementation: OpenPGPImplementation + private val implementation: OpenPGPImplementation, + private val policy: Policy = PGPainless.getInstance().algorithmPolicy ) : KeyRingBuilderInterface { private var primaryKeySpec: KeySpec? = null @@ -37,13 +38,13 @@ class KeyRingBuilder( private var expirationDate: Date? = Date(System.currentTimeMillis() + (5 * MILLIS_IN_YEAR)) override fun setPrimaryKey(keySpec: KeySpec): KeyRingBuilder = apply { - verifyKeySpecCompliesToPolicy(keySpec, PGPainless.getPolicy()) + verifyKeySpecCompliesToPolicy(keySpec, policy) verifyPrimaryKeyCanCertify(keySpec) this.primaryKeySpec = keySpec } override fun addSubkey(keySpec: KeySpec): KeyRingBuilder = apply { - verifyKeySpecCompliesToPolicy(keySpec, PGPainless.getPolicy()) + verifyKeySpecCompliesToPolicy(keySpec, policy) subKeySpecs.add(keySpec) } @@ -83,11 +84,11 @@ class KeyRingBuilder( private fun keyIsCertificationCapable(keySpec: KeySpec) = keySpec.keyType.canCertify override fun build(): OpenPGPKey { - val checksumCalculator = OpenPGPImplementation.getInstance().checksumCalculator() + val checksumCalculator = implementation.checksumCalculator() // generate primary key requireNotNull(primaryKeySpec) { "Primary Key spec required." } - val certKey = generateKeyPair(primaryKeySpec!!, version) + val certKey = generateKeyPair(primaryKeySpec!!, version, implementation) val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey) val secretKeyDecryptor = buildSecretKeyDecryptor() @@ -168,7 +169,7 @@ class KeyRingBuilder( private fun addSubKeys(primaryKey: PGPKeyPair, ringGenerator: PGPKeyRingGenerator) { for (subKeySpec in subKeySpecs) { - val subKey = generateKeyPair(subKeySpec, version) + val subKey = generateKeyPair(subKeySpec, version, implementation) if (subKeySpec.isInheritedSubPackets) { ringGenerator.addSubKey(subKey) } else { @@ -209,20 +210,19 @@ class KeyRingBuilder( } private fun buildContentSigner(certKey: PGPKeyPair): PGPContentSignerBuilder { - val hashAlgorithm = - PGPainless.getPolicy().certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm - return OpenPGPImplementation.getInstance() - .pgpContentSignerBuilder(certKey.publicKey.algorithm, hashAlgorithm.algorithmId) + val hashAlgorithm = policy.certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm + return implementation.pgpContentSignerBuilder( + certKey.publicKey.algorithm, hashAlgorithm.algorithmId) } private fun buildSecretKeyEncryptor( publicKey: PGPPublicKey, ): PBESecretKeyEncryptor? { check(passphrase.isValid) { "Passphrase was cleared." } - val protectionSettings = PGPainless.getPolicy().keyProtectionSettings + val protectionSettings = policy.keyProtectionSettings return if (passphrase.isEmpty) null else - OpenPGPImplementation.getInstance() + implementation .pbeSecretKeyEncryptorFactory( protectionSettings.aead, protectionSettings.encryptionAlgorithm.algorithmId, @@ -234,7 +234,7 @@ class KeyRingBuilder( check(passphrase.isValid) { "Passphrase was cleared." } return if (passphrase.isEmpty) null else - OpenPGPImplementation.getInstance() + implementation .pbeSecretKeyDecryptorBuilderProvider() .provide() .build(passphrase.getChars()) @@ -248,12 +248,11 @@ class KeyRingBuilder( fun generateKeyPair( spec: KeySpec, version: OpenPGPKeyVersion, + implementation: OpenPGPImplementation = PGPainless.getInstance().implementation, creationTime: Date = spec.keyCreationDate ?: Date() ): PGPKeyPair { val gen = - OpenPGPImplementation.getInstance() - .pgpKeyPairGeneratorProvider() - .get(version.numeric, creationTime) + implementation.pgpKeyPairGeneratorProvider().get(version.numeric, creationTime) return spec.keyType.generateKeyPair(gen) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index 7ee032ae..94d79769 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -6,6 +6,7 @@ package org.pgpainless.key.generation import java.util.* import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.buildKeyRing import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion @@ -14,11 +15,13 @@ import org.pgpainless.key.generation.type.KeyType import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve import org.pgpainless.key.generation.type.rsa.RsaLength import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec +import org.pgpainless.policy.Policy import org.pgpainless.util.Passphrase class KeyRingTemplates( private val version: OpenPGPKeyVersion, - private val creationTime: Date = Date() + private val creationTime: Date = Date(), + private val policy: Policy = PGPainless.getInstance().algorithmPolicy ) { /** @@ -36,12 +39,17 @@ class KeyRingTemplates( length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() ): OpenPGPKey = - buildKeyRing(version) + buildKeyRing(version, policy) .apply { - setPrimaryKey(getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER)) - addSubkey(getBuilder(KeyType.RSA(length), KeyFlag.SIGN_DATA)) + setPrimaryKey( + getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER) + .setKeyCreationDate(creationTime)) addSubkey( - getBuilder(KeyType.RSA(length), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) + getBuilder(KeyType.RSA(length), KeyFlag.SIGN_DATA) + .setKeyCreationDate(creationTime)) + addSubkey( + getBuilder(KeyType.RSA(length), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) + .setKeyCreationDate(creationTime)) setPassphrase(passphrase) if (userId != null) { addUserId(userId) @@ -87,10 +95,11 @@ class KeyRingTemplates( .apply { setPrimaryKey( getBuilder( - KeyType.RSA(length), - KeyFlag.CERTIFY_OTHER, - KeyFlag.SIGN_DATA, - KeyFlag.ENCRYPT_COMMS)) + KeyType.RSA(length), + KeyFlag.CERTIFY_OTHER, + KeyFlag.SIGN_DATA, + KeyFlag.ENCRYPT_COMMS) + .setKeyCreationDate(creationTime)) setPassphrase(passphrase) if (userId != null) { addUserId(userId.toString()) @@ -138,9 +147,12 @@ class KeyRingTemplates( else KeyType.XDH_LEGACY(XDHLegacySpec._X25519) return buildKeyRing(version) .apply { - setPrimaryKey(getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + setPrimaryKey( + getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .setKeyCreationDate(creationTime)) addSubkey( - getBuilder(encryptionKeyType, KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + getBuilder(encryptionKeyType, KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) + .setKeyCreationDate(creationTime)) setPassphrase(passphrase) if (userId != null) { addUserId(userId.toString()) @@ -188,10 +200,14 @@ class KeyRingTemplates( else KeyType.XDH_LEGACY(XDHLegacySpec._X25519) return buildKeyRing(version) .apply { - setPrimaryKey(getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER)) + setPrimaryKey( + getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER) + .setKeyCreationDate(creationTime)) addSubkey( - getBuilder(encryptionKeyType, KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - addSubkey(getBuilder(signingKeyType, KeyFlag.SIGN_DATA)) + getBuilder(encryptionKeyType, KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) + .setKeyCreationDate(creationTime)) + addSubkey( + getBuilder(signingKeyType, KeyFlag.SIGN_DATA).setKeyCreationDate(creationTime)) setPassphrase(passphrase) if (userId != null) { addUserId(userId) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 4346dc74..b834dfa9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -266,8 +266,8 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date callback: SelfSignatureSubpackets.Callback?, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { - val version = OpenPGPKeyVersion.from(secretKeyRing.getPublicKey().version) - val keyPair = KeyRingBuilder.generateKeyPair(keySpec, OpenPGPKeyVersion.v4, referenceTime) + val version = OpenPGPKeyVersion.from(secretKeyRing.publicKey.version) + val keyPair = KeyRingBuilder.generateKeyPair(keySpec, version) val subkeyProtector = PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyIdentifier, subkeyPassphrase) val keyFlags = KeyFlag.fromBitmask(keySpec.subpackets.keyFlags).toMutableList() From 1fee94bf9330fca604eb0ec0e091d83b6f60e580 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Mar 2025 16:29:19 +0100 Subject: [PATCH 089/265] Code cleanup --- .../main/kotlin/org/pgpainless/PGPainless.kt | 7 ++++-- .../secretkeyring/SecretKeyRingEditor.kt | 22 ++++++++++--------- .../modification/ChangeExpirationTest.java | 1 - 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 7cfb7ed2..6d77c158 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -206,8 +206,11 @@ class PGPainless( */ @JvmStatic @JvmOverloads - fun modifyKeyRing(secretKey: PGPSecretKeyRing, referenceTime: Date = Date()) = - SecretKeyRingEditor(secretKey, referenceTime) + fun modifyKeyRing( + secretKey: PGPSecretKeyRing, + referenceTime: Date = Date(), + policy: Policy = getInstance().algorithmPolicy + ) = SecretKeyRingEditor(secretKey, policy, referenceTime) /** * Quickly access information about a [org.bouncycastle.openpgp.PGPPublicKeyRing] / diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index b834dfa9..381f87bd 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -39,21 +39,26 @@ import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.key.util.KeyRingUtils.Companion.changePassphrase import org.pgpainless.key.util.KeyRingUtils.Companion.injectCertification import org.pgpainless.key.util.RevocationAttributes +import org.pgpainless.policy.Policy import org.pgpainless.signature.builder.* import org.pgpainless.signature.subpackets.* import org.pgpainless.util.Passphrase import org.pgpainless.util.selection.userid.SelectUserId -class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date = Date()) : - SecretKeyRingEditorInterface { +class SecretKeyRingEditor( + var key: OpenPGPKey, + val policy: Policy = PGPainless.getInstance().algorithmPolicy, + override val referenceTime: Date = Date() +) : SecretKeyRingEditorInterface { private var secretKeyRing: PGPSecretKeyRing = key.pgpSecretKeyRing @JvmOverloads constructor( secretKeyRing: PGPSecretKeyRing, + policy: Policy = PGPainless.getInstance().algorithmPolicy, referenceTime: Date = Date() - ) : this(PGPainless.getInstance().toKey(secretKeyRing), referenceTime) + ) : this(PGPainless.getInstance().toKey(secretKeyRing), policy, referenceTime) override fun addUserId( userId: CharSequence, @@ -293,17 +298,14 @@ class SecretKeyRingEditor(var key: OpenPGPKey, override val referenceTime: Date SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm) val bitStrength = subkey.publicKey.bitStrength - require( - PGPainless.getPolicy() - .publicKeyAlgorithmPolicy - .isAcceptable(subkeyAlgorithm, bitStrength)) { - "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable." - } + require(policy.publicKeyAlgorithmPolicy.isAcceptable(subkeyAlgorithm, bitStrength)) { + "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable." + } val primaryKey = secretKeyRing.secretKey val info = inspectKeyRing(secretKeyRing, referenceTime) val hashAlgorithm = - HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) + HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(policy) .negotiateHashAlgorithm(info.preferredHashAlgorithms) var secretSubkey = diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java index 6c0db287..7ddb2a27 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java @@ -35,7 +35,6 @@ public class ChangeExpirationTest { @ExtendWith(TestAllImplementations.class) public void setExpirationDateAndThenUnsetIt_OnPrimaryKey() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); From a0624d8ac1025baa54082241852095be35b3883f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 17 Mar 2025 16:58:01 +0100 Subject: [PATCH 090/265] Add documentation --- .../main/kotlin/org/pgpainless/PGPainless.kt | 12 +++++- .../OpenPgpMessageInputStream.kt | 2 +- .../encryption_signing/SigningOptions.kt | 37 ++++++++----------- 3 files changed, 27 insertions(+), 24 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 6d77c158..7a1599fb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -69,6 +69,13 @@ class PGPainless( fun toCertificate(publicKeyRing: PGPPublicKeyRing): OpenPGPCertificate = OpenPGPCertificate(publicKeyRing, implementation) + fun mergeCertificate( + originalCopy: OpenPGPCertificate, + updatedCopy: OpenPGPCertificate + ): OpenPGPCertificate { + return OpenPGPCertificate.join(originalCopy, updatedCopy) + } + companion object { @Volatile private var instance: PGPainless? = null @@ -120,7 +127,7 @@ class PGPainless( * @return public key certificate */ @JvmStatic - @Deprecated("Use toKey() and then .toCertificate() instead.") + @Deprecated("Use .toKey() and then .toCertificate() instead.") fun extractCertificate(secretKey: PGPSecretKeyRing) = KeyRingUtils.publicKeyRingFrom(secretKey) @@ -134,6 +141,7 @@ class PGPainless( * @throws PGPException in case of an error */ @JvmStatic + @Deprecated("Use mergeCertificate() instead.") fun mergeCertificate(originalCopy: PGPPublicKeyRing, updatedCopy: PGPPublicKeyRing) = PGPPublicKeyRing.join(originalCopy, updatedCopy) @@ -229,7 +237,7 @@ class PGPainless( @JvmStatic @JvmOverloads fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()) = - KeyRingInfo(key, getPolicy(), referenceTime) + KeyRingInfo(key, getInstance().algorithmPolicy, referenceTime) /** * Access, and make changes to PGPainless policy on acceptable/default algorithms etc. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index d10b9750..756d326a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -1075,7 +1075,7 @@ class OpenPgpMessageInputStream( @JvmStatic fun create(inputStream: InputStream, options: ConsumerOptions) = - create(inputStream, options, PGPainless.getPolicy()) + create(inputStream, options, PGPainless.getInstance().algorithmPolicy) @JvmStatic fun create(inputStream: InputStream, options: ConsumerOptions, policy: Policy) = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 7c008b82..c7eceef6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -11,13 +11,12 @@ import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey -import org.pgpainless.PGPainless.Companion.getPolicy +import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.PublicKeyAlgorithm.Companion.requireFromId import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator.Companion.negotiateSignatureHashAlgorithm -import org.pgpainless.bouncycastle.extensions.toOpenPGPKey import org.pgpainless.exception.KeyException import org.pgpainless.exception.KeyException.* import org.pgpainless.key.OpenPgpFingerprint.Companion.of @@ -28,7 +27,7 @@ import org.pgpainless.signature.subpackets.BaseSignatureSubpackets.Callback import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper -class SigningOptions { +class SigningOptions(val api: PGPainless = PGPainless.getInstance()) { val signingMethods: Map = mutableMapOf() private var _hashAlgorithmOverride: HashAlgorithm? = null @@ -91,7 +90,7 @@ class SigningOptions { @Deprecated("Pass an OpenPGPKey instead.") @Throws(KeyException::class, PGPException::class) fun addSignature(signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing) = - addSignature(signingKeyProtector, signingKey.toOpenPGPKey()) + addSignature(signingKeyProtector, api.toKey(signingKey)) /** * Add inline signatures with all secret key rings in the provided secret key ring collection. @@ -137,7 +136,7 @@ class SigningOptions { signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, signatureType: DocumentSignatureType - ) = addInlineSignature(signingKeyProtector, signingKey.toOpenPGPKey(), signatureType) + ) = addInlineSignature(signingKeyProtector, api.toKey(signingKey), signatureType) fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, @@ -169,7 +168,8 @@ class SigningOptions { val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) + val hashAlgorithm: HashAlgorithm = + negotiateHashAlgorithm(hashAlgorithms, api.algorithmPolicy) addSigningMethod( signingPrivKey, hashAlgorithm, signatureType, false, subpacketsCallback) } @@ -203,11 +203,7 @@ class SigningOptions { subpacketsCallback: Callback? = null ) = addInlineSignature( - signingKeyProtector, - signingKey.toOpenPGPKey(), - userId, - signatureType, - subpacketsCallback) + signingKeyProtector, api.toKey(signingKey), userId, signatureType, subpacketsCallback) fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, @@ -228,7 +224,8 @@ class SigningOptions { val signingPrivKey = unlockSecretKey(signingKey, signingKeyProtector) val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) + val hashAlgorithm: HashAlgorithm = + negotiateHashAlgorithm(hashAlgorithms, api.algorithmPolicy) addSigningMethod(signingPrivKey, hashAlgorithm, signatureType, false, subpacketsCallback) } @@ -257,7 +254,7 @@ class SigningOptions { signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null ): SigningOptions { - val key = signingKey.toOpenPGPKey() + val key = api.toKey(signingKey) val subkeyIdentifier = KeyIdentifier(keyId) return addInlineSignature( signingKeyProtector, @@ -374,11 +371,7 @@ class SigningOptions { subpacketCallback: Callback? = null ) = addDetachedSignature( - signingKeyProtector, - signingKey.toOpenPGPKey(), - userId, - signatureType, - subpacketCallback) + signingKeyProtector, api.toKey(signingKey), userId, signatureType, subpacketCallback) fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, @@ -392,7 +385,8 @@ class SigningOptions { val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) else keyRingInfo.getPreferredHashAlgorithms(signingKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, getPolicy()) + val hashAlgorithm: HashAlgorithm = + negotiateHashAlgorithm(hashAlgorithms, api.algorithmPolicy) addSigningMethod(signingPrivKey, hashAlgorithm, signatureType, true, subpacketCallback) } @@ -422,7 +416,7 @@ class SigningOptions { signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null ): SigningOptions { - val key = signingKey.toOpenPGPKey() + val key = api.toKey(signingKey) val signingKeyIdentifier = KeyIdentifier(keyId) return addDetachedSignature( signingKeyProtector, @@ -443,7 +437,8 @@ class SigningOptions { val signingSecretKey: PGPSecretKey = signingKey.secretKey.pgpSecretKey val publicKeyAlgorithm = requireFromId(signingSecretKey.publicKey.algorithm) val bitStrength = signingSecretKey.publicKey.bitStrength - if (!getPolicy().publicKeyAlgorithmPolicy.isAcceptable(publicKeyAlgorithm, bitStrength)) { + if (!api.algorithmPolicy.publicKeyAlgorithmPolicy.isAcceptable( + publicKeyAlgorithm, bitStrength)) { throw UnacceptableSigningKeyException( PublicKeyAlgorithmPolicyException( signingKey.secretKey, publicKeyAlgorithm, bitStrength)) From 2ae2389666ad4b7925e20ccf463caed89fe7064e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 11:16:37 +0100 Subject: [PATCH 091/265] More code cleanup --- .../main/kotlin/org/pgpainless/PGPainless.kt | 2 +- .../encryption_signing/EncryptionBuilder.kt | 52 +++---------------- .../encryption_signing/EncryptionOptions.kt | 27 +++++++--- .../encryption_signing/EncryptionStream.kt | 22 +++----- .../encryption_signing/ProducerOptions.kt | 19 +++++-- .../weird_keys/TestTwoSubkeysEncryption.java | 3 +- 6 files changed, 51 insertions(+), 74 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 7a1599fb..d5839054 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -190,7 +190,7 @@ class PGPainless( * * @return builder */ - @JvmStatic fun encryptAndOrSign() = EncryptionBuilder() + @JvmStatic fun encryptAndOrSign() = EncryptionBuilder(getInstance()) /** * Create a [DecryptionBuilder], which can be used to decrypt and/or verify data using diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt index 43263a28..3f86aab5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionBuilder.kt @@ -5,65 +5,25 @@ package org.pgpainless.encryption_signing import java.io.OutputStream -import org.pgpainless.PGPainless.Companion.getPolicy -import org.pgpainless.algorithm.CompressionAlgorithm -import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.algorithm.negotiation.SymmetricKeyAlgorithmNegotiator.Companion.byPopularity +import org.pgpainless.PGPainless import org.pgpainless.util.NullOutputStream -import org.slf4j.Logger -import org.slf4j.LoggerFactory -class EncryptionBuilder : EncryptionBuilderInterface { +class EncryptionBuilder(private val api: PGPainless) : EncryptionBuilderInterface { override fun onOutputStream( outputStream: OutputStream ): EncryptionBuilderInterface.WithOptions { - return WithOptionsImpl(outputStream) + return WithOptionsImpl(outputStream, api) } override fun discardOutput(): EncryptionBuilderInterface.WithOptions { return onOutputStream(NullOutputStream()) } - class WithOptionsImpl(val outputStream: OutputStream) : EncryptionBuilderInterface.WithOptions { + class WithOptionsImpl(val outputStream: OutputStream, private val api: PGPainless) : + EncryptionBuilderInterface.WithOptions { override fun withOptions(options: ProducerOptions): EncryptionStream { - return EncryptionStream(outputStream, options) - } - } - - companion object { - - @JvmStatic val LOGGER: Logger = LoggerFactory.getLogger(EncryptionBuilder::class.java) - - /** - * Negotiate the [SymmetricKeyAlgorithm] used for message encryption. - * - * @param encryptionOptions encryption options - * @return negotiated symmetric key algorithm - */ - @JvmStatic - fun negotiateSymmetricEncryptionAlgorithm( - encryptionOptions: EncryptionOptions - ): SymmetricKeyAlgorithm { - val preferences = - encryptionOptions.keyViews.values - .map { it.preferredSymmetricKeyAlgorithms } - .toList() - val algorithm = - byPopularity() - .negotiate( - getPolicy().symmetricKeyEncryptionAlgorithmPolicy, - encryptionOptions.encryptionAlgorithmOverride, - preferences) - LOGGER.debug( - "Negotiation resulted in {} being the symmetric encryption algorithm of choice.", - algorithm) - return algorithm - } - - @JvmStatic - fun negotiateCompressionAlgorithm(producerOptions: ProducerOptions): CompressionAlgorithm { - return producerOptions.compressionAlgorithmOverride + return EncryptionStream(outputStream, options, api) } } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 957d08af..b37c854f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -10,11 +10,12 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator +import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.EncryptionPurpose import org.pgpainless.algorithm.SymmetricKeyAlgorithm +import org.pgpainless.algorithm.negotiation.SymmetricKeyAlgorithmNegotiator.Companion.byPopularity import org.pgpainless.authentication.CertificateAuthority -import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.encryption_signing.EncryptionOptions.EncryptionKeySelector import org.pgpainless.exception.KeyException.* import org.pgpainless.key.SubkeyIdentifier @@ -22,7 +23,10 @@ import org.pgpainless.key.info.KeyAccessor import org.pgpainless.key.info.KeyRingInfo import org.pgpainless.util.Passphrase -class EncryptionOptions(private val purpose: EncryptionPurpose) { +class EncryptionOptions( + private val purpose: EncryptionPurpose, + private val api: PGPainless = PGPainless.getInstance() +) { private val _encryptionMethods: MutableSet = mutableSetOf() private val _encryptionKeys: MutableSet = mutableSetOf() private val _encryptionKeyIdentifiers: MutableSet = mutableSetOf() @@ -87,7 +91,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { .lookupByUserId(userId, email, evaluationDate, targetAmount) .filter { it.isAuthenticated() } .forEach { - addRecipient(it.certificate.toOpenPGPCertificate()).also { foundAcceptable = true } + addRecipient(api.toCertificate(it.certificate)).also { foundAcceptable = true } } require(foundAcceptable) { "Could not identify any trust-worthy certificates for '$userId' and target trust amount $targetAmount." @@ -225,7 +229,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { key: PGPPublicKeyRing, userId: CharSequence, encryptionKeySelector: EncryptionKeySelector - ) = addRecipient(key.toOpenPGPCertificate(), userId, encryptionKeySelector) + ) = addRecipient(api.toCertificate(key), userId, encryptionKeySelector) /** * Encrypt the message for the given recipients [OpenPGPCertificate], filtering encryption @@ -251,7 +255,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { replaceWith = ReplaceWith("addRecipient(key.toOpenPGPCertificate(), encryptionKeySelector)")) fun addRecipient(key: PGPPublicKeyRing, encryptionKeySelector: EncryptionKeySelector) = - addRecipient(key.toOpenPGPCertificate(), encryptionKeySelector) + addRecipient(api.toCertificate(key), encryptionKeySelector) /** * Encrypt the message for the recipients [OpenPGPCertificate], keeping the recipient anonymous @@ -282,7 +286,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { fun addHiddenRecipient( key: PGPPublicKeyRing, selector: EncryptionKeySelector = encryptionKeySelector - ) = addHiddenRecipient(key.toOpenPGPCertificate(), selector) + ) = addHiddenRecipient(api.toCertificate(key), selector) private fun addAsRecipient( cert: OpenPGPCertificate, @@ -406,6 +410,17 @@ class EncryptionOptions(private val purpose: EncryptionPurpose) { fun hasEncryptionMethod() = _encryptionMethods.isNotEmpty() + internal fun negotiateSymmetricEncryptionAlgorithm(): SymmetricKeyAlgorithm { + val preferences = keyViews.values.map { it.preferredSymmetricKeyAlgorithms }.toList() + val algorithm = + byPopularity() + .negotiate( + api.algorithmPolicy.symmetricKeyEncryptionAlgorithmPolicy, + encryptionAlgorithmOverride, + preferences) + return algorithm + } + fun interface EncryptionKeySelector { fun selectEncryptionSubkeys( encryptionCapableKeys: List diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index 0594d101..322cf24d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -13,13 +13,12 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator import org.bouncycastle.openpgp.PGPEncryptedDataGenerator import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPLiteralDataGenerator -import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.util.ArmoredOutputStreamFactory -import org.slf4j.LoggerFactory // 1 << 8 causes wrong partial body length encoding // 1 << 9 fixes this. @@ -38,6 +37,7 @@ const val BUFFER_SIZE = 1 shl 9 class EncryptionStream( private var outermostStream: OutputStream, private val options: ProducerOptions, + private val api: PGPainless ) : OutputStream() { private val resultBuilder: EncryptionResult.Builder = EncryptionResult.builder() @@ -63,12 +63,10 @@ class EncryptionStream( private fun prepareArmor() { if (!options.isAsciiArmor) { - LOGGER.debug("Output will be unarmored.") return } outermostStream = BufferedOutputStream(outermostStream) - LOGGER.debug("Wrap encryption output in ASCII armor.") armorOutputStream = ArmoredOutputStreamFactory.get(outermostStream, options).also { outermostStream = it } } @@ -84,14 +82,13 @@ class EncryptionStream( "If EncryptionOptions are provided, at least one encryption method MUST be provided as well." } - EncryptionBuilder.negotiateSymmetricEncryptionAlgorithm(options.encryptionOptions).let { + options.encryptionOptions.negotiateSymmetricEncryptionAlgorithm().let { resultBuilder.setEncryptionAlgorithm(it) - LOGGER.debug("Encrypt message using symmetric algorithm $it.") val encryptedDataGenerator = PGPEncryptedDataGenerator( - OpenPGPImplementation.getInstance() - .pgpDataEncryptorBuilder(it.algorithmId) - .apply { setWithIntegrityPacket(true) }) + api.implementation.pgpDataEncryptorBuilder(it.algorithmId).apply { + setWithIntegrityPacket(true) + }) options.encryptionOptions.encryptionMethods.forEach { m -> encryptedDataGenerator.addMethod(m) } @@ -109,12 +106,11 @@ class EncryptionStream( @Throws(IOException::class) private fun prepareCompression() { - EncryptionBuilder.negotiateCompressionAlgorithm(options).let { + options.negotiateCompressionAlgorithm().let { resultBuilder.setCompressionAlgorithm(it) compressedDataGenerator = PGPCompressedDataGenerator(it.algorithmId) if (it == CompressionAlgorithm.UNCOMPRESSED) return - LOGGER.debug("Compress using $it.") basicCompressionStream = BCPGOutputStream(compressedDataGenerator!!.open(outermostStream)).also { stream -> outermostStream = stream @@ -267,8 +263,4 @@ class EncryptionStream( val isClosed get() = closed - - companion object { - @JvmStatic private val LOGGER = LoggerFactory.getLogger(EncryptionStream::class.java) - } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt index e77ef2e3..ac48a65b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt @@ -10,10 +10,10 @@ import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding -class ProducerOptions -private constructor( +class ProducerOptions( val encryptionOptions: EncryptionOptions?, - val signingOptions: SigningOptions? + val signingOptions: SigningOptions?, + val api: PGPainless = PGPainless.getInstance() ) { private var _fileName: String = "" @@ -25,7 +25,7 @@ private constructor( var isDisableAsciiArmorCRC = false private var _compressionAlgorithmOverride: CompressionAlgorithm = - PGPainless.getPolicy().compressionAlgorithmPolicy.defaultCompressionAlgorithm + api.algorithmPolicy.compressionAlgorithmPolicy.defaultCompressionAlgorithm private var asciiArmor = true private var _comment: String? = null private var _version: String? = null @@ -104,6 +104,13 @@ private constructor( */ fun hasVersion() = version != null + /** + * Configure the resulting OpenPGP message to make use of the Cleartext Signature Framework + * (CSF). A CSF message MUST be signed using detached signatures only and MUST NOT be encrypted. + * + * @see + * [RFC9580: OpenPGP - Cleartext Signature Framework](https://www.rfc-editor.org/rfc/rfc9580.html#name-cleartext-signature-framewo) + */ fun setCleartextSigned() = apply { require(signingOptions != null) { "Signing Options cannot be null if cleartext signing is enabled." @@ -230,6 +237,10 @@ private constructor( _hideArmorHeaders = hideArmorHeaders } + internal fun negotiateCompressionAlgorithm(): CompressionAlgorithm { + return compressionAlgorithmOverride + } + companion object { /** * Sign and encrypt some data. diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java index 4b715a76..373396df 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java @@ -17,7 +17,6 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.encryption_signing.EncryptionOptions; import org.pgpainless.encryption_signing.EncryptionResult; import org.pgpainless.encryption_signing.EncryptionStream; @@ -51,7 +50,7 @@ public class TestTwoSubkeysEncryption { EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() .onOutputStream(out) .withOptions( - ProducerOptions.encrypt(new EncryptionOptions(EncryptionPurpose.ANY) + ProducerOptions.encrypt(EncryptionOptions.get() .addRecipient(publicKeys, EncryptionOptions.encryptToAllCapableSubkeys()) ) .setAsciiArmor(false) From 17c31349a1225211eb4f2028fc4ff1d02c51d7fe Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 11:46:31 +0100 Subject: [PATCH 092/265] Pass down API instance --- .../main/kotlin/org/pgpainless/PGPainless.kt | 8 ++-- .../key/certification/CertifyCertificate.kt | 35 ++++++++++------- .../org/pgpainless/key/info/KeyRingInfo.kt | 11 +++--- .../secretkeyring/SecretKeyRingEditor.kt | 38 ++++++++++-------- .../builder/AbstractSignatureBuilder.kt | 39 +++++++++++-------- .../builder/DirectKeySelfSignatureBuilder.kt | 18 ++++----- .../PrimaryKeyBindingSignatureBuilder.kt | 12 ++++-- .../builder/RevocationSignatureBuilder.kt | 8 +++- .../signature/builder/SelfSignatureBuilder.kt | 16 +++++--- .../builder/SubkeyBindingSignatureBuilder.kt | 18 ++++++--- ...ThirdPartyCertificationSignatureBuilder.kt | 20 +++++----- .../ThirdPartyDirectKeySignatureBuilder.kt | 12 +++--- .../builder/UniversalSignatureBuilder.kt | 11 ++++-- ...bkeyAndPrimaryKeyBindingSignatureTest.java | 5 ++- ...artyCertificationSignatureBuilderTest.java | 11 ++++-- ...irdPartyDirectKeySignatureBuilderTest.java | 4 +- .../UniversalSignatureBuilderTest.java | 3 +- 17 files changed, 157 insertions(+), 112 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index d5839054..8625efdd 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -217,8 +217,8 @@ class PGPainless( fun modifyKeyRing( secretKey: PGPSecretKeyRing, referenceTime: Date = Date(), - policy: Policy = getInstance().algorithmPolicy - ) = SecretKeyRingEditor(secretKey, policy, referenceTime) + api: PGPainless = getInstance() + ) = SecretKeyRingEditor(secretKey, api, referenceTime) /** * Quickly access information about a [org.bouncycastle.openpgp.PGPPublicKeyRing] / @@ -237,7 +237,7 @@ class PGPainless( @JvmStatic @JvmOverloads fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()) = - KeyRingInfo(key, getInstance().algorithmPolicy, referenceTime) + KeyRingInfo(key, getInstance(), referenceTime) /** * Access, and make changes to PGPainless policy on acceptable/default algorithms etc. @@ -255,6 +255,6 @@ class PGPainless( * * @return builder */ - @JvmStatic fun certify() = CertifyCertificate() + @JvmStatic fun certify() = CertifyCertificate(getInstance()) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index 8febadbb..e43b30d8 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -34,7 +34,7 @@ import org.pgpainless.signature.subpackets.CertificationSubpackets * really belongs to the owner of the certificate. A delegation over a key can be used to delegate * trust by marking the certificate as a trusted introducer. */ -class CertifyCertificate { +class CertifyCertificate(private val api: PGPainless) { /** * Create a certification over a User-Id. By default, this method will use @@ -49,7 +49,7 @@ class CertifyCertificate { userId: CharSequence, certificate: OpenPGPCertificate, certificationType: CertificationType = CertificationType.GENERIC - ): CertificationOnUserId = CertificationOnUserId(userId, certificate, certificationType) + ): CertificationOnUserId = CertificationOnUserId(userId, certificate, certificationType, api) /** * Create a certification over a User-Id. By default, this method will use @@ -76,7 +76,7 @@ class CertifyCertificate { userId: String, certificate: PGPPublicKeyRing, certificationType: CertificationType - ) = CertificationOnUserId(userId, certificate, certificationType) + ) = CertificationOnUserId(userId, certificate, certificationType, api) /** * Create a delegation (direct key signature) over a certificate. This can be used to mark a @@ -88,7 +88,7 @@ class CertifyCertificate { */ @JvmOverloads fun certificate(certificate: OpenPGPCertificate, trustworthiness: Trustworthiness? = null) = - DelegationOnCertificate(certificate, trustworthiness) + DelegationOnCertificate(certificate, trustworthiness, api) /** * Create a delegation (direct key signature) over a certificate. This can be used to mark a @@ -113,20 +113,22 @@ class CertifyCertificate { */ @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") fun certificate(certificate: PGPPublicKeyRing, trustworthiness: Trustworthiness?) = - DelegationOnCertificate(certificate, trustworthiness) + DelegationOnCertificate(certificate, trustworthiness, api) class CertificationOnUserId( val userId: CharSequence, val certificate: OpenPGPCertificate, - val certificationType: CertificationType + val certificationType: CertificationType, + private val api: PGPainless ) { @Deprecated("Use primary constructor instead.") constructor( userId: String, certificate: PGPPublicKeyRing, - certificationType: CertificationType - ) : this(userId, PGPainless.getInstance().toCertificate(certificate), certificationType) + certificationType: CertificationType, + api: PGPainless + ) : this(userId, api.toCertificate(certificate), certificationType, api) fun withKey( key: OpenPGPKey, @@ -135,7 +137,7 @@ class CertifyCertificate { val secretKey = getCertifyingSecretKey(key) val sigBuilder = ThirdPartyCertificationSignatureBuilder( - certificationType.asSignatureType(), secretKey, protector) + certificationType.asSignatureType(), secretKey, protector, api) return CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder) } @@ -166,8 +168,9 @@ class CertifyCertificate { constructor( certificate: PGPPublicKeyRing, userId: String, - sigBuilder: ThirdPartyCertificationSignatureBuilder - ) : this(PGPainless.getInstance().toCertificate(certificate), userId, sigBuilder) + sigBuilder: ThirdPartyCertificationSignatureBuilder, + api: PGPainless + ) : this(api.toCertificate(certificate), userId, sigBuilder) /** * Apply the given signature subpackets and build the certification. @@ -202,21 +205,23 @@ class CertifyCertificate { class DelegationOnCertificate( val certificate: OpenPGPCertificate, - val trustworthiness: Trustworthiness? + val trustworthiness: Trustworthiness?, + private val api: PGPainless ) { @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") constructor( certificate: PGPPublicKeyRing, - trustworthiness: Trustworthiness? - ) : this(PGPainless.getInstance().toCertificate(certificate), trustworthiness) + trustworthiness: Trustworthiness?, + api: PGPainless + ) : this(api.toCertificate(certificate), trustworthiness, api) fun withKey( key: OpenPGPKey, protector: SecretKeyRingProtector ): DelegationOnCertificateWithSubpackets { val secretKey = getCertifyingSecretKey(key) - val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector) + val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector, api) if (trustworthiness != null) { sigBuilder.hashedSubpackets.setTrust( true, trustworthiness.depth, trustworthiness.amount) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index f0c1a755..42c15dc9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -19,7 +19,6 @@ import org.pgpainless.exception.KeyException.UnboundUserIdException import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.util.KeyRingUtils -import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil.Companion.getKeyExpirationTimeAsDate import org.pgpainless.util.DateUtil @@ -27,24 +26,24 @@ import org.slf4j.LoggerFactory class KeyRingInfo( val keys: OpenPGPCertificate, - val policy: Policy = PGPainless.getPolicy(), - val referenceDate: Date = Date() + private val api: PGPainless = PGPainless.getInstance(), + private val referenceDate: Date = Date() ) { constructor( keys: PGPKeyRing, - policy: Policy = PGPainless.getPolicy(), + api: PGPainless = PGPainless.getInstance(), referenceDate: Date = Date() ) : this( if (keys is PGPSecretKeyRing) OpenPGPKey(keys) else OpenPGPCertificate(keys), - policy, + api, referenceDate) @JvmOverloads constructor( keys: PGPKeyRing, referenceDate: Date = Date() - ) : this(keys, PGPainless.getPolicy(), referenceDate) + ) : this(keys, PGPainless.getInstance(), referenceDate) /** Primary [OpenPGPCertificate.OpenPGPPrimaryKey]. */ val primaryKey: OpenPGPCertificate.OpenPGPPrimaryKey = keys.primaryKey diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 381f87bd..6c94c120 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -39,7 +39,6 @@ import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.key.util.KeyRingUtils.Companion.changePassphrase import org.pgpainless.key.util.KeyRingUtils.Companion.injectCertification import org.pgpainless.key.util.RevocationAttributes -import org.pgpainless.policy.Policy import org.pgpainless.signature.builder.* import org.pgpainless.signature.subpackets.* import org.pgpainless.util.Passphrase @@ -47,7 +46,7 @@ import org.pgpainless.util.selection.userid.SelectUserId class SecretKeyRingEditor( var key: OpenPGPKey, - val policy: Policy = PGPainless.getInstance().algorithmPolicy, + val api: PGPainless = PGPainless.getInstance(), override val referenceTime: Date = Date() ) : SecretKeyRingEditorInterface { @@ -56,9 +55,9 @@ class SecretKeyRingEditor( @JvmOverloads constructor( secretKeyRing: PGPSecretKeyRing, - policy: Policy = PGPainless.getInstance().algorithmPolicy, + api: PGPainless = PGPainless.getInstance(), referenceTime: Date = Date() - ) : this(PGPainless.getInstance().toKey(secretKeyRing), policy, referenceTime) + ) : this(PGPainless.getInstance().toKey(secretKeyRing), api, referenceTime) override fun addUserId( userId: CharSequence, @@ -298,14 +297,16 @@ class SecretKeyRingEditor( SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm) val bitStrength = subkey.publicKey.bitStrength - require(policy.publicKeyAlgorithmPolicy.isAcceptable(subkeyAlgorithm, bitStrength)) { - "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable." - } + require( + api.algorithmPolicy.publicKeyAlgorithmPolicy.isAcceptable( + subkeyAlgorithm, bitStrength)) { + "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable." + } val primaryKey = secretKeyRing.secretKey val info = inspectKeyRing(secretKeyRing, referenceTime) val hashAlgorithm = - HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(policy) + HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(api.algorithmPolicy) .negotiateHashAlgorithm(info.preferredHashAlgorithms) var secretSubkey = @@ -323,13 +324,15 @@ class SecretKeyRingEditor( PGPainless.getInstance().implementation.pbeSecretKeyDecryptorBuilderProvider()) val skBindingBuilder = - SubkeyBindingSignatureBuilder(key.primarySecretKey, primaryKeyProtector, hashAlgorithm) + SubkeyBindingSignatureBuilder( + key.primarySecretKey, primaryKeyProtector, hashAlgorithm, api) skBindingBuilder.apply { hashedSubpackets.setSignatureCreationTime(referenceTime) hashedSubpackets.setKeyFlags(flags) if (subkeyAlgorithm.isSigningCapable()) { val pkBindingBuilder = - PrimaryKeyBindingSignatureBuilder(componentKey, subkeyProtector, hashAlgorithm) + PrimaryKeyBindingSignatureBuilder( + componentKey, subkeyProtector, hashAlgorithm, api) pkBindingBuilder.hashedSubpackets.setSignatureCreationTime(referenceTime) hashedSubpackets.addEmbeddedSignature(pkBindingBuilder.build(primaryKey.publicKey)) } @@ -624,7 +627,7 @@ class SecretKeyRingEditor( if (revokeeSubkey.isMasterKey) SignatureType.KEY_REVOCATION else SignatureType.SUBKEY_REVOCATION - return RevocationSignatureBuilder(signatureType, key.primarySecretKey, protector) + return RevocationSignatureBuilder(signatureType, key.primarySecretKey, protector, api) .apply { applyCallback(callback) } .build(revokeeSubkey) } @@ -635,7 +638,7 @@ class SecretKeyRingEditor( callback: RevocationSignatureSubpackets.Callback? ): SecretKeyRingEditorInterface { RevocationSignatureBuilder( - SignatureType.CERTIFICATION_REVOCATION, key.primarySecretKey, protector) + SignatureType.CERTIFICATION_REVOCATION, key.primarySecretKey, protector, api) .apply { hashedSubpackets.setSignatureCreationTime(referenceTime) applyCallback(callback) @@ -664,7 +667,7 @@ class SecretKeyRingEditor( prevUserIdSig: PGPSignature ): PGPSignature { val builder = - SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig) + SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig, api) builder.hashedSubpackets.setSignatureCreationTime(referenceTime) builder.applyCallback( object : SelfSignatureSubpackets.Callback { @@ -683,7 +686,8 @@ class SecretKeyRingEditor( @Nonnull primaryUserId: String, @Nonnull prevUserIdSig: PGPSignature ): PGPSignature { - return SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig) + return SelfSignatureBuilder( + key.primarySecretKey, secretKeyRingProtector, prevUserIdSig, api) .apply { hashedSubpackets.setSignatureCreationTime(referenceTime) applyCallback( @@ -711,7 +715,7 @@ class SecretKeyRingEditor( prevDirectKeySig: PGPSignature ): OpenPGPSignature { return DirectKeySelfSignatureBuilder( - secretKeyRing, secretKeyRingProtector, prevDirectKeySig) + secretKeyRing, secretKeyRingProtector, prevDirectKeySig, api) .apply { hashedSubpackets.setSignatureCreationTime(referenceTime) applyCallback( @@ -742,7 +746,7 @@ class SecretKeyRingEditor( val builder = SubkeyBindingSignatureBuilder( - key.primarySecretKey, protector, prevSubkeyBindingSignature) + key.primarySecretKey, protector, prevSubkeyBindingSignature, api) builder.hashedSubpackets.apply { // set expiration setSignatureCreationTime(referenceTime) @@ -762,7 +766,7 @@ class SecretKeyRingEditor( clearEmbeddedSignatures() addEmbeddedSignature( PrimaryKeyBindingSignatureBuilder( - key.getSecretKey(subkey.keyIdentifier), protector) + key.getSecretKey(subkey.keyIdentifier), protector, api) .build(primaryKey)) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt index a7b95f76..4fa7ba31 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt @@ -10,7 +10,6 @@ import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPSignatureGenerator import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey -import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm @@ -27,7 +26,8 @@ abstract class AbstractSignatureBuilder>( protected var _hashAlgorithm: HashAlgorithm, protected var _signatureType: SignatureType, protected val _hashedSubpackets: SignatureSubpackets, - protected val _unhashedSubpackets: SignatureSubpackets + protected val _unhashedSubpackets: SignatureSubpackets, + protected val api: PGPainless ) { protected abstract val signatureTypePredicate: Predicate @@ -45,40 +45,46 @@ abstract class AbstractSignatureBuilder>( protector: SecretKeyRingProtector, hashAlgorithm: HashAlgorithm, hashedSubpackets: SignatureSubpackets, - unhashedSubpackets: SignatureSubpackets + unhashedSubpackets: SignatureSubpackets, + api: PGPainless ) : this( UnlockSecretKey.unlockSecretKey(signingKey, protector), hashAlgorithm, signatureType, hashedSubpackets, - unhashedSubpackets) + unhashedSubpackets, + api) @Throws(PGPException::class) constructor( signatureType: SignatureType, signingKey: OpenPGPKey.OpenPGPSecretKey, - protector: SecretKeyRingProtector + protector: SecretKeyRingProtector, + api: PGPainless ) : this( signatureType, signingKey, protector, - negotiateHashAlgorithm(signingKey), + negotiateHashAlgorithm(signingKey, api), SignatureSubpackets.createHashedSubpackets(signingKey.pgpSecretKey.publicKey), - SignatureSubpackets.createEmptySubpackets()) + SignatureSubpackets.createEmptySubpackets(), + api) @Throws(PGPException::class) constructor( signingKey: OpenPGPKey.OpenPGPSecretKey, protector: SecretKeyRingProtector, - archetypeSignature: PGPSignature + archetypeSignature: PGPSignature, + api: PGPainless ) : this( SignatureType.requireFromCode(archetypeSignature.signatureType), signingKey, protector, - negotiateHashAlgorithm(signingKey), + negotiateHashAlgorithm(signingKey, api), SignatureSubpackets.refreshHashedSubpackets( signingKey.publicKey.pgpPublicKey, archetypeSignature), - SignatureSubpackets.refreshUnhashedSubpackets(archetypeSignature)) + SignatureSubpackets.refreshUnhashedSubpackets(archetypeSignature), + api) val hashAlgorithm = _hashAlgorithm @@ -110,9 +116,8 @@ abstract class AbstractSignatureBuilder>( @Throws(PGPException::class) protected fun buildAndInitSignatureGenerator(): PGPSignatureGenerator = PGPSignatureGenerator( - OpenPGPImplementation.getInstance() - .pgpContentSignerBuilder( - signingKey.keyPair.publicKey.algorithm, hashAlgorithm.algorithmId), + api.implementation.pgpContentSignerBuilder( + signingKey.keyPair.publicKey.algorithm, hashAlgorithm.algorithmId), signingKey.keyPair.publicKey) .apply { setUnhashedSubpackets(SignatureSubpacketsHelper.toVector(_unhashedSubpackets)) @@ -129,13 +134,13 @@ abstract class AbstractSignatureBuilder>( * @return hash algorithm */ @JvmStatic - fun negotiateHashAlgorithm(publicKey: PGPPublicKey): HashAlgorithm = - HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) + fun negotiateHashAlgorithm(publicKey: PGPPublicKey, api: PGPainless): HashAlgorithm = + HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(api.algorithmPolicy) .negotiateHashAlgorithm( OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey)) @JvmStatic - fun negotiateHashAlgorithm(key: OpenPGPComponentKey): HashAlgorithm = - negotiateHashAlgorithm(key.pgpPublicKey) + fun negotiateHashAlgorithm(key: OpenPGPComponentKey, api: PGPainless): HashAlgorithm = + negotiateHashAlgorithm(key.pgpPublicKey, api) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt index 8fc18ba4..c8faa73e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt @@ -29,24 +29,24 @@ class DirectKeySelfSignatureBuilder : AbstractSignatureBuilder(signatureType, signingKey, protector) { + protector: SecretKeyRingProtector, + api: PGPainless +) : + AbstractSignatureBuilder( + signatureType, signingKey, protector, api) { override val signatureTypePredicate: Predicate get() = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SelfSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SelfSignatureBuilder.kt index 54f5bab0..3a32f927 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SelfSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SelfSignatureBuilder.kt @@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.PGPainless import org.pgpainless.algorithm.SignatureType import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.signature.subpackets.SelfSignatureSubpackets @@ -32,22 +33,25 @@ class SelfSignatureBuilder : AbstractSignatureBuilder { @Throws(PGPException::class) constructor( signingKey: OpenPGPKey.OpenPGPSecretKey, - protector: SecretKeyRingProtector - ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector) + protector: SecretKeyRingProtector, + api: PGPainless + ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector, api) @Throws(PGPException::class) constructor( signatureType: SignatureType, signingKey: OpenPGPKey.OpenPGPSecretKey, - protector: SecretKeyRingProtector - ) : super(signatureType, signingKey, protector) + protector: SecretKeyRingProtector, + api: PGPainless + ) : super(signatureType, signingKey, protector, api) @Throws(PGPException::class) constructor( primaryKey: OpenPGPKey.OpenPGPSecretKey, primaryKeyProtector: SecretKeyRingProtector, - oldCertification: PGPSignature - ) : super(primaryKey, primaryKeyProtector, oldCertification) + oldCertification: PGPSignature, + api: PGPainless + ) : super(primaryKey, primaryKeyProtector, oldCertification, api) val hashedSubpackets: SelfSignatureSubpackets = _hashedSubpackets val unhashedSubpackets: SelfSignatureSubpackets = _unhashedSubpackets diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt index 90a7f18e..9816ee29 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt @@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SignatureType import org.pgpainless.key.protection.SecretKeyRingProtector @@ -27,27 +28,31 @@ class SubkeyBindingSignatureBuilder : AbstractSignatureBuilder new ThirdPartyCertificationSignatureBuilder( SignatureType.BINARY_DOCUMENT, // invalid type secretKeys.getPrimarySecretKey(), - SecretKeyRingProtector.unprotectedKeys())); + SecretKeyRingProtector.unprotectedKeys(), + api)); } @Test public void testUserIdCertification() throws PGPException { + PGPainless api = PGPainless.getInstance(); OpenPGPKey secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); @@ -49,7 +51,8 @@ public class ThirdPartyCertificationSignatureBuilderTest { ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder( secretKeys.getPrimarySecretKey(), - SecretKeyRingProtector.unprotectedKeys()); + SecretKeyRingProtector.unprotectedKeys(), + api); signatureBuilder.applyCallback(new CertificationSubpackets.Callback() { @Override @@ -70,7 +73,7 @@ public class ThirdPartyCertificationSignatureBuilderTest { assertFalse(exportable.isExportable()); // test sig correctness - signature.init(OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), + signature.init(api.getImplementation().pgpContentVerifierBuilderProvider(), secretKeys.getPrimaryKey().getPGPPublicKey()); assertTrue(signature.verifyCertification("Bob", bobsPublicKeys.getPrimaryKey().getPGPPublicKey())); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java index d0e2aa39..afa3710c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java @@ -34,12 +34,14 @@ public class ThirdPartyDirectKeySignatureBuilderTest { @Test public void testDirectKeySignatureBuilding() throws PGPException { + PGPainless api = PGPainless.getInstance(); OpenPGPKey secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice"); DirectKeySelfSignatureBuilder dsb = new DirectKeySelfSignatureBuilder( secretKeys.getPrimarySecretKey(), - SecretKeyRingProtector.unprotectedKeys()); + SecretKeyRingProtector.unprotectedKeys(), + api); Date now = new Date(); Date t1 = new Date(now.getTime() + 1000 * 60 * 60); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java index 8eb287c2..c308877a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java @@ -62,10 +62,11 @@ public class UniversalSignatureBuilderTest { @Test public void createPetNameSignature() throws PGPException { + PGPainless api = PGPainless.getInstance(); OpenPGPKey.OpenPGPSecretKey signingKey = secretKeys.getPrimarySecretKey(); PGPSignature archetype = signingKey.getPublicKey().getPGPPublicKey().getSignatures().next(); UniversalSignatureBuilder builder = new UniversalSignatureBuilder( - signingKey, protector, archetype); + signingKey, protector, archetype, api); builder.applyCallback(new SignatureSubpackets.Callback() { @Override From b9d7f1281f6ddaf011b6b6e45a842c2399937c54 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 12:51:13 +0100 Subject: [PATCH 093/265] Pass down API instance in more places --- .../main/kotlin/org/pgpainless/PGPainless.kt | 9 +++--- .../key/generation/KeyRingBuilder.kt | 30 +++++++++---------- .../key/generation/KeyRingTemplates.kt | 5 ++-- .../secretkeyring/SecretKeyRingEditor.kt | 2 +- 4 files changed, 21 insertions(+), 25 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 8625efdd..3da6d805 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -48,9 +48,8 @@ class PGPainless( @JvmOverloads fun generateKey( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, - creationTime: Date = Date(), - policy: Policy = algorithmPolicy - ): KeyRingTemplates = KeyRingTemplates(version, creationTime, policy) + creationTime: Date = Date() + ): KeyRingTemplates = KeyRingTemplates(version, creationTime, this) @JvmOverloads fun buildKey( @@ -108,8 +107,8 @@ class PGPainless( @JvmOverloads fun buildKeyRing( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, - policy: Policy = getInstance().algorithmPolicy - ) = KeyRingBuilder(version, getInstance().implementation, policy) + api: PGPainless = getInstance() + ) = KeyRingBuilder(version, api) /** * Read an existing OpenPGP key ring. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 35b1485a..6d6481bd 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -25,11 +25,8 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper import org.pgpainless.util.Passphrase -class KeyRingBuilder( - private val version: OpenPGPKeyVersion, - private val implementation: OpenPGPImplementation, - private val policy: Policy = PGPainless.getInstance().algorithmPolicy -) : KeyRingBuilderInterface { +class KeyRingBuilder(private val version: OpenPGPKeyVersion, private val api: PGPainless) : + KeyRingBuilderInterface { private var primaryKeySpec: KeySpec? = null private val subKeySpecs = mutableListOf() @@ -38,13 +35,13 @@ class KeyRingBuilder( private var expirationDate: Date? = Date(System.currentTimeMillis() + (5 * MILLIS_IN_YEAR)) override fun setPrimaryKey(keySpec: KeySpec): KeyRingBuilder = apply { - verifyKeySpecCompliesToPolicy(keySpec, policy) + verifyKeySpecCompliesToPolicy(keySpec, api.algorithmPolicy) verifyPrimaryKeyCanCertify(keySpec) this.primaryKeySpec = keySpec } override fun addSubkey(keySpec: KeySpec): KeyRingBuilder = apply { - verifyKeySpecCompliesToPolicy(keySpec, policy) + verifyKeySpecCompliesToPolicy(keySpec, api.algorithmPolicy) subKeySpecs.add(keySpec) } @@ -84,11 +81,11 @@ class KeyRingBuilder( private fun keyIsCertificationCapable(keySpec: KeySpec) = keySpec.keyType.canCertify override fun build(): OpenPGPKey { - val checksumCalculator = implementation.checksumCalculator() + val checksumCalculator = api.implementation.checksumCalculator() // generate primary key requireNotNull(primaryKeySpec) { "Primary Key spec required." } - val certKey = generateKeyPair(primaryKeySpec!!, version, implementation) + val certKey = generateKeyPair(primaryKeySpec!!, version, api.implementation) val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey) val secretKeyDecryptor = buildSecretKeyDecryptor() @@ -164,12 +161,12 @@ class KeyRingBuilder( secretKeyList.add(secretKeys.next()) } val pgpSecretKeyRing = PGPSecretKeyRing(secretKeyList) - return OpenPGPKey(pgpSecretKeyRing, implementation) + return OpenPGPKey(pgpSecretKeyRing, api.implementation) } private fun addSubKeys(primaryKey: PGPKeyPair, ringGenerator: PGPKeyRingGenerator) { for (subKeySpec in subKeySpecs) { - val subKey = generateKeyPair(subKeySpec, version, implementation) + val subKey = generateKeyPair(subKeySpec, version, api.implementation) if (subKeySpec.isInheritedSubPackets) { ringGenerator.addSubKey(subKey) } else { @@ -210,8 +207,9 @@ class KeyRingBuilder( } private fun buildContentSigner(certKey: PGPKeyPair): PGPContentSignerBuilder { - val hashAlgorithm = policy.certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm - return implementation.pgpContentSignerBuilder( + val hashAlgorithm = + api.algorithmPolicy.certificationSignatureHashAlgorithmPolicy.defaultHashAlgorithm + return api.implementation.pgpContentSignerBuilder( certKey.publicKey.algorithm, hashAlgorithm.algorithmId) } @@ -219,10 +217,10 @@ class KeyRingBuilder( publicKey: PGPPublicKey, ): PBESecretKeyEncryptor? { check(passphrase.isValid) { "Passphrase was cleared." } - val protectionSettings = policy.keyProtectionSettings + val protectionSettings = api.algorithmPolicy.keyProtectionSettings return if (passphrase.isEmpty) null else - implementation + api.implementation .pbeSecretKeyEncryptorFactory( protectionSettings.aead, protectionSettings.encryptionAlgorithm.algorithmId, @@ -234,7 +232,7 @@ class KeyRingBuilder( check(passphrase.isValid) { "Passphrase was cleared." } return if (passphrase.isEmpty) null else - implementation + api.implementation .pbeSecretKeyDecryptorBuilderProvider() .provide() .build(passphrase.getChars()) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index 94d79769..54948878 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -15,13 +15,12 @@ import org.pgpainless.key.generation.type.KeyType import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve import org.pgpainless.key.generation.type.rsa.RsaLength import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec -import org.pgpainless.policy.Policy import org.pgpainless.util.Passphrase class KeyRingTemplates( private val version: OpenPGPKeyVersion, private val creationTime: Date = Date(), - private val policy: Policy = PGPainless.getInstance().algorithmPolicy + private val api: PGPainless = PGPainless.getInstance() ) { /** @@ -39,7 +38,7 @@ class KeyRingTemplates( length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() ): OpenPGPKey = - buildKeyRing(version, policy) + buildKeyRing(version, api) .apply { setPrimaryKey( getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 6c94c120..4b513210 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -271,7 +271,7 @@ class SecretKeyRingEditor( protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { val version = OpenPGPKeyVersion.from(secretKeyRing.publicKey.version) - val keyPair = KeyRingBuilder.generateKeyPair(keySpec, version) + val keyPair = KeyRingBuilder.generateKeyPair(keySpec, version, api.implementation) val subkeyProtector = PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyIdentifier, subkeyPassphrase) val keyFlags = KeyFlag.fromBitmask(keySpec.subpackets.keyFlags).toMutableList() From 37f6fd100af21a6c2fbf07108f468ed1497e6a7a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 13:16:58 +0100 Subject: [PATCH 094/265] Cleanup PGPainless class --- .../main/kotlin/org/pgpainless/PGPainless.kt | 58 +++++++++++++------ 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 3da6d805..41aa437c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -75,12 +75,22 @@ class PGPainless( return OpenPGPCertificate.join(originalCopy, updatedCopy) } + /** Generate an encrypted and/or signed OpenPGP message. */ + fun generateMessage(): EncryptionBuilder = EncryptionBuilder(this) + + /** + * Create certification signatures on third-party [OpenPGPCertificates][OpenPGPCertificate]. + * + * @return builder + */ + fun generateCertification(): CertifyCertificate = CertifyCertificate(this) + companion object { @Volatile private var instance: PGPainless? = null @JvmStatic - fun getInstance() = + fun getInstance(): PGPainless = instance ?: synchronized(this) { instance ?: PGPainless().also { instance = it } } @JvmStatic @@ -89,13 +99,16 @@ class PGPainless( } /** - * Generate a fresh OpenPGP key ring from predefined templates. + * Generate a fresh [OpenPGPKey] from predefined templates. * * @return templates */ @JvmStatic @JvmOverloads - fun generateKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4) = + @Deprecated( + "Call .generateKey() on an instance of PGPainless instead.", + replaceWith = ReplaceWith("generateKey(version)")) + fun generateKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingTemplates = getInstance().generateKey(version) /** @@ -108,7 +121,7 @@ class PGPainless( fun buildKeyRing( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, api: PGPainless = getInstance() - ) = KeyRingBuilder(version, api) + ): KeyRingBuilder = KeyRingBuilder(version, api) /** * Read an existing OpenPGP key ring. @@ -117,7 +130,7 @@ class PGPainless( */ @Deprecated("Use readKey() instead.", replaceWith = ReplaceWith("readKey()")) @JvmStatic - fun readKeyRing() = KeyRingReader() + fun readKeyRing(): KeyRingReader = KeyRingReader() /** * Extract a public key certificate from a secret key. @@ -127,7 +140,7 @@ class PGPainless( */ @JvmStatic @Deprecated("Use .toKey() and then .toCertificate() instead.") - fun extractCertificate(secretKey: PGPSecretKeyRing) = + fun extractCertificate(secretKey: PGPSecretKeyRing): PGPPublicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKey) /** @@ -141,8 +154,10 @@ class PGPainless( */ @JvmStatic @Deprecated("Use mergeCertificate() instead.") - fun mergeCertificate(originalCopy: PGPPublicKeyRing, updatedCopy: PGPPublicKeyRing) = - PGPPublicKeyRing.join(originalCopy, updatedCopy) + fun mergeCertificate( + originalCopy: PGPPublicKeyRing, + updatedCopy: PGPPublicKeyRing + ): PGPPublicKeyRing = PGPPublicKeyRing.join(originalCopy, updatedCopy) /** * Wrap a key or certificate in ASCII armor. @@ -152,7 +167,7 @@ class PGPainless( * @throws IOException in case of an error during the armoring process */ @JvmStatic - fun asciiArmor(key: PGPKeyRing) = + fun asciiArmor(key: PGPKeyRing): String = if (key is PGPSecretKeyRing) ArmorUtils.toAsciiArmoredString(key) else ArmorUtils.toAsciiArmoredString(key as PGPPublicKeyRing) @@ -181,7 +196,8 @@ class PGPainless( * @throws IOException in case of an error during the armoring process */ @JvmStatic - fun asciiArmor(signature: PGPSignature) = ArmorUtils.toAsciiArmoredString(signature) + @Deprecated("Covert to OpenPGPSignature and call .toAsciiArmoredString() instead.") + fun asciiArmor(signature: PGPSignature): String = ArmorUtils.toAsciiArmoredString(signature) /** * Create an [EncryptionBuilder], which can be used to encrypt and/or sign data using @@ -189,7 +205,11 @@ class PGPainless( * * @return builder */ - @JvmStatic fun encryptAndOrSign() = EncryptionBuilder(getInstance()) + @Deprecated( + "Call generateMessage() on an instance of PGPainless instead.", + replaceWith = ReplaceWith("generateMessage()")) + @JvmStatic + fun encryptAndOrSign(): EncryptionBuilder = getInstance().generateMessage() /** * Create a [DecryptionBuilder], which can be used to decrypt and/or verify data using @@ -197,7 +217,7 @@ class PGPainless( * * @return builder */ - @JvmStatic fun decryptAndOrVerify() = DecryptionBuilder() + @JvmStatic fun decryptAndOrVerify(): DecryptionBuilder = DecryptionBuilder() /** * Make changes to a secret key at the given reference time. This method can be used to @@ -217,7 +237,7 @@ class PGPainless( secretKey: PGPSecretKeyRing, referenceTime: Date = Date(), api: PGPainless = getInstance() - ) = SecretKeyRingEditor(secretKey, api, referenceTime) + ): SecretKeyRingEditor = SecretKeyRingEditor(secretKey, api, referenceTime) /** * Quickly access information about a [org.bouncycastle.openpgp.PGPPublicKeyRing] / @@ -230,12 +250,12 @@ class PGPainless( */ @JvmStatic @JvmOverloads - fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()) = + fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()): KeyRingInfo = KeyRingInfo(key, referenceTime) @JvmStatic @JvmOverloads - fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()) = + fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()): KeyRingInfo = KeyRingInfo(key, getInstance(), referenceTime) /** @@ -247,13 +267,17 @@ class PGPainless( "Use PGPainless.getInstance().getAlgorithmPolicy() instead.", replaceWith = ReplaceWith("getInstance().algorithmPolicy")) @JvmStatic - fun getPolicy() = getInstance().algorithmPolicy + fun getPolicy(): Policy = getInstance().algorithmPolicy /** * Create different kinds of signatures on other keys. * * @return builder */ - @JvmStatic fun certify() = CertifyCertificate(getInstance()) + @Deprecated( + "Call .generateCertification() on an instance of PGPainless instead.", + replaceWith = ReplaceWith("generateCertification()")) + @JvmStatic + fun certify(): CertifyCertificate = getInstance().generateCertification() } } From 35b0cdde7e75f1005ef80f567093cc7f02e0f3d7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 13:52:19 +0100 Subject: [PATCH 095/265] More API down-handing --- .../main/kotlin/org/pgpainless/PGPainless.kt | 2 +- .../DecryptionBuilder.kt | 10 +- .../MessageMetadata.kt | 15 ++- .../OpenPgpMessageInputStream.kt | 103 +++++++----------- .../encryption_signing/EncryptionOptions.kt | 10 +- .../OpenPgpMessageInputStreamTest.java | 2 +- 6 files changed, 62 insertions(+), 80 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 41aa437c..fc3b182b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -217,7 +217,7 @@ class PGPainless( * * @return builder */ - @JvmStatic fun decryptAndOrVerify(): DecryptionBuilder = DecryptionBuilder() + @JvmStatic fun decryptAndOrVerify(): DecryptionBuilder = DecryptionBuilder(getInstance()) /** * Make changes to a secret key at the given reference time. This method can be used to diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/DecryptionBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/DecryptionBuilder.kt index d1d4f8b2..147fa62a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/DecryptionBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/DecryptionBuilder.kt @@ -5,22 +5,24 @@ package org.pgpainless.decryption_verification import java.io.InputStream +import org.pgpainless.PGPainless /** * Builder class that takes an [InputStream] of ciphertext (or plaintext signed data) and combines * it with a configured [ConsumerOptions] object to form a [DecryptionStream] which can be used to * decrypt an OpenPGP message or verify signatures. */ -class DecryptionBuilder : DecryptionBuilderInterface { +class DecryptionBuilder(private val api: PGPainless) : DecryptionBuilderInterface { override fun onInputStream(inputStream: InputStream): DecryptionBuilderInterface.DecryptWith { - return DecryptWithImpl(inputStream) + return DecryptWithImpl(inputStream, api) } - class DecryptWithImpl(val inputStream: InputStream) : DecryptionBuilderInterface.DecryptWith { + class DecryptWithImpl(val inputStream: InputStream, val api: PGPainless) : + DecryptionBuilderInterface.DecryptWith { override fun withOptions(consumerOptions: ConsumerOptions): DecryptionStream { - return OpenPgpMessageInputStream.create(inputStream, consumerOptions) + return OpenPgpMessageInputStream.create(inputStream, consumerOptions, api) } } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index 79a0ca98..3a62bc72 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -51,7 +51,7 @@ class MessageMetadata(val message: Message) { fun isEncryptedFor(cert: OpenPGPCertificate): Boolean { return encryptionLayers.asSequence().any { - it.recipients.any { keyId -> cert.getKey(KeyIdentifier(keyId)) != null } + it.recipients.any { identifier -> cert.getKey(identifier) != null } } } @@ -87,12 +87,15 @@ class MessageMetadata(val message: Message) { /** List containing all recipient keyIDs. */ val recipientKeyIds: List + get() = recipientKeyIdentifiers.map { it.keyId }.toList() + + val recipientKeyIdentifiers: List get() = encryptionLayers .asSequence() .map { it.recipients.toMutableList() } - .reduce { all, keyIds -> - all.addAll(keyIds) + .reduce { all, keyIdentifiers -> + all.addAll(keyIdentifiers) all } .toList() @@ -475,9 +478,11 @@ class MessageMetadata(val message: Message) { var sessionKey: SessionKey? = null /** List of all recipient key ids to which the packet was encrypted for. */ - val recipients: List = mutableListOf() + val recipients: List = mutableListOf() - fun addRecipients(keyIds: List) = apply { (recipients as MutableList).addAll(keyIds) } + fun addRecipients(keyIds: List) = apply { + (recipients as MutableList).addAll(keyIds) + } /** * Identifier of the subkey that was used to decrypt the packet (in case of a public key diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 756d326a..904ba78e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -26,7 +26,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData import org.bouncycastle.openpgp.PGPSessionKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate -import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey @@ -74,10 +73,10 @@ class OpenPgpMessageInputStream( inputStream: InputStream, private val options: ConsumerOptions, private val layerMetadata: Layer, - private val policy: Policy + private val api: PGPainless ) : DecryptionStream() { - private val signatures: Signatures = Signatures(options) + private val signatures: Signatures = Signatures(options, api) private var packetInputStream: TeeBCPGInputStream? = null private var nestedInputStream: InputStream? = null private val syntaxVerifier = PDA() @@ -131,8 +130,8 @@ class OpenPgpMessageInputStream( inputStream: InputStream, options: ConsumerOptions, metadata: Layer, - policy: Policy - ) : this(Type.standard, inputStream, options, metadata, policy) + api: PGPainless + ) : this(Type.standard, inputStream, options, metadata, api) private fun consumePackets() { val pIn = packetInputStream ?: return @@ -232,7 +231,7 @@ class OpenPgpMessageInputStream( LOGGER.debug( "Compressed Data Packet (${compressionLayer.algorithm}) at depth ${layerMetadata.depth} encountered.") nestedInputStream = - OpenPgpMessageInputStream(decompress(compressedData), options, compressionLayer, policy) + OpenPgpMessageInputStream(decompress(compressedData), options, compressionLayer, api) } private fun decompress(compressedData: PGPCompressedData): InputStream { @@ -313,7 +312,8 @@ class OpenPgpMessageInputStream( signatures .leaveNesting() // TODO: Only leave nesting if all OPSs of the nesting layer are // dealt with - signatures.addCorrespondingOnePassSignature(signature, layerMetadata, policy) + signatures.addCorrespondingOnePassSignature( + signature, layerMetadata, api.algorithmPolicy) } else { LOGGER.debug( "Prepended Signature Packet by key ${keyId.openPgpKeyId()} at depth ${layerMetadata.depth} encountered.") @@ -345,7 +345,7 @@ class OpenPgpMessageInputStream( esks.pkesks .filter { // find matching PKESK - it.keyID == key.subkeyId + it.keyIdentifier == key.keyIdentifier } .forEach { // attempt decryption @@ -362,8 +362,7 @@ class OpenPgpMessageInputStream( throwIfUnacceptable(sk.algorithm) val pgpSk = PGPSessionKey(sk.algorithm.algorithmId, sk.key) - val decryptorFactory = - OpenPGPImplementation.getInstance().sessionKeyDataDecryptorFactory(pgpSk) + val decryptorFactory = api.implementation.sessionKeyDataDecryptorFactory(pgpSk) val layer = EncryptedData(sk.algorithm, layerMetadata.depth + 1) val skEncData = encDataList.extractSessionKeyEncryptedData() try { @@ -372,7 +371,7 @@ class OpenPgpMessageInputStream( val integrityProtected = IntegrityProtectedInputStream(decrypted, skEncData, options) nestedInputStream = - OpenPgpMessageInputStream(integrityProtected, options, layer, policy) + OpenPgpMessageInputStream(integrityProtected, options, layer, api) LOGGER.debug("Successfully decrypted data using provided session key") return true } catch (e: PGPException) { @@ -395,8 +394,7 @@ class OpenPgpMessageInputStream( } val decryptorFactory = - OpenPGPImplementation.getInstance() - .pbeDataDecryptorFactory(passphrase.getChars()) + api.implementation.pbeDataDecryptorFactory(passphrase.getChars()) if (decryptSKESKAndStream(esks, skesk, decryptorFactory)) { return true } @@ -518,7 +516,7 @@ class OpenPgpMessageInputStream( pkesk: PGPPublicKeyEncryptedData ): Boolean { val decryptorFactory = - OpenPGPImplementation.getInstance().publicKeyDataDecryptorFactory(privateKey.privateKey) + api.implementation.publicKeyDataDecryptorFactory(privateKey.privateKey) return decryptPKESKAndStream(esks, decryptionKeyId, decryptorFactory, pkesk) } @@ -545,11 +543,11 @@ class OpenPgpMessageInputStream( throwIfUnacceptable(sessionKey.algorithm) val encryptedData = EncryptedData(sessionKey.algorithm, layerMetadata.depth + 1) encryptedData.sessionKey = sessionKey - encryptedData.addRecipients(esks.pkesks.map { it.keyID }) + encryptedData.addRecipients(esks.pkesks.map { it.keyIdentifier }) LOGGER.debug("Successfully decrypted data with passphrase") val integrityProtected = IntegrityProtectedInputStream(decrypted, skesk, options) nestedInputStream = - OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy) + OpenPgpMessageInputStream(integrityProtected, options, encryptedData, api) return true } catch (e: UnacceptableAlgorithmException) { throw e @@ -578,11 +576,11 @@ class OpenPgpMessageInputStream( layerMetadata.depth + 1) encryptedData.decryptionKey = decryptionKeyId encryptedData.sessionKey = sessionKey - encryptedData.addRecipients(esks.pkesks.plus(esks.anonPkesks).map { it.keyID }) + encryptedData.addRecipients(esks.pkesks.plus(esks.anonPkesks).map { it.keyIdentifier }) LOGGER.debug("Successfully decrypted data with key $decryptionKeyId") val integrityProtected = IntegrityProtectedInputStream(decrypted, pkesk, options) nestedInputStream = - OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy) + OpenPgpMessageInputStream(integrityProtected, options, encryptedData, api) return true } catch (e: UnacceptableAlgorithmException) { throw e @@ -620,7 +618,7 @@ class OpenPgpMessageInputStream( throw RuntimeException(e) } } - signatures.finish(layerMetadata, policy) + signatures.finish(layerMetadata, api.algorithmPolicy) } return r } @@ -647,7 +645,7 @@ class OpenPgpMessageInputStream( throw RuntimeException(e) } } - signatures.finish(layerMetadata, policy) + signatures.finish(layerMetadata, api.algorithmPolicy) } return r } @@ -693,16 +691,6 @@ class OpenPgpMessageInputStream( return MessageMetadata((layerMetadata as Message)) } - private fun getDecryptionKey(keyId: Long): OpenPGPKey? = - options.getDecryptionKeys().firstOrNull { - it.pgpSecretKeyRing - .any { k -> k.keyID == keyId } - .and( - PGPainless.inspectKeyRing(it).decryptionSubkeys.any { k -> - k.keyIdentifier.keyId == keyId - }) - } - private fun getDecryptionKey(pkesk: PGPPublicKeyEncryptedData): OpenPGPKey? = options.getDecryptionKeys().firstOrNull { it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && @@ -737,7 +725,7 @@ class OpenPgpMessageInputStream( } private fun isAcceptable(algorithm: SymmetricKeyAlgorithm): Boolean = - policy.symmetricKeyDecryptionAlgorithmPolicy.isAcceptable(algorithm) + api.algorithmPolicy.symmetricKeyDecryptionAlgorithmPolicy.isAcceptable(algorithm) private fun throwIfUnacceptable(algorithm: SymmetricKeyAlgorithm) { if (!isAcceptable(algorithm)) { @@ -774,7 +762,7 @@ class OpenPgpMessageInputStream( get() = skesks.plus(pkesks).plus(anonPkesks) } - private class Signatures(val options: ConsumerOptions) : OutputStream() { + private class Signatures(val options: ConsumerOptions, val api: PGPainless) : OutputStream() { val detachedSignatures = mutableListOf() val prependedSignatures = mutableListOf() val onePassSignatures = mutableListOf() @@ -1044,27 +1032,21 @@ class OpenPgpMessageInputStream( } } - companion object { - @JvmStatic - private fun initialize(signature: PGPSignature, publicKey: PGPPublicKey) { - val verifierProvider = - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider() - try { - signature.init(verifierProvider, publicKey) - } catch (e: PGPException) { - throw RuntimeException(e) - } + private fun initialize(signature: PGPSignature, publicKey: PGPPublicKey) { + val verifierProvider = api.implementation.pgpContentVerifierBuilderProvider() + try { + signature.init(verifierProvider, publicKey) + } catch (e: PGPException) { + throw RuntimeException(e) } + } - @JvmStatic - private fun initialize(ops: PGPOnePassSignature, publicKey: PGPPublicKey) { - val verifierProvider = - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider() - try { - ops.init(verifierProvider, publicKey) - } catch (e: PGPException) { - throw RuntimeException(e) - } + private fun initialize(ops: PGPOnePassSignature, publicKey: PGPPublicKey) { + val verifierProvider = api.implementation.pgpContentVerifierBuilderProvider() + try { + ops.init(verifierProvider, publicKey) + } catch (e: PGPException) { + throw RuntimeException(e) } } } @@ -1074,32 +1056,27 @@ class OpenPgpMessageInputStream( private val LOGGER = LoggerFactory.getLogger(OpenPgpMessageInputStream::class.java) @JvmStatic - fun create(inputStream: InputStream, options: ConsumerOptions) = - create(inputStream, options, PGPainless.getInstance().algorithmPolicy) - - @JvmStatic - fun create(inputStream: InputStream, options: ConsumerOptions, policy: Policy) = - create(inputStream, options, Message(), policy) + fun create(inputStream: InputStream, options: ConsumerOptions, api: PGPainless) = + create(inputStream, options, Message(), api) @JvmStatic internal fun create( inputStream: InputStream, options: ConsumerOptions, metadata: Layer, - policy: Policy + api: PGPainless ): OpenPgpMessageInputStream { val openPgpIn = OpenPgpInputStream(inputStream) openPgpIn.reset() if (openPgpIn.isNonOpenPgp || options.isForceNonOpenPgpData()) { return OpenPgpMessageInputStream( - Type.non_openpgp, openPgpIn, options, metadata, policy) + Type.non_openpgp, openPgpIn, options, metadata, api) } if (openPgpIn.isBinaryOpenPgp) { // Simply consume OpenPGP message - return OpenPgpMessageInputStream( - Type.standard, openPgpIn, options, metadata, policy) + return OpenPgpMessageInputStream(Type.standard, openPgpIn, options, metadata, api) } return if (openPgpIn.isAsciiArmored) { @@ -1107,10 +1084,10 @@ class OpenPgpMessageInputStream( if (armorIn.isClearText) { (metadata as Message).setCleartextSigned() OpenPgpMessageInputStream( - Type.cleartext_signed, armorIn, options, metadata, policy) + Type.cleartext_signed, armorIn, options, metadata, api) } else { // Simply consume dearmored OpenPGP message - OpenPgpMessageInputStream(Type.standard, armorIn, options, metadata, policy) + OpenPgpMessageInputStream(Type.standard, armorIn, options, metadata, api) } } else { throw AssertionError("Cannot deduce type of data.") diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index b37c854f..ac975356 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -8,7 +8,6 @@ import java.util.* import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey -import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator import org.pgpainless.PGPainless import org.pgpainless.PGPainless.Companion.inspectKeyRing @@ -334,9 +333,9 @@ class EncryptionOptions( _encryptionKeys.add(key) _encryptionKeyIdentifiers.add(SubkeyIdentifier(key)) addEncryptionMethod( - OpenPGPImplementation.getInstance() - .publicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey) - .also { it.setUseWildcardRecipient(wildcardRecipient) }) + api.implementation.publicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey).also { + it.setUseWildcardRecipient(wildcardRecipient) + }) } /** @@ -359,8 +358,7 @@ class EncryptionOptions( fun addMessagePassphrase(passphrase: Passphrase) = apply { require(!passphrase.isEmpty) { "Passphrase MUST NOT be empty." } addEncryptionMethod( - OpenPGPImplementation.getInstance() - .pbeKeyEncryptionMethodGenerator(passphrase.getChars())) + api.implementation.pbeKeyEncryptionMethodGenerator(passphrase.getChars())) } /** diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java index ed57fee5..20008a85 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java @@ -697,7 +697,7 @@ public class OpenPgpMessageInputStreamTest { throws IOException { ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8)); ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn); - OpenPgpMessageInputStream pgpIn = OpenPgpMessageInputStream.create(armorIn, options); + OpenPgpMessageInputStream pgpIn = OpenPgpMessageInputStream.create(armorIn, options, PGPainless.getInstance()); return pgpIn; } } From 24892370719aa5ef5c1b3e9c285eb301ebb8a051 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 13:59:35 +0100 Subject: [PATCH 096/265] ConsumerOptions: Pass down API --- .../ConsumerOptions.kt | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 5606d10f..3a3e1455 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -10,7 +10,6 @@ import java.util.* import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPCertificate -import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKeyMaterialProvider.OpenPGPCertificateProvider import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature @@ -25,7 +24,7 @@ import org.pgpainless.util.Passphrase import org.pgpainless.util.SessionKey /** Options for decryption and signature verification. */ -class ConsumerOptions { +class ConsumerOptions(private val api: PGPainless = PGPainless.getInstance()) { private var ignoreMDCErrors = false var isDisableAsciiArmorCRC = false @@ -33,7 +32,7 @@ class ConsumerOptions { private var verifyNotBefore: Date? = null private var verifyNotAfter: Date? = Date() - private val certificates = CertificateSource() + private val certificates = CertificateSource(api) private val detachedSignatures = mutableSetOf() private var missingCertificateCallback: OpenPGPCertificateProvider? = null @@ -91,7 +90,7 @@ class ConsumerOptions { */ @Deprecated("Pass OpenPGPCertificate instead.") fun addVerificationCert(verificationCert: PGPPublicKeyRing): ConsumerOptions = apply { - this.certificates.addCertificate(verificationCert) + this.certificates.addCertificate(api.toCertificate(verificationCert)) } /** @@ -104,7 +103,7 @@ class ConsumerOptions { fun addVerificationCerts(verificationCerts: PGPPublicKeyRingCollection): ConsumerOptions = apply { for (cert in verificationCerts) { - addVerificationCert(cert) + addVerificationCert(api.toCertificate(cert)) } } @@ -195,22 +194,21 @@ class ConsumerOptions { * used to decrypt it when needed. * * @param key key - * @param keyRingProtector protector for the secret key + * @param protector protector for the secret key * @return options */ @JvmOverloads @Deprecated("Pass OpenPGPKey instead.") fun addDecryptionKey( key: PGPSecretKeyRing, - protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys(), - implementation: OpenPGPImplementation = PGPainless.getInstance().implementation - ) = addDecryptionKey(OpenPGPKey(key, implementation), protector) + protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys() + ) = addDecryptionKey(api.toKey(key), protector) /** * Add the keys in the provided key collection for message decryption. * * @param keys key collection - * @param keyRingProtector protector for encrypted secret keys + * @param protector protector for encrypted secret keys * @return options */ @JvmOverloads @@ -220,7 +218,7 @@ class ConsumerOptions { protector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys() ) = apply { for (key in keys) { - addDecryptionKey(key, protector) + addDecryptionKey(api.toKey(key), protector) } } @@ -408,7 +406,7 @@ class ConsumerOptions { * Source for OpenPGP certificates. When verifying signatures on a message, this object holds * available signer certificates. */ - class CertificateSource { + class CertificateSource(private val api: PGPainless) { private val explicitCertificates: MutableSet = mutableSetOf() /** @@ -416,13 +414,9 @@ class ConsumerOptions { * * @param certificate certificate */ - @JvmOverloads @Deprecated("Pass in an OpenPGPCertificate instead.") - fun addCertificate( - certificate: PGPPublicKeyRing, - implementation: OpenPGPImplementation = PGPainless.getInstance().implementation - ) { - explicitCertificates.add(OpenPGPCertificate(certificate, implementation)) + fun addCertificate(certificate: PGPPublicKeyRing) { + explicitCertificates.add(api.toCertificate(certificate)) } /** From 3ea51f77be6c6e8e7666538bbeaa454831800d32 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 18 Mar 2025 14:24:49 +0100 Subject: [PATCH 097/265] Move default parameters of Options classes to factory methods --- .../ConsumerOptions.kt | 6 ++-- .../encryption_signing/EncryptionOptions.kt | 21 ++++++++------ .../encryption_signing/ProducerOptions.kt | 28 +++++++++++++++---- .../encryption_signing/SigningOptions.kt | 6 ++-- .../CanonicalizedDataEncryptionTest.java | 8 +++--- .../CertificateWithMissingSecretKeyTest.java | 2 +- .../CleartextSignatureVerificationTest.java | 10 +++---- .../MissingPassphraseForDecryptionTest.java | 4 +-- .../ModificationDetectionTests.java | 22 +++++++-------- .../OpenPgpInputStreamTest.java | 2 +- .../RecursionDepthTest.java | 2 +- ...ymmetricAlgorithmDuringDecryptionTest.java | 8 +++--- ...erifyWithMissingPublicKeyCallbackTest.java | 4 +-- .../WrongSignerUserIdTest.java | 2 +- .../BcHashContextSignerTest.java | 2 +- .../EncryptDecryptTest.java | 10 +++---- .../EncryptionOptionsTest.java | 20 ++++++------- .../FileInformationTest.java | 6 ++-- ...ymmetricAlgorithmDuringEncryptionTest.java | 6 ++-- .../encryption_signing/SigningTest.java | 18 ++++++------ .../java/org/pgpainless/example/Encrypt.java | 8 +++--- ...upidAlgorithmPreferenceEncryptionTest.java | 2 +- ...dDoesNotBreakEncryptionCapabilityTest.java | 4 +-- .../key/protection/fixes/S2KUsageFixTest.java | 2 +- .../signature/CertificateValidatorTest.java | 2 +- .../signature/IgnoreMarkerPacketsTest.java | 4 +-- 26 files changed, 117 insertions(+), 92 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt index 3a3e1455..d8433f25 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt @@ -24,7 +24,7 @@ import org.pgpainless.util.Passphrase import org.pgpainless.util.SessionKey /** Options for decryption and signature verification. */ -class ConsumerOptions(private val api: PGPainless = PGPainless.getInstance()) { +class ConsumerOptions(private val api: PGPainless) { private var ignoreMDCErrors = false var isDisableAsciiArmorCRC = false @@ -468,6 +468,8 @@ class ConsumerOptions(private val api: PGPainless = PGPainless.getInstance()) { } companion object { - @JvmStatic fun get() = ConsumerOptions() + @JvmOverloads + @JvmStatic + fun get(api: PGPainless = PGPainless.getInstance()) = ConsumerOptions(api) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index ac975356..c4adf3b3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -22,10 +22,7 @@ import org.pgpainless.key.info.KeyAccessor import org.pgpainless.key.info.KeyRingInfo import org.pgpainless.util.Passphrase -class EncryptionOptions( - private val purpose: EncryptionPurpose, - private val api: PGPainless = PGPainless.getInstance() -) { +class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: PGPainless) { private val _encryptionMethods: MutableSet = mutableSetOf() private val _encryptionKeys: MutableSet = mutableSetOf() private val _encryptionKeyIdentifiers: MutableSet = mutableSetOf() @@ -55,7 +52,7 @@ class EncryptionOptions( val encryptionAlgorithmOverride get() = _encryptionAlgorithmOverride - constructor() : this(EncryptionPurpose.ANY) + constructor(api: PGPainless) : this(EncryptionPurpose.ANY, api) /** * Set the evaluation date for certificate evaluation. @@ -426,11 +423,19 @@ class EncryptionOptions( } companion object { - @JvmStatic fun get() = EncryptionOptions() + @JvmOverloads + @JvmStatic + fun get(api: PGPainless = PGPainless.getInstance()) = EncryptionOptions(api) - @JvmStatic fun encryptCommunications() = EncryptionOptions(EncryptionPurpose.COMMUNICATIONS) + @JvmOverloads + @JvmStatic + fun encryptCommunications(api: PGPainless = PGPainless.getInstance()) = + EncryptionOptions(EncryptionPurpose.COMMUNICATIONS, api) - @JvmStatic fun encryptDataAtRest() = EncryptionOptions(EncryptionPurpose.STORAGE) + @JvmOverloads + @JvmStatic + fun encryptDataAtRest(api: PGPainless = PGPainless.getInstance()) = + EncryptionOptions(EncryptionPurpose.STORAGE, api) /** * Only encrypt to the first valid encryption capable subkey we stumble upon. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt index ac48a65b..1bb99433 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt @@ -13,7 +13,7 @@ import org.pgpainless.algorithm.StreamEncoding class ProducerOptions( val encryptionOptions: EncryptionOptions?, val signingOptions: SigningOptions?, - val api: PGPainless = PGPainless.getInstance() + val api: PGPainless ) { private var _fileName: String = "" @@ -249,9 +249,13 @@ class ProducerOptions( * @param signingOptions signing options * @return builder */ + @JvmOverloads @JvmStatic - fun signAndEncrypt(encryptionOptions: EncryptionOptions, signingOptions: SigningOptions) = - ProducerOptions(encryptionOptions, signingOptions) + fun signAndEncrypt( + encryptionOptions: EncryptionOptions, + signingOptions: SigningOptions, + api: PGPainless = PGPainless.getInstance() + ): ProducerOptions = ProducerOptions(encryptionOptions, signingOptions, api) /** * Sign some data without encryption. @@ -259,7 +263,12 @@ class ProducerOptions( * @param signingOptions signing options * @return builder */ - @JvmStatic fun sign(signingOptions: SigningOptions) = ProducerOptions(null, signingOptions) + @JvmOverloads + @JvmStatic + fun sign( + signingOptions: SigningOptions, + api: PGPainless = PGPainless.getInstance() + ): ProducerOptions = ProducerOptions(null, signingOptions, api) /** * Encrypt some data without signing. @@ -267,14 +276,21 @@ class ProducerOptions( * @param encryptionOptions encryption options * @return builder */ + @JvmOverloads @JvmStatic - fun encrypt(encryptionOptions: EncryptionOptions) = ProducerOptions(encryptionOptions, null) + fun encrypt( + encryptionOptions: EncryptionOptions, + api: PGPainless = PGPainless.getInstance() + ): ProducerOptions = ProducerOptions(encryptionOptions, null, api) /** * Only wrap the data in an OpenPGP packet. No encryption or signing will be applied. * * @return builder */ - @JvmStatic fun noEncryptionNoSigning() = ProducerOptions(null, null) + @JvmOverloads + @JvmStatic + fun noEncryptionNoSigning(api: PGPainless = PGPainless.getInstance()): ProducerOptions = + ProducerOptions(null, null, api) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index c7eceef6..51be8167 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -27,7 +27,7 @@ import org.pgpainless.signature.subpackets.BaseSignatureSubpackets.Callback import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper -class SigningOptions(val api: PGPainless = PGPainless.getInstance()) { +class SigningOptions(private val api: PGPainless) { val signingMethods: Map = mutableMapOf() private var _hashAlgorithmOverride: HashAlgorithm? = null @@ -500,7 +500,9 @@ class SigningOptions(val api: PGPainless = PGPainless.getInstance()) { } companion object { - @JvmStatic fun get() = SigningOptions() + @JvmOverloads + @JvmStatic + fun get(api: PGPainless = PGPainless.getInstance()) = SigningOptions(api) } /** A method of signing. */ diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java index d59edcaf..9ce0b106 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java @@ -299,7 +299,7 @@ public class CanonicalizedDataEncryptionTest { ByteArrayInputStream in = new ByteArrayInputStream(encrypted.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()) .addVerificationCert(publicKeys)); @@ -329,7 +329,7 @@ public class CanonicalizedDataEncryptionTest { ByteArrayInputStream in = new ByteArrayInputStream(encrypted.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()) .addVerificationCert(publicKeys)); @@ -375,7 +375,7 @@ public class CanonicalizedDataEncryptionTest { ByteArrayInputStream in = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()) .addVerificationCert(publicKeys)); @@ -446,7 +446,7 @@ public class CanonicalizedDataEncryptionTest { ByteArrayOutputStream decrypted = new ByteArrayOutputStream(); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cipherIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(publicKeys)); Streams.pipeAll(decryptionStream, decrypted); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java index 3ddd89eb..70f655ef 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java @@ -136,7 +136,7 @@ public class CertificateWithMissingSecretKeyTest { // Test decryption ByteArrayInputStream cipherIn = new ByteArrayInputStream(out.toByteArray()); - ConsumerOptions consumerOptions = new ConsumerOptions() + ConsumerOptions consumerOptions = ConsumerOptions.get() .addDecryptionKey(missingDecryptionSecKey); assertThrows(MissingDecryptionMethodException.class, () -> diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 1bf4f9bf..8b423cba 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -81,7 +81,7 @@ public class CleartextSignatureVerificationTest { public void cleartextSignVerification_InMemoryMultiPassStrategy() throws IOException, PGPException { PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(signingKeys); InMemoryMultiPassStrategy multiPassStrategy = MultiPassStrategy.keepMessageInMemory(); @@ -108,7 +108,7 @@ public class CleartextSignatureVerificationTest { public void cleartextSignVerification_FileBasedMultiPassStrategy() throws IOException, PGPException { PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(signingKeys); File tempDir = TestUtils.createTempDirectory(); @@ -164,7 +164,7 @@ public class CleartextSignatureVerificationTest { throws IOException, PGPException { PGPSignature signature = SignatureUtils.readSignatures(SIGNATURE).get(0); - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(TestKeys.getEmilPublicKeyRing()) .addVerificationOfDetachedSignature(signature); @@ -201,7 +201,7 @@ public class CleartextSignatureVerificationTest { ByteArrayInputStream signedIn = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(signedIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(TestKeys.getEmilPublicKeyRing())); ByteArrayOutputStream msgOut = new ByteArrayOutputStream(); @@ -236,7 +236,7 @@ public class CleartextSignatureVerificationTest { ByteArrayInputStream in = new ByteArrayInputStream(cleartextSigned.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(PGPainless.extractCertificate(secretKeys))); out = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index 6ff534b0..5037786f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -74,7 +74,7 @@ public class MissingPassphraseForDecryptionTest { return true; } }; - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.INTERACTIVE) .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); @@ -108,7 +108,7 @@ public class MissingPassphraseForDecryptionTest { } }; - ConsumerOptions options = new ConsumerOptions() + ConsumerOptions options = ConsumerOptions.get() .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION) .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index 59021f95..84953983 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -217,7 +217,7 @@ public class ModificationDetectionTests { InputStream in = new ByteArrayInputStream(MESSAGE_MISSING_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(secretKeyRings, SecretKeyRingProtector.unprotectedKeys()) ); @@ -234,7 +234,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) ); @@ -251,7 +251,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) .setIgnoreMDCErrors(true) ); @@ -267,7 +267,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) ); @@ -284,7 +284,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) .setIgnoreMDCErrors(true) ); @@ -299,7 +299,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TRUNCATED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) ); @@ -313,7 +313,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) ); @@ -330,7 +330,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) .setIgnoreMDCErrors(true) ); @@ -346,7 +346,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) ); @@ -363,7 +363,7 @@ public class ModificationDetectionTests { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) .setIgnoreMDCErrors(true) ); @@ -534,7 +534,7 @@ public class ModificationDetectionTests { assertThrows(MessageNotIntegrityProtectedException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeyRing, + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeyRing, SecretKeyRingProtector.unlockAnyKeyWith(passphrase))) ); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java index 4944c85f..c6b4e0d3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java @@ -743,7 +743,7 @@ public class OpenPgpInputStreamTest { ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); EncryptionStream signer = PGPainless.encryptAndOrSign() .onOutputStream(signedOut) - .withOptions(ProducerOptions.sign(new SigningOptions() + .withOptions(ProducerOptions.sign(SigningOptions.get() .addSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys)) .setAsciiArmor(false) .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java index 52c5a906..e79b5213 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java @@ -146,7 +146,7 @@ public class RecursionDepthTest { assertThrows(MalformedOpenPgpMessageException.class, () -> { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKey)); + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKey)); ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); Streams.pipeAll(decryptionStream, outputStream); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java index 1201ef69..6b512bde 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java @@ -140,7 +140,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { assertThrows(UnacceptableAlgorithmException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(messageIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)) + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)) ); } @@ -168,7 +168,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { assertThrows(UnacceptableAlgorithmException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(messageIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)) + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)) ); } @@ -194,7 +194,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); assertThrows(UnacceptableAlgorithmException.class, () -> PGPainless.decryptAndOrVerify().onInputStream(messageIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)) + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)) ); } @@ -219,7 +219,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); PGPainless.decryptAndOrVerify().onInputStream(messageIn) - .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)); + .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java index c8112cfa..0b875901 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java @@ -53,7 +53,7 @@ public class VerifyWithMissingPublicKeyCallbackTest { "is no different than saying you don't care about free speech because you have nothing to say."; ByteArrayOutputStream signOut = new ByteArrayOutputStream(); EncryptionStream signingStream = PGPainless.encryptAndOrSign().onOutputStream(signOut) - .withOptions(ProducerOptions.sign(new SigningOptions().addInlineSignature( + .withOptions(ProducerOptions.sign(SigningOptions.get().addInlineSignature( SecretKeyRingProtector.unprotectedKeys(), signingSecKeys.getPGPSecretKeyRing(), DocumentSignatureType.CANONICAL_TEXT_DOCUMENT ))); @@ -62,7 +62,7 @@ public class VerifyWithMissingPublicKeyCallbackTest { DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(signOut.toByteArray())) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(unrelatedKeys) .setMissingCertificateCallback(new OpenPGPKeyMaterialProvider.OpenPGPCertificateProvider() { @Override diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java index f3336373..61e06cf5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java @@ -94,7 +94,7 @@ public class WrongSignerUserIdTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream( new ByteArrayInputStream(messageWithWrongUserId.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys) .addVerificationCert(certificate)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java index de6c9788..660001fa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java @@ -96,7 +96,7 @@ public class BcHashContextSignerTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(messageIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(certificate) .addVerificationOfDetachedSignature(signature)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 6352984a..5ec70502 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -135,7 +135,7 @@ public class EncryptDecryptTest { .onOutputStream(envelope) .withOptions(ProducerOptions.signAndEncrypt( EncryptionOptions.encryptCommunications().addRecipient(recipientPub), - new SigningOptions().addInlineSignature(keyDecryptor, senderSec, DocumentSignatureType.BINARY_DOCUMENT) + SigningOptions.get().addInlineSignature(keyDecryptor, senderSec, DocumentSignatureType.BINARY_DOCUMENT) )); Streams.pipeAll(new ByteArrayInputStream(secretMessage), encryptor); @@ -156,7 +156,7 @@ public class EncryptDecryptTest { ByteArrayInputStream envelopeIn = new ByteArrayInputStream(encryptedSecretMessage); DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(envelopeIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(recipientSec, keyDecryptor) .addVerificationCert(senderPub) ); @@ -184,7 +184,7 @@ public class EncryptDecryptTest { ByteArrayOutputStream dummyOut = new ByteArrayOutputStream(); EncryptionStream signer = PGPainless.encryptAndOrSign().onOutputStream(dummyOut) .withOptions(ProducerOptions.sign( - new SigningOptions().addDetachedSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) + SigningOptions.get().addDetachedSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) )); Streams.pipeAll(inputStream, signer); signer.close(); @@ -205,7 +205,7 @@ public class EncryptDecryptTest { inputStream = new ByteArrayInputStream(testMessage.getBytes()); DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(inputStream) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationOfDetachedSignatures(new ByteArrayInputStream(armorSig.getBytes())) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(signingKeys)) ); @@ -237,7 +237,7 @@ public class EncryptDecryptTest { inputStream = new ByteArrayInputStream(signOut.toByteArray()); DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(inputStream) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(KeyRingUtils.publicKeyRingFrom(signingKeys)) ); signOut = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index b81313e1..d364a84d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -66,7 +66,7 @@ public class EncryptionOptionsTest { @Test public void testOverrideEncryptionAlgorithmFailsForNULL() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); assertNull(options.getEncryptionAlgorithmOverride()); assertThrows(IllegalArgumentException.class, () -> options.overrideEncryptionAlgorithm(SymmetricKeyAlgorithm.NULL)); @@ -76,7 +76,7 @@ public class EncryptionOptionsTest { @Test public void testOverrideEncryptionOptions() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); assertNull(options.getEncryptionAlgorithmOverride()); options.overrideEncryptionAlgorithm(SymmetricKeyAlgorithm.AES_128); @@ -105,7 +105,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipients_AllKeys() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); options.addRecipient(publicKeys, EncryptionOptions.encryptToAllCapableSubkeys()); Set encryptionKeys = options.getEncryptionKeys(); @@ -117,7 +117,7 @@ public class EncryptionOptionsTest { @Test public void testAddEmptyRecipientsFails() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); assertThrows(IllegalArgumentException.class, () -> options.addRecipients(Collections.emptyList())); assertThrows(IllegalArgumentException.class, () -> options.addRecipients(Collections.emptyList(), ArrayList::new)); @@ -125,14 +125,14 @@ public class EncryptionOptionsTest { @Test public void testAddEmptyPassphraseFails() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); assertThrows(IllegalArgumentException.class, () -> options.addMessagePassphrase(Passphrase.emptyPassphrase())); } @Test public void testAddRecipient_KeyWithoutEncryptionKeyFails() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); OpenPGPKey secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("test@pgpainless.org") @@ -144,7 +144,7 @@ public class EncryptionOptionsTest { @Test public void testEncryptionKeySelectionStrategyEmpty_ThrowsAssertionError() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys, new EncryptionOptions.EncryptionKeySelector() { @@ -173,14 +173,14 @@ public class EncryptionOptionsTest { PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection( Arrays.asList(publicKeys.getPGPPublicKeyRing(), secondKeyRing)); - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); options.addRecipients(collection, EncryptionOptions.encryptToFirstSubkey()); assertEquals(2, options.getEncryptionKeyIdentifiers().size()); } @Test public void testAddRecipient_withValidUserId() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); options.addRecipient(publicKeys, "test@pgpainless.org", EncryptionOptions.encryptToFirstSubkey()); assertEquals(1, options.getEncryptionMethods().size()); @@ -188,7 +188,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipient_withInvalidUserId() { - EncryptionOptions options = new EncryptionOptions(); + EncryptionOptions options = EncryptionOptions.get(); assertThrows(KeyException.UnboundUserIdException.class, () -> options.addRecipient(publicKeys, "invalid@user.id")); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java index 799e0f9e..0684c81e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java @@ -74,7 +74,7 @@ public class FileInformationTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cryptIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey)); Streams.pipeAll(decryptionStream, plainOut); @@ -113,7 +113,7 @@ public class FileInformationTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cryptIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey)); Streams.pipeAll(decryptionStream, plainOut); @@ -155,7 +155,7 @@ public class FileInformationTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cryptIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey)); Streams.pipeAll(decryptionStream, plainOut); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java index 55564d84..d0350628 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java @@ -55,7 +55,7 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { ByteArrayOutputStream out = new ByteArrayOutputStream(); EncryptionStream encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out) .withOptions( - ProducerOptions.encrypt(new EncryptionOptions() + ProducerOptions.encrypt(EncryptionOptions.get() .addRecipient(publicKeys) // no user-id passed )); @@ -67,7 +67,7 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { out = new ByteArrayOutputStream(); encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out) .withOptions( - ProducerOptions.encrypt(new EncryptionOptions() + ProducerOptions.encrypt(EncryptionOptions.get() .addRecipient(publicKeys, "Bob Babbage ") )); @@ -79,7 +79,7 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { out = new ByteArrayOutputStream(); encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out) .withOptions( - ProducerOptions.encrypt(new EncryptionOptions() + ProducerOptions.encrypt(EncryptionOptions.get() .addRecipient(publicKeys, "Bobby128 ") )); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 74ec8377..2356be1f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -69,7 +69,7 @@ public class SigningTest { EncryptionOptions.encryptDataAtRest() .addRecipients(keys) .addRecipient(KeyRingUtils.publicKeyRingFrom(cryptieKeys)), - new SigningOptions().addInlineSignature( + SigningOptions.get().addInlineSignature( SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, cryptieSigningKey), cryptieKeys, TestKeys.CRYPTIE_UID, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) ).setAsciiArmor(true)); @@ -94,7 +94,7 @@ public class SigningTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cryptIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKeys(secretKeys, SecretKeyRingProtector.unprotectedKeys()) .addVerificationCerts(verificationKeys) ); @@ -119,7 +119,7 @@ public class SigningTest { .getPGPSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); - SigningOptions opts = new SigningOptions(); + SigningOptions opts = SigningOptions.get(); // "bob" is not a valid user-id assertThrows(KeyException.UnboundUserIdException.class, () -> opts.addInlineSignature(protector, secretKeys, "bob", @@ -141,7 +141,7 @@ public class SigningTest { final PGPSecretKeyRing fSecretKeys = secretKeys; - SigningOptions opts = new SigningOptions(); + SigningOptions opts = SigningOptions.get(); // "alice" has been revoked assertThrows(KeyException.UnboundUserIdException.class, () -> opts.addInlineSignature(protector, fSecretKeys, "alice", @@ -154,7 +154,7 @@ public class SigningTest { PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - SigningOptions options = new SigningOptions(); + SigningOptions options = SigningOptions.get(); assertNull(options.getHashAlgorithmOverride()); options.overrideHashAlgorithm(HashAlgorithm.SHA224); @@ -192,7 +192,7 @@ public class SigningTest { .build() .getPGPSecretKeyRing(); - SigningOptions options = new SigningOptions() + SigningOptions options = SigningOptions.get() .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; @@ -223,7 +223,7 @@ public class SigningTest { .build() .getPGPSecretKeyRing(); - SigningOptions options = new SigningOptions() + SigningOptions options = SigningOptions.get() .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; @@ -251,7 +251,7 @@ public class SigningTest { .build() .getPGPSecretKeyRing(); - SigningOptions options = new SigningOptions(); + SigningOptions options = SigningOptions.get(); assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addDetachedSignature( SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addInlineSignature( @@ -268,7 +268,7 @@ public class SigningTest { .build() .getPGPSecretKeyRing(); - SigningOptions options = new SigningOptions(); + SigningOptions options = SigningOptions.get(); assertThrows(KeyException.UnboundUserIdException.class, () -> options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", DocumentSignatureType.BINARY_DOCUMENT)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index 9d352cc8..bcf30e83 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -154,7 +154,7 @@ public class Encrypt { EncryptionOptions.encryptCommunications() .addRecipient(certificateBob) .addRecipient(certificateAlice), - new SigningOptions() + SigningOptions.get() .addInlineSignature(protectorAlice, keyAlice, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) ).setAsciiArmor(true) ); @@ -167,7 +167,7 @@ public class Encrypt { // Decrypt and verify signatures DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(keyBob, protectorBob) .addVerificationCert(certificateAlice) ); @@ -209,7 +209,7 @@ public class Encrypt { // Decrypt DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(asciiCiphertext.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions().addMessagePassphrase(Passphrase.fromPassword("p4ssphr4s3"))); + .withOptions(ConsumerOptions.get().addMessagePassphrase(Passphrase.fromPassword("p4ssphr4s3"))); ByteArrayOutputStream plaintext = new ByteArrayOutputStream(); Streams.pipeAll(decryptor, plaintext); @@ -273,7 +273,7 @@ public class Encrypt { // Decrypt and verify signatures DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(keyBob, protectorBob) .addVerificationCert(certificateAlice) ); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java index 19d5fdd1..95071088 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java @@ -106,7 +106,7 @@ public class StupidAlgorithmPreferenceEncryptionTest { EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() .onOutputStream(out) .withOptions(ProducerOptions.encrypt( - new EncryptionOptions().addRecipient(certificate) + EncryptionOptions.get().addRecipient(certificate) )); encryptionStream.write("Hello".getBytes(StandardCharsets.UTF_8)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java index 3053bc7b..ce851da3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java @@ -144,7 +144,7 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { ByteArrayOutputStream out = new ByteArrayOutputStream(); EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() .onOutputStream(out) - .withOptions(ProducerOptions.encrypt(new EncryptionOptions() + .withOptions(ProducerOptions.encrypt(EncryptionOptions.get() .addRecipient(cert))); encryptionStream.write("Hello".getBytes(StandardCharsets.UTF_8)); @@ -157,7 +157,7 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { ByteArrayOutputStream plain = new ByteArrayOutputStream(); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(edited)); Streams.pipeAll(decryptionStream, plain); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index e84d16e4..f13f8ab0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -111,7 +111,7 @@ public class S2KUsageFixTest { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(keys, protector)); ByteArrayOutputStream out = new ByteArrayOutputStream(); Streams.pipeAll(decryptionStream, out); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index 0aba7e18..b1e70445 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -1384,7 +1384,7 @@ public class CertificateValidatorTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(DATA.getBytes(StandardCharsets.UTF_8))) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(PGPainless.readKeyRing().publicKeyRing(CERT)) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(SIG.getBytes(StandardCharsets.UTF_8)))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java index ff26506d..a5c61ac3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java @@ -144,7 +144,7 @@ public class IgnoreMarkerPacketsTest { InputStream messageIn = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(messageIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addVerificationCert(publicKeys) .addVerificationOfDetachedSignature(signature) ); @@ -193,7 +193,7 @@ public class IgnoreMarkerPacketsTest { InputStream messageIn = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(messageIn) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys) .addVerificationCert(publicKeys) ); From 2f6e9abf23c14baa5f6994bc0bc643c234e4a0af Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 10:17:20 +0100 Subject: [PATCH 098/265] Remove deprecated KeyInfo class If you relied on it, replace its usage with the Kotlin extension functions as documented. If you are using Java, use static methods from PGPPublicKeyExtensionsKt and PGPSecretKeyExtensionsKt instead. --- .../kotlin/org/pgpainless/key/info/KeyInfo.kt | 81 ------------------- .../BrainpoolKeyGenerationTest.java | 41 ++++------ .../pgpainless/key/info/KeyRingInfoTest.java | 3 +- 3 files changed, 18 insertions(+), 107 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyInfo.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyInfo.kt deleted file mode 100644 index 75a35140..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyInfo.kt +++ /dev/null @@ -1,81 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub , 2021 Flowcrypt a.s. -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.key.info - -import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPSecretKey -import org.pgpainless.bouncycastle.extensions.getCurveName -import org.pgpainless.bouncycastle.extensions.hasDummyS2K -import org.pgpainless.bouncycastle.extensions.isDecrypted -import org.pgpainless.bouncycastle.extensions.isEncrypted - -@Deprecated("Deprecated in favor of extension functions to PGPSecretKey and PGPPublicKey.") -class KeyInfo private constructor(val secretKey: PGPSecretKey?, val publicKey: PGPPublicKey) { - - constructor(secretKey: PGPSecretKey) : this(secretKey, secretKey.publicKey) - - constructor(publicKey: PGPPublicKey) : this(null, publicKey) - - /** - * Return the name of the elliptic curve used by this key, or throw an - * [IllegalArgumentException] if the key is not based on elliptic curves, or on an unknown - * curve. - */ - @Deprecated( - "Deprecated in favor of calling getCurveName() on the PGPPublicKey itself.", - ReplaceWith("publicKey.getCurveName()")) - val curveName: String - get() = publicKey.getCurveName() - - /** - * Return true, if the secret key is encrypted. This method returns false, if the secret key is - * null. - */ - @Deprecated( - "Deprecated in favor of calling isEncrypted() on the PGPSecretKey itself.", - ReplaceWith("secretKey.isEncrypted()")) - val isEncrypted: Boolean - get() = secretKey?.isEncrypted() ?: false - - /** - * Return true, if the secret key is decrypted. This method returns true, if the secret key is - * null. - */ - @Deprecated( - "Deprecated in favor of calling isDecrypted() on the PGPSecretKey itself.", - ReplaceWith("secretKey.isDecrypted()")) - val isDecrypted: Boolean - get() = secretKey?.isDecrypted() ?: true - - /** - * Return true, if the secret key is using the GNU_DUMMY_S2K s2k type. This method returns - * false, if the secret key is null. - */ - @Deprecated( - "Deprecated in favor of calling hasDummyS2K() on the PGPSecretKey itself.", - ReplaceWith("secretKey.hasDummyS2K()")) - val hasDummyS2K: Boolean - @JvmName("hasDummyS2K") get() = secretKey?.hasDummyS2K() ?: false - - companion object { - @JvmStatic - @Deprecated( - "Deprecated in favor of calling isEncrypted() on the PGPSecretKey itself.", - ReplaceWith("secretKey.isEncrypted()")) - fun isEncrypted(secretKey: PGPSecretKey?) = secretKey.isEncrypted() - - @JvmStatic - @Deprecated( - "Deprecated in favor of calling isDecrypted() on the PGPSecretKey itself.", - ReplaceWith("secretKey.isDecrypted()")) - fun isDecrypted(secretKey: PGPSecretKey?) = secretKey.isDecrypted() - - @JvmStatic - @Deprecated( - "Deprecated in favor of calling hasDummyS2K() on the PGPSecretKey itself.", - ReplaceWith("secretKey.hasDummyS2K()")) - fun hasDummyS2K(secretKey: PGPSecretKey?) = secretKey.hasDummyS2K() - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index f68be6c6..0192e395 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -11,7 +11,6 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.util.Iterator; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.TestTemplate; @@ -19,12 +18,13 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.bouncycastle.extensions.PGPPublicKeyExtensionsKt; +import org.pgpainless.bouncycastle.extensions.PGPSecretKeyExtensionsKt; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; -import org.pgpainless.key.info.KeyInfo; import org.pgpainless.key.util.UserId; import org.pgpainless.util.Passphrase; import org.pgpainless.util.TestAllImplementations; @@ -47,15 +47,13 @@ public class BrainpoolKeyGenerationTest { Iterator secretKeyIterator = secretKeys.iterator(); PGPSecretKey primaryKey = secretKeyIterator.next(); - KeyInfo primaryInfo = new KeyInfo(primaryKey); - assertEquals(curve.getName(), primaryInfo.getCurveName()); - assertFalse(primaryInfo.isEncrypted()); - assertTrue(primaryInfo.isDecrypted()); - assertFalse(primaryInfo.hasDummyS2K()); + assertEquals(curve.getName(), PGPPublicKeyExtensionsKt.getCurveName(primaryKey.getPublicKey())); + assertFalse(PGPSecretKeyExtensionsKt.isEncrypted(primaryKey)); + assertTrue(PGPSecretKeyExtensionsKt.isDecrypted(primaryKey)); + assertFalse(PGPSecretKeyExtensionsKt.hasDummyS2K(primaryKey)); PGPSecretKey subKey = secretKeyIterator.next(); - KeyInfo subInfo = new KeyInfo(subKey); - assertEquals(curve.getName(), subInfo.getCurveName()); + assertEquals(curve.getName(), PGPPublicKeyExtensionsKt.getCurveName(subKey.getPublicKey())); } } @@ -77,35 +75,28 @@ public class BrainpoolKeyGenerationTest { .getPGPSecretKeyRing(); for (PGPSecretKey key : secretKeys) { - KeyInfo info = new KeyInfo(key); - assertTrue(info.isEncrypted()); - assertFalse(info.isDecrypted()); - - PGPPublicKey pubKey = key.getPublicKey(); - assertFalse(new KeyInfo(pubKey).isEncrypted()); - assertTrue(new KeyInfo(pubKey).isDecrypted()); - assertFalse(new KeyInfo(pubKey).hasDummyS2K()); + assertTrue(PGPSecretKeyExtensionsKt.isEncrypted(key)); + assertFalse(PGPSecretKeyExtensionsKt.isDecrypted(key)); + assertFalse(PGPSecretKeyExtensionsKt.hasDummyS2K(key)); } Iterator iterator = secretKeys.iterator(); PGPSecretKey ecdsaPrim = iterator.next(); - KeyInfo ecdsaInfo = new KeyInfo(ecdsaPrim); - assertEquals(EllipticCurve._BRAINPOOLP384R1.getName(), ecdsaInfo.getCurveName()); + assertEquals(EllipticCurve._BRAINPOOLP384R1.getName(), PGPPublicKeyExtensionsKt.getCurveName(ecdsaPrim.getPublicKey())); assertEquals(384, ecdsaPrim.getPublicKey().getBitStrength()); PGPSecretKey eddsaSub = iterator.next(); - KeyInfo eddsaInfo = new KeyInfo(eddsaSub); - assertEquals(EdDSALegacyCurve._Ed25519.getName(), eddsaInfo.getCurveName()); + assertEquals(EdDSALegacyCurve._Ed25519.getName(), PGPPublicKeyExtensionsKt.getCurveName(eddsaSub.getPublicKey())); assertEquals(256, eddsaSub.getPublicKey().getBitStrength()); PGPSecretKey xdhSub = iterator.next(); - KeyInfo xdhInfo = new KeyInfo(xdhSub); - assertEquals(XDHLegacySpec._X25519.getCurveName(), xdhInfo.getCurveName()); + assertEquals(XDHLegacySpec._X25519.getCurveName(), PGPPublicKeyExtensionsKt.getCurveName(xdhSub.getPublicKey())); assertEquals(256, xdhSub.getPublicKey().getBitStrength()); PGPSecretKey rsaSub = iterator.next(); - KeyInfo rsaInfo = new KeyInfo(rsaSub); - assertThrows(IllegalArgumentException.class, rsaInfo::getCurveName, "RSA is not a curve-based encryption system"); + assertThrows(IllegalArgumentException.class, + () -> PGPPublicKeyExtensionsKt.getCurveName(rsaSub.getPublicKey()), + "RSA is not a curve-based encryption system"); assertEquals(3072, rsaSub.getPublicKey().getBitStrength()); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 30195131..e79e03ae 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -41,6 +41,7 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.bouncycastle.extensions.PGPSecretKeyExtensionsKt; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.KeySpec; @@ -217,7 +218,7 @@ public class KeyRingInfoTest { "-----END PGP PRIVATE KEY BLOCK-----\n"; OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(withDummyS2K); - assertTrue(new KeyInfo(secretKeys.getPrimarySecretKey().getPGPSecretKey()).hasDummyS2K()); + assertTrue(PGPSecretKeyExtensionsKt.hasDummyS2K(secretKeys.getPrimarySecretKey().getPGPSecretKey())); } @TestTemplate From b543c2ed2a542d112dbafb01d66a19944c5c63f5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 10:22:07 +0100 Subject: [PATCH 099/265] Replace deprecated method usage and make policy injectable in UnlockSecretKey utility class --- .../pgpainless/key/protection/UnlockSecretKey.kt | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt index a4526f61..f83b8336 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt @@ -18,6 +18,7 @@ import org.pgpainless.bouncycastle.extensions.isEncrypted import org.pgpainless.exception.KeyIntegrityException import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.util.PublicKeyParameterValidationUtil +import org.pgpainless.policy.Policy import org.pgpainless.util.Passphrase class UnlockSecretKey { @@ -31,17 +32,19 @@ class UnlockSecretKey { protector: SecretKeyRingProtector ): PGPPrivateKey { return if (secretKey.isEncrypted()) { - unlockSecretKey(secretKey, protector.getDecryptor(secretKey.keyID)) + unlockSecretKey(secretKey, protector.getDecryptor(secretKey.keyIdentifier)) } else { unlockSecretKey(secretKey, null as PBESecretKeyDecryptor?) } } @JvmStatic + @JvmOverloads @Throws(PGPException::class) fun unlockSecretKey( secretKey: OpenPGPSecretKey, - protector: SecretKeyRingProtector + protector: SecretKeyRingProtector, + policy: Policy = PGPainless.getInstance().algorithmPolicy ): OpenPGPPrivateKey { val privateKey = try { @@ -59,7 +62,7 @@ class UnlockSecretKey { throw PGPException("Cannot decrypt secret key.") } - if (PGPainless.getPolicy().isEnableKeyParameterValidation()) { + if (policy.isEnableKeyParameterValidation()) { PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity( privateKey.keyPair.privateKey, privateKey.keyPair.publicKey) } @@ -68,10 +71,12 @@ class UnlockSecretKey { } @JvmStatic + @JvmOverloads @Throws(PGPException::class) fun unlockSecretKey( secretKey: PGPSecretKey, - decryptor: PBESecretKeyDecryptor? + decryptor: PBESecretKeyDecryptor?, + policy: Policy = PGPainless.getInstance().algorithmPolicy ): PGPPrivateKey { val privateKey = try { @@ -89,7 +94,7 @@ class UnlockSecretKey { throw PGPException("Cannot decrypt secret key.") } - if (PGPainless.getPolicy().isEnableKeyParameterValidation()) { + if (policy.isEnableKeyParameterValidation()) { PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity( privateKey, secretKey.publicKey) } From e7954ff6f19f3dc2fd41c1c2fc1f66349dfd3cd2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 10:36:45 +0100 Subject: [PATCH 100/265] KeyRingUtils: Replace deprecated method usage --- .../org/pgpainless/key/util/KeyRingUtils.kt | 50 +++++++++++-------- 1 file changed, 30 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt index fd1baedf..2286da28 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt @@ -52,13 +52,7 @@ class KeyRingUtils { */ @JvmStatic fun getPrimarySecretKeyFrom(secretKeys: PGPSecretKeyRing): PGPSecretKey? { - return secretKeys.secretKey.let { - if (it.isMasterKey) { - it - } else { - null - } - } + return if (secretKeys.secretKey.isMasterKey) secretKeys.secretKey else null } /** @@ -82,13 +76,7 @@ class KeyRingUtils { */ @JvmStatic fun getPrimaryPublicKey(keyRing: PGPKeyRing): PGPPublicKey? { - return keyRing.publicKey.let { - if (it.isMasterKey) { - it - } else { - null - } - } + return if (keyRing.publicKey.isMasterKey) keyRing.publicKey else null } /** @@ -245,7 +233,7 @@ class KeyRingUtils { certificate.publicKeys .asSequence() .map { - if (it.keyID == certifiedKey.keyID) { + if (it.keyIdentifier == certifiedKey.keyIdentifier) { PGPPublicKey.addCertification(it, certification) } else { it @@ -415,18 +403,40 @@ class KeyRingUtils { * @throws PGPException in case of a broken key */ @JvmStatic - fun stripSecretKey(secretKeys: PGPSecretKeyRing, keyId: Long): PGPSecretKeyRing { - require(keyId != secretKeys.publicKey.keyID) { + @Deprecated("Pass in a KeyIdentifier instead.") + fun stripSecretKey(secretKeys: PGPSecretKeyRing, keyId: Long): PGPSecretKeyRing = + stripSecretKey(secretKeys, KeyIdentifier(keyId)) + + /** + * Remove the secret key of the subkey identified by the given [keyIdentifier] from the key + * ring. The public part stays attached to the key ring, so that it can still be used for + * encryption / verification of signatures. + * + * This method is intended to be used to remove secret primary keys from live keys when + * those are kept in offline storage. + * + * @param secretKeys secret key ring + * @param keyIdentifier identifier of the secret key to remove + * @return secret key ring with removed secret key + * @throws IOException in case of an error during serialization / deserialization of the key + * @throws PGPException in case of a broken key + */ + @JvmStatic + fun stripSecretKey( + secretKeys: PGPSecretKeyRing, + keyIdentifier: KeyIdentifier + ): PGPSecretKeyRing { + require(keyIdentifier != secretKeys.publicKey.keyIdentifier) { "Bouncy Castle currently cannot deal with stripped primary secret keys." } - if (secretKeys.getSecretKey(keyId) == null) { + if (secretKeys.getSecretKey(keyIdentifier) == null) { throw NoSuchElementException( - "PGPSecretKeyRing does not contain secret key ${keyId.openPgpKeyId()}.") + "PGPSecretKeyRing does not contain secret key ${keyIdentifier}.") } val out = ByteArrayOutputStream() secretKeys.forEach { - if (it.keyID == keyId) { + if (it.keyIdentifier == keyIdentifier) { // only encode the public key it.publicKey.encode(out) } else { From e68c365296e521ec2345de4a16b25cbf02ecf330 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 10:46:35 +0100 Subject: [PATCH 101/265] UserId: Remove deprecated method usage --- .../kotlin/org/pgpainless/key/util/UserId.kt | 16 ++----- .../java/org/pgpainless/key/UserIdTest.java | 44 +++++++++---------- .../selection/userid/SelectUserIdTest.java | 2 +- 3 files changed, 26 insertions(+), 36 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/UserId.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/UserId.kt index c2b81700..2f2be16d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/UserId.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/UserId.kt @@ -6,15 +6,9 @@ package org.pgpainless.key.util class UserId internal constructor(name: String?, comment: String?, email: String?) : CharSequence { - private val _name: String? - val comment: String? - val email: String? - - init { - this._name = name?.trim() - this.comment = comment?.trim() - this.email = email?.trim() - } + private val _name: String? = name?.trim() + val comment: String? = comment?.trim() + val email: String? = email?.trim() val full: String = buildString { if (name?.isNotBlank() == true) { @@ -170,10 +164,6 @@ class UserId internal constructor(name: String?, comment: String?, email: String fun compare(u1: UserId?, u2: UserId?, comparator: Comparator) = comparator.compare(u1, u2) - @JvmStatic - @Deprecated("Deprecated in favor of builde() method.", ReplaceWith("builder()")) - fun newBuilder() = builder() - @JvmStatic fun builder() = Builder() } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java index 1290ad9c..2b1bd895 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java @@ -19,7 +19,7 @@ public class UserIdTest { public void testFormatOnlyName() { assertEquals( "Juliet Capulet", - UserId.newBuilder().withName("Juliet Capulet") + UserId.builder().withName("Juliet Capulet") .build().toString()); } @@ -27,7 +27,7 @@ public class UserIdTest { public void testFormatNameAndComment() { assertEquals( "Juliet Capulet (from the play)", - UserId.newBuilder().withName("Juliet Capulet") + UserId.builder().withName("Juliet Capulet") .withComment("from the play") .noEmail().build().toString()); } @@ -35,7 +35,7 @@ public class UserIdTest { @Test public void testFormatNameCommentAndMail() { assertEquals("Juliet Capulet (from the play) ", - UserId.newBuilder().withName("Juliet Capulet") + UserId.builder().withName("Juliet Capulet") .withComment("from the play") .withEmail("juliet@capulet.lit") .build() @@ -45,7 +45,7 @@ public class UserIdTest { @Test public void testFormatNameAndEmail() { assertEquals("Juliet Capulet ", - UserId.newBuilder().withName("Juliet Capulet") + UserId.builder().withName("Juliet Capulet") .noComment() .withEmail("juliet@capulet.lit") .build() @@ -60,7 +60,7 @@ public class UserIdTest { @Test void testBuilderWithName() { - final UserId userId = UserId.newBuilder().withName("John Smith").build(); + final UserId userId = UserId.builder().withName("John Smith").build(); assertEquals("John Smith", userId.getName()); assertNull(userId.getComment()); assertNull(userId.getEmail()); @@ -68,7 +68,7 @@ public class UserIdTest { @Test void testBuilderWithComment() { - final UserId userId = UserId.newBuilder().withComment("Sales Dept.").build(); + final UserId userId = UserId.builder().withComment("Sales Dept.").build(); assertNull(userId.getName()); assertEquals("Sales Dept.", userId.getComment()); assertNull(userId.getEmail()); @@ -76,7 +76,7 @@ public class UserIdTest { @Test void testBuilderWithEmail() { - final UserId userId = UserId.newBuilder().withEmail("john.smith@example.com").build(); + final UserId userId = UserId.builder().withEmail("john.smith@example.com").build(); assertNull(userId.getName()); assertNull(userId.getComment()); assertEquals("john.smith@example.com", userId.getEmail()); @@ -84,7 +84,7 @@ public class UserIdTest { @Test void testBuilderWithAll() { - final UserId userId = UserId.newBuilder().withEmail("john.smith@example.com") + final UserId userId = UserId.builder().withEmail("john.smith@example.com") .withName("John Smith") .withEmail("john.smith@example.com") .withComment("Sales Dept.").build(); @@ -95,7 +95,7 @@ public class UserIdTest { @Test void testBuilderNoName() { - final UserId.Builder builder = UserId.newBuilder() + final UserId.Builder builder = UserId.builder() .withEmail("john.smith@example.com") .withName("John Smith") .withComment("Sales Dept.").build().toBuilder(); @@ -107,7 +107,7 @@ public class UserIdTest { @Test void testBuilderNoComment() { - final UserId.Builder builder = UserId.newBuilder() + final UserId.Builder builder = UserId.builder() .withEmail("john.smith@example.com") .withName("John Smith") .withComment("Sales Dept.").build().toBuilder(); @@ -119,7 +119,7 @@ public class UserIdTest { @Test void testBuilderNoEmail() { - final UserId.Builder builder = UserId.newBuilder() + final UserId.Builder builder = UserId.builder() .withEmail("john.smith@example.com") .withName("John Smith") .withComment("Sales Dept.").build().toBuilder(); @@ -143,7 +143,7 @@ public class UserIdTest { @Test void testEmptyNameAndEmptyCommentAndValidEmailFormatting() { - final UserId userId = UserId.newBuilder() + final UserId userId = UserId.builder() .withComment("") .withName("") .withEmail("john.smith@example.com") @@ -157,8 +157,8 @@ public class UserIdTest { final String comment = "Sales Dept."; final String email = "john.smith@example.com"; final String upperEmail = email.toUpperCase(); - final UserId userId1 = UserId.newBuilder().withComment(comment).withName(name).withEmail(email).build(); - final UserId userId2 = UserId.newBuilder().withComment(comment).withName(name).withEmail(upperEmail).build(); + final UserId userId1 = UserId.builder().withComment(comment).withName(name).withEmail(email).build(); + final UserId userId2 = UserId.builder().withComment(comment).withName(name).withEmail(upperEmail).build(); assertEquals(userId1, userId2); } @@ -168,8 +168,8 @@ public class UserIdTest { final String name2 = "Don Duck"; final String comment = "Sales Dept."; final String email = "john.smith@example.com"; - final UserId userId1 = UserId.newBuilder().withComment(comment).withName(name1).withEmail(email).build(); - final UserId userId2 = UserId.newBuilder().withComment(comment).withName(name2).withEmail(email).build(); + final UserId userId1 = UserId.builder().withComment(comment).withName(name1).withEmail(email).build(); + final UserId userId2 = UserId.builder().withComment(comment).withName(name2).withEmail(email).build(); assertNotEquals(userId1, userId2); } @@ -179,8 +179,8 @@ public class UserIdTest { final String comment1 = "Sales Dept."; final String comment2 = "Legal Dept."; final String email = "john.smith@example.com"; - final UserId userId1 = UserId.newBuilder().withComment(comment1).withName(name).withEmail(email).build(); - final UserId userId2 = UserId.newBuilder().withComment(comment2).withName(name).withEmail(email).build(); + final UserId userId1 = UserId.builder().withComment(comment1).withName(name).withEmail(email).build(); + final UserId userId2 = UserId.builder().withComment(comment2).withName(name).withEmail(email).build(); assertNotEquals(userId1, userId2); } @@ -220,8 +220,8 @@ public class UserIdTest { UserId id2 = UserId.onlyEmail("alice@gnupg.org"); UserId id3 = UserId.nameAndEmail("Alice", "alice@pgpainless.org"); UserId id3_ = UserId.nameAndEmail("Alice", "alice@pgpainless.org"); - UserId id4 = UserId.newBuilder().withName("Alice").build(); - UserId id5 = UserId.newBuilder().withName("Alice").withComment("Work Mail").withEmail("alice@pgpainless.org").build(); + UserId id4 = UserId.builder().withName("Alice").build(); + UserId id5 = UserId.builder().withName("Alice").withComment("Work Mail").withEmail("alice@pgpainless.org").build(); assertEquals(id3.hashCode(), id3_.hashCode()); assertNotEquals(id2.hashCode(), id3.hashCode()); @@ -250,8 +250,8 @@ public class UserIdTest { UserId id1 = UserId.nameAndEmail("Alice", "alice@pgpainless.org"); UserId id2 = UserId.nameAndEmail("alice", "alice@pgpainless.org"); UserId id3 = UserId.nameAndEmail("Alice", "Alice@Pgpainless.Org"); - UserId id4 = UserId.newBuilder().withName("Alice").withComment("Work Email").withEmail("Alice@Pgpainless.Org").build(); - UserId id5 = UserId.newBuilder().withName("alice").withComment("work email").withEmail("alice@pgpainless.org").build(); + UserId id4 = UserId.builder().withName("Alice").withComment("Work Email").withEmail("Alice@Pgpainless.Org").build(); + UserId id5 = UserId.builder().withName("alice").withComment("work email").withEmail("alice@pgpainless.org").build(); UserId id6 = UserId.nameAndEmail("Bob", "bob@pgpainless.org"); Comparator c = new UserId.DefaultIgnoreCaseComparator(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java index 71851b2a..d45594e6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java @@ -29,7 +29,7 @@ public class SelectUserIdTest { .getPGPSecretKeyRing(); secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId( - UserId.newBuilder().withName("Alice Liddell").noComment() + UserId.builder().withName("Alice Liddell").noComment() .withEmail("crazy@the-rabbit.hole").build(), SecretKeyRingProtector.unprotectedKeys()) .done(); From 6951911520a180ade0b237869c1479d7e9882e51 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 10:59:05 +0100 Subject: [PATCH 102/265] Fix javadoc parameter names --- .../src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt | 4 ++-- .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt index 31347f99..d4925252 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt @@ -64,7 +64,7 @@ abstract class OpenPgpFingerprint : CharSequence, Comparable /** * Check, whether the fingerprint consists of 40 valid hexadecimal characters. * - * @param fp fingerprint to check. + * @param fingerprint fingerprint to check. * @return true if fingerprint is valid. */ protected abstract fun isValid(fingerprint: String): Boolean @@ -127,7 +127,7 @@ abstract class OpenPgpFingerprint : CharSequence, Comparable * Return the fingerprint of the primary key of the given key ring. This method * automatically matches key versions to fingerprint implementations. * - * @param ring key ring + * @param keys key ring * @return fingerprint */ @JvmStatic fun of(keys: PGPKeyRing): OpenPgpFingerprint = of(keys.publicKey) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index eb875e21..315c04d0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -50,7 +50,7 @@ class Policy( * regardless of usage date. * * @param defaultHashAlgorithm default hash algorithm - * @param algorithmTerminationDates map of acceptable algorithms and their termination dates + * @param acceptableHashAlgorithmsAndTerminationDates map of acceptable algorithms and their termination dates */ class HashAlgorithmPolicy( val defaultHashAlgorithm: HashAlgorithm, From 5f64e92724ababc26aae7c7ee3d0628f45d6ef33 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 11:08:03 +0100 Subject: [PATCH 103/265] Remove ProviderFactory classes It is no longer possible to inject custom SecurityProviders. Instead, you can create and inject your own implementation of BCs OpenPGPImplementation --- .../kotlin/org/pgpainless/policy/Policy.kt | 3 +- .../provider/BouncyCastleProviderFactory.kt | 12 ----- .../pgpainless/provider/ProviderFactory.kt | 33 ------------- .../key/BouncycastleExportSubkeys.java | 19 ++++---- .../provider/ProviderFactoryTest.java | 46 ------------------- 5 files changed, 11 insertions(+), 102 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/provider/BouncyCastleProviderFactory.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/provider/ProviderFactory.kt delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 315c04d0..a82875ec 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -50,7 +50,8 @@ class Policy( * regardless of usage date. * * @param defaultHashAlgorithm default hash algorithm - * @param acceptableHashAlgorithmsAndTerminationDates map of acceptable algorithms and their termination dates + * @param acceptableHashAlgorithmsAndTerminationDates map of acceptable algorithms and their + * termination dates */ class HashAlgorithmPolicy( val defaultHashAlgorithm: HashAlgorithm, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/provider/BouncyCastleProviderFactory.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/provider/BouncyCastleProviderFactory.kt deleted file mode 100644 index 27192953..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/provider/BouncyCastleProviderFactory.kt +++ /dev/null @@ -1,12 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.provider - -import java.security.Provider -import org.bouncycastle.jce.provider.BouncyCastleProvider - -class BouncyCastleProviderFactory : ProviderFactory() { - override val securityProvider: Provider = BouncyCastleProvider() -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/provider/ProviderFactory.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/provider/ProviderFactory.kt deleted file mode 100644 index 531ae54b..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/provider/ProviderFactory.kt +++ /dev/null @@ -1,33 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.provider - -import java.security.Provider - -/** - * Allow the use of different [Provider] implementations to provide cryptographic primitives by - * setting a [ProviderFactory] singleton. By default, the class is initialized with a - * [BouncyCastleProviderFactory]. To make use of your own custom [Provider], call [setFactory], - * passing your own custom [ProviderFactory] instance. - */ -abstract class ProviderFactory { - - protected abstract val securityProvider: Provider - protected open val securityProviderName: String - get() = securityProvider.name - - companion object { - // singleton instance - @JvmStatic var factory: ProviderFactory = BouncyCastleProviderFactory() - - @JvmStatic - val provider: Provider - @JvmName("getProvider") get() = factory.securityProvider - - @JvmStatic - val providerName: String - get() = factory.securityProviderName - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java index f8ea991b..9836e077 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java @@ -8,6 +8,7 @@ import java.security.InvalidAlgorithmParameterException; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.NoSuchAlgorithmException; +import java.security.Provider; import java.util.Date; import org.bouncycastle.bcpg.CompressionAlgorithmTags; @@ -16,6 +17,7 @@ import org.bouncycastle.bcpg.PublicKeyAlgorithmTags; import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags; import org.bouncycastle.bcpg.sig.Features; import org.bouncycastle.bcpg.sig.KeyFlags; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; @@ -29,22 +31,19 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair; -import org.junit.jupiter.api.TestTemplate; -import org.junit.jupiter.api.extension.ExtendWith; -import org.pgpainless.provider.ProviderFactory; -import org.pgpainless.util.TestAllImplementations; +import org.junit.jupiter.api.Test; public class BouncycastleExportSubkeys { - @TestTemplate - @ExtendWith(TestAllImplementations.class) + @Test public void testExportImport() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException { + Provider provider = new BouncyCastleProvider(); KeyPairGenerator generator; KeyPair pair; // Generate master key - generator = KeyPairGenerator.getInstance("ECDSA", ProviderFactory.getProvider()); + generator = KeyPairGenerator.getInstance("ECDSA", provider); generator.initialize(new ECNamedCurveGenParameterSpec("P-256")); pair = generator.generateKeyPair(); @@ -70,7 +69,7 @@ public class BouncycastleExportSubkeys { // Generate sub key - generator = KeyPairGenerator.getInstance("ECDH", ProviderFactory.getProvider()); + generator = KeyPairGenerator.getInstance("ECDH", provider); generator.initialize(new ECNamedCurveGenParameterSpec("P-256")); pair = generator.generateKeyPair(); @@ -79,13 +78,13 @@ public class BouncycastleExportSubkeys { // Assemble key PGPDigestCalculator calculator = new JcaPGPDigestCalculatorProviderBuilder() - .setProvider(ProviderFactory.getProvider()) + .setProvider(provider) .build() .get(HashAlgorithmTags.SHA1); PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder( pgpMasterKey.getPublicKey().getAlgorithm(), HashAlgorithmTags.SHA512) - .setProvider(ProviderFactory.getProvider()); + .setProvider(provider); PGPKeyRingGenerator pgpGenerator = new PGPKeyRingGenerator(PGPSignature.POSITIVE_CERTIFICATION, pgpMasterKey, "alice@wonderland.lit", calculator, subPackets.generate(), null, diff --git a/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java deleted file mode 100644 index 5489a11c..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java +++ /dev/null @@ -1,46 +0,0 @@ -// SPDX-FileCopyrightText: 2020 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.provider; - -import static org.junit.jupiter.api.Assertions.assertEquals; - -import java.security.Provider; - -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.Test; - -public class ProviderFactoryTest { - - private final ProviderFactory customProviderFactory = new ProviderFactory() { - - @SuppressWarnings("deprecation") - final Provider provider = new Provider("PL", 1L, "PGPainlessTestProvider") { - - }; - - @Override - protected Provider getSecurityProvider() { - return provider; - } - - }; - - @Test - public void providerFactoryDefaultIsBouncyCastleTest() { - assertEquals("BC", ProviderFactory.getProviderName()); - } - - @Test - public void setCustomProviderTest() { - ProviderFactory.setFactory(customProviderFactory); - assertEquals("PL", ProviderFactory.getProviderName()); - } - - @AfterEach - public void resetToDefault() { - // Reset back to BouncyCastle - ProviderFactory.setFactory(new BouncyCastleProviderFactory()); - } -} From 777ecb9ee7ad4c4435bc06503c756e610479042d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 11:19:22 +0100 Subject: [PATCH 104/265] GnuPGDummyKeyUtil: Migrate to KeyIdentifier --- .../java/org/gnupg/GnuPGDummyKeyUtil.java | 23 +++++++++++++++---- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java index 4e7c46da..d2f1dedb 100644 --- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java +++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java @@ -4,6 +4,7 @@ package org.gnupg; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.bcpg.PublicKeyPacket; import org.bouncycastle.bcpg.S2K; import org.bouncycastle.bcpg.SecretKeyPacket; @@ -132,7 +133,7 @@ public final class GnuPGDummyKeyUtil { List secretKeyList = new ArrayList<>(); for (PGPSecretKey secretKey : keys) { - if (!filter.filter(secretKey.getKeyID())) { + if (!filter.filter(secretKey.getKeyIdentifier())) { // No conversion, do not modify subkey secretKeyList.add(secretKey); continue; @@ -177,10 +178,10 @@ public final class GnuPGDummyKeyUtil { /** * Return true, if the given key should be selected, false otherwise. * - * @param keyId id of the key + * @param keyIdentifier id of the key * @return select */ - boolean filter(long keyId); + boolean filter(KeyIdentifier keyIdentifier); /** * Select any key. @@ -196,9 +197,21 @@ public final class GnuPGDummyKeyUtil { * * @param onlyKeyId only acceptable key id * @return filter + * @deprecated use {@link #only(KeyIdentifier)} instead. */ + @Deprecated static KeyFilter only(long onlyKeyId) { - return keyId -> keyId == onlyKeyId; + return only(new KeyIdentifier(onlyKeyId)); + } + + /** + * Select only the given keyIdentifier. + * + * @param onlyKeyIdentifier only acceptable key identifier + * @return filter + */ + static KeyFilter only(KeyIdentifier onlyKeyIdentifier) { + return keyIdentifier -> keyIdentifier.matches(onlyKeyIdentifier); } /** @@ -207,7 +220,7 @@ public final class GnuPGDummyKeyUtil { * @param ids set of acceptable keyIds * @return filter */ - static KeyFilter selected(Collection ids) { + static KeyFilter selected(Collection ids) { // noinspection Convert2MethodRef return keyId -> ids.contains(keyId); } From 21a167ce24da75f02f57b4b8760e9957b184a217 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 14:26:25 +0100 Subject: [PATCH 105/265] Add more deprecation annotations, workaround for BC armor bug --- .../main/kotlin/org/pgpainless/PGPainless.kt | 19 ++++++++++++++++++- .../key/parsing/KeyRingReaderTest.java | 9 ++++++--- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index fc3b182b..190d926e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -60,6 +60,16 @@ class PGPainless( implementation, version.numeric, version == OpenPGPKeyVersion.v6, creationTime) .setAlgorithmSuite(algorithmPolicy.keyGenerationAlgorithmSuite) + /** + * Inspect an [OpenPGPKey] or [OpenPGPCertificate], gaining convenient access to its properties. + * + * @param keyOrCertificate [OpenPGPKey] or [OpenPGPCertificate] + * @param referenceTime reference time for evaluation + * @return [KeyRingInfo] wrapper + */ + fun inspect(keyOrCertificate: OpenPGPCertificate, referenceTime: Date = Date()): KeyRingInfo = + KeyRingInfo(keyOrCertificate, this, referenceTime) + fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() fun toKey(secretKeyRing: PGPSecretKeyRing): OpenPGPKey = @@ -118,6 +128,7 @@ class PGPainless( */ @JvmStatic @JvmOverloads + @Deprecated("Call buildKey() on an instance of PGPainless instead.") fun buildKeyRing( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, api: PGPainless = getInstance() @@ -128,8 +139,8 @@ class PGPainless( * * @return builder */ - @Deprecated("Use readKey() instead.", replaceWith = ReplaceWith("readKey()")) @JvmStatic + @Deprecated("Use readKey() instead.", replaceWith = ReplaceWith("readKey()")) fun readKeyRing(): KeyRingReader = KeyRingReader() /** @@ -250,11 +261,17 @@ class PGPainless( */ @JvmStatic @JvmOverloads + @Deprecated( + "Use inspect(key) on an instance of PGPainless instead.", + replaceWith = ReplaceWith("inspect(key)")) fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()): KeyRingInfo = KeyRingInfo(key, referenceTime) @JvmStatic @JvmOverloads + @Deprecated( + "Use inspect(key) on an instance of PGPainless instead.", + replaceWith = ReplaceWith("inspect(key)")) fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()): KeyRingInfo = KeyRingInfo(key, getInstance(), referenceTime) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index 9bda5137..7bfffe92 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -21,6 +21,7 @@ import java.util.List; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.bcpg.BCPGOutputStream; import org.bouncycastle.bcpg.MarkerPacket; +import org.bouncycastle.bcpg.PacketFormat; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -30,6 +31,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.opentest4j.TestAbortedException; @@ -614,9 +616,10 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithArmoredSecretKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - String armored = PGPainless.asciiArmor(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); + // remove PacketFormat argument once https://github.com/bcgit/bc-java/pull/1993 lands in BC + String armored = secretKeys.toAsciiArmoredString(PacketFormat.LEGACY); PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(armored); From 4c7d39932f14df4da04c5193d90666b6263b220d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 19 Mar 2025 17:24:04 +0100 Subject: [PATCH 106/265] Port SecretKeyRingEditor, replace Singleton usage with API instance calls --- .../main/kotlin/org/pgpainless/PGPainless.kt | 5 + .../OpenPgpMessageInputStream.kt | 6 +- .../encryption_signing/EncryptionOptions.kt | 5 +- .../encryption_signing/EncryptionResult.kt | 4 + .../encryption_signing/SigningOptions.kt | 10 +- .../key/certification/CertifyCertificate.kt | 9 +- .../secretkeyring/SecretKeyRingEditor.kt | 155 ++++++++++-------- .../SecretKeyRingEditorInterface.kt | 83 +++++++--- .../PasswordBasedSecretKeyRingProtector.kt | 20 +++ .../key/protection/SecretKeyRingProtector.kt | 5 + .../PrimaryKeyBindingSignatureBuilder.kt | 5 + .../builder/RevocationSignatureBuilder.kt | 14 ++ .../builder/SubkeyBindingSignatureBuilder.kt | 5 + .../util/selection/userid/SelectUserId.kt | 9 + .../encryption_signing/SigningTest.java | 11 +- .../org/pgpainless/example/ModifyKeys.java | 76 +++++---- .../java/org/pgpainless/key/TestKeys.java | 35 ++++ .../KeyGenerationSubpacketsTest.java | 42 ++--- .../pgpainless/key/info/KeyRingInfoTest.java | 154 ++++++++--------- .../key/info/PrimaryUserIdTest.java | 10 +- .../key/info/UserIdRevocationTest.java | 49 +++--- .../key/modification/AddSubKeyTest.java | 16 +- ...odifiedBindingSignatureSubpacketsTest.java | 14 +- .../key/modification/AddUserIdTest.java | 39 ++--- ...nOnKeyWithDifferentSignatureTypesTest.java | 16 +- .../modification/ChangeExpirationTest.java | 40 ++--- ...gePrimaryUserIdAndExpirationDatesTest.java | 83 +++++----- .../ChangeSecretKeyRingPassphraseTest.java | 54 +++--- .../ChangeSubkeyExpirationTimeTest.java | 27 +-- ...dDoesNotBreakEncryptionCapabilityTest.java | 41 +++-- .../GnuDummyS2KChangePassphraseTest.java | 11 +- ...ureSubpacketsArePreservedOnNewSigTest.java | 14 +- .../RefuseToAddWeakSubkeyTest.java | 32 ++-- .../RevocationCertificateTest.java | 58 ++++--- ...WithGenericCertificationSignatureTest.java | 24 +-- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 9 +- .../key/modification/RevokeSubKeyTest.java | 73 +++++---- .../key/modification/RevokeUserIdsTest.java | 47 +++--- .../key/protection/fixes/S2KUsageFixTest.java | 24 +-- .../SignatureSubpacketsUtilTest.java | 23 +-- .../selection/userid/SelectUserIdTest.java | 42 ++--- .../org/pgpainless/sop/RevokeKeyImpl.kt | 11 +- .../PGPainlessChangeKeyPasswordTest.java | 12 +- 43 files changed, 811 insertions(+), 611 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 190d926e..e2918389 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -67,9 +67,14 @@ class PGPainless( * @param referenceTime reference time for evaluation * @return [KeyRingInfo] wrapper */ + @JvmOverloads fun inspect(keyOrCertificate: OpenPGPCertificate, referenceTime: Date = Date()): KeyRingInfo = KeyRingInfo(keyOrCertificate, this, referenceTime) + @JvmOverloads + fun modify(key: OpenPGPKey, referenceTime: Date = Date()): SecretKeyRingEditor = + SecretKeyRingEditor(key, this, referenceTime) + fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() fun toKey(secretKeyRing: PGPSecretKeyRing): OpenPGPKey = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 904ba78e..1241b110 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -694,7 +694,7 @@ class OpenPgpMessageInputStream( private fun getDecryptionKey(pkesk: PGPPublicKeyEncryptedData): OpenPGPKey? = options.getDecryptionKeys().firstOrNull { it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && - PGPainless.inspectKeyRing(it).decryptionSubkeys.any { subkey -> + api.inspect(it).decryptionSubkeys.any { subkey -> pkesk.keyIdentifier.matches(subkey.keyIdentifier) } } @@ -702,7 +702,7 @@ class OpenPgpMessageInputStream( private fun getDecryptionKeys(pkesk: PGPPublicKeyEncryptedData): List = options.getDecryptionKeys().filter { it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && - PGPainless.inspectKeyRing(it).decryptionSubkeys.any { subkey -> + api.inspect(it).decryptionSubkeys.any { subkey -> pkesk.keyIdentifier.matches(subkey.keyIdentifier) } } @@ -713,7 +713,7 @@ class OpenPgpMessageInputStream( val algorithm = pkesk.algorithm val candidates = mutableListOf() options.getDecryptionKeys().forEach { - val info = PGPainless.inspectKeyRing(it) + val info = api.inspect(it) for (key in info.decryptionSubkeys) { if (key.pgpPublicKey.algorithm == algorithm && info.isSecretKeyAvailable(key.keyIdentifier)) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index c4adf3b3..d6aef95d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -10,7 +10,6 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator import org.pgpainless.PGPainless -import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.EncryptionPurpose import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.algorithm.negotiation.SymmetricKeyAlgorithmNegotiator.Companion.byPopularity @@ -191,7 +190,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: userId: CharSequence, encryptionKeySelector: EncryptionKeySelector ) = apply { - val info = inspectKeyRing(cert, evaluationDate) + val info = api.inspect(cert, evaluationDate) val subkeys = encryptionKeySelector.selectEncryptionSubkeys( info.getEncryptionSubkeys(userId, purpose)) @@ -289,7 +288,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: selector: EncryptionKeySelector, wildcardKeyId: Boolean ) = apply { - val info = inspectKeyRing(cert, evaluationDate) + val info = api.inspect(cert, evaluationDate) val primaryKeyExpiration = try { info.primaryKeyExpirationDate diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt index 4f6e6978..a969d8c3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt @@ -8,6 +8,7 @@ import java.util.* import org.bouncycastle.openpgp.PGPLiteralData import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm @@ -34,6 +35,9 @@ data class EncryptionResult( val isForYourEyesOnly: Boolean get() = PGPLiteralData.CONSOLE == fileName + fun isEncryptedFor(certificate: OpenPGPCertificate) = + recipients.any { certificate.getKey(it.keyIdentifier) != null } + /** * Returns true, if the message was encrypted for at least one subkey of the given certificate. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 51be8167..0d518c96 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -12,7 +12,6 @@ import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.pgpainless.PGPainless -import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.PublicKeyAlgorithm.Companion.requireFromId @@ -138,6 +137,7 @@ class SigningOptions(private val api: PGPainless) { signatureType: DocumentSignatureType ) = addInlineSignature(signingKeyProtector, api.toKey(signingKey), signatureType) + @JvmOverloads fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: OpenPGPKey, @@ -145,7 +145,7 @@ class SigningOptions(private val api: PGPainless) { signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketsCallback: Callback? = null ) = apply { - val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) + val keyRingInfo = api.inspect(signingKey, evaluationDate) if (userId != null && !keyRingInfo.isUserIdValid(userId)) { throw UnboundUserIdException( of(signingKey), @@ -212,7 +212,7 @@ class SigningOptions(private val api: PGPainless) { subpacketsCallback: Callback? = null ): SigningOptions = apply { val openPGPKey = signingKey.openPGPKey - val keyRingInfo = inspectKeyRing(openPGPKey, evaluationDate) + val keyRingInfo = api.inspect(openPGPKey, evaluationDate) val signingPubKeys = keyRingInfo.signingSubkeys if (signingPubKeys.isEmpty()) { throw UnacceptableSigningKeyException(openPGPKey) @@ -319,7 +319,7 @@ class SigningOptions(private val api: PGPainless) { signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketCallback: Callback? = null ): SigningOptions = apply { - val keyRingInfo = inspectKeyRing(signingKey, evaluationDate) + val keyRingInfo = api.inspect(signingKey, evaluationDate) if (userId != null && !keyRingInfo.isUserIdValid(userId)) { throw UnboundUserIdException( of(signingKey), @@ -380,7 +380,7 @@ class SigningOptions(private val api: PGPainless) { signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT, subpacketCallback: Callback? = null ): SigningOptions = apply { - val keyRingInfo = inspectKeyRing(signingKey.openPGPKey, evaluationDate) + val keyRingInfo = api.inspect(signingKey.openPGPKey, evaluationDate) val signingPrivKey: OpenPGPPrivateKey = signingKey.unlock(signingKeyProtector) val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index e43b30d8..f30b7539 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -134,7 +134,7 @@ class CertifyCertificate(private val api: PGPainless) { key: OpenPGPKey, protector: SecretKeyRingProtector ): CertificationOnUserIdWithSubpackets { - val secretKey = getCertifyingSecretKey(key) + val secretKey = getCertifyingSecretKey(key, api) val sigBuilder = ThirdPartyCertificationSignatureBuilder( certificationType.asSignatureType(), secretKey, protector, api) @@ -220,7 +220,7 @@ class CertifyCertificate(private val api: PGPainless) { key: OpenPGPKey, protector: SecretKeyRingProtector ): DelegationOnCertificateWithSubpackets { - val secretKey = getCertifyingSecretKey(key) + val secretKey = getCertifyingSecretKey(key, api) val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector, api) if (trustworthiness != null) { sigBuilder.hashedSubpackets.setTrust( @@ -306,10 +306,11 @@ class CertifyCertificate(private val api: PGPainless) { companion object { @JvmStatic private fun getCertifyingSecretKey( - certificationKey: OpenPGPKey + certificationKey: OpenPGPKey, + api: PGPainless ): OpenPGPKey.OpenPGPSecretKey { val now = Date() - val info = PGPainless.inspectKeyRing(certificationKey, now) + val info = api.inspect(certificationKey, now) val fingerprint = info.fingerprint val certificationPubKey = info.getPublicKey(fingerprint) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 4b513210..cece7657 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -8,10 +8,11 @@ import java.util.* import java.util.function.Predicate import javax.annotation.Nonnull import kotlin.NoSuchElementException -import openpgp.openPgpKeyId import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.sig.KeyExpirationTime import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPSubkey import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey @@ -20,7 +21,6 @@ import org.bouncycastle.openpgp.api.OpenPGPKeyEditor import org.bouncycastle.openpgp.api.OpenPGPSignature import org.bouncycastle.openpgp.api.SignatureParameters import org.pgpainless.PGPainless -import org.pgpainless.PGPainless.Companion.inspectKeyRing import org.pgpainless.algorithm.AlgorithmSuite import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion @@ -29,7 +29,6 @@ import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator import org.pgpainless.bouncycastle.extensions.checksumCalculator import org.pgpainless.bouncycastle.extensions.getKeyExpirationDate import org.pgpainless.bouncycastle.extensions.publicKeyAlgorithm -import org.pgpainless.bouncycastle.extensions.requirePublicKey import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.generation.KeyRingBuilder import org.pgpainless.key.generation.KeySpec @@ -50,8 +49,6 @@ class SecretKeyRingEditor( override val referenceTime: Date = Date() ) : SecretKeyRingEditorInterface { - private var secretKeyRing: PGPSecretKeyRing = key.pgpSecretKeyRing - @JvmOverloads constructor( secretKeyRing: PGPSecretKeyRing, @@ -64,8 +61,7 @@ class SecretKeyRingEditor( callback: SelfSignatureSubpackets.Callback?, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { - key = PGPainless.getInstance().toKey(secretKeyRing) - val info = inspectKeyRing(key, referenceTime) + val info = api.inspect(key, referenceTime) require(!info.isHardRevoked(userId)) { "User-ID $userId is hard revoked and cannot be re-certified." } @@ -89,7 +85,7 @@ class SecretKeyRingEditor( .setSignatureCreationTime(referenceTime) .setHashedSubpacketsFunction { subpacketGenerator -> val subpackets = SignatureSubpackets(subpacketGenerator) - subpackets.setAppropriateIssuerInfo(secretKeyRing.publicKey) + subpackets.setAppropriateIssuerInfo(key.primaryKey.pgpPublicKey) subpackets.setKeyFlags(info.getKeyFlagsOf(key.keyIdentifier)) subpackets.setPreferredHashAlgorithms(hashAlgorithmPreferences) @@ -111,7 +107,6 @@ class SecretKeyRingEditor( } }) .done() - secretKeyRing = key.pgpSecretKeyRing return this } @@ -120,8 +115,8 @@ class SecretKeyRingEditor( protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { val uid = sanitizeUserId(userId) - val primaryKey = secretKeyRing.publicKey - var info = inspectKeyRing(secretKeyRing, referenceTime) + val primaryKey = key.primaryKey.pgpPublicKey + var info = api.inspect(key, referenceTime) val primaryUserId = info.primaryUserId val signature = if (primaryUserId == null) info.latestDirectKeySelfSignature @@ -144,7 +139,7 @@ class SecretKeyRingEditor( protector) // unmark previous primary user-ids to be non-primary - info = inspectKeyRing(secretKeyRing, referenceTime) + info = api.inspect(key, referenceTime) info.validAndExpiredUserIds .filterNot { it == uid } .forEach { otherUserId -> @@ -215,7 +210,7 @@ class SecretKeyRingEditor( require(oldUID.isNotBlank()) { "Old user-ID cannot be empty." } require(newUID.isNotBlank()) { "New user-ID cannot be empty." } - val info = inspectKeyRing(secretKeyRing, referenceTime) + val info = api.inspect(key, referenceTime) if (!info.isUserIdValid(oldUID)) { throw NoSuchElementException( "Key does not carry user-ID '$oldUID', or it is not valid.") @@ -244,7 +239,6 @@ class SecretKeyRingEditor( } }, protector) - return revokeUserId(oldUID, protector) } @@ -270,7 +264,7 @@ class SecretKeyRingEditor( callback: SelfSignatureSubpackets.Callback?, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { - val version = OpenPGPKeyVersion.from(secretKeyRing.publicKey.version) + val version = OpenPGPKeyVersion.from(key.primarySecretKey.version) val keyPair = KeyRingBuilder.generateKeyPair(keySpec, version, api.implementation) val subkeyProtector = PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyIdentifier, subkeyPassphrase) @@ -303,8 +297,8 @@ class SecretKeyRingEditor( "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable." } - val primaryKey = secretKeyRing.secretKey - val info = inspectKeyRing(secretKeyRing, referenceTime) + val primaryKey = key.primarySecretKey.pgpSecretKey + val info = api.inspect(key, referenceTime) val hashAlgorithm = HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(api.algorithmPolicy) .negotiateHashAlgorithm(info.preferredHashAlgorithms) @@ -341,7 +335,8 @@ class SecretKeyRingEditor( secretSubkey = KeyRingUtils.secretKeyPlusSignature( secretSubkey, skBindingBuilder.build(secretSubkey.publicKey)) - secretKeyRing = KeyRingUtils.keysPlusSecretKey(secretKeyRing, secretSubkey) + val secretKeyRing = KeyRingUtils.keysPlusSecretKey(key.pgpSecretKeyRing, secretSubkey) + key = api.toKey(secretKeyRing) return this } @@ -356,26 +351,33 @@ class SecretKeyRingEditor( protector: SecretKeyRingProtector, callback: RevocationSignatureSubpackets.Callback? ): SecretKeyRingEditorInterface { - return revokeSubKey(secretKeyRing.secretKey.keyID, protector, callback) + return revokeSubKey(key.keyIdentifier, protector, callback) } override fun revokeSubKey( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? ): SecretKeyRingEditorInterface { return revokeSubKey( - subkeyId, protector, callbackFromRevocationAttributes(revocationAttributes)) + subkeyIdentifier, protector, callbackFromRevocationAttributes(revocationAttributes)) } override fun revokeSubKey( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, callback: RevocationSignatureSubpackets.Callback? ): SecretKeyRingEditorInterface { - val revokeeSubKey = secretKeyRing.requirePublicKey(subkeyId) + var secretKeyRing = key.pgpSecretKeyRing + val revokeeSubKey = + key.getKey(subkeyIdentifier) + ?: throw NoSuchElementException( + "Certificate ${key.keyIdentifier} does not contain subkey $subkeyIdentifier") val subkeyRevocation = generateRevocation(protector, revokeeSubKey, callback) - secretKeyRing = injectCertification(secretKeyRing, revokeeSubKey, subkeyRevocation) + secretKeyRing = + injectCertification( + secretKeyRing, revokeeSubKey.pgpPublicKey, subkeyRevocation.signature) + key = api.toKey(secretKeyRing) return this } @@ -451,6 +453,7 @@ class SecretKeyRingEditor( expiration: Date?, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface { + var secretKeyRing = key.pgpSecretKeyRing require(secretKeyRing.secretKey.isMasterKey) { "OpenPGP key does not appear to contain a primary secret key." } @@ -465,8 +468,9 @@ class SecretKeyRingEditor( reissueDirectKeySignature(expiration, protector, prevDirectKeySig).signature) } - val primaryUserId = - inspectKeyRing(secretKeyRing, referenceTime).getPossiblyExpiredPrimaryUserId() + val info = api.inspect(key, referenceTime) + + val primaryUserId = info.getPossiblyExpiredPrimaryUserId() if (primaryUserId != null) { val prevUserIdSig = getPreviousUserIdSignatures(primaryUserId) val userIdSig = @@ -474,7 +478,6 @@ class SecretKeyRingEditor( secretKeyRing = injectCertification(secretKeyRing, primaryUserId, userIdSig) } - val info = inspectKeyRing(secretKeyRing, referenceTime) for (userId in info.validUserIds) { if (userId == primaryUserId) { continue @@ -493,35 +496,40 @@ class SecretKeyRingEditor( } } + key = api.toKey(secretKeyRing) return this } override fun setExpirationDateOfSubkey( expiration: Date?, - keyId: Long, + keyId: KeyIdentifier, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface = apply { + var secretKeyRing = key.pgpSecretKeyRing + // is primary key - if (keyId == secretKeyRing.publicKey.keyID) { + if (keyId.matches(key.keyIdentifier)) { return setExpirationDate(expiration, protector) } // is subkey val subkey = - secretKeyRing.getPublicKey(keyId) - ?: throw NoSuchElementException("No subkey with ID ${keyId.openPgpKeyId()} found.") + key.getKey(keyId) ?: throw NoSuchElementException("No subkey with ID $keyId found.") val prevBinding = - inspectKeyRing(secretKeyRing).getCurrentSubkeyBindingSignature(keyId) + api.inspect(key).getCurrentSubkeyBindingSignature(keyId) ?: throw NoSuchElementException( - "Previous subkey binding signature for ${keyId.openPgpKeyId()} MUST NOT be null.") + "Previous subkey binding signature for $keyId MUST NOT be null.") val bindingSig = reissueSubkeyBindingSignature(subkey, expiration, protector, prevBinding) - secretKeyRing = injectCertification(secretKeyRing, subkey, bindingSig) + secretKeyRing = + injectCertification(secretKeyRing, subkey.pgpPublicKey, bindingSig.signature) + + key = api.toKey(secretKeyRing) } override fun createMinimalRevocationCertificate( protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPPublicKeyRing { + ): OpenPGPCertificate { // Check reason if (revocationAttributes != null) { require(RevocationAttributes.Reason.isKeyRevocation(revocationAttributes.reason)) { @@ -530,49 +538,47 @@ class SecretKeyRingEditor( } val revocation = createRevocation(protector, revocationAttributes) - var primaryKey = secretKeyRing.secretKey.publicKey + var primaryKey = key.primaryKey.pgpPublicKey primaryKey = KeyRingUtils.getStrippedDownPublicKey(primaryKey) - primaryKey = PGPPublicKey.addCertification(primaryKey, revocation) - return PGPPublicKeyRing(listOf(primaryKey)) + primaryKey = PGPPublicKey.addCertification(primaryKey, revocation.signature) + return api.toCertificate(PGPPublicKeyRing(listOf(primaryKey))) } override fun createRevocation( protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPSignature { + ): OpenPGPSignature { return generateRevocation( - protector, - secretKeyRing.publicKey, - callbackFromRevocationAttributes(revocationAttributes)) + protector, key.primaryKey, callbackFromRevocationAttributes(revocationAttributes)) } override fun createRevocation( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPSignature { + ): OpenPGPSignature { return generateRevocation( protector, - secretKeyRing.requirePublicKey(subkeyId), + key.getKey(subkeyIdentifier), callbackFromRevocationAttributes(revocationAttributes)) } override fun createRevocation( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, callback: RevocationSignatureSubpackets.Callback? - ): PGPSignature { - return generateRevocation(protector, secretKeyRing.requirePublicKey(subkeyId), callback) + ): OpenPGPSignature { + return generateRevocation(protector, key.getKey(subkeyIdentifier), callback) } override fun createRevocation( subkeyFingerprint: OpenPgpFingerprint, protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPSignature { + ): OpenPGPSignature { return generateRevocation( protector, - secretKeyRing.requirePublicKey(subkeyFingerprint), + key.getKey(subkeyFingerprint.keyIdentifier), callbackFromRevocationAttributes(revocationAttributes)) } @@ -599,8 +605,8 @@ class SecretKeyRingEditor( mapOf(keyIdentifier to oldPassphrase), oldProtectionSettings, null)) } - override fun done(): PGPSecretKeyRing { - return secretKeyRing + override fun done(): OpenPGPKey { + return key } private fun sanitizeUserId(userId: CharSequence): CharSequence = @@ -620,11 +626,11 @@ class SecretKeyRingEditor( private fun generateRevocation( protector: SecretKeyRingProtector, - revokeeSubkey: PGPPublicKey, + revokeeSubkey: OpenPGPComponentKey, callback: RevocationSignatureSubpackets.Callback? - ): PGPSignature { + ): OpenPGPSignature { val signatureType = - if (revokeeSubkey.isMasterKey) SignatureType.KEY_REVOCATION + if (revokeeSubkey.isPrimaryKey) SignatureType.KEY_REVOCATION else SignatureType.SUBKEY_REVOCATION return RevocationSignatureBuilder(signatureType, key.primarySecretKey, protector, api) @@ -644,19 +650,20 @@ class SecretKeyRingEditor( applyCallback(callback) } .let { - secretKeyRing = - injectCertification(secretKeyRing, userId, it.build(userId.toString())) + val secretKeyRing = + injectCertification(key.pgpSecretKeyRing, userId, it.build(userId.toString())) + key = api.toKey(secretKeyRing) } return this } private fun getPreviousDirectKeySignature(): PGPSignature? { - val info = inspectKeyRing(secretKeyRing, referenceTime) + val info = api.inspect(key, referenceTime) return info.latestDirectKeySelfSignature } private fun getPreviousUserIdSignatures(userId: String): PGPSignature? { - val info = inspectKeyRing(secretKeyRing, referenceTime) + val info = api.inspect(key, referenceTime) return info.getLatestUserIdCertification(userId) } @@ -697,7 +704,7 @@ class SecretKeyRingEditor( ) { if (expiration != null) { hashedSubpackets.setKeyExpirationTime( - true, secretKeyRing.publicKey.creationTime, expiration) + true, key.primaryKey.creationTime, expiration) } else { hashedSubpackets.setKeyExpirationTime(KeyExpirationTime(true, 0)) } @@ -714,6 +721,7 @@ class SecretKeyRingEditor( secretKeyRingProtector: SecretKeyRingProtector, prevDirectKeySig: PGPSignature ): OpenPGPSignature { + val secretKeyRing = key.pgpSecretKeyRing return DirectKeySelfSignatureBuilder( secretKeyRing, secretKeyRingProtector, prevDirectKeySig, api) .apply { @@ -736,13 +744,13 @@ class SecretKeyRingEditor( } private fun reissueSubkeyBindingSignature( - subkey: PGPPublicKey, + subkey: OpenPGPComponentKey, expiration: Date?, protector: SecretKeyRingProtector, prevSubkeyBindingSignature: PGPSignature - ): PGPSignature { - val primaryKey = secretKeyRing.publicKey - val secretSubkey: PGPSecretKey? = secretKeyRing.getSecretKey(subkey.keyID) + ): OpenPGPSignature { + val primaryKey = key.primaryKey + val secretSubkey: OpenPGPSecretKey? = key.getSecretKey(subkey) val builder = SubkeyBindingSignatureBuilder( @@ -750,7 +758,7 @@ class SecretKeyRingEditor( builder.hashedSubpackets.apply { // set expiration setSignatureCreationTime(referenceTime) - setKeyExpirationTime(subkey, expiration) + setKeyExpirationTime(subkey.pgpPublicKey, expiration) setSignatureExpirationTime(null) // avoid copying sig exp time // signing-capable subkeys need embedded primary key binding sig @@ -759,7 +767,7 @@ class SecretKeyRingEditor( if (secretSubkey == null) { throw NoSuchElementException( "Secret key does not contain secret-key" + - " component for subkey ${subkey.keyID.openPgpKeyId()}") + " component for subkey ${subkey.keyIdentifier}") } // create new embedded back-sig @@ -767,7 +775,8 @@ class SecretKeyRingEditor( addEmbeddedSignature( PrimaryKeyBindingSignatureBuilder( key.getSecretKey(subkey.keyIdentifier), protector, api) - .build(primaryKey)) + .build(primaryKey) + .signature) } } } @@ -776,7 +785,7 @@ class SecretKeyRingEditor( } private fun selectUserIds(predicate: Predicate): List = - inspectKeyRing(secretKeyRing).validUserIds.filter { predicate.test(it) } + key.validUserIds.map { it.userId }.filter { predicate.test(it) }.toList() private class WithKeyRingEncryptionSettingsImpl( private val editor: SecretKeyRingEditor, @@ -806,15 +815,17 @@ class SecretKeyRingEditor( val protector = PasswordBasedSecretKeyRingProtector( newProtectionSettings, SolitaryPassphraseProvider(passphrase)) - val secretKeys = changePassphrase(keyId, editor.secretKeyRing, oldProtector, protector) - editor.secretKeyRing = secretKeys + val secretKeys = + changePassphrase(keyId, editor.key.pgpSecretKeyRing, oldProtector, protector) + editor.key = editor.api.toKey(secretKeys) return editor } override fun toNoPassphrase(): SecretKeyRingEditorInterface { val protector = UnprotectedKeysProtector() - val secretKeys = changePassphrase(keyId, editor.secretKeyRing, oldProtector, protector) - editor.secretKeyRing = secretKeys + val secretKeys = + changePassphrase(keyId, editor.key.pgpSecretKeyRing, oldProtector, protector) + editor.key = editor.api.toKey(secretKeys) return editor } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt index ad8e36ff..4a1f70ff 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.kt @@ -10,6 +10,9 @@ import java.security.NoSuchAlgorithmException import java.util.* import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature import org.pgpainless.algorithm.KeyFlag import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.generation.KeySpec @@ -262,26 +265,37 @@ interface SecretKeyRingEditorInterface { protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? = null ): SecretKeyRingEditorInterface = - revokeSubKey(fingerprint.keyId, protector, revocationAttributes) + revokeSubKey(fingerprint.keyIdentifier, protector, revocationAttributes) + + @Deprecated("Pass in a KeyIdentifier instead of keyId") + fun revokeSubKey(subkeyId: Long, protector: SecretKeyRingProtector) = + revokeSubKey(KeyIdentifier(subkeyId), protector) /** * Revoke the subkey binding signature of a subkey. The subkey with the provided key-id will be * revoked. If no suitable subkey is found, a [NoSuchElementException] will be thrown. * - * @param subkeyId id of the subkey + * @param subkeyIdentifier id of the subkey * @param protector protector to unlock the primary key * @return the builder * @throws PGPException in case we cannot generate a revocation signature for the subkey */ @Throws(PGPException::class) - fun revokeSubKey(subkeyId: Long, protector: SecretKeyRingProtector) = - revokeSubKey(subkeyId, protector, null as RevocationAttributes?) + fun revokeSubKey(subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector) = + revokeSubKey(subkeyIdentifier, protector, null as RevocationAttributes?) + + @Deprecated("Pass in a KeyIdentifier instead of keyId") + fun revokeSubKey( + subkeyId: Long, + protector: SecretKeyRingProtector, + revocationAttributes: RevocationAttributes? = null + ) = revokeSubKey(KeyIdentifier(subkeyId), protector, revocationAttributes) /** * Revoke the subkey binding signature of a subkey. The subkey with the provided key-id will be * revoked. If no suitable subkey is found, a [NoSuchElementException] will be thrown. * - * @param subkeyId id of the subkey + * @param subkeyIdentifier id of the subkey * @param protector protector to unlock the primary key * @param revocationAttributes reason for the revocation * @return the builder @@ -289,18 +303,25 @@ interface SecretKeyRingEditorInterface { */ @Throws(PGPException::class) fun revokeSubKey( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? = null ): SecretKeyRingEditorInterface + @Deprecated("Pass in a KeyIdentifier instead of keyId.") + fun revokeSubKey( + keyId: Long, + protector: SecretKeyRingProtector, + callback: RevocationSignatureSubpackets.Callback? + ) = revokeSubKey(KeyIdentifier(keyId), protector, callback) + /** * Revoke the subkey binding signature of a subkey. The subkey with the provided key-id will be * revoked. If no suitable subkey is found, a [NoSuchElementException] will be thrown. * * The provided subpackets callback is used to modify the revocation signatures subpackets. * - * @param subkeyId id of the subkey + * @param subkeyIdentifier id of the subkey * @param protector protector to unlock the secret key ring * @param callback callback which can be used to modify the subpackets of the revocation * signature @@ -309,7 +330,7 @@ interface SecretKeyRingEditorInterface { */ @Throws(PGPException::class) fun revokeSubKey( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, callback: RevocationSignatureSubpackets.Callback? ): SecretKeyRingEditorInterface @@ -470,6 +491,14 @@ interface SecretKeyRingEditorInterface { protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface + @Deprecated("Pass in a KeyIdentifier instead of keyId") + @Throws(PGPException::class) + fun setExpirationDateOfSubkey( + expiration: Date?, + keyId: Long, + protector: SecretKeyRingProtector + ) = setExpirationDateOfSubkey(expiration, KeyIdentifier(keyId), protector) + /** * Set the expiration date for the subkey identified by the given keyId to the given expiration * date. If the key is supposed to never expire, then an expiration date of null is expected. @@ -484,7 +513,7 @@ interface SecretKeyRingEditorInterface { @Throws(PGPException::class) fun setExpirationDateOfSubkey( expiration: Date?, - keyId: Long, + keyId: KeyIdentifier, protector: SecretKeyRingProtector ): SecretKeyRingEditorInterface @@ -502,7 +531,7 @@ interface SecretKeyRingEditorInterface { fun createMinimalRevocationCertificate( protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPPublicKeyRing + ): OpenPGPCertificate /** * Create a detached revocation certificate, which can be used to revoke the whole key. The @@ -517,13 +546,21 @@ interface SecretKeyRingEditorInterface { fun createRevocation( protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPSignature + ): OpenPGPSignature + + @Throws(PGPException::class) + @Deprecated("Pass in a KeyIdentifier instead of a keyId") + fun createRevocation( + subkeyId: Long, + protector: SecretKeyRingProtector, + revocationAttributes: RevocationAttributes? + ) = createRevocation(KeyIdentifier(subkeyId), protector, revocationAttributes) /** * Create a detached revocation certificate, which can be used to revoke the specified subkey. * The original key will not be modified by this method. * - * @param subkeyId id of the subkey to be revoked + * @param subkeyIdentifier id of the subkey to be revoked * @param protector protector to unlock the primary key. * @param revocationAttributes reason for the revocation * @return revocation certificate @@ -531,16 +568,24 @@ interface SecretKeyRingEditorInterface { */ @Throws(PGPException::class) fun createRevocation( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPSignature + ): OpenPGPSignature + + @Deprecated("Pass in a KeyIdentifier instead of keyId") + @Throws(PGPException::class) + fun createRevocation( + subkeyId: Long, + protector: SecretKeyRingProtector, + callback: RevocationSignatureSubpackets.Callback? + ) = createRevocation(KeyIdentifier(subkeyId), protector, callback) /** * Create a detached revocation certificate, which can be used to revoke the specified subkey. * The original key will not be modified by this method. * - * @param subkeyId id of the subkey to be revoked + * @param subkeyIdentifier id of the subkey to be revoked * @param protector protector to unlock the primary key. * @param callback callback to modify the subpackets of the revocation certificate. * @return revocation certificate @@ -548,10 +593,10 @@ interface SecretKeyRingEditorInterface { */ @Throws(PGPException::class) fun createRevocation( - subkeyId: Long, + subkeyIdentifier: KeyIdentifier, protector: SecretKeyRingProtector, callback: RevocationSignatureSubpackets.Callback? - ): PGPSignature + ): OpenPGPSignature /** * Create a detached revocation certificate, which can be used to revoke the specified subkey. @@ -568,7 +613,7 @@ interface SecretKeyRingEditorInterface { subkeyFingerprint: OpenPgpFingerprint, protector: SecretKeyRingProtector, revocationAttributes: RevocationAttributes? - ): PGPSignature + ): OpenPGPSignature /** * Change the passphrase of the whole key ring. @@ -676,7 +721,7 @@ interface SecretKeyRingEditorInterface { * * @return the key */ - fun done(): PGPSecretKeyRing + fun done(): OpenPGPKey fun addSubKey( keySpec: KeySpec, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt index a4f9d2bb..1a1125e6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt @@ -7,6 +7,7 @@ package org.pgpainless.key.protection import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider import org.pgpainless.util.Passphrase @@ -32,6 +33,25 @@ class PasswordBasedSecretKeyRingProtector : BaseSecretKeyRingProtector { ) : super(passphraseProvider, settings) companion object { + + @JvmStatic + fun forKey( + cert: OpenPGPCertificate, + passphrase: Passphrase + ): PasswordBasedSecretKeyRingProtector { + return object : SecretKeyPassphraseProvider { + + override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? { + return if (hasPassphrase(keyIdentifier)) passphrase else null + } + + override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean { + return cert.getKey(keyIdentifier) != null + } + } + .let { PasswordBasedSecretKeyRingProtector(it) } + } + @JvmStatic fun forKey( keyRing: PGPKeyRing, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt index 9fe2ea8f..23f455e7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt @@ -12,6 +12,7 @@ import org.bouncycastle.openpgp.PGPSecretKey import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.KeyPassphraseProvider import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider @@ -105,6 +106,10 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { KeyRingProtectionSettings.secureDefaultSettings(), missingPassphraseCallback) + @JvmStatic + fun unlockEachKeyWith(passphrase: Passphrase, keys: OpenPGPKey): SecretKeyRingProtector = + fromPassphraseMap(keys.secretKeys.keys.associateWith { passphrase }) + /** * Use the provided passphrase to lock/unlock all keys in the provided key ring. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.kt index 8c610930..6fde2686 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.kt @@ -8,6 +8,8 @@ import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPPrimaryKey import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm @@ -63,4 +65,7 @@ class PrimaryKeyBindingSignatureBuilder : fun build(primaryKey: PGPPublicKey): PGPSignature = buildAndInitSignatureGenerator() .generateCertification(primaryKey, signingKey.publicKey.pgpPublicKey) + + fun build(primaryKey: OpenPGPPrimaryKey): OpenPGPComponentSignature = + OpenPGPComponentSignature(build(primaryKey.pgpPublicKey), primaryKey, primaryKey) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt index 60879ebc..e41e4308 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt @@ -8,7 +8,11 @@ import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPUserId import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.SignatureType import org.pgpainless.key.protection.SecretKeyRingProtector @@ -59,6 +63,11 @@ constructor( } } + fun build(revokeeKey: OpenPGPComponentKey): OpenPGPSignature { + return OpenPGPComponentSignature( + build(revokeeKey.pgpPublicKey), signingKey.publicKey, revokeeKey) + } + @Throws(PGPException::class) fun build(revokeeUserId: CharSequence): PGPSignature = buildAndInitSignatureGenerator() @@ -69,6 +78,11 @@ constructor( } .generateCertification(revokeeUserId.toString(), signingKey.publicKey.pgpPublicKey) + fun build(revokeeUserId: OpenPGPUserId): OpenPGPComponentSignature { + return OpenPGPComponentSignature( + build(revokeeUserId.userId), signingKey.publicKey, revokeeUserId) + } + init { hashedSubpackets.setRevocable(false) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt index 9816ee29..1dcfa966 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt @@ -8,6 +8,8 @@ import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentSignature import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm @@ -77,4 +79,7 @@ class SubkeyBindingSignatureBuilder : AbstractSignatureBuilder, (String) -> Boolean { @@ -72,6 +73,14 @@ abstract class SelectUserId : Predicate, (String) -> Boolean { @JvmStatic fun byEmail(email: CharSequence) = or(exactMatch(email), containsEmailAddress(email)) + @JvmStatic + fun validUserId(key: OpenPGPCertificate) = + object : SelectUserId() { + private val info = PGPainless.getInstance().inspect(key) + + override fun invoke(userId: String): Boolean = info.isUserIdValid(userId) + } + @JvmStatic fun validUserId(keyRing: PGPKeyRing) = object : SelectUserId() { diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 2356be1f..6fb0192b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -23,6 +23,7 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -130,16 +131,16 @@ public class SigningTest { @ExtendWith(TestAllImplementations.class) public void testSignWithRevokedUserIdFails() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("alice", "password123") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith( Passphrase.fromPassword("password123")); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .revokeUserId("alice", protector) .done(); - final PGPSecretKeyRing fSecretKeys = secretKeys; + final OpenPGPKey fSecretKeys = secretKeys; SigningOptions opts = SigningOptions.get(); // "alice" has been revoked diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 696a17ae..487a8817 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -9,14 +9,14 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; +import java.io.IOException; import java.util.Date; import java.util.List; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -34,25 +34,25 @@ import org.pgpainless.util.Passphrase; /** * PGPainless offers a simple API to modify keys by adding and replacing signatures and/or subkeys. - * The main entry point to this API is {@link PGPainless#modifyKeyRing(PGPSecretKeyRing)}. + * The main entry point to this API is {@link PGPainless#modify(OpenPGPKey)}. */ public class ModifyKeys { private final String userId = "alice@pgpainless.org"; private final String originalPassphrase = "p4ssw0rd"; - private PGPSecretKeyRing secretKey; - private long primaryKeyId; + private OpenPGPKey secretKey; + private KeyIdentifier primaryKeyId; private KeyIdentifier encryptionSubkeyId; private KeyIdentifier signingSubkeyId; @BeforeEach public void generateKey() { - secretKey = PGPainless.generateKeyRing() - .modernKeyRing(userId, originalPassphrase) - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + secretKey = api.generateKey() + .modernKeyRing(userId, originalPassphrase); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); - primaryKeyId = info.getKeyIdentifier().getKeyId(); + KeyRingInfo info = api.inspect(secretKey); + primaryKeyId = info.getKeyIdentifier(); encryptionSubkeyId = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyIdentifier(); signingSubkeyId = info.getSigningSubkeys().get(0).getKeyIdentifier(); } @@ -63,9 +63,9 @@ public class ModifyKeys { @Test public void extractPublicKey() { // the certificate consists of only the public keys - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); + OpenPGPCertificate certificate = secretKey.toCertificate(); - KeyRingInfo info = PGPainless.inspectKeyRing(certificate); + KeyRingInfo info = PGPainless.getInstance().inspect(certificate); assertFalse(info.isSecretKey()); } @@ -73,11 +73,11 @@ public class ModifyKeys { * This example demonstrates how to export a secret key or certificate to an ASCII armored string. */ @Test - public void toAsciiArmoredString() { - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); + public void toAsciiArmoredString() throws IOException { + OpenPGPCertificate certificate = secretKey.toCertificate(); - String asciiArmoredSecretKey = PGPainless.asciiArmor(secretKey); - String asciiArmoredCertificate = PGPainless.asciiArmor(certificate); + String asciiArmoredSecretKey = secretKey.toAsciiArmoredString(); + String asciiArmoredCertificate = certificate.toAsciiArmoredString(); assertTrue(asciiArmoredSecretKey.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----")); assertTrue(asciiArmoredCertificate.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")); @@ -88,7 +88,8 @@ public class ModifyKeys { */ @Test public void changePassphrase() throws PGPException { - secretKey = PGPainless.modifyKeyRing(secretKey) + PGPainless api = PGPainless.getInstance(); + secretKey = api.modify(secretKey) .changePassphraseFromOldPassphrase(Passphrase.fromPassword(originalPassphrase)) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("n3wP4ssW0rD")) @@ -96,9 +97,9 @@ public class ModifyKeys { // Old passphrase no longer works assertThrows(WrongPassphraseException.class, () -> - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(), Passphrase.fromPassword(originalPassphrase))); + UnlockSecretKey.unlockSecretKey(secretKey.getPGPSecretKeyRing().getSecretKey(), Passphrase.fromPassword(originalPassphrase))); // But the new one does - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(), Passphrase.fromPassword("n3wP4ssW0rD")); + UnlockSecretKey.unlockSecretKey(secretKey.getPGPSecretKeyRing().getSecretKey(), Passphrase.fromPassword("n3wP4ssW0rD")); } /** @@ -107,9 +108,10 @@ public class ModifyKeys { */ @Test public void changeSingleSubkeyPassphrase() throws PGPException { - secretKey = PGPainless.modifyKeyRing(secretKey) + PGPainless api = PGPainless.getInstance(); + secretKey = api.modify(secretKey) // Here we change the passphrase of the encryption subkey - .changeSubKeyPassphraseFromOldPassphrase(encryptionSubkeyId.getKeyId(), Passphrase.fromPassword(originalPassphrase)) + .changeSubKeyPassphraseFromOldPassphrase(encryptionSubkeyId, Passphrase.fromPassword(originalPassphrase)) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("cryptP4ssphr4s3")) .done(); @@ -117,12 +119,12 @@ public class ModifyKeys { // encryption key can now only be unlocked using the new passphrase assertThrows(WrongPassphraseException.class, () -> UnlockSecretKey.unlockSecretKey( - secretKey.getSecretKey(encryptionSubkeyId), Passphrase.fromPassword(originalPassphrase))); + secretKey.getSecretKey(encryptionSubkeyId).getPGPSecretKey(), Passphrase.fromPassword(originalPassphrase))); UnlockSecretKey.unlockSecretKey( - secretKey.getSecretKey(encryptionSubkeyId), Passphrase.fromPassword("cryptP4ssphr4s3")); + secretKey.getSecretKey(encryptionSubkeyId).getPGPSecretKey(), Passphrase.fromPassword("cryptP4ssphr4s3")); // primary key remains unchanged UnlockSecretKey.unlockSecretKey( - secretKey.getSecretKey(primaryKeyId), Passphrase.fromPassword(originalPassphrase)); + secretKey.getSecretKey(primaryKeyId).getPGPSecretKey(), Passphrase.fromPassword(originalPassphrase)); } /** @@ -130,13 +132,14 @@ public class ModifyKeys { */ @Test public void addUserId() throws PGPException { + PGPainless api = PGPainless.getInstance(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); - secretKey = PGPainless.modifyKeyRing(secretKey) + secretKey = api.modify(secretKey) .addUserId("additional@user.id", protector) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo info = api.inspect(secretKey); assertTrue(info.isUserIdValid("additional@user.id")); assertFalse(info.isUserIdValid("another@user.id")); } @@ -156,11 +159,12 @@ public class ModifyKeys { */ @Test public void addSubkey() { + PGPainless api = PGPainless.getInstance(); // Protector for unlocking the existing secret key SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); Passphrase subkeyPassphrase = Passphrase.fromPassword("subk3yP4ssphr4s3"); - secretKey = PGPainless.modifyKeyRing(secretKey) + secretKey = api.modify(secretKey) .addSubKey( KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._BRAINPOOLP512R1), KeyFlag.ENCRYPT_COMMS) .build(), @@ -168,7 +172,7 @@ public class ModifyKeys { protector) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo info = api.inspect(secretKey); assertEquals(4, info.getSecretKeys().size()); assertEquals(4, info.getPublicKeys().size()); List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); @@ -176,7 +180,7 @@ public class ModifyKeys { OpenPGPCertificate.OpenPGPComponentKey addedKey = encryptionSubkeys.stream() .filter(it -> !it.getKeyIdentifier().matches(encryptionSubkeyId)).findFirst() .get(); - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(addedKey.getKeyIdentifier()), subkeyPassphrase); + UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(addedKey.getKeyIdentifier()).getPGPSecretKey(), subkeyPassphrase); } /** @@ -185,15 +189,16 @@ public class ModifyKeys { */ @Test public void setKeyExpirationDate() { + PGPainless api = PGPainless.getInstance(); Date expirationDate = DateUtil.parseUTCDate("2030-06-24 12:44:56 UTC"); SecretKeyRingProtector protector = SecretKeyRingProtector .unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); - secretKey = PGPainless.modifyKeyRing(secretKey) + secretKey = api.modify(secretKey) .setExpirationDate(expirationDate, protector) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo info = api.inspect(secretKey); assertEquals(DateUtil.formatUTCDate(expirationDate), DateUtil.formatUTCDate(info.getPrimaryKeyExpirationDate())); assertEquals(DateUtil.formatUTCDate(expirationDate), @@ -207,19 +212,20 @@ public class ModifyKeys { */ @Test public void revokeUserId() throws PGPException { + PGPainless api = PGPainless.getInstance(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith( Passphrase.fromPassword(originalPassphrase), secretKey); - secretKey = PGPainless.modifyKeyRing(secretKey) + secretKey = api.modify(secretKey) .addUserId("alcie@pgpainless.org", protector) .done(); // Initially the user-id is valid - assertTrue(PGPainless.inspectKeyRing(secretKey).isUserIdValid("alcie@pgpainless.org")); + assertTrue(api.inspect(secretKey).isUserIdValid("alcie@pgpainless.org")); // Revoke the second user-id - secretKey = PGPainless.modifyKeyRing(secretKey) + secretKey = api.modify(secretKey) .revokeUserId("alcie@pgpainless.org", protector) .done(); // Now the user-id is no longer valid - assertFalse(PGPainless.inspectKeyRing(secretKey).isUserIdValid("alcie@pgpainless.org")); + assertFalse(api.inspect(secretKey).isUserIdValid("alcie@pgpainless.org")); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java index cd4c7319..38ba2a2d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java @@ -14,8 +14,11 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPUtil; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator; +import org.pgpainless.PGPainless; import org.pgpainless.util.Passphrase; public class TestKeys { @@ -265,6 +268,10 @@ public class TestKeys { "=1d67\n" + "-----END PGP PRIVATE KEY BLOCK-----"; + public static OpenPGPKey getJulietKey() throws PGPException, IOException { + return PGPainless.getInstance().toKey(getJulietSecretKeyRing()); + } + public static PGPSecretKeyRing getJulietSecretKeyRing() throws IOException, PGPException { if (julietSecretKeyRing == null) { julietSecretKeyRing = new PGPSecretKeyRing( @@ -281,6 +288,10 @@ public class TestKeys { return julietSecretKeyRingCollection; } + public static OpenPGPCertificate getJulietCertificate() throws IOException { + return PGPainless.getInstance().toCertificate(getJulietPublicKeyRing()); + } + public static PGPPublicKeyRing getJulietPublicKeyRing() throws IOException { if (julietPublicKeyRing == null) { julietPublicKeyRing = new PGPPublicKeyRing( @@ -297,6 +308,10 @@ public class TestKeys { return julietPublicKeyRingCollection; } + public static OpenPGPKey getRomeoKey() throws PGPException, IOException { + return PGPainless.getInstance().toKey(getRomeoSecretKeyRing()); + } + public static PGPSecretKeyRing getRomeoSecretKeyRing() throws IOException, PGPException { if (romeoSecretKeyRing == null) { romeoSecretKeyRing = new PGPSecretKeyRing( @@ -313,6 +328,10 @@ public class TestKeys { return romeoSecretKeyRingCollection; } + public static OpenPGPCertificate getRomeoCertificate() throws IOException { + return PGPainless.getInstance().toCertificate(getRomeoPublicKeyRing()); + } + public static PGPPublicKeyRing getRomeoPublicKeyRing() throws IOException { if (romeoPublicKeyRing == null) { romeoPublicKeyRing = new PGPPublicKeyRing( @@ -329,6 +348,10 @@ public class TestKeys { return romeoPublicKeyRingCollection; } + public static OpenPGPKey getEmilKey() throws PGPException, IOException { + return PGPainless.getInstance().toKey(getEmilSecretKeyRing()); + } + public static PGPSecretKeyRing getEmilSecretKeyRing() throws IOException, PGPException { if (emilSecretKeyRing == null) { emilSecretKeyRing = new PGPSecretKeyRing( @@ -345,6 +368,10 @@ public class TestKeys { return emilSecretKeyRingCollection; } + public static OpenPGPCertificate getEmilCertificate() throws IOException { + return PGPainless.getInstance().toCertificate(getEmilPublicKeyRing()); + } + public static PGPPublicKeyRing getEmilPublicKeyRing() throws IOException { if (emilPublicKeyRing == null) { emilPublicKeyRing = new PGPPublicKeyRing( @@ -361,6 +388,10 @@ public class TestKeys { return emilPublicKeyRingCollection; } + public static OpenPGPKey getCryptieKey() throws PGPException, IOException { + return PGPainless.getInstance().toKey(getCryptieSecretKeyRing()); + } + public static PGPSecretKeyRing getCryptieSecretKeyRing() throws IOException, PGPException { if (cryptieSecretKeyRing == null) { cryptieSecretKeyRing = new PGPSecretKeyRing( @@ -377,6 +408,10 @@ public class TestKeys { return cryptieSecretKeyRingCollection; } + public static OpenPGPCertificate getCryptieCertificate() throws IOException { + return PGPainless.getInstance().toCertificate(getCryptiePublicKeyRing()); + } + public static PGPPublicKeyRing getCryptiePublicKeyRing() throws IOException { if (cryptiePublicKeyRing == null) { cryptiePublicKeyRing = new PGPPublicKeyRing( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index b5c5a3a3..c8b86159 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -18,10 +18,10 @@ import java.util.List; import org.bouncycastle.bcpg.sig.IssuerFingerprint; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; @@ -39,10 +39,10 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForUserIdSignatures() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - Date plus1Sec = new Date(secretKeys.getPublicKey().getCreationTime().getTime() + 1000); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); + Date plus1Sec = new Date(secretKeys.getPrimarySecretKey().getCreationTime().getTime() + 1000); + KeyRingInfo info = api.inspect(secretKeys); PGPSignature userIdSig = info.getLatestUserIdCertification("Alice"); assertNotNull(userIdSig); int keyFlags = userIdSig.getHashedSubPackets().getKeyFlags(); @@ -54,7 +54,7 @@ public class KeyGenerationSubpacketsTest { assertEquals("Alice", info.getPrimaryUserId()); - secretKeys = PGPainless.modifyKeyRing(secretKeys, plus1Sec) + secretKeys = api.modify(secretKeys, plus1Sec) .addUserId("Bob", new SelfSignatureSubpackets.Callback() { @Override @@ -66,7 +66,7 @@ public class KeyGenerationSubpacketsTest { .addUserId("Alice", SecretKeyRingProtector.unprotectedKeys()) .done(); - info = PGPainless.inspectKeyRing(secretKeys, plus1Sec); + info = api.inspect(secretKeys, plus1Sec); userIdSig = info.getLatestUserIdCertification("Alice"); assertNotNull(userIdSig); @@ -89,7 +89,7 @@ public class KeyGenerationSubpacketsTest { Date now = plus1Sec; Date t1 = new Date(now.getTime() + 1000 * 60 * 60); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) + secretKeys = api.modify(secretKeys, t1) .addUserId("Alice", new SelfSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { @@ -98,7 +98,7 @@ public class KeyGenerationSubpacketsTest { } }, SecretKeyRingProtector.unprotectedKeys()) .done(); - info = PGPainless.inspectKeyRing(secretKeys, t1); + info = api.inspect(secretKeys, t1); assertEquals("Alice", info.getPrimaryUserId()); assertEquals(Collections.singleton(HashAlgorithm.SHA1), info.getPreferredHashAlgorithms("Alice")); } @@ -106,29 +106,29 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForSubkeyBindingSignatures() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); + KeyRingInfo info = api.inspect(secretKeys); List keysBefore = info.getPublicKeys(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addSubKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).build(), Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys()) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = api.inspect(secretKeys); List keysAfter = new ArrayList<>(info.getPublicKeys()); keysAfter.removeAll(keysBefore); assertEquals(1, keysAfter.size()); OpenPGPCertificate.OpenPGPComponentKey newSigningKey = keysAfter.get(0); - PGPSignature bindingSig = info.getCurrentSubkeyBindingSignature(newSigningKey.getKeyIdentifier().getKeyId()); + PGPSignature bindingSig = info.getCurrentSubkeyBindingSignature(newSigningKey.getKeyIdentifier()); assertNotNull(bindingSig); assureSignatureHasDefaultSubpackets(bindingSig, secretKeys, KeyFlag.SIGN_DATA); assertNotNull(bindingSig.getHashedSubPackets().getEmbeddedSignatures().get(0)); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addSubKey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS).build(), Passphrase.emptyPassphrase(), new SelfSignatureSubpackets.Callback() { @@ -139,24 +139,24 @@ public class KeyGenerationSubpacketsTest { }, SecretKeyRingProtector.unprotectedKeys()) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = api.inspect(secretKeys); keysAfter = new ArrayList<>(info.getPublicKeys()); keysAfter.removeAll(keysBefore); keysAfter.remove(newSigningKey); assertEquals(1, keysAfter.size()); OpenPGPCertificate.OpenPGPComponentKey newEncryptionKey = keysAfter.get(0); - bindingSig = info.getCurrentSubkeyBindingSignature(newEncryptionKey.getKeyIdentifier().getKeyId()); + bindingSig = info.getCurrentSubkeyBindingSignature(newEncryptionKey.getKeyIdentifier()); assertNotNull(bindingSig); assertNull(bindingSig.getHashedSubPackets().getIssuerFingerprint()); assertEquals(KeyFlag.toBitmask(KeyFlag.ENCRYPT_COMMS), bindingSig.getHashedSubPackets().getKeyFlags()); } - private void assureSignatureHasDefaultSubpackets(PGPSignature signature, PGPSecretKeyRing secretKeys, KeyFlag... keyFlags) { + private void assureSignatureHasDefaultSubpackets(PGPSignature signature, OpenPGPKey secretKeys, KeyFlag... keyFlags) { PGPSignatureSubpacketVector hashedSubpackets = signature.getHashedSubPackets(); assertNotNull(hashedSubpackets.getIssuerFingerprint()); - assertEquals(secretKeys.getPublicKey().getKeyID(), hashedSubpackets.getIssuerKeyID()); + assertEquals(secretKeys.getKeyIdentifier().getKeyId(), hashedSubpackets.getIssuerKeyID()); assertArrayEquals( - secretKeys.getPublicKey().getFingerprint(), + secretKeys.getFingerprint(), hashedSubpackets.getIssuerFingerprint().getFingerprint()); assertEquals(hashedSubpackets.getKeyFlags(), KeyFlag.toBitmask(keyFlags)); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index e79e03ae..c7d20491 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -24,9 +24,7 @@ import java.util.Set; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; @@ -50,7 +48,6 @@ import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; @@ -62,11 +59,12 @@ public class KeyRingInfoTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testWithEmilsKeys() throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - PGPPublicKeyRing publicKeys = TestKeys.getEmilPublicKeyRing(); - KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); - KeyRingInfo pInfo = PGPainless.inspectKeyRing(publicKeys); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + OpenPGPCertificate publicKeys = TestKeys.getEmilCertificate(); + KeyRingInfo sInfo = api.inspect(secretKeys); + KeyRingInfo pInfo = api.inspect(publicKeys); assertEquals(TestKeys.EMIL_KEY_ID, sInfo.getKeyIdentifier().getKeyId()); assertEquals(TestKeys.EMIL_KEY_ID, pInfo.getKeyIdentifier().getKeyId()); @@ -108,13 +106,13 @@ public class KeyRingInfoTest { assertNull(sInfo.getRevocationDate()); assertNull(pInfo.getRevocationDate()); Date revocationDate = DateUtil.now(); - PGPSecretKeyRing revoked = PGPainless.modifyKeyRing(secretKeys).revoke( + OpenPGPKey revoked = api.modify(secretKeys).revoke( new UnprotectedKeysProtector(), RevocationAttributes.createKeyRevocation() .withReason(RevocationAttributes.Reason.KEY_RETIRED) .withoutDescription() ).done(); - KeyRingInfo rInfo = PGPainless.inspectKeyRing(revoked); + KeyRingInfo rInfo = api.inspect(revoked); assertNotNull(rInfo.getRevocationDate()); assertEquals(revocationDate.getTime(), rInfo.getRevocationDate().getTime(), 5); assertEquals(revocationDate.getTime(), rInfo.getLastModified().getTime(), 5); @@ -125,32 +123,34 @@ public class KeyRingInfoTest { @Test public void testIsFullyDecrypted() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + KeyRingInfo info = api.inspect(secretKeys); assertTrue(info.isFullyDecrypted()); - secretKeys = encryptSecretKeys(secretKeys); - info = PGPainless.inspectKeyRing(secretKeys); + secretKeys = encryptSecretKeys(secretKeys, api); + info = api.inspect(secretKeys); assertFalse(info.isFullyDecrypted()); } @Test public void testIsFullyEncrypted() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + KeyRingInfo info = api.inspect(secretKeys); assertFalse(info.isFullyEncrypted()); - secretKeys = encryptSecretKeys(secretKeys); - info = PGPainless.inspectKeyRing(secretKeys); + secretKeys = encryptSecretKeys(secretKeys, api); + info = api.inspect(secretKeys); assertTrue(info.isFullyEncrypted()); } - private static PGPSecretKeyRing encryptSecretKeys(PGPSecretKeyRing secretKeys) throws PGPException { - return PGPainless.modifyKeyRing(secretKeys) + private static OpenPGPKey encryptSecretKeys(OpenPGPKey secretKeys, PGPainless api) throws PGPException { + return api.modify(secretKeys) .changePassphraseFromOldPassphrase(Passphrase.emptyPassphrase()) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("sw0rdf1sh")) @@ -160,27 +160,29 @@ public class KeyRingInfoTest { @Test public void testGetSecretKey() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); - PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); + OpenPGPCertificate publicKeys = secretKeys.toCertificate(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); OpenPGPKey.OpenPGPSecretKey primarySecretKey = info.getSecretKey(); assertNotNull(primarySecretKey); - assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), primarySecretKey.getPGPSecretKey()); + assertEquals(secretKeys.getPrimarySecretKey().getPGPSecretKey(), primarySecretKey.getPGPSecretKey()); - info = PGPainless.inspectKeyRing(publicKeys); + info = api.inspect(publicKeys); assertNull(info.getSecretKey()); } @Test public void testGetPublicKey() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - assertEquals(KeyRingUtils.requirePrimaryPublicKeyFrom(secretKeys), info.getPrimaryKey().getPGPPublicKey()); + KeyRingInfo info = api.inspect(secretKeys); + assertEquals(secretKeys.getPrimaryKey().getPGPPublicKey(), info.getPrimaryKey().getPGPPublicKey()); - assertEquals(KeyRingUtils.requirePrimarySecretKeyFrom(secretKeys), - KeyRingUtils.requireSecretKeyFrom(secretKeys, secretKeys.getPublicKey().getKeyID())); + assertEquals(secretKeys.getPrimarySecretKey().getPGPSecretKey(), + secretKeys.getPGPSecretKeyRing().getSecretKey(secretKeys.getKeyIdentifier())); } @TestTemplate @@ -224,8 +226,8 @@ public class KeyRingInfoTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testGetKeysWithFlagsAndExpiry() { - - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder( @@ -234,10 +236,9 @@ public class KeyRingInfoTest { .addSubkey(KeySpec.getBuilder( KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.SIGN_DATA)) .addUserId(UserId.builder().withName("Alice").withEmail("alice@pgpainless.org").build()) - .build() - .getPGPSecretKeyRing(); + .build(); - Iterator keys = secretKeys.iterator(); + Iterator keys = secretKeys.getPGPSecretKeyRing().iterator(); Date now = DateUtil.now(); Calendar calendar = Calendar.getInstance(); @@ -255,11 +256,11 @@ public class KeyRingInfoTest { PGPSecretKey signingKey = keys.next(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .setExpirationDate(primaryKeyExpiration, protector) .done(); - KeyRingInfo info = new KeyRingInfo(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); List encryptionKeys = info.getKeysWithKeyFlag(KeyFlag.ENCRYPT_STORAGE); assertEquals(1, encryptionKeys.size()); @@ -354,9 +355,10 @@ public class KeyRingInfoTest { "crH02GDG8CotAnEHkLTz9GPO80q8mowzBV0EtHsXb4TeAFw5T5Qd0a5I+wk=\n" + "=Vcb3\n" + "-----END PGP ARMORED FILE-----\n"; - OpenPGPCertificate certificate = PGPainless.getInstance().readKey().parseCertificate(KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.readKey().parseCertificate(KEY); - KeyRingInfo info = PGPainless.inspectKeyRing(certificate, DateUtil.parseUTCDate("2021-10-10 00:00:00 UTC")); + KeyRingInfo info = api.inspect(certificate, DateUtil.parseUTCDate("2021-10-10 00:00:00 UTC")); // Subkey is hard revoked assertFalse(info.isKeyValidlyBound(new KeyIdentifier(5364407983539305061L))); } @@ -434,14 +436,15 @@ public class KeyRingInfoTest { "=7Feh\n" + "-----END PGP ARMORED FILE-----\n"; - OpenPGPCertificate certificate = PGPainless.getInstance().readKey().parseCertificate(KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.readKey().parseCertificate(KEY); final KeyIdentifier subkeyId = new KeyIdentifier(5364407983539305061L); - KeyRingInfo inspectDuringRevokedPeriod = PGPainless.inspectKeyRing(certificate, DateUtil.parseUTCDate("2019-01-02 00:00:00 UTC")); + KeyRingInfo inspectDuringRevokedPeriod = api.inspect(certificate, DateUtil.parseUTCDate("2019-01-02 00:00:00 UTC")); assertFalse(inspectDuringRevokedPeriod.isKeyValidlyBound(subkeyId)); assertNotNull(inspectDuringRevokedPeriod.getSubkeyRevocationSignature(subkeyId)); - KeyRingInfo inspectAfterRebinding = PGPainless.inspectKeyRing(certificate, DateUtil.parseUTCDate("2020-01-02 00:00:00 UTC")); + KeyRingInfo inspectAfterRebinding = api.inspect(certificate, DateUtil.parseUTCDate("2020-01-02 00:00:00 UTC")); assertTrue(inspectAfterRebinding.isKeyValidlyBound(subkeyId)); } @@ -518,9 +521,10 @@ public class KeyRingInfoTest { "=MhJL\n" + "-----END PGP ARMORED FILE-----\n"; - OpenPGPCertificate keys = PGPainless.getInstance().readKey().parseCertificate(KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate keys = api.readKey().parseCertificate(KEY); - KeyRingInfo info = PGPainless.inspectKeyRing(keys); + KeyRingInfo info = api.inspect(keys); // Primary key is hard revoked assertFalse(info.isKeyValidlyBound(keys.getKeyIdentifier())); assertFalse(info.isFullyEncrypted()); @@ -528,49 +532,48 @@ public class KeyRingInfoTest { @Test public void getSecretKeyTest() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - OpenPGPKey key = new OpenPGPKey(secretKeys); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); + KeyRingInfo info = api.inspect(secretKeys); OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(secretKeys); OpenPGPKey.OpenPGPSecretKey primaryKey = info.getSecretKey(primaryKeyFingerprint); assertNotNull(primaryKey); - assertEquals(key.getPrimarySecretKey().getKeyIdentifier(), primaryKey.getKeyIdentifier()); + assertEquals(secretKeys.getPrimarySecretKey().getKeyIdentifier(), primaryKey.getKeyIdentifier()); } @Test public void testGetLatestKeyCreationDate() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); Date latestCreationDate = DateUtil.parseUTCDate("2020-01-12 18:01:44 UTC"); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = PGPainless.getInstance().inspect(secretKeys); JUtils.assertDateEquals(latestCreationDate, info.getLatestKeyCreationDate()); } @Test public void testGetExpirationDateForUse_SPLIT() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + KeyRingInfo info = PGPainless.getInstance().inspect(secretKeys); assertThrows(IllegalArgumentException.class, () -> info.getExpirationDateForUse(KeyFlag.SPLIT)); } @Test public void testGetExpirationDateForUse_SHARED() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + KeyRingInfo info = PGPainless.getInstance().inspect(secretKeys); assertThrows(IllegalArgumentException.class, () -> info.getExpirationDateForUse(KeyFlag.SHARED)); } @Test public void testGetExpirationDateForUse_NoSuchKey() { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = PGPainless.buildKeyRing() .addUserId("Alice") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) - .build() - .getPGPSecretKeyRing(); + .build(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertThrows(NoSuchElementException.class, () -> info.getExpirationDateForUse(KeyFlag.ENCRYPT_COMMS)); } @@ -600,8 +603,8 @@ public class KeyRingInfoTest { "/+XL+qMMgLHaQ25aA11GVAkC\n" + "=7gbt\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - - OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); final KeyIdentifier pkid = new KeyIdentifier(6643807985200014832L); final KeyIdentifier skid1 = new KeyIdentifier(-2328413746552029063L); final KeyIdentifier skid2 = new KeyIdentifier(-3276877650571760552L); @@ -611,7 +614,7 @@ public class KeyRingInfoTest { Arrays.asList(CompressionAlgorithm.ZLIB, CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZIP, CompressionAlgorithm.UNCOMPRESSED)); Set preferredSymmetricAlgorithms = new LinkedHashSet<>( Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128)); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); // Bob is an invalid userId assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob")); @@ -694,10 +697,10 @@ public class KeyRingInfoTest { "C9h35EjDuD+1COXUOoW2B8LX6m2yf8cY72K70QgtGemj7UWhXL5u/wARAQAB\n" + "=A3B8\n" + "-----END PGP PUBLIC KEY BLOCK-----\n"; - - OpenPGPCertificate certificate = PGPainless.getInstance().readKey().parseCertificate(KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.readKey().parseCertificate(KEY); OpenPgpV4Fingerprint unboundKey = new OpenPgpV4Fingerprint("D622C916384E0F6D364907E55D918BBD521CCD10"); - KeyRingInfo info = PGPainless.inspectKeyRing(certificate); + KeyRingInfo info = api.inspect(certificate); assertFalse(info.isKeyValidlyBound(unboundKey.getKeyIdentifier())); @@ -773,9 +776,9 @@ public class KeyRingInfoTest { "qDzPRwEAhdVBeryRUcwjgwHX0xmMFK7vLkdonn8BR2++nXBO2g8=\n" + "=ZRAy\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - - OpenPGPKey secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); + KeyRingInfo info = api.inspect(secretKeys); List emails = info.getEmailAddresses(); assertEquals(emails, Arrays.asList("alice@email.tld", "alice@pgpainless.org", "alice@openpgp.org", "alice@rfc4880.spec")); @@ -805,9 +808,9 @@ public class KeyRingInfoTest { "J5wP\n" + "=nFoO\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - - OpenPGPCertificate cert = PGPainless.getInstance().readKey().parseCertificate(CERT); - KeyRingInfo info = PGPainless.inspectKeyRing(cert); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate cert = api.readKey().parseCertificate(CERT); + KeyRingInfo info = api.inspect(cert); assertTrue(info.isUsableForEncryption()); } @@ -833,9 +836,9 @@ public class KeyRingInfoTest { "2XO/hpB2T8VXFfFKwj7U9LGkX+ciLg==\n" + "=etPP\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - - OpenPGPCertificate publicKeys = PGPainless.getInstance().readKey().parseCertificate(CERT); - KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate publicKeys = api.readKey().parseCertificate(CERT); + KeyRingInfo info = api.inspect(publicKeys); assertTrue(info.isUsableForEncryption(EncryptionPurpose.COMMUNICATIONS)); assertTrue(info.isUsableForEncryption(EncryptionPurpose.ANY)); @@ -870,8 +873,9 @@ public class KeyRingInfoTest { "AQCjeV+3VT+u1movwIYv4XkzB6gB+B2C+DK9nvG5sXZhBg==\n" + "=uqmO\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - OpenPGPCertificate publicKeys = PGPainless.getInstance().readKey().parseCertificate(CERT); - KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate publicKeys = api.readKey().parseCertificate(CERT); + KeyRingInfo info = api.inspect(publicKeys); assertFalse(info.isUsableForEncryption()); assertFalse(info.isUsableForEncryption(EncryptionPurpose.ANY)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java index a8d412ad..2a3895b5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java @@ -7,7 +7,7 @@ package org.pgpainless.key.info; import static org.junit.jupiter.api.Assertions.assertEquals; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -16,13 +16,13 @@ public class PrimaryUserIdTest { @Test public void testGetPrimaryUserId() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit") - .getPGPSecretKeyRing(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().simpleEcKeyRing("alice@wonderland.lit"); + secretKeys = api.modify(secretKeys) .addUserId("mad_alice@wonderland.lit", SecretKeyRingProtector.unprotectedKeys()) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertEquals("alice@wonderland.lit", info.getPrimaryUserId()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index cf34f9fe..301daed5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -15,11 +15,12 @@ import java.util.Arrays; import java.util.List; import java.util.NoSuchElementException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.bcpg.SignatureSubpacketTags; import org.bouncycastle.bcpg.sig.RevocationReason; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; @@ -37,7 +38,8 @@ public class UserIdRevocationTest { @Test public void testRevocationWithoutRevocationAttributes() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) @@ -45,28 +47,27 @@ public class UserIdRevocationTest { KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS)) .addUserId("primary@key.id") .addUserId("secondary@key.id") - .build() - .getPGPSecretKeyRing(); + .build(); // make a copy with revoked subkey - PGPSecretKeyRing revoked = PGPainless.modifyKeyRing(secretKeys) + OpenPGPKey revoked = api.modify(secretKeys) .revokeUserId("secondary@key.id", new UnprotectedKeysProtector()) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(revoked); + KeyRingInfo info = api.inspect(revoked); List userIds = info.getUserIds(); assertEquals(Arrays.asList("primary@key.id", "secondary@key.id"), userIds); assertTrue(info.isUserIdValid("primary@key.id")); assertFalse(info.isUserIdValid("sedondary@key.id")); assertFalse(info.isUserIdValid("tertiary@key.id")); - info = PGPainless.inspectKeyRing(secretKeys); + info = api.inspect(secretKeys); assertTrue(info.isUserIdValid("secondary@key.id")); // key on original secret key ring is still valid - revoked = PGPainless.modifyKeyRing(secretKeys) + revoked = api.modify(secretKeys) .revokeUserId("secondary@key.id", new UnprotectedKeysProtector()) .done(); - info = PGPainless.inspectKeyRing(revoked); + info = api.inspect(revoked); userIds = info.getUserIds(); assertEquals(Arrays.asList("primary@key.id", "secondary@key.id"), userIds); assertTrue(info.isUserIdValid("primary@key.id")); @@ -76,23 +77,23 @@ public class UserIdRevocationTest { @Test public void testRevocationWithRevocationReason() { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS)) .addUserId("primary@key.id") .addUserId("secondary@key.id") - .build() - .getPGPSecretKeyRing(); + .build(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .revokeUserId("secondary@key.id", new UnprotectedKeysProtector(), RevocationAttributes.createCertificateRevocation() .withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) .withDescription("I lost my mail password")) .done(); - KeyRingInfo info = new KeyRingInfo(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); PGPSignature signature = info.getUserIdRevocation("secondary@key.id"); assertNotNull(signature); @@ -104,31 +105,31 @@ public class UserIdRevocationTest { @Test public void unknownKeyThrowsIllegalArgumentException() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector - .forKey(secretKeys.getSecretKey(), TestKeys.CRYPTIE_PASSPHRASE); + .forKey(secretKeys, TestKeys.CRYPTIE_PASSPHRASE); - assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys) - .revokeSubKey(1L, protector)); + assertThrows(NoSuchElementException.class, () -> PGPainless.getInstance().modify(secretKeys) + .revokeSubKey(new KeyIdentifier(1L), protector)); } @Test public void unknownUserIdThrowsNoSuchElementException() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector - .forKey(secretKeys.getSecretKey(), TestKeys.CRYPTIE_PASSPHRASE); + .forKey(secretKeys, TestKeys.CRYPTIE_PASSPHRASE); - assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys) + assertThrows(NoSuchElementException.class, () -> PGPainless.getInstance().modify(secretKeys) .revokeUserId("invalid@user.id", protector)); } @Test public void invalidRevocationReasonThrowsIllegalArgumentException() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector - .forKey(secretKeys.getSecretKey(), TestKeys.CRYPTIE_PASSPHRASE); + .forKey(secretKeys, TestKeys.CRYPTIE_PASSPHRASE); - assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys) + assertThrows(IllegalArgumentException.class, () -> PGPainless.getInstance().modify(secretKeys) .revokeUserId("cryptie@encrypted.key", protector, RevocationAttributes.createKeyRevocation().withReason(RevocationAttributes.Reason.KEY_RETIRED) .withDescription("This is not a valid certification revocation reason."))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index 02967ad3..7e2d8a38 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -16,8 +16,7 @@ import java.util.List; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; @@ -39,14 +38,15 @@ public class AddSubKeyTest { @ExtendWith(TestAllImplementations.class) public void testAddSubKey() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); List keyIdentifiersBefore = new ArrayList<>(); - for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { + for (Iterator it = secretKeys.getPGPSecretKeyRing().getPublicKeys(); it.hasNext(); ) { keyIdentifiersBefore.add(it.next().getKeyIdentifier()); } - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addSubKey( KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA).build(), Passphrase.fromPassword("subKeyPassphrase"), @@ -54,7 +54,7 @@ public class AddSubKeyTest { .done(); List keyIdentifiersAfter = new ArrayList<>(); - for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { + for (Iterator it = secretKeys.getPGPSecretKeyRing().getPublicKeys(); it.hasNext(); ) { keyIdentifiersAfter.add(it.next().getKeyIdentifier()); } assertNotEquals(keyIdentifiersAfter, keyIdentifiersBefore); @@ -62,12 +62,12 @@ public class AddSubKeyTest { keyIdentifiersAfter.removeAll(keyIdentifiersBefore); KeyIdentifier subKeyIdentifier = keyIdentifiersAfter.get(0); - PGPSecretKey subKey = secretKeys.getSecretKey(subKeyIdentifier); + OpenPGPKey.OpenPGPSecretKey subKey = secretKeys.getSecretKey(subKeyIdentifier); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith( Passphrase.fromPassword("subKeyPassphrase"), secretKeys); UnlockSecretKey.unlockSecretKey(subKey, protector); - KeyRingInfo info = new KeyRingInfo(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertEquals(Collections.singletonList(KeyFlag.SIGN_DATA), info.getKeyFlagsOf(subKeyIdentifier)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java index a3aea2f0..86bcd54e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpacketsTest.java @@ -14,9 +14,9 @@ import java.util.List; import org.bouncycastle.bcpg.sig.NotationData; import org.bouncycastle.openpgp.PGPKeyPair; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -38,11 +38,11 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { @Test public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() { + PGPainless api = PGPainless.getInstance(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice "); + KeyRingInfo before = api.inspect(secretKeys); List signingKeysBefore = before.getSigningSubkeys(); PGPKeyPair secretSubkey = KeyRingBuilder.generateKeyPair( @@ -50,7 +50,7 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { OpenPGPKeyVersion.v4); long secondsUntilExpiration = 1000; - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addSubKey(secretSubkey, new SelfSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { @@ -60,7 +60,7 @@ public class AddSubkeyWithModifiedBindingSignatureSubpacketsTest { }, SecretKeyRingProtector.unprotectedKeys(), protector, KeyFlag.SIGN_DATA) .done(); - KeyRingInfo after = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo after = api.inspect(secretKeys); List signingKeysAfter = after.getSigningSubkeys(); signingKeysAfter.removeAll(signingKeysBefore); assertFalse(signingKeysAfter.isEmpty()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index f070c9fa..48875ebf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -37,31 +37,31 @@ public class AddUserIdTest { @ExtendWith(TestAllImplementations.class) public void addUserIdToExistingKeyRing() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); Iterator userIds = info.getValidUserIds().iterator(); assertEquals("alice@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("rabb1th0le")); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addUserId("cheshirecat@wonderland.lit", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = api.inspect(secretKeys); userIds = info.getValidUserIds().iterator(); assertEquals("alice@wonderland.lit", userIds.next()); assertEquals("cheshirecat@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .revokeUserId("cheshirecat@wonderland.lit", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = api.inspect(secretKeys); userIds = info.getValidUserIds().iterator(); assertEquals("alice@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); @@ -96,20 +96,21 @@ public class AddUserIdTest { "=bk4o\r\n" + "-----END PGP PRIVATE KEY BLOCK-----\r\n"; - OpenPGPKey key = PGPainless.getInstance().readKey().parseKey(ARMORED_PRIVATE_KEY); - PGPSecretKeyRing secretKeys = key.getPGPSecretKeyRing(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey key = api.readKey().parseKey(ARMORED_PRIVATE_KEY); + KeyRingInfo info = api.inspect(key); Iterator userIds = info.getValidUserIds().iterator(); assertEquals("", userIds.next()); assertFalse(userIds.hasNext()); SecretKeyRingProtector protector = new UnprotectedKeysProtector(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + key = api.modify(key) .revokeUserId("", protector) .addUserId("cheshirecat@wonderland.lit", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys); + info = api.inspect(key); userIds = info.getValidUserIds().iterator(); assertEquals("cheshirecat@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); @@ -118,17 +119,17 @@ public class AddUserIdTest { @Test public void addNewPrimaryUserIdTest() { Date now = new Date(); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice"); UserId bob = UserId.builder().withName("Bob").noEmail().noComment().build(); - assertNotEquals("Bob", PGPainless.inspectKeyRing(secretKeys).getPrimaryUserId()); + assertNotEquals("Bob", api.inspect(secretKeys).getPrimaryUserId()); - secretKeys = PGPainless.modifyKeyRing(secretKeys, DateExtensionsKt.plusSeconds(now, 1)) + secretKeys = api.modify(secretKeys, DateExtensionsKt.plusSeconds(now, 1)) .addPrimaryUserId(bob, SecretKeyRingProtector.unprotectedKeys()) .done(); - assertEquals("Bob", PGPainless.inspectKeyRing(secretKeys, DateExtensionsKt.plusSeconds(now, 2)).getPrimaryUserId()); + assertEquals("Bob", api.inspect(secretKeys, DateExtensionsKt.plusSeconds(now, 2)).getPrimaryUserId()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index 2eac921b..48bda2a2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -7,7 +7,7 @@ package org.pgpainless.key.modification; import java.io.IOException; import java.util.Date; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -138,7 +138,8 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @ExtendWith(TestAllImplementations.class) public void setExpirationDate_keyHasSigClass10() throws IOException { - PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithGenericCertification); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey keys = api.readKey().parseKey(keyWithGenericCertification); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); executeTestForKeys(keys, protector); } @@ -147,20 +148,23 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @ExtendWith(TestAllImplementations.class) public void setExpirationDate_keyHasSigClass12() throws IOException { - PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithCasualCertification); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey keys = api.readKey().parseKey(keyWithCasualCertification); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); executeTestForKeys(keys, protector); } - private void executeTestForKeys(PGPSecretKeyRing keys, SecretKeyRingProtector protector) { + private void executeTestForKeys(OpenPGPKey keys, SecretKeyRingProtector protector) { + PGPainless api = PGPainless.getInstance(); + Date expirationDate = new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 24 * 14); // round date for test stability expirationDate = DateUtil.toSecondsPrecision(expirationDate); - PGPSecretKeyRing modded = PGPainless.modifyKeyRing(keys) + OpenPGPKey modded = api.modify(keys) .setExpirationDate(expirationDate, protector) .done(); - JUtils.assertDateEquals(expirationDate, PGPainless.inspectKeyRing(modded).getPrimaryKeyExpirationDate()); + JUtils.assertDateEquals(expirationDate, api.inspect(modded).getPrimaryKeyExpirationDate()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java index 7ddb2a27..ccef1d19 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java @@ -14,7 +14,7 @@ import java.util.Calendar; import java.util.Date; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -35,27 +35,28 @@ public class ChangeExpirationTest { @ExtendWith(TestAllImplementations.class) public void setExpirationDateAndThenUnsetIt_OnPrimaryKey() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + KeyRingInfo sInfo = api.inspect(secretKeys); assertNull(sInfo.getPrimaryKeyExpirationDate()); assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); Date now = new Date(); Date date = DateUtil.parseUTCDate("2020-11-27 16:10:32 UTC"); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .setExpirationDate(date, new UnprotectedKeysProtector()).done(); - sInfo = PGPainless.inspectKeyRing(secretKeys); + sInfo = api.inspect(secretKeys); assertNotNull(sInfo.getPrimaryKeyExpirationDate()); assertEquals(date.getTime(), sInfo.getPrimaryKeyExpirationDate().getTime()); // subkey unchanged assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); Date t1 = new Date(now.getTime() + 1000 * 60 * 60); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) + secretKeys = api.modify(secretKeys, t1) .setExpirationDate(null, new UnprotectedKeysProtector()).done(); - sInfo = PGPainless.inspectKeyRing(secretKeys, t1); + sInfo = api.inspect(secretKeys, t1); assertNull(sInfo.getPrimaryKeyExpirationDate()); assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); } @@ -64,9 +65,9 @@ public class ChangeExpirationTest { @ExtendWith(TestAllImplementations.class) public void setExpirationDateAndThenUnsetIt_OnSubkey() throws PGPException, IOException { - - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + KeyRingInfo sInfo = api.inspect(secretKeys); assertNull(sInfo.getPrimaryKeyExpirationDate()); @@ -76,42 +77,43 @@ public class ChangeExpirationTest { calendar.add(Calendar.DATE, 5); Date expiration = calendar.getTime(); // in 5 days - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .setExpirationDate(expiration, new UnprotectedKeysProtector()).done(); - sInfo = PGPainless.inspectKeyRing(secretKeys); + sInfo = api.inspect(secretKeys); assertNotNull(sInfo.getPrimaryKeyExpirationDate()); JUtils.assertDateEquals(expiration, sInfo.getPrimaryKeyExpirationDate()); Date t1 = new Date(now.getTime() + 1000 * 60 * 60); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) + secretKeys = api.modify(secretKeys, t1) .setExpirationDate(null, new UnprotectedKeysProtector()).done(); - sInfo = PGPainless.inspectKeyRing(secretKeys, t1); + sInfo = api.inspect(secretKeys, t1); assertNull(sInfo.getPrimaryKeyExpirationDate()); } @TestTemplate @ExtendWith(TestAllImplementations.class) public void testExtremeExpirationDates() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); // seconds from 2021 to 2199 will overflow 32bit integers Date farAwayExpiration = DateUtil.parseUTCDate("2199-01-01 00:00:00 UTC"); - final PGPSecretKeyRing finalKeys = secretKeys; + final OpenPGPKey finalKeys = secretKeys; assertThrows(IllegalArgumentException.class, () -> - PGPainless.modifyKeyRing(finalKeys) + api.modify(finalKeys) .setExpirationDate(farAwayExpiration, protector) .done()); Date notSoFarAwayExpiration = DateUtil.parseUTCDate("2100-01-01 00:00:00 UTC"); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .setExpirationDate(notSoFarAwayExpiration, protector) .done(); - Date actualExpiration = PGPainless.inspectKeyRing(secretKeys) + Date actualExpiration = api.inspect(secretKeys) .getPrimaryKeyExpirationDate(); JUtils.assertDateEquals(notSoFarAwayExpiration, actualExpiration); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java index c7751434..a496594c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java @@ -5,8 +5,8 @@ package org.pgpainless.key.modification; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; @@ -26,13 +26,14 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_primaryB_revokeA_cantSecondaryA() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("A") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, now); + KeyRingInfo info = api.inspect(secretKeys, now); assertFalse(info.isHardRevoked("A")); assertFalse(info.isHardRevoked("B")); assertIsPrimaryUserId("A", info); @@ -41,10 +42,10 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { // One hour later Date oneHourLater = new Date(now.getTime() + millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, oneHourLater) + secretKeys = api.modify(secretKeys, oneHourLater) .addPrimaryUserId("B", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys, oneHourLater); + info = api.inspect(secretKeys, oneHourLater); assertIsPrimaryUserId("B", info); assertIsNotPrimaryUserId("A", info); @@ -52,10 +53,10 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { // Two hours later Date twoHoursLater = new Date(now.getTime() + 2 * millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, twoHoursLater) + secretKeys = api.modify(secretKeys, twoHoursLater) .revokeUserId("A", protector) // hard revoke A .done(); - info = PGPainless.inspectKeyRing(secretKeys, twoHoursLater); + info = api.inspect(secretKeys, twoHoursLater); assertTrue(info.isHardRevoked("A")); assertFalse(info.isHardRevoked("B")); @@ -65,71 +66,71 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { // Three hours later Date threeHoursLater = new Date(now.getTime() + 3 * millisInHour); - PGPSecretKeyRing finalSecretKeys = secretKeys; + OpenPGPKey finalSecretKeys = secretKeys; assertThrows(IllegalArgumentException.class, () -> - PGPainless.modifyKeyRing(finalSecretKeys, threeHoursLater).addUserId("A", protector)); + api.modify(finalSecretKeys, threeHoursLater).addUserId("A", protector)); } @Test public void generateA_primaryExpire_isExpired() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("A") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertIsPrimaryUserId("A", info); Date now = new Date(); Date later = new Date(now.getTime() + millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, now) + secretKeys = api.modify(secretKeys, now) .setExpirationDate(later, protector) // expire the whole key .done(); Date evenLater = new Date(now.getTime() + 2 * millisInHour); - info = PGPainless.inspectKeyRing(secretKeys, evenLater); + info = api.inspect(secretKeys, evenLater); assertFalse(info.isUserIdValid("A")); // is expired by now } @Test public void generateA_primaryB_primaryExpire_bIsStillPrimary() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("A") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); // Generate key with primary user-id A - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertIsPrimaryUserId("A", info); // later set primary user-id to B Date t1 = new Date(now.getTime() + millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) + secretKeys = api.modify(secretKeys, t1) .addPrimaryUserId("B", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys, t1); + info = api.inspect(secretKeys, t1); assertIsPrimaryUserId("B", info); assertIsNotPrimaryUserId("A", info); // Even later expire the whole key Date t2 = new Date(now.getTime() + 2 * millisInHour); Date expiration = new Date(now.getTime() + 10 * millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t2) + secretKeys = api.modify(secretKeys, t2) .setExpirationDate(expiration, protector) // expire the whole key in 1 hour .done(); Date t3 = new Date(now.getTime() + 3 * millisInHour); - info = PGPainless.inspectKeyRing(secretKeys, t3); + info = api.inspect(secretKeys, t3); assertIsValid("A", info); assertIsValid("B", info); assertIsPrimaryUserId("B", info); assertIsNotPrimaryUserId("A", info); - info = PGPainless.inspectKeyRing(secretKeys, expiration); + info = api.inspect(secretKeys, expiration); assertIsPrimaryUserId("B", info); // B is still primary, even though assertFalse(info.isUserIdValid("A")); // key is expired by now assertFalse(info.isUserIdValid("B")); @@ -137,23 +138,23 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_expire_certify() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); Date t1 = new Date(now.getTime() + millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, now) + secretKeys = api.modify(secretKeys, now) .setExpirationDate(t1, protector) .done(); Date t2 = new Date(now.getTime() + 2 * millisInHour); Date t4 = new Date(now.getTime() + 4 * millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t2) + secretKeys = api.modify(secretKeys, t2) .setExpirationDate(t4, protector) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertIsValid("A", info); assertIsPrimaryUserId("A", info); } @@ -161,28 +162,28 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_expire_primaryB_expire_isPrimaryB() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("A"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); Date now = new Date(); Date t1 = new Date(now.getTime() + millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) + secretKeys = api.modify(secretKeys, t1) .setExpirationDate(t1, protector) .done(); Date t2 = new Date(now.getTime() + 2 * millisInHour); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, t2); + KeyRingInfo info = api.inspect(secretKeys, t2); assertIsPrimaryUserId("A", info); assertIsNotValid("A", info); // A is expired - secretKeys = PGPainless.modifyKeyRing(secretKeys, t2) + secretKeys = api.modify(secretKeys, t2) .addPrimaryUserId("B", protector) .done(); Date t3 = new Date(now.getTime() + 3 * millisInHour); - info = PGPainless.inspectKeyRing(secretKeys, t3); + info = api.inspect(secretKeys, t3); assertIsPrimaryUserId("B", info); assertIsNotValid("B", info); // A and B are still expired @@ -190,19 +191,19 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { Date t4 = new Date(now.getTime() + 4 * millisInHour); Date t5 = new Date(now.getTime() + 5 * millisInHour); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t3) + secretKeys = api.modify(secretKeys, t3) .setExpirationDate(t5, protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys, t4); + info = api.inspect(secretKeys, t4); assertIsValid("B", info); assertIsValid("A", info); // A got re-validated when changing exp date assertIsPrimaryUserId("B", info); - secretKeys = PGPainless.modifyKeyRing(secretKeys, t4) + secretKeys = api.modify(secretKeys, t4) .addUserId("A", protector) // re-certify A as non-primary user-id .done(); - info = PGPainless.inspectKeyRing(secretKeys, t4); + info = api.inspect(secretKeys, t4); assertIsValid("B", info); assertIsValid("A", info); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 96f57303..8a2723db 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -15,8 +15,8 @@ import java.util.Iterator; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; @@ -35,8 +35,8 @@ import org.pgpainless.util.Passphrase; public class ChangeSecretKeyRingPassphraseTest { - private final PGPSecretKeyRing keyRing = PGPainless.generateKeyRing().simpleEcKeyRing("password@encryp.ted", "weakPassphrase") - .getPGPSecretKeyRing(); + private final OpenPGPKey keyRing = PGPainless.getInstance() + .generateKey().simpleEcKeyRing("password@encryp.ted", "weakPassphrase"); public ChangeSecretKeyRingPassphraseTest() { } @@ -44,66 +44,64 @@ public class ChangeSecretKeyRingPassphraseTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void changePassphraseOfWholeKeyRingTest() throws PGPException { - - PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.modify(keyRing) .changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("1337p455phr453")) .done(); - PGPSecretKeyRing changedPassphraseKeyRing = secretKeys; - assertEquals(KeyRingProtectionSettings.secureDefaultSettings().getEncryptionAlgorithm().getAlgorithmId(), - changedPassphraseKeyRing.getSecretKey().getKeyEncryptionAlgorithm()); + secretKeys.getPGPSecretKeyRing().getSecretKey().getKeyEncryptionAlgorithm()); assertThrows(PGPException.class, () -> - signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.emptyPassphrase()), + signDummyMessageWithKeysAndPassphrase(api, secretKeys, Passphrase.emptyPassphrase()), "Unlocking secret key ring with empty passphrase MUST fail."); assertThrows(PGPException.class, () -> - signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.fromPassword("weakPassphrase")), + signDummyMessageWithKeysAndPassphrase(api, secretKeys, Passphrase.fromPassword("weakPassphrase")), "Unlocking secret key ring with old passphrase MUST fail."); - assertDoesNotThrow(() -> signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.fromPassword("1337p455phr453")), + assertDoesNotThrow(() -> signDummyMessageWithKeysAndPassphrase(api, secretKeys, Passphrase.fromPassword("1337p455phr453")), "Unlocking the secret key ring with the new passphrase MUST succeed."); } @TestTemplate @ExtendWith(TestAllImplementations.class) public void changePassphraseOfWholeKeyRingToEmptyPassphrase() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey changedPassphraseKeyRing = api.modify(keyRing) .changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNoPassphrase() .done(); - PGPSecretKeyRing changedPassphraseKeyRing = secretKeys; - assertEquals(SymmetricKeyAlgorithm.NULL.getAlgorithmId(), - changedPassphraseKeyRing.getSecretKey().getKeyEncryptionAlgorithm()); + changedPassphraseKeyRing.getPGPSecretKeyRing().getSecretKey().getKeyEncryptionAlgorithm()); - signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.emptyPassphrase()); + signDummyMessageWithKeysAndPassphrase(api, changedPassphraseKeyRing, Passphrase.emptyPassphrase()); } @TestTemplate @ExtendWith(TestAllImplementations.class) public void changePassphraseOfSingleSubkeyToNewPassphrase() throws PGPException { - - Iterator keys = keyRing.getSecretKeys(); + PGPainless api = PGPainless.getInstance(); + Iterator keys = keyRing.getPGPSecretKeyRing().getSecretKeys(); PGPSecretKey primaryKey = keys.next(); PGPSecretKey subKey = keys.next(); extractPrivateKey(primaryKey, Passphrase.fromPassword("weakPassphrase")); extractPrivateKey(subKey, Passphrase.fromPassword("weakPassphrase")); - PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) + OpenPGPKey secretKeys = api.modify(keyRing) .changeSubKeyPassphraseFromOldPassphrase(subKey.getPublicKey().getKeyIdentifier(), Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("subKeyPassphrase")) .done(); - keys = secretKeys.getSecretKeys(); + keys = secretKeys.getPGPSecretKeyRing().getSecretKeys(); primaryKey = keys.next(); subKey = keys.next(); @@ -124,18 +122,18 @@ public class ChangeSecretKeyRingPassphraseTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void changePassphraseOfSingleSubkeyToEmptyPassphrase() throws PGPException { - - Iterator keys = keyRing.getSecretKeys(); + PGPainless api = PGPainless.getInstance(); + Iterator keys = keyRing.getPGPSecretKeyRing().getSecretKeys(); PGPSecretKey primaryKey = keys.next(); PGPSecretKey subKey = keys.next(); - PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) + OpenPGPKey secretKeys = api.modify(keyRing) .changeSubKeyPassphraseFromOldPassphrase(subKey.getKeyIdentifier(), Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNoPassphrase() .done(); - keys = secretKeys.getSecretKeys(); + keys = secretKeys.getPGPSecretKeyRing().getSecretKeys(); primaryKey = keys.next(); subKey = keys.next(); @@ -176,13 +174,13 @@ public class ChangeSecretKeyRingPassphraseTest { UnlockSecretKey.unlockSecretKey(secretKey, decryptor); } - private void signDummyMessageWithKeysAndPassphrase(PGPSecretKeyRing keyRing, Passphrase passphrase) throws IOException, PGPException { + private void signDummyMessageWithKeysAndPassphrase(PGPainless api, OpenPGPKey key, Passphrase passphrase) throws IOException, PGPException { String dummyMessage = "dummy"; ByteArrayOutputStream dummy = new ByteArrayOutputStream(); - EncryptionStream stream = PGPainless.encryptAndOrSign().onOutputStream(dummy) + EncryptionStream stream = api.generateMessage().onOutputStream(dummy) .withOptions(ProducerOptions.sign(SigningOptions.get() - .addInlineSignature(PasswordBasedSecretKeyRingProtector.forKey(keyRing, passphrase), - keyRing, DocumentSignatureType.BINARY_DOCUMENT))); + .addInlineSignature(PasswordBasedSecretKeyRingProtector.forKey(key, passphrase), + key, DocumentSignatureType.BINARY_DOCUMENT))); Streams.pipeAll(new ByteArrayInputStream(dummyMessage.getBytes()), stream); stream.close(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java index d62f8ad8..9f1448d3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSubkeyExpirationTimeTest.java @@ -4,8 +4,8 @@ package org.pgpainless.key.modification; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -25,26 +25,27 @@ public class ChangeSubkeyExpirationTimeTest { @Test public void changeExpirationTimeOfSubkey() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - Date now = secretKeys.getPublicKey().getCreationTime(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); + Date now = secretKeys.getPrimaryKey().getCreationTime(); Date inAnHour = new Date(now.getTime() + 1000 * 60 * 60); - OpenPGPCertificate.OpenPGPComponentKey encryptionKey = PGPainless.inspectKeyRing(secretKeys) + OpenPGPCertificate.OpenPGPComponentKey encryptionKey = api.inspect(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .setExpirationDateOfSubkey( inAnHour, - encryptionKey.getKeyIdentifier().getKeyId(), + encryptionKey.getKeyIdentifier(), SecretKeyRingProtector.unprotectedKeys()) .done(); - JUtils.assertDateEquals(inAnHour, PGPainless.inspectKeyRing(secretKeys) + JUtils.assertDateEquals(inAnHour, api.inspect(secretKeys) .getSubkeyExpirationDate(OpenPgpFingerprint.of(encryptionKey.getPGPPublicKey()))); } @Test public void changeExpirationTimeOfExpiredSubkey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing( + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey( "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Version: PGPainless\n" + "Comment: CA52 4D5D E3D8 9CD9 105B BA45 3761 076B C6B5 3000\n" + @@ -79,13 +80,13 @@ public class ChangeSubkeyExpirationTimeTest { OpenPgpFingerprint encryptionSubkey = new OpenPgpV4Fingerprint("2E541354A23C9943375EC27A3EF133ED8720D636"); JUtils.assertDateEquals( DateUtil.parseUTCDate("2023-12-07 16:29:46 UTC"), - PGPainless.inspectKeyRing(secretKeys).getSubkeyExpirationDate(encryptionSubkey)); + api.inspect(secretKeys).getSubkeyExpirationDate(encryptionSubkey)); // re-validate the subkey by setting its expiry to null (no expiry) - secretKeys = PGPainless.modifyKeyRing(secretKeys) - .setExpirationDateOfSubkey(null, encryptionSubkey.getKeyId(), SecretKeyRingProtector.unprotectedKeys()) + secretKeys = api.modify(secretKeys) + .setExpirationDateOfSubkey(null, encryptionSubkey.getKeyIdentifier(), SecretKeyRingProtector.unprotectedKeys()) .done(); - assertNull(PGPainless.inspectKeyRing(secretKeys).getSubkeyExpirationDate(encryptionSubkey)); + assertNull(api.inspect(secretKeys).getSubkeyExpirationDate(encryptionSubkey)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java index ce851da3..ccf07e56 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java @@ -17,9 +17,9 @@ import java.nio.charset.StandardCharsets; import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -73,9 +73,10 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { @Test public void manualReplaceUserIdWithFixedVersionDoesNotHinderEncryptionCapability() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(SECRET_KEY); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPSecretKeyRing modified = PGPainless.modifyKeyRing(secretKeys) + OpenPGPKey modified = api.modify(secretKeys) .addUserId(userIdAfter, new SelfSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { @@ -85,8 +86,8 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { .removeUserId(userIdBefore, protector) .done(); - KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); - KeyRingInfo after = PGPainless.inspectKeyRing(modified); + KeyRingInfo before = api.inspect(secretKeys); + KeyRingInfo after = api.inspect(modified); assertEquals(userIdBefore, before.getPrimaryUserId()); assertEquals(userIdAfter, after.getPrimaryUserId()); @@ -104,34 +105,38 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { @Test public void testReplaceUserId_missingOldUserIdThrows() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY); - assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(SECRET_KEY); + assertThrows(NoSuchElementException.class, () -> api.modify(secretKeys) .replaceUserId("missing", userIdAfter, SecretKeyRingProtector.unprotectedKeys())); } @Test public void testReplaceUserId_emptyOldUserIdThrows() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY); - assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(SECRET_KEY); + assertThrows(IllegalArgumentException.class, () -> api.modify(secretKeys) .replaceUserId(" ", userIdAfter, SecretKeyRingProtector.unprotectedKeys())); } @Test public void testReplaceUserId_emptyNewUserIdThrows() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY); - assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(SECRET_KEY); + assertThrows(IllegalArgumentException.class, () -> api.modify(secretKeys) .replaceUserId(userIdBefore, " ", SecretKeyRingProtector.unprotectedKeys())); } @Test public void testReplaceImplicitUserIdDoesNotBreakStuff() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(SECRET_KEY); - PGPSecretKeyRing edited = PGPainless.modifyKeyRing(secretKeys) + OpenPGPKey edited = api.modify(secretKeys) .replaceUserId(userIdBefore, userIdAfter, SecretKeyRingProtector.unprotectedKeys()) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(edited); + KeyRingInfo info = api.inspect(edited); assertTrue(info.isUserIdValid(userIdAfter)); assertEquals(userIdAfter, info.getPrimaryUserId()); @@ -139,10 +144,10 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { assertNotNull(latestCertification); assertTrue(latestCertification.getHashedSubPackets().isPrimaryUserID()); - PGPPublicKeyRing cert = PGPainless.extractCertificate(edited); + OpenPGPCertificate cert = edited.toCertificate(); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.encrypt(EncryptionOptions.get() .addRecipient(cert))); @@ -151,7 +156,7 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { encryptionStream.close(); EncryptionResult result = encryptionStream.getResult(); - assertTrue(result.isEncryptedFor(cert)); + assertTrue(result.isEncryptedFor(cert.getPGPPublicKeyRing())); ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray()); ByteArrayOutputStream plain = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java index 64439775..d9198e31 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java @@ -10,7 +10,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.util.Passphrase; @@ -166,17 +166,18 @@ public class GnuDummyS2KChangePassphraseTest { @Test public void testChangePassphraseToNoPassphraseIgnoresGnuDummyS2KKeys() throws PGPException, IOException { - PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(KEY_WITH_GNU_DUMMY_S2K_PRIMARY_KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKey = api.readKey().parseKey(KEY_WITH_GNU_DUMMY_S2K_PRIMARY_KEY); - assertFalse(PGPainless.inspectKeyRing(secretKey).isFullyDecrypted()); + assertFalse(api.inspect(secretKey).isFullyDecrypted()); - secretKey = PGPainless.modifyKeyRing(secretKey) + secretKey = api.modify(secretKey) .changePassphraseFromOldPassphrase(passphrase) .withSecureDefaultSettings() .toNoPassphrase() .done(); - assertTrue(PGPainless.inspectKeyRing(secretKey).isFullyDecrypted()); + assertTrue(api.inspect(secretKey).isFullyDecrypted()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java index afea503c..c99739b5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java @@ -10,9 +10,9 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import java.util.Date; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; @@ -26,11 +26,11 @@ public class OldSignatureSubpacketsArePreservedOnNewSigTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("Alice ") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .simpleEcKeyRing("Alice "); - PGPSignature oldSignature = PGPainless.inspectKeyRing(secretKeys).getLatestUserIdCertification("Alice "); + PGPSignature oldSignature = api.inspect(secretKeys).getLatestUserIdCertification("Alice "); assertNotNull(oldSignature); PGPSignatureSubpacketVector oldPackets = oldSignature.getHashedSubPackets(); @@ -40,10 +40,10 @@ public class OldSignatureSubpacketsArePreservedOnNewSigTest { Date t1 = new Date(now.getTime() + millisInHour); Date expiration = new Date(now.getTime() + 5 * 24 * millisInHour); // in 5 days - secretKeys = PGPainless.modifyKeyRing(secretKeys, t1) + secretKeys = api.modify(secretKeys, t1) .setExpirationDate(expiration, new UnprotectedKeysProtector()) .done(); - PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys, t1).getLatestUserIdCertification("Alice "); + PGPSignature newSignature = api.inspect(secretKeys, t1).getLatestUserIdCertification("Alice "); assertNotNull(newSignature); PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java index 925b4426..c1019679 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -10,7 +10,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import java.util.EnumMap; import java.util.Map; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; @@ -28,31 +28,31 @@ public class RefuseToAddWeakSubkeyTest { @Test public void testEditorRefusesToAddWeakSubkey() { + PGPainless api = PGPainless.getInstance(); // ensure default policy is set - Policy oldPolicy = PGPainless.getPolicy(); + Policy oldPolicy = api.getAlgorithmPolicy(); Policy adjusted = oldPolicy.copy().withPublicKeyAlgorithmPolicy( Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy() ).build(); - PGPainless.getInstance().setAlgorithmPolicy(adjusted); + api.setAlgorithmPolicy(adjusted); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); - SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice"); + SecretKeyRingEditorInterface editor = api.modify(secretKeys); KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build(); assertThrows(IllegalArgumentException.class, () -> editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys())); - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); + api.setAlgorithmPolicy(oldPolicy); } @Test public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice"); - Policy oldPolicy = PGPainless.getPolicy(); + Policy oldPolicy = api.getAlgorithmPolicy(); // set weak policy Map minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class); @@ -75,11 +75,11 @@ public class RefuseToAddWeakSubkeyTest { minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000); // §7.2.2 minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250); - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy() + api.setAlgorithmPolicy(oldPolicy.copy() .withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths)) .build()); - SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); + SecretKeyRingEditorInterface editor = api.modify(secretKeys); KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS) .setKeyCreationDate(editor.getReferenceTime()) // The key gets created after we instantiate the editor. .build(); @@ -87,9 +87,9 @@ public class RefuseToAddWeakSubkeyTest { secretKeys = editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys()) .done(); - assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size()); + assertEquals(2, api.inspect(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size()); // reset default policy - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); + api.setAlgorithmPolicy(oldPolicy); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java index 6dbd7318..2ac4c87f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java @@ -15,9 +15,10 @@ import java.io.IOException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.TestKeys; @@ -30,9 +31,10 @@ public class RevocationCertificateTest { @Test public void createRevocationCertificateTest() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); - PGPSignature revocation = PGPainless.modifyKeyRing(secretKeys) + OpenPGPSignature revocation = api.modify(secretKeys) .createRevocation(SecretKeyRingProtector.unprotectedKeys(), RevocationAttributes.createKeyRevocation() .withReason(RevocationAttributes.Reason.KEY_RETIRED) @@ -40,66 +42,68 @@ public class RevocationCertificateTest { assertNotNull(revocation); - assertTrue(PGPainless.inspectKeyRing(secretKeys).isKeyValidlyBound(secretKeys.getPublicKey().getKeyID())); + assertTrue(api.inspect(secretKeys).isKeyValidlyBound(secretKeys.getKeyIdentifier())); // merge key and revocation certificate PGPSecretKeyRing revokedKey = KeyRingUtils.keysPlusSecretKey( - secretKeys, - KeyRingUtils.secretKeyPlusSignature(secretKeys.getSecretKey(), revocation)); + secretKeys.getPGPSecretKeyRing(), + KeyRingUtils.secretKeyPlusSignature(secretKeys.getPrimarySecretKey().getPGPSecretKey(), revocation.getSignature())); - assertFalse(PGPainless.inspectKeyRing(revokedKey).isKeyValidlyBound(secretKeys.getPublicKey().getKeyID())); + assertFalse(api.inspect(api.toKey(revokedKey)).isKeyValidlyBound(secretKeys.getKeyIdentifier())); } @Test public void createMinimalRevocationCertificateTest() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); - PGPPublicKeyRing minimalRevocationCert = PGPainless.modifyKeyRing(secretKeys).createMinimalRevocationCertificate( + OpenPGPCertificate minimalRevocationCert = api.modify(secretKeys).createMinimalRevocationCertificate( SecretKeyRingProtector.unprotectedKeys(), RevocationAttributes.createKeyRevocation().withReason(RevocationAttributes.Reason.KEY_RETIRED).withoutDescription()); - assertEquals(1, minimalRevocationCert.size()); - PGPPublicKey key = minimalRevocationCert.getPublicKey(); - assertEquals(secretKeys.getPublicKey().getKeyID(), key.getKeyID()); + assertEquals(1, minimalRevocationCert.getPGPKeyRing().size()); + PGPPublicKey key = minimalRevocationCert.getPrimaryKey().getPGPPublicKey(); + assertEquals(secretKeys.getKeyIdentifier(), key.getKeyIdentifier()); assertEquals(1, CollectionUtils.iteratorToList(key.getSignatures()).size()); assertFalse(key.getUserIDs().hasNext()); assertFalse(key.getUserAttributes().hasNext()); assertNull(key.getTrustData()); - PGPPublicKeyRing originalCert = PGPainless.extractCertificate(secretKeys); - PGPPublicKeyRing mergedCert = PGPainless.mergeCertificate(originalCert, minimalRevocationCert); + OpenPGPCertificate originalCert = secretKeys.toCertificate(); + OpenPGPCertificate mergedCert = api.mergeCertificate(originalCert, minimalRevocationCert); - assertTrue(PGPainless.inspectKeyRing(mergedCert).getRevocationState().isSoftRevocation()); + assertTrue(api.inspect(mergedCert).getRevocationState().isSoftRevocation()); } @Test public void createMinimalRevocationCertificateForFreshKeyTest() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); - PGPPublicKeyRing minimalRevocationCert = PGPainless.modifyKeyRing(secretKeys).createMinimalRevocationCertificate( + OpenPGPCertificate minimalRevocationCert = api.modify(secretKeys).createMinimalRevocationCertificate( SecretKeyRingProtector.unprotectedKeys(), RevocationAttributes.createKeyRevocation().withReason(RevocationAttributes.Reason.KEY_RETIRED).withoutDescription()); - assertEquals(1, minimalRevocationCert.size()); - PGPPublicKey key = minimalRevocationCert.getPublicKey(); - assertEquals(secretKeys.getPublicKey().getKeyID(), key.getKeyID()); + assertEquals(1, minimalRevocationCert.getKeys().size()); + PGPPublicKey key = minimalRevocationCert.getPGPPublicKeyRing().getPublicKey(); + assertEquals(secretKeys.getKeyIdentifier(), key.getKeyIdentifier()); assertEquals(1, CollectionUtils.iteratorToList(key.getSignatures()).size()); assertFalse(key.getUserIDs().hasNext()); assertFalse(key.getUserAttributes().hasNext()); assertNull(key.getTrustData()); - PGPPublicKeyRing originalCert = PGPainless.extractCertificate(secretKeys); - PGPPublicKeyRing mergedCert = PGPainless.mergeCertificate(originalCert, minimalRevocationCert); + OpenPGPCertificate originalCert = secretKeys.toCertificate(); + OpenPGPCertificate mergedCert = api.mergeCertificate(originalCert, minimalRevocationCert); - assertTrue(PGPainless.inspectKeyRing(mergedCert).getRevocationState().isSoftRevocation()); + assertTrue(api.inspect(mergedCert).getRevocationState().isSoftRevocation()); } @Test public void createMinimalRevocationCertificate_wrongReason() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); assertThrows(IllegalArgumentException.class, - () -> PGPainless.modifyKeyRing(secretKeys).createMinimalRevocationCertificate( + () -> api.modify(secretKeys).createMinimalRevocationCertificate( SecretKeyRingProtector.unprotectedKeys(), RevocationAttributes.createCertificateRevocation() .withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java index b2cd85fc..2d02dba2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java @@ -7,13 +7,14 @@ package org.pgpainless.key.modification; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.util.Arrays; +import java.util.Collections; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; @@ -24,7 +25,7 @@ import org.pgpainless.util.TestAllImplementations; /** * Test that makes sure that PGPainless can deal with keys that carry a key * signature of type 0x10 (generic certification). - * + *

* Originally PGPainless would only handle keys with key signature type * 0x13 (positive certification) and would otherwise crash when negotiating * algorithms, esp. when revoking a key. @@ -70,23 +71,26 @@ public class RevokeKeyWithGenericCertificationSignatureTest { } private KeyPair revokeKey(String priv) throws IOException, PGPException { - byte[] armoredBytes = priv.getBytes(StandardCharsets.UTF_8); - PGPSecretKeyRing r = PGPainless.readKeyRing() - .secretKeyRing(armoredBytes); - PGPSecretKey secretKey = r.getSecretKey(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.readKey().parseKey(priv); + OpenPGPKey onlyPrimaryKey = api.toKey( + new PGPSecretKeyRing( + Collections.singletonList(key.getPrimarySecretKey().getPGPSecretKey()) + ) + ); // this is not ideal, but still valid usage - PGPSecretKeyRing secretKeyRing = - PGPainless.modifyKeyRing(new PGPSecretKeyRing(Arrays.asList(secretKey))) + OpenPGPKey revokedPrimaryKey = + api.modify(onlyPrimaryKey) .revoke(new UnprotectedKeysProtector()).done(); - PGPPublicKey pkr = secretKeyRing.getPublicKeys().next(); + PGPPublicKey pkr = revokedPrimaryKey.getPGPSecretKeyRing().getPublicKeys().next(); ByteArrayOutputStream pubOutBytes = new ByteArrayOutputStream(); try (ArmoredOutputStream pubOut = ArmoredOutputStreamFactory.get(pubOutBytes)) { pkr.encode(pubOut); } pubOutBytes.close(); - PGPSecretKey skr = secretKeyRing.getSecretKeys().next(); + PGPSecretKey skr = revokedPrimaryKey.getPGPSecretKeyRing().getSecretKeys().next(); ByteArrayOutputStream secOutBytes = new ByteArrayOutputStream(); try (ArmoredOutputStream privOut = ArmoredOutputStreamFactory.get(secOutBytes)) { skr.encode(privOut); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index c4a177ed..0460b319 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -7,7 +7,7 @@ package org.pgpainless.key.modification; import java.io.IOException; import java.util.Date; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.JUtils; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -99,16 +99,17 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { @ExtendWith(TestAllImplementations.class) public void testChangingExpirationTimeWithKeyWithoutPrefAlgos() throws IOException { + PGPainless api = PGPainless.getInstance(); Date expirationDate = DateUtil.now(); - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); SecretKeyRingProtector protector = new UnprotectedKeysProtector(); - SecretKeyRingEditorInterface modify = PGPainless.modifyKeyRing(secretKeys) + SecretKeyRingEditorInterface modify = api.modify(secretKeys) .setExpirationDate(expirationDate, protector); secretKeys = modify.done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); JUtils.assertDateEquals(expirationDate, info.getPrimaryKeyExpirationDate()); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index 729c2151..0843e368 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -19,8 +19,9 @@ import org.bouncycastle.bcpg.sig.IssuerFingerprint; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -33,7 +34,6 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; -import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.TestAllImplementations; @@ -43,10 +43,11 @@ public class RevokeSubKeyTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void revokeSukeyTest() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + public void revokeSubkeyTest() throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); - Iterator keysIterator = secretKeys.iterator(); + Iterator keysIterator = secretKeys.getPGPSecretKeyRing().iterator(); PGPSecretKey primaryKey = keysIterator.next(); PGPSecretKey subKey = keysIterator.next(); @@ -55,10 +56,10 @@ public class RevokeSubKeyTest { SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector .forKey(secretKeys, Passphrase.fromPassword("password123")); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .revokeSubKey(new OpenPgpV4Fingerprint(subKey), protector) .done(); - keysIterator = secretKeys.iterator(); + keysIterator = secretKeys.getPGPSecretKeyRing().iterator(); primaryKey = keysIterator.next(); subKey = keysIterator.next(); @@ -68,19 +69,20 @@ public class RevokeSubKeyTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void detachedRevokeSubkeyTest() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint(secretKeys); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("password123")); - PGPSignature revocationCertificate = PGPainless.modifyKeyRing(secretKeys) + OpenPGPSignature revocationCertificate = api.modify(secretKeys) .createRevocation(fingerprint, protector, RevocationAttributes.createKeyRevocation() .withReason(RevocationAttributes.Reason.KEY_RETIRED) .withDescription("Key no longer used.")); - PGPPublicKey publicKey = secretKeys.getPublicKey(); + PGPPublicKey publicKey = secretKeys.getPGPSecretKeyRing().getPublicKey(); assertFalse(publicKey.hasRevocation()); - publicKey = PGPPublicKey.addCertification(publicKey, revocationCertificate); + publicKey = PGPPublicKey.addCertification(publicKey, revocationCertificate.getSignature()); assertTrue(publicKey.hasRevocation()); } @@ -88,19 +90,20 @@ public class RevokeSubKeyTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testRevocationSignatureTypeCorrect() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); - Iterator keysIterator = secretKeys.getPublicKeys(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); + Iterator keysIterator = secretKeys.getPGPKeyRing().getPublicKeys(); PGPPublicKey primaryKey = keysIterator.next(); PGPPublicKey subKey = keysIterator.next(); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector .forKey(secretKeys, Passphrase.fromPassword("password123")); - SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); - PGPSignature keyRevocation = editor.createRevocation(primaryKey.getKeyID(), protector, (RevocationAttributes) null); - PGPSignature subkeyRevocation = editor.createRevocation(subKey.getKeyID(), protector, (RevocationAttributes) null); + SecretKeyRingEditorInterface editor = api.modify(secretKeys); + OpenPGPSignature keyRevocation = editor.createRevocation(primaryKey.getKeyIdentifier(), protector, (RevocationAttributes) null); + OpenPGPSignature subkeyRevocation = editor.createRevocation(subKey.getKeyIdentifier(), protector, (RevocationAttributes) null); - assertEquals(SignatureType.KEY_REVOCATION.getCode(), keyRevocation.getSignatureType()); - assertEquals(SignatureType.SUBKEY_REVOCATION.getCode(), subkeyRevocation.getSignatureType()); + assertEquals(SignatureType.KEY_REVOCATION.getCode(), keyRevocation.getSignature().getSignatureType()); + assertEquals(SignatureType.SUBKEY_REVOCATION.getCode(), subkeyRevocation.getSignature().getSignatureType()); } @Test @@ -126,39 +129,39 @@ public class RevokeSubKeyTest { @Test public void inspectSubpacketsOnDefaultRevocationSignature() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys) + PGPPublicKey encryptionSubkey = api.inspect(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) - .revokeSubKey(encryptionSubkey.getKeyID(), protector) + secretKeys = api.modify(secretKeys) + .revokeSubKey(encryptionSubkey.getKeyIdentifier(), protector) .done(); - encryptionSubkey = secretKeys.getPublicKey(encryptionSubkey.getKeyID()); + encryptionSubkey = secretKeys.getPGPSecretKeyRing().getPublicKey(encryptionSubkey.getKeyIdentifier()); PGPSignature revocation = encryptionSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode()).next(); assertNotNull(revocation); assertArrayEquals( - secretKeys.getPublicKey().getFingerprint(), + secretKeys.getPGPSecretKeyRing().getPublicKey().getFingerprint(), revocation.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); - assertEquals(secretKeys.getPublicKey().getKeyID(), + assertEquals(secretKeys.getPGPSecretKeyRing().getPublicKey().getKeyID(), revocation.getHashedSubPackets().getIssuerKeyID()); assertNull(SignatureSubpacketsUtil.getRevocationReason(revocation)); - assertTrue(SignatureUtils.isHardRevocation(revocation)); + assertTrue(revocation.isHardRevocation()); } @Test public void inspectSubpacketsOnModifiedRevocationSignature() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys) + PGPPublicKey encryptionSubkey = api.inspect(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getPGPPublicKey(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) - .revokeSubKey(encryptionSubkey.getKeyID(), protector, new RevocationSignatureSubpackets.Callback() { + secretKeys = api.modify(secretKeys) + .revokeSubKey(encryptionSubkey.getKeyIdentifier(), protector, new RevocationSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) { hashedSubpackets.setRevocationReason( @@ -171,14 +174,14 @@ public class RevokeSubKeyTest { }) .done(); - encryptionSubkey = secretKeys.getPublicKey(encryptionSubkey.getKeyID()); + encryptionSubkey = secretKeys.getPGPSecretKeyRing().getPublicKey(encryptionSubkey.getKeyIdentifier()); PGPSignature revocation = encryptionSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode()).next(); assertNotNull(revocation); assertNull(revocation.getHashedSubPackets().getIssuerFingerprint()); - assertEquals(secretKeys.getPublicKey().getKeyID(), + assertEquals(secretKeys.getKeyIdentifier().getKeyId(), revocation.getHashedSubPackets().getIssuerKeyID()); assertNotNull(SignatureSubpacketsUtil.getRevocationReason(revocation)); - assertFalse(SignatureUtils.isHardRevocation(revocation)); + assertFalse(revocation.isHardRevocation()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java index e06f2065..f39c030f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -13,46 +13,45 @@ import java.util.Date; import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; -import org.pgpainless.util.selection.userid.SelectUserId; public class RevokeUserIdsTest { @Test public void revokeWithSelectUserId() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice "); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addUserId("Allice ", protector) .addUserId("Alice ", protector) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertTrue(info.isUserIdValid("Alice ")); assertTrue(info.isUserIdValid("Allice ")); assertTrue(info.isUserIdValid("Alice ")); Date n1 = new Date(info.getCreationDate().getTime() + 1000); // 1 sec later - secretKeys = PGPainless.modifyKeyRing(secretKeys, n1) + secretKeys = api.modify(secretKeys, n1) .revokeUserIds( - SelectUserId.containsEmailAddress("alice@example.org"), protector, RevocationAttributes.createCertificateRevocation() .withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) - .withoutDescription()) + .withoutDescription(), + uid -> uid.contains("alice@example.org")) .done(); - info = PGPainless.inspectKeyRing(secretKeys, n1); + info = api.inspect(secretKeys, n1); assertTrue(info.isUserIdValid("Alice ")); assertFalse(info.isUserIdValid("Allice ")); assertFalse(info.isUserIdValid("Alice ")); @@ -60,28 +59,28 @@ public class RevokeUserIdsTest { @Test public void removeUserId() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice "); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .addUserId("Allice ", protector) .addUserId("Alice ", protector) .done(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); assertTrue(info.isUserIdValid("Alice ")); assertTrue(info.isUserIdValid("Allice ")); assertTrue(info.isUserIdValid("Alice ")); Date n1 = new Date(info.getCreationDate().getTime() + 1000); - secretKeys = PGPainless.modifyKeyRing(secretKeys, n1) + secretKeys = api.modify(secretKeys, n1) .removeUserId("Allice ", protector) .done(); - info = PGPainless.inspectKeyRing(secretKeys, n1); + info = api.inspect(secretKeys, n1); assertTrue(info.isUserIdValid("Alice ")); assertFalse(info.isUserIdValid("Allice ")); assertTrue(info.isUserIdValid("Alice ")); @@ -95,14 +94,14 @@ public class RevokeUserIdsTest { @Test public void emptySelectionYieldsNoSuchElementException() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice "); assertThrows(NoSuchElementException.class, () -> - PGPainless.modifyKeyRing(secretKeys).revokeUserIds( - SelectUserId.containsEmailAddress("alice@example.org"), + api.modify(secretKeys).revokeUserIds( SecretKeyRingProtector.unprotectedKeys(), - (RevocationAttributes) null)); + (RevocationAttributes) null, + uid -> uid.contains("alice@example.org"))); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index f13f8ab0..0fd98622 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -16,6 +16,7 @@ import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -67,27 +68,27 @@ public class S2KUsageFixTest { @Test public void verifyOutFixInChangePassphraseWorks() throws PGPException { - PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before") - .getPGPSecretKeyRing(); - for (PGPSecretKey key : before) { + PGPainless api = PGPainless.getInstance(); + OpenPGPKey before = api.generateKey().modernKeyRing("Alice", "before"); + for (PGPSecretKey key : before.getPGPSecretKeyRing()) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); } - PGPSecretKeyRing unprotected = PGPainless.modifyKeyRing(before) + OpenPGPKey unprotected = api.modify(before) .changePassphraseFromOldPassphrase(Passphrase.fromPassword("before")) .withSecureDefaultSettings() .toNoPassphrase() .done(); - for (PGPSecretKey key : unprotected) { + for (PGPSecretKey key : unprotected.getPGPSecretKeyRing()) { assertEquals(SecretKeyPacket.USAGE_NONE, key.getS2KUsage()); } - PGPSecretKeyRing after = PGPainless.modifyKeyRing(unprotected) + OpenPGPKey after = api.modify(unprotected) .changePassphraseFromOldPassphrase(Passphrase.emptyPassphrase()) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword("after")) .done(); - for (PGPSecretKey key : after) { + for (PGPSecretKey key : after.getPGPSecretKeyRing()) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); } } @@ -95,18 +96,19 @@ public class S2KUsageFixTest { @Test public void testFixS2KUsageFrom_USAGE_CHECKSUM_to_USAGE_SHA1() throws IOException, PGPException { - PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(KEY_WITH_USAGE_CHECKSUM); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey keys = api.readKey().parseKey(KEY_WITH_USAGE_CHECKSUM); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("after")); - PGPSecretKeyRing fixed = S2KUsageFix.replaceUsageChecksumWithUsageSha1(keys, protector); + PGPSecretKeyRing fixed = S2KUsageFix.replaceUsageChecksumWithUsageSha1(keys.getPGPSecretKeyRing(), protector); for (PGPSecretKey key : fixed) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); } - testCanStillDecrypt(keys, protector); + testCanStillDecrypt(api.toKey(fixed), protector); } - private void testCanStillDecrypt(PGPSecretKeyRing keys, SecretKeyRingProtector protector) + private void testCanStillDecrypt(OpenPGPKey keys, SecretKeyRingProtector protector) throws PGPException, IOException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index 3fcf712e..a377ed82 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -34,6 +34,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -43,7 +44,6 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.SignaturePicker; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; @@ -51,17 +51,17 @@ public class SignatureSubpacketsUtilTest { @Test public void testGetKeyExpirationTimeAsDate() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Expire") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Expire"); Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS)); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .setExpirationDate(expiration, SecretKeyRingProtector.unprotectedKeys()) .done(); PGPSignature expirationSig = SignaturePicker.pickCurrentUserIdCertificationSignature( - secretKeys, "Expire", Policy.getInstance(), new Date()); - OpenPGPCertificate.OpenPGPComponentKey notTheRightKey = PGPainless.inspectKeyRing(secretKeys).getSigningSubkeys().get(0); + secretKeys.getPGPSecretKeyRing(), "Expire", api.getAlgorithmPolicy(), new Date()); + OpenPGPCertificate.OpenPGPComponentKey notTheRightKey = api.inspect(secretKeys).getSigningSubkeys().get(0); assertThrows(IllegalArgumentException.class, () -> SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(expirationSig, notTheRightKey.getPGPPublicKey())); @@ -69,18 +69,19 @@ public class SignatureSubpacketsUtilTest { @Test public void testGetRevocable() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getPrimarySecretKey().getPGPSecretKey(), + SecretKeyRingProtector.unprotectedKeys()); PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); - PGPSignature withoutRevocable = generator.generateCertification(secretKeys.getPublicKey()); + PGPSignature withoutRevocable = generator.generateCertification(secretKeys.getPrimaryKey().getPGPPublicKey()); assertNull(SignatureSubpacketsUtil.getRevocable(withoutRevocable)); generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); hashed.setRevocable(true, true); generator.setHashedSubpackets(hashed.generate()); - PGPSignature withRevocable = generator.generateCertification(secretKeys.getPublicKey()); + PGPSignature withRevocable = generator.generateCertification(secretKeys.getPrimaryKey().getPGPPublicKey()); assertNotNull(SignatureSubpacketsUtil.getRevocable(withRevocable)); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java index d45594e6..b8eccd95 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java @@ -14,7 +14,7 @@ import java.util.List; import java.util.stream.Collectors; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -24,17 +24,17 @@ public class SelectUserIdTest { @Test public void testSelectUserIds() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("") - .getPGPSecretKeyRing(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .simpleEcKeyRing(""); + secretKeys = api.modify(secretKeys) .addUserId( UserId.builder().withName("Alice Liddell").noComment() .withEmail("crazy@the-rabbit.hole").build(), SecretKeyRingProtector.unprotectedKeys()) .done(); - List userIds = PGPainless.inspectKeyRing(secretKeys).getValidUserIds(); + List userIds = api.inspect(secretKeys).getValidUserIds(); List validEmail = userIds.stream().filter(SelectUserId.and( SelectUserId.validUserId(secretKeys), SelectUserId.containsEmailAddress("alice@wonderland.lit") @@ -54,14 +54,14 @@ public class SelectUserIdTest { @Test public void testContainsSubstring() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("wine drinker") - .getPGPSecretKeyRing(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().simpleEcKeyRing("wine drinker"); + secretKeys = api.modify(secretKeys) .addUserId("this is not a quine", SecretKeyRingProtector.unprotectedKeys()) .addUserId("this is not a crime", SecretKeyRingProtector.unprotectedKeys()) .done(); - List userIds = PGPainless.inspectKeyRing(secretKeys).getValidUserIds(); + List userIds = api.inspect(secretKeys).getValidUserIds(); List containSubstring = userIds.stream().filter(SelectUserId.containsSubstring("ine")).collect(Collectors.toList()); assertEquals(Arrays.asList("wine drinker", "this is not a quine"), containSubstring); @@ -69,9 +69,9 @@ public class SelectUserIdTest { @Test public void testContainsEmailAddress() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Alice ") - .getPGPSecretKeyRing(); - List userIds = PGPainless.inspectKeyRing(secretKeys).getValidUserIds(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().simpleEcKeyRing("Alice "); + List userIds = api.inspect(secretKeys).getValidUserIds(); assertEquals("Alice ", userIds.stream().filter( SelectUserId.containsEmailAddress("alice@wonderland.lit")).findFirst().get()); @@ -83,15 +83,15 @@ public class SelectUserIdTest { @Test public void testAndOrNot() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Alice ") - .getPGPSecretKeyRing(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().simpleEcKeyRing("Alice "); + secretKeys = api.modify(secretKeys) .addUserId("Alice ", SecretKeyRingProtector.unprotectedKeys()) .addUserId("", SecretKeyRingProtector.unprotectedKeys()) .addUserId("Crazy Girl ", SecretKeyRingProtector.unprotectedKeys()) .done(); - List userIds = PGPainless.inspectKeyRing(secretKeys).getValidUserIds(); + List userIds = api.inspect(secretKeys).getValidUserIds(); List or = userIds.stream().filter(SelectUserId.or( SelectUserId.containsEmailAddress("alice@wonderland.lit"), @@ -110,12 +110,12 @@ public class SelectUserIdTest { @Test public void testFirstMatch() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("First UserID") - .getPGPSecretKeyRing(); - secretKeys = PGPainless.modifyKeyRing(secretKeys) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey().simpleEcKeyRing("First UserID"); + secretKeys = api.modify(secretKeys) .addUserId("Second UserID", SecretKeyRingProtector.unprotectedKeys()) .done(); - List userIds = PGPainless.inspectKeyRing(secretKeys).getValidUserIds(); + List userIds = api.inspect(secretKeys).getValidUserIds(); assertEquals("First UserID", userIds.stream().filter(SelectUserId.validUserId(secretKeys)).findFirst().get()); assertEquals("Second UserID", userIds.stream().filter(SelectUserId.containsSubstring("Second")).findFirst().get()); } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt index ecc87e62..f53338ee 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt @@ -9,10 +9,11 @@ import java.io.InputStream import java.io.OutputStream import java.lang.RuntimeException import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPPublicKeyRingCollection +import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless import org.pgpainless.bouncycastle.extensions.openPgpFingerprint +import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.key.util.RevocationAttributes @@ -38,7 +39,7 @@ class RevokeKeyImpl : RevokeKey { secretKeyRings.forEach { protector.addSecretKey(it) } - val revocationCertificates = mutableListOf() + val revocationCertificates = mutableListOf() secretKeyRings.forEach { secretKeys -> val editor = PGPainless.modifyKeyRing(secretKeys) try { @@ -53,7 +54,8 @@ class RevokeKeyImpl : RevokeKey { val certificate = PGPainless.extractCertificate(secretKeys) val revocation = editor.createRevocation(protector, attributes) revocationCertificates.add( - KeyRingUtils.injectCertification(certificate, revocation)) + KeyRingUtils.injectCertification(certificate, revocation.signature) + .toOpenPGPCertificate()) } } catch (e: WrongPassphraseException) { throw SOPGPException.KeyIsProtected( @@ -67,7 +69,8 @@ class RevokeKeyImpl : RevokeKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { - val collection = PGPPublicKeyRingCollection(revocationCertificates) + val collection = + PGPPublicKeyRingCollection(revocationCertificates.map { it.pgpPublicKeyRing }) if (armor) { val armorOut = ArmoredOutputStreamFactory.get(outputStream) collection.encode(armorOut) diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java index cb45551d..6756300a 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessChangeKeyPasswordTest.java @@ -7,7 +7,7 @@ package sop.testsuite.pgpainless.operation; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; @@ -32,13 +32,13 @@ public class PGPainlessChangeKeyPasswordTest extends ChangeKeyPasswordTest { @ParameterizedTest @MethodSource("provideInstances") public void changePasswordOfKeyWithSeparateSubkeyPasswords(SOP sop) throws IOException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build() - .getPGPSecretKeyRing(); - Iterator keys = secretKeys.getPublicKeys(); + .build(); + Iterator keys = secretKeys.getPGPSecretKeyRing().getPublicKeys(); KeyIdentifier primaryKeyId = keys.next().getKeyIdentifier(); KeyIdentifier signingKeyId = keys.next().getKeyIdentifier(); KeyIdentifier encryptKeyId = keys.next().getKeyIdentifier(); @@ -47,7 +47,7 @@ public class PGPainlessChangeKeyPasswordTest extends ChangeKeyPasswordTest { String p2 = "0r4ng3"; String p3 = "dr4g0n"; - secretKeys = PGPainless.modifyKeyRing(secretKeys) + secretKeys = api.modify(secretKeys) .changeSubKeyPassphraseFromOldPassphrase(primaryKeyId, Passphrase.emptyPassphrase()) .withSecureDefaultSettings() .toNewPassphrase(Passphrase.fromPassword(p1)) From 766a22716ef0ef0fe6920a3e5c0bf7aea3366d3a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 15:03:24 +0100 Subject: [PATCH 107/265] SOP: Inject API instance --- .../kotlin/org/pgpainless/sop/ArmorImpl.kt | 3 +- .../pgpainless/sop/ChangeKeyPasswordImpl.kt | 3 +- .../kotlin/org/pgpainless/sop/DearmorImpl.kt | 3 +- .../kotlin/org/pgpainless/sop/DecryptImpl.kt | 4 +-- .../org/pgpainless/sop/DetachedSignImpl.kt | 10 +++---- .../org/pgpainless/sop/DetachedVerifyImpl.kt | 4 +-- .../kotlin/org/pgpainless/sop/EncryptImpl.kt | 16 +++++----- .../org/pgpainless/sop/ExtractCertImpl.kt | 2 +- .../org/pgpainless/sop/GenerateKeyImpl.kt | 2 +- .../org/pgpainless/sop/InlineDetachImpl.kt | 10 +++---- .../org/pgpainless/sop/InlineSignImpl.kt | 10 +++---- .../org/pgpainless/sop/InlineVerifyImpl.kt | 4 +-- .../org/pgpainless/sop/ListProfilesImpl.kt | 3 +- .../sop/MatchMakingSecretKeyRingProtector.kt | 4 +-- .../org/pgpainless/sop/RevokeKeyImpl.kt | 14 +++++---- .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 30 +++++++++++-------- .../kotlin/org/pgpainless/sop/SOPVImpl.kt | 9 +++--- .../kotlin/org/pgpainless/sop/VersionImpl.kt | 3 +- 18 files changed, 72 insertions(+), 62 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt index 40ac811d..daffcd30 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt @@ -9,6 +9,7 @@ import java.io.InputStream import java.io.OutputStream import kotlin.jvm.Throws import org.bouncycastle.util.io.Streams +import org.pgpainless.PGPainless import org.pgpainless.decryption_verification.OpenPgpInputStream import org.pgpainless.util.ArmoredOutputStreamFactory import sop.Ready @@ -16,7 +17,7 @@ import sop.exception.SOPGPException import sop.operation.Armor /** Implementation of the `armor` operation using PGPainless. */ -class ArmorImpl : Armor { +class ArmorImpl(private val api: PGPainless) : Armor { @Throws(SOPGPException.BadData::class) override fun data(data: InputStream): Ready { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt index a9aaf1e4..a63d73ed 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt @@ -9,6 +9,7 @@ import java.io.InputStream import java.io.OutputStream import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSecretKeyRingCollection +import org.pgpainless.PGPainless import org.pgpainless.bouncycastle.extensions.openPgpFingerprint import org.pgpainless.exception.MissingPassphraseException import org.pgpainless.key.protection.SecretKeyRingProtector @@ -20,7 +21,7 @@ import sop.exception.SOPGPException import sop.operation.ChangeKeyPassword /** Implementation of the `change-key-password` operation using PGPainless. */ -class ChangeKeyPasswordImpl : ChangeKeyPassword { +class ChangeKeyPasswordImpl(private val api: PGPainless) : ChangeKeyPassword { private val oldProtector = MatchMakingSecretKeyRingProtector() private var newPassphrase = Passphrase.emptyPassphrase() diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DearmorImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DearmorImpl.kt index 9d196004..2d6e02d9 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DearmorImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DearmorImpl.kt @@ -10,12 +10,13 @@ import java.io.InputStream import java.io.OutputStream import org.bouncycastle.openpgp.PGPUtil import org.bouncycastle.util.io.Streams +import org.pgpainless.PGPainless import sop.Ready import sop.exception.SOPGPException import sop.operation.Dearmor /** Implementation of the `dearmor` operation using PGPainless. */ -class DearmorImpl : Dearmor { +class DearmorImpl(private val api: PGPainless) : Dearmor { override fun data(data: InputStream): Ready { val decoder = diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt index de2b2b3c..26c372a5 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt @@ -25,9 +25,9 @@ import sop.operation.Decrypt import sop.util.UTF8Util /** Implementation of the `decrypt` operation using PGPainless. */ -class DecryptImpl : Decrypt { +class DecryptImpl(private val api: PGPainless) : Decrypt { - private val consumerOptions = ConsumerOptions.get() + private val consumerOptions = ConsumerOptions.get(api) private val protector = MatchMakingSecretKeyRingProtector() override fun ciphertext(ciphertext: InputStream): ReadyWithResult { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt index 19bc782b..a7271740 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt @@ -30,9 +30,9 @@ import sop.operation.DetachedSign import sop.util.UTF8Util /** Implementation of the `sign` operation using PGPainless. */ -class DetachedSignImpl : DetachedSign { +class DetachedSignImpl(private val api: PGPainless) : DetachedSign { - private val signingOptions = SigningOptions.get() + private val signingOptions = SigningOptions.get(api) private val protector = MatchMakingSecretKeyRingProtector() private val signingKeys = mutableListOf() @@ -56,10 +56,10 @@ class DetachedSignImpl : DetachedSign { try { val signingStream = - PGPainless.encryptAndOrSign() + api.generateMessage() .discardOutput() .withOptions( - ProducerOptions.sign(signingOptions) + ProducerOptions.sign(signingOptions, api) .setAsciiArmor(armor) .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)) @@ -94,7 +94,7 @@ class DetachedSignImpl : DetachedSign { override fun key(key: InputStream): DetachedSign = apply { KeyReader.readSecretKeys(key, true).forEach { - val info = PGPainless.inspectKeyRing(it) + val info = api.inspect(api.toKey(it)) if (!info.isUsableForSigning) { throw SOPGPException.KeyCannotSign( "Key ${info.fingerprint} does not have valid, signing capable subkeys.") diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt index 08472144..c73d30ac 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt @@ -18,9 +18,9 @@ import sop.operation.DetachedVerify import sop.operation.VerifySignatures /** Implementation of the `verify` operation using PGPainless. */ -class DetachedVerifyImpl : DetachedVerify { +class DetachedVerifyImpl(private val api: PGPainless) : DetachedVerify { - private val options = ConsumerOptions.get().forceNonOpenPgpData() + private val options = ConsumerOptions.get(api).forceNonOpenPgpData() override fun cert(cert: InputStream): DetachedVerify = apply { options.addVerificationCerts(KeyReader.readPublicKeys(cert, true)) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt index b227561e..a0534f56 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt @@ -30,7 +30,7 @@ import sop.operation.Encrypt import sop.util.UTF8Util /** Implementation of the `encrypt` operation using PGPainless. */ -class EncryptImpl : Encrypt { +class EncryptImpl(private val api: PGPainless) : Encrypt { companion object { @JvmField val RFC4880_PROFILE = Profile("rfc4880", "Follow the packet format of rfc4880") @@ -38,7 +38,7 @@ class EncryptImpl : Encrypt { @JvmField val SUPPORTED_PROFILES = listOf(RFC4880_PROFILE) } - private val encryptionOptions = EncryptionOptions.get() + private val encryptionOptions = EncryptionOptions.get(api) private var signingOptions: SigningOptions? = null private val signingKeys = mutableListOf() private val protector = MatchMakingSecretKeyRingProtector() @@ -58,9 +58,9 @@ class EncryptImpl : Encrypt { val options = if (signingOptions != null) { - ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions!!) + ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions!!, api) } else { - ProducerOptions.encrypt(encryptionOptions) + ProducerOptions.encrypt(encryptionOptions, api) } .setAsciiArmor(armor) .setEncoding(modeToStreamEncoding(mode)) @@ -81,9 +81,7 @@ class EncryptImpl : Encrypt { return object : ReadyWithResult() { override fun writeTo(outputStream: OutputStream): EncryptionResult { val encryptionStream = - PGPainless.encryptAndOrSign() - .onOutputStream(outputStream) - .withOptions(options) + api.generateMessage().onOutputStream(outputStream).withOptions(options) Streams.pipeAll(plaintext, encryptionStream) encryptionStream.close() // TODO: Extract and emit session key once BC supports that @@ -103,7 +101,7 @@ class EncryptImpl : Encrypt { override fun signWith(key: InputStream): Encrypt = apply { if (signingOptions == null) { - signingOptions = SigningOptions.get() + signingOptions = SigningOptions.get(api) } val signingKey = @@ -112,7 +110,7 @@ class EncryptImpl : Encrypt { AssertionError( "Exactly one secret key at a time expected. Got zero or multiple instead.")) - val info = PGPainless.inspectKeyRing(signingKey) + val info = api.inspect(api.toKey(signingKey)) if (info.signingSubkeys.isEmpty()) { throw SOPGPException.KeyCannotSign("Key ${info.fingerprint} cannot sign.") } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt index 7fe66ee5..426d5787 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt @@ -13,7 +13,7 @@ import sop.Ready import sop.operation.ExtractCert /** Implementation of the `extract-cert` operation using PGPainless. */ -class ExtractCertImpl : ExtractCert { +class ExtractCertImpl(private val api: PGPainless) : ExtractCert { private var armor = true diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index fe904909..ca9cb98a 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -26,7 +26,7 @@ import sop.exception.SOPGPException import sop.operation.GenerateKey /** Implementation of the `generate-key` operation using PGPainless. */ -class GenerateKeyImpl : GenerateKey { +class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { companion object { @JvmField diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt index 2d2ae063..6a751550 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt @@ -13,8 +13,8 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPLiteralData import org.bouncycastle.openpgp.PGPOnePassSignatureList import org.bouncycastle.openpgp.PGPSignatureList -import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.io.Streams +import org.pgpainless.PGPainless import org.pgpainless.decryption_verification.OpenPgpInputStream import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil import org.pgpainless.exception.WrongConsumingMethodException @@ -25,7 +25,7 @@ import sop.exception.SOPGPException import sop.operation.InlineDetach /** Implementation of the `inline-detach` operation using PGPainless. */ -class InlineDetachImpl : InlineDetach { +class InlineDetachImpl(private val api: PGPainless) : InlineDetach { private var armor = true @@ -72,7 +72,7 @@ class InlineDetachImpl : InlineDetach { } // handle binary OpenPGP data - var objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(pgpIn) + var objectFactory = api.implementation.pgpObjectFactory(pgpIn) var next: Any? while (objectFactory.nextObject().also { next = it } != null) { @@ -94,8 +94,8 @@ class InlineDetachImpl : InlineDetach { // Decompress compressed data try { objectFactory = - OpenPGPImplementation.getInstance() - .pgpObjectFactory((next as PGPCompressedData).dataStream) + api.implementation.pgpObjectFactory( + (next as PGPCompressedData).dataStream) } catch (e: PGPException) { throw SOPGPException.BadData( "Cannot decompress PGPCompressedData", e) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt index bd77b553..7f9cd0eb 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt @@ -27,9 +27,9 @@ import sop.operation.InlineSign import sop.util.UTF8Util /** Implementation of the `inline-sign` operation using PGPainless. */ -class InlineSignImpl : InlineSign { +class InlineSignImpl(private val api: PGPainless) : InlineSign { - private val signingOptions = SigningOptions.get() + private val signingOptions = SigningOptions.get(api) private val protector = MatchMakingSecretKeyRingProtector() private val signingKeys = mutableListOf() @@ -57,7 +57,7 @@ class InlineSignImpl : InlineSign { } val producerOptions = - ProducerOptions.sign(signingOptions).apply { + ProducerOptions.sign(signingOptions, api).apply { when (mode) { InlineSignAs.clearsigned -> { setCleartextSigned() @@ -80,7 +80,7 @@ class InlineSignImpl : InlineSign { override fun writeTo(outputStream: OutputStream) { try { val signingStream = - PGPainless.encryptAndOrSign() + api.generateMessage() .onOutputStream(outputStream) .withOptions(producerOptions) @@ -98,7 +98,7 @@ class InlineSignImpl : InlineSign { override fun key(key: InputStream): InlineSign = apply { KeyReader.readSecretKeys(key, true).forEach { - val info = PGPainless.inspectKeyRing(it) + val info = api.inspect(api.toKey(it)) if (!info.isUsableForSigning) { throw SOPGPException.KeyCannotSign( "Key ${info.fingerprint} does not have valid, signing capable subkeys.") diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt index 0b4e7d2f..bfc3dd37 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt @@ -19,9 +19,9 @@ import sop.exception.SOPGPException import sop.operation.InlineVerify /** Implementation of the `inline-verify` operation using PGPainless. */ -class InlineVerifyImpl : InlineVerify { +class InlineVerifyImpl(private val api: PGPainless) : InlineVerify { - private val options = ConsumerOptions.get() + private val options = ConsumerOptions.get(api) override fun cert(cert: InputStream): InlineVerify = apply { options.addVerificationCerts(KeyReader.readPublicKeys(cert, true)) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ListProfilesImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ListProfilesImpl.kt index 39a5151d..a196fd01 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ListProfilesImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ListProfilesImpl.kt @@ -4,12 +4,13 @@ package org.pgpainless.sop +import org.pgpainless.PGPainless import sop.Profile import sop.exception.SOPGPException import sop.operation.ListProfiles /** Implementation of the `list-profiles` operation using PGPainless. */ -class ListProfilesImpl : ListProfiles { +class ListProfilesImpl(private val api: PGPainless) : ListProfiles { override fun subcommand(command: String): List = when (command) { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt index ea0753c4..d4a4cb7e 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt @@ -86,8 +86,8 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { override fun getEncryptor(key: PGPPublicKey): PBESecretKeyEncryptor? = protector.getEncryptor(key) - override fun getKeyPassword(p0: OpenPGPKey.OpenPGPSecretKey): CharArray? = - protector.getKeyPassword(p0) + override fun getKeyPassword(key: OpenPGPKey.OpenPGPSecretKey): CharArray? = + protector.getKeyPassword(key) /** Clear all known passphrases from the protector. */ fun clear() { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt index f53338ee..67dd36a2 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt @@ -24,7 +24,7 @@ import sop.exception.SOPGPException import sop.operation.RevokeKey import sop.util.UTF8Util -class RevokeKeyImpl : RevokeKey { +class RevokeKeyImpl(private val api: PGPainless) : RevokeKey { private val protector = MatchMakingSecretKeyRingProtector() private var armor = true @@ -41,21 +41,23 @@ class RevokeKeyImpl : RevokeKey { val revocationCertificates = mutableListOf() secretKeyRings.forEach { secretKeys -> - val editor = PGPainless.modifyKeyRing(secretKeys) + val openPGPKey = api.toKey(secretKeys) + val editor = api.modify(openPGPKey) try { val attributes = RevocationAttributes.createKeyRevocation() .withReason(RevocationAttributes.Reason.NO_REASON) .withoutDescription() - if (secretKeys.publicKey.version == 6) { + if (openPGPKey.primaryKey.version == 6) { revocationCertificates.add( editor.createMinimalRevocationCertificate(protector, attributes)) } else { - val certificate = PGPainless.extractCertificate(secretKeys) + val certificate = openPGPKey.toCertificate() val revocation = editor.createRevocation(protector, attributes) revocationCertificates.add( - KeyRingUtils.injectCertification(certificate, revocation.signature) - .toOpenPGPCertificate()) + KeyRingUtils.injectCertification( + certificate.pgpKeyRing, revocation.signature) + .toOpenPGPCertificate(api.implementation)) } } catch (e: WrongPassphraseException) { throw SOPGPException.KeyIsProtected( diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index 16f54a22..6af80060 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -4,6 +4,7 @@ package org.pgpainless.sop +import org.pgpainless.PGPainless import sop.SOP import sop.SOPV import sop.operation.Armor @@ -22,35 +23,38 @@ import sop.operation.ListProfiles import sop.operation.RevokeKey import sop.operation.Version -class SOPImpl(private val sopv: SOPV = SOPVImpl()) : SOP { +class SOPImpl( + private val api: PGPainless = PGPainless.getInstance(), + private val sopv: SOPV = SOPVImpl(api) +) : SOP { - override fun armor(): Armor = ArmorImpl() + override fun armor(): Armor = ArmorImpl(api) - override fun changeKeyPassword(): ChangeKeyPassword = ChangeKeyPasswordImpl() + override fun changeKeyPassword(): ChangeKeyPassword = ChangeKeyPasswordImpl(api) - override fun dearmor(): Dearmor = DearmorImpl() + override fun dearmor(): Dearmor = DearmorImpl(api) - override fun decrypt(): Decrypt = DecryptImpl() + override fun decrypt(): Decrypt = DecryptImpl(api) - override fun detachedSign(): DetachedSign = DetachedSignImpl() + override fun detachedSign(): DetachedSign = DetachedSignImpl(api) override fun detachedVerify(): DetachedVerify = sopv.detachedVerify() - override fun encrypt(): Encrypt = EncryptImpl() + override fun encrypt(): Encrypt = EncryptImpl(api) - override fun extractCert(): ExtractCert = ExtractCertImpl() + override fun extractCert(): ExtractCert = ExtractCertImpl(api) - override fun generateKey(): GenerateKey = GenerateKeyImpl() + override fun generateKey(): GenerateKey = GenerateKeyImpl(api) - override fun inlineDetach(): InlineDetach = InlineDetachImpl() + override fun inlineDetach(): InlineDetach = InlineDetachImpl(api) - override fun inlineSign(): InlineSign = InlineSignImpl() + override fun inlineSign(): InlineSign = InlineSignImpl(api) override fun inlineVerify(): InlineVerify = sopv.inlineVerify() - override fun listProfiles(): ListProfiles = ListProfilesImpl() + override fun listProfiles(): ListProfiles = ListProfilesImpl(api) - override fun revokeKey(): RevokeKey = RevokeKeyImpl() + override fun revokeKey(): RevokeKey = RevokeKeyImpl(api) override fun version(): Version = sopv.version() } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt index 43b4c64f..d1f729cf 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt @@ -4,21 +4,22 @@ package org.pgpainless.sop +import org.pgpainless.PGPainless import org.pgpainless.util.ArmoredOutputStreamFactory import sop.SOPV import sop.operation.DetachedVerify import sop.operation.InlineVerify import sop.operation.Version -class SOPVImpl : SOPV { +class SOPVImpl(private val api: PGPainless) : SOPV { init { ArmoredOutputStreamFactory.setVersionInfo(null) } - override fun detachedVerify(): DetachedVerify = DetachedVerifyImpl() + override fun detachedVerify(): DetachedVerify = DetachedVerifyImpl(api) - override fun inlineVerify(): InlineVerify = InlineVerifyImpl() + override fun inlineVerify(): InlineVerify = InlineVerifyImpl(api) - override fun version(): Version = VersionImpl() + override fun version(): Version = VersionImpl(api) } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt index 94b9c016..b43ef9b9 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt @@ -8,11 +8,12 @@ import java.io.IOException import java.io.InputStream import java.util.* import org.bouncycastle.jce.provider.BouncyCastleProvider +import org.pgpainless.PGPainless import sop.SOP import sop.operation.Version /** Implementation of the `version` operation using PGPainless. */ -class VersionImpl : Version { +class VersionImpl(private val api: PGPainless) : Version { companion object { const val SOP_VERSION = 10 From 24f871c178fa897cb9c8ee78ec22f04381ccb93b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 18:39:12 +0100 Subject: [PATCH 108/265] Update some examples in the README file --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index e305e43a..65281607 100644 --- a/README.md +++ b/README.md @@ -65,24 +65,23 @@ Reading keys from ASCII armored strings or from binary files is easy: ```java String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"... - PGPSecretKeyRing secretKey = PGPainless.readKeyRing() - .secretKeyRing(key); + OpenPGPKey secretKey = PGPainless.getInstance().readKey() + .parseKey(key); ``` Similarly, keys can quickly be exported:: ```java - PGPSecretKeyRing secretKey = ...; - String armored = PGPainless.asciiArmor(secretKey); - ByteArrayOutputStream binary = new ByteArrayOutputStream(); - secretKey.encode(binary); + OpenPGPKey secretKey = ...; + String armored = secretKey.toAsciiArmoredString(); + byte[] binary = secretKey.getEncoded(); ``` Extract a public key certificate from a secret key: ```java - PGPSecretKeyRing secretKey = ...; - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); + OpenPGPKey secretKey = ...; + OpenPGPCertificate certificate = secretKey.toCertificate(); ``` ### Easily Generate Keys @@ -90,16 +89,17 @@ PGPainless comes with a simple to use `KeyRingBuilder` class that helps you to q There are some predefined key archetypes, but it is possible to fully customize key generation to your needs. ```java + PGPainless api = PGPainless.getInstance(); // RSA key without additional subkeys - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + OpenPGPKey secretKeys = api.generateKey() .simpleRsaKeyRing("Juliet ", RsaLength._4096); // EdDSA primary key with EdDSA signing- and XDH encryption subkeys - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + OpenPGPKey secretKeys = api.generateKey() .modernKeyRing("Romeo ", "I defy you, stars!"); // Customized key - PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() + OpenPGPKey keyRing = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( RSA.withLength(RsaLength._8192), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) @@ -124,24 +124,26 @@ algorithms accordingly. Still it allows you to manually specify which algorithms to use of course. ```java - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + PGPainless api = PGPainless.getInstance(); + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(outputStream) .withOptions( ProducerOptions.signAndEncrypt( - new EncryptionOptions() + EncryptionOptions.get(api) .addRecipient(aliceKey) .addRecipient(bobsKey) // optionally encrypt to a passphrase .addMessagePassphrase(Passphrase.fromPassword("password123")) // optionally override symmetric encryption algorithm .overrideEncryptionAlgorithm(SymmetricKeyAlgorithm.AES_192), - new SigningOptions() + SigningOptions.get(api) // Sign in-line (using one-pass-signature packet) .addInlineSignature(secretKeyDecryptor, aliceSecKey, signatureType) // Sign using a detached signature .addDetachedSignature(secretKeyDecryptor, aliceSecKey, signatureType) // optionally override hash algorithm - .overrideHashAlgorithm(HashAlgorithm.SHA256) + .overrideHashAlgorithm(HashAlgorithm.SHA256), + api ).setAsciiArmor(true) // Ascii armor or not ); @@ -163,7 +165,7 @@ This behaviour can be modified though using the `Policy` class. ```java DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(encryptedInputStream) - .withOptions(new ConsumerOptions() + .withOptions(ConsumerOptions.get(api) .addDecryptionKey(bobSecKeys, secretKeyProtector) .addVerificationCert(alicePubKeys) ); From 6d25ddefabd3611362aa6453bd026876396e43de Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 18:51:29 +0100 Subject: [PATCH 109/265] PGPSignatureExtensions: Port wasIssuedBy() to KeyIdentifier --- .../extensions/PGPSignatureExtensions.kt | 17 ++++++----------- .../org/pgpainless/signature/SignatureUtils.kt | 9 --------- 2 files changed, 6 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt index 1393883c..428a0ee9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt @@ -6,6 +6,7 @@ package org.pgpainless.bouncycastle.extensions import java.util.* import openpgp.plusSeconds +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.pgpainless.algorithm.HashAlgorithm @@ -56,23 +57,17 @@ val PGPSignature.issuerKeyId: Long /** Return true, if the signature was likely issued by a key with the given fingerprint. */ fun PGPSignature.wasIssuedBy(fingerprint: OpenPgpFingerprint): Boolean = - this.fingerprint?.let { it.keyId == fingerprint.keyId } ?: (keyID == fingerprint.keyId) + wasIssuedBy(fingerprint.keyIdentifier) /** * Return true, if the signature was likely issued by a key with the given fingerprint. * - * @param fingerprint fingerprint bytes + * @param key key */ -@Deprecated("Discouraged in favor of method taking an OpenPgpFingerprint.") -fun PGPSignature.wasIssuedBy(fingerprint: ByteArray): Boolean = - try { - wasIssuedBy(OpenPgpFingerprint.parseFromBinary(fingerprint)) - } catch (e: IllegalArgumentException) { - // Unknown fingerprint length / format - false - } +fun PGPSignature.wasIssuedBy(key: PGPPublicKey): Boolean = wasIssuedBy(key.keyIdentifier) -fun PGPSignature.wasIssuedBy(key: PGPPublicKey): Boolean = wasIssuedBy(OpenPgpFingerprint.of(key)) +fun PGPSignature.wasIssuedBy(keyIdentifier: KeyIdentifier): Boolean = + KeyIdentifier.matches(this.keyIdentifiers, keyIdentifier, true) /** Return true, if this signature is a hard revocation. */ val PGPSignature.isHardRevocation diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt index e4136cc0..0ef6dc5a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/SignatureUtils.kt @@ -214,15 +214,6 @@ class SignatureUtils { return Hex.toHexString(signature.digestPrefix) } - @JvmStatic - @Deprecated( - "Deprecated in favor of PGPSignature extension method", - ReplaceWith( - "signature.wasIssuedBy(fingerprint)", "org.bouncycastle.extensions.wasIssuedBy")) - fun wasIssuedBy(fingerprint: ByteArray, signature: PGPSignature): Boolean { - return signature.wasIssuedBy(fingerprint) - } - @JvmStatic @Deprecated( "Deprecated in favor of PGPSignature extension method", From fad3974b217ed26a94aa5a465d0688d8e219d2df Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 19:02:48 +0100 Subject: [PATCH 110/265] Migrate some extension functions --- .../extensions/OpenPGPKeyExtensions.kt | 4 ++ .../extensions/PGPSecretKeyRingExtensions.kt | 45 ++++++++++++++----- .../PGPSecretKeyRingExtensionsTest.kt | 21 ++++++--- 3 files changed, 53 insertions(+), 17 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt index 6be48f4a..305bca15 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt @@ -5,8 +5,12 @@ package org.pgpainless.bouncycastle.extensions import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData +import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey fun OpenPGPKey.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): OpenPGPSecretKey? = this.getSecretKey(pkesk.keyIdentifier) + +fun OpenPGPKey.getSecretKeyFor(signature: PGPSignature): OpenPGPSecretKey? = + this.getSecretKey(signature.fingerprint!!.keyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt index 90c67236..9566988f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt @@ -4,8 +4,13 @@ package org.pgpainless.bouncycastle.extensions -import openpgp.openPgpKeyId -import org.bouncycastle.openpgp.* +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.PGPOnePassSignature +import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData +import org.bouncycastle.openpgp.PGPPublicKeyRing +import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless @@ -21,7 +26,17 @@ val PGPSecretKeyRing.certificate: PGPPublicKeyRing * @param keyId keyId of the secret key * @return true, if the [PGPSecretKeyRing] has a matching [PGPSecretKey], false otherwise */ -fun PGPSecretKeyRing.hasSecretKey(keyId: Long): Boolean = this.getSecretKey(keyId) != null +@Deprecated("Pass in a KeyIdentifier instead.") +fun PGPSecretKeyRing.hasSecretKey(keyId: Long): Boolean = hasSecretKey(KeyIdentifier(keyId)) + +/** + * Return true, if the [PGPSecretKeyRing] contains a [PGPSecretKey] with the given [keyIdentifier]. + * + * @param keyIdentifier identifier of the secret key + * @return true, if the [PGPSecretKeyRing] has a matching [PGPSecretKey], false otherwise + */ +fun PGPSecretKeyRing.hasSecretKey(keyIdentifier: KeyIdentifier): Boolean = + this.getSecretKey(keyIdentifier) != null /** * Return true, if the [PGPSecretKeyRing] contains a [PGPSecretKey] with the given fingerprint. @@ -30,7 +45,7 @@ fun PGPSecretKeyRing.hasSecretKey(keyId: Long): Boolean = this.getSecretKey(keyI * @return true, if the [PGPSecretKeyRing] has a matching [PGPSecretKey], false otherwise */ fun PGPSecretKeyRing.hasSecretKey(fingerprint: OpenPgpFingerprint): Boolean = - this.getSecretKey(fingerprint) != null + hasSecretKey(fingerprint.keyIdentifier) /** * Return the [PGPSecretKey] with the given [OpenPgpFingerprint]. @@ -39,7 +54,7 @@ fun PGPSecretKeyRing.hasSecretKey(fingerprint: OpenPgpFingerprint): Boolean = * @return the secret key or null */ fun PGPSecretKeyRing.getSecretKey(fingerprint: OpenPgpFingerprint): PGPSecretKey? = - this.getSecretKey(fingerprint.bytes) + this.getSecretKey(fingerprint.keyIdentifier) /** * Return the [PGPSecretKey] with the given key-ID. @@ -47,10 +62,20 @@ fun PGPSecretKeyRing.getSecretKey(fingerprint: OpenPgpFingerprint): PGPSecretKey * @throws NoSuchElementException if the OpenPGP key doesn't contain a secret key with the given * key-ID */ +@Deprecated("Pass in a KeyIdentifier instead.") fun PGPSecretKeyRing.requireSecretKey(keyId: Long): PGPSecretKey = - getSecretKey(keyId) + requireSecretKey(KeyIdentifier(keyId)) + +/** + * Return the [PGPSecretKey] with the given [keyIdentifier]. + * + * @throws NoSuchElementException if the OpenPGP key doesn't contain a secret key with the given + * keyIdentifier + */ +fun PGPSecretKeyRing.requireSecretKey(keyIdentifier: KeyIdentifier): PGPSecretKey = + getSecretKey(keyIdentifier) ?: throw NoSuchElementException( - "OpenPGP key does not contain key with id ${keyId.openPgpKeyId()}.") + "OpenPGP key does not contain key with id ${keyIdentifier}.") /** * Return the [PGPSecretKey] with the given fingerprint. @@ -59,9 +84,7 @@ fun PGPSecretKeyRing.requireSecretKey(keyId: Long): PGPSecretKey = * fingerprint */ fun PGPSecretKeyRing.requireSecretKey(fingerprint: OpenPgpFingerprint): PGPSecretKey = - getSecretKey(fingerprint) - ?: throw NoSuchElementException( - "OpenPGP key does not contain key with fingerprint $fingerprint.") + requireSecretKey(fingerprint.keyIdentifier) /** * Return the [PGPSecretKey] that matches the [OpenPgpFingerprint] of the given [PGPSignature]. If @@ -73,7 +96,7 @@ fun PGPSecretKeyRing.getSecretKeyFor(signature: PGPSignature): PGPSecretKey? = /** Return the [PGPSecretKey] that matches the key-ID of the given [PGPOnePassSignature] packet. */ fun PGPSecretKeyRing.getSecretKeyFor(onePassSignature: PGPOnePassSignature): PGPSecretKey? = - this.getSecretKey(onePassSignature.keyID) + this.getSecretKey(onePassSignature.keyIdentifier) fun PGPSecretKeyRing.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): PGPSecretKey? = this.getSecretKey(pkesk.keyIdentifier) diff --git a/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt b/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt index 90641aff..d1aa7682 100644 --- a/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt +++ b/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt @@ -22,28 +22,37 @@ class PGPSecretKeyRingExtensionsTest { @Test fun testHasPgpSecretKeyRing() { val key = TestKeys.getEmilSecretKeyRing() - assertTrue(key.hasSecretKey(TestKeys.EMIL_KEY_ID)) + assertTrue(key.hasSecretKey(TestKeys.EMIL_FINGERPRINT.keyIdentifier)) + assertTrue(key.hasSecretKey(TestKeys.EMIL_FINGERPRINT.keyId)) assertTrue(key.hasSecretKey(TestKeys.EMIL_FINGERPRINT)) - assertFalse(key.hasSecretKey(TestKeys.ROMEO_KEY_ID)) + assertFalse(key.hasSecretKey(TestKeys.ROMEO_FINGERPRINT.keyIdentifier)) + assertFalse(key.hasSecretKey(TestKeys.ROMEO_FINGERPRINT.keyId)) assertFalse(key.hasSecretKey(TestKeys.ROMEO_FINGERPRINT)) } @Test fun testRequireSecretKey() { val key = TestKeys.getEmilSecretKeyRing() - assertNotNull(key.requireSecretKey(TestKeys.EMIL_KEY_ID)) + assertNotNull(key.requireSecretKey(TestKeys.EMIL_FINGERPRINT.keyIdentifier)) + assertNotNull(key.requireSecretKey(TestKeys.EMIL_FINGERPRINT.keyId)) assertNotNull(key.requireSecretKey(TestKeys.EMIL_FINGERPRINT)) - assertThrows { key.requireSecretKey(TestKeys.ROMEO_KEY_ID) } + assertThrows { + key.requireSecretKey(TestKeys.ROMEO_FINGERPRINT.keyIdentifier) + } + assertThrows { + key.requireSecretKey(TestKeys.ROMEO_FINGERPRINT.keyId) + } assertThrows { key.requireSecretKey(TestKeys.ROMEO_FINGERPRINT) } } @Test fun testGetSecretKeyForSignature() { - val key = TestKeys.getEmilSecretKeyRing() + val key = TestKeys.getEmilKey() val signer = - PGPainless.encryptAndOrSign() + PGPainless.getInstance() + .generateMessage() .onOutputStream(ByteArrayOutputStream()) .withOptions( ProducerOptions.sign( From efc20145b1a0bd87b77c8ea3548b5743fc356baf Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 19:13:09 +0100 Subject: [PATCH 111/265] Port more extension functions --- .../extensions/PGPKeyRingExtensions.kt | 41 ++++++++++++------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt index 5727ee7c..f7222c67 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt @@ -4,7 +4,7 @@ package org.pgpainless.bouncycastle.extensions -import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPublicKey @@ -17,8 +17,17 @@ import org.pgpainless.key.SubkeyIdentifier /** Return true, if this [PGPKeyRing] contains the subkey identified by the [SubkeyIdentifier]. */ fun PGPKeyRing.matches(subkeyIdentifier: SubkeyIdentifier): Boolean = - this.publicKey.keyID == subkeyIdentifier.primaryKeyId && - this.getPublicKey(subkeyIdentifier.subkeyId) != null + this.publicKey.keyIdentifier.matches(subkeyIdentifier.certificateIdentifier) && + this.getPublicKey(subkeyIdentifier.componentKeyIdentifier) != null + +/** + * Return true, if the [PGPKeyRing] contains a public key with the given [keyIdentifier]. + * + * @param keyIdentifier KeyIdentifier + * @return true if key with the given key-ID is present, false otherwise + */ +fun PGPKeyRing.hasPublicKey(keyIdentifier: KeyIdentifier): Boolean = + this.getPublicKey(keyIdentifier) != null /** * Return true, if the [PGPKeyRing] contains a public key with the given key-ID. @@ -26,7 +35,8 @@ fun PGPKeyRing.matches(subkeyIdentifier: SubkeyIdentifier): Boolean = * @param keyId keyId * @return true if key with the given key-ID is present, false otherwise */ -fun PGPKeyRing.hasPublicKey(keyId: Long): Boolean = this.getPublicKey(keyId) != null +@Deprecated("Pass in a KeyIdentifier instead.") +fun PGPKeyRing.hasPublicKey(keyId: Long): Boolean = hasPublicKey(KeyIdentifier(keyId)) /** * Return true, if the [PGPKeyRing] contains a public key with the given fingerprint. @@ -35,7 +45,7 @@ fun PGPKeyRing.hasPublicKey(keyId: Long): Boolean = this.getPublicKey(keyId) != * @return true if key with the given fingerprint is present, false otherwise */ fun PGPKeyRing.hasPublicKey(fingerprint: OpenPgpFingerprint): Boolean = - this.getPublicKey(fingerprint) != null + hasPublicKey(fingerprint.keyIdentifier) /** * Return the [PGPPublicKey] with the given [OpenPgpFingerprint] or null, if no such key is present. @@ -44,17 +54,17 @@ fun PGPKeyRing.hasPublicKey(fingerprint: OpenPgpFingerprint): Boolean = * @return public key */ fun PGPKeyRing.getPublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey? = - this.getPublicKey(fingerprint.bytes) + this.getPublicKey(fingerprint.keyIdentifier) -fun PGPKeyRing.requirePublicKey(keyId: Long): PGPPublicKey = - getPublicKey(keyId) - ?: throw NoSuchElementException( - "OpenPGP key does not contain key with id ${keyId.openPgpKeyId()}.") +fun PGPKeyRing.requirePublicKey(keyIdentifier: KeyIdentifier): PGPPublicKey = + getPublicKey(keyIdentifier) + ?: throw NoSuchElementException("OpenPGP key does not contain key with id $keyIdentifier.") + +@Deprecated("Pass in a KeyIdentifier instead.") +fun PGPKeyRing.requirePublicKey(keyId: Long): PGPPublicKey = requirePublicKey(KeyIdentifier(keyId)) fun PGPKeyRing.requirePublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey = - getPublicKey(fingerprint) - ?: throw NoSuchElementException( - "OpenPGP key does not contain key with fingerprint $fingerprint.") + requirePublicKey(fingerprint.keyIdentifier) /** * Return the [PGPPublicKey] that matches the [OpenPgpFingerprint] of the given [PGPSignature]. If @@ -62,11 +72,12 @@ fun PGPKeyRing.requirePublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey = * subpacket to identify the [PGPPublicKey] via its key-ID. */ fun PGPKeyRing.getPublicKeyFor(signature: PGPSignature): PGPPublicKey? = - signature.fingerprint?.let { this.getPublicKey(it) } ?: this.getPublicKey(signature.keyID) + signature.fingerprint?.let { this.getPublicKey(it.keyIdentifier) } + ?: this.getPublicKey(signature.keyID) /** Return the [PGPPublicKey] that matches the key-ID of the given [PGPOnePassSignature] packet. */ fun PGPKeyRing.getPublicKeyFor(onePassSignature: PGPOnePassSignature): PGPPublicKey? = - this.getPublicKey(onePassSignature.keyID) + this.getPublicKey(onePassSignature.keyIdentifier) /** Return the [OpenPgpFingerprint] of this OpenPGP key. */ val PGPKeyRing.openPgpFingerprint: OpenPgpFingerprint From dc1da5ff495a2b0d083d87c7ecee59145c23028d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 19:17:08 +0100 Subject: [PATCH 112/265] Fix test name --- ...ionKeyTest.java => PGPainlessDecryptWithSessionKeyTest.java} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/{PGPainlessDecryptWIthSessionKeyTest.java => PGPainlessDecryptWithSessionKeyTest.java} (78%) diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWithSessionKeyTest.java similarity index 78% rename from pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java rename to pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWithSessionKeyTest.java index 2825db5f..a046be68 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWithSessionKeyTest.java @@ -6,6 +6,6 @@ package sop.testsuite.pgpainless.operation; import sop.testsuite.operation.DecryptWithSessionKeyTest; -public class PGPainlessDecryptWIthSessionKeyTest extends DecryptWithSessionKeyTest { +public class PGPainlessDecryptWithSessionKeyTest extends DecryptWithSessionKeyTest { } From 264eb1c8a6ed0a3e07cd0cea3c5faceb884fd89c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 19:25:29 +0100 Subject: [PATCH 113/265] Delete SignaturePicker class --- .../signature/consumer/SignaturePicker.kt | 383 ------------------ .../SignatureSubpacketsUtilTest.java | 24 -- 2 files changed, 407 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignaturePicker.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignaturePicker.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignaturePicker.kt deleted file mode 100644 index 5952003e..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignaturePicker.kt +++ /dev/null @@ -1,383 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import java.util.Date -import org.bouncycastle.openpgp.PGPKeyRing -import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPSignature -import org.pgpainless.algorithm.SignatureType -import org.pgpainless.bouncycastle.extensions.getPublicKeyFor -import org.pgpainless.bouncycastle.extensions.isExpired -import org.pgpainless.bouncycastle.extensions.wasIssuedBy -import org.pgpainless.exception.SignatureValidationException -import org.pgpainless.policy.Policy - -/** - * Pick signatures from keys. - * - * The format of a V4 OpenPGP key is: - * - * Primary-Key [Revocation Self Signature] [Direct Key Signature...] User ID [Signature ...] [User - * ID [Signature ...] ...] [User Attribute [Signature ...] ...] [[Subkey - * [Binding-Signature-Revocation] Primary-Key-Binding-Signature] ...] - */ -class SignaturePicker { - - companion object { - - /** - * Pick the at validation date most recent valid key revocation signature. If there are hard - * revocation signatures, the latest hard revocation sig is picked, even if it was created - * after validationDate or if it is already expired. - * - * @param keyRing key ring - * @param policy policy - * @param referenceTime date of signature validation - * @return most recent, valid key revocation signature - */ - @JvmStatic - fun pickCurrentRevocationSelfSignature( - keyRing: PGPKeyRing, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - return getSortedSignaturesOfType(primaryKey, SignatureType.KEY_REVOCATION).lastOrNull { - return@lastOrNull try { - SignatureVerifier.verifyKeyRevocationSignature( - it, primaryKey, policy, referenceTime) - true // valid - } catch (e: SignatureValidationException) { - false // not valid - } - } - } - - /** - * Pick the at validationDate most recent, valid direct key signature. This method might - * return null, if there is no direct key self-signature which is valid at validationDate. - * - * @param keyRing key ring - * @param policy policy - * @param referenceTime validation date - * @return direct-key self-signature - */ - @JvmStatic - fun pickCurrentDirectKeySelfSignature( - keyRing: PGPKeyRing, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - return pickCurrentDirectKeySignature(primaryKey, primaryKey, policy, referenceTime) - } - - @JvmStatic - fun pickCurrentDirectKeySignature( - signingKey: PGPPublicKey, - signedKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - return getSortedSignaturesOfType(signedKey, SignatureType.DIRECT_KEY).lastOrNull { - return@lastOrNull try { - SignatureVerifier.verifyDirectKeySignature( - it, signingKey, signedKey, policy, referenceTime) - true - } catch (e: SignatureValidationException) { - false - } - } - } - - /** - * Pick the at validationDate latest direct key signature. This method might return an - * expired signature. If there are more than one direct-key signature, and some of those are - * not expired, the latest non-expired yet already effective direct-key signature will be - * returned. - * - * @param keyRing key ring - * @param policy policy - * @param referenceTime validation date - * @return latest direct key signature - */ - @JvmStatic - fun pickLatestDirectKeySignature( - keyRing: PGPKeyRing, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - return pickLatestDirectKeySignature( - keyRing.publicKey, keyRing.publicKey, policy, referenceTime) - } - - /** - * Pick the at validationDate latest direct key signature made by signingKey on signedKey. - * This method might return an expired signature. If a non-expired direct-key signature - * exists, the latest non-expired yet already effective direct-key signature will be - * returned. - * - * @param signingKey signing key (key that made the sig) - * @param signedKey signed key (key that carries the sig) - * @param policy policy - * @param referenceTime date of validation - * @return latest direct key sig - */ - @JvmStatic - fun pickLatestDirectKeySignature( - signingKey: PGPPublicKey, - signedKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - var latest: PGPSignature? = null - return getSortedSignaturesOfType(signedKey, SignatureType.DIRECT_KEY).lastOrNull { - try { - SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(it) - SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(it) - SignatureValidator.signatureIsAlreadyEffective(referenceTime).verify(it) - if (latest != null && !latest!!.isExpired(referenceTime)) { - SignatureValidator.signatureIsNotYetExpired(referenceTime).verify(it) - } - SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(it) - latest = it - true - } catch (e: SignatureValidationException) { - false - } - } - } - - /** - * Pick the at validationDate most recent, valid user-id revocation signature. If there are - * hard revocation signatures, the latest hard revocation sig is picked, even if it was - * created after validationDate or if it is already expired. - * - * @param keyRing key ring - * @param userId user-Id that gets revoked - * @param policy policy - * @param referenceTime validation date - * @return revocation signature - */ - @JvmStatic - fun pickCurrentUserIdRevocationSignature( - keyRing: PGPKeyRing, - userId: CharSequence, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - return getSortedSignaturesOfType(primaryKey, SignatureType.CERTIFICATION_REVOCATION) - .lastOrNull { - keyRing.getPublicKeyFor(it) - ?: return@lastOrNull false // signature made by external key. skip. - return@lastOrNull try { - SignatureVerifier.verifyUserIdRevocation( - userId.toString(), it, primaryKey, policy, referenceTime) - true - } catch (e: SignatureValidationException) { - false // signature not valid - } - } - } - - /** - * Pick the at validationDate latest, valid certification self-signature for the given - * user-id. This method might return null, if there is no certification self signature for - * that user-id which is valid at validationDate. - * - * @param keyRing keyring - * @param userId userid - * @param policy policy - * @param referenceTime validation date - * @return user-id certification - */ - @JvmStatic - fun pickCurrentUserIdCertificationSignature( - keyRing: PGPKeyRing, - userId: CharSequence, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - return primaryKey - .getSignaturesForID(userId.toString()) - .asSequence() - .sortedWith(SignatureCreationDateComparator()) - .lastOrNull { - return@lastOrNull it.wasIssuedBy(primaryKey) && - try { - SignatureVerifier.verifyUserIdCertification( - userId.toString(), it, primaryKey, policy, referenceTime) - true - } catch (e: SignatureValidationException) { - false - } - } - } - - /** - * Pick the at validationDate latest certification self-signature for the given user-id. - * This method might return an expired signature. If a non-expired user-id certification - * signature exists, the latest non-expired yet already effective user-id certification - * signature for the given user-id will be returned. - * - * @param keyRing keyring - * @param userId userid - * @param policy policy - * @param referenceTime validation date - * @return user-id certification - */ - @JvmStatic - fun pickLatestUserIdCertificationSignature( - keyRing: PGPKeyRing, - userId: CharSequence, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - return primaryKey - .getSignaturesForID(userId.toString()) - .asSequence() - .sortedWith(SignatureCreationDateComparator()) - .lastOrNull { - return@lastOrNull try { - SignatureValidator.wasPossiblyMadeByKey(primaryKey).verify(it) - SignatureValidator.signatureIsCertification().verify(it) - SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy) - .verify(it) - SignatureValidator.signatureIsAlreadyEffective(referenceTime).verify(it) - SignatureValidator.correctSignatureOverUserId( - userId.toString(), primaryKey, primaryKey) - .verify(it) - true - } catch (e: SignatureValidationException) { - false - } - } - } - - /** - * Pick the at validationDate most recent, valid subkey revocation signature. If there are - * hard revocation signatures, the latest hard revocation sig is picked, even if it was - * created after validationDate or if it is already expired. - * - * @param keyRing keyring - * @param subkey subkey - * @param policy policy - * @param referenceTime validation date - * @return subkey revocation signature - */ - @JvmStatic - fun pickCurrentSubkeyBindingRevocationSignature( - keyRing: PGPKeyRing, - subkey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - require(primaryKey.keyID != subkey.keyID) { - "Primary key cannot have subkey binding revocations." - } - return getSortedSignaturesOfType(subkey, SignatureType.SUBKEY_REVOCATION).lastOrNull { - return@lastOrNull try { - SignatureVerifier.verifySubkeyBindingRevocation( - it, primaryKey, subkey, policy, referenceTime) - true - } catch (e: SignatureValidationException) { - false - } - } - } - - /** - * Pick the at validationDate latest, valid subkey binding signature for the given subkey. - * This method might return null, if there is no subkey binding signature which is valid at - * validationDate. - * - * @param keyRing key ring - * @param subkey subkey - * @param policy policy - * @param referenceTime date of validation - * @return most recent valid subkey binding signature - */ - @JvmStatic - fun pickCurrentSubkeyBindingSignature( - keyRing: PGPKeyRing, - subkey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - require(primaryKey.keyID != subkey.keyID) { - "Primary key cannot have subkey binding signatures." - } - return getSortedSignaturesOfType(subkey, SignatureType.SUBKEY_BINDING).lastOrNull { - return@lastOrNull try { - SignatureVerifier.verifySubkeyBindingSignature( - it, primaryKey, subkey, policy, referenceTime) - true - } catch (e: SignatureValidationException) { - false - } - } - } - - /** - * Pick the at validationDate latest subkey binding signature for the given subkey. This - * method might return an expired signature. If a non-expired subkey binding signature - * exists, the latest non-expired yet already effective subkey binding signature for the - * given subkey will be returned. - * - * @param keyRing key ring - * @param subkey subkey - * @param policy policy - * @param referenceTime validationDate - * @return subkey binding signature - */ - @JvmStatic - fun pickLatestSubkeyBindingSignature( - keyRing: PGPKeyRing, - subkey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): PGPSignature? { - val primaryKey = keyRing.publicKey - require(primaryKey.keyID != subkey.keyID) { - "Primary key cannot have subkey binding signatures." - } - var latest: PGPSignature? = null - return getSortedSignaturesOfType(subkey, SignatureType.SUBKEY_BINDING).lastOrNull { - return@lastOrNull try { - SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(it) - SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(it) - SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(it) - SignatureValidator.signatureIsAlreadyEffective(referenceTime).verify(it) - // if the currently latest signature is not yet expired, check if the next - // candidate is not yet expired - if (latest != null && !latest!!.isExpired(referenceTime)) { - SignatureValidator.signatureIsNotYetExpired(referenceTime).verify(it) - } - SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(it) - latest = it - true - } catch (e: SignatureValidationException) { - false - } - } - } - - @JvmStatic - private fun getSortedSignaturesOfType( - key: PGPPublicKey, - type: SignatureType - ): List = - key.getSignaturesOfType(type.code) - .asSequence() - .sortedWith(SignatureCreationDateComparator()) - .toList() - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index a377ed82..475aa8c6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -9,13 +9,10 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; -import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; -import java.time.temporal.ChronoUnit; import java.util.Arrays; -import java.util.Date; import java.util.Iterator; import java.util.LinkedHashSet; import java.util.List; @@ -32,11 +29,9 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; -import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; -import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; @@ -44,29 +39,10 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.signature.consumer.SignaturePicker; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; public class SignatureSubpacketsUtilTest { - @Test - public void testGetKeyExpirationTimeAsDate() { - PGPainless api = PGPainless.getInstance(); - OpenPGPKey secretKeys = api.generateKey() - .modernKeyRing("Expire"); - Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS)); - secretKeys = api.modify(secretKeys) - .setExpirationDate(expiration, SecretKeyRingProtector.unprotectedKeys()) - .done(); - - PGPSignature expirationSig = SignaturePicker.pickCurrentUserIdCertificationSignature( - secretKeys.getPGPSecretKeyRing(), "Expire", api.getAlgorithmPolicy(), new Date()); - OpenPGPCertificate.OpenPGPComponentKey notTheRightKey = api.inspect(secretKeys).getSigningSubkeys().get(0); - - assertThrows(IllegalArgumentException.class, () -> - SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(expirationSig, notTheRightKey.getPGPPublicKey())); - } - @Test public void testGetRevocable() throws PGPException, IOException { OpenPGPKey secretKeys = TestKeys.getEmilKey(); From aabc8aa3a1117bf3f678cee438fef8fe3b0fe223 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 19:33:29 +0100 Subject: [PATCH 114/265] Change argument type for toCertificate() method to more general PGPKeyRing --- pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index e2918389..12e85ff7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -80,8 +80,8 @@ class PGPainless( fun toKey(secretKeyRing: PGPSecretKeyRing): OpenPGPKey = OpenPGPKey(secretKeyRing, implementation) - fun toCertificate(publicKeyRing: PGPPublicKeyRing): OpenPGPCertificate = - OpenPGPCertificate(publicKeyRing, implementation) + fun toCertificate(keyOrCertificate: PGPKeyRing): OpenPGPCertificate = + OpenPGPCertificate(keyOrCertificate, implementation) fun mergeCertificate( originalCopy: OpenPGPCertificate, From 6f3808466f29a541b812c7fd2d90d61c239306aa Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 19:33:46 +0100 Subject: [PATCH 115/265] Port SelectUserId.validUserIds() --- .../org/pgpainless/util/selection/userid/SelectUserId.kt | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt index 6613abde..00bc3984 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt @@ -83,11 +83,7 @@ abstract class SelectUserId : Predicate, (String) -> Boolean { @JvmStatic fun validUserId(keyRing: PGPKeyRing) = - object : SelectUserId() { - private val info = PGPainless.inspectKeyRing(keyRing) - - override fun invoke(userId: String): Boolean = info.isUserIdValid(userId) - } + validUserId(PGPainless.getInstance().toCertificate(keyRing)) @JvmStatic fun and(vararg filters: SelectUserId) = From 1afcbacb043e64da405cc0cdad932485fcca475a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 20:02:55 +0100 Subject: [PATCH 116/265] Determine, whether to use AEAD by cosulting KeyRingProtectionSettings --- pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 12e85ff7..3344a004 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -57,7 +57,10 @@ class PGPainless( creationTime: Date = Date() ): OpenPGPKeyGenerator = OpenPGPKeyGenerator( - implementation, version.numeric, version == OpenPGPKeyVersion.v6, creationTime) + implementation, + version.numeric, + algorithmPolicy.keyProtectionSettings.aead, + creationTime) .setAlgorithmSuite(algorithmPolicy.keyGenerationAlgorithmSuite) /** From f2bd36502f5cda8ea2821068593ea99a4775ad15 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 20:17:50 +0100 Subject: [PATCH 117/265] Policy is no longer a Singleton --- .../main/kotlin/org/pgpainless/PGPainless.kt | 5 +++- .../pgpainless/bouncycastle/PolicyAdapter.kt | 2 +- .../key/certification/CertifyCertificate.kt | 27 ++++++++++--------- .../kotlin/org/pgpainless/policy/Policy.kt | 9 ------- .../pgpainless/policy/PolicySetterTest.java | 14 +++++----- 5 files changed, 26 insertions(+), 31 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 3344a004..e15c285a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -17,6 +17,7 @@ import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKeyGenerator import org.bouncycastle.openpgp.api.OpenPGPKeyReader import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi +import org.bouncycastle.openpgp.api.bc.BcOpenPGPImplementation import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter import org.pgpainless.bouncycastle.extensions.setAlgorithmSuite @@ -34,7 +35,7 @@ import org.pgpainless.util.ArmorUtils class PGPainless( val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(), - var algorithmPolicy: Policy = Policy.getInstance() + var algorithmPolicy: Policy = Policy() ) { private var api: OpenPGPApi @@ -107,6 +108,8 @@ class PGPainless( @Volatile private var instance: PGPainless? = null + @JvmStatic fun newInstance(): PGPainless = PGPainless(BcOpenPGPImplementation(), Policy()) + @JvmStatic fun getInstance(): PGPainless = instance ?: synchronized(this) { instance ?: PGPainless().also { instance = it } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt index bb8e9f0f..7a6f4bcb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt @@ -10,7 +10,7 @@ import org.bouncycastle.openpgp.api.OpenPGPPolicy.OpenPGPNotationRegistry import org.pgpainless.policy.Policy /** Adapter class that adapts a PGPainless [Policy] object to Bouncy Castles [OpenPGPPolicy]. */ -class PolicyAdapter(val policy: Policy = Policy.getInstance()) : OpenPGPPolicy { +class PolicyAdapter(val policy: Policy) : OpenPGPPolicy { /** * Determine, whether the hash algorithm of a document signature is acceptable. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index f30b7539..dffde49c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -139,7 +139,7 @@ class CertifyCertificate(private val api: PGPainless) { ThirdPartyCertificationSignatureBuilder( certificationType.asSignatureType(), secretKey, protector, api) - return CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder) + return CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder, api) } /** @@ -154,14 +154,14 @@ class CertifyCertificate(private val api: PGPainless) { fun withKey( certificationKey: PGPSecretKeyRing, protector: SecretKeyRingProtector - ): CertificationOnUserIdWithSubpackets = - withKey(PGPainless.getInstance().toKey(certificationKey), protector) + ): CertificationOnUserIdWithSubpackets = withKey(api.toKey(certificationKey), protector) } class CertificationOnUserIdWithSubpackets( val certificate: OpenPGPCertificate, val userId: CharSequence, - val sigBuilder: ThirdPartyCertificationSignatureBuilder + val sigBuilder: ThirdPartyCertificationSignatureBuilder, + private val api: PGPainless ) { @Deprecated("Pass in an OpenPGPCertificate instead of a PGPPublicKeyRing.") @@ -170,7 +170,7 @@ class CertifyCertificate(private val api: PGPainless) { userId: String, sigBuilder: ThirdPartyCertificationSignatureBuilder, api: PGPainless - ) : this(api.toCertificate(certificate), userId, sigBuilder) + ) : this(api.toCertificate(certificate), userId, sigBuilder, api) /** * Apply the given signature subpackets and build the certification. @@ -195,7 +195,7 @@ class CertifyCertificate(private val api: PGPainless) { fun build(): CertificationResult { val signature = sigBuilder.build(certificate, userId) val certifiedCertificate = - OpenPGPCertificate( + api.toCertificate( KeyRingUtils.injectCertification( certificate.pgpPublicKeyRing, userId, signature.signature)) @@ -226,7 +226,7 @@ class CertifyCertificate(private val api: PGPainless) { sigBuilder.hashedSubpackets.setTrust( true, trustworthiness.depth, trustworthiness.amount) } - return DelegationOnCertificateWithSubpackets(certificate, sigBuilder) + return DelegationOnCertificateWithSubpackets(certificate, sigBuilder, api) } /** @@ -241,20 +241,21 @@ class CertifyCertificate(private val api: PGPainless) { fun withKey( certificationKey: PGPSecretKeyRing, protector: SecretKeyRingProtector - ): DelegationOnCertificateWithSubpackets = - withKey(PGPainless.getInstance().toKey(certificationKey), protector) + ): DelegationOnCertificateWithSubpackets = withKey(api.toKey(certificationKey), protector) } class DelegationOnCertificateWithSubpackets( val certificate: OpenPGPCertificate, - val sigBuilder: ThirdPartyDirectKeySignatureBuilder + val sigBuilder: ThirdPartyDirectKeySignatureBuilder, + private val api: PGPainless ) { @Deprecated("Pass in an OpenPGPCertificate instead of a PGPPublicKeyRing.") constructor( certificate: PGPPublicKeyRing, - sigBuilder: ThirdPartyDirectKeySignatureBuilder - ) : this(PGPainless.getInstance().toCertificate(certificate), sigBuilder) + sigBuilder: ThirdPartyDirectKeySignatureBuilder, + api: PGPainless + ) : this(api.toCertificate(certificate), sigBuilder, api) /** * Apply the given signature subpackets and build the delegation signature. @@ -280,7 +281,7 @@ class CertifyCertificate(private val api: PGPainless) { val delegatedKey = certificate.primaryKey val delegation = sigBuilder.build(delegatedKey) val delegatedCertificate = - OpenPGPCertificate( + api.toCertificate( KeyRingUtils.injectCertification( certificate.pgpPublicKeyRing, delegatedKey.pgpPublicKey, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index a82875ec..a2339bec 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -411,15 +411,6 @@ class Policy( DISABLED } - companion object { - - @Volatile private var INSTANCE: Policy? = null - - @JvmStatic - fun getInstance() = - INSTANCE ?: synchronized(this) { INSTANCE ?: Policy().also { INSTANCE = it } } - } - class Builder(private val origin: Policy) { private var certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy = origin.certificationSignatureHashAlgorithmPolicy diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java index bd044b3b..42d7e7b5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java @@ -17,43 +17,43 @@ public class PolicySetterTest { @Test public void testSetCertificationSignatureHashAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withCertificationSignatureHashAlgorithmPolicy(null)); } @Test public void testSetDataSignatureHashAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withDataSignatureHashAlgorithmPolicy(null)); } @Test public void testSetRevocationSignatureHashAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withRevocationSignatureHashAlgorithmPolicy(null)); } @Test public void testSetSymmetricKeyEncryptionAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withSymmetricKeyEncryptionAlgorithmPolicy(null)); } @Test public void testSetSymmetricKeyDecryptionAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withSymmetricKeyDecryptionAlgorithmPolicy(null)); } @Test public void testSetCompressionAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withCompressionAlgorithmPolicy(null)); } @Test public void testSetPublicKeyAlgorithmPolicy_NullFails() { - Policy policy = Policy.getInstance(); + Policy policy = new Policy(); assertThrows(NullPointerException.class, () -> policy.copy().withPublicKeyAlgorithmPolicy(null)); } From 772ffe5f5a94979acdb041fe0cc4baf6bcc51b70 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 20:21:06 +0100 Subject: [PATCH 118/265] KeySpecBuilder: Do not use PGPainless.getPolicy() method --- .../main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt index b934698e..b2d9714b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt @@ -19,7 +19,7 @@ constructor( ) : KeySpecBuilderInterface { private val hashedSubpackets: SelfSignatureSubpackets = SignatureSubpackets() - private val algorithmSuite: AlgorithmSuite = PGPainless.getPolicy().keyGenerationAlgorithmSuite + private val algorithmSuite: AlgorithmSuite = PGPainless.getInstance().algorithmPolicy.keyGenerationAlgorithmSuite private var preferredCompressionAlgorithms: Set? = algorithmSuite.compressionAlgorithms private var preferredHashAlgorithms: Set? = algorithmSuite.hashAlgorithms From 14a16575a450607838b4f89be3f53ea3dbf755cf Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 20:51:24 +0100 Subject: [PATCH 119/265] Avoid usage of PGPainless.getPolicy() --- .../kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt | 3 ++- .../org/pgpainless/signature/consumer/CertificateValidator.kt | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt index b2d9714b..2ed50ffa 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt @@ -19,7 +19,8 @@ constructor( ) : KeySpecBuilderInterface { private val hashedSubpackets: SelfSignatureSubpackets = SignatureSubpackets() - private val algorithmSuite: AlgorithmSuite = PGPainless.getInstance().algorithmPolicy.keyGenerationAlgorithmSuite + private val algorithmSuite: AlgorithmSuite = + PGPainless.getInstance().algorithmPolicy.keyGenerationAlgorithmSuite private var preferredCompressionAlgorithms: Set? = algorithmSuite.compressionAlgorithms private var preferredHashAlgorithms: Set? = algorithmSuite.hashAlgorithms diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt index e58a677f..5d5f60b8 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt @@ -51,7 +51,7 @@ class CertificateValidator { fun validateCertificate( signature: PGPSignature, signingKeyRing: PGPPublicKeyRing, - policy: Policy = PGPainless.getPolicy() + policy: Policy = PGPainless.getInstance().algorithmPolicy ): Boolean { val signingSubkey: PGPPublicKey = signingKeyRing.getPublicKey(signature.issuerKeyId) From c87941a41da2c1dae2fac34d6337b340d412dc20 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 20 Mar 2025 20:51:36 +0100 Subject: [PATCH 120/265] Rework ModifiedPublicKeysInvestigation --- .../ModifiedPublicKeysInvestigation.java | 77 +++++++++++-------- 1 file changed, 45 insertions(+), 32 deletions(-) diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java index 2a965cb7..5ee78246 100644 --- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -9,16 +9,16 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.IOException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.exception.KeyIntegrityException; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.key.util.KeyIdUtil; +import org.pgpainless.policy.Policy; import org.pgpainless.util.Passphrase; public class ModifiedPublicKeysInvestigation { @@ -75,6 +75,8 @@ public class ModifiedPublicKeysInvestigation { "RuvLdJPtAP9VND4sdnrXUXoUn6OgUmKoV0KKcTUPEnMqQ8QgfVDEJA==\n" + "=p9kX\n" + "-----END PGP PRIVATE KEY BLOCK-----"; + private static final KeyIdentifier dsaKID1 = new KeyIdentifier("0FE102C159C818EF2D7D9F7EB1BD1F049EC87F3D"); + private static final KeyIdentifier dsaKID2 = new KeyIdentifier("AB30CFBA5A2ED4848B096123F5FFDF6D71DD5789"); private static final String ELGAMAL = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Version: OpenPGP.js VERSION\n" + @@ -127,6 +129,8 @@ public class ModifiedPublicKeysInvestigation { "TsMBqN9H5d+2XQ==\n" + "=lI+G\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; + private static final KeyIdentifier elgamalKID1 = new KeyIdentifier("9B0F5D6800DEA53499F455C75F04ACF44FD822B1"); + private static final KeyIdentifier elgamalKID2 = new KeyIdentifier("AB30CFBA5A2ED4848B096123F5FFDF6D71DD5789"); // created with exploit code by cure53.de private static final String INJECTED_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + @@ -207,56 +211,65 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertModifiedDSAKeyThrowsKeyIntegrityException() throws IOException { - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); - PGPSecretKeyRing dsa = PGPainless.readKeyRing().secretKeyRing(DSA); + System.out.println(DSA); + PGPainless api = PGPainless.newInstance(); + Policy policy = api.getAlgorithmPolicy(); + policy.setEnableKeyParameterValidation(true); + + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); + OpenPGPKey dsa = api.readKey().parseKey(DSA); - PGPainless.getPolicy().setEnableKeyParameterValidation(true); assertThrows(KeyIntegrityException.class, () -> - UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(KeyIdUtil.fromLongKeyId("b1bd1f049ec87f3d")), protector)); + UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(dsaKID1), protector, policy)); assertThrows(KeyIntegrityException.class, () -> - UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(KeyIdUtil.fromLongKeyId("f5ffdf6d71dd5789")), protector)); - PGPainless.getPolicy().setEnableKeyParameterValidation(false); + UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(dsaKID2), protector, policy)); } @Test public void assertModifiedElGamalKeyThrowsKeyIntegrityException() throws IOException { - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); - PGPSecretKeyRing elgamal = PGPainless.readKeyRing().secretKeyRing(ELGAMAL); + PGPainless api = PGPainless.newInstance(); + Policy policy = api.getAlgorithmPolicy(); + policy.setEnableKeyParameterValidation(true); + + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); + OpenPGPKey elgamal = api.readKey().parseKey(ELGAMAL); - PGPainless.getPolicy().setEnableKeyParameterValidation(true); assertThrows(KeyIntegrityException.class, () -> - UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(KeyIdUtil.fromLongKeyId("f5ffdf6d71dd5789")), protector)); - PGPainless.getPolicy().setEnableKeyParameterValidation(false); + UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(elgamalKID2), protector, policy)); } @Test public void assertInjectedKeyRingFailsToUnlockPrimaryKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(INJECTED_KEY); + PGPainless api = PGPainless.newInstance(); + Policy policy = api.getAlgorithmPolicy(); + policy.setEnableKeyParameterValidation(true); + + OpenPGPKey secretKeys = api.readKey().parseKey(INJECTED_KEY); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("pass")); - PGPainless.getPolicy().setEnableKeyParameterValidation(true); assertThrows(KeyIntegrityException.class, () -> - UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), protector)); - PGPainless.getPolicy().setEnableKeyParameterValidation(false); + UnlockSecretKey.unlockSecretKey(secretKeys.getPrimarySecretKey(), protector, policy)); } @Test public void assertCannotUnlockElGamalPrimaryKeyDueToDummyS2K() throws IOException { + PGPainless api = PGPainless.newInstance(); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); - PGPSecretKeyRing elgamal = PGPainless.readKeyRing().secretKeyRing(ELGAMAL); + OpenPGPKey elgamal = api.readKey().parseKey(ELGAMAL); assertThrows(PGPException.class, () -> - UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(KeyIdUtil.fromLongKeyId("5f04acf44fd822b1")), protector)); + UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(elgamalKID1), protector)); } @Test public void assertUnmodifiedRSAKeyDoesNotThrow() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleRsaKeyRing("Unmodified", RsaLength._4096, "987654321") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .simpleRsaKeyRing("Unmodified", RsaLength._4096, "987654321"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); - for (PGPSecretKey secretKey : secretKeys) { + for (OpenPGPKey.OpenPGPSecretKey secretKey : secretKeys.getSecretKeys().values()) { assertDoesNotThrow(() -> UnlockSecretKey.unlockSecretKey(secretKey, protector)); } @@ -264,12 +277,12 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertUnmodifiedECKeyDoesNotThrow() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("Unmodified", "987654321") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .simpleEcKeyRing("Unmodified", "987654321"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); - for (PGPSecretKey secretKey : secretKeys) { + for (OpenPGPKey.OpenPGPSecretKey secretKey : secretKeys.getSecretKeys().values()) { assertDoesNotThrow(() -> UnlockSecretKey.unlockSecretKey(secretKey, protector)); } @@ -277,12 +290,12 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertUnmodifiedModernKeyDoesNotThrow() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Unmodified", "987654321") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Unmodified", "987654321"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); - for (PGPSecretKey secretKey : secretKeys) { + for (OpenPGPKey.OpenPGPSecretKey secretKey : secretKeys.getSecretKeys().values()) { assertDoesNotThrow(() -> UnlockSecretKey.unlockSecretKey(secretKey, protector)); } From b97ff5bc4ed7eff531f72eb63774385f5d0ee52f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 21 Mar 2025 13:44:24 +0100 Subject: [PATCH 121/265] Port signature validation to BC --- .../OpenPgpMessageInputStream.kt | 65 ++-- .../consumer/CertificateValidator.kt | 318 ------------------ .../signature/consumer/SignatureCheck.kt | 25 -- .../ModifiedPublicKeysInvestigation.java | 1 - .../CleartextSignatureVerificationTest.java | 16 - .../BindingSignatureSubpacketsTest.java | 124 +++---- .../signature/CertificateValidatorTest.java | 93 +++-- .../signature/KeyRevocationTest.java | 39 ++- 8 files changed, 191 insertions(+), 490 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCheck.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 1241b110..af5ffe97 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -13,6 +13,7 @@ import java.util.zip.InflaterInputStream import openpgp.openPgpKeyId import org.bouncycastle.bcpg.BCPGInputStream import org.bouncycastle.bcpg.CompressionAlgorithmTags +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.UnsupportedPacketVersionException import org.bouncycastle.openpgp.PGPCompressedData import org.bouncycastle.openpgp.PGPEncryptedData @@ -30,6 +31,7 @@ import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature +import org.bouncycastle.openpgp.api.exception.MalformedOpenPGPSignatureException import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory import org.bouncycastle.util.io.TeeInputStream @@ -60,8 +62,6 @@ import org.pgpainless.exception.UnacceptableAlgorithmException import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.protection.UnlockSecretKey.Companion.unlockSecretKey -import org.pgpainless.policy.Policy -import org.pgpainless.signature.consumer.CertificateValidator import org.pgpainless.signature.consumer.OnePassSignatureCheck import org.pgpainless.signature.consumer.SignatureValidator import org.pgpainless.util.ArmoredInputStreamFactory @@ -312,8 +312,7 @@ class OpenPgpMessageInputStream( signatures .leaveNesting() // TODO: Only leave nesting if all OPSs of the nesting layer are // dealt with - signatures.addCorrespondingOnePassSignature( - signature, layerMetadata, api.algorithmPolicy) + signatures.addCorrespondingOnePassSignature(signature, layerMetadata) } else { LOGGER.debug( "Prepended Signature Packet by key ${keyId.openPgpKeyId()} at depth ${layerMetadata.depth} encountered.") @@ -618,7 +617,7 @@ class OpenPgpMessageInputStream( throw RuntimeException(e) } } - signatures.finish(layerMetadata, api.algorithmPolicy) + signatures.finish(layerMetadata) } return r } @@ -645,7 +644,7 @@ class OpenPgpMessageInputStream( throw RuntimeException(e) } } - signatures.finish(layerMetadata, api.algorithmPolicy) + signatures.finish(layerMetadata) } return r } @@ -832,15 +831,11 @@ class OpenPgpMessageInputStream( } } - fun addCorrespondingOnePassSignature( - signature: PGPSignature, - layer: Layer, - policy: Policy - ) { + fun addCorrespondingOnePassSignature(signature: PGPSignature, layer: Layer) { var found = false - val keyId = signature.issuerKeyId for ((i, check) in onePassSignatures.withIndex().reversed()) { - if (check.onePassSignature.keyID != keyId) { + if (!KeyIdentifier.matches( + signature.keyIdentifiers, check.onePassSignature.keyIdentifier, true)) { continue } found = true @@ -848,8 +843,11 @@ class OpenPgpMessageInputStream( if (check.signature != null) { continue } - check.signature = signature + + val documentSignature = + OpenPGPDocumentSignature( + signature, check.verificationKeys.getSigningKeyFor(signature)) val verification = SignatureVerification( signature, @@ -861,11 +859,15 @@ class OpenPgpMessageInputStream( SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) .verify(signature) - CertificateValidator.validateCertificateAndVerifyOnePassSignature(check, policy) - LOGGER.debug("Acceptable signature by key ${verification.signingKey}") - layer.addVerifiedOnePassSignature(verification) + if (documentSignature.verify(check.onePassSignature) && + documentSignature.isValid(api.implementation.policy())) { + layer.addVerifiedOnePassSignature(verification) + } else { + throw SignatureValidationException("Incorrect OnePassSignature.") + } + } catch (e: MalformedOpenPGPSignatureException) { + throw SignatureValidationException("Malformed OnePassSignature.", e) } catch (e: SignatureValidationException) { - LOGGER.debug("Rejected signature by key ${verification.signingKey}", e) layer.addRejectedOnePassSignature( SignatureVerification.Failure(verification, e)) } @@ -874,7 +876,7 @@ class OpenPgpMessageInputStream( if (!found) { LOGGER.debug( - "No suitable certificate for verification of signature by key ${keyId.openPgpKeyId()} found.") + "No suitable certificate for verification of signature by key ${signature.issuerKeyId.openPgpKeyId()} found.") inbandSignaturesWithMissingCert.add( SignatureVerification.Failure( signature, null, SignatureValidationException("Missing verification key."))) @@ -963,7 +965,7 @@ class OpenPgpMessageInputStream( } } - fun finish(layer: Layer, policy: Policy) { + fun finish(layer: Layer) { for (detached in detachedSignatures) { val verification = SignatureVerification(detached.signature, SubkeyIdentifier(detached.issuer)) @@ -971,12 +973,14 @@ class OpenPgpMessageInputStream( SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) .verify(detached.signature) - CertificateValidator.validateCertificateAndVerifyInitializedSignature( - detached.signature, detached.issuerCertificate.pgpPublicKeyRing, policy) - LOGGER.debug("Acceptable signature by key ${verification.signingKey}") - layer.addVerifiedDetachedSignature(verification) + if (detached.verify() && detached.isValid(api.implementation.policy())) { + layer.addVerifiedDetachedSignature(verification) + } else { + throw SignatureValidationException("Incorrect detached signature.") + } + } catch (e: MalformedOpenPGPSignatureException) { + throw SignatureValidationException("Malformed detached signature.", e) } catch (e: SignatureValidationException) { - LOGGER.debug("Rejected signature by key ${verification.signingKey}", e) layer.addRejectedDetachedSignature( SignatureVerification.Failure(verification, e)) } @@ -989,10 +993,13 @@ class OpenPgpMessageInputStream( SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) .verify(prepended.signature) - CertificateValidator.validateCertificateAndVerifyInitializedSignature( - prepended.signature, prepended.issuerCertificate.pgpPublicKeyRing, policy) - LOGGER.debug("Acceptable signature by key ${verification.signingKey}") - layer.addVerifiedPrependedSignature(verification) + if (prepended.verify() && prepended.isValid(api.implementation.policy())) { + layer.addVerifiedPrependedSignature(verification) + } else { + throw SignatureValidationException("Incorrect prepended signature.") + } + } catch (e: MalformedOpenPGPSignatureException) { + throw SignatureValidationException("Malformed prepended signature.", e) } catch (e: SignatureValidationException) { LOGGER.debug("Rejected signature by key ${verification.signingKey}", e) layer.addRejectedPrependedSignature( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt deleted file mode 100644 index 5d5f60b8..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/CertificateValidator.kt +++ /dev/null @@ -1,318 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import java.io.InputStream -import java.util.* -import openpgp.openPgpKeyId -import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPPublicKeyRing -import org.bouncycastle.openpgp.PGPSignature -import org.pgpainless.PGPainless -import org.pgpainless.algorithm.KeyFlag -import org.pgpainless.algorithm.SignatureType -import org.pgpainless.bouncycastle.extensions.getPublicKey -import org.pgpainless.bouncycastle.extensions.issuerKeyId -import org.pgpainless.exception.SignatureValidationException -import org.pgpainless.key.util.KeyRingUtils -import org.pgpainless.policy.Policy -import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil -import org.slf4j.LoggerFactory - -/** - * A collection of static methods that validate signing certificates (public keys) and verify - * signature correctness. - */ -class CertificateValidator { - - companion object { - - @JvmStatic private val LOGGER = LoggerFactory.getLogger(CertificateValidator::class.java) - - /** - * Check if the signing key was eligible to create the provided signature. - * - * That entails: - * - Check, if the primary key is being revoked via key-revocation signatures. - * - Check, if the keys user-ids are revoked or not bound. - * - Check, if the signing subkey is revoked or expired. - * - Check, if the signing key is not capable of signing - * - * @param signature signature - * @param signingKeyRing signing key ring - * @param policy validation policy - * @return true if the signing key was eligible to create the signature - * @throws SignatureValidationException in case of a validation constraint violation - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun validateCertificate( - signature: PGPSignature, - signingKeyRing: PGPPublicKeyRing, - policy: Policy = PGPainless.getInstance().algorithmPolicy - ): Boolean { - val signingSubkey: PGPPublicKey = - signingKeyRing.getPublicKey(signature.issuerKeyId) - ?: throw SignatureValidationException( - "Provided key ring does not contain a subkey with id ${signature.issuerKeyId.openPgpKeyId()}.") - val primaryKey = signingKeyRing.publicKey!! - val directKeyAndRevSigs = mutableListOf() - val rejections = mutableMapOf() - // revocations - primaryKey - .getSignaturesOfType(SignatureType.KEY_REVOCATION.code) - .asSequence() - .filter { - it.issuerKeyId == primaryKey.keyID - } // We do not support external rev keys - .forEach { - try { - if (SignatureVerifier.verifyKeyRevocationSignature( - it, primaryKey, policy, signature.creationTime)) { - directKeyAndRevSigs.add(it) - } - } catch (e: SignatureValidationException) { - rejections[it] = e - LOGGER.debug("Rejecting key revocation signature: ${e.message}", e) - } - } - - // direct-key sigs - primaryKey - .getSignaturesOfType(SignatureType.DIRECT_KEY.code) - .asSequence() - .filter { it.issuerKeyId == primaryKey.keyID } - .forEach { - try { - if (SignatureVerifier.verifyDirectKeySignature( - it, primaryKey, policy, signature.creationTime)) { - directKeyAndRevSigs.add(it) - } - } catch (e: SignatureValidationException) { - rejections[it] = e - LOGGER.debug("Rejecting key signature: ${e.message}, e") - } - } - - directKeyAndRevSigs.sortWith( - SignatureValidityComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD)) - if (directKeyAndRevSigs.isNotEmpty()) { - if (directKeyAndRevSigs[0].signatureType == SignatureType.KEY_REVOCATION.code) { - throw SignatureValidationException("Primary key has been revoked.") - } - } - - // UserID signatures - val userIdSignatures = mutableMapOf>() - KeyRingUtils.getUserIdsIgnoringInvalidUTF8(primaryKey).forEach { userId -> - buildList { - primaryKey - .getSignaturesForID(userId) - .asSequence() - .filter { it.issuerKeyId == primaryKey.keyID } - .forEach { uidSig -> - try { - if (SignatureVerifier.verifySignatureOverUserId( - userId, - uidSig, - primaryKey, - policy, - signature.creationTime)) { - add(uidSig) - } - } catch (e: SignatureValidationException) { - rejections[uidSig] = e - LOGGER.debug("Rejecting user-id signature: ${e.message}", e) - } - } - } - .sortedWith( - SignatureValidityComparator( - SignatureCreationDateComparator.Order.NEW_TO_OLD)) - .let { userIdSignatures[userId] = it } - } - - val hasAnyUserIds = userIdSignatures.isNotEmpty() - val isAnyUserIdValid = - userIdSignatures.any { entry -> - entry.value.isNotEmpty() && - entry.value[0].signatureType != SignatureType.CERTIFICATION_REVOCATION.code - } - - if (hasAnyUserIds && !isAnyUserIdValid) { - throw SignatureValidationException("No valid user-id found.", rejections) - } - - // Specific signer user-id - if (policy.signerUserIdValidationLevel == Policy.SignerUserIdValidationLevel.STRICT) { - SignatureSubpacketsUtil.getSignerUserID(signature)?.let { - if (userIdSignatures[it.id] == null || userIdSignatures[it.id]!!.isEmpty()) { - throw SignatureValidationException( - "Signature was allegedly made by user-id '${it.id}'," + - " but we have no valid signatures for that on the certificate.") - } - - if (userIdSignatures[it.id]!![0].signatureType == - SignatureType.CERTIFICATION_REVOCATION.code) { - throw SignatureValidationException( - "Signature was made with user-id '${it.id}' which is revoked.") - } - } - } - - if (signingSubkey.keyID == primaryKey.keyID) { // signing key is primary key - if (directKeyAndRevSigs.isNotEmpty()) { - val directKeySig = directKeyAndRevSigs[0] - val flags = SignatureSubpacketsUtil.getKeyFlags(directKeySig) - if (flags != null && KeyFlag.hasKeyFlag(flags.flags, KeyFlag.SIGN_DATA)) { - return true - } - } - // Reject sigs by non-signing keys - if (userIdSignatures.none { (_, sigs) -> - sigs.any { - SignatureSubpacketsUtil.getKeyFlags(it)?.let { f -> - KeyFlag.hasKeyFlag(f.flags, KeyFlag.SIGN_DATA) - } == true - } - }) { - throw SignatureValidationException( - "Signature was generated by non-signing key.") - } - } else { // signing key is subkey - val subkeySigs = mutableListOf() - signingSubkey - .getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.code) - .asSequence() - .filter { it.issuerKeyId == primaryKey.keyID } - .forEach { - try { - if (SignatureVerifier.verifySubkeyBindingRevocation( - it, primaryKey, signingSubkey, policy, signature.creationTime)) { - subkeySigs.add(it) - } - } catch (e: SignatureValidationException) { - rejections[it] = e - LOGGER.debug("Rejecting subkey revocation signature: ${e.message}", e) - } - } - - signingSubkey - .getSignaturesOfType(SignatureType.SUBKEY_BINDING.code) - .asSequence() - .forEach { - try { - if (SignatureVerifier.verifySubkeyBindingSignature( - it, primaryKey, signingSubkey, policy, signature.creationTime)) { - subkeySigs.add(it) - } - } catch (e: SignatureValidationException) { - rejections[it] = e - LOGGER.debug("Rejecting subkey binding signature: ${e.message}", e) - } - } - - subkeySigs.sortWith( - SignatureValidityComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD)) - if (subkeySigs.isEmpty()) { - throw SignatureValidationException("Subkey is not bound.", rejections) - } - - if (subkeySigs[0].signatureType == SignatureType.SUBKEY_REVOCATION.code) { - throw SignatureValidationException("Subkey is revoked.") - } - - val keyFlags = SignatureSubpacketsUtil.getKeyFlags(subkeySigs[0]) - if (keyFlags == null || !KeyFlag.hasKeyFlag(keyFlags.flags, KeyFlag.SIGN_DATA)) { - throw SignatureValidationException( - "Signature was made by key which is not capable of signing (no keyflag).") - } - } - return true - } - - /** - * Validate the given signing key and then verify the given signature while parsing out the - * signed data. Uninitialized means that no signed data has been read and the hash - * generators state has not yet been updated. - * - * @param signature uninitialized signature - * @param signedData input stream containing signed data - * @param signingKeyRing key ring containing signing key - * @param policy validation policy - * @param validationDate date of validation - * @return true if the signature is valid, false otherwise - * @throws SignatureValidationException for validation constraint violations - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun validateCertificateAndVerifyUninitializedSignature( - signature: PGPSignature, - signedData: InputStream, - signingKeyRing: PGPPublicKeyRing, - policy: Policy, - referenceTime: Date = signature.creationTime - ): Boolean { - return validateCertificate(signature, signingKeyRing, policy) && - SignatureVerifier.verifyUninitializedSignature( - signature, - signedData, - signingKeyRing.getPublicKey(signature.issuerKeyId)!!, - policy, - referenceTime) - } - - /** - * Validate the signing key and the given initialized signature. Initialized means that the - * signatures hash generator has already been updated by reading the signed data completely. - * - * @param signature initialized signature - * @param verificationKeys key ring containing the verification key - * @param policy validation policy - * @return true if the signature is valid, false otherwise - * @throws SignatureValidationException in case of a validation constraint violation - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun validateCertificateAndVerifyInitializedSignature( - signature: PGPSignature, - verificationKeys: PGPPublicKeyRing, - policy: Policy - ): Boolean { - return validateCertificate(signature, verificationKeys, policy) && - SignatureVerifier.verifyInitializedSignature( - signature, - verificationKeys.getPublicKey(signature.issuerKeyId), - policy, - signature.creationTime) - } - - /** - * Validate the signing key certificate and the given [OnePassSignatureCheck]. - * - * @param onePassSignature corresponding one-pass-signature - * @param policy policy - * @return true if the certificate is valid and the signature is correct, false otherwise. - * @throws SignatureValidationException in case of a validation error - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun validateCertificateAndVerifyOnePassSignature( - onePassSignature: OnePassSignatureCheck, - policy: Policy - ): Boolean { - return validateCertificate( - onePassSignature.signature!!, - onePassSignature.verificationKeys.pgpPublicKeyRing, - policy) && - SignatureVerifier.verifyOnePassSignature( - onePassSignature.signature!!, - onePassSignature.verificationKeys.pgpKeyRing.getPublicKey( - onePassSignature.signature!!.issuerKeyId), - onePassSignature, - policy) - } - } -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCheck.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCheck.kt deleted file mode 100644 index 15564773..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCheck.kt +++ /dev/null @@ -1,25 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import org.bouncycastle.openpgp.PGPKeyRing -import org.bouncycastle.openpgp.PGPSignature -import org.pgpainless.key.SubkeyIdentifier - -/** - * Tuple-class which bundles together a signature, the signing key that created the signature, an - * identifier of the signing key and a record of whether the signature was verified. - * - * @param signature OpenPGP signature - * @param signingKeyIdentifier identifier pointing to the exact signing key which was used to create - * the signature - * @param signingKeyRing certificate or key ring that contains the signing key that created the - * signature - */ -data class SignatureCheck( - val signature: PGPSignature, - val signingKeyRing: PGPKeyRing, - val signingKeyIdentifier: SubkeyIdentifier -) {} diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java index 5ee78246..46bfca6a 100644 --- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -211,7 +211,6 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertModifiedDSAKeyThrowsKeyIntegrityException() throws IOException { - System.out.println(DSA); PGPainless api = PGPainless.newInstance(); Policy policy = api.getAlgorithmPolicy(); policy.setEnableKeyParameterValidation(true); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 8b423cba..d9b4c809 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -19,7 +19,6 @@ import java.nio.charset.StandardCharsets; import java.util.Random; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; @@ -36,9 +35,7 @@ import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.consumer.CertificateValidator; import org.pgpainless.signature.SignatureUtils; -import org.pgpainless.signature.consumer.SignatureVerifier; import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.TestUtils; @@ -136,19 +133,6 @@ public class CleartextSignatureVerificationTest { assertArrayEquals(MESSAGE_BODY, bytes.toByteArray()); } - @Test - public void verifySignatureDetached() - throws IOException, PGPException { - PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); - - PGPSignature signature = SignatureUtils.readSignatures(SIGNATURE).get(0); - PGPPublicKey signingKey = signingKeys.getPublicKey(signature.getKeyID()); - - SignatureVerifier.initializeSignatureAndUpdateWithSignedData(signature, new ByteArrayInputStream(MESSAGE_BODY), signingKey); - - CertificateValidator.validateCertificateAndVerifyInitializedSignature(signature, signingKeys, PGPainless.getPolicy()); - } - public static void main(String[] args) throws IOException { // CHECKSTYLE:OFF PGPPublicKeyRing keys = TestKeys.getEmilPublicKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index bf3d7a0d..fa018909 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -4,23 +4,23 @@ package org.pgpainless.signature; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.junit.jupiter.api.Assertions.fail; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.util.Date; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.policy.Policy; -import org.pgpainless.signature.consumer.CertificateValidator; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.util.TestAllImplementations; /** @@ -47,12 +47,9 @@ public class BindingSignatureSubpacketsTest { "-----END PGP SIGNATURE-----\n"; private static final String data = "Hello World :)"; - private Date validationDate = new Date(); - private Policy policy = PGPainless.getPolicy(); - @TestTemplate @ExtendWith(TestAllImplementations.class) - public void baseCase() throws IOException { + public void baseCase() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -113,7 +110,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingIssuerFpOnly() throws IOException { + public void subkeyBindingIssuerFpOnly() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -174,7 +171,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingIssuerV6IssuerFp() throws IOException { + public void subkeyBindingIssuerV6IssuerFp() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -235,7 +232,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingIssuerFakeIssuer() throws IOException { + public void subkeyBindingIssuerFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -296,7 +293,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingFakeIssuerIssuer() throws IOException { + public void subkeyBindingFakeIssuerIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -357,7 +354,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingFakeIssuer() throws IOException { + public void subkeyBindingFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -418,7 +415,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingNoIssuer() throws IOException { + public void subkeyBindingNoIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -478,7 +475,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void unknownSubpacketHashed() throws IOException { + public void unknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -539,7 +536,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownCriticalSubpacket() throws IOException { + public void subkeyBindingUnknownCriticalSubpacket() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -600,7 +597,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownSubpacketUnhashed() throws IOException { + public void subkeyBindingUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -661,7 +658,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownCriticalSubpacketUnhashed() throws IOException { + public void subkeyBindingUnknownCriticalSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -722,7 +719,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownNotationHashed() throws IOException { + public void subkeyBindingUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -784,7 +781,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingCriticalUnknownNotationHashed() throws IOException { + public void subkeyBindingCriticalUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -846,7 +843,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingUnknownNotationUnhashed() throws IOException { + public void subkeyBindingUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -908,7 +905,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingCriticalUnknownNotationUnhashed() throws IOException { + public void subkeyBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -970,7 +967,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingBackSigFakeBackSig() throws IOException { + public void subkeyBindingBackSigFakeBackSig() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1042,7 +1039,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void subkeyBindingFakeBackSigBackSig() throws IOException { + public void subkeyBindingFakeBackSigBackSig() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1114,7 +1111,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingIssuerFpOnly() throws IOException { + public void primaryBindingIssuerFpOnly() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1175,7 +1172,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingIssuerV6IssuerFp() throws IOException { + public void primaryBindingIssuerV6IssuerFp() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1236,7 +1233,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingIssuerFakeIssuer() throws IOException { + public void primaryBindingIssuerFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1297,7 +1294,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingFakeIssuerIssuer() throws IOException { + public void primaryBindingFakeIssuerIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1358,7 +1355,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingFakeIssuer() throws IOException { + public void primaryBindingFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1419,7 +1416,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingNoIssuer() throws IOException { + public void primaryBindingNoIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1479,7 +1476,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownSubpacketHashed() throws IOException { + public void primaryBindingUnknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1540,7 +1537,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownSubpacketHashed() throws IOException { + public void primaryBindingCriticalUnknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1601,7 +1598,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownSubpacketUnhashed() throws IOException { + public void primaryBindingUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1662,7 +1659,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownSubpacketUnhashed() throws IOException { + public void primaryBindingCriticalUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1723,7 +1720,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownNotationHashed() throws IOException { + public void primaryBindingUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1785,7 +1782,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownNotationHashed() throws IOException { + public void primaryBindingCriticalUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1847,7 +1844,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingUnknownNotationUnhashed() throws IOException { + public void primaryBindingUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1909,7 +1906,7 @@ public class BindingSignatureSubpacketsTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void primaryBindingCriticalUnknownNotationUnhashed() throws IOException { + public void primaryBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1969,27 +1966,38 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Critical unknown notation is acceptable in unhashed area of primary key binding sig."); } - private void expectSignatureValidationSucceeds(String key, String message) throws IOException { - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); - PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); + private void expectSignatureValidationSucceeds(String key, String message) throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.readKey().parseCertificate(key); - try { - CertificateValidator.validateCertificateAndVerifyUninitializedSignature(signature, getSignedData(data), publicKeys, policy, validationDate); - } catch (SignatureValidationException e) { - // CHECKSTYLE:OFF - e.printStackTrace(); - // CHECKSTYLE:ON - fail(message + ": " + e.getMessage()); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(getSignedData(data)) + .withOptions(ConsumerOptions.get(api) + .addVerificationCert(certificate) + .addVerificationOfDetachedSignatures(SignatureUtils.readSignatures(sig))); + + Streams.drain(decryptionStream); + decryptionStream.close(); + MessageMetadata metadata = decryptionStream.getMetadata(); + + if (!metadata.getRejectedSignatures().isEmpty()) { + throw metadata.getRejectedSignatures().get(0).getValidationException(); } + assertTrue(decryptionStream.getMetadata().isVerifiedSignedBy(certificate), + message); } - private void expectSignatureValidationFails(String key, String message) throws IOException { - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); - PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); + private void expectSignatureValidationFails(String key, String message) throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.readKey().parseCertificate(key); - assertThrows(SignatureValidationException.class, () -> - CertificateValidator.validateCertificateAndVerifyUninitializedSignature( - signature, getSignedData(data), publicKeys, policy, validationDate), + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(getSignedData(data)) + .withOptions(ConsumerOptions.get(api) + .addVerificationCert(certificate) + .addVerificationOfDetachedSignatures(SignatureUtils.readSignatures(sig))); + + Streams.drain(decryptionStream); + decryptionStream.close(); + assertFalse(decryptionStream.getMetadata().isVerifiedSignedBy(certificate), message); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index b1e70445..ff22d4d3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -17,6 +17,7 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestTemplate; @@ -27,7 +28,6 @@ import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; -import org.pgpainless.signature.consumer.CertificateValidator; import org.pgpainless.util.TestAllImplementations; public class CertificateValidatorTest { @@ -170,16 +170,16 @@ public class CertificateValidatorTest { Date validationDate = new Date(); String data = "Hello, World"; - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), "Signature predates primary key"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( unboundSubkey, getSignedData(data), publicKeys, policy, validationDate), "Primary key hard revoked"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( primaryKeyRevoked, getSignedData(data), publicKeys, policy, validationDate), "Primary key hard revoked"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( primaryKeyRevalidated, getSignedData(data), publicKeys, policy, validationDate), "Primary key hard revoked"); } @@ -321,16 +321,16 @@ public class CertificateValidatorTest { Date validationDate = new Date(); String data = "Hello, World"; - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), "Signature predates primary key"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( unboundSubkey, getSignedData(data), publicKeys, policy, validationDate), "Signing key unbound + hard revocation"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( revokedSubkey, getSignedData(data), publicKeys, policy, validationDate), "Primary key is hard revoked"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( revalidatedSubkey, getSignedData(data), publicKeys, policy, validationDate), "Primary key is hard revoked"); } @@ -473,16 +473,16 @@ public class CertificateValidatorTest { Date validationDate = new Date(); String data = "Hello World :)"; - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), "Signature predates primary key"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( unboundKey, getSignedData(data), publicKeys, policy, validationDate), "Signing key unbound + hard revocation"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( afterHardRevocation, getSignedData(data), publicKeys, policy, validationDate), "Hard revocation invalidates key at all times"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( afterRevalidation, getSignedData(data), publicKeys, policy, validationDate), "Hard revocation invalidates key at all times"); } @@ -624,22 +624,22 @@ public class CertificateValidatorTest { String data = "Hello, World"; // Sig not valid, as it predates the signing key creation time - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( predatesPrimaryKey, getSignedData(data), publicKeys, policy, predatesPrimaryKey.getCreationTime()), "Signature predates primary key creation date"); // Sig valid - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( keyIsValid, getSignedData(data), publicKeys, policy, keyIsValid.getCreationTime()), "Signature is valid"); // Sig not valid, as the signing key is revoked - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( keyIsRevoked, getSignedData(data), publicKeys, policy, keyIsRevoked.getCreationTime()), "Signing key is revoked at this point"); // Sig valid, as the signing key is revalidated - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( keyIsRevalidated, getSignedData(data), publicKeys, policy, keyIsRevalidated.getCreationTime()), "Signature is valid, as signing key is revalidated"); } @@ -782,17 +782,17 @@ public class CertificateValidatorTest { String data = "Hello, World"; Date validationDate = new Date(); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), "Signature predates primary key creation date"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( keyNotBound, getSignedData(data), publicKeys, policy, validationDate), "Signing key is not bound at this point"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( keyRevoked, getSignedData(data), publicKeys, policy, validationDate), "Signing key is revoked at this point"); assertDoesNotThrow(() -> - CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + verify( valid, getSignedData(data), publicKeys, policy, validationDate), "Signing key is revalidated"); } @@ -935,17 +935,17 @@ public class CertificateValidatorTest { Date validationDate = new Date(); String data = "Hello, World"; - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), "Signature predates primary key creation date"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( valid, getSignedData(data), publicKeys, policy, validationDate), "Signature is valid"); assertThrows(SignatureValidationException.class, () -> - CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + verify( revoked, getSignedData(data), publicKeys, policy, validationDate), "Primary key is revoked"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( revalidated, getSignedData(data), publicKeys, policy, validationDate), "Primary key is re-legitimized"); } @@ -1275,47 +1275,66 @@ public class CertificateValidatorTest { Date validationDate = new Date(); String data = "Hello World :)"; - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( sigAT0, getSignedData(data), keysA, policy, validationDate), "Signature predates key creation time"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( sigAT1_T2, getSignedData(data), keysA, policy, validationDate), "Key valid"); assertThrows(SignatureValidationException.class, () -> - CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + verify( sigAT2_T3, getSignedData(data), keysA, policy, validationDate), "Key is not valid, as subkey binding expired"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( sigAT3_now, getSignedData(data), keysA, policy, validationDate), "Key is valid again"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( sigBT0, getSignedData(data), keysB, policy, validationDate), "Signature predates key creation time"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( sigBT1_T2, getSignedData(data), keysB, policy, validationDate), "Key is valid"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( sigBT2_T3, getSignedData(data), keysB, policy, validationDate), "Primary key is not signing-capable"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( sigBT3_now, getSignedData(data), keysB, policy, validationDate), "Key is valid again"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( sigCT0, getSignedData(data), keysC, policy, validationDate), "Signature predates key creation time"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( sigCT1_T2, getSignedData(data), keysC, policy, validationDate), "Key is valid"); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertThrows(SignatureValidationException.class, () -> verify( sigCT2_T3, getSignedData(data), keysC, policy, validationDate), "Key is revoked"); - assertDoesNotThrow(() -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature( + assertDoesNotThrow(() -> verify( sigCT3_now, getSignedData(data), keysC, policy, validationDate), "Key is valid again"); } + private void verify(PGPSignature signature, InputStream dataIn, PGPPublicKeyRing cert, Policy policy, Date validationDate) throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.toCertificate(cert); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(dataIn) + .withOptions(ConsumerOptions.get(api) + .addVerificationOfDetachedSignature(signature) + .addVerificationCert(certificate)); + + Streams.drain(decryptionStream); + decryptionStream.close(); + MessageMetadata metadata = decryptionStream.getMetadata(); + + if (metadata.hasRejectedSignatures()) { + throw metadata.getRejectedSignatures().get(0).getValidationException(); + } + } + private static InputStream getSignedData(String data) { return new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 87059847..2a45b1c5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -8,17 +8,23 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.ByteArrayInputStream; import java.io.IOException; +import java.io.InputStream; import java.nio.charset.StandardCharsets; import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.signature.consumer.CertificateValidator; +import org.pgpainless.policy.Policy; import org.pgpainless.util.TestAllImplementations; public class KeyRevocationTest { @@ -153,16 +159,16 @@ public class KeyRevocationTest { PGPSignature t2t3 = SignatureUtils.readSignatures(sigT2T3).get(0); PGPSignature t3now = SignatureUtils.readSignatures(sigT3Now).get(0); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature(t0, + assertThrows(SignatureValidationException.class, () -> verify(t0, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), publicKeys, PGPainless.getPolicy(), new Date())); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature(t1t2, + assertThrows(SignatureValidationException.class, () -> verify(t1t2, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), publicKeys, PGPainless.getPolicy(), new Date())); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature(t2t3, + assertThrows(SignatureValidationException.class, () -> verify(t2t3, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), publicKeys, PGPainless.getPolicy(), new Date())); - assertThrows(SignatureValidationException.class, () -> CertificateValidator.validateCertificateAndVerifyUninitializedSignature(t3now, + assertThrows(SignatureValidationException.class, () -> verify(t3now, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), publicKeys, PGPainless.getPolicy(), new Date())); } @@ -255,8 +261,29 @@ public class KeyRevocationTest { PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); - CertificateValidator.validateCertificateAndVerifyUninitializedSignature(signature, + verify(signature, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), publicKeys, PGPainless.getPolicy(), new Date()); } + + + private void verify(PGPSignature signature, InputStream dataIn, PGPPublicKeyRing cert, Policy policy, Date validationDate) throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate certificate = api.toCertificate(cert); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(dataIn) + .withOptions(ConsumerOptions.get(api) + .addVerificationOfDetachedSignature(signature) + .addVerificationCert(certificate)); + + Streams.drain(decryptionStream); + decryptionStream.close(); + MessageMetadata metadata = decryptionStream.getMetadata(); + + if (metadata.hasRejectedSignatures()) { + throw metadata.getRejectedSignatures().get(0).getValidationException(); + } + } + } From 8f3049602ffd7da2a26d01b2277a733b02735f76 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Mar 2025 12:40:43 +0100 Subject: [PATCH 122/265] Remove SignerUserId check, Policy setting only via constructor parameter --- .../main/kotlin/org/pgpainless/PGPainless.kt | 17 +- .../OpenPgpMessageInputStream.kt | 13 +- .../key/generation/KeyRingTemplates.kt | 9 +- .../kotlin/org/pgpainless/policy/Policy.kt | 6 +- .../ModifiedPublicKeysInvestigation.java | 8 +- .../WrongSignerUserIdTest.java | 174 ------------------ .../EncryptDecryptTest.java | 27 ++- .../org/pgpainless/example/ManagePolicy.java | 35 +--- ...GenerateKeyWithoutPrimaryKeyFlagsTest.java | 26 +-- .../key/generation/GenerateV6KeyTest.java | 21 +-- .../GeneratingWeakKeyThrowsTest.java | 21 +-- .../RefuseToAddWeakSubkeyTest.java | 8 +- .../org/pgpainless/policy/PolicyTest.java | 6 - .../signature/CertificateValidatorTest.java | 89 ++++----- .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 2 + .../sop/VerifyLegacySignatureTest.java | 11 +- 16 files changed, 125 insertions(+), 348 deletions(-) delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index e15c285a..4a0084d2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -17,7 +17,6 @@ import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKeyGenerator import org.bouncycastle.openpgp.api.OpenPGPKeyReader import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi -import org.bouncycastle.openpgp.api.bc.BcOpenPGPImplementation import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter import org.pgpainless.bouncycastle.extensions.setAlgorithmSuite @@ -35,10 +34,14 @@ import org.pgpainless.util.ArmorUtils class PGPainless( val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(), - var algorithmPolicy: Policy = Policy() + val algorithmPolicy: Policy = Policy() ) { - private var api: OpenPGPApi + constructor( + algorithmPolicy: Policy + ) : this(OpenPGPImplementation.getInstance(), algorithmPolicy) + + private val api: OpenPGPApi init { implementation.setPolicy( @@ -53,7 +56,11 @@ class PGPainless( ): KeyRingTemplates = KeyRingTemplates(version, creationTime, this) @JvmOverloads - fun buildKey( + fun buildKey(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingBuilder = + KeyRingBuilder(version, this) + + @JvmOverloads + fun _buildKey( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, creationTime: Date = Date() ): OpenPGPKeyGenerator = @@ -108,8 +115,6 @@ class PGPainless( @Volatile private var instance: PGPainless? = null - @JvmStatic fun newInstance(): PGPainless = PGPainless(BcOpenPGPImplementation(), Policy()) - @JvmStatic fun getInstance(): PGPainless = instance ?: synchronized(this) { instance ?: PGPainless().also { instance = it } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index af5ffe97..8e8062af 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -26,6 +26,7 @@ import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData import org.bouncycastle.openpgp.PGPSessionKey import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.PGPSignatureException import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey @@ -870,6 +871,10 @@ class OpenPgpMessageInputStream( } catch (e: SignatureValidationException) { layer.addRejectedOnePassSignature( SignatureVerification.Failure(verification, e)) + } catch (e: PGPSignatureException) { + layer.addRejectedOnePassSignature( + SignatureVerification.Failure( + verification, SignatureValidationException(e.message, e))) } break } @@ -973,10 +978,12 @@ class OpenPgpMessageInputStream( SignatureValidator.signatureWasCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) .verify(detached.signature) - if (detached.verify() && detached.isValid(api.implementation.policy())) { - layer.addVerifiedDetachedSignature(verification) - } else { + if (!detached.verify()) { throw SignatureValidationException("Incorrect detached signature.") + } else if (!detached.isValid(api.implementation.policy())) { + throw SignatureValidationException("Detached signature is not valid.") + } else { + layer.addVerifiedDetachedSignature(verification) } } catch (e: MalformedOpenPGPSignatureException) { throw SignatureValidationException("Malformed detached signature.", e) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt index 54948878..122b8e31 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingTemplates.kt @@ -7,7 +7,6 @@ package org.pgpainless.key.generation import java.util.* import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless -import org.pgpainless.PGPainless.Companion.buildKeyRing import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.key.generation.KeySpec.Companion.getBuilder @@ -38,7 +37,7 @@ class KeyRingTemplates( length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() ): OpenPGPKey = - buildKeyRing(version, api) + api.buildKey(version) .apply { setPrimaryKey( getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER) @@ -90,7 +89,7 @@ class KeyRingTemplates( length: RsaLength, passphrase: Passphrase = Passphrase.emptyPassphrase() ): OpenPGPKey = - buildKeyRing(version) + api.buildKey(version) .apply { setPrimaryKey( getBuilder( @@ -144,7 +143,7 @@ class KeyRingTemplates( val encryptionKeyType = if (version == OpenPGPKeyVersion.v6) KeyType.X25519() else KeyType.XDH_LEGACY(XDHLegacySpec._X25519) - return buildKeyRing(version) + return api.buildKey(version) .apply { setPrimaryKey( getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -197,7 +196,7 @@ class KeyRingTemplates( val encryptionKeyType = if (version == OpenPGPKeyVersion.v6) KeyType.X25519() else KeyType.XDH_LEGACY(XDHLegacySpec._X25519) - return buildKeyRing(version) + return api.buildKey(version) .apply { setPrimaryKey( getBuilder(signingKeyType, KeyFlag.CERTIFY_OTHER) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index a2339bec..233600c7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -36,7 +36,6 @@ class Policy( NotationRegistry(), AlgorithmSuite.defaultAlgorithmSuite) - var signerUserIdValidationLevel = SignerUserIdValidationLevel.DISABLED var enableKeyParameterValidation = false fun copy() = Builder(this) @@ -493,9 +492,6 @@ class Policy( keyProtectionSettings, notationRegistry, keyGenerationAlgorithmSuite) - .apply { - enableKeyParameterValidation = origin.enableKeyParameterValidation - signerUserIdValidationLevel = origin.signerUserIdValidationLevel - } + .apply { enableKeyParameterValidation = origin.enableKeyParameterValidation } } } diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java index 46bfca6a..1d79658b 100644 --- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -211,7 +211,7 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertModifiedDSAKeyThrowsKeyIntegrityException() throws IOException { - PGPainless api = PGPainless.newInstance(); + PGPainless api = PGPainless.getInstance(); Policy policy = api.getAlgorithmPolicy(); policy.setEnableKeyParameterValidation(true); @@ -226,7 +226,7 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertModifiedElGamalKeyThrowsKeyIntegrityException() throws IOException { - PGPainless api = PGPainless.newInstance(); + PGPainless api = PGPainless.getInstance(); Policy policy = api.getAlgorithmPolicy(); policy.setEnableKeyParameterValidation(true); @@ -239,7 +239,7 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertInjectedKeyRingFailsToUnlockPrimaryKey() throws IOException { - PGPainless api = PGPainless.newInstance(); + PGPainless api = PGPainless.getInstance(); Policy policy = api.getAlgorithmPolicy(); policy.setEnableKeyParameterValidation(true); @@ -252,7 +252,7 @@ public class ModifiedPublicKeysInvestigation { @Test public void assertCannotUnlockElGamalPrimaryKeyDueToDummyS2K() throws IOException { - PGPainless api = PGPainless.newInstance(); + PGPainless api = PGPainless.getInstance(); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); OpenPGPKey elgamal = api.readKey().parseKey(ELGAMAL); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java deleted file mode 100644 index 61e06cf5..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java +++ /dev/null @@ -1,174 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.decryption_verification; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.nio.charset.StandardCharsets; -import java.util.Date; -import java.util.Iterator; - -import org.bouncycastle.bcpg.ArmoredOutputStream; -import org.bouncycastle.bcpg.BCPGOutputStream; -import org.bouncycastle.bcpg.CompressionAlgorithmTags; -import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags; -import org.bouncycastle.openpgp.PGPCompressedDataGenerator; -import org.bouncycastle.openpgp.PGPEncryptedDataGenerator; -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPLiteralDataGenerator; -import org.bouncycastle.openpgp.PGPPrivateKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureGenerator; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; -import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder; -import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder; -import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder; -import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator; -import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.AfterAll; -import org.junit.jupiter.api.Test; -import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.policy.Policy; -import org.pgpainless.util.Passphrase; - -public class WrongSignerUserIdTest { - - private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + - " Comment: Alice's OpenPGP Transferable Secret Key\n" + - " Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html\n" + - "\n" + - " lFgEXEcE6RYJKwYBBAHaRw8BAQdArjWwk3FAqyiFbFBKT4TzXcVBqPTB3gmzlC/U\n" + - " b7O1u10AAP9XBeW6lzGOLx7zHH9AsUDUTb2pggYGMzd0P3ulJ2AfvQ4RtCZBbGlj\n" + - " ZSBMb3ZlbGFjZSA8YWxpY2VAb3BlbnBncC5leGFtcGxlPoiQBBMWCAA4AhsDBQsJ\n" + - " CAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE64W7X6M6deFelE5j8jFVDE9H444FAl2l\n" + - " nzoACgkQ8jFVDE9H447pKwD6A5xwUqIDprBzrHfahrImaYEZzncqb25vkLV2arYf\n" + - " a78A/R3AwtLQvjxwLDuzk4dUtUwvUYibL2sAHwj2kGaHnfICnF0EXEcE6RIKKwYB\n" + - " BAGXVQEFAQEHQEL/BiGtq0k84Km1wqQw2DIikVYrQrMttN8d7BPfnr4iAwEIBwAA\n" + - " /3/xFPG6U17rhTuq+07gmEvaFYKfxRB6sgAYiW6TMTpQEK6IeAQYFggAIBYhBOuF\n" + - " u1+jOnXhXpROY/IxVQxPR+OOBQJcRwTpAhsMAAoJEPIxVQxPR+OOWdABAMUdSzpM\n" + - " hzGs1O0RkWNQWbUzQ8nUOeD9wNbjE3zR+yfRAQDbYqvtWQKN4AQLTxVJN5X5AWyb\n" + - " Pnn+We1aTBhaGa86AQ==\n" + - " =n8OM\n" + - " -----END PGP PRIVATE KEY BLOCK-----"; - private static final String USER_ID = "Alice Lovelace "; - - @Test - public void verificationSucceedsWithDisabledCheck() throws PGPException, IOException { - executeTest(false, true); - } - - @Test - public void verificationFailsWithEnabledCheck() throws PGPException, IOException { - executeTest(true, false); - } - - @AfterAll - public static void resetDefault() { - PGPainless.getPolicy().setSignerUserIdValidationLevel(Policy.SignerUserIdValidationLevel.DISABLED); - } - - public void executeTest(boolean enableCheck, boolean expectSucessfulVerification) throws IOException, PGPException { - PGPainless.getPolicy().setSignerUserIdValidationLevel(enableCheck ? Policy.SignerUserIdValidationLevel.STRICT : Policy.SignerUserIdValidationLevel.DISABLED); - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - assertEquals(USER_ID, secretKeys.getPublicKey().getUserIDs().next()); - - String messageWithWrongUserId = generateTestMessage(secretKeys); - verifyTestMessage(messageWithWrongUserId, secretKeys, expectSucessfulVerification); - } - - private void verifyTestMessage(String messageWithWrongUserId, PGPSecretKeyRing secretKeys, boolean expectSuccessfulVerification) throws IOException, PGPException { - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); - - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream( - new ByteArrayInputStream(messageWithWrongUserId.getBytes(StandardCharsets.UTF_8))) - .withOptions(ConsumerOptions.get() - .addDecryptionKey(secretKeys) - .addVerificationCert(certificate)); - - ByteArrayOutputStream out = new ByteArrayOutputStream(); - Streams.pipeAll(decryptionStream, out); - - decryptionStream.close(); - MessageMetadata metadata = decryptionStream.getMetadata(); - - if (expectSuccessfulVerification) { - assertTrue(metadata.isVerifiedSigned()); - } else { - assertFalse(metadata.isVerifiedSigned()); - } - - } - - private String generateTestMessage(PGPSecretKeyRing secretKeys) throws PGPException, IOException { - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); - - assertEquals(USER_ID, certificate.getPublicKey().getUserIDs().next()); - - Iterator keys = secretKeys.getSecretKeys(); - PGPSecretKey signingKey = keys.next(); - PGPSecretKey encryptionKey = keys.next(); - - PGPPrivateKey signingPrivKey = UnlockSecretKey.unlockSecretKey(signingKey, Passphrase.emptyPassphrase()); - - // ARMOR - ByteArrayOutputStream cipherText = new ByteArrayOutputStream(); - ArmoredOutputStream armorOut = new ArmoredOutputStream(cipherText); - - // ENCRYPTION - PGPDataEncryptorBuilder dataEncryptorBuilder = new BcPGPDataEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256); - dataEncryptorBuilder.setWithIntegrityPacket(true); - - PGPEncryptedDataGenerator encDataGenerator = new PGPEncryptedDataGenerator(dataEncryptorBuilder); - encDataGenerator.addMethod(new BcPublicKeyKeyEncryptionMethodGenerator(encryptionKey.getPublicKey())); - OutputStream encStream = encDataGenerator.open(armorOut, new byte[4096]); - - // COMPRESSION - PGPCompressedDataGenerator compressedDataGenerator = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZLIB); - BCPGOutputStream bOut = new BCPGOutputStream(compressedDataGenerator.open(encStream)); - - // SIGNING - PGPSignatureGenerator sigGen = new PGPSignatureGenerator( - new BcPGPContentSignerBuilder(signingKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); - sigGen.init(PGPSignature.BINARY_DOCUMENT, signingPrivKey); - - PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(); - subpacketGenerator.addSignerUserID(false, "Albert Lovelace "); - sigGen.setHashedSubpackets(subpacketGenerator.generate()); - - sigGen.generateOnePassVersion(false).encode(bOut); - - // LITERAL DATA - PGPLiteralDataGenerator literalDataGenerator = new PGPLiteralDataGenerator(); - OutputStream lOut = literalDataGenerator.open(bOut, PGPLiteralDataGenerator.BINARY, - PGPLiteralDataGenerator.CONSOLE, new Date(), new byte[4096]); - - // write msg - ByteArrayInputStream msgIn = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); - int ch; - while ((ch = msgIn.read()) >= 0) { - lOut.write(ch); - sigGen.update((byte) ch); - } - - lOut.close(); - sigGen.generate().encode(bOut); - compressedDataGenerator.close(); - encStream.close(); - armorOut.close(); - - return cipherText.toString(); - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 5ec70502..6561368d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -23,7 +23,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; @@ -39,7 +38,6 @@ import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.KeyRingUtils; -import org.pgpainless.policy.Policy; import org.pgpainless.util.ArmoredOutputStreamFactory; import org.pgpainless.util.TestAllImplementations; @@ -57,18 +55,14 @@ public class EncryptDecryptTest { "Unfold the imagined happiness that both\n" + "Receive in either by this dear encounter."; - @BeforeEach - public void setDefaultPolicy() { - PGPainless.getInstance().setAlgorithmPolicy(new Policy()); - } - @TestTemplate @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToRsaTest() throws PGPException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing sender = api.generateKey().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) + PGPSecretKeyRing recipient = api.generateKey().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); @@ -78,9 +72,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysEcToEcTest() throws IOException, PGPException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit") + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing sender = api.generateKey().simpleEcKeyRing("romeo@montague.lit") .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit") + PGPSecretKeyRing recipient = api.generateKey().simpleEcKeyRing("juliet@capulet.lit") .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); @@ -90,9 +85,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysEcToRsaTest() throws PGPException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit") + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing sender = api.generateKey().simpleEcKeyRing("romeo@montague.lit") .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) + PGPSecretKeyRing recipient = api.generateKey().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); @@ -102,9 +98,10 @@ public class EncryptDecryptTest { @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToEcTest() throws PGPException, IOException { - PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing sender = api.generateKey().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit") + PGPSecretKeyRing recipient = api.generateKey().simpleEcKeyRing("juliet@capulet.lit") .getPGPSecretKeyRing(); encryptDecryptForSecretKeyRings(sender, recipient); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java index c0cbc505..7fc55f7b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java @@ -10,8 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.util.Arrays; import java.util.HashMap; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; @@ -36,16 +34,6 @@ import org.pgpainless.util.NotationRegistry; */ public class ManagePolicy { - /** - * Reset PGPainless' policy class to default values. - */ - @BeforeEach - @AfterEach - public void resetPolicy() { - // Policy for hash algorithms in non-revocation signatures - PGPainless.getInstance().setAlgorithmPolicy(new Policy()); - } - /** * {@link HashAlgorithm Hash Algorithms} may get outdated with time. {@link HashAlgorithm#SHA1} is a prominent * example for an algorithm that is nowadays considered unsafe to use and which shall be avoided. @@ -62,8 +50,9 @@ public class ManagePolicy { */ @Test public void setCustomSignatureHashPolicy() { + PGPainless api = PGPainless.getInstance(); // Get PGPainless' policy - Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy(); + Policy oldPolicy = api.getAlgorithmPolicy(); Policy.HashAlgorithmPolicy sigHashAlgoPolicy = oldPolicy.getDataSignatureHashAlgorithmPolicy(); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512)); @@ -77,17 +66,12 @@ public class ManagePolicy { // List of acceptable hash algorithms Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224, HashAlgorithm.SHA1)); // Set the hash algo policy as policy for non-revocation signatures - PGPainless.getInstance().setAlgorithmPolicy( - oldPolicy.copy().withDataSignatureHashAlgorithmPolicy(customPolicy).build() - ); + api = new PGPainless(oldPolicy.copy().withDataSignatureHashAlgorithmPolicy(customPolicy).build()); - sigHashAlgoPolicy = PGPainless.getInstance().getAlgorithmPolicy().getDataSignatureHashAlgorithmPolicy(); + sigHashAlgoPolicy = api.getAlgorithmPolicy().getDataSignatureHashAlgorithmPolicy(); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512)); // SHA-1 is now acceptable as well assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1)); - - // reset old policy - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } /** @@ -100,7 +84,8 @@ public class ManagePolicy { */ @Test public void setCustomPublicKeyAlgorithmPolicy() { - Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy(); + PGPainless api = PGPainless.getInstance(); + Policy oldPolicy = api.getAlgorithmPolicy(); Policy.PublicKeyAlgorithmPolicy pkAlgorithmPolicy = oldPolicy.getPublicKeyAlgorithmPolicy(); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096)); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048)); @@ -115,17 +100,15 @@ public class ManagePolicy { put(PublicKeyAlgorithm.RSA_GENERAL, 3000); }} ); - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy().withPublicKeyAlgorithmPolicy(customPolicy).build()); - pkAlgorithmPolicy = PGPainless.getInstance().getAlgorithmPolicy().getPublicKeyAlgorithmPolicy(); + api = new PGPainless(oldPolicy.copy().withPublicKeyAlgorithmPolicy(customPolicy).build()); + + pkAlgorithmPolicy = api.getAlgorithmPolicy().getPublicKeyAlgorithmPolicy(); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096)); // RSA 2048 is no longer acceptable assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048)); // ECDSA is no longer acceptable, since it is no longer included in the policy at all assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.ECDSA, 256)); - - // Reset policy - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } /** diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java index d23e6f15..40bcac96 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java @@ -15,8 +15,8 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -42,15 +42,15 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { @Test public void generateKeyWithoutCertifyKeyFlag_cannotCertifyThirdParties() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing().setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519))) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.buildKey().setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519))) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) .addUserId("Alice") - .build() - .getPGPSecretKeyRing(); - PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys); + .build(); + OpenPGPCertificate cert = key.toCertificate(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(key); assertTrue(info.getValidUserIds().contains("Alice")); KeyIdentifier primaryKeyIdentifier = info.getKeyIdentifier(); @@ -59,18 +59,18 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { assertFalse(info.isUsableForThirdPartyCertification()); // Key without CERTIFY_OTHER flag cannot be used to certify other keys - PGPPublicKeyRing thirdPartyCert = TestKeys.getCryptiePublicKeyRing(); + OpenPGPCertificate thirdPartyCert = TestKeys.getCryptieCertificate(); assertThrows(KeyException.UnacceptableThirdPartyCertificationKeyException.class, () -> - PGPainless.certify().certificate(thirdPartyCert) - .withKey(secretKeys, SecretKeyRingProtector.unprotectedKeys())); + api.generateCertification().certificate(thirdPartyCert) + .withKey(key, SecretKeyRingProtector.unprotectedKeys())); // Key without CERTIFY_OTHER flags is usable for encryption and signing ByteArrayOutputStream ciphertext = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(ciphertext) .withOptions(ProducerOptions.signAndEncrypt( EncryptionOptions.get().addRecipient(cert), - SigningOptions.get().addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT) + SigningOptions.get().addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), key, DocumentSignatureType.BINARY_DOCUMENT) )); encryptionStream.write("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); encryptionStream.close(); @@ -79,7 +79,7 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertext.toByteArray())) - .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys) + .withOptions(ConsumerOptions.get().addDecryptionKey(key) .addVerificationCert(cert)); ByteArrayOutputStream plaintext = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index 652afb33..58f4695e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -18,7 +18,6 @@ import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.KeyRingProtectionSettings; -import org.pgpainless.policy.Policy; import java.io.IOException; @@ -31,7 +30,8 @@ public class GenerateV6KeyTest { @Test public void generateModernV6Key() { - OpenPGPKey key = PGPainless.generateKeyRing(OpenPGPKeyVersion.v6) + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.generateKey(OpenPGPKeyVersion.v6) .modernKeyRing("Alice "); assertEquals(3, key.getKeys().size()); @@ -54,7 +54,7 @@ public class GenerateV6KeyTest { @Test public void buildMinimalEd25519V6Key() throws PGPException { - OpenPGPKey key = PGPainless.getInstance().buildKey(OpenPGPKeyVersion.v6) + OpenPGPKey key = PGPainless.getInstance()._buildKey(OpenPGPKeyVersion.v6) .withPrimaryKey(PGPKeyPairGenerator::generateEd25519KeyPair, new SignatureParameters.Callback() { @Override public SignatureParameters apply(SignatureParameters parameters) { @@ -87,7 +87,7 @@ public class GenerateV6KeyTest { @Test public void buildCompositeCurve25519V6Key() throws PGPException, IOException { - OpenPGPKey key = PGPainless.getInstance().buildKey(OpenPGPKeyVersion.v6) + OpenPGPKey key = PGPainless.getInstance()._buildKey(OpenPGPKeyVersion.v6) .withPrimaryKey(PGPKeyPairGenerator::generateEd25519KeyPair) .addSigningSubkey(PGPKeyPairGenerator::generateEd25519KeyPair) .addEncryptionSubkey(PGPKeyPairGenerator::generateX25519KeyPair) @@ -138,20 +138,19 @@ public class GenerateV6KeyTest { @Test public void generateAEADProtectedModernKey() throws IOException, PGPException { - Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy(); + PGPainless api = PGPainless.getInstance(); // Change Policy to use AEAD for secret key protection - PGPainless.getInstance().setAlgorithmPolicy( - oldPolicy.copy().withKeyProtectionSettings(KeyRingProtectionSettings.aead()).build() - ); + api = new PGPainless(api.getAlgorithmPolicy().copy() + .withKeyProtectionSettings(KeyRingProtectionSettings.aead()).build()); - OpenPGPKey key = PGPainless.getInstance() + OpenPGPKey key = api .generateKey(OpenPGPKeyVersion.v6) .modernKeyRing("Alice ", "p455w0rd"); String armored = key.toAsciiArmoredString(); - OpenPGPKey parsed = PGPainless.getInstance().readKey().parseKey(armored); + OpenPGPKey parsed = api.readKey().parseKey(armored); OpenPGPKey.OpenPGPSecretKey primaryKey = key.getPrimarySecretKey(); assertEquals(SecretKeyPacket.USAGE_AEAD, primaryKey.getPGPSecretKey().getS2KUsage()); @@ -160,7 +159,5 @@ public class GenerateV6KeyTest { assertNotNull(privateKey); assertEquals(armored, parsed.toAsciiArmoredString()); - - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java index 49db0243..d75a751c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java @@ -21,20 +21,15 @@ public class GeneratingWeakKeyThrowsTest { @Test public void refuseToGenerateWeakPrimaryKeyTest() { - // ensure we have default public key algorithm policy set - PGPainless.getInstance().setAlgorithmPolicy(new Policy()); assertThrows(IllegalArgumentException.class, () -> - PGPainless.buildKeyRing() + PGPainless.getInstance().buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))); } @Test public void refuseToAddWeakSubkeyDuringGenerationTest() { - // ensure we have default public key algorithm policy set - PGPainless.getInstance().setAlgorithmPolicy(new Policy()); - - KeyRingBuilder kb = PGPainless.buildKeyRing() + KeyRingBuilder kb = PGPainless.getInstance().buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)); @@ -46,23 +41,19 @@ public class GeneratingWeakKeyThrowsTest { @Test public void allowToAddWeakKeysWithWeakPolicy() { // set a weak algorithm policy + PGPainless api = PGPainless.getInstance(); Map bitStrengths = new HashMap<>(); bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512); - Policy oldPolicy = PGPainless.getPolicy(); - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy() - .withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(bitStrengths)) - .build()); + Policy oldPolicy = api.getAlgorithmPolicy(); + api = new PGPainless(oldPolicy.copy().withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(bitStrengths)).build()); - PGPainless.buildKeyRing() + api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS)) .addUserId("Henry") .build(); - - // reset public key algorithm policy - PGPainless.getInstance().setAlgorithmPolicy(oldPolicy); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java index c1019679..cffdd063 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -34,7 +34,7 @@ public class RefuseToAddWeakSubkeyTest { Policy adjusted = oldPolicy.copy().withPublicKeyAlgorithmPolicy( Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy() ).build(); - api.setAlgorithmPolicy(adjusted); + api = new PGPainless(adjusted); OpenPGPKey secretKeys = api.generateKey() .modernKeyRing("Alice"); @@ -43,7 +43,6 @@ public class RefuseToAddWeakSubkeyTest { assertThrows(IllegalArgumentException.class, () -> editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys())); - api.setAlgorithmPolicy(oldPolicy); } @Test @@ -75,7 +74,7 @@ public class RefuseToAddWeakSubkeyTest { minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000); // §7.2.2 minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250); - api.setAlgorithmPolicy(oldPolicy.copy() + api = new PGPainless(oldPolicy.copy() .withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths)) .build()); @@ -88,8 +87,5 @@ public class RefuseToAddWeakSubkeyTest { .done(); assertEquals(2, api.inspect(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size()); - - // reset default policy - api.setAlgorithmPolicy(oldPolicy); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java index 27288218..440b8165 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java @@ -6,7 +6,6 @@ package org.pgpainless.policy; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.util.Arrays; @@ -205,9 +204,4 @@ public class PolicyTest { public void testUnknownPublicKeyAlgorithmIsNotAcceptable() { assertFalse(policy.getPublicKeyAlgorithmPolicy().isAcceptable(-1, 4096)); } - - @Test - public void setNullSignerUserIdValidationLevelThrows() { - assertThrows(NullPointerException.class, () -> policy.setSignerUserIdValidationLevel(null)); - } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index ff22d4d3..1ab69990 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -12,7 +12,6 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -27,7 +26,6 @@ import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.policy.Policy; import org.pgpainless.util.TestAllImplementations; public class CertificateValidatorTest { @@ -166,21 +164,19 @@ public class CertificateValidatorTest { PGPSignature primaryKeyRevoked = SignatureUtils.readSignatures(sigPrimaryKeyRevoked).get(0); PGPSignature primaryKeyRevalidated = SignatureUtils.readSignatures(sigPrimaryKeyRevalidated).get(0); - Policy policy = PGPainless.getPolicy(); - Date validationDate = new Date(); String data = "Hello, World"; assertThrows(SignatureValidationException.class, () -> verify( - predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), + predatesPrimaryKey, getSignedData(data), publicKeys), "Signature predates primary key"); assertThrows(SignatureValidationException.class, () -> verify( - unboundSubkey, getSignedData(data), publicKeys, policy, validationDate), + unboundSubkey, getSignedData(data), publicKeys), "Primary key hard revoked"); assertThrows(SignatureValidationException.class, () -> verify( - primaryKeyRevoked, getSignedData(data), publicKeys, policy, validationDate), + primaryKeyRevoked, getSignedData(data), publicKeys), "Primary key hard revoked"); assertThrows(SignatureValidationException.class, () -> verify( - primaryKeyRevalidated, getSignedData(data), publicKeys, policy, validationDate), + primaryKeyRevalidated, getSignedData(data), publicKeys), "Primary key hard revoked"); } @@ -317,21 +313,19 @@ public class CertificateValidatorTest { PGPSignature revokedSubkey = SignatureUtils.readSignatures(sigSubkeyRevoked).get(0); PGPSignature revalidatedSubkey = SignatureUtils.readSignatures(sigSubkeyRevalidated).get(0); - Policy policy = PGPainless.getPolicy(); - Date validationDate = new Date(); String data = "Hello, World"; assertThrows(SignatureValidationException.class, () -> verify( - predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), + predatesPrimaryKey, getSignedData(data), publicKeys), "Signature predates primary key"); assertThrows(SignatureValidationException.class, () -> verify( - unboundSubkey, getSignedData(data), publicKeys, policy, validationDate), + unboundSubkey, getSignedData(data), publicKeys), "Signing key unbound + hard revocation"); assertThrows(SignatureValidationException.class, () -> verify( - revokedSubkey, getSignedData(data), publicKeys, policy, validationDate), + revokedSubkey, getSignedData(data), publicKeys), "Primary key is hard revoked"); assertThrows(SignatureValidationException.class, () -> verify( - revalidatedSubkey, getSignedData(data), publicKeys, policy, validationDate), + revalidatedSubkey, getSignedData(data), publicKeys), "Primary key is hard revoked"); } @@ -469,21 +463,19 @@ public class CertificateValidatorTest { PGPSignature afterHardRevocation = SignatureUtils.readSignatures(sigAfterHardRevocation).get(0); PGPSignature afterRevalidation = SignatureUtils.readSignatures(sigAfterRevalidation).get(0); - Policy policy = PGPainless.getPolicy(); - Date validationDate = new Date(); String data = "Hello World :)"; assertThrows(SignatureValidationException.class, () -> verify( - predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), + predatesPrimaryKey, getSignedData(data), publicKeys), "Signature predates primary key"); assertThrows(SignatureValidationException.class, () -> verify( - unboundKey, getSignedData(data), publicKeys, policy, validationDate), + unboundKey, getSignedData(data), publicKeys), "Signing key unbound + hard revocation"); assertThrows(SignatureValidationException.class, () -> verify( - afterHardRevocation, getSignedData(data), publicKeys, policy, validationDate), + afterHardRevocation, getSignedData(data), publicKeys), "Hard revocation invalidates key at all times"); assertThrows(SignatureValidationException.class, () -> verify( - afterRevalidation, getSignedData(data), publicKeys, policy, validationDate), + afterRevalidation, getSignedData(data), publicKeys), "Hard revocation invalidates key at all times"); } @@ -620,27 +612,26 @@ public class CertificateValidatorTest { PGPSignature keyIsValid = SignatureUtils.readSignatures(sigKeyIsValid).get(0); PGPSignature keyIsRevoked = SignatureUtils.readSignatures(sigKeyIsRevoked).get(0); PGPSignature keyIsRevalidated = SignatureUtils.readSignatures(sigKeyIsRevalidated).get(0); - Policy policy = PGPainless.getPolicy(); String data = "Hello, World"; // Sig not valid, as it predates the signing key creation time assertThrows(SignatureValidationException.class, () -> verify( - predatesPrimaryKey, getSignedData(data), publicKeys, policy, predatesPrimaryKey.getCreationTime()), + predatesPrimaryKey, getSignedData(data), publicKeys), "Signature predates primary key creation date"); // Sig valid assertDoesNotThrow(() -> verify( - keyIsValid, getSignedData(data), publicKeys, policy, keyIsValid.getCreationTime()), + keyIsValid, getSignedData(data), publicKeys), "Signature is valid"); // Sig not valid, as the signing key is revoked assertThrows(SignatureValidationException.class, () -> verify( - keyIsRevoked, getSignedData(data), publicKeys, policy, keyIsRevoked.getCreationTime()), + keyIsRevoked, getSignedData(data), publicKeys), "Signing key is revoked at this point"); // Sig valid, as the signing key is revalidated assertDoesNotThrow(() -> verify( - keyIsRevalidated, getSignedData(data), publicKeys, policy, keyIsRevalidated.getCreationTime()), + keyIsRevalidated, getSignedData(data), publicKeys), "Signature is valid, as signing key is revalidated"); } @@ -778,22 +769,20 @@ public class CertificateValidatorTest { PGPSignature keyRevoked = SignatureUtils.readSignatures(sigKeyRevoked).get(0); PGPSignature valid = SignatureUtils.readSignatures(sigKeyValid).get(0); - Policy policy = PGPainless.getPolicy(); String data = "Hello, World"; - Date validationDate = new Date(); assertThrows(SignatureValidationException.class, () -> verify( - predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), + predatesPrimaryKey, getSignedData(data), publicKeys), "Signature predates primary key creation date"); assertThrows(SignatureValidationException.class, () -> verify( - keyNotBound, getSignedData(data), publicKeys, policy, validationDate), + keyNotBound, getSignedData(data), publicKeys), "Signing key is not bound at this point"); assertThrows(SignatureValidationException.class, () -> verify( - keyRevoked, getSignedData(data), publicKeys, policy, validationDate), + keyRevoked, getSignedData(data), publicKeys), "Signing key is revoked at this point"); assertDoesNotThrow(() -> verify( - valid, getSignedData(data), publicKeys, policy, validationDate), + valid, getSignedData(data), publicKeys), "Signing key is revalidated"); } @@ -931,22 +920,20 @@ public class CertificateValidatorTest { PGPSignature revoked = SignatureUtils.readSignatures(sigRevoked).get(0); PGPSignature revalidated = SignatureUtils.readSignatures(sigReLegitimized).get(0); - Policy policy = PGPainless.getPolicy(); - Date validationDate = new Date(); String data = "Hello, World"; assertThrows(SignatureValidationException.class, () -> verify( - predatesPrimaryKey, getSignedData(data), publicKeys, policy, validationDate), + predatesPrimaryKey, getSignedData(data), publicKeys), "Signature predates primary key creation date"); assertDoesNotThrow(() -> verify( - valid, getSignedData(data), publicKeys, policy, validationDate), + valid, getSignedData(data), publicKeys), "Signature is valid"); assertThrows(SignatureValidationException.class, () -> verify( - revoked, getSignedData(data), publicKeys, policy, validationDate), + revoked, getSignedData(data), publicKeys), "Primary key is revoked"); assertDoesNotThrow(() -> verify( - revalidated, getSignedData(data), publicKeys, policy, validationDate), + revalidated, getSignedData(data), publicKeys), "Primary key is re-legitimized"); } @@ -1271,52 +1258,50 @@ public class CertificateValidatorTest { PGPSignature sigCT2_T3 = SignatureUtils.readSignatures(keyCSigT2_T3).get(0); PGPSignature sigCT3_now = SignatureUtils.readSignatures(keyCSigT3_now).get(0); - Policy policy = PGPainless.getPolicy(); - Date validationDate = new Date(); String data = "Hello World :)"; assertThrows(SignatureValidationException.class, () -> verify( - sigAT0, getSignedData(data), keysA, policy, validationDate), + sigAT0, getSignedData(data), keysA), "Signature predates key creation time"); assertDoesNotThrow(() -> verify( - sigAT1_T2, getSignedData(data), keysA, policy, validationDate), + sigAT1_T2, getSignedData(data), keysA), "Key valid"); assertThrows(SignatureValidationException.class, () -> verify( - sigAT2_T3, getSignedData(data), keysA, policy, validationDate), + sigAT2_T3, getSignedData(data), keysA), "Key is not valid, as subkey binding expired"); assertDoesNotThrow(() -> verify( - sigAT3_now, getSignedData(data), keysA, policy, validationDate), + sigAT3_now, getSignedData(data), keysA), "Key is valid again"); assertThrows(SignatureValidationException.class, () -> verify( - sigBT0, getSignedData(data), keysB, policy, validationDate), + sigBT0, getSignedData(data), keysB), "Signature predates key creation time"); assertDoesNotThrow(() -> verify( - sigBT1_T2, getSignedData(data), keysB, policy, validationDate), + sigBT1_T2, getSignedData(data), keysB), "Key is valid"); assertThrows(SignatureValidationException.class, () -> verify( - sigBT2_T3, getSignedData(data), keysB, policy, validationDate), + sigBT2_T3, getSignedData(data), keysB), "Primary key is not signing-capable"); assertDoesNotThrow(() -> verify( - sigBT3_now, getSignedData(data), keysB, policy, validationDate), + sigBT3_now, getSignedData(data), keysB), "Key is valid again"); assertThrows(SignatureValidationException.class, () -> verify( - sigCT0, getSignedData(data), keysC, policy, validationDate), + sigCT0, getSignedData(data), keysC), "Signature predates key creation time"); assertDoesNotThrow(() -> verify( - sigCT1_T2, getSignedData(data), keysC, policy, validationDate), + sigCT1_T2, getSignedData(data), keysC), "Key is valid"); assertThrows(SignatureValidationException.class, () -> verify( - sigCT2_T3, getSignedData(data), keysC, policy, validationDate), + sigCT2_T3, getSignedData(data), keysC), "Key is revoked"); assertDoesNotThrow(() -> verify( - sigCT3_now, getSignedData(data), keysC, policy, validationDate), + sigCT3_now, getSignedData(data), keysC), "Key is valid again"); } - private void verify(PGPSignature signature, InputStream dataIn, PGPPublicKeyRing cert, Policy policy, Date validationDate) throws PGPException, IOException { + private void verify(PGPSignature signature, InputStream dataIn, PGPPublicKeyRing cert) throws PGPException, IOException { PGPainless api = PGPainless.getInstance(); OpenPGPCertificate certificate = api.toCertificate(cert); diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index 6af80060..2c393901 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -28,6 +28,8 @@ class SOPImpl( private val sopv: SOPV = SOPVImpl(api) ) : SOP { + constructor(api: PGPainless) : this(api, SOPVImpl(api)) + override fun armor(): Armor = ArmorImpl(api) override fun changeKeyPassword(): ChangeKeyPassword = ChangeKeyPasswordImpl(api) diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java index 721c338d..a6096915 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java @@ -123,7 +123,8 @@ public class VerifyLegacySignatureTest { "=TtKx\n" + "-----END PGP MESSAGE-----"; - SOPImpl sop = new SOPImpl(); + PGPainless api = PGPainless.getInstance(); + SOPImpl sop = new SOPImpl(api); byte[] cert = sop.extractCert().key(KEY.getBytes(StandardCharsets.UTF_8)) .getBytes(); ByteArrayAndResult> result = sop.inlineVerify() @@ -134,12 +135,13 @@ public class VerifyLegacySignatureTest { assertFalse(result.getResult().isEmpty()); // Adjust data signature hash policy to accept new SHA-1 sigs - Policy policy = PGPainless.getPolicy(); + Policy policy = api.getAlgorithmPolicy(); Policy adjusted = policy.copy() .withDataSignatureHashAlgorithmPolicy( Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy() ).build(); - PGPainless.getInstance().setAlgorithmPolicy(adjusted); + api = new PGPainless(adjusted); + sop = new SOPImpl(api); // Sig generated in 2024 using SHA1 String newSig = "-----BEGIN PGP MESSAGE-----\n" + @@ -164,8 +166,5 @@ public class VerifyLegacySignatureTest { .toByteArrayAndResult(); assertFalse(result.getResult().isEmpty()); - - // Reset old policy - PGPainless.getInstance().setAlgorithmPolicy(policy); } } From 288375212c7048fb2c0656a21482ad9fb72770d2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Mar 2025 12:57:46 +0100 Subject: [PATCH 123/265] Introduce PGPainless.toKeyOrCertificate(PGPKeyRing) and constrain argument type of PGPainless.toCertificate(PGPPublicKeyRing) --- .../main/kotlin/org/pgpainless/PGPainless.kt | 32 +++++++++++-------- .../util/selection/userid/SelectUserId.kt | 2 +- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 4a0084d2..86642f22 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -91,8 +91,17 @@ class PGPainless( fun toKey(secretKeyRing: PGPSecretKeyRing): OpenPGPKey = OpenPGPKey(secretKeyRing, implementation) - fun toCertificate(keyOrCertificate: PGPKeyRing): OpenPGPCertificate = - OpenPGPCertificate(keyOrCertificate, implementation) + fun toCertificate(certificate: PGPPublicKeyRing): OpenPGPCertificate = + OpenPGPCertificate(certificate, implementation) + + fun toKeyOrCertificate(keyOrCertificate: PGPKeyRing): OpenPGPCertificate = + when (keyOrCertificate) { + is PGPSecretKeyRing -> toKey(keyOrCertificate) + is PGPPublicKeyRing -> toCertificate(keyOrCertificate) + else -> + throw IllegalArgumentException( + "Unexpected PGPKeyRing subclass: ${keyOrCertificate.javaClass.name}") + } fun mergeCertificate( originalCopy: OpenPGPCertificate, @@ -120,8 +129,8 @@ class PGPainless( instance ?: synchronized(this) { instance ?: PGPainless().also { instance = it } } @JvmStatic - fun setInstance(pgpainless: PGPainless) { - instance = pgpainless + fun setInstance(api: PGPainless) { + instance = api } /** @@ -145,10 +154,8 @@ class PGPainless( @JvmStatic @JvmOverloads @Deprecated("Call buildKey() on an instance of PGPainless instead.") - fun buildKeyRing( - version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, - api: PGPainless = getInstance() - ): KeyRingBuilder = KeyRingBuilder(version, api) + fun buildKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingBuilder = + getInstance().buildKey(version) /** * Read an existing OpenPGP key ring. @@ -262,9 +269,8 @@ class PGPainless( @JvmOverloads fun modifyKeyRing( secretKey: PGPSecretKeyRing, - referenceTime: Date = Date(), - api: PGPainless = getInstance() - ): SecretKeyRingEditor = SecretKeyRingEditor(secretKey, api, referenceTime) + referenceTime: Date = Date() + ): SecretKeyRingEditor = getInstance().modify(getInstance().toKey(secretKey), referenceTime) /** * Quickly access information about a [org.bouncycastle.openpgp.PGPPublicKeyRing] / @@ -281,7 +287,7 @@ class PGPainless( "Use inspect(key) on an instance of PGPainless instead.", replaceWith = ReplaceWith("inspect(key)")) fun inspectKeyRing(key: PGPKeyRing, referenceTime: Date = Date()): KeyRingInfo = - KeyRingInfo(key, referenceTime) + getInstance().inspect(getInstance().toKeyOrCertificate(key), referenceTime) @JvmStatic @JvmOverloads @@ -289,7 +295,7 @@ class PGPainless( "Use inspect(key) on an instance of PGPainless instead.", replaceWith = ReplaceWith("inspect(key)")) fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()): KeyRingInfo = - KeyRingInfo(key, getInstance(), referenceTime) + getInstance().inspect(key, referenceTime) /** * Access, and make changes to PGPainless policy on acceptable/default algorithms etc. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt index 00bc3984..41f9e8e0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/selection/userid/SelectUserId.kt @@ -83,7 +83,7 @@ abstract class SelectUserId : Predicate, (String) -> Boolean { @JvmStatic fun validUserId(keyRing: PGPKeyRing) = - validUserId(PGPainless.getInstance().toCertificate(keyRing)) + validUserId(PGPainless.getInstance().toKeyOrCertificate(keyRing)) @JvmStatic fun and(vararg filters: SelectUserId) = From d5151b804e5c4e00910e503c1ddeaa2d29c3b13d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Mar 2025 13:21:23 +0100 Subject: [PATCH 124/265] Port SigningTest --- .../encryption_signing/SigningOptions.kt | 1 + .../key/protection/SecretKeyRingProtector.kt | 8 ++ .../encryption_signing/SigningTest.java | 117 ++++++++---------- 3 files changed, 64 insertions(+), 62 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 0d518c96..f34e6dd1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -312,6 +312,7 @@ class SigningOptions(private val api: PGPainless) { signatureType: DocumentSignatureType ) = apply { addDetachedSignature(signingKeyProtector, signingKey, null, signatureType) } + @JvmOverloads fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: OpenPGPKey, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt index 23f455e7..5de7de48 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt @@ -13,6 +13,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.KeyPassphraseProvider import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider @@ -153,6 +154,13 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { fun unlockSingleKeyWith(passphrase: Passphrase, key: PGPSecretKey): SecretKeyRingProtector = PasswordBasedSecretKeyRingProtector.forKey(key, passphrase) + @JvmStatic + fun unlockSingleKeyWith( + passphrase: Passphrase, + key: OpenPGPSecretKey + ): SecretKeyRingProtector = + PasswordBasedSecretKeyRingProtector.forKey(key.pgpSecretKey, passphrase) + /** * Use the provided passphrase to lock/unlock only the provided (sub-)key. This protector * will only return a non-null encryptor/decryptor based on the provided passphrase if diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 6fb0192b..0f10f71d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -14,15 +14,10 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import java.util.Arrays; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; @@ -42,7 +37,6 @@ import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.util.MultiMap; import org.pgpainless.util.Passphrase; import org.pgpainless.util.TestAllImplementations; @@ -53,26 +47,27 @@ public class SigningTest { @ExtendWith(TestAllImplementations.class) public void testEncryptionAndSignatureVerification() throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); - PGPPublicKeyRing julietKeys = TestKeys.getJulietPublicKeyRing(); - PGPPublicKeyRing romeoKeys = TestKeys.getRomeoPublicKeyRing(); + OpenPGPCertificate julietCert = TestKeys.getJulietCertificate(); + OpenPGPCertificate romeoCert = TestKeys.getRomeoCertificate(); - PGPSecretKeyRing cryptieKeys = TestKeys.getCryptieSecretKeyRing(); - KeyRingInfo cryptieInfo = new KeyRingInfo(cryptieKeys); - PGPSecretKey cryptieSigningKey = cryptieKeys.getSecretKey(cryptieInfo.getSigningSubkeys().get(0).getKeyIdentifier()); - - PGPPublicKeyRingCollection keys = new PGPPublicKeyRingCollection(Arrays.asList(julietKeys, romeoKeys)); + OpenPGPKey cryptieKey = TestKeys.getCryptieKey(); + KeyRingInfo cryptieInfo = api.inspect(cryptieKey); + OpenPGPKey.OpenPGPSecretKey cryptieSigningKey = cryptieKey.getSecretKey(cryptieInfo.getSigningSubkeys().get(0).getKeyIdentifier()); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.signAndEncrypt( - EncryptionOptions.encryptDataAtRest() - .addRecipients(keys) - .addRecipient(KeyRingUtils.publicKeyRingFrom(cryptieKeys)), - SigningOptions.get().addInlineSignature( + EncryptionOptions.encryptDataAtRest(api) + .addRecipient(romeoCert) + .addRecipient(julietCert) + .addRecipient(cryptieKey.toCertificate()), + SigningOptions.get(api).addInlineSignature( SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, cryptieSigningKey), - cryptieKeys, TestKeys.CRYPTIE_UID, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) + cryptieKey, TestKeys.CRYPTIE_UID, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT), + api ).setAsciiArmor(true)); byte[] messageBytes = "This message is signed and encrypted to Romeo and Juliet." @@ -85,19 +80,16 @@ public class SigningTest { byte[] encrypted = out.toByteArray(); ByteArrayInputStream cryptIn = new ByteArrayInputStream(encrypted); - PGPSecretKeyRing romeoSecret = TestKeys.getRomeoSecretKeyRing(); - PGPSecretKeyRing julietSecret = TestKeys.getJulietSecretKeyRing(); - - PGPSecretKeyRingCollection secretKeys = new PGPSecretKeyRingCollection( - Arrays.asList(romeoSecret, julietSecret)); - PGPPublicKeyRingCollection verificationKeys = new PGPPublicKeyRingCollection( - Arrays.asList(KeyRingUtils.publicKeyRingFrom(cryptieKeys), romeoKeys)); + OpenPGPKey romeoKey = TestKeys.getRomeoKey(); + OpenPGPKey julietKey = TestKeys.getJulietKey(); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cryptIn) - .withOptions(ConsumerOptions.get() - .addDecryptionKeys(secretKeys, SecretKeyRingProtector.unprotectedKeys()) - .addVerificationCerts(verificationKeys) + .withOptions(ConsumerOptions.get(api) + .addDecryptionKey(romeoKey, SecretKeyRingProtector.unprotectedKeys()) + .addDecryptionKey(julietKey, SecretKeyRingProtector.unprotectedKeys()) + .addVerificationCert(cryptieKey.toCertificate()) + .addVerificationCert(romeoCert) ); ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream(); @@ -108,19 +100,19 @@ public class SigningTest { MessageMetadata metadata = decryptionStream.getMetadata(); assertTrue(metadata.isEncrypted()); assertTrue(metadata.isVerifiedSigned()); - assertTrue(metadata.isVerifiedSignedBy(KeyRingUtils.publicKeyRingFrom(cryptieKeys))); - assertFalse(metadata.isVerifiedSignedBy(julietKeys)); + assertTrue(metadata.isVerifiedSignedBy(cryptieKey)); + assertFalse(metadata.isVerifiedSignedBy(julietCert)); } @TestTemplate @ExtendWith(TestAllImplementations.class) public void testSignWithInvalidUserIdFails() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("alice", "password123") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); - SigningOptions opts = SigningOptions.get(); + SigningOptions opts = SigningOptions.get(api); // "bob" is not a valid user-id assertThrows(KeyException.UnboundUserIdException.class, () -> opts.addInlineSignature(protector, secretKeys, "bob", @@ -152,10 +144,11 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void signWithHashAlgorithmOverride() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - SigningOptions options = SigningOptions.get(); + SigningOptions options = SigningOptions.get(api); assertNull(options.getHashAlgorithmOverride()); options.overrideHashAlgorithm(HashAlgorithm.SHA224); @@ -164,9 +157,9 @@ public class SigningTest { options.addDetachedSignature(protector, secretKeys, DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; - EncryptionStream signer = PGPainless.encryptAndOrSign() + EncryptionStream signer = api.generateMessage() .onOutputStream(new ByteArrayOutputStream()) - .withOptions(ProducerOptions.sign(options)); + .withOptions(ProducerOptions.sign(options, api)); Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); signer.close(); @@ -185,21 +178,21 @@ public class SigningTest { @ExtendWith(TestAllImplementations.class) public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.buildKey() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms()) .addUserId("Alice") - .build() - .getPGPSecretKeyRing(); + .build(); - SigningOptions options = SigningOptions.get() + SigningOptions options = SigningOptions.get(api) .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; - EncryptionStream signer = PGPainless.encryptAndOrSign() + EncryptionStream signer = api.generateMessage() .onOutputStream(new ByteArrayOutputStream()) - .withOptions(ProducerOptions.sign(options)); + .withOptions(ProducerOptions.sign(options, api)); Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); signer.close(); @@ -208,7 +201,7 @@ public class SigningTest { SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); PGPSignature signature = sigs.get(signingKey).iterator().next(); - assertEquals(PGPainless.getPolicy().getDataSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), + assertEquals(api.getAlgorithmPolicy().getDataSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), signature.getHashAlgorithm()); } @@ -216,21 +209,21 @@ public class SigningTest { @ExtendWith(TestAllImplementations.class) public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.buildKey() .setPrimaryKey( KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms(HashAlgorithm.MD5)) .addUserId("Alice") - .build() - .getPGPSecretKeyRing(); + .build(); - SigningOptions options = SigningOptions.get() + SigningOptions options = SigningOptions.get(api) .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; - EncryptionStream signer = PGPainless.encryptAndOrSign() + EncryptionStream signer = api.generateMessage() .onOutputStream(new ByteArrayOutputStream()) - .withOptions(ProducerOptions.sign(options)); + .withOptions(ProducerOptions.sign(options, api)); Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); signer.close(); @@ -239,20 +232,20 @@ public class SigningTest { SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); PGPSignature signature = sigs.get(signingKey).iterator().next(); - assertEquals(PGPainless.getPolicy().getDataSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), + assertEquals(api.getAlgorithmPolicy().getDataSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), signature.getHashAlgorithm()); } @TestTemplate @ExtendWith(TestAllImplementations.class) public void signingWithNonCapableKeyThrowsKeyCannotSignException() { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") - .build() - .getPGPSecretKeyRing(); + .build(); - SigningOptions options = SigningOptions.get(); + SigningOptions options = SigningOptions.get(api); assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addDetachedSignature( SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addInlineSignature( @@ -262,14 +255,14 @@ public class SigningTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void signWithInvalidUserIdThrowsKeyValidationError() { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("Alice") - .build() - .getPGPSecretKeyRing(); + .build(); - SigningOptions options = SigningOptions.get(); + SigningOptions options = SigningOptions.get(api); assertThrows(KeyException.UnboundUserIdException.class, () -> options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", DocumentSignatureType.BINARY_DOCUMENT)); From 6a9fb3f6df283ce2ea31c17baf3c104097d79be8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 24 Mar 2025 13:44:55 +0100 Subject: [PATCH 125/265] Rework some more tests --- .../certification/CertifyCertificateTest.java | 44 +++++++------- ...upidAlgorithmPreferenceEncryptionTest.java | 16 +++--- .../signature/KeyRevocationTest.java | 26 ++++----- .../SignatureOverUserAttributesTest.java | 57 ++++++++++--------- 4 files changed, 75 insertions(+), 68 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java index 49c48c78..53c193cb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java @@ -32,18 +32,21 @@ import org.pgpainless.signature.subpackets.CertificationSubpackets; import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.DateUtil; +import javax.annotation.Nonnull; + public class CertifyCertificateTest { @Test public void testUserIdCertification() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - OpenPGPKey alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); + OpenPGPKey alice = api.generateKey().modernKeyRing("Alice "); String bobUserId = "Bob "; - OpenPGPKey bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId); + OpenPGPKey bob = api.generateKey().modernKeyRing(bobUserId); OpenPGPCertificate bobCertificate = bob.toCertificate(); - CertifyCertificate.CertificationResult result = PGPainless.certify() + CertifyCertificate.CertificationResult result = api.generateCertification() .userIdOnCertificate(bobUserId, bobCertificate) .withKey(alice, protector) .build(); @@ -51,11 +54,11 @@ public class CertifyCertificateTest { assertNotNull(result); PGPSignature signature = result.getPgpSignature(); assertNotNull(signature); - assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(signature.getSignatureType())); + assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.requireFromCode(signature.getSignatureType())); assertEquals(alice.getPrimaryKey().getPGPPublicKey().getKeyID(), signature.getKeyID()); assertTrue(SignatureVerifier.verifyUserIdCertification( - bobUserId, signature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), PGPainless.getPolicy(), DateUtil.now())); + bobUserId, signature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), api.getAlgorithmPolicy(), DateUtil.now())); OpenPGPCertificate bobCertified = result.getCertifiedCertificate(); PGPPublicKey bobCertifiedKey = bobCertified.getPrimaryKey().getPGPPublicKey(); @@ -71,13 +74,14 @@ public class CertifyCertificateTest { @Test public void testKeyDelegation() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - OpenPGPKey alice = PGPainless.generateKeyRing().modernKeyRing("Alice "); - OpenPGPKey bob = PGPainless.generateKeyRing().modernKeyRing("Bob "); + OpenPGPKey alice = api.generateKey().modernKeyRing("Alice "); + OpenPGPKey bob = api.generateKey().modernKeyRing("Bob "); OpenPGPCertificate bobCertificate = bob.toCertificate(); - CertifyCertificate.CertificationResult result = PGPainless.certify() + CertifyCertificate.CertificationResult result = api.generateCertification() .certificate(bobCertificate, Trustworthiness.fullyTrusted().introducer()) .withKey(alice, protector) .build(); @@ -86,7 +90,7 @@ public class CertifyCertificateTest { OpenPGPSignature signature = result.getCertification(); PGPSignature pgpSignature = signature.getSignature(); assertNotNull(signature); - assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(pgpSignature.getSignatureType())); + assertEquals(SignatureType.DIRECT_KEY, SignatureType.requireFromCode(pgpSignature.getSignatureType())); assertEquals(alice.getPrimaryKey().getPGPPublicKey().getKeyID(), pgpSignature.getKeyID()); TrustSignature trustSignaturePacket = pgpSignature.getHashedSubPackets().getTrust(); assertNotNull(trustSignaturePacket); @@ -96,7 +100,7 @@ public class CertifyCertificateTest { assertFalse(trustworthiness.canIntroduce(1)); assertTrue(SignatureVerifier.verifyDirectKeySignature( - pgpSignature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), PGPainless.getPolicy(), DateUtil.now())); + pgpSignature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), api.getAlgorithmPolicy(), DateUtil.now())); OpenPGPCertificate bobCertified = result.getCertifiedCertificate(); PGPPublicKey bobCertifiedKey = bobCertified.getPrimaryKey().getPGPPublicKey(); @@ -111,20 +115,21 @@ public class CertifyCertificateTest { @Test public void testPetNameCertification() { - OpenPGPKey aliceKey = PGPainless.generateKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey aliceKey = api.generateKey() .modernKeyRing("Alice "); - OpenPGPKey bobKey = PGPainless.generateKeyRing() + OpenPGPKey bobKey = api.generateKey() .modernKeyRing("Bob "); OpenPGPCertificate bobCert = bobKey.toCertificate(); String petName = "Bobby"; - CertifyCertificate.CertificationResult result = PGPainless.certify() + CertifyCertificate.CertificationResult result = api.generateCertification() .userIdOnCertificate(petName, bobCert) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .buildWithSubpackets(new CertificationSubpackets.Callback() { @Override - public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) { + public void modifyHashedSubpackets(@Nonnull CertificationSubpackets hashedSubpackets) { hashedSubpackets.setExportable(false); } }); @@ -135,25 +140,26 @@ public class CertifyCertificateTest { assertEquals(CertificationType.GENERIC.asSignatureType().getCode(), signature.getSignatureType()); OpenPGPCertificate certWithPetName = result.getCertifiedCertificate(); - KeyRingInfo info = PGPainless.inspectKeyRing(certWithPetName); + KeyRingInfo info = api.inspect(certWithPetName); assertTrue(info.getUserIds().contains(petName)); assertFalse(info.getValidUserIds().contains(petName)); } @Test public void testScopedDelegation() { - OpenPGPKey aliceKey = PGPainless.generateKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey aliceKey = api.generateKey() .modernKeyRing("Alice "); - OpenPGPKey caKey = PGPainless.generateKeyRing() + OpenPGPKey caKey = api.generateKey() .modernKeyRing("CA "); OpenPGPCertificate caCert = caKey.toCertificate(); - CertifyCertificate.CertificationResult result = PGPainless.certify() + CertifyCertificate.CertificationResult result = api.generateCertification() .certificate(caCert, Trustworthiness.fullyTrusted().introducer()) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .buildWithSubpackets(new CertificationSubpackets.Callback() { @Override - public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) { + public void modifyHashedSubpackets(@Nonnull CertificationSubpackets hashedSubpackets) { hashedSubpackets.setRegularExpression("^.*<.+@example.com>.*$"); } }); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java index 95071088..85d0c89d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java @@ -5,8 +5,8 @@ package org.pgpainless.key.generation; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; @@ -99,14 +99,16 @@ public class StupidAlgorithmPreferenceEncryptionTest { @Test public void testEncryptionIsNotUnencrypted() throws PGPException, IOException { - PGPSecretKeyRing stupidKey = PGPainless.readKeyRing().secretKeyRing(STUPID_KEY); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(stupidKey); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey stupidKey = api.readKey().parseKey(STUPID_KEY); + OpenPGPCertificate certificate = stupidKey.toCertificate(); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.encrypt( - EncryptionOptions.get().addRecipient(certificate) + EncryptionOptions.get(api).addRecipient(certificate), + api )); encryptionStream.write("Hello".getBytes(StandardCharsets.UTF_8)); @@ -114,7 +116,7 @@ public class StupidAlgorithmPreferenceEncryptionTest { EncryptionResult metadata = encryptionStream.getResult(); assertTrue(metadata.isEncryptedFor(certificate)); - assertEquals(PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy().getDefaultSymmetricKeyAlgorithm(), + assertEquals(api.getAlgorithmPolicy().getSymmetricKeyEncryptionAlgorithmPolicy().getDefaultSymmetricKeyAlgorithm(), metadata.getEncryptionAlgorithm()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 2a45b1c5..160fc1d6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -10,10 +10,8 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.util.Date; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.util.io.Streams; @@ -24,7 +22,6 @@ import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.policy.Policy; import org.pgpainless.util.TestAllImplementations; public class KeyRevocationTest { @@ -152,8 +149,9 @@ public class KeyRevocationTest { "u5SfXaTsbMeVQJNdjCNsHq2bOXPGLw==\n" + "=2BW4\n" + "-----END PGP ARMORED FILE-----\n"; + PGPainless api = PGPainless.getInstance(); - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); + OpenPGPCertificate publicKeys = api.readKey().parseCertificate(key); PGPSignature t0 = SignatureUtils.readSignatures(sigT0).get(0); PGPSignature t1t2 = SignatureUtils.readSignatures(sigT1T2).get(0); PGPSignature t2t3 = SignatureUtils.readSignatures(sigT2T3).get(0); @@ -161,16 +159,16 @@ public class KeyRevocationTest { assertThrows(SignatureValidationException.class, () -> verify(t0, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), - publicKeys, PGPainless.getPolicy(), new Date())); + publicKeys, api)); assertThrows(SignatureValidationException.class, () -> verify(t1t2, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), - publicKeys, PGPainless.getPolicy(), new Date())); + publicKeys, api)); assertThrows(SignatureValidationException.class, () -> verify(t2t3, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), - publicKeys, PGPainless.getPolicy(), new Date())); + publicKeys, api)); assertThrows(SignatureValidationException.class, () -> verify(t3now, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), - publicKeys, PGPainless.getPolicy(), new Date())); + publicKeys, api)); } /** @@ -258,19 +256,19 @@ public class KeyRevocationTest { "=MOaJ\n" + "-----END PGP ARMORED FILE-----\n"; - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); + PGPainless api = PGPainless.getInstance(); + + OpenPGPCertificate publicKeys = api.readKey().parseCertificate(key); PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); verify(signature, new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), - publicKeys, PGPainless.getPolicy(), new Date()); + publicKeys, api); } - private void verify(PGPSignature signature, InputStream dataIn, PGPPublicKeyRing cert, Policy policy, Date validationDate) throws PGPException, IOException { - PGPainless api = PGPainless.getInstance(); - OpenPGPCertificate certificate = api.toCertificate(cert); - + private void verify(PGPSignature signature, InputStream dataIn, OpenPGPCertificate certificate, PGPainless api) + throws PGPException, IOException { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(dataIn) .withOptions(ConsumerOptions.get(api) diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java index f598fecc..bf1ef550 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -11,15 +11,14 @@ import java.util.Date; import org.bouncycastle.bcpg.attr.ImageAttribute; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; @@ -33,8 +32,8 @@ import org.pgpainless.signature.consumer.SignatureVerifier; public class SignatureOverUserAttributesTest { private static final byte[] image = new byte[] {(byte) -1, (byte) -40, (byte) -1, (byte) -32, (byte) 0, (byte) 16, (byte) 74, (byte) 70, (byte) 73, (byte) 70, (byte) 0, (byte) 1, (byte) 1, (byte) 1, (byte) 1, (byte) 44, (byte) 1, (byte) 44, (byte) 0, (byte) 0, (byte) -1, (byte) -2, (byte) 0, (byte) 19, (byte) 67, (byte) 114, (byte) 101, (byte) 97, (byte) 116, (byte) 101, (byte) 100, (byte) 32, (byte) 119, (byte) 105, (byte) 116, (byte) 104, (byte) 32, (byte) 71, (byte) 73, (byte) 77, (byte) 80, (byte) -1, (byte) -30, (byte) 2, (byte) -80, (byte) 73, (byte) 67, (byte) 67, (byte) 95, (byte) 80, (byte) 82, (byte) 79, (byte) 70, (byte) 73, (byte) 76, (byte) 69, (byte) 0, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 2, (byte) -96, (byte) 108, (byte) 99, (byte) 109, (byte) 115, (byte) 4, (byte) 48, (byte) 0, (byte) 0, (byte) 109, (byte) 110, (byte) 116, (byte) 114, (byte) 82, (byte) 71, (byte) 66, (byte) 32, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 7, (byte) -27, (byte) 0, (byte) 10, (byte) 0, (byte) 4, (byte) 0, (byte) 12, (byte) 0, (byte) 27, (byte) 0, (byte) 19, (byte) 97, (byte) 99, (byte) 115, (byte) 112, (byte) 65, (byte) 80, (byte) 80, (byte) 76, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -10, (byte) -42, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -45, (byte) 45, (byte) 108, (byte) 99, (byte) 109, (byte) 115, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 13, (byte) 100, (byte) 101, (byte) 115, (byte) 99, (byte) 0, (byte) 0, (byte) 1, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 64, (byte) 99, (byte) 112, (byte) 114, (byte) 116, (byte) 0, (byte) 0, (byte) 1, (byte) 96, (byte) 0, (byte) 0, (byte) 0, (byte) 54, (byte) 119, (byte) 116, (byte) 112, (byte) 116, (byte) 0, (byte) 0, (byte) 1, (byte) -104, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 99, (byte) 104, (byte) 97, (byte) 100, (byte) 0, (byte) 0, (byte) 1, (byte) -84, (byte) 0, (byte) 0, (byte) 0, (byte) 44, (byte) 114, (byte) 88, (byte) 89, (byte) 90, (byte) 0, (byte) 0, (byte) 1, (byte) -40, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 98, (byte) 88, (byte) 89, (byte) 90, (byte) 0, (byte) 0, (byte) 1, (byte) -20, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 103, (byte) 88, (byte) 89, (byte) 90, (byte) 0, (byte) 0, (byte) 2, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 114, (byte) 84, (byte) 82, (byte) 67, (byte) 0, (byte) 0, (byte) 2, (byte) 20, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) 103, (byte) 84, (byte) 82, (byte) 67, (byte) 0, (byte) 0, (byte) 2, (byte) 20, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) 98, (byte) 84, (byte) 82, (byte) 67, (byte) 0, (byte) 0, (byte) 2, (byte) 20, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) 99, (byte) 104, (byte) 114, (byte) 109, (byte) 0, (byte) 0, (byte) 2, (byte) 52, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 100, (byte) 109, (byte) 110, (byte) 100, (byte) 0, (byte) 0, (byte) 2, (byte) 88, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 100, (byte) 109, (byte) 100, (byte) 100, (byte) 0, (byte) 0, (byte) 2, (byte) 124, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 71, (byte) 0, (byte) 73, (byte) 0, (byte) 77, (byte) 0, (byte) 80, (byte) 0, (byte) 32, (byte) 0, (byte) 98, (byte) 0, (byte) 117, (byte) 0, (byte) 105, (byte) 0, (byte) 108, (byte) 0, (byte) 116, (byte) 0, (byte) 45, (byte) 0, (byte) 105, (byte) 0, (byte) 110, (byte) 0, (byte) 32, (byte) 0, (byte) 115, (byte) 0, (byte) 82, (byte) 0, (byte) 71, (byte) 0, (byte) 66, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 26, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 80, (byte) 0, (byte) 117, (byte) 0, (byte) 98, (byte) 0, (byte) 108, (byte) 0, (byte) 105, (byte) 0, (byte) 99, (byte) 0, (byte) 32, (byte) 0, (byte) 68, (byte) 0, (byte) 111, (byte) 0, (byte) 109, (byte) 0, (byte) 97, (byte) 0, (byte) 105, (byte) 0, (byte) 110, (byte) 0, (byte) 0, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -10, (byte) -42, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -45, (byte) 45, (byte) 115, (byte) 102, (byte) 51, (byte) 50, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 12, (byte) 66, (byte) 0, (byte) 0, (byte) 5, (byte) -34, (byte) -1, (byte) -1, (byte) -13, (byte) 37, (byte) 0, (byte) 0, (byte) 7, (byte) -109, (byte) 0, (byte) 0, (byte) -3, (byte) -112, (byte) -1, (byte) -1, (byte) -5, (byte) -95, (byte) -1, (byte) -1, (byte) -3, (byte) -94, (byte) 0, (byte) 0, (byte) 3, (byte) -36, (byte) 0, (byte) 0, (byte) -64, (byte) 110, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 111, (byte) -96, (byte) 0, (byte) 0, (byte) 56, (byte) -11, (byte) 0, (byte) 0, (byte) 3, (byte) -112, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) -97, (byte) 0, (byte) 0, (byte) 15, (byte) -124, (byte) 0, (byte) 0, (byte) -74, (byte) -60, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 98, (byte) -105, (byte) 0, (byte) 0, (byte) -73, (byte) -121, (byte) 0, (byte) 0, (byte) 24, (byte) -39, (byte) 112, (byte) 97, (byte) 114, (byte) 97, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 0, (byte) 0, (byte) 0, (byte) 2, (byte) 102, (byte) 102, (byte) 0, (byte) 0, (byte) -14, (byte) -89, (byte) 0, (byte) 0, (byte) 13, (byte) 89, (byte) 0, (byte) 0, (byte) 19, (byte) -48, (byte) 0, (byte) 0, (byte) 10, (byte) 91, (byte) 99, (byte) 104, (byte) 114, (byte) 109, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -93, (byte) -41, (byte) 0, (byte) 0, (byte) 84, (byte) 124, (byte) 0, (byte) 0, (byte) 76, (byte) -51, (byte) 0, (byte) 0, (byte) -103, (byte) -102, (byte) 0, (byte) 0, (byte) 38, (byte) 103, (byte) 0, (byte) 0, (byte) 15, (byte) 92, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 8, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 71, (byte) 0, (byte) 73, (byte) 0, (byte) 77, (byte) 0, (byte) 80, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 8, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 115, (byte) 0, (byte) 82, (byte) 0, (byte) 71, (byte) 0, (byte) 66, (byte) -1, (byte) -37, (byte) 0, (byte) 67, (byte) 0, (byte) 16, (byte) 11, (byte) 12, (byte) 14, (byte) 12, (byte) 10, (byte) 16, (byte) 14, (byte) 13, (byte) 14, (byte) 18, (byte) 17, (byte) 16, (byte) 19, (byte) 24, (byte) 40, (byte) 26, (byte) 24, (byte) 22, (byte) 22, (byte) 24, (byte) 49, (byte) 35, (byte) 37, (byte) 29, (byte) 40, (byte) 58, (byte) 51, (byte) 61, (byte) 60, (byte) 57, (byte) 51, (byte) 56, (byte) 55, (byte) 64, (byte) 72, (byte) 92, (byte) 78, (byte) 64, (byte) 68, (byte) 87, (byte) 69, (byte) 55, (byte) 56, (byte) 80, (byte) 109, (byte) 81, (byte) 87, (byte) 95, (byte) 98, (byte) 103, (byte) 104, (byte) 103, (byte) 62, (byte) 77, (byte) 113, (byte) 121, (byte) 112, (byte) 100, (byte) 120, (byte) 92, (byte) 101, (byte) 103, (byte) 99, (byte) -1, (byte) -37, (byte) 0, (byte) 67, (byte) 1, (byte) 17, (byte) 18, (byte) 18, (byte) 24, (byte) 21, (byte) 24, (byte) 47, (byte) 26, (byte) 26, (byte) 47, (byte) 99, (byte) 66, (byte) 56, (byte) 66, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) -1, (byte) -62, (byte) 0, (byte) 17, (byte) 8, (byte) 0, (byte) 16, (byte) 0, (byte) 16, (byte) 3, (byte) 1, (byte) 17, (byte) 0, (byte) 2, (byte) 17, (byte) 1, (byte) 3, (byte) 17, (byte) 1, (byte) -1, (byte) -60, (byte) 0, (byte) 22, (byte) 0, (byte) 1, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 5, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -1, (byte) -38, (byte) 0, (byte) 12, (byte) 3, (byte) 1, (byte) 0, (byte) 2, (byte) 16, (byte) 3, (byte) 16, (byte) 0, (byte) 0, (byte) 1, (byte) -46, (byte) 4, (byte) -127, (byte) -1, (byte) -60, (byte) 0, (byte) 23, (byte) 16, (byte) 1, (byte) 1, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 1, (byte) 2, (byte) 18, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 1, (byte) 5, (byte) 2, (byte) 100, (byte) -99, (byte) -118, (byte) 78, (byte) -44, (byte) -18, (byte) -100, (byte) -114, (byte) -27, (byte) -1, (byte) 0, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 3, (byte) 1, (byte) 1, (byte) 63, (byte) 1, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 2, (byte) 1, (byte) 1, (byte) 63, (byte) 1, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 31, (byte) 16, (byte) 0, (byte) 1, (byte) 1, (byte) 9, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 2, (byte) 17, (byte) 18, (byte) 33, (byte) 49, (byte) 81, (byte) 113, (byte) -111, (byte) -47, (byte) 3, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 6, (byte) 63, (byte) 2, (byte) 30, (byte) 111, (byte) 55, (byte) 107, (byte) 8, (byte) -80, (byte) -13, (byte) 118, (byte) 112, (byte) -88, (byte) 97, (byte) 32, (byte) 79, (byte) 125, (byte) 84, (byte) 48, (byte) -128, (byte) 103, (byte) -82, (byte) 47, (byte) -1, (byte) -60, (byte) 0, (byte) 28, (byte) 16, (byte) 1, (byte) 0, (byte) 2, (byte) 1, (byte) 5, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 17, (byte) 33, (byte) 49, (byte) 65, (byte) 81, (byte) 113, (byte) -127, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 1, (byte) 63, (byte) 33, (byte) 50, (byte) -128, (byte) -43, (byte) 26, (byte) -84, (byte) -73, (byte) -18, (byte) 56, (byte) 104, (byte) 106, (byte) -83, (byte) -34, (byte) 27, (byte) -9, (byte) 26, (byte) 113, (byte) -125, (byte) -59, (byte) 65, (byte) 78, (byte) 112, (byte) 120, (byte) -88, (byte) -1, (byte) -38, (byte) 0, (byte) 12, (byte) 3, (byte) 1, (byte) 0, (byte) 2, (byte) 0, (byte) 3, (byte) 0, (byte) 0, (byte) 0, (byte) 16, (byte) 0, (byte) 15, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 3, (byte) 1, (byte) 1, (byte) 63, (byte) 16, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 2, (byte) 1, (byte) 1, (byte) 63, (byte) 16, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 25, (byte) 16, (byte) 1, (byte) 1, (byte) 0, (byte) 3, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 17, (byte) 0, (byte) 33, (byte) 49, (byte) 65, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 1, (byte) 63, (byte) 16, (byte) -107, (byte) 3, (byte) 101, (byte) -86, (byte) 14, (byte) -55, (byte) 65, (byte) -18, (byte) 74, (byte) -95, (byte) -78, (byte) -43, (byte) 15, (byte) 109, (byte) -119, (byte) -9, (byte) 27, (byte) -42, (byte) -76, (byte) -70, (byte) 80, (byte) 69, (byte) -91, (byte) -27, (byte) 115, (byte) -61, (byte) 27, (byte) -62, (byte) -108, (byte) -70, (byte) 20, (byte) 1, (byte) -95, (byte) -27, (byte) 115, (byte) -41, (byte) 63, (byte) -1, (byte) -39}; - private static PGPUserAttributeSubpacketVector attribute; - private static PGPUserAttributeSubpacketVector invalidAttribute; + private static final PGPUserAttributeSubpacketVector attribute; + private static final PGPUserAttributeSubpacketVector invalidAttribute; static { PGPUserAttributeSubpacketVectorGenerator attrGen = new PGPUserAttributeSubpacketVectorGenerator(); @@ -52,42 +51,44 @@ public class SignatureOverUserAttributesTest { @Test public void createAndVerifyUserAttributeCertification() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - PGPSecretKey secretKey = secretKeys.getSecretKey(); - PGPPublicKey publicKey = secretKey.getPublicKey(); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + OpenPGPKey.OpenPGPSecretKey secretKey = secretKeys.getPrimarySecretKey(); + OpenPGPCertificate.OpenPGPComponentKey publicKey = secretKey.getPublicKey(); + OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); PGPSignatureGenerator generator = new PGPSignatureGenerator( OpenPGPImplementation.getInstance() .pgpContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()), - secretKey.getPublicKey()); - generator.init(SignatureType.CASUAL_CERTIFICATION.getCode(), privateKey); + secretKey.getPublicKey().getPGPPublicKey()); + generator.init(SignatureType.CASUAL_CERTIFICATION.getCode(), privateKey.getKeyPair().getPrivateKey()); - PGPSignature signature = generator.generateCertification(attribute, publicKey); - publicKey = PGPPublicKey.addCertification(publicKey, attribute, signature); - SignatureVerifier.verifyUserAttributesCertification(attribute, signature, publicKey, PGPainless.getPolicy(), new Date()); + PGPSignature signature = generator.generateCertification(attribute, publicKey.getPGPPublicKey()); + PGPPublicKey pgpPublicKey = PGPPublicKey.addCertification(publicKey.getPGPPublicKey(), attribute, signature); + SignatureVerifier.verifyUserAttributesCertification(attribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date()); - PGPPublicKey finalPublicKey = publicKey; - assertThrows(SignatureValidationException.class, () -> SignatureVerifier.verifyUserAttributesCertification(invalidAttribute, signature, finalPublicKey, PGPainless.getPolicy(), new Date())); + assertThrows(SignatureValidationException.class, () -> SignatureVerifier.verifyUserAttributesCertification(invalidAttribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date())); } @Test public void createAndVerifyUserAttributeRevocation() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); - PGPSecretKey secretKey = secretKeys.getSecretKey(); - PGPPublicKey publicKey = secretKey.getPublicKey(); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = TestKeys.getEmilKey(); + OpenPGPKey.OpenPGPSecretKey secretKey = secretKeys.getPrimarySecretKey(); + OpenPGPCertificate.OpenPGPComponentKey publicKey = secretKey.getPublicKey(); + OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); PGPSignatureGenerator generator = new PGPSignatureGenerator( - OpenPGPImplementation.getInstance() + api.getImplementation() .pgpContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()), - secretKey.getPublicKey()); - generator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey); + publicKey.getPGPPublicKey()); + generator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey.getKeyPair().getPrivateKey()); - PGPSignature signature = generator.generateCertification(attribute, publicKey); - publicKey = PGPPublicKey.addCertification(publicKey, attribute, signature); - SignatureVerifier.verifyUserAttributesRevocation(attribute, signature, publicKey, PGPainless.getPolicy(), new Date()); - PGPPublicKey finalPublicKey = publicKey; - assertThrows(SignatureValidationException.class, () -> SignatureVerifier.verifyUserAttributesCertification(invalidAttribute, signature, finalPublicKey, PGPainless.getPolicy(), new Date())); + PGPSignature signature = generator.generateCertification(attribute, publicKey.getPGPPublicKey()); + PGPPublicKey pgpPublicKey = PGPPublicKey.addCertification(publicKey.getPGPPublicKey(), attribute, signature); + SignatureVerifier.verifyUserAttributesRevocation(attribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date()); + assertThrows(SignatureValidationException.class, () -> + SignatureVerifier.verifyUserAttributesCertification( + invalidAttribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date())); } } From 970e974556f4e45dfc90c0dc2cc18623f1713d7d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 25 Mar 2025 13:03:52 +0100 Subject: [PATCH 126/265] Remove unused KeyRingSelectionStrategy implementations --- .../org/pgpainless/util/package-info.java | 8 -- .../keyring/KeyRingSelectionStrategy.java | 49 ---------- .../PublicKeyRingSelectionStrategy.java | 44 --------- .../SecretKeyRingSelectionStrategy.java | 43 --------- .../selection/keyring/impl/ExactUserId.java | 56 ----------- .../selection/keyring/impl/Whitelist.java | 92 ------------------- .../util/selection/keyring/impl/Wildcard.java | 36 -------- .../util/selection/keyring/impl/XMPP.java | 53 ----------- .../selection/keyring/impl/package-info.java | 8 -- .../util/selection/keyring/package-info.java | 8 -- .../keyring/KeyRingsFromCollectionTest.java | 88 ------------------ ...WhitelistKeyRingSelectionStrategyTest.java | 52 ----------- .../WildcardKeyRingSelectionStrategyTest.java | 57 ------------ .../XmppKeyRingSelectionStrategyTest.java | 72 --------------- 14 files changed, 666 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/package-info.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java deleted file mode 100644 index 6c525229..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Utility classes. - */ -package org.pgpainless.util; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java deleted file mode 100644 index 26180214..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java +++ /dev/null @@ -1,49 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import java.util.Set; - -import org.pgpainless.util.MultiMap; - -/** - * Filter for selecting public / secret key rings based on identifiers (e.g. user-ids). - * - * @param Type of {@link org.bouncycastle.openpgp.PGPKeyRing} ({@link org.bouncycastle.openpgp.PGPSecretKeyRing} - * or {@link org.bouncycastle.openpgp.PGPPublicKeyRing}). - * @param Type of key ring collection (e.g. {@link org.bouncycastle.openpgp.PGPSecretKeyRingCollection} - * or {@link org.bouncycastle.openpgp.PGPPublicKeyRingCollection}). - * @param Type of key identifier - */ -public interface KeyRingSelectionStrategy { - - /** - * Return true, if the filter accepts the given 

keyRing
based on the given 
identifier
. - * - * @param identifier identifier - * @param keyRing key ring - * @return acceptance - */ - boolean accept(O identifier, R keyRing); - - /** - * Iterate of the given 
keyRingCollection
and return a {@link Set} of all acceptable - * keyRings in the collection, based on the given 
identifier
. - * - * @param identifier identifier - * @param keyRingCollection collection - * @return set of acceptable key rings - */ - Set selectKeyRingsFromCollection(O identifier, C keyRingCollection); - - /** - * Iterate over all keyRings in the given {@link MultiMap} of keyRingCollections and return a new {@link MultiMap} - * which for every identifier (key of the map) contains all acceptable keyRings based on that identifier. - * - * @param keyRingCollections MultiMap of identifiers and keyRingCollections. - * @return MultiMap of identifiers and acceptable keyRings. - */ - MultiMap selectKeyRingsFromCollections(MultiMap keyRingCollections); -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java deleted file mode 100644 index 7dbf7c93..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java +++ /dev/null @@ -1,44 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import javax.annotation.Nonnull; -import java.util.HashSet; -import java.util.Iterator; -import java.util.Map; -import java.util.Set; - -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; -import org.pgpainless.util.MultiMap; - -/** - * Abstract {@link KeyRingSelectionStrategy} for {@link PGPPublicKeyRing PGPPublicKeyRings}. - * - * @param Type of identifier - */ -public abstract class PublicKeyRingSelectionStrategy implements KeyRingSelectionStrategy { - - @Override - public Set selectKeyRingsFromCollection(@Nonnull O identifier, @Nonnull PGPPublicKeyRingCollection keyRingCollection) { - Set accepted = new HashSet<>(); - for (Iterator i = keyRingCollection.getKeyRings(); i.hasNext(); ) { - PGPPublicKeyRing ring = i.next(); - if (accept(identifier, ring)) accepted.add(ring); - } - return accepted; - } - - @Override - public MultiMap selectKeyRingsFromCollections(@Nonnull MultiMap keyRingCollections) { - MultiMap keyRings = new MultiMap<>(); - for (Map.Entry> entry : keyRingCollections.entrySet()) { - for (PGPPublicKeyRingCollection collection : entry.getValue()) { - keyRings.plus(entry.getKey(), selectKeyRingsFromCollection(entry.getKey(), collection)); - } - } - return keyRings; - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java deleted file mode 100644 index 9e57b575..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java +++ /dev/null @@ -1,43 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import java.util.HashSet; -import java.util.Iterator; -import java.util.Map; -import java.util.Set; -import javax.annotation.Nonnull; - -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; -import org.pgpainless.util.MultiMap; - -/** - * Abstract {@link KeyRingSelectionStrategy} for {@link PGPSecretKeyRing PGPSecretKeyRings}. - * - * @param Type of identifier - */ -public abstract class SecretKeyRingSelectionStrategy implements KeyRingSelectionStrategy { - @Override - public Set selectKeyRingsFromCollection(O identifier, @Nonnull PGPSecretKeyRingCollection keyRingCollection) { - Set accepted = new HashSet<>(); - for (Iterator i = keyRingCollection.getKeyRings(); i.hasNext(); ) { - PGPSecretKeyRing ring = i.next(); - if (accept(identifier, ring)) accepted.add(ring); - } - return accepted; - } - - @Override - public MultiMap selectKeyRingsFromCollections(@Nonnull MultiMap keyRingCollections) { - MultiMap keyRings = new MultiMap<>(); - for (Map.Entry> entry : keyRingCollections.entrySet()) { - for (PGPSecretKeyRingCollection collection : entry.getValue()) { - keyRings.plus(entry.getKey(), selectKeyRingsFromCollection(entry.getKey(), collection)); - } - } - return keyRings; - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java deleted file mode 100644 index ffda8867..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java +++ /dev/null @@ -1,56 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring.impl; - -import java.util.List; - -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.pgpainless.key.util.KeyRingUtils; -import org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy; -import org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy; - -/** - * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which select key rings - * based on the exact user-id. - */ -public final class ExactUserId { - - private ExactUserId() { - - } - - /** - * {@link PublicKeyRingSelectionStrategy} which accepts {@link PGPPublicKeyRing PGPPublicKeyRings} if those - * have a user-id which exactly matches the given 
identifier
. - */ - public static class PubRingSelectionStrategy extends PublicKeyRingSelectionStrategy { - - @Override - public boolean accept(String identifier, PGPPublicKeyRing keyRing) { - List userIds = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(keyRing.getPublicKey()); - for (String userId : userIds) { - if (userId.equals(identifier)) return true; - } - return false; - } - } - - /** - * {@link SecretKeyRingSelectionStrategy} which accepts {@link PGPSecretKeyRing PGPSecretKeyRings} if those - * have a user-id which exactly matches the given 
identifier
. - */ - public static class SecRingSelectionStrategy extends SecretKeyRingSelectionStrategy { - - @Override - public boolean accept(String identifier, PGPSecretKeyRing keyRing) { - List userIds = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(keyRing.getPublicKey()); - for (String userId : userIds) { - if (userId.equals(identifier)) return true; - } - return false; - } - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java deleted file mode 100644 index 934f5577..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java +++ /dev/null @@ -1,92 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring.impl; - -import java.util.Map; -import java.util.Set; - -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy; -import org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy; -import org.pgpainless.util.MultiMap; - -/** - * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accept PGP KeyRings - * based on a whitelist of acceptable keyIds. - */ -public final class Whitelist { - - private Whitelist() { - - } - - /** - * {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accepts - * {@link PGPPublicKeyRing PGPPublicKeyRings} if the 
whitelist
contains their primary key id. - * - * If the whitelist contains 123L for "alice@pgpainless.org", the key with primary key id 123L is - * acceptable for "alice@pgpainless.org". - * - * @param Type of identifier for {@link org.bouncycastle.openpgp.PGPPublicKeyRingCollection PGPPublicKeyRingCollections}. - */ - public static class PubRingSelectionStrategy extends PublicKeyRingSelectionStrategy { - - private final MultiMap whitelist; - - public PubRingSelectionStrategy(MultiMap whitelist) { - this.whitelist = whitelist; - } - - public PubRingSelectionStrategy(Map> whitelist) { - this(new MultiMap<>(whitelist)); - } - - @Override - public boolean accept(O identifier, PGPPublicKeyRing keyRing) { - Set whitelistedKeyIds = whitelist.get(identifier); - - if (whitelistedKeyIds == null) { - return false; - } - - return whitelistedKeyIds.contains(keyRing.getPublicKey().getKeyID()); - } - } - - /** - * {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accepts - * {@link PGPSecretKeyRing PGPSecretKeyRings} if the 
whitelist
contains their primary key id. - * - * If the whitelist contains 123L for "alice@pgpainless.org", the key with primary key id 123L is - * acceptable for "alice@pgpainless.org". - * - * @param Type of identifier for {@link org.bouncycastle.openpgp.PGPSecretKeyRingCollection PGPSecretKeyRingCollections}. - */ - public static class SecRingSelectionStrategy extends SecretKeyRingSelectionStrategy { - - private final MultiMap whitelist; - - public SecRingSelectionStrategy(MultiMap whitelist) { - this.whitelist = whitelist; - } - - public SecRingSelectionStrategy(Map> whitelist) { - this(new MultiMap<>(whitelist)); - } - - @Override - public boolean accept(O identifier, PGPSecretKeyRing keyRing) { - Set whitelistedKeyIds = whitelist.get(identifier); - - if (whitelistedKeyIds == null) { - return false; - } - - return whitelistedKeyIds.contains(keyRing.getPublicKey().getKeyID()); - } - - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java deleted file mode 100644 index d1929028..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java +++ /dev/null @@ -1,36 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring.impl; - -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy; -import org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy; - -/** - * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accept all keyRings. - */ -public final class Wildcard { - - private Wildcard() { - - } - - public static class PubRingSelectionStrategy extends PublicKeyRingSelectionStrategy { - - @Override - public boolean accept(O identifier, PGPPublicKeyRing keyRing) { - return true; - } - } - - public static class SecRingSelectionStrategy extends SecretKeyRingSelectionStrategy { - - @Override - public boolean accept(O identifier, PGPSecretKeyRing keyRing) { - return true; - } - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java deleted file mode 100644 index edc38006..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java +++ /dev/null @@ -1,53 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring.impl; - -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; - -/** - * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accept KeyRings - * containing a given XMPP address of the format "xmpp:alice@pgpainless.org". - */ -public final class XMPP { - - private XMPP() { - - } - - /** - * {@link org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy} which accepts a given - * {@link PGPPublicKeyRing} if its primary key has a user-id that matches the given 
jid
. - * - * The argument 
jid
can either contain the prefix "xmpp:", or not, the result will be the same. - */ - public static class PubRingSelectionStrategy extends ExactUserId.PubRingSelectionStrategy { - - @Override - public boolean accept(String jid, PGPPublicKeyRing keyRing) { - if (!jid.matches("^xmpp:.+$")) { - jid = "xmpp:" + jid; - } - return super.accept(jid, keyRing); - } - } - - /** - * {@link org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy} which accepts a given - * {@link PGPSecretKeyRing} if its primary key has a user-id that matches the given 
jid
. - * - * The argument 
jid
can either contain the prefix "xmpp:", or not, the result will be the same. - */ - public static class SecRingSelectionStrategy extends ExactUserId.SecRingSelectionStrategy { - - @Override - public boolean accept(String jid, PGPSecretKeyRing keyRing) { - if (!jid.matches("^xmpp:.+$")) { - jid = "xmpp:" + jid; - } - return super.accept(jid, keyRing); - } - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java deleted file mode 100644 index 9b4bf1a4..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Implementations of Key Ring Selection Strategies. - */ -package org.pgpainless.util.selection.keyring.impl; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java deleted file mode 100644 index 3c93ce47..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Different Key Ring Selection Strategies. - */ -package org.pgpainless.util.selection.keyring; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java deleted file mode 100644 index c7f6d722..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java +++ /dev/null @@ -1,88 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import java.io.IOException; -import java.util.Arrays; -import java.util.Collections; -import java.util.Set; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; -import org.junit.jupiter.api.Test; -import org.pgpainless.key.TestKeys; -import org.pgpainless.util.MultiMap; -import org.pgpainless.util.selection.keyring.impl.ExactUserId; - -public class KeyRingsFromCollectionTest { - - @Test - public void selectSecretKeyRingFromSecretKeyRingCollectionTest() throws IOException, PGPException { - PGPSecretKeyRing emil = TestKeys.getEmilSecretKeyRing(); - PGPSecretKeyRing juliet = TestKeys.getJulietSecretKeyRing(); - PGPSecretKeyRingCollection collection = new PGPSecretKeyRingCollection(Arrays.asList(emil, juliet)); - - SecretKeyRingSelectionStrategy strategy = new ExactUserId.SecRingSelectionStrategy(); - Set secretKeyRings = strategy.selectKeyRingsFromCollection(TestKeys.JULIET_UID, collection); - assertEquals(1, secretKeyRings.size()); - assertEquals(juliet.getPublicKey().getKeyID(), secretKeyRings.iterator().next().getPublicKey().getKeyID()); - } - - @Test - public void selectSecretKeyRingMapFromSecretKeyRingCollectionMapTest() throws IOException, PGPException { - PGPSecretKeyRing emil = TestKeys.getEmilSecretKeyRing(); - PGPSecretKeyRing juliet = TestKeys.getJulietSecretKeyRing(); - MultiMap map = new MultiMap<>(); - PGPSecretKeyRingCollection julietCollection = new PGPSecretKeyRingCollection(Arrays.asList(emil, juliet)); - map.put(TestKeys.JULIET_UID, julietCollection); - PGPSecretKeyRingCollection emilCollection = new PGPSecretKeyRingCollection(Collections.singletonList(emil)); - map.put(TestKeys.EMIL_UID, emilCollection); - assertEquals(2, julietCollection.size()); - map.put("invalidId", emilCollection); - - SecretKeyRingSelectionStrategy strategy = new ExactUserId.SecRingSelectionStrategy(); - MultiMap selected = strategy.selectKeyRingsFromCollections(map); - assertEquals(1, selected.get(TestKeys.JULIET_UID).size()); - assertEquals(1, selected.get(TestKeys.EMIL_UID).size()); - assertTrue(selected.get("invalidId").isEmpty()); - } - - @Test - public void selectPublicKeyRingFromPublicKeyRingCollectionTest() throws IOException { - PGPPublicKeyRing emil = TestKeys.getEmilPublicKeyRing(); - PGPPublicKeyRing juliet = TestKeys.getJulietPublicKeyRing(); - PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(Arrays.asList(emil, juliet)); - - PublicKeyRingSelectionStrategy strategy = new ExactUserId.PubRingSelectionStrategy(); - Set publicKeyRings = strategy.selectKeyRingsFromCollection(TestKeys.JULIET_UID, collection); - assertEquals(1, publicKeyRings.size()); - assertEquals(juliet.getPublicKey().getKeyID(), publicKeyRings.iterator().next().getPublicKey().getKeyID()); - } - - @Test - public void selectPublicKeyRingMapFromPublicKeyRingCollectionMapTest() throws IOException { - PGPPublicKeyRing emil = TestKeys.getEmilPublicKeyRing(); - PGPPublicKeyRing juliet = TestKeys.getJulietPublicKeyRing(); - MultiMap map = new MultiMap<>(); - PGPPublicKeyRingCollection julietCollection = new PGPPublicKeyRingCollection(Arrays.asList(emil, juliet)); - map.plus(TestKeys.JULIET_UID, julietCollection); - PGPPublicKeyRingCollection emilCollection = new PGPPublicKeyRingCollection(Collections.singletonList(emil)); - map.plus(TestKeys.EMIL_UID, emilCollection); - assertEquals(2, julietCollection.size()); - map.plus("invalidId", emilCollection); - - PublicKeyRingSelectionStrategy strategy = new ExactUserId.PubRingSelectionStrategy(); - MultiMap selected = strategy.selectKeyRingsFromCollections(map); - assertEquals(1, selected.get(TestKeys.JULIET_UID).size()); - assertEquals(1, selected.get(TestKeys.EMIL_UID).size()); - assertTrue(selected.get("invalidId").isEmpty()); - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java deleted file mode 100644 index 43c19a6c..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java +++ /dev/null @@ -1,52 +0,0 @@ -// SPDX-FileCopyrightText: 2020 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import java.io.IOException; -import java.util.Collections; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.ConcurrentHashMap; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.api.Test; -import org.pgpainless.key.TestKeys; -import org.pgpainless.util.selection.keyring.impl.Whitelist; - -public class WhitelistKeyRingSelectionStrategyTest { - - @Test - public void testWithPublicKeys() throws IOException { - Map> ids = new ConcurrentHashMap<>(); - ids.put(TestKeys.JULIET_UID, Collections.singleton(TestKeys.JULIET_KEY_ID)); - Whitelist.PubRingSelectionStrategy selectionStrategy = new Whitelist.PubRingSelectionStrategy<>(ids); - - PGPPublicKeyRing julietsKeys = TestKeys.getJulietPublicKeyRing(); - PGPPublicKeyRing romeosKeys = TestKeys.getRomeoPublicKeyRing(); - - assertTrue(selectionStrategy.accept(TestKeys.JULIET_UID, julietsKeys)); - assertFalse(selectionStrategy.accept(TestKeys.JULIET_UID, romeosKeys)); - assertFalse(selectionStrategy.accept(TestKeys.ROMEO_UID, julietsKeys)); - } - - @Test - public void testWithSecretKeys() throws IOException, PGPException { - Map> ids = new ConcurrentHashMap<>(); - ids.put(TestKeys.JULIET_UID, Collections.singleton(TestKeys.JULIET_KEY_ID)); - Whitelist.SecRingSelectionStrategy selectionStrategy = new Whitelist.SecRingSelectionStrategy<>(ids); - - PGPSecretKeyRing julietsKeys = TestKeys.getJulietSecretKeyRing(); - PGPSecretKeyRing romeosKeys = TestKeys.getRomeoSecretKeyRing(); - - assertTrue(selectionStrategy.accept(TestKeys.JULIET_UID, julietsKeys)); - assertFalse(selectionStrategy.accept(TestKeys.JULIET_UID, romeosKeys)); - assertFalse(selectionStrategy.accept(TestKeys.ROMEO_UID, julietsKeys)); - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java deleted file mode 100644 index 10907eca..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java +++ /dev/null @@ -1,57 +0,0 @@ -// SPDX-FileCopyrightText: 2020 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import static org.junit.jupiter.api.Assertions.assertTrue; - -import java.io.IOException; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.api.Test; -import org.pgpainless.key.TestKeys; -import org.pgpainless.util.selection.keyring.impl.Wildcard; - -public class WildcardKeyRingSelectionStrategyTest { - - - private static final Wildcard.PubRingSelectionStrategy pubKeySelectionStrategy - = new Wildcard.PubRingSelectionStrategy<>(); - private static final Wildcard.SecRingSelectionStrategy secKeySelectionStrategy - = new Wildcard.SecRingSelectionStrategy<>(); - - @Test - public void testStratAcceptsMatchingUIDsOnPubKey() throws IOException { - String uid = TestKeys.EMIL_UID; - PGPPublicKeyRing key = TestKeys.getEmilPublicKeyRing(); - - assertTrue(pubKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testStratAcceptsMismatchingUIDsOnPubKey() throws IOException { - String uid = "blabla@bla.bla"; - PGPPublicKeyRing key = TestKeys.getEmilPublicKeyRing(); - - assertTrue(pubKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testStratAcceptsMatchingUIDsOnSecKey() throws IOException, PGPException { - String uid = TestKeys.EMIL_UID; - PGPSecretKeyRing key = TestKeys.getEmilSecretKeyRing(); - - assertTrue(secKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testStratAcceptsMismatchingUIDsOnSecKey() throws IOException, PGPException { - String uid = "blabla@bla.bla"; - PGPSecretKeyRing key = TestKeys.getEmilSecretKeyRing(); - - assertTrue(secKeySelectionStrategy.accept(uid, key)); - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java deleted file mode 100644 index 2b5f8ebb..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java +++ /dev/null @@ -1,72 +0,0 @@ -// SPDX-FileCopyrightText: 2020 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util.selection.keyring; - -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import java.io.IOException; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.api.Test; -import org.pgpainless.key.TestKeys; -import org.pgpainless.util.selection.keyring.impl.XMPP; - -public class XmppKeyRingSelectionStrategyTest { - - private static final XMPP.PubRingSelectionStrategy pubKeySelectionStrategy = - new XMPP.PubRingSelectionStrategy(); - private static final XMPP.SecRingSelectionStrategy secKeySelectionStrategy = - new XMPP.SecRingSelectionStrategy(); - - @Test - public void testMatchingXmppUIDAcceptedOnPubKey() throws IOException { - String uid = "xmpp:juliet@capulet.lit"; - PGPPublicKeyRing key = TestKeys.getJulietPublicKeyRing(); - - assertTrue(pubKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testAddressIsFormattedToMatchOnPubKey() throws IOException { - String uid = "juliet@capulet.lit"; - PGPPublicKeyRing key = TestKeys.getJulietPublicKeyRing(); - - assertTrue(pubKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testPubKeyWithDifferentUIDIsRejected() throws IOException { - String wrongUid = "romeo@montague.lit"; - PGPPublicKeyRing key = TestKeys.getJulietPublicKeyRing(); - assertFalse(pubKeySelectionStrategy.accept(wrongUid, key)); - } - - @Test - public void testMatchingEmailUIDAcceptedOnSecKey() throws IOException, PGPException { - String uid = "xmpp:juliet@capulet.lit"; - PGPSecretKeyRing key = TestKeys.getJulietSecretKeyRing(); - - assertTrue(secKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testAddressIsFormattedToMatchOnSecKey() throws IOException, PGPException { - String uid = "juliet@capulet.lit"; - PGPSecretKeyRing key = TestKeys.getJulietSecretKeyRing(); - - assertTrue(secKeySelectionStrategy.accept(uid, key)); - } - - @Test - public void testSecKeyWithDifferentUIDIsRejected() throws IOException, PGPException { - String wrongUid = "romeo@montague.lit"; - - PGPSecretKeyRing key = TestKeys.getJulietSecretKeyRing(); - assertFalse(secKeySelectionStrategy.accept(wrongUid, key)); - } -} From 529d3445475dd37181bbfefb6ce426d7479e610d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 25 Mar 2025 13:16:32 +0100 Subject: [PATCH 127/265] Remove Tuple class --- .../OpenPgpMessageInputStreamTest.java | 99 ++++++++++--------- .../test/java/org/pgpainless/util/Tuple.java | 32 ------ 2 files changed, 54 insertions(+), 77 deletions(-) delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/Tuple.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java index 20008a85..b1bcee89 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java @@ -49,7 +49,6 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.ArmoredInputStreamFactory; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.Tuple; public class OpenPgpMessageInputStreamTest { @@ -313,7 +312,17 @@ public class OpenPgpMessageInputStreamTest { } interface Processor { - Tuple process(String armoredMessage, ConsumerOptions options) throws PGPException, IOException; + Result process(String armoredMessage, ConsumerOptions options) throws PGPException, IOException; + } + + static class Result { + private final String plaintext; + private final MessageMetadata metadata; + + Result(String plaintext, MessageMetadata metadata) { + this.plaintext = plaintext; + this.metadata = metadata; + } } private static Stream provideMessageProcessors() { @@ -325,12 +334,12 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process LIT using {0}") @MethodSource("provideMessageProcessors") - public void testProcessLIT(Processor processor) throws IOException, PGPException { - Tuple result = processor.process(LIT, ConsumerOptions.get()); - String plain = result.getA(); + void testProcessLIT(Processor processor) throws IOException, PGPException { + Result result = processor.process(LIT, ConsumerOptions.get()); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertNull(metadata.getCompressionAlgorithm()); assertNull(metadata.getEncryptionAlgorithm()); assertEquals("", metadata.getFilename()); @@ -342,19 +351,19 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process LIT LIT using {0}") @MethodSource("provideMessageProcessors") - public void testProcessLIT_LIT_fails(Processor processor) { + void testProcessLIT_LIT_fails(Processor processor) { assertThrows(MalformedOpenPgpMessageException.class, () -> processor.process(LIT_LIT, ConsumerOptions.get())); } @ParameterizedTest(name = "Process COMP(LIT) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessCOMP_LIT(Processor processor) + void testProcessCOMP_LIT(Processor processor) throws PGPException, IOException { - Tuple result = processor.process(COMP_LIT, ConsumerOptions.get()); - String plain = result.getA(); + Result result = processor.process(COMP_LIT, ConsumerOptions.get()); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm()); assertTrue(metadata.getVerifiedInlineSignatures().isEmpty()); assertTrue(metadata.getRejectedInlineSignatures().isEmpty()); @@ -362,19 +371,19 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process COMP using {0}") @MethodSource("provideMessageProcessors") - public void testProcessCOMP_fails(Processor processor) { + void testProcessCOMP_fails(Processor processor) { assertThrows(MalformedOpenPgpMessageException.class, () -> processor.process(COMP, ConsumerOptions.get())); } @ParameterizedTest(name = "Process COMP(COMP(LIT)) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessCOMP_COMP_LIT(Processor processor) + void testProcessCOMP_COMP_LIT(Processor processor) throws PGPException, IOException { - Tuple result = processor.process(COMP_COMP_LIT, ConsumerOptions.get()); - String plain = result.getA(); + Result result = processor.process(COMP_COMP_LIT, ConsumerOptions.get()); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm()); Iterator compressionAlgorithms = metadata.getCompressionAlgorithms(); assertEquals(CompressionAlgorithm.ZIP, compressionAlgorithms.next()); @@ -387,16 +396,16 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process SIG COMP(LIT) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessSIG_COMP_LIT(Processor processor) + void testProcessSIG_COMP_LIT(Processor processor) throws PGPException, IOException { PGPPublicKeyRing cert = PGPainless.extractCertificate( PGPainless.readKeyRing().secretKeyRing(KEY)); - Tuple result = processor.process(SIG_COMP_LIT, ConsumerOptions.get() + Result result = processor.process(SIG_COMP_LIT, ConsumerOptions.get() .addVerificationCert(cert)); - String plain = result.getA(); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm()); assertNull(metadata.getEncryptionAlgorithm()); assertFalse(metadata.getVerifiedInlineSignatures().isEmpty()); @@ -405,13 +414,13 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process SENC(LIT) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessSENC_LIT(Processor processor) + void testProcessSENC_LIT(Processor processor) throws PGPException, IOException { - Tuple result = processor.process(SENC_LIT, ConsumerOptions.get() + Result result = processor.process(SENC_LIT, ConsumerOptions.get() .addMessagePassphrase(Passphrase.fromPassword(PASSPHRASE))); - String plain = result.getA(); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertNull(metadata.getCompressionAlgorithm()); assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm()); assertTrue(metadata.getVerifiedInlineSignatures().isEmpty()); @@ -420,14 +429,14 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process PENC(COMP(LIT)) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessPENC_COMP_LIT(Processor processor) + void testProcessPENC_COMP_LIT(Processor processor) throws IOException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - Tuple result = processor.process(PENC_COMP_LIT, ConsumerOptions.get() + Result result = processor.process(PENC_COMP_LIT, ConsumerOptions.get() .addDecryptionKey(secretKeys)); - String plain = result.getA(); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm()); assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm()); assertTrue(metadata.getVerifiedInlineSignatures().isEmpty()); @@ -436,14 +445,14 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process OPS LIT SIG using {0}") @MethodSource("provideMessageProcessors") - public void testProcessOPS_LIT_SIG(Processor processor) + void testProcessOPS_LIT_SIG(Processor processor) throws IOException, PGPException { PGPPublicKeyRing cert = PGPainless.extractCertificate(PGPainless.readKeyRing().secretKeyRing(KEY)); - Tuple result = processor.process(OPS_LIT_SIG, ConsumerOptions.get() + Result result = processor.process(OPS_LIT_SIG, ConsumerOptions.get() .addVerificationCert(cert)); - String plain = result.getA(); + String plain = result.plaintext; assertEquals(PLAINTEXT, plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertNull(metadata.getEncryptionAlgorithm()); assertNull(metadata.getCompressionAlgorithm()); assertFalse(metadata.getVerifiedInlineSignatures().isEmpty()); @@ -535,7 +544,7 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process PENC(OPS OPS LIT SIG SIG) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessPENC_OPS_OPS_LIT_SIG_SIG(Processor processor) throws IOException, PGPException { + void testProcessPENC_OPS_OPS_LIT_SIG_SIG(Processor processor) throws IOException, PGPException { String MSG = "-----BEGIN PGP MESSAGE-----\n" + "\n" + "wcDMA3wvqk35PDeyAQv/RhY9sgxMXj1UxumNMOeN+1+c5bB5e3jSrvA93L8yLFqB\n" + @@ -575,12 +584,12 @@ public class OpenPgpMessageInputStreamTest { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(BOB_KEY); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); - Tuple result = processor.process(MSG, ConsumerOptions.get() + Result result = processor.process(MSG, ConsumerOptions.get() .addVerificationCert(certificate) .addDecryptionKey(secretKeys)); - String plain = result.getA(); + String plain = result.plaintext; assertEquals("encrypt ∘ sign ∘ sign", plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm()); assertNull(metadata.getCompressionAlgorithm()); assertFalse(metadata.getVerifiedInlineSignatures().isEmpty()); @@ -589,7 +598,7 @@ public class OpenPgpMessageInputStreamTest { @ParameterizedTest(name = "Process PENC(OPS OPS OPS LIT SIG SIG SIG) using {0}") @MethodSource("provideMessageProcessors") - public void testProcessOPS_OPS_OPS_LIT_SIG_SIG_SIG(Processor processor) throws IOException, PGPException { + void testProcessOPS_OPS_OPS_LIT_SIG_SIG_SIG(Processor processor) throws IOException, PGPException { String MSG = "-----BEGIN PGP MESSAGE-----\n" + "\n" + "wcDMA3wvqk35PDeyAQwA0yaEgydkAMEfl7rDTYVGanLKiFiWIs34mkF+LB8qR5eY\n" + @@ -640,12 +649,12 @@ public class OpenPgpMessageInputStreamTest { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(BOB_KEY); PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); - Tuple result = processor.process(MSG, ConsumerOptions.get() + Result result = processor.process(MSG, ConsumerOptions.get() .addVerificationCert(certificate) .addDecryptionKey(secretKeys)); - String plain = result.getA(); + String plain = result.plaintext; assertEquals("encrypt ∘ sign ∘ sign ∘ sign", plain); - MessageMetadata metadata = result.getB(); + MessageMetadata metadata = result.metadata; assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm()); assertNull(metadata.getCompressionAlgorithm()); assertFalse(metadata.getVerifiedInlineSignatures().isEmpty()); @@ -653,7 +662,7 @@ public class OpenPgpMessageInputStreamTest { } @Test - public void readAfterCloseTest() throws IOException { + void readAfterCloseTest() throws IOException { OpenPgpMessageInputStream pgpIn = get(SENC_LIT, ConsumerOptions.get() .addMessagePassphrase(Passphrase.fromPassword(PASSPHRASE))); Streams.drain(pgpIn); // read all @@ -668,17 +677,17 @@ public class OpenPgpMessageInputStreamTest { pgpIn.getMetadata(); } - private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options) + private static Result processReadBuffered(String armoredMessage, ConsumerOptions options) throws IOException { OpenPgpMessageInputStream in = get(armoredMessage, options); ByteArrayOutputStream out = new ByteArrayOutputStream(); Streams.pipeAll(in, out); in.close(); MessageMetadata metadata = in.getMetadata(); - return new Tuple<>(out.toString(), metadata); + return new Result(out.toString(), metadata); } - private static Tuple processReadSequential(String armoredMessage, ConsumerOptions options) + private static Result processReadSequential(String armoredMessage, ConsumerOptions options) throws IOException { OpenPgpMessageInputStream in = get(armoredMessage, options); ByteArrayOutputStream out = new ByteArrayOutputStream(); @@ -690,7 +699,7 @@ public class OpenPgpMessageInputStreamTest { in.close(); MessageMetadata metadata = in.getMetadata(); - return new Tuple<>(out.toString(), metadata); + return new Result(out.toString(), metadata); } private static OpenPgpMessageInputStream get(String armored, ConsumerOptions options) diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/Tuple.java b/pgpainless-core/src/test/java/org/pgpainless/util/Tuple.java deleted file mode 100644 index 84d7a370..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/Tuple.java +++ /dev/null @@ -1,32 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util; - -/** - * Helper class pairing together two values. - * @param type of the first value - * @param type of the second value - * @deprecated Scheduled for removal. - * TODO: Remove - */ -@Deprecated -public class Tuple { - - private final A a; - private final B b; - - public Tuple(A a, B b) { - this.a = a; - this.b = b; - } - - public A getA() { - return a; - } - - public B getB() { - return b; - } -} From 9540d6090eee54ffe66452233b5f3a4ec9f59085 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Mar 2025 10:54:37 +0100 Subject: [PATCH 128/265] CertifyCertificate: Change visibility of internal members to private --- .../key/certification/CertifyCertificate.kt | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index dffde49c..c8c7704f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -116,9 +116,9 @@ class CertifyCertificate(private val api: PGPainless) { DelegationOnCertificate(certificate, trustworthiness, api) class CertificationOnUserId( - val userId: CharSequence, - val certificate: OpenPGPCertificate, - val certificationType: CertificationType, + private val userId: CharSequence, + private val certificate: OpenPGPCertificate, + private val certificationType: CertificationType, private val api: PGPainless ) { @@ -158,9 +158,9 @@ class CertifyCertificate(private val api: PGPainless) { } class CertificationOnUserIdWithSubpackets( - val certificate: OpenPGPCertificate, - val userId: CharSequence, - val sigBuilder: ThirdPartyCertificationSignatureBuilder, + private val certificate: OpenPGPCertificate, + private val userId: CharSequence, + private val sigBuilder: ThirdPartyCertificationSignatureBuilder, private val api: PGPainless ) { @@ -204,8 +204,8 @@ class CertifyCertificate(private val api: PGPainless) { } class DelegationOnCertificate( - val certificate: OpenPGPCertificate, - val trustworthiness: Trustworthiness?, + private val certificate: OpenPGPCertificate, + private val trustworthiness: Trustworthiness?, private val api: PGPainless ) { @@ -245,8 +245,8 @@ class CertifyCertificate(private val api: PGPainless) { } class DelegationOnCertificateWithSubpackets( - val certificate: OpenPGPCertificate, - val sigBuilder: ThirdPartyDirectKeySignatureBuilder, + private val certificate: OpenPGPCertificate, + private val sigBuilder: ThirdPartyDirectKeySignatureBuilder, private val api: PGPainless ) { From 8621ae8a69567418234fbd15b37d460a937985b1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Mar 2025 13:20:17 +0100 Subject: [PATCH 129/265] Test v6 third party certification generation --- .../key/certification/CertifyCertificate.kt | 133 ++++++++++++++++++ .../builder/RevocationSignatureBuilder.kt | 15 ++ .../CertifyV6CertificateTest.java | 78 ++++++++++ 3 files changed, 226 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index c8c7704f..24c21a0b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -15,6 +15,7 @@ import org.bouncycastle.openpgp.api.OpenPGPSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.CertificationType import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.algorithm.SignatureType import org.pgpainless.algorithm.Trustworthiness import org.pgpainless.exception.KeyException import org.pgpainless.exception.KeyException.ExpiredKeyException @@ -22,9 +23,11 @@ import org.pgpainless.exception.KeyException.MissingSecretKeyException import org.pgpainless.exception.KeyException.RevokedKeyException import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.util.KeyRingUtils +import org.pgpainless.signature.builder.RevocationSignatureBuilder import org.pgpainless.signature.builder.ThirdPartyCertificationSignatureBuilder import org.pgpainless.signature.builder.ThirdPartyDirectKeySignatureBuilder import org.pgpainless.signature.subpackets.CertificationSubpackets +import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets /** * API for creating certifications and delegations (Signatures) on keys. This API can be used to @@ -78,6 +81,16 @@ class CertifyCertificate(private val api: PGPainless) { certificationType: CertificationType ) = CertificationOnUserId(userId, certificate, certificationType, api) + /** + * Create a certification revocation signature for the given [userId] on the given + * [certificate]. + * + * @param userId userid to revoke + * @param certificate certificate carrying the userid + */ + fun revokeUserIdOnCertificate(userId: CharSequence, certificate: OpenPGPCertificate) = + RevocationOnUserId(userId, certificate, api) + /** * Create a delegation (direct key signature) over a certificate. This can be used to mark a * certificate as a trusted introducer (see [certificate] method with [Trustworthiness] @@ -115,6 +128,14 @@ class CertifyCertificate(private val api: PGPainless) { fun certificate(certificate: PGPPublicKeyRing, trustworthiness: Trustworthiness?) = DelegationOnCertificate(certificate, trustworthiness, api) + /** + * Create a key revocation signature, revoking a delegation over the given [certificate]. + * + * @param certificate certificate to revoke the delegation to + */ + fun revokeCertificate(certificate: OpenPGPCertificate): RevocationOnCertificate = + RevocationOnCertificate(certificate, api) + class CertificationOnUserId( private val userId: CharSequence, private val certificate: OpenPGPCertificate, @@ -203,6 +224,63 @@ class CertifyCertificate(private val api: PGPainless) { } } + class RevocationOnUserId( + private val userId: CharSequence, + private val certificate: OpenPGPCertificate, + private val api: PGPainless + ) { + + fun withKey( + key: OpenPGPKey, + protector: SecretKeyRingProtector + ): RevocationOnUserIdWithSubpackets { + val secretKey = getCertifyingSecretKey(key, api) + val sigBuilder = + RevocationSignatureBuilder( + SignatureType.CERTIFICATION_REVOCATION, secretKey, protector, api) + + return RevocationOnUserIdWithSubpackets(certificate, userId, sigBuilder, api) + } + } + + class RevocationOnUserIdWithSubpackets( + private val certificate: OpenPGPCertificate, + private val userId: CharSequence, + private val sigBuilder: RevocationSignatureBuilder, + private val api: PGPainless + ) { + + /** + * Apply the given signature subpackets and build the revocation signature. + * + * @param subpacketCallback callback to modify the revocation signatures subpackets + * @return result + * @throws PGPException in case of an OpenPGP related error + */ + fun buildWithSubpackets( + subpacketCallback: RevocationSignatureSubpackets.Callback + ): CertificationResult { + sigBuilder.applyCallback(subpacketCallback) + return build() + } + + /** + * Build the revocation signature. + * + * @return result + * @throws PGPException in case of an OpenPGP related error + */ + fun build(): CertificationResult { + val signature = sigBuilder.build(certificate.primaryKey, userId) + val certifiedCertificate = + api.toCertificate( + KeyRingUtils.injectCertification( + certificate.pgpPublicKeyRing, userId, signature.signature)) + + return CertificationResult(certifiedCertificate, signature) + } + } + class DelegationOnCertificate( private val certificate: OpenPGPCertificate, private val trustworthiness: Trustworthiness?, @@ -290,6 +368,61 @@ class CertifyCertificate(private val api: PGPainless) { } } + class RevocationOnCertificate( + private val certificate: OpenPGPCertificate, + private val api: PGPainless + ) { + + fun withKey( + key: OpenPGPKey, + protector: SecretKeyRingProtector + ): RevocationOnCertificateWithSubpackets { + val secretKey = getCertifyingSecretKey(key, api) + val sigBuilder = + RevocationSignatureBuilder(SignatureType.KEY_REVOCATION, secretKey, protector, api) + return RevocationOnCertificateWithSubpackets(certificate, sigBuilder, api) + } + } + + class RevocationOnCertificateWithSubpackets( + private val certificate: OpenPGPCertificate, + private val sigBuilder: RevocationSignatureBuilder, + private val api: PGPainless + ) { + + /** + * Apply the given signature subpackets and build the delegation revocation signature. + * + * @param subpacketsCallback callback to modify the revocations subpackets + * @return result + * @throws PGPException in case of an OpenPGP related error + */ + fun buildWithSubpackets( + subpacketsCallback: RevocationSignatureSubpackets.Callback + ): CertificationResult { + sigBuilder.applyCallback(subpacketsCallback) + return build() + } + + /** + * Build the delegation revocation signature. + * + * @return result + * @throws PGPException in case of an OpenPGP related error + */ + fun build(): CertificationResult { + val revokedKey = certificate.primaryKey + val revocation = sigBuilder.build(revokedKey) + val revokedCertificate = + api.toCertificate( + KeyRingUtils.injectCertification( + certificate.pgpPublicKeyRing, + revokedKey.pgpPublicKey, + revocation.signature)) + return CertificationResult(revokedCertificate, revocation) + } + } + /** * Result of a certification operation. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt index e41e4308..b1912d8c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt @@ -83,6 +83,21 @@ constructor( build(revokeeUserId.userId), signingKey.publicKey, revokeeUserId) } + fun build( + revokeeKey: OpenPGPComponentKey, + revokeeUserId: CharSequence + ): OpenPGPComponentSignature = + OpenPGPComponentSignature( + buildAndInitSignatureGenerator() + .also { + require(_signatureType == SignatureType.CERTIFICATION_REVOCATION) { + "Signature type is != CERTIFICATION_REVOCATION." + } + } + .generateCertification(revokeeUserId.toString(), revokeeKey.pgpPublicKey), + signingKey.publicKey, + revokeeKey.certificate.getUserId(revokeeUserId.toString())) + init { hashedSubpackets.setRevocable(false) } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java new file mode 100644 index 00000000..8c1a2d9a --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java @@ -0,0 +1,78 @@ +// SPDX-FileCopyrightText: 2022 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.certification; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.OpenPGPKeyVersion; +import org.pgpainless.key.protection.SecretKeyRingProtector; + +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class CertifyV6CertificateTest { + + @Test + public void testCertifyV6CertWithV6Key() throws PGPException { + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + + OpenPGPKey bobKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Bob "); + OpenPGPCertificate bobCert = bobKey.toCertificate(); + + // Create a certification on Bobs certificate + OpenPGPCertificate bobCertified = api.generateCertification() + .userIdOnCertificate("Bob ", bobCert) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // Check that there is a valid certification chain from Alice to Bobs UID + OpenPGPCertificate.OpenPGPSignatureChain signatureChain = + bobCertified.getUserId("Bob ") + .getCertificationBy(aliceKey.toCertificate()); + assertNotNull(signatureChain); + assertTrue(signatureChain.isValid()); + + + + // Revoke Alice' key and... + OpenPGPKey aliceRevoked = api.modify(aliceKey) + .revoke(SecretKeyRingProtector.unprotectedKeys()) + .done(); + + // ...verify we no longer have a valid certification chain + OpenPGPCertificate.OpenPGPSignatureChain missingChain = + bobCertified.getUserId("Bob ") + .getCertificationBy(aliceRevoked.toCertificate()); + assertNull(missingChain); + + OpenPGPCertificate.OpenPGPSignatureChain revokedChain = + bobCertified.getUserId("Bob ") + .getRevocationBy(aliceRevoked); + assertNotNull(revokedChain); + assertTrue(revokedChain.isValid()); + + + // Instead, revoke the certification itself and... + bobCertified = api.generateCertification() + .revokeUserIdOnCertificate("Bob ", bobCertified) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // ...verify we now have a valid certification chain + OpenPGPCertificate.OpenPGPSignatureChain brokenChain = + bobCertified.getUserId("Bob ") + .getRevocationBy(aliceKey.toCertificate()); + assertNotNull(brokenChain); + assertTrue(brokenChain.isValid()); + } +} From fa9d769c5a62ee3a7aac32593ec92b3f4455fc69 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 26 Mar 2025 15:01:30 +0100 Subject: [PATCH 130/265] Rename new CertifyCertificate API methods and add revocation methods --- .../key/certification/CertifyCertificate.kt | 11 ++--- .../certification/CertifyCertificateTest.java | 8 ++-- .../CertifyV6CertificateTest.java | 40 +++++++++++++++++-- ...GenerateKeyWithoutPrimaryKeyFlagsTest.java | 2 +- 4 files changed, 47 insertions(+), 14 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt index 24c21a0b..ef6d03b8 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt @@ -48,7 +48,7 @@ class CertifyCertificate(private val api: PGPainless) { * @return API */ @JvmOverloads - fun userIdOnCertificate( + fun certifyUserId( userId: CharSequence, certificate: OpenPGPCertificate, certificationType: CertificationType = CertificationType.GENERIC @@ -62,7 +62,8 @@ class CertifyCertificate(private val api: PGPainless) { * @param certificate certificate * @return API */ - @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.") + @Deprecated( + "Pass in an OpenPGPCertificate instead.", replaceWith = ReplaceWith("certifyUserId")) fun userIdOnCertificate(userId: String, certificate: PGPPublicKeyRing): CertificationOnUserId = userIdOnCertificate(userId, certificate, CertificationType.GENERIC) @@ -88,7 +89,7 @@ class CertifyCertificate(private val api: PGPainless) { * @param userId userid to revoke * @param certificate certificate carrying the userid */ - fun revokeUserIdOnCertificate(userId: CharSequence, certificate: OpenPGPCertificate) = + fun revokeCertifiedUserId(userId: CharSequence, certificate: OpenPGPCertificate) = RevocationOnUserId(userId, certificate, api) /** @@ -100,7 +101,7 @@ class CertifyCertificate(private val api: PGPainless) { * @return API */ @JvmOverloads - fun certificate(certificate: OpenPGPCertificate, trustworthiness: Trustworthiness? = null) = + fun delegateTrust(certificate: OpenPGPCertificate, trustworthiness: Trustworthiness? = null) = DelegationOnCertificate(certificate, trustworthiness, api) /** @@ -133,7 +134,7 @@ class CertifyCertificate(private val api: PGPainless) { * * @param certificate certificate to revoke the delegation to */ - fun revokeCertificate(certificate: OpenPGPCertificate): RevocationOnCertificate = + fun revokeDelegatedTrust(certificate: OpenPGPCertificate): RevocationOnCertificate = RevocationOnCertificate(certificate, api) class CertificationOnUserId( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java index 53c193cb..0cd74325 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java @@ -47,7 +47,7 @@ public class CertifyCertificateTest { OpenPGPCertificate bobCertificate = bob.toCertificate(); CertifyCertificate.CertificationResult result = api.generateCertification() - .userIdOnCertificate(bobUserId, bobCertificate) + .certifyUserId(bobUserId, bobCertificate) .withKey(alice, protector) .build(); @@ -82,7 +82,7 @@ public class CertifyCertificateTest { OpenPGPCertificate bobCertificate = bob.toCertificate(); CertifyCertificate.CertificationResult result = api.generateCertification() - .certificate(bobCertificate, Trustworthiness.fullyTrusted().introducer()) + .delegateTrust(bobCertificate, Trustworthiness.fullyTrusted().introducer()) .withKey(alice, protector) .build(); @@ -125,7 +125,7 @@ public class CertifyCertificateTest { String petName = "Bobby"; CertifyCertificate.CertificationResult result = api.generateCertification() - .userIdOnCertificate(petName, bobCert) + .certifyUserId(petName, bobCert) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .buildWithSubpackets(new CertificationSubpackets.Callback() { @Override @@ -155,7 +155,7 @@ public class CertifyCertificateTest { OpenPGPCertificate caCert = caKey.toCertificate(); CertifyCertificate.CertificationResult result = api.generateCertification() - .certificate(caCert, Trustworthiness.fullyTrusted().introducer()) + .delegateTrust(caCert, Trustworthiness.fullyTrusted().introducer()) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .buildWithSubpackets(new CertificationSubpackets.Callback() { @Override diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java index 8c1a2d9a..6c37cbcc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java @@ -5,6 +5,7 @@ package org.pgpainless.key.certification; import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSignatureException; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; @@ -19,7 +20,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; public class CertifyV6CertificateTest { @Test - public void testCertifyV6CertWithV6Key() throws PGPException { + public void testCertifyV6UIDWithV6Key() throws PGPException { PGPainless api = PGPainless.getInstance(); OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) @@ -31,7 +32,7 @@ public class CertifyV6CertificateTest { // Create a certification on Bobs certificate OpenPGPCertificate bobCertified = api.generateCertification() - .userIdOnCertificate("Bob ", bobCert) + .certifyUserId("Bob ", bobCert) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .build().getCertifiedCertificate(); @@ -43,7 +44,6 @@ public class CertifyV6CertificateTest { assertTrue(signatureChain.isValid()); - // Revoke Alice' key and... OpenPGPKey aliceRevoked = api.modify(aliceKey) .revoke(SecretKeyRingProtector.unprotectedKeys()) @@ -64,7 +64,7 @@ public class CertifyV6CertificateTest { // Instead, revoke the certification itself and... bobCertified = api.generateCertification() - .revokeUserIdOnCertificate("Bob ", bobCertified) + .revokeCertifiedUserId("Bob ", bobCertified) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .build().getCertifiedCertificate(); @@ -75,4 +75,36 @@ public class CertifyV6CertificateTest { assertNotNull(brokenChain); assertTrue(brokenChain.isValid()); } + + @Test + public void testCertifyV6CertificateWithV6Key() throws PGPSignatureException { + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + OpenPGPKey bobKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Bob "); + OpenPGPCertificate bobCert = bobKey.toCertificate(); + + // Alice delegates trust to Bob + OpenPGPCertificate bobDelegated = api.generateCertification() + .delegateTrust(bobCert) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // Check that Bob is actually delegated to by Alice + OpenPGPCertificate.OpenPGPSignatureChain delegation = bobDelegated.getDelegationBy(aliceKey.toCertificate()); + assertNotNull(delegation); + assertTrue(delegation.isValid()); + + // Alice revokes the delegation + OpenPGPCertificate bobRevoked = api.generateCertification() + .revokeDelegatedTrust(bobDelegated) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + OpenPGPCertificate.OpenPGPSignatureChain revocation = bobRevoked.getRevocationBy(aliceKey.toCertificate()); + assertNotNull(revocation); + assertTrue(revocation.isValid()); + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java index 40bcac96..32792b4a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java @@ -61,7 +61,7 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { // Key without CERTIFY_OTHER flag cannot be used to certify other keys OpenPGPCertificate thirdPartyCert = TestKeys.getCryptieCertificate(); assertThrows(KeyException.UnacceptableThirdPartyCertificationKeyException.class, () -> - api.generateCertification().certificate(thirdPartyCert) + api.generateCertification().delegateTrust(thirdPartyCert) .withKey(key, SecretKeyRingProtector.unprotectedKeys())); // Key without CERTIFY_OTHER flags is usable for encryption and signing From b4cff6d2956f0a08303115c0c773673472744256 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 27 Mar 2025 15:49:31 +0100 Subject: [PATCH 131/265] KeyRingInfo: Apply latest method name change from BC --- .../src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 42c15dc9..5ae87e38 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -137,7 +137,7 @@ class KeyRingInfo( /** Newest primary-key revocation self-signature. */ val revocationSelfSignature: PGPSignature? = - primaryKey.getLatestKeyRevocationSignature(referenceDate)?.signature + primaryKey.getLatestKeyRevocationSelfSignature(referenceDate)?.signature /** Public-key encryption-algorithm of the primary key. */ val algorithm: PublicKeyAlgorithm = From fe981e0384cd5dc296c414d1475bc189ef9d3cc3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 15:43:51 +0100 Subject: [PATCH 132/265] Replace KeyRingUtils usage with toCertificate() --- pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 86642f22..d4892d8a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -28,7 +28,6 @@ import org.pgpainless.key.generation.KeyRingTemplates import org.pgpainless.key.info.KeyRingInfo import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditor import org.pgpainless.key.parsing.KeyRingReader -import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.policy.Policy import org.pgpainless.util.ArmorUtils @@ -175,7 +174,7 @@ class PGPainless( @JvmStatic @Deprecated("Use .toKey() and then .toCertificate() instead.") fun extractCertificate(secretKey: PGPSecretKeyRing): PGPPublicKeyRing = - KeyRingUtils.publicKeyRingFrom(secretKey) + secretKey.toCertificate() /** * Merge two copies of the same certificate (e.g. an old copy, and one retrieved from a key From 8b0057f2669443d0680572cbcd5620744d0931db Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 15:59:31 +0100 Subject: [PATCH 133/265] Remove duplicate Padding parser branch --- .../decryption_verification/OpenPgpMessageInputStream.kt | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 8e8062af..17fd497b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -178,7 +178,7 @@ class OpenPgpMessageInputStream( } OpenPgpPacket.PADDING -> { LOGGER.debug("Skipping Padding Packet") - pIn.readPacket() + pIn.readPadding() } OpenPgpPacket.SK, OpenPgpPacket.PK, @@ -188,10 +188,6 @@ class OpenPgpMessageInputStream( OpenPgpPacket.UID, OpenPgpPacket.UATTR -> throw MalformedOpenPgpMessageException("Illegal Packet in Stream: $packet") - OpenPgpPacket.PADDING -> { - LOGGER.debug("Padding packet") - pIn.readPadding() - } OpenPgpPacket.EXP_1, OpenPgpPacket.EXP_2, OpenPgpPacket.EXP_3, From 05300e320935133fea2bcf54d6bd651821eda034 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 16:00:22 +0100 Subject: [PATCH 134/265] Improve readability of OpenPGPMessageInputStream --- .../decryption_verification/OpenPgpMessageInputStream.kt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 17fd497b..a959818b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -743,10 +743,10 @@ class OpenPgpMessageInputStream( if (esk is PGPPBEEncryptedData) { skesks.add(esk) } else if (esk is PGPPublicKeyEncryptedData) { - if (esk.keyID != 0L) { - pkesks.add(esk) - } else { + if (esk.keyIdentifier.isWildcard) { anonPkesks.add(esk) + } else { + pkesks.add(esk) } } else { throw IllegalArgumentException("Unknown ESK class type ${esk.javaClass}") @@ -830,7 +830,7 @@ class OpenPgpMessageInputStream( fun addCorrespondingOnePassSignature(signature: PGPSignature, layer: Layer) { var found = false - for ((i, check) in onePassSignatures.withIndex().reversed()) { + for (check in onePassSignatures.reversed()) { if (!KeyIdentifier.matches( signature.keyIdentifiers, check.onePassSignature.keyIdentifier, true)) { continue From d721f546b6848494c4077daf5e334d4fa3dcd819 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 16:01:04 +0100 Subject: [PATCH 135/265] KeyRingReader: Replace usage of deprecated PGPainless method with BC method --- .../main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt index 7fddc903..e8aeddeb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/parsing/KeyRingReader.kt @@ -11,7 +11,6 @@ import kotlin.jvm.Throws import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.util.io.Streams -import org.pgpainless.PGPainless import org.pgpainless.key.collection.PGPKeyRingCollection import org.pgpainless.util.ArmorUtils @@ -229,7 +228,7 @@ class KeyRingReader { continue } if (next is PGPSecretKeyRing) { - certificates.add(PGPainless.extractCertificate(next)) + certificates.add(next.toCertificate()) continue } if (next is PGPPublicKeyRingCollection) { From a5336b18061d7ad91d4aa0178adf9742767b961f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 16:01:36 +0100 Subject: [PATCH 136/265] KeyRingUtils: Use KeyIdentifier instead of keyId --- .../src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt index 2286da28..d788d1f9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt @@ -39,7 +39,7 @@ class KeyRingUtils { "Deprecated in favor of PGPSecretKeyRing extension function.", ReplaceWith("secretKeys.requireSecretKey(keyId)")) fun requirePrimarySecretKeyFrom(secretKeys: PGPSecretKeyRing): PGPSecretKey { - return secretKeys.requireSecretKey(secretKeys.publicKey.keyID) + return secretKeys.requireSecretKey(secretKeys.publicKey.keyIdentifier) } /** From aeed0e736bbe6a0cb5c99cff1d682cf9b60d8160 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 16:02:10 +0100 Subject: [PATCH 137/265] Port MessageInspector --- .../MessageInspector.kt | 135 +++++++++--------- .../MessageInspectorTest.java | 28 ++-- 2 files changed, 83 insertions(+), 80 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt index e6d08dae..0a2fb971 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageInspector.kt @@ -6,104 +6,103 @@ package org.pgpainless.decryption_verification import java.io.IOException import java.io.InputStream +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.* import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.pgpainless.PGPainless import org.pgpainless.util.ArmorUtils /** * Inspect an OpenPGP message to determine IDs of its encryption keys or whether it is passphrase * protected. */ -class MessageInspector { +class MessageInspector(val api: PGPainless = PGPainless.getInstance()) { /** * Info about an OpenPGP message. * - * @param keyIds List of recipient key ids for whom the message is encrypted. + * @param keyIdentifiers List of recipient [KeyIdentifiers][KeyIdentifier] for whom the message + * is encrypted. * @param isPassphraseEncrypted true, if the message is encrypted for a passphrase * @param isSignedOnly true, if the message is not encrypted, but signed using OnePassSignatures */ data class EncryptionInfo( - val keyIds: List, + val keyIdentifiers: List, val isPassphraseEncrypted: Boolean, val isSignedOnly: Boolean ) { val isEncrypted: Boolean get() = isPassphraseEncrypted || keyIds.isNotEmpty() + + val keyIds: List = keyIdentifiers.map { it.keyId } } - companion object { + /** + * Parses parts of the provided OpenPGP message in order to determine which keys were used to + * encrypt it. + * + * @param message OpenPGP message + * @return encryption info + * @throws PGPException in case the message is broken + * @throws IOException in case of an IO error + */ + @Throws(PGPException::class, IOException::class) + fun determineEncryptionInfoForMessage(message: String): EncryptionInfo = + determineEncryptionInfoForMessage(message.byteInputStream()) - /** - * Parses parts of the provided OpenPGP message in order to determine which keys were used - * to encrypt it. - * - * @param message OpenPGP message - * @return encryption info - * @throws PGPException in case the message is broken - * @throws IOException in case of an IO error - */ - @JvmStatic - @Throws(PGPException::class, IOException::class) - fun determineEncryptionInfoForMessage(message: String): EncryptionInfo = - determineEncryptionInfoForMessage(message.byteInputStream()) + /** + * Parses parts of the provided OpenPGP message in order to determine which keys were used to + * encrypt it. Note: This method does not rewind the passed in Stream, so you might need to take + * care of that yourselves. + * + * @param inputStream openpgp message + * @return encryption information + * @throws IOException in case of an IO error + * @throws PGPException if the message is broken + */ + @Throws(PGPException::class, IOException::class) + fun determineEncryptionInfoForMessage(inputStream: InputStream): EncryptionInfo { + return processMessage(ArmorUtils.getDecoderStream(inputStream)) + } - /** - * Parses parts of the provided OpenPGP message in order to determine which keys were used - * to encrypt it. Note: This method does not rewind the passed in Stream, so you might need - * to take care of that yourselves. - * - * @param inputStream openpgp message - * @return encryption information - * @throws IOException in case of an IO error - * @throws PGPException if the message is broken - */ - @JvmStatic - @Throws(PGPException::class, IOException::class) - fun determineEncryptionInfoForMessage(inputStream: InputStream): EncryptionInfo { - return processMessage(ArmorUtils.getDecoderStream(inputStream)) - } + @Throws(PGPException::class, IOException::class) + private fun processMessage(inputStream: InputStream): EncryptionInfo { + var objectFactory = api.implementation.pgpObjectFactory(inputStream) - @JvmStatic - @Throws(PGPException::class, IOException::class) - private fun processMessage(inputStream: InputStream): EncryptionInfo { - var objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(inputStream) - - var n: Any? - while (objectFactory.nextObject().also { n = it } != null) { - when (val next = n!!) { - is PGPOnePassSignatureList -> { - if (!next.isEmpty) { - return EncryptionInfo( - listOf(), isPassphraseEncrypted = false, isSignedOnly = true) - } - } - is PGPEncryptedDataList -> { - var isPassphraseEncrypted = false - val keyIds = mutableListOf() - for (encryptedData in next) { - if (encryptedData is PGPPublicKeyEncryptedData) { - keyIds.add(encryptedData.keyID) - } else if (encryptedData is PGPPBEEncryptedData) { - isPassphraseEncrypted = true - } - } - // Data is encrypted, we cannot go deeper - return EncryptionInfo(keyIds, isPassphraseEncrypted, false) - } - is PGPCompressedData -> { - objectFactory = - OpenPGPImplementation.getInstance() - .pgpObjectFactory(PGPUtil.getDecoderStream(next.dataStream)) - continue - } - is PGPLiteralData -> { - break + var n: Any? + while (objectFactory.nextObject().also { n = it } != null) { + when (val next = n!!) { + is PGPOnePassSignatureList -> { + if (!next.isEmpty) { + return EncryptionInfo( + listOf(), isPassphraseEncrypted = false, isSignedOnly = true) } } + is PGPEncryptedDataList -> { + var isPassphraseEncrypted = false + val keyIdentifiers = mutableListOf() + for (encryptedData in next) { + if (encryptedData is PGPPublicKeyEncryptedData) { + keyIdentifiers.add(encryptedData.keyIdentifier) + } else if (encryptedData is PGPPBEEncryptedData) { + isPassphraseEncrypted = true + } + } + // Data is encrypted, we cannot go deeper + return EncryptionInfo(keyIdentifiers, isPassphraseEncrypted, false) + } + is PGPCompressedData -> { + objectFactory = + OpenPGPImplementation.getInstance() + .pgpObjectFactory(PGPUtil.getDecoderStream(next.dataStream)) + continue + } + is PGPLiteralData -> { + break + } } - return EncryptionInfo(listOf(), isPassphraseEncrypted = false, isSignedOnly = false) } + return EncryptionInfo(listOf(), isPassphraseEncrypted = false, isSignedOnly = false) } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java index b7382360..fce4186d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java @@ -10,9 +10,9 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.api.Test; -import org.pgpainless.key.util.KeyIdUtil; public class MessageInspectorTest { @@ -26,14 +26,15 @@ public class MessageInspectorTest { "Z1/i3TYsmy8B0mMKkNYtpMk=\n" + "=IICf\n" + "-----END PGP MESSAGE-----\n"; + MessageInspector inspector = new MessageInspector(); - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + MessageInspector.EncryptionInfo info = inspector.determineEncryptionInfoForMessage(message); assertFalse(info.isPassphraseEncrypted()); assertFalse(info.isSignedOnly()); assertTrue(info.isEncrypted()); assertEquals(1, info.getKeyIds().size()); - assertEquals(KeyIdUtil.fromLongKeyId("4766F6B9D5F21EB6"), (long) info.getKeyIds().get(0)); + assertEquals(new KeyIdentifier("4766F6B9D5F21EB6"), info.getKeyIdentifiers().get(0)); } @Test @@ -51,15 +52,16 @@ public class MessageInspectorTest { "nxVuXey3iyihCFAfD8ZK1Rnh\n" + "=z6e0\n" + "-----END PGP MESSAGE-----"; + MessageInspector inspector = new MessageInspector(); - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + MessageInspector.EncryptionInfo info = inspector.determineEncryptionInfoForMessage(message); assertTrue(info.isEncrypted()); assertTrue(info.isPassphraseEncrypted()); assertEquals(2, info.getKeyIds().size()); assertFalse(info.isSignedOnly()); - assertTrue(info.getKeyIds().contains(KeyIdUtil.fromLongKeyId("4C6E8F99F6E47184"))); - assertTrue(info.getKeyIds().contains(KeyIdUtil.fromLongKeyId("1839079A640B2FAC"))); + assertTrue(info.getKeyIdentifiers().contains(new KeyIdentifier("4C6E8F99F6E47184"))); + assertTrue(info.getKeyIdentifiers().contains(new KeyIdentifier("1839079A640B2FAC"))); } @Test @@ -73,8 +75,8 @@ public class MessageInspectorTest { "Dvxwv8UPAA==\n" + "=nt5n\n" + "-----END PGP MESSAGE-----"; - - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + MessageInspector inspector = new MessageInspector(); + MessageInspector.EncryptionInfo info = inspector.determineEncryptionInfoForMessage(message); assertTrue(info.isSignedOnly()); @@ -97,7 +99,8 @@ public class MessageInspectorTest { "KK0Ymg5GrsBTEGFm4jb1p+V85PPhsIioX3np/N3fkIfxFguTGZza33/GHy61+DTy\n" + "=SZU6\n" + "-----END PGP MESSAGE-----"; - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + MessageInspector inspector = new MessageInspector(); + MessageInspector.EncryptionInfo info = inspector.determineEncryptionInfoForMessage(message); // Message is encrypted, so we cannot determine if it is signed or not. // It is not signed only @@ -117,8 +120,8 @@ public class MessageInspectorTest { "yyl0CF9DT05TT0xFYXlXgUp1c3Qgc29tZSB1bmVuY3J5cHRlZCBkYXRhLg==\n" + "=jVNT\n" + "-----END PGP MESSAGE-----"; - - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + MessageInspector inspector = new MessageInspector(); + MessageInspector.EncryptionInfo info = inspector.determineEncryptionInfoForMessage(message); assertFalse(info.isEncrypted()); assertFalse(info.isSignedOnly()); assertFalse(info.isPassphraseEncrypted()); @@ -136,7 +139,8 @@ public class MessageInspectorTest { "=jw3E\n" + "-----END PGP MESSAGE-----"; - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + MessageInspector inspector = new MessageInspector(); + MessageInspector.EncryptionInfo info = inspector.determineEncryptionInfoForMessage(message); assertFalse(info.isEncrypted()); assertFalse(info.isSignedOnly()); assertFalse(info.isPassphraseEncrypted()); From 85c0286041ba965837870f504cfef67366e392c6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 28 Mar 2025 16:02:36 +0100 Subject: [PATCH 138/265] Remove usage of deprecated methods in SOP implementations --- .../pgpainless/sop/ChangeKeyPasswordImpl.kt | 19 ++-- .../kotlin/org/pgpainless/sop/DecryptImpl.kt | 4 +- .../org/pgpainless/sop/DetachedSignImpl.kt | 15 ++- .../org/pgpainless/sop/DetachedVerifyImpl.kt | 2 +- .../kotlin/org/pgpainless/sop/EncryptImpl.kt | 17 ++- .../org/pgpainless/sop/ExtractCertImpl.kt | 12 +-- .../org/pgpainless/sop/InlineSignImpl.kt | 17 ++- .../org/pgpainless/sop/InlineVerifyImpl.kt | 2 +- .../kotlin/org/pgpainless/sop/KeyReader.kt | 100 ++++++++---------- .../sop/MatchMakingSecretKeyRingProtector.kt | 4 +- .../org/pgpainless/sop/RevokeKeyImpl.kt | 21 ++-- 11 files changed, 100 insertions(+), 113 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt index a63d73ed..f8b66896 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt @@ -10,7 +10,6 @@ import java.io.OutputStream import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSecretKeyRingCollection import org.pgpainless.PGPainless -import org.pgpainless.bouncycastle.extensions.openPgpFingerprint import org.pgpainless.exception.MissingPassphraseException import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.util.KeyRingUtils @@ -29,30 +28,30 @@ class ChangeKeyPasswordImpl(private val api: PGPainless) : ChangeKeyPassword { override fun keys(keys: InputStream): Ready { val newProtector = SecretKeyRingProtector.unlockAnyKeyWith(newPassphrase) - val secretKeysCollection = + val secretKeys = try { - KeyReader.readSecretKeys(keys, true) + KeyReader(api).readSecretKeys(keys, true) } catch (e: IOException) { throw SOPGPException.BadData(e) } val updatedSecretKeys = - secretKeysCollection - .map { secretKeys -> - oldProtector.addSecretKey(secretKeys) + secretKeys + .map { + oldProtector.addSecretKey(it) try { return@map KeyRingUtils.changePassphrase( - null, secretKeys, oldProtector, newProtector) + null, it.pgpSecretKeyRing, oldProtector, newProtector) } catch (e: MissingPassphraseException) { throw SOPGPException.KeyIsProtected( - "Cannot unlock key ${secretKeys.openPgpFingerprint}", e) + "Cannot unlock key ${it.keyIdentifier}", e) } catch (e: PGPException) { if (e.message?.contains("Exception decrypting key") == true) { throw SOPGPException.KeyIsProtected( - "Cannot unlock key ${secretKeys.openPgpFingerprint}", e) + "Cannot unlock key ${it.keyIdentifier}", e) } throw RuntimeException( - "Cannot change passphrase of key ${secretKeys.openPgpFingerprint}", e) + "Cannot change passphrase of key ${it.keyIdentifier}", e) } } .let { PGPSecretKeyRingCollection(it) } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt index 26c372a5..fad50c5b 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt @@ -92,11 +92,11 @@ class DecryptImpl(private val api: PGPainless) : Decrypt { } override fun verifyWithCert(cert: InputStream): Decrypt = apply { - KeyReader.readPublicKeys(cert, true).let { consumerOptions.addVerificationCerts(it) } + consumerOptions.addVerificationCerts(KeyReader(api).readPublicKeys(cert, true)) } override fun withKey(key: InputStream): Decrypt = apply { - KeyReader.readSecretKeys(key, true).forEach { + KeyReader(api).readSecretKeys(key, true).forEach { protector.addSecretKey(it) consumerOptions.addDecryptionKey(it, protector) } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt index a7271740..26548c89 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt @@ -7,14 +7,13 @@ package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.bouncycastle.extensions.openPgpFingerprint import org.pgpainless.encryption_signing.ProducerOptions import org.pgpainless.encryption_signing.SigningOptions import org.pgpainless.exception.KeyException.MissingSecretKeyException @@ -34,7 +33,7 @@ class DetachedSignImpl(private val api: PGPainless) : DetachedSign { private val signingOptions = SigningOptions.get(api) private val protector = MatchMakingSecretKeyRingProtector() - private val signingKeys = mutableListOf() + private val signingKeys = mutableListOf() private var armor = true private var mode = SignAs.binary @@ -44,13 +43,13 @@ class DetachedSignImpl(private val api: PGPainless) : DetachedSign { try { signingOptions.addDetachedSignature(protector, it, modeToSigType(mode)) } catch (e: UnacceptableSigningKeyException) { - throw SOPGPException.KeyCannotSign("Key ${it.openPgpFingerprint} cannot sign.", e) + throw SOPGPException.KeyCannotSign("Key ${it.keyIdentifier} cannot sign.", e) } catch (e: MissingSecretKeyException) { throw SOPGPException.KeyCannotSign( - "Key ${it.openPgpFingerprint} cannot sign. Missing secret key.", e) + "Key ${it.keyIdentifier} cannot sign. Missing secret key.", e) } catch (e: PGPException) { throw SOPGPException.KeyIsProtected( - "Key ${it.openPgpFingerprint} cannot be unlocked.", e) + "Key ${it.keyIdentifier} cannot be unlocked.", e) } } @@ -93,8 +92,8 @@ class DetachedSignImpl(private val api: PGPainless) : DetachedSign { } override fun key(key: InputStream): DetachedSign = apply { - KeyReader.readSecretKeys(key, true).forEach { - val info = api.inspect(api.toKey(it)) + KeyReader(api).readSecretKeys(key, true).forEach { + val info = api.inspect(it) if (!info.isUsableForSigning) { throw SOPGPException.KeyCannotSign( "Key ${info.fingerprint} does not have valid, signing capable subkeys.") diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt index c73d30ac..1a252bfa 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt @@ -23,7 +23,7 @@ class DetachedVerifyImpl(private val api: PGPainless) : DetachedVerify { private val options = ConsumerOptions.get(api).forceNonOpenPgpData() override fun cert(cert: InputStream): DetachedVerify = apply { - options.addVerificationCerts(KeyReader.readPublicKeys(cert, true)) + options.addVerificationCerts(KeyReader(api).readPublicKeys(cert, true)) } override fun data(data: InputStream): List { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt index a0534f56..556a9490 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt @@ -8,12 +8,11 @@ import java.io.IOException import java.io.InputStream import java.io.OutputStream import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.StreamEncoding -import org.pgpainless.bouncycastle.extensions.openPgpFingerprint import org.pgpainless.encryption_signing.EncryptionOptions import org.pgpainless.encryption_signing.ProducerOptions import org.pgpainless.encryption_signing.SigningOptions @@ -40,7 +39,7 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { private val encryptionOptions = EncryptionOptions.get(api) private var signingOptions: SigningOptions? = null - private val signingKeys = mutableListOf() + private val signingKeys = mutableListOf() private val protector = MatchMakingSecretKeyRingProtector() private var profile = RFC4880_PROFILE.name @@ -69,9 +68,9 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { try { signingOptions!!.addInlineSignature(protector, it, modeToSignatureType(mode)) } catch (e: UnacceptableSigningKeyException) { - throw SOPGPException.KeyCannotSign("Key ${it.openPgpFingerprint} cannot sign", e) + throw SOPGPException.KeyCannotSign("Key ${it.keyIdentifier} cannot sign", e) } catch (e: WrongPassphraseException) { - throw SOPGPException.KeyIsProtected("Cannot unlock key ${it.openPgpFingerprint}", e) + throw SOPGPException.KeyIsProtected("Cannot unlock key ${it.keyIdentifier}", e) } catch (e: PGPException) { throw SOPGPException.BadData(e) } @@ -105,14 +104,14 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { } val signingKey = - KeyReader.readSecretKeys(key, true).singleOrNull() + KeyReader(api).readSecretKeys(key, true).singleOrNull() ?: throw SOPGPException.BadData( AssertionError( "Exactly one secret key at a time expected. Got zero or multiple instead.")) - val info = api.inspect(api.toKey(signingKey)) + val info = api.inspect(signingKey) if (info.signingSubkeys.isEmpty()) { - throw SOPGPException.KeyCannotSign("Key ${info.fingerprint} cannot sign.") + throw SOPGPException.KeyCannotSign("Key ${info.keyIdentifier} cannot sign.") } protector.addSecretKey(signingKey) @@ -121,7 +120,7 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { override fun withCert(cert: InputStream): Encrypt = apply { try { - encryptionOptions.addRecipients(KeyReader.readPublicKeys(cert, true)) + KeyReader(api).readPublicKeys(cert, true).forEach { encryptionOptions.addRecipient(it) } } catch (e: UnacceptableEncryptionKeyException) { throw SOPGPException.CertCannotEncrypt(e.message ?: "Cert cannot encrypt", e) } catch (e: IOException) { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt index 426d5787..3a5993b4 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt @@ -18,8 +18,7 @@ class ExtractCertImpl(private val api: PGPainless) : ExtractCert { private var armor = true override fun key(keyInputStream: InputStream): Ready { - val certs = - KeyReader.readSecretKeys(keyInputStream, true).map { PGPainless.extractCertificate(it) } + val certs = KeyReader(api).readSecretKeys(keyInputStream, true).map { it.toCertificate() } return object : Ready() { override fun writeTo(outputStream: OutputStream) { @@ -27,17 +26,18 @@ class ExtractCertImpl(private val api: PGPainless) : ExtractCert { if (certs.size == 1) { val cert = certs[0] // This way we have a nice armor header with fingerprint and user-ids - val armorOut = ArmorUtils.toAsciiArmoredStream(cert, outputStream) - cert.encode(armorOut) + val armorOut = + ArmorUtils.toAsciiArmoredStream(cert.pgpKeyRing, outputStream) + armorOut.write(cert.encoded) armorOut.close() } else { // for multiple certs, add no info headers to the ASCII armor val armorOut = ArmoredOutputStreamFactory.get(outputStream) - certs.forEach { it.encode(armorOut) } + certs.forEach { armorOut.write(it.encoded) } armorOut.close() } } else { - certs.forEach { it.encode(outputStream) } + certs.forEach { outputStream.write(it.encoded) } } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt index 7f9cd0eb..c12c9b1e 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt @@ -8,13 +8,12 @@ import java.io.InputStream import java.io.OutputStream import java.lang.RuntimeException import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.StreamEncoding -import org.pgpainless.bouncycastle.extensions.openPgpFingerprint import org.pgpainless.encryption_signing.ProducerOptions import org.pgpainless.encryption_signing.SigningOptions import org.pgpainless.exception.KeyException.MissingSecretKeyException @@ -31,7 +30,7 @@ class InlineSignImpl(private val api: PGPainless) : InlineSign { private val signingOptions = SigningOptions.get(api) private val protector = MatchMakingSecretKeyRingProtector() - private val signingKeys = mutableListOf() + private val signingKeys = mutableListOf() private var armor = true private var mode = InlineSignAs.binary @@ -45,14 +44,14 @@ class InlineSignImpl(private val api: PGPainless) : InlineSign { signingOptions.addInlineSignature(protector, key, modeToSigType(mode)) } } catch (e: UnacceptableSigningKeyException) { - throw SOPGPException.KeyCannotSign("Key ${key.openPgpFingerprint} cannot sign.", e) + throw SOPGPException.KeyCannotSign("Key ${key.keyIdentifier} cannot sign.", e) } catch (e: MissingSecretKeyException) { throw SOPGPException.KeyCannotSign( - "Key ${key.openPgpFingerprint} does not have the secret signing key component available.", + "Key ${key.keyIdentifier} does not have the secret signing key component available.", e) } catch (e: PGPException) { throw SOPGPException.KeyIsProtected( - "Key ${key.openPgpFingerprint} cannot be unlocked.", e) + "Key ${key.keyIdentifier} cannot be unlocked.", e) } } @@ -97,11 +96,11 @@ class InlineSignImpl(private val api: PGPainless) : InlineSign { } override fun key(key: InputStream): InlineSign = apply { - KeyReader.readSecretKeys(key, true).forEach { - val info = api.inspect(api.toKey(it)) + KeyReader(api).readSecretKeys(key, true).forEach { + val info = api.inspect(it) if (!info.isUsableForSigning) { throw SOPGPException.KeyCannotSign( - "Key ${info.fingerprint} does not have valid, signing capable subkeys.") + "Key ${info.keyIdentifier} does not have valid, signing capable subkeys.") } protector.addSecretKey(it) signingKeys.add(it) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt index bfc3dd37..332c1445 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt @@ -24,7 +24,7 @@ class InlineVerifyImpl(private val api: PGPainless) : InlineVerify { private val options = ConsumerOptions.get(api) override fun cert(cert: InputStream): InlineVerify = apply { - options.addVerificationCerts(KeyReader.readPublicKeys(cert, true)) + options.addVerificationCerts(KeyReader(api).readPublicKeys(cert, true)) } override fun data(data: InputStream): ReadyWithResult> { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/KeyReader.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/KeyReader.kt index 2ce608ca..2ea36137 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/KeyReader.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/KeyReader.kt @@ -7,71 +7,63 @@ package org.pgpainless.sop import java.io.IOException import java.io.InputStream import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPublicKeyRingCollection import org.bouncycastle.openpgp.PGPRuntimeOperationException -import org.bouncycastle.openpgp.PGPSecretKeyRingCollection +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import sop.exception.SOPGPException /** Reader for OpenPGP keys and certificates with error matching according to the SOP spec. */ -class KeyReader { +class KeyReader(val api: PGPainless = PGPainless.getInstance()) { - companion object { - @JvmStatic - fun readSecretKeys( - keyInputStream: InputStream, - requireContent: Boolean - ): PGPSecretKeyRingCollection { - val keys = - try { - PGPainless.readKeyRing().secretKeyRingCollection(keyInputStream) - } catch (e: IOException) { - if (e.message == null) { - throw e - } - if (e.message!!.startsWith("unknown object in stream:") || - e.message!!.startsWith("invalid header encountered")) { - throw SOPGPException.BadData(e) - } + fun readSecretKeys(keyInputStream: InputStream, requireContent: Boolean): List { + val keys = + try { + api.readKey().parseKeys(keyInputStream) + } catch (e: IOException) { + if (e.message == null) { throw e } - if (requireContent && keys.none()) { - throw SOPGPException.BadData(PGPException("No key data found.")) - } - - return keys - } - - @JvmStatic - fun readPublicKeys( - certIn: InputStream, - requireContent: Boolean - ): PGPPublicKeyRingCollection { - val certs = - try { - PGPainless.readKeyRing().keyRingCollection(certIn, true) - } catch (e: IOException) { - if (e.message == null) { - throw e - } - if (e.message!!.startsWith("unknown object in stream:") || - e.message!!.startsWith("invalid header encountered")) { - throw SOPGPException.BadData(e) - } - throw e - } catch (e: PGPRuntimeOperationException) { + if (e.message!!.startsWith("unknown object in stream:") || + e.message!!.startsWith("invalid header encountered") || + e.message!!.startsWith("Encountered unexpected packet:")) { throw SOPGPException.BadData(e) } - - if (certs.pgpSecretKeyRingCollection.any()) { - throw SOPGPException.BadData( - "Secret key components encountered, while certificates were expected.") + throw e } - - if (requireContent && certs.pgpPublicKeyRingCollection.none()) { - throw SOPGPException.BadData(PGPException("No cert data found.")) - } - return certs.pgpPublicKeyRingCollection + if (requireContent && keys.none()) { + throw SOPGPException.BadData(PGPException("No key data found.")) } + + return keys + } + + fun readPublicKeys(certIn: InputStream, requireContent: Boolean): List { + val certs = + try { + api.readKey().parseKeysOrCertificates(certIn) + } catch (e: IOException) { + if (e.message == null) { + throw e + } + if (e.message!!.startsWith("unknown object in stream:") || + e.message!!.startsWith("invalid header encountered")) { + throw SOPGPException.BadData(e) + } + throw e + } catch (e: PGPRuntimeOperationException) { + throw SOPGPException.BadData(e) + } + + if (certs.any { it.isSecretKey }) { + throw SOPGPException.BadData( + "Secret key components encountered, while certificates were expected.") + } + + if (requireContent && certs.isEmpty()) { + throw SOPGPException.BadData("No certificate data found.") + } + + return certs } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt index d4a4cb7e..21ed794b 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.kt @@ -39,7 +39,7 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { keys.forEach { key -> for (subkey in key) { - if (protector.hasPassphrase(subkey.keyID)) { + if (protector.hasPassphrase(subkey.keyIdentifier)) { continue } @@ -50,6 +50,8 @@ class MatchMakingSecretKeyRingProtector : SecretKeyRingProtector { } } + fun addSecretKey(key: OpenPGPKey) = addSecretKey(key.pgpSecretKeyRing) + fun addSecretKey(key: PGPSecretKeyRing) = apply { if (!keys.add(key)) { return@apply diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt index 67dd36a2..40b5103f 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt @@ -12,7 +12,6 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKeyRingCollection import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless -import org.pgpainless.bouncycastle.extensions.openPgpFingerprint import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.util.KeyRingUtils @@ -30,29 +29,28 @@ class RevokeKeyImpl(private val api: PGPainless) : RevokeKey { private var armor = true override fun keys(keys: InputStream): Ready { - val secretKeyRings = + val secretKeys = try { - KeyReader.readSecretKeys(keys, true) + KeyReader(api).readSecretKeys(keys, true) } catch (e: IOException) { throw SOPGPException.BadData("Cannot decode secret keys.", e) } - secretKeyRings.forEach { protector.addSecretKey(it) } + secretKeys.forEach { protector.addSecretKey(it) } val revocationCertificates = mutableListOf() - secretKeyRings.forEach { secretKeys -> - val openPGPKey = api.toKey(secretKeys) - val editor = api.modify(openPGPKey) + secretKeys.forEach { + val editor = api.modify(it) try { val attributes = RevocationAttributes.createKeyRevocation() .withReason(RevocationAttributes.Reason.NO_REASON) .withoutDescription() - if (openPGPKey.primaryKey.version == 6) { + if (it.primaryKey.version == 6) { revocationCertificates.add( editor.createMinimalRevocationCertificate(protector, attributes)) } else { - val certificate = openPGPKey.toCertificate() + val certificate = it.toCertificate() val revocation = editor.createRevocation(protector, attributes) revocationCertificates.add( KeyRingUtils.injectCertification( @@ -61,11 +59,10 @@ class RevokeKeyImpl(private val api: PGPainless) : RevokeKey { } } catch (e: WrongPassphraseException) { throw SOPGPException.KeyIsProtected( - "Missing or wrong passphrase for key ${secretKeys.openPgpFingerprint}", e) + "Missing or wrong passphrase for key ${it.keyIdentifier}", e) } catch (e: PGPException) { throw RuntimeException( - "Cannot generate revocation certificate for key ${secretKeys.openPgpFingerprint}", - e) + "Cannot generate revocation certificate for key ${it.keyIdentifier}", e) } } From 08ac0e874be296efaf73fc57998bb53c26ce4088 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 31 Mar 2025 09:52:49 +0200 Subject: [PATCH 139/265] Replace SignatureVerifier usage with BC API --- .../signature/consumer/SignatureValidator.kt | 143 ----- .../signature/consumer/SignatureVerifier.kt | 597 ------------------ .../certification/CertifyCertificateTest.java | 8 +- .../SignatureOverUserAttributesTest.java | 32 +- 4 files changed, 18 insertions(+), 762 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt index 046aa714..120f9d2b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt @@ -4,7 +4,6 @@ package org.pgpainless.signature.consumer -import java.lang.Exception import java.util.Date import openpgp.formatUTC import openpgp.openPgpKeyId @@ -13,7 +12,6 @@ import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector import org.bouncycastle.openpgp.api.OpenPGPImplementation -import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.SignatureSubpacket import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.fingerprint @@ -74,76 +72,6 @@ abstract class SignatureValidator { } } - /** - * Verify that a subkey binding signature - if the subkey is signing-capable - contains a - * valid primary key binding signature. - * - * @param primaryKey primary key - * @param subkey subkey - * @param policy policy - * @param referenceDate reference date for signature verification - * @return validator - */ - @JvmStatic - fun hasValidPrimaryKeyBindingSignatureIfRequired( - primaryKey: PGPPublicKey, - subkey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (!signature.publicKeyAlgorithm.isSigningCapable()) { - // subkey is not signing capable -> No need to process embedded signatures - return - } - - // Make sure we have key flags - SignatureSubpacketsUtil.getKeyFlags(signature)?.let { - if (!KeyFlag.hasKeyFlag(it.flags, KeyFlag.SIGN_DATA) && - !KeyFlag.hasKeyFlag(it.flags, KeyFlag.CERTIFY_OTHER)) { - return - } - } - ?: return - - try { - val embeddedSignatures = - SignatureSubpacketsUtil.getEmbeddedSignature(signature) - if (embeddedSignatures.isEmpty) { - throw SignatureValidationException( - "Missing primary key binding" + - " signature on signing capable subkey ${subkey.keyID.openPgpKeyId()}", - mapOf()) - } - - val rejectedEmbeddedSignatures = mutableMapOf() - if (!embeddedSignatures.any { embedded -> - if (embedded.isOfType(SignatureType.PRIMARYKEY_BINDING)) { - try { - signatureStructureIsAcceptable(subkey, policy).verify(embedded) - signatureIsEffective(referenceTime).verify(embedded) - correctPrimaryKeyBindingSignature(primaryKey, subkey) - .verify(embedded) - return@any true - } catch (e: SignatureValidationException) { - rejectedEmbeddedSignatures[embedded] = e - } - } - false - }) { - throw SignatureValidationException( - "Missing primary key binding signature on signing capable subkey ${subkey.keyID.openPgpKeyId()}", - rejectedEmbeddedSignatures) - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Cannot process list of embedded signatures.", e) - } - } - } - } - /** * Verify that a signature has an acceptable structure. * @@ -466,77 +394,6 @@ abstract class SignatureValidator { } } - /** - * Verify that a subkey binding signature is correct. - * - * @param primaryKey primary key - * @param subkey subkey - * @return validator - */ - @JvmStatic - fun correctSubkeyBindingSignature( - primaryKey: PGPPublicKey, - subkey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (primaryKey.keyID == subkey.keyID) { - throw SignatureValidationException("Primary key cannot be its own subkey.") - } - try { - signature.init( - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), - primaryKey) - if (!signature.verifyCertification(primaryKey, subkey)) { - throw SignatureValidationException("Signature is not correct.") - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Cannot verify subkey binding signature correctness", e) - } catch (e: ClassCastException) { - throw SignatureValidationException( - "Cannot verify subkey binding signature correctness", e) - } - } - } - } - - /** - * Verify that a primary key binding signature is correct. - * - * @param primaryKey primary key - * @param subkey subkey - * @return validator - */ - @JvmStatic - fun correctPrimaryKeyBindingSignature( - primaryKey: PGPPublicKey, - subkey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (primaryKey.keyID == subkey.keyID) { - throw SignatureValidationException("Primary key cannot be its own subkey.") - } - try { - signature.init( - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), - subkey) - if (!signature.verifyCertification(primaryKey, subkey)) { - throw SignatureValidationException( - "Primary Key Binding Signature is not correct.") - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Cannot verify primary key binding signature correctness", e) - } catch (e: ClassCastException) { - throw SignatureValidationException( - "Cannot verify primary key binding signature correctness", e) - } - } - } - } - /** * Verify that a direct-key signature is correct. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt deleted file mode 100644 index 1ac204cf..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureVerifier.kt +++ /dev/null @@ -1,597 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import java.io.IOException -import java.io.InputStream -import java.util.* -import openpgp.openPgpKeyId -import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPSignature -import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector -import org.bouncycastle.openpgp.api.OpenPGPImplementation -import org.pgpainless.algorithm.SignatureType -import org.pgpainless.exception.SignatureValidationException -import org.pgpainless.policy.Policy -import org.pgpainless.signature.consumer.SignatureValidator.Companion.correctSignatureOverKey -import org.pgpainless.signature.consumer.SignatureValidator.Companion.correctSignatureOverUserAttributes -import org.pgpainless.signature.consumer.SignatureValidator.Companion.correctSignatureOverUserId -import org.pgpainless.signature.consumer.SignatureValidator.Companion.correctSubkeyBindingSignature -import org.pgpainless.signature.consumer.SignatureValidator.Companion.hasValidPrimaryKeyBindingSignatureIfRequired -import org.pgpainless.signature.consumer.SignatureValidator.Companion.signatureDoesNotPredateSignee -import org.pgpainless.signature.consumer.SignatureValidator.Companion.signatureIsCertification -import org.pgpainless.signature.consumer.SignatureValidator.Companion.signatureIsEffective -import org.pgpainless.signature.consumer.SignatureValidator.Companion.signatureIsOfType -import org.pgpainless.signature.consumer.SignatureValidator.Companion.signatureStructureIsAcceptable -import org.pgpainless.signature.consumer.SignatureValidator.Companion.wasPossiblyMadeByKey - -/** - * Collection of static methods for signature verification. Signature verification entails - * validation of certain criteria (see [SignatureValidator]), as well as cryptographic verification - * of signature correctness. - */ -class SignatureVerifier { - - companion object { - - /** - * Verify a signature (certification or revocation) over a user-id. - * - * @param userId user-id - * @param signature certification signature - * @param signingKey key that created the certification - * @param keyWithUserId key carrying the user-id - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if signature verification is successful - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifySignatureOverUserId( - userId: CharSequence, - signature: PGPSignature, - signingKey: PGPPublicKey, - keyWithUserId: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - val type = SignatureType.fromCode(signature.signatureType) - return when (type) { - SignatureType.GENERIC_CERTIFICATION, - SignatureType.NO_CERTIFICATION, - SignatureType.CASUAL_CERTIFICATION, - SignatureType.POSITIVE_CERTIFICATION, - null -> - verifyUserIdCertification( - userId, signature, signingKey, keyWithUserId, policy, referenceTime) - SignatureType.CERTIFICATION_REVOCATION -> - verifyUserIdRevocation( - userId, signature, signingKey, keyWithUserId, policy, referenceTime) - else -> - throw SignatureValidationException( - "Signature is not a valid user-id certification/revocation signature: $type") - } - } - - /** - * Verify a certification self-signature over a user-id. - * - * @param userId user-id - * @param signature certification signature - * @param primaryKey primary key - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the self-signature is verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserIdCertification( - userId: CharSequence, - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - return verifyUserIdCertification( - userId, signature, primaryKey, primaryKey, policy, referenceTime) - } - - /** - * Verify a user-id certification. - * - * @param userId user-id - * @param signature certification signature - * @param signingKey key that created the certification - * @param keyWithUserId primary key that carries the user-id - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if signature verification is successful - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserIdCertification( - userId: CharSequence, - signature: PGPSignature, - signingKey: PGPPublicKey, - keyWithUserId: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - wasPossiblyMadeByKey(signingKey).verify(signature) - signatureIsCertification().verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature) - - return true - } - - /** - * Verify a user-id revocation self-signature. - * - * @param userId user-id - * @param signature user-id revocation signature - * @param primaryKey primary key - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the user-id revocation signature is successfully verified - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserIdRevocation( - userId: CharSequence, - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - return verifyUserIdRevocation( - userId, signature, primaryKey, primaryKey, policy, referenceTime) - } - - /** - * Verify a user-id revocation signature. - * - * @param userId user-id - * @param signature revocation signature - * @param signingKey key that created the revocation signature - * @param keyWithUserId primary key carrying the user-id - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the user-id revocation signature is successfully verified - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserIdRevocation( - userId: CharSequence, - signature: PGPSignature, - signingKey: PGPPublicKey, - keyWithUserId: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - wasPossiblyMadeByKey(signingKey).verify(signature) - signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature) - - return true - } - - /** - * Verify a certification self-signature over a user-attributes packet. - * - * @param userAttributes user attributes - * @param signature certification self-signature - * @param primaryKey primary key that carries the user-attributes - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserAttributesCertification( - userAttributes: PGPUserAttributeSubpacketVector, - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - return verifyUserAttributesCertification( - userAttributes, signature, primaryKey, primaryKey, policy, referenceTime) - } - - /** - * Verify a certification signature over a user-attributes packet. - * - * @param userAttributes user attributes - * @param signature certification signature - * @param signingKey key that created the user-attributes certification - * @param keyWithAttributes key that carries the user-attributes certification - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserAttributesCertification( - userAttributes: PGPUserAttributeSubpacketVector, - signature: PGPSignature, - signingKey: PGPPublicKey, - keyWithAttributes: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - wasPossiblyMadeByKey(signingKey).verify(signature) - signatureIsCertification().verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverUserAttributes(userAttributes, keyWithAttributes, signingKey) - .verify(signature) - - return true - } - - /** - * Verify a user-attributes revocation self-signature. - * - * @param userAttributes user-attributes - * @param signature user-attributes revocation signature - * @param primaryKey primary key that carries the user-attributes - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the revocation signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserAttributesRevocation( - userAttributes: PGPUserAttributeSubpacketVector, - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - return verifyUserAttributesRevocation( - userAttributes, signature, primaryKey, primaryKey, policy, referenceTime) - } - - /** - * Verify a user-attributes revocation signature. - * - * @param userAttributes user-attributes - * @param signature revocation signature - * @param signingKey revocation key - * @param keyWithAttributes key that carries the user-attributes - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the revocation signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUserAttributesRevocation( - userAttributes: PGPUserAttributeSubpacketVector, - signature: PGPSignature, - signingKey: PGPPublicKey, - keyWithAttributes: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - wasPossiblyMadeByKey(signingKey).verify(signature) - signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverUserAttributes(userAttributes, keyWithAttributes, signingKey) - .verify(signature) - - return true - } - - /** - * Verify a subkey binding signature. - * - * @param signature binding signature - * @param primaryKey primary key - * @param subkey subkey - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the binding signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifySubkeyBindingSignature( - signature: PGPSignature, - primaryKey: PGPPublicKey, - subkey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature) - signatureStructureIsAcceptable(primaryKey, policy).verify(signature) - signatureDoesNotPredateSignee(subkey).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, referenceTime) - .verify(signature) - correctSubkeyBindingSignature(primaryKey, subkey).verify(signature) - - return true - } - - /** - * Verify a subkey revocation signature. - * - * @param signature subkey revocation signature - * @param primaryKey primary key - * @param subkey subkey - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the subkey revocation signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifySubkeyBindingRevocation( - signature: PGPSignature, - primaryKey: PGPPublicKey, - subkey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature) - signatureStructureIsAcceptable(primaryKey, policy).verify(signature) - signatureDoesNotPredateSignee(subkey).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverKey(primaryKey, subkey).verify(signature) - - return true - } - - /** - * Verify a direct-key self-signature. - * - * @param signature signature - * @param primaryKey primary key - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the signature can be verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyDirectKeySignature( - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - return verifyDirectKeySignature( - signature, primaryKey, primaryKey, policy, referenceTime) - } - - /** - * Verify a direct-key signature. - * - * @param signature signature - * @param signingKey signing key - * @param signedKey signed key - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if signature verification is successful - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyDirectKeySignature( - signature: PGPSignature, - signingKey: PGPPublicKey, - signedKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureDoesNotPredateSignee(signedKey).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverKey(signingKey, signedKey).verify(signature) - - return true - } - - /** - * Verify a key revocation signature. - * - * @param signature signature - * @param primaryKey primary key - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if signature verification is successful - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyKeyRevocationSignature( - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature) - signatureStructureIsAcceptable(primaryKey, policy).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - correctSignatureOverKey(primaryKey, primaryKey).verify(signature) - - return true - } - - /** - * Initialize a signature and verify it afterwards by updating it with the signed data. - * - * @param signature OpenPGP signature - * @param signedData input stream containing the signed data - * @param signingKey the key that created the signature - * @param policy policy - * @param referenceTime reference date of signature verification - * @return true if the signature is successfully verified - * @throws SignatureValidationException if the signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyUninitializedSignature( - signature: PGPSignature, - signedData: InputStream, - signingKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey) - return verifyInitializedSignature(signature, signingKey, policy, referenceTime) - } - - /** - * Initialize a signature and then update it with the signed data from the given - * [InputStream]. - * - * @param signature OpenPGP signature - * @param signedData input stream containing signed data - * @param signingKey key that created the signature - * @throws SignatureValidationException in case the signature cannot be verified for some - * reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun initializeSignatureAndUpdateWithSignedData( - signature: PGPSignature, - signedData: InputStream, - signingKey: PGPPublicKey - ) { - try { - signature.init( - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), - signingKey, - ) - var read: Int - val buf = ByteArray(8192) - var lastByte: Byte = -1 - while (signedData.read(buf).also { read = it } != -1) { - // If we previously omitted a newline, but the stream is not yet empty, add it - // now - if (lastByte == '\n'.code.toByte()) { - signature.update(lastByte) - } - lastByte = buf[read - 1] - if (lastByte == '\n'.code.toByte()) { - // if last byte in buffer is newline, omit it for now - signature.update(buf, 0, read - 1) - } else { - // otherwise, write buffer as usual - signature.update(buf, 0, read) - } - } - } catch (e: PGPException) { - throw SignatureValidationException("Cannot init signature.", e) - } catch (e: IOException) { - throw SignatureValidationException("Cannot update signature.", e) - } - } - - /** - * Verify an initialized signature. An initialized signature was already updated with the - * signed data. - * - * @param signature OpenPGP signature - * @param signingKey key that created the signature - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if signature is verified successfully - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyInitializedSignature( - signature: PGPSignature, - signingKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - wasPossiblyMadeByKey(signingKey).verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureIsEffective(referenceTime).verify(signature) - - return try { - if (!signature.verify()) { - throw SignatureValidationException("Signature is not correct.") - } - true - } catch (e: PGPException) { - throw SignatureValidationException("Could not verify signature correctness.", e) - } - } - - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifyOnePassSignature( - signature: PGPSignature, - signingKey: PGPPublicKey, - onePassSignature: OnePassSignatureCheck, - policy: Policy - ): Boolean { - try { - wasPossiblyMadeByKey(signingKey).verify(signature) - signatureStructureIsAcceptable(signingKey, policy).verify(signature) - signatureIsEffective().verify(signature) - } catch (e: SignatureValidationException) { - throw SignatureValidationException("Signature is not valid: ${e.message}", e) - } - - try { - checkNotNull(onePassSignature.signature) { "No comparison signature provided." } - if (!onePassSignature.onePassSignature.verify(signature)) { - throw SignatureValidationException( - "Bad signature of key ${signingKey.keyID.openPgpKeyId()}") - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Could not verify correctness of One-Pass-Signature: ${e.message}", e) - } - - return true - } - - /** - * Verify a signature (certification or revocation) over a user-id. - * - * @param userId user-id - * @param signature self-signature - * @param primaryKey primary key that created the signature - * @param policy policy - * @param referenceTime reference date for signature verification - * @return true if the signature is successfully verified - * @throws SignatureValidationException if signature verification fails for some reason - */ - @JvmStatic - @Throws(SignatureValidationException::class) - fun verifySignatureOverUserId( - userId: CharSequence, - signature: PGPSignature, - primaryKey: PGPPublicKey, - policy: Policy, - referenceTime: Date - ): Boolean { - return verifySignatureOverUserId( - userId, signature, primaryKey, primaryKey, policy, referenceTime) - } - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java index 0cd74325..c0361f89 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java @@ -27,10 +27,8 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.Trustworthiness; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.consumer.SignatureVerifier; import org.pgpainless.signature.subpackets.CertificationSubpackets; import org.pgpainless.util.CollectionUtils; -import org.pgpainless.util.DateUtil; import javax.annotation.Nonnull; @@ -57,8 +55,7 @@ public class CertifyCertificateTest { assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.requireFromCode(signature.getSignatureType())); assertEquals(alice.getPrimaryKey().getPGPPublicKey().getKeyID(), signature.getKeyID()); - assertTrue(SignatureVerifier.verifyUserIdCertification( - bobUserId, signature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), api.getAlgorithmPolicy(), DateUtil.now())); + assertTrue(result.getCertifiedCertificate().getUserId("Bob ").getCertificationBy(alice).isValid()); OpenPGPCertificate bobCertified = result.getCertifiedCertificate(); PGPPublicKey bobCertifiedKey = bobCertified.getPrimaryKey().getPGPPublicKey(); @@ -99,8 +96,7 @@ public class CertifyCertificateTest { assertTrue(trustworthiness.isIntroducer()); assertFalse(trustworthiness.canIntroduce(1)); - assertTrue(SignatureVerifier.verifyDirectKeySignature( - pgpSignature, alice.getPrimaryKey().getPGPPublicKey(), bob.getPrimaryKey().getPGPPublicKey(), api.getAlgorithmPolicy(), DateUtil.now())); + assertTrue(result.getCertifiedCertificate().getDelegationBy(alice).isValid()); OpenPGPCertificate bobCertified = result.getCertifiedCertificate(); PGPPublicKey bobCertifiedKey = bobCertified.getPrimaryKey().getPGPPublicKey(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java index bf1ef550..c7b7ce6c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -4,18 +4,12 @@ package org.pgpainless.signature; -import static org.junit.jupiter.api.Assertions.assertThrows; - import java.io.IOException; import java.util.Date; +import java.util.List; import org.bouncycastle.bcpg.attr.ImageAttribute; -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureGenerator; -import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; -import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; +import org.bouncycastle.openpgp.*; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.api.OpenPGPKey; @@ -23,11 +17,11 @@ import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.signature.consumer.SignatureVerifier; + +import static org.junit.jupiter.api.Assertions.*; public class SignatureOverUserAttributesTest { @@ -53,6 +47,7 @@ public class SignatureOverUserAttributesTest { public void createAndVerifyUserAttributeCertification() throws PGPException, IOException { PGPainless api = PGPainless.getInstance(); OpenPGPKey secretKeys = TestKeys.getEmilKey(); + OpenPGPKey.OpenPGPSecretKey secretKey = secretKeys.getPrimarySecretKey(); OpenPGPCertificate.OpenPGPComponentKey publicKey = secretKey.getPublicKey(); OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); @@ -65,9 +60,12 @@ public class SignatureOverUserAttributesTest { PGPSignature signature = generator.generateCertification(attribute, publicKey.getPGPPublicKey()); PGPPublicKey pgpPublicKey = PGPPublicKey.addCertification(publicKey.getPGPPublicKey(), attribute, signature); - SignatureVerifier.verifyUserAttributesCertification(attribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date()); + pgpPublicKey = PGPPublicKey.addCertification(pgpPublicKey, invalidAttribute, signature); + OpenPGPCertificate withUserAttribute = api.toCertificate(PGPPublicKeyRing.insertPublicKey(secretKeys.getPGPPublicKeyRing(), pgpPublicKey)); + List identities = withUserAttribute.getIdentities(); - assertThrows(SignatureValidationException.class, () -> SignatureVerifier.verifyUserAttributesCertification(invalidAttribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date())); + assertTrue(identities.get(1).isBound()); // valid + assertFalse(identities.get(2).isBound()); // invalid } @Test @@ -86,9 +84,11 @@ public class SignatureOverUserAttributesTest { PGPSignature signature = generator.generateCertification(attribute, publicKey.getPGPPublicKey()); PGPPublicKey pgpPublicKey = PGPPublicKey.addCertification(publicKey.getPGPPublicKey(), attribute, signature); - SignatureVerifier.verifyUserAttributesRevocation(attribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date()); - assertThrows(SignatureValidationException.class, () -> - SignatureVerifier.verifyUserAttributesCertification( - invalidAttribute, signature, pgpPublicKey, api.getAlgorithmPolicy(), new Date())); + OpenPGPCertificate withRevocation = api.toCertificate(PGPPublicKeyRing.insertPublicKey(secretKeys.getPGPPublicKeyRing(), pgpPublicKey)); + List identities = withRevocation.getIdentities(); + OpenPGPCertificate.OpenPGPComponentSignature revocation = identities.get(1).getRevocation(new Date()); + revocation.verify(api.getImplementation()); + assertTrue(revocation.isRevocation()); + assertTrue(revocation.isTestedCorrect()); } } From 44c85fd1f49cc106557121c46f675f8ebb0953fa Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 31 Mar 2025 09:58:19 +0200 Subject: [PATCH 140/265] Remove unused SignatureValidator methods --- .../signature/consumer/SignatureValidator.kt | 472 ------------------ 1 file changed, 472 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt index 120f9d2b..bef545ea 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt @@ -7,23 +7,12 @@ package org.pgpainless.signature.consumer import java.util.Date import openpgp.formatUTC import openpgp.openPgpKeyId -import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature -import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector -import org.bouncycastle.openpgp.api.OpenPGPImplementation -import org.pgpainless.algorithm.SignatureSubpacket -import org.pgpainless.algorithm.SignatureType import org.pgpainless.bouncycastle.extensions.fingerprint -import org.pgpainless.bouncycastle.extensions.isOfType -import org.pgpainless.bouncycastle.extensions.publicKeyAlgorithm -import org.pgpainless.bouncycastle.extensions.signatureExpirationDate -import org.pgpainless.bouncycastle.extensions.signatureHashAlgorithm import org.pgpainless.exception.SignatureValidationException import org.pgpainless.key.OpenPgpFingerprint -import org.pgpainless.policy.Policy import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil -import org.pgpainless.util.NotationRegistry abstract class SignatureValidator { @@ -72,467 +61,6 @@ abstract class SignatureValidator { } } - /** - * Verify that a signature has an acceptable structure. - * - * @param signingKey signing key - * @param policy policy - * @return validator - */ - @JvmStatic - fun signatureStructureIsAcceptable( - signingKey: PGPPublicKey, - policy: Policy - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - signatureIsNotMalformed(signingKey).verify(signature) - if (signature.version >= 4) { - signatureDoesNotHaveCriticalUnknownNotations(policy.notationRegistry) - .verify(signature) - signatureDoesNotHaveCriticalUnknownSubpackets().verify(signature) - } - signatureUsesAcceptableHashAlgorithm(policy).verify(signature) - signatureUsesAcceptablePublicKeyAlgorithm(policy, signingKey).verify(signature) - } - } - } - - /** - * Verify that a signature was made using an acceptable [PublicKeyAlgorithm]. - * - * @param policy policy - * @param signingKey signing key - * @return validator - */ - @JvmStatic - fun signatureUsesAcceptablePublicKeyAlgorithm( - policy: Policy, - signingKey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (signingKey.bitStrength == -1) { - throw SignatureValidationException( - "Cannot determine bit strength of signing key.") - } - if (!policy.publicKeyAlgorithmPolicy.isAcceptable( - signingKey.publicKeyAlgorithm, signingKey.bitStrength)) { - throw SignatureValidationException( - "Signature was made using unacceptable key. " + - "${signingKey.publicKeyAlgorithm} (${signingKey.bitStrength} bits) is " + - "not acceptable according to the public key algorithm policy.") - } - } - } - } - - @JvmStatic - fun signatureUsesAcceptableHashAlgorithm(policy: Policy): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - try { - val algorithmPolicy = getHashAlgorithmPolicyForSignature(signature, policy) - if (!algorithmPolicy.isAcceptable( - signature.signatureHashAlgorithm, signature.creationTime)) { - throw SignatureValidationException( - "Signature uses unacceptable" + - " hash algorithm ${signature.signatureHashAlgorithm}" + - " (Signature creation time: ${signature.creationTime.formatUTC()})") - } - } catch (e: NoSuchElementException) { - throw SignatureValidationException( - "Signature uses unknown hash" + " algorithm ${signature.hashAlgorithm}") - } - } - } - } - - /** - * Return the applicable [Policy.HashAlgorithmPolicy] for the given [PGPSignature]. - * Revocation signatures are being policed using a different policy than non-revocation - * signatures. - * - * @param signature signature - * @param policy revocation policy for revocation sigs, normal policy for non-rev sigs - * @return policy - */ - @JvmStatic - private fun getHashAlgorithmPolicyForSignature( - signature: PGPSignature, - policy: Policy - ): Policy.HashAlgorithmPolicy { - return when (SignatureType.fromCode(signature.signatureType)) { - null -> policy.certificationSignatureHashAlgorithmPolicy - SignatureType.CERTIFICATION_REVOCATION, - SignatureType.KEY_REVOCATION, - SignatureType.SUBKEY_REVOCATION -> policy.revocationSignatureHashAlgorithmPolicy - SignatureType.GENERIC_CERTIFICATION, - SignatureType.NO_CERTIFICATION, - SignatureType.CASUAL_CERTIFICATION, - SignatureType.POSITIVE_CERTIFICATION, - SignatureType.DIRECT_KEY, - SignatureType.SUBKEY_BINDING, - SignatureType.PRIMARYKEY_BINDING -> policy.certificationSignatureHashAlgorithmPolicy - else -> policy.dataSignatureHashAlgorithmPolicy - } - } - - /** - * Verify that a signature does not carry critical unknown notations. - * - * @param registry notation registry of known notations - * @return validator - */ - @JvmStatic - fun signatureDoesNotHaveCriticalUnknownNotations( - registry: NotationRegistry - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - SignatureSubpacketsUtil.getHashedNotationData(signature) - .filter { it.isCritical && !registry.isKnownNotation(it.notationName) } - .forEach { - throw SignatureValidationException( - "Signature contains unknown critical notation '${it.notationName}' in its hashed area.") - } - } - } - } - - /** - * Verify that a signature does not contain critical unknown subpackets. - * - * @return validator - */ - @JvmStatic - fun signatureDoesNotHaveCriticalUnknownSubpackets(): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - signature.hashedSubPackets.criticalTags.forEach { - try { - SignatureSubpacket.requireFromCode(it) - } catch (e: NoSuchElementException) { - throw SignatureValidationException( - "Signature contains unknown critical subpacket of type 0x${Integer.toHexString(it)}") - } - } - } - } - } - - /** - * Verify that a signature is effective at the given reference date. - * - * @param referenceTime reference date for signature verification - * @return validator - */ - @JvmStatic - @JvmOverloads - fun signatureIsEffective(referenceTime: Date = Date()): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - signatureIsAlreadyEffective(referenceTime).verify(signature) - signatureIsNotYetExpired(referenceTime).verify(signature) - } - } - } - - /** - * Verify that a signature was created prior to the given reference date. - * - * @param referenceTime reference date for signature verification - * @return validator - */ - @JvmStatic - fun signatureIsAlreadyEffective(referenceTime: Date): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (signature.isHardRevocation) { - return - } - if (signature.creationTime > referenceTime) { - throw SignatureValidationException( - "Signature was created at ${signature.creationTime.formatUTC()} and" + - " is therefore not yet valid at ${referenceTime.formatUTC()}") - } - } - } - } - - /** - * Verify that a signature is not yet expired. - * - * @param referenceTime reference date for signature verification - * @return validator - */ - @JvmStatic - fun signatureIsNotYetExpired(referenceTime: Date): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (signature.isHardRevocation) { - return - } - val expirationDate = signature.signatureExpirationDate - if (expirationDate != null && expirationDate < referenceTime) { - throw SignatureValidationException( - "Signature is already expired " + - "(expiration: ${expirationDate.formatUTC()}," + - " validation: ${referenceTime.formatUTC()})") - } - } - } - } - - /** - * Verify that a signature is not malformed. A signature is malformed if it has no hashed - * creation time subpacket, it predates the creation time of the signing key, or it predates - * the creation date of the signing key binding signature. - * - * @param signingKey signing key - * @return validator - */ - @JvmStatic - fun signatureIsNotMalformed(signingKey: PGPPublicKey): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (signature.version >= 4) { - signatureHasHashedCreationTime().verify(signature) - } - signatureDoesNotPredateSigningKey(signingKey).verify(signature) - if (!signature.isOfType(SignatureType.PRIMARYKEY_BINDING)) { - signatureDoesNotPredateSigningKeyBindingDate(signingKey).verify(signature) - } - } - } - } - - @JvmStatic - fun signatureDoesNotPredateSignee(signee: PGPPublicKey): SignatureValidator { - return signatureDoesNotPredateKeyCreation(signee) - } - - /** - * Verify that a signature does not predate the creation time of the signing key. - * - * @param key signing key - * @return validator - */ - @JvmStatic - fun signatureDoesNotPredateSigningKey(signingKey: PGPPublicKey): SignatureValidator { - return signatureDoesNotPredateKeyCreation(signingKey) - } - - /** - * Verify that a signature does not predate the creation time of the given key. - * - * @param key key - * @return validator - */ - @JvmStatic - fun signatureDoesNotPredateKeyCreation(key: PGPPublicKey): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (key.creationTime > signature.creationTime) { - throw SignatureValidationException( - "Signature predates key" + - " (key creation: ${key.creationTime.formatUTC()}," + - " signature creation: ${signature.creationTime.formatUTC()})") - } - } - } - } - - /** - * Verify that a signature has a hashed creation time subpacket. - * - * @return validator - */ - @JvmStatic - fun signatureHasHashedCreationTime(): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (SignatureSubpacketsUtil.getSignatureCreationTime(signature) == null) { - throw SignatureValidationException( - "Malformed signature." + - "Signature has no signature creation time subpacket in its hashed area.") - } - } - } - } - - /** - * Verify that a signature does not predate the binding date of the signing key. - * - * @param signingKey signing key - * @return validator - */ - @JvmStatic - fun signatureDoesNotPredateSigningKeyBindingDate( - signingKey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (signingKey.isMasterKey) { - return - } - if (signingKey - .getSignaturesOfType(SignatureType.SUBKEY_BINDING.code) - .asSequence() - .map { - if (signature.creationTime < it.creationTime) { - throw SignatureValidationException( - "Signature was created " + - "before the signing key was bound to the certificate.") - } - } - .none()) { - throw SignatureValidationException( - "Signing subkey does not have a subkey binding signature.") - } - } - } - } - - /** - * Verify that a direct-key signature is correct. - * - * @param signingKey signing key - * @param signedKey signed key - * @return validator - */ - @JvmStatic - fun correctSignatureOverKey( - signingKey: PGPPublicKey, - signedKey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - try { - signature.init( - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), - signingKey) - val valid = - if (signingKey.keyID == signedKey.keyID || - signature.isOfType(SignatureType.DIRECT_KEY)) { - signature.verifyCertification(signedKey) - } else { - signature.verifyCertification(signingKey, signedKey) - } - if (!valid) { - throw SignatureValidationException("Signature is not correct.") - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Cannot verify direct-key signature correctness", e) - } catch (e: ClassCastException) { - throw SignatureValidationException( - "Cannot verify direct-key signature correctness", e) - } - } - } - } - - @JvmStatic - fun signatureIsCertification(): SignatureValidator { - return signatureIsOfType( - SignatureType.POSITIVE_CERTIFICATION, - SignatureType.CASUAL_CERTIFICATION, - SignatureType.GENERIC_CERTIFICATION, - SignatureType.NO_CERTIFICATION) - } - - /** - * Verify that a signature type equals one of the given [SignatureType]. - * - * @param signatureType one or more signature types - * @return validator - */ - @JvmStatic - fun signatureIsOfType(vararg signatureType: SignatureType): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - if (signatureType.none { signature.isOfType(it) }) { - throw SignatureValidationException( - "Signature is of type" + - " ${SignatureType.fromCode(signature.signatureType) ?: - ("0x" + signature.signatureType.toString(16))}, " + - "while only ${signatureType.contentToString()} are allowed here.") - } - } - } - } - - /** - * Verify that a signature over a user-id is correct. - * - * @param userId user-id - * @param certifiedKey key carrying the user-id - * @param certifyingKey key that created the signature. - * @return validator - */ - @JvmStatic - fun correctSignatureOverUserId( - userId: CharSequence, - certifiedKey: PGPPublicKey, - certifyingKey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - try { - signature.init( - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), - certifyingKey) - if (!signature.verifyCertification(userId.toString(), certifiedKey)) { - throw SignatureValidationException( - "Signature over user-id '$userId' is not valid.") - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Cannot verify signature over user-id '$userId'.", e) - } catch (e: ClassCastException) { - throw SignatureValidationException( - "Cannot verify signature over user-id '$userId'.", e) - } - } - } - } - - /** - * Verify that a signature over a user-attribute packet is correct. - * - * @param userAttributes user attributes - * @param certifiedKey key carrying the user-attributes - * @param certifyingKey key that created the certification signature - * @return validator - */ - @JvmStatic - fun correctSignatureOverUserAttributes( - userAttributes: PGPUserAttributeSubpacketVector, - certifiedKey: PGPPublicKey, - certifyingKey: PGPPublicKey - ): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - try { - signature.init( - OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(), - certifyingKey) - if (!signature.verifyCertification(userAttributes, certifiedKey)) { - throw SignatureValidationException( - "Signature over user-attributes is not correct.") - } - } catch (e: PGPException) { - throw SignatureValidationException( - "Cannot verify signature over user-attribute vector.", e) - } catch (e: ClassCastException) { - throw SignatureValidationException( - "Cannot verify signature over user-attribute vector.", e) - } - } - } - } - @JvmStatic fun signatureWasCreatedInBounds(notBefore: Date?, notAfter: Date?): SignatureValidator { return object : SignatureValidator() { From 797f421b27ac360ab7f19de87486e597c2fcbdf9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 31 Mar 2025 11:36:38 +0200 Subject: [PATCH 141/265] Remove SignatureValidator methods --- .../extensions/PGPSignatureExtensions.kt | 17 ++ .../OpenPgpMessageInputStream.kt | 17 +- .../signature/consumer/SignatureValidator.kt | 85 ------- .../SignatureOverUserAttributesTest.java | 11 +- .../SignatureWasPossiblyMadeByKeyTest.java | 213 ------------------ 5 files changed, 33 insertions(+), 310 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt index 428a0ee9..2b3d08c2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt @@ -5,6 +5,7 @@ package org.pgpainless.bouncycastle.extensions import java.util.* +import openpgp.formatUTC import openpgp.plusSeconds import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPPublicKey @@ -13,6 +14,7 @@ import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.PublicKeyAlgorithm import org.pgpainless.algorithm.RevocationState import org.pgpainless.algorithm.SignatureType +import org.pgpainless.exception.SignatureValidationException import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.util.RevocationAttributes.Reason import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil @@ -85,6 +87,21 @@ val PGPSignature.isHardRevocation else -> false // Not a revocation } +fun PGPSignature.assertCreatedInBounds(notBefore: Date?, notAfter: Date?) { + if (notBefore != null && creationTime < notBefore) { + throw SignatureValidationException( + "Signature was made before the earliest allowed signature creation time." + + " Created: ${creationTime.formatUTC()}," + + " earliest allowed: ${notBefore.formatUTC()}") + } + if (notAfter != null && creationTime > notAfter) { + throw SignatureValidationException( + "Signature was made after the latest allowed signature creation time." + + " Created: ${creationTime.formatUTC()}," + + " latest allowed: ${notAfter.formatUTC()}") + } +} + fun PGPSignature?.toRevocationState() = if (this == null) RevocationState.notRevoked() else if (isHardRevocation) RevocationState.hardRevoked() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index a959818b..68da867f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -41,6 +41,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.OpenPgpPacket import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm +import org.pgpainless.bouncycastle.extensions.assertCreatedInBounds import org.pgpainless.bouncycastle.extensions.getSecretKeyFor import org.pgpainless.bouncycastle.extensions.getSigningKeyFor import org.pgpainless.bouncycastle.extensions.issuerKeyId @@ -64,7 +65,6 @@ import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.protection.UnlockSecretKey.Companion.unlockSecretKey import org.pgpainless.signature.consumer.OnePassSignatureCheck -import org.pgpainless.signature.consumer.SignatureValidator import org.pgpainless.util.ArmoredInputStreamFactory import org.pgpainless.util.SessionKey import org.slf4j.LoggerFactory @@ -853,9 +853,8 @@ class OpenPgpMessageInputStream( check.onePassSignature.keyIdentifier)) try { - SignatureValidator.signatureWasCreatedInBounds( - options.getVerifyNotBefore(), options.getVerifyNotAfter()) - .verify(signature) + signature.assertCreatedInBounds( + options.getVerifyNotBefore(), options.getVerifyNotAfter()) if (documentSignature.verify(check.onePassSignature) && documentSignature.isValid(api.implementation.policy())) { layer.addVerifiedOnePassSignature(verification) @@ -971,9 +970,8 @@ class OpenPgpMessageInputStream( val verification = SignatureVerification(detached.signature, SubkeyIdentifier(detached.issuer)) try { - SignatureValidator.signatureWasCreatedInBounds( - options.getVerifyNotBefore(), options.getVerifyNotAfter()) - .verify(detached.signature) + detached.signature.assertCreatedInBounds( + options.getVerifyNotBefore(), options.getVerifyNotAfter()) if (!detached.verify()) { throw SignatureValidationException("Incorrect detached signature.") } else if (!detached.isValid(api.implementation.policy())) { @@ -993,9 +991,8 @@ class OpenPgpMessageInputStream( val verification = SignatureVerification(prepended.signature, SubkeyIdentifier(prepended.issuer)) try { - SignatureValidator.signatureWasCreatedInBounds( - options.getVerifyNotBefore(), options.getVerifyNotAfter()) - .verify(prepended.signature) + prepended.signature.assertCreatedInBounds( + options.getVerifyNotBefore(), options.getVerifyNotAfter()) if (prepended.verify() && prepended.isValid(api.implementation.policy())) { layer.addVerifiedPrependedSignature(verification) } else { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt deleted file mode 100644 index bef545ea..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidator.kt +++ /dev/null @@ -1,85 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import java.util.Date -import openpgp.formatUTC -import openpgp.openPgpKeyId -import org.bouncycastle.openpgp.PGPPublicKey -import org.bouncycastle.openpgp.PGPSignature -import org.pgpainless.bouncycastle.extensions.fingerprint -import org.pgpainless.exception.SignatureValidationException -import org.pgpainless.key.OpenPgpFingerprint -import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil - -abstract class SignatureValidator { - - @Throws(SignatureValidationException::class) abstract fun verify(signature: PGPSignature) - - companion object { - - /** - * Check, whether there is the possibility that the given signature was created by the given - * key. [verify] throws a [SignatureValidationException] if we can say with certainty that - * the signature was not created by the given key (e.g. if the sig carries another issuer, - * issuer fingerprint packet). - * - * If there is no information found in the signature about who created it (no issuer, no - * fingerprint), [verify] will simply return since it is plausible that the given key - * created the sig. - * - * @param signingKey signing key - * @return validator that throws a [SignatureValidationException] if the signature was not - * possibly made by the given key. - */ - @JvmStatic - fun wasPossiblyMadeByKey(signingKey: PGPPublicKey): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - val signingKeyFingerprint = OpenPgpFingerprint.of(signingKey) - val issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature) - - if (issuer != null) { - if (issuer != signingKey.keyID) { - throw SignatureValidationException( - "Signature was not created by" + - " $signingKeyFingerprint (signature issuer: ${issuer.openPgpKeyId()})") - } - } - - if (signature.fingerprint != null && - signature.fingerprint != signingKeyFingerprint) { - throw SignatureValidationException( - "Signature was not created by" + - " $signingKeyFingerprint (signature fingerprint: ${signature.fingerprint})") - } - } - - // No issuer information found, so we cannot rule out that we did not create the sig - } - } - - @JvmStatic - fun signatureWasCreatedInBounds(notBefore: Date?, notAfter: Date?): SignatureValidator { - return object : SignatureValidator() { - override fun verify(signature: PGPSignature) { - val timestamp = signature.creationTime - if (notBefore != null && timestamp < notBefore) { - throw SignatureValidationException( - "Signature was made before the earliest allowed signature creation time." + - " Created: ${timestamp.formatUTC()}," + - " earliest allowed: ${notBefore.formatUTC()}") - } - if (notAfter != null && timestamp > notAfter) { - throw SignatureValidationException( - "Signature was made after the latest allowed signature creation time." + - " Created: ${timestamp.formatUTC()}," + - " latest allowed: ${notAfter.formatUTC()}") - } - } - } - } - } -} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java index c7b7ce6c..19e4ef52 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -9,7 +9,13 @@ import java.util.Date; import java.util.List; import org.bouncycastle.bcpg.attr.ImageAttribute; -import org.bouncycastle.openpgp.*; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.api.OpenPGPKey; @@ -21,7 +27,8 @@ import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; public class SignatureOverUserAttributesTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java deleted file mode 100644 index ebd414bf..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java +++ /dev/null @@ -1,213 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature; - -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.junit.jupiter.api.Assertions.fail; - -import java.io.IOException; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSignature; -import org.junit.jupiter.api.Test; -import org.pgpainless.PGPainless; -import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.key.OpenPgpV4Fingerprint; -import org.pgpainless.signature.consumer.SignatureValidator; - -public class SignatureWasPossiblyMadeByKeyTest { - - public static PGPPublicKeyRing CERT; - public static PGPPublicKey SIGKEY; - public static PGPPublicKey NOSIGKEY; - static { - try { - CERT = PGPainless.readKeyRing().publicKeyRing("-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + - "Comment: Bob's OpenPGP certificate\n" + - "\n" + - "mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" + - "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" + - "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" + - "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" + - "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" + - "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" + - "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" + - "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" + - "vLIwa3T4CyshfT0AEQEAAbQhQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" + - "bGU+iQHOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx\n" + - "gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz\n" + - "XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO\n" + - "ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g\n" + - "9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF\n" + - "DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c\n" + - "ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1\n" + - "6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ\n" + - "ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo\n" + - "zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGuQGNBF2lnPIBDADW\n" + - "ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI\n" + - "DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+\n" + - "Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO\n" + - "baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT\n" + - "86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh\n" + - "827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6\n" + - "vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U\n" + - "qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A\n" + - "EQEAAYkBtgQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ\n" + - "EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS\n" + - "KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx\n" + - "cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i\n" + - "tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV\n" + - "dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w\n" + - "qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy\n" + - "jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj\n" + - "zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV\n" + - "NEJd3XZRzaXZE2aAMQ==\n" + - "=NXei\n" + - "-----END PGP PUBLIC KEY BLOCK-----\n"); - SIGKEY = CERT.getPublicKey(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330").getKeyId()); - NOSIGKEY = CERT.getPublicKey(new OpenPgpV4Fingerprint("1DDCE15F09217CEE2F3B37607C2FAA4DF93C37B2").getKeyId()); - } catch (IOException e) { - fail("Cannot parse certificate"); - } - } - - @Test - public void issuer() throws PGPException { - String sigWithIssuer = "-----BEGIN PGP SIGNATURE-----\n" + - "\n" + - "wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + - "cGdwLm9yZ41vMHyr0Q9WbEh89cDcZt1LU9wR1Li+3wXFW0I0Lv4qFiEE0aZuGiOx\n" + - "gsmYD3iM+/zIKgFeczAACgkQ+/zIKgFeczCN/Av+P/RqTj8hMDTsoQWggQS3EPmx\n" + - "5u43yp8JCNuIKiDwTy+civQpAsfWLKhwmHZqokPonMtVSvxH9RFry9x8MpaaQzag\n" + - "gNO2XwsFFpYa3ce/vjOHv+b9JGfPsSak6RvcPKV99AjqAnxDj93Q9od5DzmWo4jp\n" + - "i9zt1Kj1AGEgqg/tp9jmmIEJ6ZgjM1sAysyE2YFU0hc0xySKI8+pBk8YG3fj8Twq\n" + - "d6FDQ3CTvpApdrL5EKW3qW1K/vBvmck15GZOxAsiXaPoiIPDJPxBCy0koK7z/Z+0\n" + - "vCft+isreOB9B1b68iGdaET9W+bd0ODdZHTfi7KmtG1D8+Ep4oVL8IRuWmf2M1Z9\n" + - "qI93KxIYqanw0I5HDsfd/5IQ4X1ZD5hoMy+ICLKHQirQzyXL1tjYcw6NPJt0jAHR\n" + - "LNlerP+KD288SPzu7jymsRXfxp91F1n+UT8n7kG16YARBGhc7hen858EJXn9dtWi\n" + - "cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" + - "=4ZFC\n" + - "-----END PGP SIGNATURE-----"; - assertWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer)); - } - - @Test - public void hashedIssuer() throws PGPException { - String sigWithHashedIssuer = "-----BEGIN PGP SIGNATURE-----\n" + - "\n" + - "wsE7BAABCABvBYJgyf21CRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u\n" + - "cy5zZXF1b2lhLXBncC5vcmcQXJVlUI2e8ug0H1ekty9QUCLzgzv/H/U243WfBpJP\n" + - "PBYhBNGmbhojsYLJmA94jPv8yCoBXnMwAADK5Av/XIuS13XrduVk3V7a28Uz9ARz\n" + - "l2eHgOuSyM8IovCaWvO+L8KaCsFXVYUB0cHEHzH0QfyMapkVymsjLmqT5ULdwdKf\n" + - "HsPluhZQlgEzeS043/uoikBgGOF+u0hdsibVpW0TVp0vZgBpuD7raLQQ9eWymRUE\n" + - "dZ1dwWPc5OD3OV6jVwjNPoLy8yQaYLhfRser/h+pIFTL8XSqjPMDklN+oLnzZkvo\n" + - "A0OCupqpiDtrREmeTVKDkL0DJ0DM7qMky7oI1qB4i3Ryt7gMUzpy7nK6APosi5Rg\n" + - "vPuofxHle32pzaMDbBFQFcFYsXFdzmQdCcIx1myo6yrdkq4RMYXR20+cE+4R0pcQ\n" + - "JZhDFyx3d/7vloWXeXM9HT+asPVfub+HXPFkqvsFulogpo/Pr66Og6+fRc2FPPSO\n" + - "HmamWg1mMpzca8F35zZie1ICT7Qdef+aBcUb/7gwlv0Fd4FYWaIcleve4YtEacE/\n" + - "Q0Quxar3DOTtNNQVrXeoeIlVGue0pNCwg6abDj5N\n" + - "=IcX1\n" + - "-----END PGP SIGNATURE-----\n"; - assertWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer)); - } - - @Test - public void noIssuerNoFingerprint() throws PGPException { - String sigWithNoIssuerNoFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + - "\n" + - "wsEaBAABCABOBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + - "cGdwLm9yZ2T4siBf1CQ8wqT+oTCmxVm6OC+KC/kvqQdQ4AAGC68JAAC3Zwv/d70q\n" + - "hUeTJrMXGej1/FkNOSKyjVRnJusDEojc4eQ/+Ov8jdByj2Rcr44UH7ZICtWuR4gc\n" + - "ZrG9+DBFKgeuY6TawyBbTj3NU4IEOqihtn8RDBEXKIc91cW9BuqLyxvoUr432g6y\n" + - "7l7nyXf17kPx8E62BjOhUz0NuwRQ5c2pnIRDe37xX0519DMf9PaywTAgs4eZaKXd\n" + - "e1JLYvkd7BuMaT17VEggdRLM3GJGAJfZQ4+eoOmAzGRs1xGZrvcs2AH+OOzslU5l\n" + - "t2nR9N7BCLX0NZVIP5KpRzw/puIFBiFj7zrPb7CJqKb0UEK8qngukASlvzYZTjHA\n" + - "03qAeYqUj6LXTPNYlobPsGB0Srt2j7ycpeOYh6c3l7pKkvyaQL4QVawECMxsymu0\n" + - "iMrLtyuWclsBcRDezIHQqKHOhSeCLt67SJj2+fCa+7WgQdvBT//3McFVsWnLQJsq\n" + - "zVflI4b3E2kyhRgYK7f6jaa0OZ7BJRpQ3RRNk0Oq3rIYjysrwkbBG9N6tnCk\n" + - "=NdKQ\n" + - "-----END PGP SIGNATURE-----"; - - - assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint)); - } - - @Test - public void noIssuerUnhashedFingerprint() throws PGPException { - String sigWithNoIssuerUnhashedFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + - "\n" + - "wsExBAABCABOBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + - "cGdwLm9yZ3rfvSuqnA0bf1EQnEstGhA5DCtJi6DDcXnosObaXtDLABcWIQTRpm4a\n" + - "I7GCyZgPeIz7/MgqAV5zMHc4C/0b582atQFBFrSn+YAtDMPChnu/p4DKDXu3Ytxf\n" + - "X04TYV2+31MtndB4OMs0IMijWBpLkBFp57ozwIlos+y2gWAiJJ/uyLOzJNYPsEzA\n" + - "WVbEOrTgmelkc0sYFZlL0JcNsaCmpWjXuhNNulTj2svmwyNrD/3sO2G2hZcGqDDd\n" + - "zREX0Z8rEAssk4UxJVwOqmvhspWRDT3/UYpAA7sMQa3NtoLB0BM/+/mPG78fmSsP\n" + - "CmquP71TF3VdbW3zDdeq71apJbGgLdbEKVbwqU7IHtMk3DA469rT0NHdNVbQu0Mv\n" + - "nbNA43fNfaBbT7ApFQgnzBMF+nBc+HLCJQxq4uRBRX0i2eh+hgFM8VxX8miV1iCT\n" + - "o6NkMerueuXGFSGU37wGQQMdzOK13cW/Rp1DyFu3L0BSnFpykowdADmjAWhZYCMX\n" + - "6HAbz8mWRfNbNOahOtCVO3pojI8UiJ9ru7efTA/k3n06WYLndLcI3uW3Bn1F6/we\n" + - "7IQfGLcjtGngm993hPuCHrg/dnc=\n" + - "=LBou\n" + - "-----END PGP SIGNATURE-----\n"; - - assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint)); - } - - @Test - public void issuerMismatch() { - String sig = "-----BEGIN PGP SIGNATURE-----\n" + - "\n" + - "wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + - "cGdwLm9yZ41vMHyr0Q9WbEh89cDcZt1LU9wR1Li+3wXFW0I0Lv4qFiEE0aZuGiOx\n" + - "gsmYD3iM+/zIKgFeczAACgkQ+/zIKgFeczCN/Av+P/RqTj8hMDTsoQWggQS3EPmx\n" + - "5u43yp8JCNuIKiDwTy+civQpAsfWLKhwmHZqokPonMtVSvxH9RFry9x8MpaaQzag\n" + - "gNO2XwsFFpYa3ce/vjOHv+b9JGfPsSak6RvcPKV99AjqAnxDj93Q9od5DzmWo4jp\n" + - "i9zt1Kj1AGEgqg/tp9jmmIEJ6ZgjM1sAysyE2YFU0hc0xySKI8+pBk8YG3fj8Twq\n" + - "d6FDQ3CTvpApdrL5EKW3qW1K/vBvmck15GZOxAsiXaPoiIPDJPxBCy0koK7z/Z+0\n" + - "vCft+isreOB9B1b68iGdaET9W+bd0ODdZHTfi7KmtG1D8+Ep4oVL8IRuWmf2M1Z9\n" + - "qI93KxIYqanw0I5HDsfd/5IQ4X1ZD5hoMy+ICLKHQirQzyXL1tjYcw6NPJt0jAHR\n" + - "LNlerP+KD288SPzu7jymsRXfxp91F1n+UT8n7kG16YARBGhc7hen858EJXn9dtWi\n" + - "cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" + - "=4ZFC\n" + - "-----END PGP SIGNATURE-----"; - assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sig)); - } - - @Test - public void noIssuer_fingerprintMismatch() { - String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + - "\n" + - "wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + - "cGdwLm9yZ4LlavMh1EAlex0cmzIH6jHzRv9iaqLPdHi1pM7J65EzFiEE0aZuGiOx\n" + - "gsmYD3iM+/zIKgFeczAAAIMIC/0QkkD7RcvKUogLhENpeGrQnkGmVEBupHz6V8LR\n" + - "i/DtlIBNjTRAEwDHcDDfn0JkY9Zp3E4IkNN6cJ9o8vsZvOMu0v9qQKVDwhy6N0SM\n" + - "BAOCJ+rNkZlXIWM8wyRzt52TWG6CStU2bbLJAq3EeEkZ2+WupCAdsVax0qrWJxQf\n" + - "tcm2lLQrtCa3gvRtaGCnmW1jrpvkkNZyC/bOBAazr4aD5lgeVtP8Oq3SI32xGV6f\n" + - "zCSfctIxGz9ZxQGe/VGHmgExkQ6SCaF3JhHHgZt/FCmquIK/IV5WIYAidWmFtQYI\n" + - "26jVUVUgNHU7Oxagx/55ZXUAMPIspO+J0HOLCpVQUTABBumhgwF6JkVnIn8ZO+vn\n" + - "GXIkZXQIK1Hx7M4xFYgJjva2ZwxCsENmtDp8FKyeTjq5QTU4Q1WSpJH6KVSpqCVM\n" + - "hyYvz7nf+kWf5Gm/Z0yGlkDhFnj3th4tUyytvypKgWeZu/1/0+Lfs293OrjjygCW\n" + - "lMirZ5N3oGYyNH4DQMJ1jeMwdbg=\n" + - "=A/zE\n" + - "-----END PGP SIGNATURE-----\n"; - - assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint)); - } - - private PGPSignature get(String encoded) { - return SignatureUtils.readSignatures(encoded).get(0); - } - - private void assertWasPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) throws SignatureValidationException { - SignatureValidator.wasPossiblyMadeByKey(signatureKey).verify(signature); - } - - private void assertWasNotPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) { - assertThrows(SignatureValidationException.class, () -> assertWasPossiblyMadeByKey(signatureKey, signature)); - } - -} From 4260ed7969e09b4e7446bf028aae70ab21d2bee4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 31 Mar 2025 11:46:50 +0200 Subject: [PATCH 142/265] IntegrityProtectedInputStream: remove useless logger --- .../IntegrityProtectedInputStream.kt | 8 -------- 1 file changed, 8 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.kt index 4618882c..3b215669 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.kt @@ -9,8 +9,6 @@ import java.io.InputStream import org.bouncycastle.openpgp.PGPEncryptedData import org.bouncycastle.openpgp.PGPException import org.pgpainless.exception.ModificationDetectionException -import org.slf4j.Logger -import org.slf4j.LoggerFactory class IntegrityProtectedInputStream( private val inputStream: InputStream, @@ -30,15 +28,9 @@ class IntegrityProtectedInputStream( if (encryptedData.isIntegrityProtected && !options.isIgnoreMDCErrors()) { try { if (!encryptedData.verify()) throw ModificationDetectionException() - LOGGER.debug("Integrity Protection check passed.") } catch (e: PGPException) { throw IOException("Data appears to not be integrity protected.", e) } } } - - companion object { - @JvmStatic - val LOGGER: Logger = LoggerFactory.getLogger(IntegrityProtectedInputStream::class.java) - } } From 6273f93d598e99939760fcef1923a24a78cdc0d9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:13:21 +0200 Subject: [PATCH 143/265] Migrate some tests to new API --- .../RoundTripEncryptDecryptCmdTest.java | 22 +++++----- .../SecretKeyRingProtectorTest.java | 43 ++++++++----------- 2 files changed, 29 insertions(+), 36 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java index e4fd9e0c..bafc19e9 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java @@ -12,8 +12,8 @@ import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; @@ -295,13 +295,13 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { @Test public void testEncryptWithIncapableCert() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.buildKey() .addUserId("No Crypt ") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) - .build() - .getPGPSecretKeyRing(); - PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys); + .build(); + OpenPGPCertificate cert = key.toCertificate(); File certFile = writeFile("cert.pgp", cert.getEncoded()); pipeStringToStdin("Hello, World!\n"); @@ -315,15 +315,15 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { @Test public void testSignWithIncapableKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.buildKey() .addUserId("Cannot Sign ") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder( KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build() - .getPGPSecretKeyRing(); - File keyFile = writeFile("key.pgp", secretKeys.getEncoded()); - File certFile = writeFile("cert.pgp", PGPainless.extractCertificate(secretKeys).getEncoded()); + .build(); + File keyFile = writeFile("key.pgp", key.getEncoded()); + File certFile = writeFile("cert.pgp", key.toCertificate().getEncoded()); pipeStringToStdin("Hello, World!\n"); ByteArrayOutputStream out = pipeStdoutToStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index d1b585a1..1b0e404c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -17,9 +17,7 @@ import java.util.concurrent.ConcurrentHashMap; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestTemplate; @@ -37,22 +35,18 @@ public class SecretKeyRingProtectorTest { public void testUnlockAllKeysWithSamePassword() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + OpenPGPKey key = TestKeys.getCryptieKey(); SecretKeyRingProtector protector = - SecretKeyRingProtector.unlockEachKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKeys); - for (PGPSecretKey secretKey : secretKeys) { - PBESecretKeyDecryptor decryptor = protector.getDecryptor(secretKey.getKeyIdentifier()); - assertNotNull(decryptor); - secretKey.extractPrivateKey(decryptor); + SecretKeyRingProtector.unlockEachKeyWith(TestKeys.CRYPTIE_PASSPHRASE, key); + for (OpenPGPKey.OpenPGPSecretKey secretKey : key.getSecretKeys().values()) { + assertNotNull(secretKey.unlock(protector)); } - PGPSecretKeyRing unrelatedKeys = PGPainless.generateKeyRing().simpleEcKeyRing("unrelated", - "SecurePassword") - .getPGPSecretKeyRing(); - for (PGPSecretKey unrelatedKey : unrelatedKeys) { - PBESecretKeyDecryptor decryptor = protector.getDecryptor(unrelatedKey.getKeyIdentifier()); - assertNull(decryptor); - assertThrows(PGPException.class, - () -> unrelatedKey.extractPrivateKey(protector.getDecryptor(unrelatedKey.getKeyIdentifier()))); + + OpenPGPKey unrelatedKey = PGPainless.getInstance().generateKey() + .simpleEcKeyRing("unrelated", + "SecurePassword"); + for (OpenPGPKey.OpenPGPSecretKey k : unrelatedKey.getSecretKeys().values()) { + assertThrows(PGPException.class, () -> k.unlock(protector)); } } @@ -70,16 +64,15 @@ public class SecretKeyRingProtectorTest { @ExtendWith(TestAllImplementations.class) public void testUnlockSingleKeyWithPassphrase() throws IOException, PGPException { - - PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); - Iterator iterator = secretKeys.iterator(); - PGPSecretKey secretKey = iterator.next(); - PGPSecretKey subKey = iterator.next(); + OpenPGPKey secretKeys = TestKeys.getCryptieKey(); + Iterator iterator = secretKeys.getSecretKeys().values().iterator(); + OpenPGPKey.OpenPGPSecretKey key = iterator.next(); + OpenPGPKey.OpenPGPSecretKey subKey = iterator.next(); SecretKeyRingProtector protector = - SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKey); - assertNotNull(protector.getDecryptor(secretKey.getKeyIdentifier())); - assertNotNull(protector.getEncryptor(secretKey.getPublicKey())); + SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, key); + assertNotNull(protector.getDecryptor(key.getKeyIdentifier())); + assertNotNull(protector.getEncryptor(key.getPublicKey())); assertNull(protector.getEncryptor(subKey.getPublicKey())); assertNull(protector.getDecryptor(subKey.getKeyIdentifier())); } From 5e3f6a1d47f19428d84a39ffe49164185f094da0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:16:42 +0200 Subject: [PATCH 144/265] Migrate GenerateKeyWithoutUserIdTest --- .../generation/GenerateKeyWithoutUserIdTest.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java index a42146dc..24fb8088 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java @@ -5,8 +5,8 @@ package org.pgpainless.key.generation; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.JUtils; import org.junit.jupiter.api.Test; @@ -42,17 +42,17 @@ public class GenerateKeyWithoutUserIdTest { @Test public void generateKeyWithoutUserId() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); Date now = new Date(); Date expirationDate = TestTimeFrameProvider.defaultExpirationForCreationDate(now); - PGPSecretKeyRing secretKey = PGPainless.buildKeyRing() + OpenPGPKey secretKey = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER).setKeyCreationDate(now)) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA).setKeyCreationDate(now)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).setKeyCreationDate(now)) .setExpirationDate(expirationDate) - .build() - .getPGPSecretKeyRing(); + .build(); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo info = api.inspect(secretKey); assertNull(info.getPrimaryUserId()); assertTrue(info.getUserIds().isEmpty()); JUtils.assertDateEquals(expirationDate, info.getPrimaryKeyExpirationDate()); @@ -60,9 +60,9 @@ public class GenerateKeyWithoutUserIdTest { InputStream plaintextIn = new ByteArrayInputStream("Hello, World!\n".getBytes()); ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); + OpenPGPCertificate certificate = secretKey.toCertificate(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(ciphertextOut) .withOptions(ProducerOptions.signAndEncrypt( EncryptionOptions.get() From 2a0e4e1d2d2e684405689c47aba99e13781ae9b5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:33:08 +0200 Subject: [PATCH 145/265] generate-key: Use API instance when generating keys --- .../src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index ca9cb98a..3d914946 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -92,7 +92,7 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { val keyBuilder: KeyRingBuilder = when (profile) { CURVE25519_PROFILE.name -> - PGPainless.buildKeyRing() + api.buildKey() .setPrimaryKey( KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), @@ -110,7 +110,7 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { } } RSA4096_PROFILE.name -> { - PGPainless.buildKeyRing() + api.buildKey() .setPrimaryKey( KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), KeyFlag.CERTIFY_OTHER)) .addSubkey( From 0450e0cb811290a2d6bf2cfb4396cbccdfb4cbe9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:33:18 +0200 Subject: [PATCH 146/265] Port ExtractCertCmdTest --- .../cli/commands/ExtractCertCmdTest.java | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java index 801b654d..45b20084 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java @@ -12,8 +12,8 @@ import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; @@ -22,6 +22,8 @@ import sop.exception.SOPGPException; public class ExtractCertCmdTest extends CLITest { + private final PGPainless api = PGPainless.getInstance(); + public ExtractCertCmdTest() { super(LoggerFactory.getLogger(ExtractCertCmdTest.class)); } @@ -29,18 +31,17 @@ public class ExtractCertCmdTest extends CLITest { @Test public void testExtractCert() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .simpleEcKeyRing("Juliet Capulet ") - .getPGPSecretKeyRing(); + OpenPGPKey key = api.generateKey() + .simpleEcKeyRing("Juliet Capulet "); - pipeBytesToStdin(secretKeys.getEncoded()); + pipeBytesToStdin(key.getEncoded()); ByteArrayOutputStream out = pipeStdoutToStream(); assertSuccess(executeCommand("extract-cert", "--armor")); assertTrue(out.toString().startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\n")); - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(out.toByteArray()); - KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys); + OpenPGPCertificate certificate = api.readKey().parseCertificate(out.toByteArray()); + KeyRingInfo info = api.inspect(certificate); assertFalse(info.isSecretKey()); assertTrue(info.isUserIdValid("Juliet Capulet ")); } From c1c54be25978f447b9bf13c4f92079be03130273 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:39:57 +0200 Subject: [PATCH 147/265] Port PGPPublicKeyRingTest --- .../bouncycastle/PGPPublicKeyRingTest.java | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java index ac909383..1fb624f6 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java @@ -4,7 +4,6 @@ package org.bouncycastle; -import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -12,15 +11,16 @@ import java.util.Iterator; import java.util.List; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.util.CollectionUtils; public class PGPPublicKeyRingTest { + private final PGPainless api = PGPainless.getInstance(); + /** * Learning test to see if BC also makes userids available on subkeys. * It does not. @@ -29,15 +29,10 @@ public class PGPPublicKeyRingTest { */ @Test public void subkeysDoNotHaveUserIDsTest() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("primary@user.id") - .getPGPSecretKeyRing(); - PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); - PGPPublicKey primaryKey = publicKeys.getPublicKey(); - for (PGPPublicKey subkey : publicKeys) { - Iterator userIds = subkey.getUserIDs(); - if (primaryKey == subkey) { - assertEquals("primary@user.id", userIds.next()); - } + OpenPGPKey key = api.generateKey().simpleEcKeyRing("primary@user.id"); + OpenPGPCertificate certificate = key.toCertificate(); + for (OpenPGPCertificate.OpenPGPComponentKey subkey : certificate.getSubkeys().values()) { + Iterator userIds = subkey.getPGPPublicKey().getUserIDs(); assertFalse(userIds.hasNext()); } } @@ -45,14 +40,13 @@ public class PGPPublicKeyRingTest { @Test public void removeUserIdTest() { String userId = "alice@wonderland.lit"; - PGPSecretKeyRing secretKeyRing = PGPainless.generateKeyRing().simpleEcKeyRing(userId) - .getPGPSecretKeyRing(); - PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeyRing); + OpenPGPKey key = api.generateKey().simpleEcKeyRing(userId); + OpenPGPCertificate certificate = key.toCertificate(); + PGPPublicKey publicKey = certificate.getPrimaryKey().getPGPPublicKey(); - List userIds = CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()); + List userIds = CollectionUtils.iteratorToList(publicKey.getUserIDs()); assertTrue(userIds.contains(userId)); - PGPPublicKey publicKey = publicKeys.getPublicKey(); publicKey = PGPPublicKey.removeCertification(publicKey, userId); userIds = CollectionUtils.iteratorToList(publicKey.getUserIDs()); From 9204df53436b484658b84d8d0e5ef2a8a5c1a8eb Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:43:42 +0200 Subject: [PATCH 148/265] Port GenerateKeys examples --- .../org/pgpainless/example/GenerateKeys.java | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index ddd74cb1..125400c5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -7,6 +7,7 @@ package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertTrue; +import java.io.IOException; import java.util.Date; import org.bouncycastle.openpgp.api.OpenPGPCertificate; @@ -31,7 +32,7 @@ import org.pgpainless.util.Passphrase; /** * This class demonstrates how to use PGPainless to generate secret keys. - * In general the starting point for generating secret keys using PGPainless is {@link PGPainless#generateKeyRing()}. + * In general the starting point for generating secret keys using PGPainless is {@link PGPainless#generateKey()}. * The result ({@link org.pgpainless.key.generation.KeyRingBuilder}) provides some factory methods for key archetypes * such as {@link org.pgpainless.key.generation.KeyRingTemplates#modernKeyRing(CharSequence, String)} or * {@link org.pgpainless.key.generation.KeyRingTemplates#simpleRsaKeyRing(CharSequence, RsaLength)}. @@ -52,22 +53,23 @@ public class GenerateKeys { * This is the recommended way to generate OpenPGP keys with PGPainless. */ @Test - public void generateModernEcKey() { + public void generateModernEcKey() throws IOException { + PGPainless api = PGPainless.getInstance(); // Define a primary user-id String userId = "gbaker@pgpainless.org"; // Set a password to protect the secret key String password = "ra1nb0w"; // Generate the OpenPGP key - OpenPGPKey secretKey = PGPainless.generateKeyRing() + OpenPGPKey key = api.generateKey() .modernKeyRing(userId, password); // Extract public key - OpenPGPCertificate publicKey = secretKey.toCertificate(); + OpenPGPCertificate certificate = key.toCertificate(); // Encode the public key to an ASCII armored string ready for sharing - String asciiArmoredPublicKey = PGPainless.asciiArmor(publicKey); + String asciiArmoredPublicKey = certificate.toAsciiArmoredString(); assertTrue(asciiArmoredPublicKey.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")); - KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo keyInfo = api.inspect(key); assertEquals(3, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); assertEquals(PublicKeyAlgorithm.EDDSA_LEGACY.getAlgorithmId(), @@ -86,15 +88,16 @@ public class GenerateKeys { */ @Test public void generateSimpleRSAKey() { + PGPainless api = PGPainless.getInstance(); // Define a primary user-id String userId = "mpage@pgpainless.org"; // Set a password to protect the secret key String password = "b1angl3s"; // Generate the OpenPGP key - OpenPGPKey secretKey = PGPainless.generateKeyRing() + OpenPGPKey secretKey = api.generateKey() .simpleRsaKeyRing(userId, RsaLength._4096, password); - KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo keyInfo = api.inspect(secretKey); assertEquals(1, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); assertEquals(PublicKeyAlgorithm.RSA_GENERAL.getAlgorithmId(), keyInfo.getAlgorithm().getAlgorithmId()); @@ -109,16 +112,17 @@ public class GenerateKeys { */ @Test public void generateSimpleECKey() { + PGPainless api = PGPainless.getInstance(); // Define a primary user-id String userId = "mhelms@pgpainless.org"; // Set a password to protect the secret key String password = "tr4ns"; // Generate the OpenPGP key - OpenPGPKey secretKey = PGPainless.generateKeyRing() + OpenPGPKey secretKey = api.generateKey() .simpleEcKeyRing(userId, password); - KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo keyInfo = api.inspect(secretKey); assertEquals(2, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); } @@ -160,6 +164,7 @@ public class GenerateKeys { */ @Test public void generateCustomOpenPGPKey() { + PGPainless api = PGPainless.getInstance(); // Instead of providing a string, we can assemble a user-id by using the user-id builder. // The example below corresponds to "Morgan Carpenter (Pride!) " UserId userId = UserId.builder() @@ -172,7 +177,7 @@ public class GenerateKeys { // It is recommended to use the Passphrase class, as it can be used to safely invalidate passwords from memory Passphrase passphrase = Passphrase.fromPassword("1nters3x"); - OpenPGPKey secretKey = PGPainless.buildKeyRing() + OpenPGPKey secretKey = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags KeyFlag.CERTIFY_OTHER)) @@ -205,7 +210,7 @@ public class GenerateKeys { .build(); - KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo keyInfo = api.inspect(secretKey); assertEquals(3, keyInfo.getSecretKeys().size()); assertEquals("Morgan Carpenter (Pride!) ", keyInfo.getPrimaryUserId()); assertTrue(keyInfo.isUserIdValid(additionalUserId)); From 9894524e332c392a717902d2297e6d5e268852b2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:44:43 +0200 Subject: [PATCH 149/265] Port ConvertKeys example --- .../src/test/java/org/pgpainless/example/ConvertKeys.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index d44d4db2..8e6d20b3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -20,17 +20,17 @@ public class ConvertKeys { */ @Test public void secretKeyToCertificate() { + PGPainless api = PGPainless.getInstance(); String userId = "alice@wonderland.lit"; - OpenPGPKey secretKey = PGPainless.generateKeyRing() + OpenPGPKey secretKey = api.generateKey() .modernKeyRing(userId); // Extract certificate (public key) from secret key OpenPGPCertificate certificate = secretKey.toCertificate(); - - KeyRingInfo secretKeyInfo = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo secretKeyInfo = api.inspect(secretKey); assertTrue(secretKeyInfo.isSecretKey()); - KeyRingInfo certificateInfo = PGPainless.inspectKeyRing(certificate); + KeyRingInfo certificateInfo = api.inspect(certificate); assertFalse(certificateInfo.isSecretKey()); } } From 0152a69d0e3389f6f3eb98d1353f86ee96681abf Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 14:52:48 +0200 Subject: [PATCH 150/265] Remove API instance parameter from ProducerOptions --- .../encryption_signing/EncryptionStream.kt | 2 +- .../encryption_signing/ProducerOptions.kt | 39 +++++++------------ .../encryption_signing/SigningTest.java | 9 ++--- .../java/org/pgpainless/example/Sign.java | 17 ++++---- ...upidAlgorithmPreferenceEncryptionTest.java | 3 +- .../org/pgpainless/sop/DetachedSignImpl.kt | 2 +- .../kotlin/org/pgpainless/sop/EncryptImpl.kt | 4 +- .../org/pgpainless/sop/InlineSignImpl.kt | 2 +- 8 files changed, 33 insertions(+), 45 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index 322cf24d..67a83093 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -106,7 +106,7 @@ class EncryptionStream( @Throws(IOException::class) private fun prepareCompression() { - options.negotiateCompressionAlgorithm().let { + options.negotiateCompressionAlgorithm(api.algorithmPolicy).let { resultBuilder.setCompressionAlgorithm(it) compressedDataGenerator = PGPCompressedDataGenerator(it.algorithmId) if (it == CompressionAlgorithm.UNCOMPRESSED) return diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt index 1bb99433..b58c6e78 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt @@ -6,14 +6,13 @@ package org.pgpainless.encryption_signing import java.util.* import org.bouncycastle.openpgp.PGPLiteralData -import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding +import org.pgpainless.policy.Policy class ProducerOptions( val encryptionOptions: EncryptionOptions?, - val signingOptions: SigningOptions?, - val api: PGPainless + val signingOptions: SigningOptions? ) { private var _fileName: String = "" @@ -24,8 +23,8 @@ class ProducerOptions( private var _hideArmorHeaders = false var isDisableAsciiArmorCRC = false - private var _compressionAlgorithmOverride: CompressionAlgorithm = - api.algorithmPolicy.compressionAlgorithmPolicy.defaultCompressionAlgorithm + private var _compressionAlgorithmOverride: CompressionAlgorithm? = null + private var asciiArmor = true private var _comment: String? = null private var _version: String? = null @@ -219,7 +218,7 @@ class ProducerOptions( _compressionAlgorithmOverride = compressionAlgorithm } - val compressionAlgorithmOverride: CompressionAlgorithm + val compressionAlgorithmOverride: CompressionAlgorithm? get() = _compressionAlgorithmOverride val isHideArmorHeaders: Boolean @@ -237,8 +236,9 @@ class ProducerOptions( _hideArmorHeaders = hideArmorHeaders } - internal fun negotiateCompressionAlgorithm(): CompressionAlgorithm { + internal fun negotiateCompressionAlgorithm(policy: Policy): CompressionAlgorithm { return compressionAlgorithmOverride + ?: policy.compressionAlgorithmPolicy.defaultCompressionAlgorithm } companion object { @@ -249,13 +249,11 @@ class ProducerOptions( * @param signingOptions signing options * @return builder */ - @JvmOverloads @JvmStatic fun signAndEncrypt( encryptionOptions: EncryptionOptions, - signingOptions: SigningOptions, - api: PGPainless = PGPainless.getInstance() - ): ProducerOptions = ProducerOptions(encryptionOptions, signingOptions, api) + signingOptions: SigningOptions + ): ProducerOptions = ProducerOptions(encryptionOptions, signingOptions) /** * Sign some data without encryption. @@ -263,12 +261,9 @@ class ProducerOptions( * @param signingOptions signing options * @return builder */ - @JvmOverloads @JvmStatic - fun sign( - signingOptions: SigningOptions, - api: PGPainless = PGPainless.getInstance() - ): ProducerOptions = ProducerOptions(null, signingOptions, api) + fun sign(signingOptions: SigningOptions): ProducerOptions = + ProducerOptions(null, signingOptions) /** * Encrypt some data without signing. @@ -276,21 +271,15 @@ class ProducerOptions( * @param encryptionOptions encryption options * @return builder */ - @JvmOverloads @JvmStatic - fun encrypt( - encryptionOptions: EncryptionOptions, - api: PGPainless = PGPainless.getInstance() - ): ProducerOptions = ProducerOptions(encryptionOptions, null, api) + fun encrypt(encryptionOptions: EncryptionOptions): ProducerOptions = + ProducerOptions(encryptionOptions, null) /** * Only wrap the data in an OpenPGP packet. No encryption or signing will be applied. * * @return builder */ - @JvmOverloads - @JvmStatic - fun noEncryptionNoSigning(api: PGPainless = PGPainless.getInstance()): ProducerOptions = - ProducerOptions(null, null, api) + @JvmStatic fun noEncryptionNoSigning(): ProducerOptions = ProducerOptions(null, null) } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 0f10f71d..b1c1191d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -66,8 +66,7 @@ public class SigningTest { .addRecipient(cryptieKey.toCertificate()), SigningOptions.get(api).addInlineSignature( SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, cryptieSigningKey), - cryptieKey, TestKeys.CRYPTIE_UID, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT), - api + cryptieKey, TestKeys.CRYPTIE_UID, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) ).setAsciiArmor(true)); byte[] messageBytes = "This message is signed and encrypted to Romeo and Juliet." @@ -159,7 +158,7 @@ public class SigningTest { String data = "Hello, World!\n"; EncryptionStream signer = api.generateMessage() .onOutputStream(new ByteArrayOutputStream()) - .withOptions(ProducerOptions.sign(options, api)); + .withOptions(ProducerOptions.sign(options)); Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); signer.close(); @@ -192,7 +191,7 @@ public class SigningTest { String data = "Hello, World!\n"; EncryptionStream signer = api.generateMessage() .onOutputStream(new ByteArrayOutputStream()) - .withOptions(ProducerOptions.sign(options, api)); + .withOptions(ProducerOptions.sign(options)); Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); signer.close(); @@ -223,7 +222,7 @@ public class SigningTest { String data = "Hello, World!\n"; EncryptionStream signer = api.generateMessage() .onOutputStream(new ByteArrayOutputStream()) - .withOptions(ProducerOptions.sign(options, api)); + .withOptions(ProducerOptions.sign(options)); Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); signer.close(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index cef4850a..8d1320f5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -32,12 +32,13 @@ import org.pgpainless.util.ArmorUtils; public class Sign { - private static OpenPGPKey secretKey; + private static OpenPGPKey key; private static SecretKeyRingProtector protector; + private static final PGPainless api = PGPainless.getInstance(); @BeforeAll public static void prepare() { - secretKey = PGPainless.generateKeyRing() + key = api.generateKey() .modernKeyRing("Emilia Example "); protector = SecretKeyRingProtector.unprotectedKeys(); // no password } @@ -51,10 +52,10 @@ public class Sign { String message = "\"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof."; InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = api.generateMessage() .onOutputStream(signedOut) - .withOptions(ProducerOptions.sign(SigningOptions.get() - .addSignature(protector, secretKey)) + .withOptions(ProducerOptions.sign(SigningOptions.get(api) + .addSignature(protector, key)) ); Streams.pipeAll(messageIn, signingStream); @@ -84,7 +85,7 @@ public class Sign { EncryptionStream signingStream = PGPainless.encryptAndOrSign() .onOutputStream(ignoreMe) .withOptions(ProducerOptions.sign(SigningOptions.get() - .addDetachedSignature(protector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) + .addDetachedSignature(protector, key, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) .setAsciiArmor(false) ); @@ -93,7 +94,7 @@ public class Sign { EncryptionResult result = signingStream.getResult(); - OpenPGPCertificate.OpenPGPComponentKey signingKey = PGPainless.inspectKeyRing(secretKey).getSigningSubkeys().get(0); + OpenPGPCertificate.OpenPGPComponentKey signingKey = PGPainless.inspectKeyRing(key).getSigningSubkeys().get(0); PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(signingKey)).iterator().next(); String detachedSignature = ArmorUtils.toAsciiArmoredString(signature.getEncoded()); @@ -128,7 +129,7 @@ public class Sign { EncryptionStream signingStream = PGPainless.encryptAndOrSign() .onOutputStream(signedOut) .withOptions(ProducerOptions.sign(SigningOptions.get() - .addDetachedSignature(protector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) // Human-readable text document + .addDetachedSignature(protector, key, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) // Human-readable text document .setCleartextSigned() // <- Explicitly use Cleartext Signature Framework!!! ); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java index 85d0c89d..bf93fe7a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java @@ -107,8 +107,7 @@ public class StupidAlgorithmPreferenceEncryptionTest { EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.encrypt( - EncryptionOptions.get(api).addRecipient(certificate), - api + EncryptionOptions.get(api).addRecipient(certificate) )); encryptionStream.write("Hello".getBytes(StandardCharsets.UTF_8)); diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt index 26548c89..54c61aae 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt @@ -58,7 +58,7 @@ class DetachedSignImpl(private val api: PGPainless) : DetachedSign { api.generateMessage() .discardOutput() .withOptions( - ProducerOptions.sign(signingOptions, api) + ProducerOptions.sign(signingOptions) .setAsciiArmor(armor) .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt index 556a9490..bacd53e9 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt @@ -57,9 +57,9 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { val options = if (signingOptions != null) { - ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions!!, api) + ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions!!) } else { - ProducerOptions.encrypt(encryptionOptions, api) + ProducerOptions.encrypt(encryptionOptions) } .setAsciiArmor(armor) .setEncoding(modeToStreamEncoding(mode)) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt index c12c9b1e..fd7abfac 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineSignImpl.kt @@ -56,7 +56,7 @@ class InlineSignImpl(private val api: PGPainless) : InlineSign { } val producerOptions = - ProducerOptions.sign(signingOptions, api).apply { + ProducerOptions.sign(signingOptions).apply { when (mode) { InlineSignAs.clearsigned -> { setCleartextSigned() From 92630e40a43e916f7e1f38191fe2697cc92c9135 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Apr 2025 20:08:12 +0200 Subject: [PATCH 151/265] Add missing javadoc to SigningOptions --- .../encryption_signing/SigningOptions.kt | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index f34e6dd1..79c37216 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -48,6 +48,9 @@ class SigningOptions(private val api: PGPainless) { _hashAlgorithmOverride = hashAlgorithmOverride } + /** + * Evaluation date for signing keys. + */ val evaluationDate: Date get() = _evaluationDate @@ -88,6 +91,7 @@ class SigningOptions(private val api: PGPainless) { */ @Deprecated("Pass an OpenPGPKey instead.") @Throws(KeyException::class, PGPException::class) + // TODO: Remove in 2.1 fun addSignature(signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing) = addSignature(signingKeyProtector, api.toKey(signingKey)) @@ -104,6 +108,7 @@ class SigningOptions(private val api: PGPainless) { */ @Throws(KeyException::class, PGPException::class) @Deprecated("Repeatedly call addInlineSignature(), passing an OpenPGPKey instead.") + // TODO: Remove in 2.1 fun addInlineSignatures( signingKeyProtector: SecretKeyRingProtector, signingKeys: Iterable, @@ -112,6 +117,17 @@ class SigningOptions(private val api: PGPainless) { signingKeys.forEach { addInlineSignature(signingKeyProtector, it, null, signatureType) } } + /** + * Add inline signatures with the provided [signingKey]. + * + * @param signingKeyProtector decryptor to unlock the signing secret keys + * @param signingKey OpenPGP key + * @param signatureType type of signature (binary, canonical text) + * @return this + * @throws KeyException if something is wrong with any of the keys + * @throws PGPException if any of the keys cannot be unlocked or a signing method cannot be + * created + */ fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: OpenPGPKey, @@ -131,12 +147,30 @@ class SigningOptions(private val api: PGPainless) { */ @Throws(KeyException::class, PGPException::class) @Deprecated("Pass an OpenPGPKey instead.") + // TODO: Remove in 2.1 fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, signatureType: DocumentSignatureType ) = addInlineSignature(signingKeyProtector, api.toKey(signingKey), signatureType) + /** + * Add an inline-signature. Inline signatures are being embedded into the message itself and can + * be processed in one pass, thanks to the use of one-pass-signature packets. + * + *

+ * This method uses the passed in user-id to select user-specific hash algorithms. + * + * @param signingKeyProtector decryptor to unlock the signing secret key + * @param signingKey signing key + * @param userId user-id of the signer + * @param signatureType signature type (binary, canonical text) + * @param subpacketsCallback callback to modify the hashed and unhashed subpackets of the + * signature + * @return this + * @throws KeyException if the key is invalid + * @throws PGPException if the key cannot be unlocked or the signing method cannot be created + */ @JvmOverloads fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, @@ -195,6 +229,7 @@ class SigningOptions(private val api: PGPainless) { @Deprecated("Pass an OpenPGPKey instead.") @Throws(KeyException::class, PGPException::class) @JvmOverloads + // TODO: Remove in 2.1 fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, @@ -205,6 +240,17 @@ class SigningOptions(private val api: PGPainless) { addInlineSignature( signingKeyProtector, api.toKey(signingKey), userId, signatureType, subpacketsCallback) + /** + * Create an inline signature using the given signing component key (e.g. a specific subkey). + * + * @param signingKeyProtector decryptor to unlock the secret key + * @param signingKey signing component key + * @param signatureType signature type + * @param subpacketsCallback callback to modify the signatures subpackets + * @return builder + * @throws PGPException if the secret key cannot be unlocked or if no signing method can be + * created. + */ fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: OpenPGPSecretKey, @@ -247,6 +293,8 @@ class SigningOptions(private val api: PGPainless) { */ @Throws(KeyException::class, PGPException::class) @JvmOverloads + @Deprecated("Pass in an OpenPGPSecretKey instead.") + // TODO: Remove in 2.1 fun addInlineSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, @@ -277,6 +325,7 @@ class SigningOptions(private val api: PGPainless) { */ @Throws(KeyException::class, PGPException::class) @Deprecated("Repeatedly call addDetachedSignature(), passing an OpenPGPKey instead.") + // TODO: Remove in 2.1 fun addDetachedSignatures( signingKeyProtector: SecretKeyRingProtector, signingKeys: Iterable, @@ -306,12 +355,31 @@ class SigningOptions(private val api: PGPainless) { */ @Deprecated("Pass an OpenPGPKey instead.") @Throws(KeyException::class, PGPException::class) + // TODO: Remove in 2.1 fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, signatureType: DocumentSignatureType ) = apply { addDetachedSignature(signingKeyProtector, signingKey, null, signatureType) } + /** + * Create a detached signature. Detached signatures are not being added into the PGP message + * itself. Instead, they can be distributed separately to the message. Detached signatures are + * useful if the data that is being signed shall not be modified (e.g. when signing a file). + * + *

+ * This method uses the passed in user-id to select user-specific hash algorithms. + * + * @param signingKeyProtector decryptor to unlock the secret signing key + * @param signingKey signing key + * @param userId user-id + * @param signatureType type of data that is signed (binary, canonical text) + * @param subpacketCallback callback to modify hashed and unhashed subpackets of the signature + * @return this + * @throws KeyException if something is wrong with the key + * @throws PGPException if the key cannot be validated or unlocked, or if no signature method + * can be created + */ @JvmOverloads fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, @@ -364,6 +432,7 @@ class SigningOptions(private val api: PGPainless) { @Deprecated("Pass an OpenPGPKey instead.") @JvmOverloads @Throws(KeyException::class, PGPException::class) + // TODO: Remove in 2.1 fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, @@ -374,6 +443,21 @@ class SigningOptions(private val api: PGPainless) { addDetachedSignature( signingKeyProtector, api.toKey(signingKey), userId, signatureType, subpacketCallback) + /** + * Create a detached signature. Detached signatures are not being added into the PGP message + * itself. Instead, they can be distributed separately to the message. Detached signatures are + * useful if the data that is being signed shall not be modified (e.g. when signing a file). + * This method creates a signature using the provided [signingKey], taking into consideration + * the preferences found on the binding signature of the given [userId]. + * + * @param signingKeyProtector protector to unlock the signing key + * @param signingKey OpenPGP key for signing + * @param userId user-id to determine algorithm preferences + * @param signatureType document signature type + * @param subpacketCallback callback to change the subpackets of the signature + * + * @return this + */ fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: OpenPGPSecretKey, @@ -410,6 +494,7 @@ class SigningOptions(private val api: PGPainless) { @Throws(KeyException::class, PGPException::class) @JvmOverloads @Deprecated("Pass an OpenPGPSecretKey instead.") + // TODO: Remove in 2.1 fun addDetachedSignature( signingKeyProtector: SecretKeyRingProtector, signingKey: PGPSecretKeyRing, From b84f464b49fcd92cde619de2b836fa7351f70bf9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 13:45:21 +0200 Subject: [PATCH 152/265] KeySpecBuilder: Expose API for overriding default AEAD algorithms and features --- .../key/generation/KeySpecBuilder.kt | 24 ++++++++++++++----- .../key/generation/KeySpecBuilderInterface.kt | 6 +++++ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt index 2ed50ffa..21cf5ec0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt @@ -12,8 +12,7 @@ import org.pgpainless.signature.subpackets.SelfSignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil -class KeySpecBuilder -constructor( +class KeySpecBuilder( private val type: KeyType, private val keyFlags: List, ) : KeySpecBuilderInterface { @@ -27,6 +26,7 @@ constructor( private var preferredSymmetricAlgorithms: Set? = algorithmSuite.symmetricKeyAlgorithms private var preferredAEADAlgorithms: Set? = algorithmSuite.aeadAlgorithms + private var features: Set? = algorithmSuite.features private var keyCreationDate: Date? = null constructor(type: KeyType, vararg keyFlags: KeyFlag) : this(type, listOf(*keyFlags)) @@ -37,11 +37,13 @@ constructor( override fun overridePreferredCompressionAlgorithms( vararg algorithms: CompressionAlgorithm - ): KeySpecBuilder = apply { this.preferredCompressionAlgorithms = algorithms.toSet() } + ): KeySpecBuilder = apply { + this.preferredCompressionAlgorithms = if (algorithms.isEmpty()) null else algorithms.toSet() + } override fun overridePreferredHashAlgorithms(vararg algorithms: HashAlgorithm): KeySpecBuilder = apply { - this.preferredHashAlgorithms = algorithms.toSet() + this.preferredHashAlgorithms = if (algorithms.isEmpty()) null else algorithms.toSet() } override fun overridePreferredSymmetricKeyAlgorithms( @@ -50,7 +52,17 @@ constructor( require(!algorithms.contains(SymmetricKeyAlgorithm.NULL)) { "NULL (unencrypted) is an invalid symmetric key algorithm preference." } - this.preferredSymmetricAlgorithms = algorithms.toSet() + this.preferredSymmetricAlgorithms = if (algorithms.isEmpty()) null else algorithms.toSet() + } + + override fun overridePreferredAEADAlgorithms( + vararg algorithms: AEADCipherMode + ): KeySpecBuilder = apply { + this.preferredAEADAlgorithms = if (algorithms.isEmpty()) null else algorithms.toSet() + } + + override fun overrideFeatures(vararg features: Feature): KeySpecBuilder = apply { + this.features = if (features.isEmpty()) null else features.toSet() } override fun setKeyCreationDate(creationDate: Date): KeySpecBuilder = apply { @@ -65,7 +77,7 @@ constructor( preferredHashAlgorithms?.let { setPreferredHashAlgorithms(it) } preferredSymmetricAlgorithms?.let { setPreferredSymmetricKeyAlgorithms(it) } preferredAEADAlgorithms?.let { setPreferredAEADCiphersuites(it) } - setFeatures(Feature.MODIFICATION_DETECTION) + features?.let { setFeatures(*it.toTypedArray()) } } .let { KeySpec(type, hashedSubpackets as SignatureSubpackets, false, keyCreationDate) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilderInterface.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilderInterface.kt index 7fb767e4..956a70b0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilderInterface.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilderInterface.kt @@ -5,7 +5,9 @@ package org.pgpainless.key.generation import java.util.* +import org.pgpainless.algorithm.AEADCipherMode import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SymmetricKeyAlgorithm @@ -21,6 +23,10 @@ interface KeySpecBuilderInterface { vararg algorithms: SymmetricKeyAlgorithm ): KeySpecBuilder + fun overridePreferredAEADAlgorithms(vararg algorithms: AEADCipherMode): KeySpecBuilder + + fun overrideFeatures(vararg features: Feature): KeySpecBuilder + fun setKeyCreationDate(creationDate: Date): KeySpecBuilder fun build(): KeySpec From cf4ba07fbcde4f3f01d1231f13f96ed54883471f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 13:46:05 +0200 Subject: [PATCH 153/265] Add test for overriding features during key generation --- .../key/generation/GenerateV6KeyTest.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java index 58f4695e..b387ef3e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateV6KeyTest.java @@ -13,9 +13,11 @@ import org.bouncycastle.openpgp.api.SignatureParameters; import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.KeyRingProtectionSettings; @@ -160,4 +162,17 @@ public class GenerateV6KeyTest { assertEquals(armored, parsed.toAsciiArmoredString()); } + + @Test + public void generateKeyOverrideFeatures() { + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey key = api.buildKey(OpenPGPKeyVersion.v6) + .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER) + .overrideFeatures(Feature.MODIFICATION_DETECTION, Feature.MODIFICATION_DETECTION_2)) + .build(); + + assertTrue(key.getPrimaryKey().getFeatures().supportsModificationDetection()); + assertTrue(key.getPrimaryKey().getFeatures().supportsSEIPDv2()); + } } From 9c87e4f34f5ad0c100e966d06650cc79b948499a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 13:46:17 +0200 Subject: [PATCH 154/265] Small javadoc fixes --- .../org/pgpainless/encryption_signing/SigningOptions.kt | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 79c37216..5a0b4f62 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -48,9 +48,7 @@ class SigningOptions(private val api: PGPainless) { _hashAlgorithmOverride = hashAlgorithmOverride } - /** - * Evaluation date for signing keys. - */ + /** Evaluation date for signing keys. */ val evaluationDate: Date get() = _evaluationDate @@ -455,7 +453,6 @@ class SigningOptions(private val api: PGPainless) { * @param userId user-id to determine algorithm preferences * @param signatureType document signature type * @param subpacketCallback callback to change the subpackets of the signature - * * @return this */ fun addDetachedSignature( From f6284fd59b30875a27847c3876cdadcd8c72c5b5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 15:27:49 +0200 Subject: [PATCH 155/265] Port UnlockSecretKey method --- .../kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt index f83b8336..dd2f7081 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt @@ -111,5 +111,9 @@ class UnlockSecretKey { secretKey, SecretKeyRingProtector.unlockSingleKeyWith(passphrase, secretKey)) } } + + @JvmStatic + fun unlockSecretKey(secretKey: OpenPGPSecretKey, passphrase: Passphrase): OpenPGPPrivateKey = + unlockSecretKey(secretKey, SecretKeyRingProtector.unlockAnyKeyWith(passphrase)) } } From c0207f50e9d903ef5dd107e41c05abf38c70895b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 15:27:58 +0200 Subject: [PATCH 156/265] Port some more tests --- .../CertificateWithMissingSecretKeyTest.java | 40 ++++++++------- .../CleartextSignatureVerificationTest.java | 49 +++++++++---------- ...stomPublicKeyDataDecryptorFactoryTest.java | 27 +++++----- 3 files changed, 57 insertions(+), 59 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java index 70f655ef..0536a03f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java @@ -17,8 +17,9 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -62,45 +63,46 @@ public class CertificateWithMissingSecretKeyTest { "=eTh7\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - private static final long signingSubkeyId = -7647663290973502178L; - private static PGPSecretKeyRing missingSigningSecKey; + private static final KeyIdentifier signingSubkeyId = new KeyIdentifier(-7647663290973502178L); + private static OpenPGPKey missingSigningSecKey; private static KeyIdentifier encryptionSubkeyId; - private static PGPSecretKeyRing missingDecryptionSecKey; + private static OpenPGPKey missingDecryptionSecKey; private static final SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @BeforeAll public static void prepare() throws IOException { + PGPainless api = PGPainless.getInstance(); // missing signing sec key we read from bytes - missingSigningSecKey = PGPainless.readKeyRing().secretKeyRing(MISSING_SIGNING_SECKEY); + missingSigningSecKey = api.readKey().parseKey(MISSING_SIGNING_SECKEY); // missing encryption sec key we generate on the fly - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Missing Decryption Key ") - .getPGPSecretKeyRing(); - encryptionSubkeyId = PGPainless.inspectKeyRing(secretKeys) + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Missing Decryption Key "); + encryptionSubkeyId = api.inspect(secretKeys) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyIdentifier(); // remove the encryption/decryption secret key - missingDecryptionSecKey = KeyRingUtils.stripSecretKey(secretKeys, encryptionSubkeyId.getKeyId()); + PGPSecretKeyRing withSecretKeyStripped = KeyRingUtils.stripSecretKey(secretKeys.getPGPSecretKeyRing(), encryptionSubkeyId); + missingDecryptionSecKey = api.toKey(withSecretKeyStripped); } @Test public void assureMissingSigningSecKeyOnlyContainSigningPubKey() { - assertNotNull(missingSigningSecKey.getPublicKey(signingSubkeyId)); + assertNotNull(missingSigningSecKey.getKey(signingSubkeyId)); assertNull(missingSigningSecKey.getSecretKey(signingSubkeyId)); - KeyRingInfo info = PGPainless.inspectKeyRing(missingSigningSecKey); + KeyRingInfo info = PGPainless.getInstance().inspect(missingSigningSecKey); assertFalse(info.getSigningSubkeys().isEmpty()); // This method only tests for pub keys. } @Test public void assureMissingDecryptionSecKeyOnlyContainsEncryptionPubKey() { - assertNotNull(missingDecryptionSecKey.getPublicKey(encryptionSubkeyId)); + assertNotNull(missingDecryptionSecKey.getKey(encryptionSubkeyId)); assertNull(missingDecryptionSecKey.getSecretKey(encryptionSubkeyId)); - KeyRingInfo info = PGPainless.inspectKeyRing(missingDecryptionSecKey); + KeyRingInfo info = PGPainless.getInstance().inspect(missingDecryptionSecKey); assertFalse(info.getEncryptionSubkeys(EncryptionPurpose.ANY).isEmpty()); // pub key is still there } @@ -119,12 +121,14 @@ public class CertificateWithMissingSecretKeyTest { ByteArrayInputStream in = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream out = new ByteArrayOutputStream(); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(missingDecryptionSecKey); + PGPainless api = PGPainless.getInstance(); + + OpenPGPCertificate certificate = missingDecryptionSecKey.toCertificate(); ProducerOptions producerOptions = ProducerOptions.encrypt( - EncryptionOptions.encryptCommunications() + EncryptionOptions.encryptCommunications(api) .addRecipient(certificate)); // we can still encrypt, since the pub key is still there - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(producerOptions); @@ -136,7 +140,7 @@ public class CertificateWithMissingSecretKeyTest { // Test decryption ByteArrayInputStream cipherIn = new ByteArrayInputStream(out.toByteArray()); - ConsumerOptions consumerOptions = ConsumerOptions.get() + ConsumerOptions consumerOptions = ConsumerOptions.get(api) .addDecryptionKey(missingDecryptionSecKey); assertThrows(MissingDecryptionMethodException.class, () -> diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index d9b4c809..457c7fa7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -19,9 +19,9 @@ import java.nio.charset.StandardCharsets; import java.util.Random; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -36,7 +36,6 @@ import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.SignatureUtils; -import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.TestUtils; public class CleartextSignatureVerificationTest { @@ -73,13 +72,14 @@ public class CleartextSignatureVerificationTest { public static final String alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; public static final Random random = new Random(); + private static final PGPainless api = PGPainless.getInstance(); @Test public void cleartextSignVerification_InMemoryMultiPassStrategy() throws IOException, PGPException { - PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); - ConsumerOptions options = ConsumerOptions.get() - .addVerificationCert(signingKeys); + OpenPGPCertificate signingCert = TestKeys.getEmilCertificate(); + ConsumerOptions options = ConsumerOptions.get(api) + .addVerificationCert(signingCert); InMemoryMultiPassStrategy multiPassStrategy = MultiPassStrategy.keepMessageInMemory(); options.setMultiPassStrategy(multiPassStrategy); @@ -97,16 +97,16 @@ public class CleartextSignatureVerificationTest { PGPSignature signature = result.getVerifiedSignatures().iterator().next().getSignature(); - assertEquals(signature.getKeyID(), signingKeys.getPublicKey().getKeyID()); + assertTrue(signature.hasKeyIdentifier(signingCert.getKeyIdentifier())); assertArrayEquals(MESSAGE_BODY, out.toByteArray()); } @Test public void cleartextSignVerification_FileBasedMultiPassStrategy() throws IOException, PGPException { - PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); - ConsumerOptions options = ConsumerOptions.get() - .addVerificationCert(signingKeys); + OpenPGPCertificate signingCert = TestKeys.getEmilCertificate(); + ConsumerOptions options = ConsumerOptions.get(api) + .addVerificationCert(signingCert); File tempDir = TestUtils.createTempDirectory(); File file = new File(tempDir, "file"); @@ -125,7 +125,7 @@ public class CleartextSignatureVerificationTest { PGPSignature signature = result.getVerifiedSignatures().iterator().next().getSignature(); - assertEquals(signature.getKeyID(), signingKeys.getPublicKey().getKeyID()); + assertTrue(signature.hasKeyIdentifier(signingCert.getKeyIdentifier())); FileInputStream fileIn = new FileInputStream(file); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); Streams.pipeAll(fileIn, bytes); @@ -135,8 +135,8 @@ public class CleartextSignatureVerificationTest { public static void main(String[] args) throws IOException { // CHECKSTYLE:OFF - PGPPublicKeyRing keys = TestKeys.getEmilPublicKeyRing(); - System.out.println(ArmorUtils.toAsciiArmoredString(keys)); + OpenPGPCertificate cert = TestKeys.getEmilCertificate(); + System.out.println(cert.toAsciiArmoredString()); System.out.println(new String(MESSAGE_SIGNED)); System.out.println(new String(MESSAGE_BODY)); System.out.println(new String(SIGNATURE)); @@ -148,8 +148,8 @@ public class CleartextSignatureVerificationTest { throws IOException, PGPException { PGPSignature signature = SignatureUtils.readSignatures(SIGNATURE).get(0); - ConsumerOptions options = ConsumerOptions.get() - .addVerificationCert(TestKeys.getEmilPublicKeyRing()) + ConsumerOptions options = ConsumerOptions.get(api) + .addVerificationCert(TestKeys.getEmilCertificate()) .addVerificationOfDetachedSignature(signature); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -170,10 +170,10 @@ public class CleartextSignatureVerificationTest { String message = "Foo\nBar"; // PGPUtil.getDecoderStream() would have mistaken this for base64 data ByteArrayInputStream msgIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); - PGPSecretKeyRing secretKey = TestKeys.getEmilSecretKeyRing(); + OpenPGPKey secretKey = TestKeys.getEmilKey(); ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign().onOutputStream(signedOut) - .withOptions(ProducerOptions.sign(SigningOptions.get() + EncryptionStream signingStream = api.generateMessage().onOutputStream(signedOut) + .withOptions(ProducerOptions.sign(SigningOptions.get(api) .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) .setCleartextSigned()); @@ -185,8 +185,8 @@ public class CleartextSignatureVerificationTest { ByteArrayInputStream signedIn = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(signedIn) - .withOptions(ConsumerOptions.get() - .addVerificationCert(TestKeys.getEmilPublicKeyRing())); + .withOptions(ConsumerOptions.get(api) + .addVerificationCert(TestKeys.getEmilCertificate())); ByteArrayOutputStream msgOut = new ByteArrayOutputStream(); Streams.pipeAll(verificationStream, msgOut); @@ -201,13 +201,12 @@ public class CleartextSignatureVerificationTest { throws PGPException, IOException { String message = randomString(28, 4000); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice"); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.sign( - SigningOptions.get() + SigningOptions.get(api) .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) ).setCleartextSigned()); @@ -221,7 +220,7 @@ public class CleartextSignatureVerificationTest { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) .withOptions(ConsumerOptions.get() - .addVerificationCert(PGPainless.extractCertificate(secretKeys))); + .addVerificationCert(secretKeys.toCertificate())); out = new ByteArrayOutputStream(); Streams.pipeAll(decryptionStream, out); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java index 1f1f65ff..947b6980 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java @@ -5,15 +5,11 @@ package org.pgpainless.decryption_verification; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPrivateKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; @@ -35,22 +31,21 @@ import static org.junit.jupiter.api.Assertions.assertEquals; public class CustomPublicKeyDataDecryptorFactoryTest { @Test - @Disabled public void testDecryptionWithEmulatedHardwareDecryptionCallback() throws PGPException, IOException { - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKey); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKey = api.generateKey().modernKeyRing("Alice"); + OpenPGPCertificate cert = secretKey.toCertificate(); + KeyRingInfo info = api.inspect(secretKey); OpenPGPCertificate.OpenPGPComponentKey encryptionKey = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); // Encrypt a test message String plaintext = "Hello, World!\n"; ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(ciphertextOut) - .withOptions(ProducerOptions.encrypt(EncryptionOptions.get() + .withOptions(ProducerOptions.encrypt(EncryptionOptions.get(api) .addRecipient(cert))); encryptionStream.write(plaintext.getBytes(StandardCharsets.UTF_8)); encryptionStream.close(); @@ -61,9 +56,9 @@ public class CustomPublicKeyDataDecryptorFactoryTest { throws HardwareSecurity.HardwareSecurityException { // Emulate hardware decryption. try { - PGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyIdentifier()); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, Passphrase.emptyPassphrase()); - PublicKeyDataDecryptorFactory internal = new BcPublicKeyDataDecryptorFactory(privateKey); + OpenPGPKey.OpenPGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyIdentifier()); + OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, Passphrase.emptyPassphrase()); + PublicKeyDataDecryptorFactory internal = new BcPublicKeyDataDecryptorFactory(privateKey.getKeyPair().getPrivateKey()); return internal.recoverSessionData(keyAlgorithm, new byte[][] {sessionKeyData}, pkeskVersion); } catch (PGPException e) { throw new HardwareSecurity.HardwareSecurityException(); @@ -77,7 +72,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest { .withOptions(ConsumerOptions.get() .addCustomDecryptorFactory( new HardwareSecurity.HardwareDataDecryptorFactory( - new SubkeyIdentifier(cert, encryptionKey.getKeyIdentifier()), + new SubkeyIdentifier(encryptionKey), hardwareDecryptionCallback))); ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream(); From bad49de6aa4463307afaf195b01577b53033af94 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 15:37:19 +0200 Subject: [PATCH 157/265] Port more tests --- .../MissingPassphraseForDecryptionTest.java | 23 ++++--- .../OpenPgpInputStreamTest.java | 12 ++-- .../OpenPgpMessageInputStreamTest.java | 64 ++++++++++--------- 3 files changed, 51 insertions(+), 48 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index 5037786f..338d1fbb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -18,9 +18,8 @@ import java.util.List; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.BeforeEach; @@ -40,18 +39,18 @@ import org.pgpainless.util.Passphrase; public class MissingPassphraseForDecryptionTest { private final String passphrase = "dragon123"; - private PGPSecretKeyRing secretKeys; + private OpenPGPKey secretKeys; private byte[] message; + private final PGPainless api = PGPainless.getInstance(); @BeforeEach public void setup() throws PGPException, IOException { - secretKeys = PGPainless.generateKeyRing().modernKeyRing("Test", passphrase) - .getPGPSecretKeyRing(); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + secretKeys = api.generateKey().modernKeyRing("Test", passphrase); + OpenPGPCertificate certificate = secretKeys.toCertificate(); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) - .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() + .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications(api) .addRecipient(certificate))); Streams.pipeAll(new ByteArrayInputStream("Hey, what's up?".getBytes(StandardCharsets.UTF_8)), encryptionStream); @@ -74,7 +73,7 @@ public class MissingPassphraseForDecryptionTest { return true; } }; - ConsumerOptions options = ConsumerOptions.get() + ConsumerOptions options = ConsumerOptions.get(api) .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.INTERACTIVE) .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); @@ -91,7 +90,7 @@ public class MissingPassphraseForDecryptionTest { @Test public void throwExceptionStrategy() throws PGPException, IOException { - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = api.inspect(secretKeys); List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); @@ -108,7 +107,7 @@ public class MissingPassphraseForDecryptionTest { } }; - ConsumerOptions options = ConsumerOptions.get() + ConsumerOptions options = ConsumerOptions.get(api) .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION) .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); @@ -121,7 +120,7 @@ public class MissingPassphraseForDecryptionTest { assertFalse(e.getKeyIds().isEmpty()); assertEquals(encryptionKeys.size(), e.getKeyIds().size()); for (OpenPGPCertificate.OpenPGPComponentKey encryptionKey : encryptionKeys) { - assertTrue(e.getKeyIds().contains(new SubkeyIdentifier(secretKeys, encryptionKey.getKeyIdentifier()))); + assertTrue(e.getKeyIds().contains(new SubkeyIdentifier(encryptionKey))); } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java index c6b4e0d3..8d2e2307 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java @@ -19,7 +19,7 @@ import org.bouncycastle.bcpg.ArmoredInputStream; import org.bouncycastle.bcpg.CompressionAlgorithmTags; import org.bouncycastle.openpgp.PGPCompressedDataGenerator; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -735,15 +735,15 @@ public class OpenPgpInputStreamTest { @Test public void testSignedMessageConsumption() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); ByteArrayInputStream plaintext = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Sigmund ") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Sigmund "); ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); - EncryptionStream signer = PGPainless.encryptAndOrSign() + EncryptionStream signer = api.generateMessage() .onOutputStream(signedOut) - .withOptions(ProducerOptions.sign(SigningOptions.get() + .withOptions(ProducerOptions.sign(SigningOptions.get(api) .addSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys)) .setAsciiArmor(false) .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java index b1bcee89..39e4b7e6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java @@ -26,9 +26,9 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPLiteralDataGenerator; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.JUtils; import org.junit.jupiter.api.Named; @@ -162,6 +162,8 @@ public class OpenPgpMessageInputStreamTest { "=tkTV\n" + "-----END PGP MESSAGE-----"; + private static final PGPainless api = PGPainless.getInstance(); + public static void main(String[] args) throws Exception { // genLIT(); // genLIT_LIT(); @@ -237,21 +239,22 @@ public class OpenPgpMessageInputStreamTest { armorOut.close(); } - public static void genKey() { - PGPainless.asciiArmor( - PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(), - System.out); + public static void genKey() throws IOException { + OpenPGPKey key = api.generateKey() + .modernKeyRing("Alice "); + // CHECKSTYLE:OFF + System.out.println(key.toAsciiArmoredString()); + // CHECKSTYLE:ON } public static void genSIG_COMP_LIT() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); ByteArrayOutputStream msgOut = new ByteArrayOutputStream(); - EncryptionStream signer = PGPainless.encryptAndOrSign() + EncryptionStream signer = api.generateMessage() .onOutputStream(msgOut) .withOptions( ProducerOptions.sign( - SigningOptions.get() + SigningOptions.get(api) .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys) ).setAsciiArmor(false) ); @@ -277,9 +280,9 @@ public class OpenPgpMessageInputStreamTest { } public static void genSENC_LIT() throws PGPException, IOException { - EncryptionStream enc = PGPainless.encryptAndOrSign() + EncryptionStream enc = api.generateMessage() .onOutputStream(System.out) - .withOptions(ProducerOptions.encrypt(EncryptionOptions.get() + .withOptions(ProducerOptions.encrypt(EncryptionOptions.get(api) .addMessagePassphrase(Passphrase.fromPassword(PASSPHRASE))) .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)); enc.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8)); @@ -287,11 +290,11 @@ public class OpenPgpMessageInputStreamTest { } public static void genPENC_COMP_LIT() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys); - EncryptionStream enc = PGPainless.encryptAndOrSign() + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); + OpenPGPCertificate cert = secretKeys.toCertificate(); + EncryptionStream enc = api.generateMessage() .onOutputStream(System.out) - .withOptions(ProducerOptions.encrypt(EncryptionOptions.get() + .withOptions(ProducerOptions.encrypt(EncryptionOptions.get(api) .addRecipient(cert)) .overrideCompressionAlgorithm(CompressionAlgorithm.ZLIB)); @@ -300,11 +303,11 @@ public class OpenPgpMessageInputStreamTest { } public static void genOPS_LIT_SIG() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); - EncryptionStream enc = PGPainless.encryptAndOrSign() + EncryptionStream enc = api.generateMessage() .onOutputStream(System.out) - .withOptions(ProducerOptions.sign(SigningOptions.get() + .withOptions(ProducerOptions.sign(SigningOptions.get(api) .addSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys)) .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)); Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc); @@ -398,8 +401,8 @@ public class OpenPgpMessageInputStreamTest { @MethodSource("provideMessageProcessors") void testProcessSIG_COMP_LIT(Processor processor) throws PGPException, IOException { - PGPPublicKeyRing cert = PGPainless.extractCertificate( - PGPainless.readKeyRing().secretKeyRing(KEY)); + OpenPGPKey key = api.readKey().parseKey(KEY); + OpenPGPCertificate cert = key.toCertificate(); Result result = processor.process(SIG_COMP_LIT, ConsumerOptions.get() .addVerificationCert(cert)); @@ -431,8 +434,8 @@ public class OpenPgpMessageInputStreamTest { @MethodSource("provideMessageProcessors") void testProcessPENC_COMP_LIT(Processor processor) throws IOException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - Result result = processor.process(PENC_COMP_LIT, ConsumerOptions.get() + OpenPGPKey secretKeys = api.readKey().parseKey(KEY); + Result result = processor.process(PENC_COMP_LIT, ConsumerOptions.get(api) .addDecryptionKey(secretKeys)); String plain = result.plaintext; assertEquals(PLAINTEXT, plain); @@ -447,7 +450,8 @@ public class OpenPgpMessageInputStreamTest { @MethodSource("provideMessageProcessors") void testProcessOPS_LIT_SIG(Processor processor) throws IOException, PGPException { - PGPPublicKeyRing cert = PGPainless.extractCertificate(PGPainless.readKeyRing().secretKeyRing(KEY)); + OpenPGPKey key = api.readKey().parseKey(KEY); + OpenPGPCertificate cert = key.toCertificate(); Result result = processor.process(OPS_LIT_SIG, ConsumerOptions.get() .addVerificationCert(cert)); String plain = result.plaintext; @@ -581,10 +585,10 @@ public class OpenPgpMessageInputStreamTest { "s7O7MH2b1YkDPsTDuLoDjBzDRoA+2vi034km9Qdcs3w8+vrydw4=\n" + "=mdYs\n" + "-----END PGP MESSAGE-----\n"; - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(BOB_KEY); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + OpenPGPKey secretKeys = api.readKey().parseKey(BOB_KEY); + OpenPGPCertificate certificate = secretKeys.toCertificate(); - Result result = processor.process(MSG, ConsumerOptions.get() + Result result = processor.process(MSG, ConsumerOptions.get(api) .addVerificationCert(certificate) .addDecryptionKey(secretKeys)); String plain = result.plaintext; @@ -646,10 +650,10 @@ public class OpenPgpMessageInputStreamTest { "x12WVuyITVU3fCfHp6/0A6wPtJezCvoodqPlw/3fd5eSVYzb5C3v564uhz4=\n" + "=JP9T\n" + "-----END PGP MESSAGE-----"; - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(BOB_KEY); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + OpenPGPKey secretKeys = api.readKey().parseKey(BOB_KEY); + OpenPGPCertificate certificate = secretKeys.toCertificate(); - Result result = processor.process(MSG, ConsumerOptions.get() + Result result = processor.process(MSG, ConsumerOptions.get(api) .addVerificationCert(certificate) .addDecryptionKey(secretKeys)); String plain = result.plaintext; From 0963f110a4ecea6bccfd484f5d945798c95b82a9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 15:59:04 +0200 Subject: [PATCH 158/265] Port TryDecryptWithUnavailableGnuDummyKeyTest --- ...DecryptWithUnavailableGnuDummyKeyTest.java | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java index 0c8bff4f..4093b1ec 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java @@ -5,8 +5,8 @@ package org.pgpainless.decryption_verification; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -27,26 +27,27 @@ public class TryDecryptWithUnavailableGnuDummyKeyTest { @Test public void testAttemptToDecryptWithRemovedPrivateKeysThrows() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Hardy Hardware ") - .getPGPSecretKeyRing(); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Hardy Hardware "); + OpenPGPCertificate certificate = secretKeys.toCertificate(); ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(ciphertextOut) .withOptions( - ProducerOptions.encrypt(EncryptionOptions.get().addRecipient(certificate))); + ProducerOptions.encrypt(EncryptionOptions.get(api).addRecipient(certificate))); ByteArrayInputStream plaintextIn = new ByteArrayInputStream("Hello, World!\n".getBytes()); Streams.pipeAll(plaintextIn, encryptionStream); encryptionStream.close(); - PGPSecretKeyRing removedKeys = GnuPGDummyKeyUtil.modify(secretKeys) - .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any()); + OpenPGPKey removedKeys = api.toKey( + GnuPGDummyKeyUtil.modify(secretKeys) + .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any())); ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertextOut.toByteArray()); assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(ciphertextIn) - .withOptions(ConsumerOptions.get().addDecryptionKey(removedKeys))); + .withOptions(ConsumerOptions.get(api).addDecryptionKey(removedKeys))); } } From 46d58f230ed2d8e12cb4c5f4a37f7781b915e529 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 20:05:12 +0200 Subject: [PATCH 159/265] Port BcHashContextSigner and test --- .../encryption_signing/BcHashContextSigner.kt | 28 ++++++++++--------- .../BcHashContextSignerTest.java | 16 ++++++----- 2 files changed, 24 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt index 88e8d21d..18303dfc 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt @@ -4,16 +4,15 @@ package org.pgpainless.encryption_signing -import java.security.MessageDigest import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPrivateKey -import org.bouncycastle.openpgp.PGPSecretKeyRing -import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPSignatureGenerator +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.SignatureType -import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.key.protection.SecretKeyRingProtector +import org.pgpainless.key.protection.UnlockSecretKey +import java.security.MessageDigest class BcHashContextSigner { @@ -22,15 +21,15 @@ class BcHashContextSigner { fun signHashContext( hashContext: MessageDigest, signatureType: SignatureType, - secretKey: PGPSecretKeyRing, + secretKey: OpenPGPKey, protector: SecretKeyRingProtector - ): PGPSignature { - val info = PGPainless.inspectKeyRing(secretKey) + ): OpenPGPDocumentSignature { + val info = PGPainless.getInstance().inspect(secretKey) return info.signingSubkeys .mapNotNull { info.getSecretKey(it.keyIdentifier) } .firstOrNull() ?.let { - signHashContext(hashContext, signatureType, it.pgpSecretKey.unlock(protector)) + signHashContext(hashContext, signatureType, UnlockSecretKey.unlockSecretKey(it, protector)) } ?: throw PGPException("Key does not contain suitable signing subkey.") } @@ -47,11 +46,14 @@ class BcHashContextSigner { internal fun signHashContext( hashContext: MessageDigest, signatureType: SignatureType, - privateKey: PGPPrivateKey - ): PGPSignature { - return PGPSignatureGenerator(BcPGPHashContextContentSignerBuilder(hashContext)) - .apply { init(signatureType.code, privateKey) } + privateKey: OpenPGPKey.OpenPGPPrivateKey + ): OpenPGPDocumentSignature { + return PGPSignatureGenerator( + BcPGPHashContextContentSignerBuilder(hashContext), + privateKey.keyPair.publicKey) + .apply { init(signatureType.code, privateKey.keyPair.privateKey) } .generate() + .let { OpenPGPDocumentSignature(it, privateKey.publicKey) } } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java index 660001fa..fe89af80 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java @@ -16,9 +16,9 @@ import java.security.NoSuchAlgorithmException; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -66,13 +66,15 @@ public class BcHashContextSignerTest { @Test public void signContextWithRSAKeys() throws PGPException, NoSuchAlgorithmException, IOException { - OpenPGPKey secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072); + OpenPGPKey secretKeys = PGPainless.getInstance().generateKey() + .simpleRsaKeyRing("Sigfried", RsaLength._3072); signWithKeys(secretKeys); } @Test public void signContextWithEcKeys() throws PGPException, NoSuchAlgorithmException, IOException { - OpenPGPKey secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried"); + OpenPGPKey secretKeys = PGPainless.getInstance().generateKey() + .simpleEcKeyRing("Sigfried"); signWithKeys(secretKeys); } @@ -91,8 +93,8 @@ public class BcHashContextSignerTest { byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8); ByteArrayInputStream messageIn = new ByteArrayInputStream(messageBytes); - PGPSignature signature = signMessage(messageBytes, hashAlgorithm, secretKeys); - assertEquals(hashAlgorithm.getAlgorithmId(), signature.getHashAlgorithm()); + OpenPGPSignature.OpenPGPDocumentSignature signature = signMessage(messageBytes, hashAlgorithm, secretKeys); + assertEquals(hashAlgorithm.getAlgorithmId(), signature.getSignature().getHashAlgorithm()); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(messageIn) @@ -108,13 +110,13 @@ public class BcHashContextSignerTest { assertTrue(metadata.isVerifiedSigned()); } - private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, OpenPGPKey secretKeys) + private OpenPGPSignature.OpenPGPDocumentSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, OpenPGPKey secretKeys) throws NoSuchAlgorithmException { // Prepare the hash context // This would be done by the caller application MessageDigest messageDigest = MessageDigest.getInstance(hashAlgorithm.getAlgorithmName(), new BouncyCastleProvider()); messageDigest.update(message); - return BcHashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, secretKeys.getPGPSecretKeyRing(), SecretKeyRingProtector.unprotectedKeys()); + return BcHashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, secretKeys, SecretKeyRingProtector.unprotectedKeys()); } } From 2d678f8bb990f7ab98cbea69adc3b81e304fa5f5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 20:50:03 +0200 Subject: [PATCH 160/265] Add OpenPGPSecretKey.unlock(Passphrase) extension method --- .../bouncycastle/extensions/OpenPGPKeyExtensions.kt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt index 305bca15..06a7e8ed 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt @@ -7,10 +7,15 @@ package org.pgpainless.bouncycastle.extensions import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey +import org.pgpainless.util.Passphrase fun OpenPGPKey.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): OpenPGPSecretKey? = this.getSecretKey(pkesk.keyIdentifier) fun OpenPGPKey.getSecretKeyFor(signature: PGPSignature): OpenPGPSecretKey? = this.getSecretKey(signature.fingerprint!!.keyIdentifier) + +fun OpenPGPKey.OpenPGPSecretKey.unlock(passphrase: Passphrase): OpenPGPPrivateKey = + this.unlock(passphrase.getChars()) From 674b15637f56f035c19ef0534ad4fe23cbdb1181 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 20:50:25 +0200 Subject: [PATCH 161/265] Add missing methods for SecretKeyRing protection --- .../key/protection/CachingSecretKeyRingProtector.kt | 10 ++++++++++ .../key/protection/SecretKeyRingProtector.kt | 4 ++++ .../passphrase_provider/SecretKeyPassphraseProvider.kt | 4 ++++ 3 files changed, 18 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt index 32bd4732..51e3fe35 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/CachingSecretKeyRingProtector.kt @@ -7,6 +7,8 @@ package org.pgpainless.key.protection import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor @@ -133,6 +135,12 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras fun addPassphrase(key: PGPPublicKey, passphrase: Passphrase) = addPassphrase(key.keyIdentifier, passphrase) + fun addPassphrase(cert: OpenPGPCertificate, passphrase: Passphrase) = + addPassphrase(cert.pgpKeyRing, passphrase) + + fun addPassphrase(key: OpenPGPComponentKey, passphrase: Passphrase) = + addPassphrase(key.keyIdentifier, passphrase) + /** * Remember the given passphrase for the key with the given fingerprint. * @@ -161,6 +169,8 @@ class CachingSecretKeyRingProtector : SecretKeyRingProtector, SecretKeyPassphras keyRing.publicKeys.forEach { forgetPassphrase(it) } } + fun forgetPassphrase(cert: OpenPGPCertificate) = forgetPassphrase(cert.pgpPublicKeyRing) + /** * Forget the passphrase of the given public key. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt index 5de7de48..d76f8e37 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/SecretKeyRingProtector.kt @@ -58,6 +58,10 @@ interface SecretKeyRingProtector : KeyPassphraseProvider { @Throws(PGPException::class) fun getDecryptor(keyId: Long): PBESecretKeyDecryptor? = getDecryptor(KeyIdentifier(keyId)) + @Throws(PGPException::class) + fun getDecryptor(key: OpenPGPSecretKey): PBESecretKeyDecryptor? = + getDecryptor(key.keyIdentifier) + /** * Return a decryptor for the key with the given [keyIdentifier]. This method returns null if * the key is unprotected. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt index 138d0632..a557dde2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.kt @@ -6,11 +6,15 @@ package org.pgpainless.key.protection.passphrase_provider import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.pgpainless.util.Passphrase /** Interface to allow the user to provide a [Passphrase] for an encrypted OpenPGP secret key. */ interface SecretKeyPassphraseProvider { + fun getPassphraseFor(key: OpenPGPComponentKey): Passphrase? = + getPassphraseFor(key.keyIdentifier) + /** * Return a passphrase for the given secret key. If no record is found, return null. Note: In * case of an unprotected secret key, this method must may not return null, but a [Passphrase] From f79aba74ed2dde8a9b6277df9edfa05ad0dd3bfd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 2 Apr 2025 20:54:19 +0200 Subject: [PATCH 162/265] Port a bunch of more tests --- .../encryption_signing/BcHashContextSigner.kt | 8 +- .../key/protection/UnlockSecretKey.kt | 5 +- .../EncryptionOptionsTest.java | 37 ++++---- .../FileInformationTest.java | 30 ++++--- .../HiddenRecipientEncryptionTest.java | 18 ++-- .../java/org/pgpainless/key/WeirdKeys.java | 41 ++++----- .../collection/PGPKeyRingCollectionTest.java | 8 +- .../parsing/KeyRingCollectionReaderTest.java | 11 ++- .../key/parsing/KeyRingReaderTest.java | 87 +++++++++---------- .../CachingSecretKeyRingProtectorTest.java | 27 +++--- .../weird_keys/TestTwoSubkeysEncryption.java | 15 ++-- 11 files changed, 148 insertions(+), 139 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt index 18303dfc..8de2726b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/BcHashContextSigner.kt @@ -4,6 +4,7 @@ package org.pgpainless.encryption_signing +import java.security.MessageDigest import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSignatureGenerator import org.bouncycastle.openpgp.api.OpenPGPKey @@ -12,7 +13,6 @@ import org.pgpainless.PGPainless import org.pgpainless.algorithm.SignatureType import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.protection.UnlockSecretKey -import java.security.MessageDigest class BcHashContextSigner { @@ -29,7 +29,8 @@ class BcHashContextSigner { .mapNotNull { info.getSecretKey(it.keyIdentifier) } .firstOrNull() ?.let { - signHashContext(hashContext, signatureType, UnlockSecretKey.unlockSecretKey(it, protector)) + signHashContext( + hashContext, signatureType, UnlockSecretKey.unlockSecretKey(it, protector)) } ?: throw PGPException("Key does not contain suitable signing subkey.") } @@ -49,8 +50,7 @@ class BcHashContextSigner { privateKey: OpenPGPKey.OpenPGPPrivateKey ): OpenPGPDocumentSignature { return PGPSignatureGenerator( - BcPGPHashContextContentSignerBuilder(hashContext), - privateKey.keyPair.publicKey) + BcPGPHashContextContentSignerBuilder(hashContext), privateKey.keyPair.publicKey) .apply { init(signatureType.code, privateKey.keyPair.privateKey) } .generate() .let { OpenPGPDocumentSignature(it, privateKey.publicKey) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt index dd2f7081..00ea9de9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/UnlockSecretKey.kt @@ -113,7 +113,10 @@ class UnlockSecretKey { } @JvmStatic - fun unlockSecretKey(secretKey: OpenPGPSecretKey, passphrase: Passphrase): OpenPGPPrivateKey = + fun unlockSecretKey( + secretKey: OpenPGPSecretKey, + passphrase: Passphrase + ): OpenPGPPrivateKey = unlockSecretKey(secretKey, SecretKeyRingProtector.unlockAnyKeyWith(passphrase)) } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index d364a84d..7adfefd5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -16,7 +16,6 @@ import java.util.Iterator; import java.util.List; import java.util.Set; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; @@ -31,7 +30,6 @@ import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.util.Passphrase; import javax.annotation.Nonnull; @@ -43,10 +41,11 @@ public class EncryptionOptionsTest { private static OpenPGPCertificate.OpenPGPComponentKey primaryKey; private static OpenPGPCertificate.OpenPGPComponentKey encryptComms; private static OpenPGPCertificate.OpenPGPComponentKey encryptStorage; + private static final PGPainless api = PGPainless.getInstance(); @BeforeAll public static void generateKey() { - secretKeys = PGPainless.buildKeyRing() + secretKeys = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER) .build()) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS) @@ -66,7 +65,7 @@ public class EncryptionOptionsTest { @Test public void testOverrideEncryptionAlgorithmFailsForNULL() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); assertNull(options.getEncryptionAlgorithmOverride()); assertThrows(IllegalArgumentException.class, () -> options.overrideEncryptionAlgorithm(SymmetricKeyAlgorithm.NULL)); @@ -76,7 +75,7 @@ public class EncryptionOptionsTest { @Test public void testOverrideEncryptionOptions() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); assertNull(options.getEncryptionAlgorithmOverride()); options.overrideEncryptionAlgorithm(SymmetricKeyAlgorithm.AES_128); @@ -85,7 +84,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipients_EncryptCommunications() { - EncryptionOptions options = EncryptionOptions.encryptCommunications(); + EncryptionOptions options = EncryptionOptions.encryptCommunications(api); options.addRecipient(publicKeys); Set encryptionKeys = options.getEncryptionKeys(); @@ -95,7 +94,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipients_EncryptDataAtRest() { - EncryptionOptions options = EncryptionOptions.encryptDataAtRest(); + EncryptionOptions options = EncryptionOptions.encryptDataAtRest(api); options.addRecipient(publicKeys); Set encryptionKeys = options.getEncryptionKeys(); @@ -105,7 +104,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipients_AllKeys() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); options.addRecipient(publicKeys, EncryptionOptions.encryptToAllCapableSubkeys()); Set encryptionKeys = options.getEncryptionKeys(); @@ -115,9 +114,10 @@ public class EncryptionOptionsTest { assertTrue(encryptionKeys.contains(encryptStorage)); } + @SuppressWarnings("deprecation") @Test public void testAddEmptyRecipientsFails() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); assertThrows(IllegalArgumentException.class, () -> options.addRecipients(Collections.emptyList())); assertThrows(IllegalArgumentException.class, () -> options.addRecipients(Collections.emptyList(), ArrayList::new)); @@ -125,7 +125,7 @@ public class EncryptionOptionsTest { @Test public void testAddEmptyPassphraseFails() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); assertThrows(IllegalArgumentException.class, () -> options.addMessagePassphrase(Passphrase.emptyPassphrase())); } @@ -133,7 +133,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipient_KeyWithoutEncryptionKeyFails() { EncryptionOptions options = EncryptionOptions.get(); - OpenPGPKey secretKeys = PGPainless.buildKeyRing() + OpenPGPKey secretKeys = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("test@pgpainless.org") .build(); @@ -144,7 +144,7 @@ public class EncryptionOptionsTest { @Test public void testEncryptionKeySelectionStrategyEmpty_ThrowsAssertionError() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys, new EncryptionOptions.EncryptionKeySelector() { @@ -157,6 +157,7 @@ public class EncryptionOptionsTest { assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys, "test@pgpainless.org", new EncryptionOptions.EncryptionKeySelector() { + @NotNull @Override public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) { return Collections.emptyList(); @@ -166,21 +167,21 @@ public class EncryptionOptionsTest { @Test public void testAddRecipients_PGPPublicKeyRingCollection() { - PGPPublicKeyRing secondKeyRing = KeyRingUtils.publicKeyRingFrom( - PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org") - .getPGPSecretKeyRing()); + OpenPGPKey secondKey = api.generateKey().modernKeyRing("Other "); + OpenPGPCertificate secondCert = secondKey.toCertificate(); PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection( - Arrays.asList(publicKeys.getPGPPublicKeyRing(), secondKeyRing)); + Arrays.asList(publicKeys.getPGPPublicKeyRing(), secondCert.getPGPPublicKeyRing())); EncryptionOptions options = EncryptionOptions.get(); + // noinspection deprecation options.addRecipients(collection, EncryptionOptions.encryptToFirstSubkey()); assertEquals(2, options.getEncryptionKeyIdentifiers().size()); } @Test public void testAddRecipient_withValidUserId() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); options.addRecipient(publicKeys, "test@pgpainless.org", EncryptionOptions.encryptToFirstSubkey()); assertEquals(1, options.getEncryptionMethods().size()); @@ -188,7 +189,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipient_withInvalidUserId() { - EncryptionOptions options = EncryptionOptions.get(); + EncryptionOptions options = EncryptionOptions.get(api); assertThrows(KeyException.UnboundUserIdException.class, () -> options.addRecipient(publicKeys, "invalid@user.id")); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java index 0684c81e..7298c3d4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java @@ -17,8 +17,8 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPLiteralData; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.JUtils; import org.junit.jupiter.api.BeforeAll; @@ -32,14 +32,14 @@ import org.pgpainless.decryption_verification.MessageMetadata; public class FileInformationTest { private static final String data = "Hello, World!\n"; - private static PGPSecretKeyRing secretKey; - private static PGPPublicKeyRing certificate; + private static OpenPGPKey secretKey; + private static OpenPGPCertificate certificate; + private static final PGPainless api = PGPainless.getInstance(); @BeforeAll public static void generateKey() { - secretKey = PGPainless.generateKeyRing().modernKeyRing("alice@wonderland.lit") - .getPGPSecretKeyRing(); - certificate = PGPainless.extractCertificate(secretKey); + secretKey = api.generateKey().modernKeyRing("alice@wonderland.lit"); + certificate = secretKey.toCertificate(); } @Test @@ -50,11 +50,12 @@ public class FileInformationTest { ByteArrayInputStream dataIn = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream dataOut = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + // noinspection deprecation + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(dataOut) .withOptions(ProducerOptions.encrypt( EncryptionOptions - .encryptCommunications() + .encryptCommunications(api) .addRecipient(certificate)) .setFileName(fileName) .setModificationDate(modificationDate) @@ -91,11 +92,11 @@ public class FileInformationTest { public void testDefaults() throws PGPException, IOException { ByteArrayInputStream dataIn = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream dataOut = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(dataOut) .withOptions(ProducerOptions.encrypt( EncryptionOptions - .encryptCommunications() + .encryptCommunications(api) .addRecipient(certificate)) ); @@ -125,6 +126,7 @@ public class FileInformationTest { JUtils.assertDateEquals(PGPLiteralData.NOW, decResult.getModificationDate()); assertNotNull(decResult.getLiteralDataEncoding()); assertEquals(PGPLiteralData.BINARY, decResult.getLiteralDataEncoding().getCode()); + // noinspection deprecation assertFalse(decResult.isForYourEyesOnly()); } @@ -132,11 +134,12 @@ public class FileInformationTest { public void testForYourEyesOnly() throws PGPException, IOException { ByteArrayInputStream dataIn = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream dataOut = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + // noinspection deprecation + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(dataOut) .withOptions(ProducerOptions.encrypt( EncryptionOptions - .encryptCommunications() + .encryptCommunications(api) .addRecipient(certificate)) .setForYourEyesOnly() ); @@ -167,6 +170,7 @@ public class FileInformationTest { JUtils.assertDateEquals(PGPLiteralData.NOW, decResult.getModificationDate()); assertNotNull(decResult.getLiteralDataEncoding()); assertEquals(PGPLiteralData.BINARY, decResult.getLiteralDataEncoding().getCode()); + // noinspection deprecation assertTrue(decResult.isForYourEyesOnly()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java index af018584..5df689c5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java @@ -13,8 +13,8 @@ import java.io.IOException; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -30,18 +30,18 @@ public class HiddenRecipientEncryptionTest { @Test public void testAnonymousRecipientRoundtrip() throws PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.generateKey() + .modernKeyRing("Alice "); + OpenPGPCertificate certificate = secretKeys.toCertificate(); String msg = "Hello, World!\n"; ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(ciphertextOut) .withOptions(ProducerOptions.encrypt( - EncryptionOptions.get() + EncryptionOptions.get(api) .addHiddenRecipient(certificate) )); encryptionStream.write(msg.getBytes(StandardCharsets.UTF_8)); @@ -65,6 +65,8 @@ public class HiddenRecipientEncryptionTest { assertEquals(msg, plaintextOut.toString()); assertTrue(metadata.getRecipientKeyIds().contains(0L)); + assertEquals(1, metadata.getRecipientKeyIdentifiers().size()); + assertTrue(metadata.getRecipientKeyIdentifiers().get(0).isWildcard()); assertEquals(actualEncryptionKey, metadata.getDecryptionKey()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java index 97637c99..e5d96bc0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java @@ -13,17 +13,17 @@ import java.util.Collections; import org.bouncycastle.bcpg.HashAlgorithmTags; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.Strings; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.UnlockSecretKey; @@ -67,8 +67,8 @@ public class WeirdKeys { "=BlPm\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - public static PGPSecretKeyRing getTwoCryptSubkeysKey() throws IOException { - return PGPainless.readKeyRing().secretKeyRing(TWO_CRYPT_SUBKEYS); + public static OpenPGPKey getTwoCryptSubkeysKey() throws IOException { + return PGPainless.getInstance().readKey().parseKey(TWO_CRYPT_SUBKEYS); } /** @@ -96,18 +96,18 @@ public class WeirdKeys { "=h6sT\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - public static PGPSecretKeyRing getArchiveCommsSubkeysKey() throws IOException { - return PGPainless.readKeyRing().secretKeyRing(ARCHIVE_COMMS_SUBKEYS); + public static OpenPGPKey getArchiveCommsSubkeysKey() throws IOException { + return PGPainless.getInstance().readKey().parseKey(ARCHIVE_COMMS_SUBKEYS); } @Test public void generateCertAndTestWithNonUTF8UserId() throws PGPException, IOException { - PGPSecretKeyRing nakedKey = PGPainless.generateKeyRing().modernKeyRing(null) - .getPGPSecretKeyRing(); - PGPPublicKey pubKey = nakedKey.getPublicKey(); - PGPSecretKey secKey = nakedKey.getSecretKey(); - PGPPrivateKey privKey = UnlockSecretKey.unlockSecretKey(secKey, Passphrase.emptyPassphrase()); + OpenPGPKey nakedKey = PGPainless.getInstance() + .generateKey(OpenPGPKeyVersion.v4) // v4, since we manually craft the binding sig later on + .modernKeyRing(null); + OpenPGPKey.OpenPGPSecretKey primaryKey = nakedKey.getPrimarySecretKey(); + OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primaryKey, Passphrase.emptyPassphrase()); // Non-UTF8 User-ID ByteArrayOutputStream bOut = new ByteArrayOutputStream(); @@ -122,15 +122,15 @@ public class WeirdKeys { PGPSignatureGenerator sigGen = new PGPSignatureGenerator( OpenPGPImplementation.getInstance().pgpContentSignerBuilder( - pubKey.getAlgorithm(), + primaryKey.getAlgorithm(), HashAlgorithmTags.SHA512), - pubKey); - sigGen.init(SignatureType.GENERIC_CERTIFICATION.getCode(), privKey); + primaryKey.getPGPPublicKey()); + sigGen.init(SignatureType.GENERIC_CERTIFICATION.getCode(), privateKey.getKeyPair().getPrivateKey()); // We have to manually generate the signature over the user-ID // updateWithKey() - byte[] keyBytes = pubKey.getPublicKeyPacket().getEncodedContents(); - sigGen.update((byte) 0x99); + byte[] keyBytes = primaryKey.getPGPPublicKey().getPublicKeyPacket().getEncodedContents(); + sigGen.update((byte) 0x99); // 0x99 means v4 key sigGen.update((byte) (keyBytes.length >> 8)); sigGen.update((byte) (keyBytes.length)); sigGen.update(keyBytes); @@ -144,12 +144,13 @@ public class WeirdKeys { sigGen.update(idBytes); PGPSignature signature = sigGen.generate(); - pubKey = PGPPublicKey.addCertification(pubKey, idBytes, signature); + PGPPublicKey pubKey = PGPPublicKey.addCertification(primaryKey.getPGPPublicKey(), idBytes, signature); - PGPPublicKeyRing cert = new PGPPublicKeyRing(Collections.singletonList(pubKey)); + PGPPublicKeyRing pubRing = new PGPPublicKeyRing(Collections.singletonList(pubKey)); + OpenPGPCertificate cert = PGPainless.getInstance().toCertificate(pubRing); // This might fail - KeyRingInfo info = PGPainless.inspectKeyRing(cert); + KeyRingInfo info = PGPainless.getInstance().inspect(cert); assertTrue(info.getUserIds().isEmpty()); // Malformed ID is ignored } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java index f356f007..769ead35 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java @@ -54,10 +54,14 @@ public class PGPKeyRingCollectionTest { @Test public void testConstructorFromCollection() { - PGPSecretKeyRing first = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit") + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing first = api.generateKey() + .simpleEcKeyRing("alice@wonderland.lit") .getPGPSecretKeyRing(); - PGPSecretKeyRing second = PGPainless.generateKeyRing().simpleEcKeyRing("bob@the-builder.tv") + PGPSecretKeyRing second = api.generateKey() + .simpleEcKeyRing("bob@the-builder.tv") .getPGPSecretKeyRing(); + // noinspection deprecation PGPPublicKeyRing secondPub = KeyRingUtils.publicKeyRingFrom(second); Collection keys = Arrays.asList(first, second, secondPub); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java index c91186c7..5d8c8027 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java @@ -23,10 +23,13 @@ public class KeyRingCollectionReaderTest { @Test public void writeAndParseKeyRingCollections() throws IOException { + PGPainless api = PGPainless.getInstance(); // secret keys - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ") + PGPSecretKeyRing alice = api.generateKey() + .modernKeyRing("Alice ") .getPGPSecretKeyRing(); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ") + PGPSecretKeyRing bob = api.generateKey() + .modernKeyRing("Bob ") .getPGPSecretKeyRing(); PGPSecretKeyRingCollection collection = KeyRingUtils.keyRingsToKeyRingCollection(alice, bob); @@ -36,8 +39,8 @@ public class KeyRingCollectionReaderTest { assertEquals(collection.size(), parsed.size()); // public keys - PGPPublicKeyRing pAlice = KeyRingUtils.publicKeyRingFrom(alice); - PGPPublicKeyRing pBob = KeyRingUtils.publicKeyRingFrom(bob); + PGPPublicKeyRing pAlice = alice.toCertificate(); + PGPPublicKeyRing pBob = bob.toCertificate(); PGPPublicKeyRingCollection pCollection = KeyRingUtils.keyRingsToKeyRingCollection(pAlice, pBob); ascii = ArmorUtils.toAsciiArmoredString(pCollection); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index 7bfffe92..7f0862d7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -6,6 +6,8 @@ package org.pgpainless.key.parsing; import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertInstanceOf; +import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -30,6 +32,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPImplementation; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; @@ -38,13 +41,14 @@ import org.opentest4j.TestAbortedException; import org.pgpainless.PGPainless; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.collection.PGPKeyRingCollection; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.ArmoredOutputStreamFactory; import org.pgpainless.util.TestUtils; class KeyRingReaderTest { + private final PGPainless api = PGPainless.getInstance(); + private InputStream requireResource(String resourceName) { InputStream inputStream = getClass().getClassLoader().getResourceAsStream(resourceName); if (inputStream == null) { @@ -81,9 +85,9 @@ class KeyRingReaderTest { Collection collection = new ArrayList<>(); for (int i = 0; i < 10; i++) { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("user_" + i + "@encrypted.key") + PGPSecretKeyRing secretKeys = api.generateKey().simpleEcKeyRing("user_" + i + "@encrypted.key") .getPGPSecretKeyRing(); - collection.add(KeyRingUtils.publicKeyRingFrom(secretKeys)); + collection.add(secretKeys.toCertificate()); } PGPPublicKeyRingCollection originalRings = new PGPPublicKeyRingCollection(collection); @@ -275,7 +279,8 @@ class KeyRingReaderTest { "=9jtR\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(markerAndKey); + OpenPGPKey secretKey = api.readKey().parseKey(markerAndKey); + assertNotNull(secretKey); assertEquals( new OpenPgpV4Fingerprint("562584F8730F39FCB02AACAE735E5EB1C541C0CE"), new OpenPgpV4Fingerprint(secretKey)); @@ -304,7 +309,7 @@ class KeyRingReaderTest { "=6XFh\n" + "-----END PGP PUBLIC KEY BLOCK-----\n"; - PGPPublicKeyRing certificate = PGPainless.readKeyRing().publicKeyRing(markerAndCert); + OpenPGPCertificate certificate = api.readKey().parseCertificate(markerAndCert); assertEquals( new OpenPgpV4Fingerprint("4291C2BEF9B9209DF11128E7F6F2BBD4F5D29793"), @@ -450,10 +455,8 @@ class KeyRingReaderTest { @Test public void testReadSecretKeysIgnoresMultipleMarkers() throws IOException { - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") - .getPGPSecretKeyRing(); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org") - .getPGPSecretKeyRing(); + OpenPGPKey alice = api.generateKey().modernKeyRing("alice@pgpainless.org"); + OpenPGPKey bob = api.generateKey().modernKeyRing("bob@pgpainless.org"); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -464,11 +467,11 @@ class KeyRingReaderTest { for (int i = 0; i < 25; i++) { marker.encode(outputStream); } - alice.encode(outputStream); + outputStream.write(alice.getEncoded()); for (int i = 0; i < 53; i++) { marker.encode(outputStream); } - bob.encode(outputStream); + outputStream.write(bob.getEncoded()); for (int i = 0; i < 102; i++) { marker.encode(outputStream); } @@ -479,15 +482,14 @@ class KeyRingReaderTest { PGPSecretKeyRingCollection secretKeys = PGPainless.readKeyRing().secretKeyRingCollection(armoredMess); assertEquals(2, secretKeys.size()); - assertTrue(secretKeys.contains(alice.getSecretKey().getKeyID())); - assertTrue(secretKeys.contains(bob.getSecretKey().getKeyID())); + assertTrue(secretKeys.contains(alice.getKeyIdentifier().getKeyId())); + assertTrue(secretKeys.contains(bob.getKeyIdentifier().getKeyId())); } @Test public void testReadingSecretKeysExceedsIterationLimit() throws IOException { - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") - .getPGPSecretKeyRing(); + OpenPGPKey alice = api.generateKey().modernKeyRing("alice@pgpainless.org"); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -497,7 +499,7 @@ class KeyRingReaderTest { for (int i = 0; i < 600; i++) { marker.encode(outputStream); } - alice.encode(outputStream); + outputStream.write(alice.getEncoded()); assertThrows(IOException.class, () -> KeyRingReader.readSecretKeyRing(new ByteArrayInputStream(bytes.toByteArray()), 512)); @@ -506,10 +508,8 @@ class KeyRingReaderTest { @Test public void testReadingSecretKeyCollectionExceedsIterationLimit() throws IOException { - PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") - .getPGPSecretKeyRing(); - PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org") - .getPGPSecretKeyRing(); + OpenPGPKey alice = api.generateKey().modernKeyRing("alice@pgpainless.org"); + OpenPGPKey bob = api.generateKey().modernKeyRing("bob@pgpainless.org"); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -519,8 +519,8 @@ class KeyRingReaderTest { for (int i = 0; i < 600; i++) { marker.encode(outputStream); } - alice.encode(outputStream); - bob.encode(outputStream); + outputStream.write(alice.getEncoded()); + outputStream.write(bob.getEncoded()); assertThrows(IOException.class, () -> KeyRingReader.readSecretKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512)); @@ -530,9 +530,8 @@ class KeyRingReaderTest { @Test public void testReadingPublicKeysExceedsIterationLimit() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") - .getPGPSecretKeyRing(); - PGPPublicKeyRing alice = PGPainless.extractCertificate(secretKeys); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("alice@pgpainless.org"); + OpenPGPCertificate alice = secretKeys.toCertificate(); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -542,7 +541,7 @@ class KeyRingReaderTest { for (int i = 0; i < 600; i++) { marker.encode(outputStream); } - alice.encode(outputStream); + outputStream.write(alice.getEncoded()); assertThrows(IOException.class, () -> KeyRingReader.readPublicKeyRing(new ByteArrayInputStream(bytes.toByteArray()), 512)); @@ -551,12 +550,10 @@ class KeyRingReaderTest { @Test public void testReadingPublicKeyCollectionExceedsIterationLimit() throws IOException { - PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org") - .getPGPSecretKeyRing(); - PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org") - .getPGPSecretKeyRing(); - PGPPublicKeyRing alice = PGPainless.extractCertificate(sec1); - PGPPublicKeyRing bob = PGPainless.extractCertificate(sec2); + OpenPGPKey sec1 = api.generateKey().modernKeyRing("alice@pgpainless.org"); + OpenPGPKey sec2 = api.generateKey().modernKeyRing("bob@pgpainless.org"); + OpenPGPCertificate alice = sec1.toCertificate(); + OpenPGPCertificate bob = sec2.toCertificate(); MarkerPacket marker = TestUtils.getMarkerPacket(); ByteArrayOutputStream bytes = new ByteArrayOutputStream(); @@ -566,8 +563,8 @@ class KeyRingReaderTest { for (int i = 0; i < 600; i++) { marker.encode(outputStream); } - alice.encode(outputStream); - bob.encode(outputStream); + outputStream.write(alice.getEncoded()); + outputStream.write(bob.getEncoded()); assertThrows(IOException.class, () -> KeyRingReader.readPublicKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512)); @@ -575,48 +572,44 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithBinaryPublicKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); + OpenPGPCertificate publicKeys = secretKeys.toCertificate(); byte[] bytes = publicKeys.getEncoded(); PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(bytes); - assertTrue(keyRing instanceof PGPPublicKeyRing); + assertInstanceOf(PGPPublicKeyRing.class, keyRing); assertArrayEquals(keyRing.getEncoded(), publicKeys.getEncoded()); } @Test public void testReadKeyRingWithBinarySecretKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); byte[] bytes = secretKeys.getEncoded(); PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(bytes); - assertTrue(keyRing instanceof PGPSecretKeyRing); + assertInstanceOf(PGPSecretKeyRing.class, keyRing); assertArrayEquals(keyRing.getEncoded(), secretKeys.getEncoded()); } @Test public void testReadKeyRingWithArmoredPublicKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ") - .getPGPSecretKeyRing(); - PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); + OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); + OpenPGPCertificate publicKeys = secretKeys.toCertificate(); String armored = PGPainless.asciiArmor(publicKeys); PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(armored); - assertTrue(keyRing instanceof PGPPublicKeyRing); + assertInstanceOf(PGPPublicKeyRing.class, keyRing); assertArrayEquals(keyRing.getEncoded(), publicKeys.getEncoded()); } @Test public void testReadKeyRingWithArmoredSecretKey() throws IOException { - PGPainless api = PGPainless.getInstance(); OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); // remove PacketFormat argument once https://github.com/bcgit/bc-java/pull/1993 lands in BC String armored = secretKeys.toAsciiArmoredString(PacketFormat.LEGACY); @@ -624,7 +617,7 @@ class KeyRingReaderTest { PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(armored); - assertTrue(keyRing instanceof PGPSecretKeyRing); + assertInstanceOf(PGPSecretKeyRing.class, keyRing); assertArrayEquals(keyRing.getEncoded(), secretKeys.getEncoded()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index 18c341da..90acf6d5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -15,10 +15,10 @@ import java.util.Random; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPKeyRing; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -78,40 +78,39 @@ public class CachingSecretKeyRingProtectorTest { @Test public void testAddPassphraseForKeyRing() throws PGPException { - PGPSecretKeyRing keys = PGPainless.generateKeyRing() - .modernKeyRing("test@test.test", "Passphrase123") - .getPGPSecretKeyRing(); + OpenPGPKey keys = PGPainless.getInstance().generateKey() + .modernKeyRing("test@test.test", "Passphrase123"); Passphrase passphrase = Passphrase.fromPassword("Passphrase123"); protector.addPassphrase(keys, passphrase); - Iterator it = keys.getSecretKeys(); + Iterator it = keys.getSecretKeys().values().iterator(); while (it.hasNext()) { - PGPSecretKey key = it.next(); + OpenPGPKey.OpenPGPSecretKey key = it.next(); assertEquals(passphrase, protector.getPassphraseFor(key)); - assertNotNull(protector.getEncryptor(key.getPublicKey())); - assertNotNull(protector.getDecryptor(key.getKeyIdentifier())); + assertNotNull(protector.getEncryptor(key)); + assertNotNull(protector.getDecryptor(key)); } long nonMatching = findNonMatchingKeyId(keys); assertNull(protector.getPassphraseFor(new KeyIdentifier(nonMatching))); protector.forgetPassphrase(keys); - it = keys.getSecretKeys(); + it = keys.getSecretKeys().values().iterator(); while (it.hasNext()) { - PGPSecretKey key = it.next(); + OpenPGPKey.OpenPGPSecretKey key = it.next(); assertNull(protector.getPassphraseFor(key)); assertNull(protector.getEncryptor(key.getPublicKey())); assertNull(protector.getDecryptor(key.getKeyIdentifier())); } } - private static long findNonMatchingKeyId(PGPKeyRing keyRing) { + private static long findNonMatchingKeyId(OpenPGPCertificate cert) { Random random = new Random(); long nonMatchingKeyId = 123L; outerloop: while (true) { - Iterator pubKeys = keyRing.getPublicKeys(); + Iterator pubKeys = cert.getKeys().iterator(); while (pubKeys.hasNext()) { - if (pubKeys.next().getKeyID() == nonMatchingKeyId) { + if (pubKeys.next().getKeyIdentifier().getKeyId() == nonMatchingKeyId) { nonMatchingKeyId = random.nextLong(); continue outerloop; } diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java index 373396df..f09f1445 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java @@ -12,8 +12,8 @@ import java.io.IOException; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -22,7 +22,6 @@ import org.pgpainless.encryption_signing.EncryptionResult; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.key.WeirdKeys; -import org.pgpainless.key.util.KeyRingUtils; public class TestTwoSubkeysEncryption { @@ -35,8 +34,8 @@ public class TestTwoSubkeysEncryption { /** * {@link WeirdKeys#TWO_CRYPT_SUBKEYS} is a key that has two subkeys which both carry the key flags * {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_COMMS} and {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_STORAGE}. - * - * This test verifies that {@link EncryptionOptions#addRecipient(PGPPublicKeyRing, EncryptionOptions.EncryptionKeySelector)} + *

+ * This test verifies that {@link EncryptionOptions#addRecipient(OpenPGPCertificate, EncryptionOptions.EncryptionKeySelector)} * works properly, if {@link EncryptionOptions#encryptToAllCapableSubkeys()} is provided as argument. * * @throws IOException not expected @@ -44,10 +43,10 @@ public class TestTwoSubkeysEncryption { */ @Test public void testEncryptsToBothSubkeys() throws IOException, PGPException { - PGPSecretKeyRing twoSuitableSubkeysKeyRing = WeirdKeys.getTwoCryptSubkeysKey(); - PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(twoSuitableSubkeysKeyRing); + OpenPGPKey twoSuitableSubkeysKeyRing = WeirdKeys.getTwoCryptSubkeysKey(); + OpenPGPCertificate publicKeys = twoSuitableSubkeysKeyRing.toCertificate(); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = PGPainless.getInstance().generateMessage() .onOutputStream(out) .withOptions( ProducerOptions.encrypt(EncryptionOptions.get() From 8c291c8c45022be94125177cf1f081b422e6ce6d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 3 Apr 2025 12:49:24 +0200 Subject: [PATCH 163/265] Port KeyWithUnknownSecretKeyEncryptionMethodTest --- .../key/KeyWithUnknownSecretKeyEncryptionMethodTest.kt | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/test/kotlin/org/pgpainless/key/KeyWithUnknownSecretKeyEncryptionMethodTest.kt b/pgpainless-core/src/test/kotlin/org/pgpainless/key/KeyWithUnknownSecretKeyEncryptionMethodTest.kt index 253c0f19..b45bfa39 100644 --- a/pgpainless-core/src/test/kotlin/org/pgpainless/key/KeyWithUnknownSecretKeyEncryptionMethodTest.kt +++ b/pgpainless-core/src/test/kotlin/org/pgpainless/key/KeyWithUnknownSecretKeyEncryptionMethodTest.kt @@ -31,13 +31,11 @@ DhxJVTgA/1WaFrKdP3AgL0Ffdooc5XXbjQsj0uHo6FZSHRI4pchMAQCyJnKQ3RvW @Test @Disabled("Disabled since BC 1.77 chokes on the test key") fun testExtractCertificate() { - val key = PGPainless.readKeyRing().secretKeyRing(KEY)!! - val cert = PGPainless.extractCertificate(key) + val key = PGPainless.getInstance().readKey().parseKey(KEY)!! + val cert = key.toCertificate() assertNotNull(cert) // Each secret key got its public key component extracted - assertEquals( - key.secretKeys.asSequence().map { it.keyID }.toSet(), - cert.publicKeys.asSequence().map { it.keyID }.toSet()) + assertEquals(key.secretKeys.keys.toSet(), cert.publicKeys.keys.toSet()) } } From 686244a7306e7179d5323cdda20550c13cf24f22 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 13:34:23 +0200 Subject: [PATCH 164/265] Add tests for v6<->v4 certificate certification --- .../CertifyV6CertificateTest.java | 250 +++++++++++++++++- 1 file changed, 244 insertions(+), 6 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java index 6c37cbcc..a0b717f9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyV6CertificateTest.java @@ -1,18 +1,23 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub +// SPDX-FileCopyrightText: 2025 Paul Schaub // // SPDX-License-Identifier: Apache-2.0 package org.pgpainless.key.certification; +import org.bouncycastle.bcpg.SignaturePacket; import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureException; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.CertificationType; import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.key.protection.SecretKeyRingProtector; +import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -21,6 +26,7 @@ public class CertifyV6CertificateTest { @Test public void testCertifyV6UIDWithV6Key() throws PGPException { + // Alice (6) certifies Bob (6) PGPainless api = PGPainless.getInstance(); OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) @@ -32,16 +38,19 @@ public class CertifyV6CertificateTest { // Create a certification on Bobs certificate OpenPGPCertificate bobCertified = api.generateCertification() - .certifyUserId("Bob ", bobCert) + .certifyUserId("Bob ", bobCert, CertificationType.POSITIVE) .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) .build().getCertifiedCertificate(); // Check that there is a valid certification chain from Alice to Bobs UID - OpenPGPCertificate.OpenPGPSignatureChain signatureChain = + OpenPGPCertificate.OpenPGPSignatureChain certification = bobCertified.getUserId("Bob ") .getCertificationBy(aliceKey.toCertificate()); - assertNotNull(signatureChain); - assertTrue(signatureChain.isValid()); + assertNotNull(certification); + assertTrue(certification.isValid()); + OpenPGPSignature certificationSignature = certification.getSignature(); + assertEquals(SignaturePacket.VERSION_6, certificationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.POSITIVE_CERTIFICATION, certificationSignature.getSignature().getSignatureType()); // Revoke Alice' key and... @@ -55,11 +64,15 @@ public class CertifyV6CertificateTest { .getCertificationBy(aliceRevoked.toCertificate()); assertNull(missingChain); + // ...but DO have a revocation chain OpenPGPCertificate.OpenPGPSignatureChain revokedChain = bobCertified.getUserId("Bob ") .getRevocationBy(aliceRevoked); assertNotNull(revokedChain); assertTrue(revokedChain.isValid()); + OpenPGPSignature revocationSignature = revokedChain.getRevocation(); + assertEquals(SignaturePacket.VERSION_6, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.KEY_REVOCATION, revocationSignature.getSignature().getSignatureType()); // Instead, revoke the certification itself and... @@ -74,10 +87,14 @@ public class CertifyV6CertificateTest { .getRevocationBy(aliceKey.toCertificate()); assertNotNull(brokenChain); assertTrue(brokenChain.isValid()); + revocationSignature = brokenChain.getSignature(); + assertEquals(SignaturePacket.VERSION_6, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.CERTIFICATION_REVOCATION, revocationSignature.getSignature().getSignatureType()); } @Test - public void testCertifyV6CertificateWithV6Key() throws PGPSignatureException { + public void testDelegateV6CertWithV6Key() throws PGPSignatureException { + // Alice (6) delegates Bob (6) PGPainless api = PGPainless.getInstance(); OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) @@ -96,6 +113,9 @@ public class CertifyV6CertificateTest { OpenPGPCertificate.OpenPGPSignatureChain delegation = bobDelegated.getDelegationBy(aliceKey.toCertificate()); assertNotNull(delegation); assertTrue(delegation.isValid()); + OpenPGPSignature delegationSignature = delegation.getSignature(); + assertEquals(SignaturePacket.VERSION_6, delegationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.DIRECT_KEY, delegationSignature.getSignature().getSignatureType()); // Alice revokes the delegation OpenPGPCertificate bobRevoked = api.generateCertification() @@ -106,5 +126,223 @@ public class CertifyV6CertificateTest { OpenPGPCertificate.OpenPGPSignatureChain revocation = bobRevoked.getRevocationBy(aliceKey.toCertificate()); assertNotNull(revocation); assertTrue(revocation.isValid()); + OpenPGPSignature revocationSignature = revocation.getSignature(); + assertEquals(SignaturePacket.VERSION_6, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.KEY_REVOCATION, revocationSignature.getSignature().getSignatureType()); + } + + @Test + public void testCertifyV4UIDWithV6Key() throws PGPException { + // Alice (6) certifies Bob (4) + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + + OpenPGPKey bobKey = api.generateKey(OpenPGPKeyVersion.v4) + .modernKeyRing("Bob "); + OpenPGPCertificate bobCert = bobKey.toCertificate(); + + // Create a certification on Bobs certificate + // Alice => "Bob" (Bob) + OpenPGPCertificate bobCertified = api.generateCertification() + .certifyUserId("Bob ", bobCert, CertificationType.CASUAL) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // Check that there is a valid certification chain from Alice to Bobs UID + OpenPGPCertificate.OpenPGPSignatureChain signatureChain = + bobCertified.getUserId("Bob ") + .getCertificationBy(aliceKey.toCertificate()); + assertNotNull(signatureChain); + assertTrue(signatureChain.isValid()); + OpenPGPSignature certificationSignature = signatureChain.getSignature(); + assertEquals(SignaturePacket.VERSION_6, certificationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.CASUAL_CERTIFICATION, certificationSignature.getSignature().getSignatureType()); + + // Revoke Alice' key and... + OpenPGPKey aliceRevoked = api.modify(aliceKey) + .revoke(SecretKeyRingProtector.unprotectedKeys()) + .done(); + + // ...verify we no longer have a valid certification chain + OpenPGPCertificate.OpenPGPSignatureChain missingChain = + bobCertified.getUserId("Bob ") + .getCertificationBy(aliceRevoked.toCertificate()); + assertNull(missingChain); + + + // ...but DO have a revocation chain + OpenPGPCertificate.OpenPGPSignatureChain revokedChain = + bobCertified.getUserId("Bob ") + .getRevocationBy(aliceRevoked); + assertNotNull(revokedChain); + assertTrue(revokedChain.isValid()); + OpenPGPSignature revocationSignature = revokedChain.getRevocation(); + assertEquals(SignaturePacket.VERSION_6, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.KEY_REVOCATION, revocationSignature.getSignature().getSignatureType()); + + + // Instead, revoke the certification itself and... + bobCertified = api.generateCertification() + .revokeCertifiedUserId("Bob ", bobCertified) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // ...verify we now have a valid certification chain + OpenPGPCertificate.OpenPGPSignatureChain brokenChain = + bobCertified.getUserId("Bob ") + .getRevocationBy(aliceKey.toCertificate()); + assertNotNull(brokenChain); + assertTrue(brokenChain.isValid()); + revocationSignature = brokenChain.getSignature(); + assertEquals(SignaturePacket.VERSION_6, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.CERTIFICATION_REVOCATION, revocationSignature.getSignature().getSignatureType()); + } + + @Test + public void testDelegateV4CertWithV6Key() throws PGPSignatureException { + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + OpenPGPKey bobKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Bob "); + OpenPGPCertificate bobCert = bobKey.toCertificate(); + + // Alice delegates trust to Bob + OpenPGPCertificate bobDelegated = api.generateCertification() + .delegateTrust(bobCert) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // Check that Bob is actually delegated to by Alice + OpenPGPCertificate.OpenPGPSignatureChain delegation = bobDelegated.getDelegationBy(aliceKey.toCertificate()); + assertNotNull(delegation); + assertTrue(delegation.isValid()); + OpenPGPSignature delegationSignature = delegation.getSignature(); + assertEquals(SignaturePacket.VERSION_6, delegationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.DIRECT_KEY, delegationSignature.getSignature().getSignatureType()); + + // Alice revokes the delegation + OpenPGPCertificate bobRevoked = api.generateCertification() + .revokeDelegatedTrust(bobDelegated) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + OpenPGPCertificate.OpenPGPSignatureChain revocation = bobRevoked.getRevocationBy(aliceKey.toCertificate()); + assertNotNull(revocation); + assertTrue(revocation.isValid()); + OpenPGPSignature revocationSignature = revocation.getSignature(); + assertEquals(SignaturePacket.VERSION_6, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.KEY_REVOCATION, revocationSignature.getSignature().getSignatureType()); + } + + @Test + public void testCertifyV6UIDWithV4Key() throws PGPException { + // Alice (4) certifies Bob (6) + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v4) + .modernKeyRing("Alice "); + + OpenPGPKey bobKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Bob "); + OpenPGPCertificate bobCert = bobKey.toCertificate(); + + // Create a certification on Bobs certificate + // Alice => "Bob" (Bob) + OpenPGPCertificate bobCertified = api.generateCertification() + .certifyUserId("Bob ", bobCert, CertificationType.CASUAL) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // Check that there is a valid certification chain from Alice to Bobs UID + OpenPGPCertificate.OpenPGPSignatureChain signatureChain = + bobCertified.getUserId("Bob ") + .getCertificationBy(aliceKey.toCertificate()); + assertNotNull(signatureChain); + assertTrue(signatureChain.isValid()); + OpenPGPSignature certificationSignature = signatureChain.getSignature(); + assertEquals(SignaturePacket.VERSION_4, certificationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.CASUAL_CERTIFICATION, certificationSignature.getSignature().getSignatureType()); + + // Revoke Alice' key and... + OpenPGPKey aliceRevoked = api.modify(aliceKey) + .revoke(SecretKeyRingProtector.unprotectedKeys()) + .done(); + + // ...verify we no longer have a valid certification chain + OpenPGPCertificate.OpenPGPSignatureChain missingChain = + bobCertified.getUserId("Bob ") + .getCertificationBy(aliceRevoked.toCertificate()); + assertNull(missingChain); + + + // ...but DO have a revocation chain + OpenPGPCertificate.OpenPGPSignatureChain revokedChain = + bobCertified.getUserId("Bob ") + .getRevocationBy(aliceRevoked); + assertNotNull(revokedChain); + assertTrue(revokedChain.isValid()); + OpenPGPSignature revocationSignature = revokedChain.getRevocation(); + assertEquals(SignaturePacket.VERSION_4, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.KEY_REVOCATION, revocationSignature.getSignature().getSignatureType()); + + + // Instead, revoke the certification itself and... + bobCertified = api.generateCertification() + .revokeCertifiedUserId("Bob ", bobCertified) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // ...verify we now have a valid certification chain + OpenPGPCertificate.OpenPGPSignatureChain brokenChain = + bobCertified.getUserId("Bob ") + .getRevocationBy(aliceKey.toCertificate()); + assertNotNull(brokenChain); + assertTrue(brokenChain.isValid()); + revocationSignature = brokenChain.getSignature(); + assertEquals(SignaturePacket.VERSION_4, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.CERTIFICATION_REVOCATION, revocationSignature.getSignature().getSignatureType()); + } + + @Test + public void testDelegateV6CertWithV4Key() throws PGPSignatureException { + // Alice (4) delegates Bob (6) + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey(OpenPGPKeyVersion.v4) + .modernKeyRing("Alice "); + OpenPGPKey bobKey = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Bob "); + OpenPGPCertificate bobCert = bobKey.toCertificate(); + + // Alice delegates trust to Bob + OpenPGPCertificate bobDelegated = api.generateCertification() + .delegateTrust(bobCert) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + // Check that Bob is actually delegated to by Alice + OpenPGPCertificate.OpenPGPSignatureChain delegation = bobDelegated.getDelegationBy(aliceKey.toCertificate()); + assertNotNull(delegation); + assertTrue(delegation.isValid()); + OpenPGPSignature delegationSignature = delegation.getSignature(); + assertEquals(SignaturePacket.VERSION_4, delegationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.DIRECT_KEY, delegationSignature.getSignature().getSignatureType()); + + // Alice revokes the delegation + OpenPGPCertificate bobRevoked = api.generateCertification() + .revokeDelegatedTrust(bobDelegated) + .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys()) + .build().getCertifiedCertificate(); + + OpenPGPCertificate.OpenPGPSignatureChain revocation = bobRevoked.getRevocationBy(aliceKey.toCertificate()); + assertNotNull(revocation); + assertTrue(revocation.isValid()); + OpenPGPSignature revocationSignature = revocation.getSignature(); + assertEquals(SignaturePacket.VERSION_4, revocationSignature.getSignature().getVersion()); + assertEquals(PGPSignature.KEY_REVOCATION, revocationSignature.getSignature().getSignatureType()); } } From 049f7422c052f8f0e38d83cb1d535f4d021fd8c7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 14:09:21 +0200 Subject: [PATCH 165/265] Replace all remaining usages of PGPainless.generateKeyRing() --- .../PassphraseProtectedKeyTest.java | 18 ++++----- .../key/protection/UnlockSecretKeyTest.java | 3 +- .../pgpainless/key/util/KeyRingUtilTest.java | 34 ++++++++--------- .../org/pgpainless/policy/WeakRSAKeyTest.java | 18 +++++---- .../OnePassSignatureBracketingTest.java | 37 +++++++++---------- ...artyCertificationSignatureBuilderTest.java | 8 ++-- ...irdPartyDirectKeySignatureBuilderTest.java | 4 +- .../java/org/pgpainless/sop/ArmorTest.java | 4 +- 8 files changed, 64 insertions(+), 62 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index 10c02bc2..c8a062a3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -8,13 +8,12 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; import java.io.IOException; -import java.util.Iterator; import javax.annotation.Nullable; import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.jetbrains.annotations.NotNull; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -60,13 +59,14 @@ public class PassphraseProtectedKeyTest { @Test public void testReturnsNonNullDecryptorForSubkeys() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice", "passphrase") - .getPGPSecretKeyRing(); - SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("passphrase")); - for (Iterator it = secretKeys.getPublicKeys(); it.hasNext(); ) { - PGPPublicKey subkey = it.next(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.generateKey() + .modernKeyRing("alice ", "passphrase"); + SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(key, Passphrase.fromPassword("passphrase")); + for (OpenPGPCertificate.OpenPGPComponentKey subkey : key.getPublicKeys().values()) { assertNotNull(protector.getEncryptor(subkey)); - assertNotNull(protector.getDecryptor(subkey.getKeyID())); + assertNotNull(protector.getDecryptor(subkey.getKeyIdentifier())); + assertNotNull(protector.getDecryptor(subkey.getKeyIdentifier().getKeyId())); } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java index ba98c2c2..5aa940f1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java @@ -20,7 +20,8 @@ public class UnlockSecretKeyTest { @Test public void testUnlockSecretKey() throws PGPException { - PGPSecretKeyRing secretKeyRing = PGPainless.generateKeyRing() + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing secretKeyRing = api.generateKey() .simpleEcKeyRing("alice@wonderland.lit", "heureka!") .getPGPSecretKeyRing(); PGPSecretKey secretKey = secretKeyRing.getSecretKey(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index 8e445d29..f140b8ce 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -14,7 +14,8 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; -import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; @@ -40,13 +41,12 @@ public class KeyRingUtilTest { @Test public void testInjectCertification() throws PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice") - .getPGPSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.generateKey().modernKeyRing("Alice"); // test preconditions - assertFalse(secretKeys.getPublicKey().getUserAttributes().hasNext()); - int sigCount = CollectionUtils.iteratorToList(secretKeys.getPublicKey().getSignatures()).size(); + assertFalse(key.getPrimaryKey().getPGPPublicKey().getUserAttributes().hasNext()); + int sigCount = CollectionUtils.iteratorToList(key.getPrimaryKey().getPGPPublicKey().getSignatures()).size(); // Create "image" byte[] image = new byte[512]; @@ -57,15 +57,15 @@ public class KeyRingUtilTest { // create sig PGPSignatureGenerator sigGen = new PGPSignatureGenerator( - OpenPGPImplementation.getInstance().pgpContentSignerBuilder( - secretKeys.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId() - ), secretKeys.getPublicKey()); + api.getImplementation().pgpContentSignerBuilder( + key.getPrimaryKey().getPGPPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId() + ), key.getPrimaryKey().getPGPPublicKey()); sigGen.init( SignatureType.POSITIVE_CERTIFICATION.getCode(), - UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys())); - PGPSignature signature = sigGen.generateCertification(userAttr, secretKeys.getPublicKey()); + UnlockSecretKey.unlockSecretKey(key.getPrimarySecretKey().getPGPSecretKey(), SecretKeyRingProtector.unprotectedKeys())); + PGPSignature signature = sigGen.generateCertification(userAttr, key.getPrimaryKey().getPGPPublicKey()); // inject sig - secretKeys = KeyRingUtils.injectCertification(secretKeys, userAttr, signature); + PGPSecretKeyRing secretKeys = KeyRingUtils.injectCertification(key.getPGPSecretKeyRing(), userAttr, signature); assertTrue(secretKeys.getPublicKey().getUserAttributes().hasNext()); assertEquals(userAttr, secretKeys.getPublicKey().getUserAttributes().next()); @@ -74,9 +74,9 @@ public class KeyRingUtilTest { @Test public void testKeysPlusPublicKey() { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.generateKey().modernKeyRing("Alice"); + OpenPGPCertificate certificate = key.toCertificate(); PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(KeySpec.getBuilder( KeyType.ECDH(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).build(), @@ -84,10 +84,10 @@ public class KeyRingUtilTest { PGPPublicKey pubkey = keyPair.getPublicKey(); assertFalse(pubkey.isMasterKey()); - PGPSecretKeyRing secretKeysPlus = KeyRingUtils.keysPlusPublicKey(secretKeys, pubkey); + PGPSecretKeyRing secretKeysPlus = KeyRingUtils.keysPlusPublicKey(key.getPGPSecretKeyRing(), pubkey); assertNotNull(secretKeysPlus.getPublicKey(pubkey.getKeyID())); - PGPPublicKeyRing publicKeysPlus = KeyRingUtils.keysPlusPublicKey(publicKeys, pubkey); + PGPPublicKeyRing publicKeysPlus = KeyRingUtils.keysPlusPublicKey(certificate.getPGPPublicKeyRing(), pubkey); assertNotNull(publicKeysPlus.getPublicKey(pubkey.getKeyID())); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java index a2813402..f7fceff2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java @@ -13,8 +13,8 @@ import java.io.IOException; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -149,13 +149,14 @@ public class WeakRSAKeyTest { public void cannotGenerateWeakKeyWithDefaultPolicyTest() { String userId = "Alice "; assertThrows(IllegalArgumentException.class, () -> - PGPainless.generateKeyRing() + PGPainless.getInstance().generateKey() .rsaKeyRing(userId, RsaLength._1024, Passphrase.emptyPassphrase())); } @Test public void cannotSignWithWeakKey() throws IOException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(WEAK_RSA_KEY); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(WEAK_RSA_KEY); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); SigningOptions signingOptions = SigningOptions.get(); @@ -167,14 +168,15 @@ public class WeakRSAKeyTest { @Test public void encryptDecryptRoundTripWithWeakRSAKey() throws IOException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(WEAK_RSA_KEY); - PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey secretKeys = api.readKey().parseKey(WEAK_RSA_KEY); + OpenPGPCertificate publicKeys = secretKeys.toCertificate(); ByteArrayOutputStream encryptOut = new ByteArrayOutputStream(); - EncryptionOptions encryptionOptions = EncryptionOptions.encryptCommunications() + EncryptionOptions encryptionOptions = EncryptionOptions.encryptCommunications(api) .addRecipient(publicKeys); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(encryptOut) .withOptions(ProducerOptions.encrypt(encryptionOptions)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 63ecace6..578094bb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -6,6 +6,7 @@ package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; @@ -21,15 +22,12 @@ import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPOnePassSignature; import org.bouncycastle.openpgp.PGPOnePassSignatureList; -import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.PGPUtil; -import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; @@ -53,20 +51,19 @@ public class OnePassSignatureBracketingTest { @ExtendWith(TestAllImplementations.class) public void onePassSignaturePacketsAndSignaturesAreBracketedTest() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice") - .getPGPSecretKeyRing(); - PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob") - .getPGPSecretKeyRing(); - PGPPublicKeyRing cert1 = PGPainless.extractCertificate(key1); + OpenPGPKey key1 = api.generateKey().modernKeyRing("Alice"); + OpenPGPKey key2 = api.generateKey().modernKeyRing("Bob"); + OpenPGPCertificate cert1 = key1.toCertificate(); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.signAndEncrypt( - EncryptionOptions.encryptCommunications() + EncryptionOptions.encryptCommunications(api) .addRecipient(cert1), - SigningOptions.get() + SigningOptions.get(api) .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), key1, DocumentSignatureType.BINARY_DOCUMENT) .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), key2, DocumentSignatureType.BINARY_DOCUMENT) ).setAsciiArmor(true)); @@ -78,7 +75,7 @@ public class OnePassSignatureBracketingTest { ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(out.toByteArray()); InputStream inputStream = PGPUtil.getDecoderStream(ciphertextIn); - PGPObjectFactory objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(inputStream); + PGPObjectFactory objectFactory = api.getImplementation().pgpObjectFactory(inputStream); PGPOnePassSignatureList onePassSignatures = null; PGPSignatureList signatures = null; @@ -93,11 +90,12 @@ public class OnePassSignatureBracketingTest { for (PGPEncryptedData encryptedData : encryptedDataList) { if (encryptedData instanceof PGPPublicKeyEncryptedData) { PGPPublicKeyEncryptedData publicKeyEncryptedData = (PGPPublicKeyEncryptedData) encryptedData; - PGPSecretKey secretKey = key1.getSecretKey(publicKeyEncryptedData.getKeyID()); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); - PublicKeyDataDecryptorFactory decryptorFactory = OpenPGPImplementation.getInstance().publicKeyDataDecryptorFactory(privateKey); + OpenPGPKey.OpenPGPSecretKey secretKey = key1.getSecretKey(publicKeyEncryptedData.getKeyIdentifier()); + OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); + PublicKeyDataDecryptorFactory decryptorFactory = api.getImplementation() + .publicKeyDataDecryptorFactory(privateKey.getKeyPair().getPrivateKey()); InputStream decryptionStream = publicKeyEncryptedData.getDataStream(decryptorFactory); - objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(decryptionStream); + objectFactory = api.getImplementation().pgpObjectFactory(decryptionStream); continue outerloop; } } @@ -107,7 +105,7 @@ public class OnePassSignatureBracketingTest { } else if (next instanceof PGPCompressedData) { PGPCompressedData compressed = (PGPCompressedData) next; InputStream decompressor = compressed.getDataStream(); - objectFactory = OpenPGPImplementation.getInstance().pgpObjectFactory(decompressor); + objectFactory = api.getImplementation().pgpObjectFactory(decompressor); continue outerloop; } else if (next instanceof PGPLiteralData) { continue outerloop; @@ -131,6 +129,7 @@ public class OnePassSignatureBracketingTest { // eg. (OPS1, OPS2, LiteralData, Sig2, Sig1) PGPOnePassSignature onePassSignature = onePassSignatures.get(i); PGPSignature signature = signatures.get(signatures.size() - 1 - i); + assertTrue(signature.hasKeyIdentifier(onePassSignature.getKeyIdentifier())); assertEquals(onePassSignature.getKeyID(), signature.getKeyID()); byte[] encoded = onePassSignature.getEncoded(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java index 2fdb177f..931c36b7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java @@ -30,7 +30,7 @@ public class ThirdPartyCertificationSignatureBuilderTest { @Test public void testInvalidSignatureTypeThrows() { PGPainless api = PGPainless.getInstance(); - OpenPGPKey secretKeys = PGPainless.generateKeyRing() + OpenPGPKey secretKeys = api.generateKey() .modernKeyRing("Alice"); assertThrows(IllegalArgumentException.class, () -> new ThirdPartyCertificationSignatureBuilder( @@ -43,10 +43,10 @@ public class ThirdPartyCertificationSignatureBuilderTest { @Test public void testUserIdCertification() throws PGPException { PGPainless api = PGPainless.getInstance(); - OpenPGPKey secretKeys = PGPainless.generateKeyRing() + OpenPGPKey secretKeys = api.generateKey() .modernKeyRing("Alice"); - OpenPGPCertificate bobsPublicKeys = PGPainless.generateKeyRing().modernKeyRing("Bob") + OpenPGPCertificate bobsPublicKeys = api.generateKey().modernKeyRing("Bob") .toCertificate(); ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder( @@ -63,7 +63,7 @@ public class ThirdPartyCertificationSignatureBuilderTest { OpenPGPSignature certification = signatureBuilder.build(bobsPublicKeys, "Bob"); PGPSignature signature = certification.getSignature(); - assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(signature.getSignatureType())); + assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.requireFromCode(signature.getSignatureType())); assertTrue(KeyIdentifier.matches(signature.getKeyIdentifiers(), secretKeys.getKeyIdentifier(), true)); assertArrayEquals( secretKeys.getPrimaryKey().getPGPPublicKey().getFingerprint(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java index afa3710c..c71e3fc7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java @@ -35,7 +35,7 @@ public class ThirdPartyDirectKeySignatureBuilderTest { @Test public void testDirectKeySignatureBuilding() throws PGPException { PGPainless api = PGPainless.getInstance(); - OpenPGPKey secretKeys = PGPainless.generateKeyRing() + OpenPGPKey secretKeys = api.generateKey() .modernKeyRing("Alice"); DirectKeySelfSignatureBuilder dsb = new DirectKeySelfSignatureBuilder( @@ -70,7 +70,7 @@ public class ThirdPartyDirectKeySignatureBuilderTest { assertNotNull(signature); assertEquals(directKeySig.getSignature(), signature); - assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(signature.getSignatureType())); + assertEquals(SignatureType.DIRECT_KEY, SignatureType.requireFromCode(signature.getSignatureType())); assertEquals(Collections.singletonList(KeyFlag.CERTIFY_OTHER), SignatureSubpacketsUtil.parseKeyFlags(signature)); assertEquals(Collections.singleton(HashAlgorithm.SHA512), SignatureSubpacketsUtil.parsePreferredHashAlgorithms(signature)); assertEquals(Collections.singleton(CompressionAlgorithm.ZIP), SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signature)); diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java index 37ef1a75..2fbb4f64 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java @@ -17,9 +17,9 @@ public class ArmorTest { @Test public void armor() throws IOException { - byte[] data = PGPainless.generateKeyRing() + PGPainless api = PGPainless.getInstance(); + byte[] data = api.generateKey() .modernKeyRing("Alice") - .getPGPSecretKeyRing() .getEncoded(); byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data) .replace("Version: PGPainless\n", "") // armor command does not add version anymore From 335cf8d1629c6615ba537cd4196160c1bc940ac0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 16:03:01 +0200 Subject: [PATCH 166/265] Improve API for signatures in results --- ...oundTripInlineSignInlineVerifyCmdTest.java | 9 ++--- .../main/kotlin/org/pgpainless/PGPainless.kt | 7 ++-- .../OpenPgpMessageInputStream.kt | 33 +++++++++---------- .../SignatureVerification.kt | 13 +++++--- .../encryption_signing/EncryptionResult.kt | 26 +++++++++++---- .../encryption_signing/EncryptionStream.kt | 5 +-- .../encryption_signing/OpenPGPSignatureSet.kt | 23 +++++++++++++ .../java/org/pgpainless/example/Sign.java | 19 +++++------ .../org/pgpainless/sop/DetachedSignImpl.kt | 6 ++-- 9 files changed, 91 insertions(+), 50 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java index 057cec98..50eeadab 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java @@ -15,8 +15,8 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -350,12 +350,13 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest { @Test public void createMalformedMessage() throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); String msg = "Hello, World!\n"; - PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(KEY_2); + OpenPGPKey key = api.readKey().parseKey(KEY_2); ByteArrayOutputStream ciphertext = new ByteArrayOutputStream(); - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = api.generateMessage() .onOutputStream(ciphertext) - .withOptions(ProducerOptions.sign(SigningOptions.get() + .withOptions(ProducerOptions.sign(SigningOptions.get(api) .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key) ).overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED) .setAsciiArmor(false)); diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index d4892d8a..d8bd8022 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -152,7 +152,9 @@ class PGPainless( */ @JvmStatic @JvmOverloads - @Deprecated("Call buildKey() on an instance of PGPainless instead.") + @Deprecated( + "Call buildKey() on an instance of PGPainless instead.", + replaceWith = ReplaceWith("buildKey(version)")) fun buildKeyRing(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingBuilder = getInstance().buildKey(version) @@ -186,7 +188,8 @@ class PGPainless( * @throws PGPException in case of an error */ @JvmStatic - @Deprecated("Use mergeCertificate() instead.") + @Deprecated( + "Use mergeCertificate() instead.", replaceWith = ReplaceWith("mergeCertificate()")) fun mergeCertificate( originalCopy: PGPPublicKeyRing, updatedCopy: PGPPublicKeyRing diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 68da867f..01456849 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -779,34 +779,37 @@ class OpenPgpMessageInputStream( fun addDetachedSignature(signature: PGPSignature) { val check = initializeSignature(signature) val keyId = signature.issuerKeyId - if (check != null) { + if (check.issuer != null) { detachedSignatures.add(check) } else { LOGGER.debug( "No suitable certificate for verification of signature by key ${keyId.openPgpKeyId()} found.") detachedSignaturesWithMissingCert.add( SignatureVerification.Failure( - signature, null, SignatureValidationException("Missing verification key."))) + check, SignatureValidationException("Missing verification key."))) } } fun addPrependedSignature(signature: PGPSignature) { val check = initializeSignature(signature) val keyId = signature.issuerKeyId - if (check != null) { + if (check.issuer != null) { prependedSignatures.add(check) } else { LOGGER.debug( "No suitable certificate for verification of signature by key ${keyId.openPgpKeyId()} found.") prependedSignaturesWithMissingCert.add( SignatureVerification.Failure( - signature, null, SignatureValidationException("Missing verification key"))) + check, SignatureValidationException("Missing verification key"))) } } - fun initializeSignature(signature: PGPSignature): OpenPGPDocumentSignature? { - val certificate = findCertificate(signature) ?: return null - val publicKey = certificate.getSigningKeyFor(signature) ?: return null + fun initializeSignature(signature: PGPSignature): OpenPGPDocumentSignature { + val certificate = + findCertificate(signature) ?: return OpenPGPDocumentSignature(signature, null) + val publicKey = + certificate.getSigningKeyFor(signature) + ?: return OpenPGPDocumentSignature(signature, null) initialize(signature, publicKey.pgpPublicKey) return OpenPGPDocumentSignature(signature, publicKey) } @@ -845,12 +848,7 @@ class OpenPgpMessageInputStream( val documentSignature = OpenPGPDocumentSignature( signature, check.verificationKeys.getSigningKeyFor(signature)) - val verification = - SignatureVerification( - signature, - SubkeyIdentifier( - check.verificationKeys.pgpPublicKeyRing, - check.onePassSignature.keyIdentifier)) + val verification = SignatureVerification(documentSignature) try { signature.assertCreatedInBounds( @@ -879,7 +877,8 @@ class OpenPgpMessageInputStream( "No suitable certificate for verification of signature by key ${signature.issuerKeyId.openPgpKeyId()} found.") inbandSignaturesWithMissingCert.add( SignatureVerification.Failure( - signature, null, SignatureValidationException("Missing verification key."))) + OpenPGPDocumentSignature(signature, null), + SignatureValidationException("Missing verification key."))) } } @@ -967,8 +966,7 @@ class OpenPgpMessageInputStream( fun finish(layer: Layer) { for (detached in detachedSignatures) { - val verification = - SignatureVerification(detached.signature, SubkeyIdentifier(detached.issuer)) + val verification = SignatureVerification(detached) try { detached.signature.assertCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) @@ -988,8 +986,7 @@ class OpenPgpMessageInputStream( } for (prepended in prependedSignatures) { - val verification = - SignatureVerification(prepended.signature, SubkeyIdentifier(prepended.issuer)) + val verification = SignatureVerification(prepended) try { prepended.signature.assertCreatedInBounds( options.getVerifyNotBefore(), options.getVerifyNotAfter()) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt index 3e00fbb2..c32cdc71 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt @@ -5,6 +5,7 @@ package org.pgpainless.decryption_verification import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.pgpainless.decryption_verification.SignatureVerification.Failure import org.pgpainless.exception.SignatureValidationException import org.pgpainless.key.SubkeyIdentifier @@ -20,7 +21,10 @@ import org.pgpainless.signature.SignatureUtils * @param signingKey [SubkeyIdentifier] of the (sub-) key that is used for signature verification. * Note, that this might be null, e.g. in case of a [Failure] due to missing verification key. */ -data class SignatureVerification(val signature: PGPSignature, val signingKey: SubkeyIdentifier) { +data class SignatureVerification(val documentSignature: OpenPGPDocumentSignature) { + + val signature: PGPSignature = documentSignature.signature + val signingKey: SubkeyIdentifier = SubkeyIdentifier(documentSignature.issuer) override fun toString(): String { return "Signature: ${SignatureUtils.getSignatureDigestPrefix(signature)};" + @@ -36,15 +40,16 @@ data class SignatureVerification(val signature: PGPSignature, val signingKey: Su * @param validationException exception that caused the verification to fail */ data class Failure( - val signature: PGPSignature, - val signingKey: SubkeyIdentifier?, + val documentSignature: OpenPGPDocumentSignature, val validationException: SignatureValidationException ) { + val signature: PGPSignature = documentSignature.signature + val signingKey: SubkeyIdentifier? = documentSignature.issuer?.let { SubkeyIdentifier(it) } constructor( verification: SignatureVerification, validationException: SignatureValidationException - ) : this(verification.signature, verification.signingKey, validationException) + ) : this(verification.documentSignature, validationException) override fun toString(): String { return "Signature: ${SignatureUtils.getSignatureDigestPrefix(signature)}; Key: ${signingKey?.toString() ?: "null"}; Failure: ${validationException.message}" diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt index a969d8c3..626c1de4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt @@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPLiteralData import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm @@ -19,13 +20,25 @@ import org.pgpainless.util.MultiMap data class EncryptionResult( val encryptionAlgorithm: SymmetricKeyAlgorithm, val compressionAlgorithm: CompressionAlgorithm, - val detachedSignatures: MultiMap, + val detachedDocumentSignatures: OpenPGPSignatureSet, val recipients: Set, val fileName: String, val modificationDate: Date, val fileEncoding: StreamEncoding ) { + @Deprecated( + "Use detachedSignatures instead", replaceWith = ReplaceWith("detachedDocumentSignatures")) + // TODO: Remove in 2.1 + val detachedSignatures: MultiMap + get() { + val map = MultiMap() + detachedDocumentSignatures.signatures + .map { SubkeyIdentifier(it.issuer) to it.signature } + .forEach { map.put(it.first, it.second) } + return map + } + /** * Return true, if the message is marked as for-your-eyes-only. This is typically done by * setting the filename "_CONSOLE". @@ -59,7 +72,7 @@ data class EncryptionResult( var _encryptionAlgorithm: SymmetricKeyAlgorithm? = null var _compressionAlgorithm: CompressionAlgorithm? = null - val detachedSignatures: MultiMap = MultiMap() + val detachedSignatures: MutableList = mutableListOf() val recipients: Set = mutableSetOf() private var _fileName = "" private var _modificationDate = Date(0) @@ -85,10 +98,9 @@ data class EncryptionResult( (recipients as MutableSet).add(recipient) } - fun addDetachedSignature( - signingSubkeyIdentifier: SubkeyIdentifier, - detachedSignature: PGPSignature - ) = apply { detachedSignatures.put(signingSubkeyIdentifier, detachedSignature) } + fun addDetachedSignature(signature: OpenPGPDocumentSignature): Builder = apply { + detachedSignatures.add(signature) + } fun build(): EncryptionResult { checkNotNull(_encryptionAlgorithm) { "Encryption algorithm not set." } @@ -97,7 +109,7 @@ data class EncryptionResult( return EncryptionResult( _encryptionAlgorithm!!, _compressionAlgorithm!!, - detachedSignatures, + OpenPGPSignatureSet(detachedSignatures), recipients, _fileName, _modificationDate, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index 67a83093..4c913a62 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -13,11 +13,11 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator import org.bouncycastle.openpgp.PGPEncryptedDataGenerator import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPLiteralDataGenerator +import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.util.ArmoredOutputStreamFactory // 1 << 8 causes wrong partial body length encoding @@ -246,8 +246,9 @@ class EncryptionStream( options.signingOptions.signingMethods.entries.reversed().forEach { (key, method) -> method.signatureGenerator.generate().let { sig -> + val documentSignature = OpenPGPDocumentSignature(sig, key.publicKey) if (method.isDetached) { - resultBuilder.addDetachedSignature(SubkeyIdentifier(key), sig) + resultBuilder.addDetachedSignature(documentSignature) } if (!method.isDetached || options.isCleartextSigned) { sig.encode(signatureLayerStream) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt new file mode 100644 index 00000000..8770b7e3 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt @@ -0,0 +1,23 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.encryption_signing + +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPSignature + +class OpenPGPSignatureSet(val signatures: List) : Iterable { + + fun getSignaturesBy(cert: OpenPGPCertificate): List = + signatures.filter { sig -> sig.signature.keyIdentifiers.any { cert.getKey(it) != null } } + + fun getSignaturesBy(componentKey: OpenPGPCertificate.OpenPGPComponentKey): List = + signatures.filter { sig -> + sig.signature.keyIdentifiers.any { componentKey.keyIdentifier.matches(it) } + } + + override fun iterator(): Iterator { + return signatures.iterator() + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index 8d1320f5..fbef5b40 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -14,9 +14,9 @@ import java.io.InputStream; import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.openpgp.api.OpenPGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -26,7 +26,6 @@ import org.pgpainless.encryption_signing.EncryptionResult; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; -import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.ArmorUtils; @@ -70,7 +69,7 @@ public class Sign { /** * Demonstration of how to create a detached signature for a message. * A detached signature can be distributed alongside the message/file itself. - * + *

* The message/file doesn't need to be altered for detached signature creation. */ @Test @@ -82,9 +81,9 @@ public class Sign { // After signing, you want to distribute the original value of 'message' along with the 'detachedSignature' // from below. ByteArrayOutputStream ignoreMe = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = api.generateMessage() .onOutputStream(ignoreMe) - .withOptions(ProducerOptions.sign(SigningOptions.get() + .withOptions(ProducerOptions.sign(SigningOptions.get(api) .addDetachedSignature(protector, key, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) .setAsciiArmor(false) ); @@ -94,9 +93,9 @@ public class Sign { EncryptionResult result = signingStream.getResult(); - OpenPGPCertificate.OpenPGPComponentKey signingKey = PGPainless.inspectKeyRing(key).getSigningSubkeys().get(0); - PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(signingKey)).iterator().next(); - String detachedSignature = ArmorUtils.toAsciiArmoredString(signature.getEncoded()); + OpenPGPCertificate.OpenPGPComponentKey signingKey = api.inspect(key).getSigningSubkeys().get(0); + OpenPGPSignature.OpenPGPDocumentSignature signature = result.getDetachedDocumentSignatures().getSignaturesBy(signingKey).get(0); + String detachedSignature = ArmorUtils.toAsciiArmoredString(signature.getSignature().getEncoded()); assertTrue(detachedSignature.startsWith("-----BEGIN PGP SIGNATURE-----")); @@ -126,9 +125,9 @@ public class Sign { "limitations under the License."; InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = api.generateMessage() .onOutputStream(signedOut) - .withOptions(ProducerOptions.sign(SigningOptions.get() + .withOptions(ProducerOptions.sign(SigningOptions.get(api) .addDetachedSignature(protector, key, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) // Human-readable text document .setCleartextSigned() // <- Explicitly use Cleartext Signature Framework!!! ); diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt index 54c61aae..e23ca1c3 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedSignImpl.kt @@ -73,16 +73,16 @@ class DetachedSignImpl(private val api: PGPainless) : DetachedSign { // forget passphrases protector.clear() - val signatures = result.detachedSignatures.map { it.value }.flatten() + val signatures = result.detachedDocumentSignatures val out = if (armor) ArmoredOutputStreamFactory.get(outputStream) else outputStream - signatures.forEach { it.encode(out) } + signatures.forEach { it.signature.encode(out) } out.close() outputStream.close() return SigningResult.builder() - .setMicAlg(micAlgFromSignatures(signatures)) + .setMicAlg(micAlgFromSignatures(signatures.map { it.signature })) .build() } } From cb7c27751a1f8a8094c34209ce287a4e5d3f8d6b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 16:19:24 +0200 Subject: [PATCH 167/265] Port EncryptDecryptTest --- .../EncryptDecryptTest.java | 95 +++++++++---------- 1 file changed, 46 insertions(+), 49 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 6561368d..1ecf856f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -19,9 +19,9 @@ import java.util.Set; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; @@ -37,7 +37,6 @@ import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.util.ArmoredOutputStreamFactory; import org.pgpainless.util.TestAllImplementations; @@ -60,12 +59,10 @@ public class EncryptDecryptTest { public void freshKeysRsaToRsaTest() throws PGPException, IOException { PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing sender = api.generateKey().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) - .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = api.generateKey().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) - .getPGPSecretKeyRing(); + OpenPGPKey sender = api.generateKey().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); + OpenPGPKey recipient = api.generateKey().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); - encryptDecryptForSecretKeyRings(sender, recipient); + encryptDecryptForSecretKeyRings(api, sender, recipient); } @TestTemplate @@ -73,12 +70,10 @@ public class EncryptDecryptTest { public void freshKeysEcToEcTest() throws IOException, PGPException { PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing sender = api.generateKey().simpleEcKeyRing("romeo@montague.lit") - .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = api.generateKey().simpleEcKeyRing("juliet@capulet.lit") - .getPGPSecretKeyRing(); + OpenPGPKey sender = api.generateKey().simpleEcKeyRing("romeo@montague.lit"); + OpenPGPKey recipient = api.generateKey().simpleEcKeyRing("juliet@capulet.lit"); - encryptDecryptForSecretKeyRings(sender, recipient); + encryptDecryptForSecretKeyRings(api, sender, recipient); } @TestTemplate @@ -86,12 +81,10 @@ public class EncryptDecryptTest { public void freshKeysEcToRsaTest() throws PGPException, IOException { PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing sender = api.generateKey().simpleEcKeyRing("romeo@montague.lit") - .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = api.generateKey().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072) - .getPGPSecretKeyRing(); + OpenPGPKey sender = api.generateKey().simpleEcKeyRing("romeo@montague.lit"); + OpenPGPKey recipient = api.generateKey().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); - encryptDecryptForSecretKeyRings(sender, recipient); + encryptDecryptForSecretKeyRings(api, sender, recipient); } @TestTemplate @@ -99,28 +92,27 @@ public class EncryptDecryptTest { public void freshKeysRsaToEcTest() throws PGPException, IOException { PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing sender = api.generateKey().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072) - .getPGPSecretKeyRing(); - PGPSecretKeyRing recipient = api.generateKey().simpleEcKeyRing("juliet@capulet.lit") - .getPGPSecretKeyRing(); + OpenPGPKey sender = api.generateKey().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); + OpenPGPKey recipient = api.generateKey().simpleEcKeyRing("juliet@capulet.lit"); - encryptDecryptForSecretKeyRings(sender, recipient); + encryptDecryptForSecretKeyRings(api, sender, recipient); } @TestTemplate @ExtendWith(TestAllImplementations.class) public void existingRsaKeysTest() throws IOException, PGPException { - PGPSecretKeyRing sender = TestKeys.getJulietSecretKeyRing(); - PGPSecretKeyRing recipient = TestKeys.getRomeoSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey sender = TestKeys.getJulietKey(); + OpenPGPKey recipient = TestKeys.getRomeoKey(); - encryptDecryptForSecretKeyRings(sender, recipient); + encryptDecryptForSecretKeyRings(api, sender, recipient); } - private void encryptDecryptForSecretKeyRings(PGPSecretKeyRing senderSec, PGPSecretKeyRing recipientSec) + private void encryptDecryptForSecretKeyRings(PGPainless api, OpenPGPKey senderSec, OpenPGPKey recipientSec) throws PGPException, IOException { - PGPPublicKeyRing recipientPub = KeyRingUtils.publicKeyRingFrom(recipientSec); - PGPPublicKeyRing senderPub = KeyRingUtils.publicKeyRingFrom(senderSec); + OpenPGPCertificate recipientPub = recipientSec.toCertificate(); + OpenPGPCertificate senderPub = senderSec.toCertificate(); SecretKeyRingProtector keyDecryptor = new UnprotectedKeysProtector(); @@ -128,11 +120,13 @@ public class EncryptDecryptTest { ByteArrayOutputStream envelope = new ByteArrayOutputStream(); - EncryptionStream encryptor = PGPainless.encryptAndOrSign() + EncryptionStream encryptor = api.generateMessage() .onOutputStream(envelope) .withOptions(ProducerOptions.signAndEncrypt( - EncryptionOptions.encryptCommunications().addRecipient(recipientPub), - SigningOptions.get().addInlineSignature(keyDecryptor, senderSec, DocumentSignatureType.BINARY_DOCUMENT) + EncryptionOptions.encryptCommunications(api) + .addRecipient(recipientPub), + SigningOptions.get(api) + .addInlineSignature(keyDecryptor, senderSec, DocumentSignatureType.BINARY_DOCUMENT) )); Streams.pipeAll(new ByteArrayInputStream(secretMessage), encryptor); @@ -143,7 +137,7 @@ public class EncryptDecryptTest { assertFalse(encryptionResult.getRecipients().isEmpty()); for (SubkeyIdentifier encryptionKey : encryptionResult.getRecipients()) { - assertNotNull(recipientPub.getPublicKey(encryptionKey.getKeyIdentifier())); + assertNotNull(recipientPub.getKey(encryptionKey.getKeyIdentifier())); } assertEquals(SymmetricKeyAlgorithm.AES_256, encryptionResult.getEncryptionAlgorithm()); @@ -153,7 +147,7 @@ public class EncryptDecryptTest { ByteArrayInputStream envelopeIn = new ByteArrayInputStream(encryptedSecretMessage); DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(envelopeIn) - .withOptions(ConsumerOptions.get() + .withOptions(ConsumerOptions.get(api) .addDecryptionKey(recipientSec, keyDecryptor) .addVerificationCert(senderPub) ); @@ -173,22 +167,24 @@ public class EncryptDecryptTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testDetachedSignatureCreationAndVerification() throws IOException, PGPException { - - PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey signingKeys = TestKeys.getJulietKey(); SecretKeyRingProtector keyRingProtector = new UnprotectedKeysProtector(); byte[] data = testMessage.getBytes(); ByteArrayInputStream inputStream = new ByteArrayInputStream(data); ByteArrayOutputStream dummyOut = new ByteArrayOutputStream(); - EncryptionStream signer = PGPainless.encryptAndOrSign().onOutputStream(dummyOut) + EncryptionStream signer = api.generateMessage().onOutputStream(dummyOut) .withOptions(ProducerOptions.sign( - SigningOptions.get().addDetachedSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) + SigningOptions.get(api) + .addDetachedSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) )); Streams.pipeAll(inputStream, signer); signer.close(); EncryptionResult metadata = signer.getResult(); - Set signatureSet = metadata.getDetachedSignatures().get(metadata.getDetachedSignatures().keySet().iterator().next()); + Set signatureSet = metadata.getDetachedSignatures() + .get(metadata.getDetachedSignatures().keySet().iterator().next()); ByteArrayOutputStream sigOut = new ByteArrayOutputStream(); ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(sigOut); signatureSet.iterator().next().encode(armorOut); @@ -202,9 +198,9 @@ public class EncryptDecryptTest { inputStream = new ByteArrayInputStream(testMessage.getBytes()); DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(inputStream) - .withOptions(ConsumerOptions.get() + .withOptions(ConsumerOptions.get(api) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(armorSig.getBytes())) - .addVerificationCert(KeyRingUtils.publicKeyRingFrom(signingKeys)) + .addVerificationCert(signingKeys.toCertificate()) ); dummyOut = new ByteArrayOutputStream(); @@ -218,14 +214,15 @@ public class EncryptDecryptTest { @TestTemplate @ExtendWith(TestAllImplementations.class) public void testOnePassSignatureCreationAndVerification() throws IOException, PGPException { - PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); + PGPainless api = PGPainless.getInstance(); + OpenPGPKey signingKeys = TestKeys.getJulietKey(); SecretKeyRingProtector keyRingProtector = new UnprotectedKeysProtector(); byte[] data = testMessage.getBytes(); ByteArrayInputStream inputStream = new ByteArrayInputStream(data); ByteArrayOutputStream signOut = new ByteArrayOutputStream(); - EncryptionStream signer = PGPainless.encryptAndOrSign().onOutputStream(signOut) + EncryptionStream signer = api.generateMessage().onOutputStream(signOut) .withOptions(ProducerOptions.sign( - SigningOptions.get() + SigningOptions.get(api) .addInlineSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) ).setAsciiArmor(true)); Streams.pipeAll(inputStream, signer); @@ -234,8 +231,8 @@ public class EncryptDecryptTest { inputStream = new ByteArrayInputStream(signOut.toByteArray()); DecryptionStream verifier = PGPainless.decryptAndOrVerify() .onInputStream(inputStream) - .withOptions(ConsumerOptions.get() - .addVerificationCert(KeyRingUtils.publicKeyRingFrom(signingKeys)) + .withOptions(ConsumerOptions.get(api) + .addVerificationCert(signingKeys.toCertificate()) ); signOut = new ByteArrayOutputStream(); Streams.pipeAll(verifier, signOut); @@ -302,11 +299,11 @@ public class EncryptDecryptTest { "Ks2WqI282/DM+Lq/GCSd2nXtS3/KwErTFiF1uHi/N3TwdWA=\n" + "=j1TE\n" + "-----END PGP PUBLIC KEY BLOCK-----\n"; - - PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); + PGPainless api = PGPainless.getInstance(); + OpenPGPCertificate publicKeys = api.readKey().parseCertificate(key); assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> - EncryptionOptions.encryptCommunications() + EncryptionOptions.encryptCommunications(api) .addRecipient(publicKeys)); } } From a973e84d83626ab9b4b5e856eefac80e428c824e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 16:25:10 +0200 Subject: [PATCH 168/265] Port DecryptOrVerify example --- .../pgpainless/example/DecryptOrVerify.java | 21 ++++++------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java index a7e9cb5a..779c7b20 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java @@ -66,7 +66,7 @@ public class DecryptOrVerify { /** * Protector to unlock the secret key. * Since the key is not protected, it is enough to use an unprotectedKeys implementation. - * + *

* For more info on how to use the {@link SecretKeyRingProtector}, see {@link UnlockSecretKeys}. */ private static final SecretKeyRingProtector keyProtector = SecretKeyRingProtector.unprotectedKeys(); @@ -149,9 +149,6 @@ public class DecryptOrVerify { /** * This example demonstrates how to decrypt an encrypted message using a secret key. - * - * @throws PGPException - * @throws IOException */ @Test public void decryptMessage() throws PGPException, IOException { @@ -182,9 +179,6 @@ public class DecryptOrVerify { /** * In this example, an encrypted and signed message is processed. * The message gets decrypted using the secret key and the signatures are verified using the certificate. - * - * @throws PGPException - * @throws IOException */ @Test public void decryptMessageAndVerifySignatures() throws PGPException, IOException { @@ -215,8 +209,6 @@ public class DecryptOrVerify { /** * In this example, signed messages are verified. * The example shows that verification of inband signed, and cleartext signed messages works the same. - * @throws PGPException - * @throws IOException */ @Test public void verifySignatures() throws PGPException, IOException { @@ -245,11 +237,10 @@ public class DecryptOrVerify { /** * This example shows how to create - and verify - cleartext signed messages. - * @throws PGPException - * @throws IOException */ @Test public void createAndVerifyCleartextSignedMessage() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); // In this example we sign and verify a number of different messages one after the other for (String msg : new String[] {"Hello World!", "- Hello - World -", "Hello, World!\n", "Hello\nWorld!"}) { // we need to read the plaintext message from somewhere @@ -257,14 +248,14 @@ public class DecryptOrVerify { // and write the signed message to an output stream ByteArrayOutputStream out = new ByteArrayOutputStream(); - SigningOptions signingOptions = SigningOptions.get(); + SigningOptions signingOptions = SigningOptions.get(api); // for cleartext signed messages, we need to add a detached signature... - signingOptions.addDetachedSignature(keyProtector, secretKey.getPGPSecretKeyRing(), DocumentSignatureType.CANONICAL_TEXT_DOCUMENT); + signingOptions.addDetachedSignature(keyProtector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT); ProducerOptions producerOptions = ProducerOptions.sign(signingOptions) .setCleartextSigned(); // and declare that the message will be cleartext signed // Create the signing stream - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = api.generateMessage() .onOutputStream(out) // on the output stream .withOptions(producerOptions); // with the options @@ -281,7 +272,7 @@ public class DecryptOrVerify { // and pass it to the decryption stream DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(signedIn) - .withOptions(ConsumerOptions.get().addVerificationCert(certificate)); + .withOptions(ConsumerOptions.get(api).addVerificationCert(certificate)); // plain will receive the plaintext message ByteArrayOutputStream plain = new ByteArrayOutputStream(); From dad4e2858099d04efd82d24d0f97ab56bfa10cf6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 16:27:39 +0200 Subject: [PATCH 169/265] Port Encrypt example --- .../java/org/pgpainless/example/Encrypt.java | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index bcf30e83..e7e5e115 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -127,14 +127,15 @@ public class Encrypt { /** * In this example, Alice is sending a signed and encrypted message to Bob. * She signs the message using her key and then encrypts the message to both bobs certificate and her own. - * + *

* Bob subsequently decrypts the message using his key and verifies that the message was signed by Alice using * her certificate. */ @Test public void encryptAndSignMessage() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); // Prepare keys - OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKeyReader reader = api.readKey(); OpenPGPKey keyAlice = reader.parseKey(ALICE_KEY); OpenPGPCertificate certificateAlice = reader.parseCertificate(ALICE_CERT); SecretKeyRingProtector protectorAlice = SecretKeyRingProtector.unprotectedKeys(); @@ -147,14 +148,14 @@ public class Encrypt { String message = "Hello, World!\n"; ByteArrayOutputStream ciphertext = new ByteArrayOutputStream(); // Encrypt and sign - EncryptionStream encryptor = PGPainless.encryptAndOrSign() + EncryptionStream encryptor = api.generateMessage() .onOutputStream(ciphertext) .withOptions(ProducerOptions.signAndEncrypt( // we want to encrypt communication (affects key selection based on key flags) - EncryptionOptions.encryptCommunications() + EncryptionOptions.encryptCommunications(api) .addRecipient(certificateBob) .addRecipient(certificateAlice), - SigningOptions.get() + SigningOptions.get(api) .addInlineSignature(protectorAlice, keyAlice, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) ).setAsciiArmor(true) ); @@ -167,7 +168,7 @@ public class Encrypt { // Decrypt and verify signatures DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8))) - .withOptions(ConsumerOptions.get() + .withOptions(ConsumerOptions.get(api) .addDecryptionKey(keyBob, protectorBob) .addVerificationCert(certificateAlice) ); @@ -190,13 +191,14 @@ public class Encrypt { */ @Test public void encryptUsingPassphrase() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); String message = "Hello, World!"; ByteArrayOutputStream ciphertext = new ByteArrayOutputStream(); // Encrypt - EncryptionStream encryptor = PGPainless.encryptAndOrSign() + EncryptionStream encryptor = api.generateMessage() .onOutputStream(ciphertext) .withOptions(ProducerOptions - .encrypt(EncryptionOptions.encryptCommunications() + .encrypt(EncryptionOptions.encryptCommunications(api) .addMessagePassphrase(Passphrase.fromPassword("p4ssphr4s3")) ).setAsciiArmor(true) ); @@ -209,7 +211,7 @@ public class Encrypt { // Decrypt DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(asciiCiphertext.getBytes(StandardCharsets.UTF_8))) - .withOptions(ConsumerOptions.get().addMessagePassphrase(Passphrase.fromPassword("p4ssphr4s3"))); + .withOptions(ConsumerOptions.get(api).addMessagePassphrase(Passphrase.fromPassword("p4ssphr4s3"))); ByteArrayOutputStream plaintext = new ByteArrayOutputStream(); Streams.pipeAll(decryptor, plaintext); @@ -223,13 +225,14 @@ public class Encrypt { * In this example, Alice is sending a signed and encrypted message to Bob. * She encrypts the message to both bobs certificate and her own. * A multiline comment header is added using the fluent ProducerOption syntax. - * + *

* Bob subsequently decrypts the message using his key. */ @Test public void encryptWithCommentHeader() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); // Prepare keys - OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKeyReader reader = api.readKey(); OpenPGPCertificate certificateAlice = reader.parseCertificate(ALICE_CERT); OpenPGPKey keyBob = reader.parseKey(BOB_KEY); @@ -247,11 +250,11 @@ public class Encrypt { String comment = comments[0] + "\n" + comments[1] + "\n" + comments[2] + "\n" + comments[3]; ByteArrayOutputStream ciphertext = new ByteArrayOutputStream(); // Encrypt and sign - EncryptionStream encryptor = PGPainless.encryptAndOrSign() + EncryptionStream encryptor = api.generateMessage() .onOutputStream(ciphertext) .withOptions(ProducerOptions.encrypt( // we want to encrypt communication (affects key selection based on key flags) - EncryptionOptions.encryptCommunications() + EncryptionOptions.encryptCommunications(api) .addRecipient(certificateBob) .addRecipient(certificateAlice) ).setAsciiArmor(true) @@ -273,7 +276,7 @@ public class Encrypt { // Decrypt and verify signatures DecryptionStream decryptor = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8))) - .withOptions(ConsumerOptions.get() + .withOptions(ConsumerOptions.get(api) .addDecryptionKey(keyBob, protectorBob) .addVerificationCert(certificateAlice) ); From ec86391d03f9dac9ec6729377b2a81fb8d6748d8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 7 Apr 2025 16:30:27 +0200 Subject: [PATCH 170/265] Port ReadKeys example --- .../test/java/org/pgpainless/example/ReadKeys.java | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java index e6d529c4..bf67086c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java @@ -24,6 +24,7 @@ public class ReadKeys { */ @Test public void readCertificate() throws IOException { + PGPainless api = PGPainless.getInstance(); String certificate = "" + "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "Comment: Alice's OpenPGP certificate\n" + @@ -40,9 +41,9 @@ public class ReadKeys { "=iIGO\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - OpenPGPCertificate publicKey = PGPainless.getInstance().readKey().parseCertificate(certificate); + OpenPGPCertificate publicKey = api.readKey().parseCertificate(certificate); - KeyRingInfo keyInfo = PGPainless.inspectKeyRing(publicKey); + KeyRingInfo keyInfo = api.inspect(publicKey); OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); assertEquals(fingerprint, keyInfo.getFingerprint()); assertEquals("Alice Lovelace ", keyInfo.getPrimaryUserId()); @@ -53,6 +54,7 @@ public class ReadKeys { */ @Test public void readSecretKey() throws IOException { + PGPainless api = PGPainless.getInstance(); String key = "\n" + "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Alice's OpenPGP Transferable Secret Key\n" + @@ -71,9 +73,9 @@ public class ReadKeys { "=n8OM\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - OpenPGPKey secretKey = PGPainless.getInstance().readKey().parseKey(key); + OpenPGPKey secretKey = api.readKey().parseKey(key); - KeyRingInfo keyInfo = PGPainless.inspectKeyRing(secretKey); + KeyRingInfo keyInfo = api.inspect(secretKey); OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); assertEquals(fingerprint, keyInfo.getFingerprint()); assertEquals("Alice Lovelace ", keyInfo.getPrimaryUserId()); @@ -87,6 +89,7 @@ public class ReadKeys { */ @Test public void readKeyRingCollection() throws IOException { + PGPainless api = PGPainless.getInstance(); String certificateCollection = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "Comment: Alice's OpenPGP certificate\n" + "\n" + @@ -145,7 +148,7 @@ public class ReadKeys { "=NXei\n" + "-----END PGP PUBLIC KEY BLOCK-----"; - List collection = PGPainless.getInstance().readKey().parseKeysOrCertificates(certificateCollection); + List collection = api.readKey().parseKeysOrCertificates(certificateCollection); assertEquals(2, collection.size()); } } From f42f60b97072a132ee71d1f1a57b3079726a3de5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 13:15:47 +0200 Subject: [PATCH 171/265] Remove unused test --- .../key/BouncycastleExportSubkeys.java | 118 ------------------ 1 file changed, 118 deletions(-) delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java deleted file mode 100644 index 9836e077..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java +++ /dev/null @@ -1,118 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.key; - -import java.security.InvalidAlgorithmParameterException; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.Provider; -import java.util.Date; - -import org.bouncycastle.bcpg.CompressionAlgorithmTags; -import org.bouncycastle.bcpg.HashAlgorithmTags; -import org.bouncycastle.bcpg.PublicKeyAlgorithmTags; -import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags; -import org.bouncycastle.bcpg.sig.Features; -import org.bouncycastle.bcpg.sig.KeyFlags; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec; -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPKeyPair; -import org.bouncycastle.openpgp.PGPKeyRingGenerator; -import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; -import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; -import org.bouncycastle.openpgp.operator.PGPDigestCalculator; -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder; -import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair; -import org.junit.jupiter.api.Test; - -public class BouncycastleExportSubkeys { - - @Test - public void testExportImport() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException { - Provider provider = new BouncyCastleProvider(); - KeyPairGenerator generator; - KeyPair pair; - - // Generate master key - - generator = KeyPairGenerator.getInstance("ECDSA", provider); - generator.initialize(new ECNamedCurveGenParameterSpec("P-256")); - - pair = generator.generateKeyPair(); - PGPKeyPair pgpMasterKey = new JcaPGPKeyPair(PublicKeyAlgorithmTags.ECDSA, pair, new Date()); - - PGPSignatureSubpacketGenerator subPackets = new PGPSignatureSubpacketGenerator(); - subPackets.setKeyFlags(false, KeyFlags.AUTHENTICATION & KeyFlags.CERTIFY_OTHER & KeyFlags.SIGN_DATA); - subPackets.setPreferredCompressionAlgorithms(false, new int[] { - SymmetricKeyAlgorithmTags.AES_256, - SymmetricKeyAlgorithmTags.AES_128, - SymmetricKeyAlgorithmTags.AES_128}); - subPackets.setPreferredHashAlgorithms(false, new int[] { - HashAlgorithmTags.SHA512, - HashAlgorithmTags.SHA384, - HashAlgorithmTags.SHA256, - HashAlgorithmTags.SHA224}); - subPackets.setPreferredCompressionAlgorithms(false, new int[] { - CompressionAlgorithmTags.ZLIB, - CompressionAlgorithmTags.BZIP2, - CompressionAlgorithmTags.ZIP, - CompressionAlgorithmTags.UNCOMPRESSED}); - subPackets.setFeature(false, Features.FEATURE_MODIFICATION_DETECTION); - - // Generate sub key - - generator = KeyPairGenerator.getInstance("ECDH", provider); - generator.initialize(new ECNamedCurveGenParameterSpec("P-256")); - - pair = generator.generateKeyPair(); - PGPKeyPair pgpSubKey = new JcaPGPKeyPair(PublicKeyAlgorithmTags.ECDH, pair, new Date()); - - // Assemble key - - PGPDigestCalculator calculator = new JcaPGPDigestCalculatorProviderBuilder() - .setProvider(provider) - .build() - .get(HashAlgorithmTags.SHA1); - - PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder( - pgpMasterKey.getPublicKey().getAlgorithm(), HashAlgorithmTags.SHA512) - .setProvider(provider); - - PGPKeyRingGenerator pgpGenerator = new PGPKeyRingGenerator(PGPSignature.POSITIVE_CERTIFICATION, - pgpMasterKey, "alice@wonderland.lit", calculator, subPackets.generate(), null, - signerBuilder, null); - - // Add sub key - - subPackets.setKeyFlags(false, KeyFlags.ENCRYPT_STORAGE & KeyFlags.ENCRYPT_COMMS); - - pgpGenerator.addSubKey(pgpSubKey, subPackets.generate(), null); - - // Generate SecretKeyRing - - PGPSecretKeyRing secretKeys = pgpGenerator.generateSecretKeyRing(); - PGPPublicKeyRing publicKeys = pgpGenerator.generatePublicKeyRing(); - - // Test - - /* - ByteArrayOutputStream outputStream = new ByteArrayOutputStream(2048); - outputStream.write(secretKeys.getEncoded()); - - PGPPublicKeyRing publicKeys = new PGPPublicKeyRing(outputStream.toByteArray(), new BcKeyFingerprintCalculator()); - - Iterator iterator = secretKeys.getPublicKeys(); - while (iterator.hasNext()) { - assertNotNull(publicKeys.getPublicKey(iterator.next().getKeyID())); - } - */ - } -} From 8819ba0201c0fa307ab994098fea4e0072f083de Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 13:21:11 +0200 Subject: [PATCH 172/265] HardwareSecurity: Replace usage of Long KeyId with KeyIdentifier --- .../HardwareSecurity.kt | 27 ++++++++++++++++++- ...stomPublicKeyDataDecryptorFactoryTest.java | 5 ++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt index 50ef3e02..b6e2bd17 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt @@ -6,6 +6,7 @@ package org.pgpainless.decryption_verification import kotlin.jvm.Throws import org.bouncycastle.bcpg.AEADEncDataPacket +import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPSessionKey @@ -33,12 +34,36 @@ class HardwareSecurity { * @return decrypted session key * @throws HardwareSecurityException exception */ + @Deprecated("Pass in a KeyIdentifier instead of a Long keyId.") @Throws(HardwareSecurityException::class) fun decryptSessionKey( keyId: Long, keyAlgorithm: Int, sessionKeyData: ByteArray, pkeskVersion: Int + ): ByteArray = + decryptSessionKey(KeyIdentifier(keyId), keyAlgorithm, sessionKeyData, pkeskVersion) + + /** + * Delegate decryption of a Public-Key-Encrypted-Session-Key (PKESK) to an external API for + * dealing with hardware security modules such as smartcards or TPMs. + * + * If decryption fails for some reason, a subclass of the [HardwareSecurityException] is + * thrown. + * + * @param keyIdentifier identifier of the encryption component key + * @param keyAlgorithm algorithm + * @param sessionKeyData encrypted session key + * @param pkeskVersion version of the Public-Key-Encrypted-Session-Key packet (3 or 6) + * @return decrypted session key + * @throws HardwareSecurityException exception + */ + @Throws(HardwareSecurityException::class) + fun decryptSessionKey( + keyIdentifier: KeyIdentifier, + keyAlgorithm: Int, + sessionKeyData: ByteArray, + pkeskVersion: Int ): ByteArray } @@ -84,7 +109,7 @@ class HardwareSecurity { ): ByteArray { return try { callback.decryptSessionKey( - subkeyIdentifier.subkeyId, keyAlgorithm, secKeyData[0], pkeskVersion) + subkeyIdentifier.keyIdentifier, keyAlgorithm, secKeyData[0], pkeskVersion) } catch (e: HardwareSecurityException) { throw PGPException("Hardware-backed decryption failed.", e) } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java index 947b6980..9ce1f5d6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java @@ -4,6 +4,7 @@ package org.pgpainless.decryption_verification; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; @@ -52,11 +53,11 @@ public class CustomPublicKeyDataDecryptorFactoryTest { HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = new HardwareSecurity.DecryptionCallback() { @Override - public byte[] decryptSessionKey(long keyId, int keyAlgorithm, byte[] sessionKeyData, int pkeskVersion) + public byte[] decryptSessionKey(KeyIdentifier keyIdentifier, int keyAlgorithm, byte[] sessionKeyData, int pkeskVersion) throws HardwareSecurity.HardwareSecurityException { // Emulate hardware decryption. try { - OpenPGPKey.OpenPGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyIdentifier()); + OpenPGPKey.OpenPGPSecretKey decryptionKey = secretKey.getSecretKey(keyIdentifier); OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, Passphrase.emptyPassphrase()); PublicKeyDataDecryptorFactory internal = new BcPublicKeyDataDecryptorFactory(privateKey.getKeyPair().getPrivateKey()); return internal.recoverSessionData(keyAlgorithm, new byte[][] {sessionKeyData}, pkeskVersion); From 5829b755edd5161e2aedd0de9f546d7561fe5545 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 13:24:46 +0200 Subject: [PATCH 173/265] SOP-Java: These go to 11 --- .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 18 +++++++++++++++--- version.gradle | 1 + 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index 2c393901..0c01c561 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -8,6 +8,7 @@ import org.pgpainless.PGPainless import sop.SOP import sop.SOPV import sop.operation.Armor +import sop.operation.CertifyUserId import sop.operation.ChangeKeyPassword import sop.operation.Dearmor import sop.operation.Decrypt @@ -20,7 +21,10 @@ import sop.operation.InlineDetach import sop.operation.InlineSign import sop.operation.InlineVerify import sop.operation.ListProfiles +import sop.operation.MergeCerts import sop.operation.RevokeKey +import sop.operation.UpdateKey +import sop.operation.ValidateUserId import sop.operation.Version class SOPImpl( @@ -32,6 +36,8 @@ class SOPImpl( override fun armor(): Armor = ArmorImpl(api) + override fun certifyUserId(): CertifyUserId? = null + override fun changeKeyPassword(): ChangeKeyPassword = ChangeKeyPasswordImpl(api) override fun dearmor(): Dearmor = DearmorImpl(api) @@ -40,7 +46,7 @@ class SOPImpl( override fun detachedSign(): DetachedSign = DetachedSignImpl(api) - override fun detachedVerify(): DetachedVerify = sopv.detachedVerify() + override fun detachedVerify(): DetachedVerify = sopv.detachedVerify()!! override fun encrypt(): Encrypt = EncryptImpl(api) @@ -52,11 +58,17 @@ class SOPImpl( override fun inlineSign(): InlineSign = InlineSignImpl(api) - override fun inlineVerify(): InlineVerify = sopv.inlineVerify() + override fun inlineVerify(): InlineVerify = sopv.inlineVerify()!! override fun listProfiles(): ListProfiles = ListProfilesImpl(api) + override fun mergeCerts(): MergeCerts? = null + override fun revokeKey(): RevokeKey = RevokeKeyImpl(api) - override fun version(): Version = sopv.version() + override fun updateKey(): UpdateKey? = null + + override fun validateUserId(): ValidateUserId? = null + + override fun version(): Version = sopv.version()!! } diff --git a/version.gradle b/version.gradle index 5cf20738..ca32ed04 100644 --- a/version.gradle +++ b/version.gradle @@ -14,5 +14,6 @@ allprojects { mockitoVersion = '4.5.1' slf4jVersion = '1.7.36' sopJavaVersion = '10.1.1' + sopJavaVersion = '11.0.0-SNAPSHOT' } } From f4cac6d20c46704cba60c03b8aec99feb75143ad Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 15:42:16 +0200 Subject: [PATCH 174/265] Implement SOPs certify-userid command --- .../org/pgpainless/sop/CertifyUserIdImpl.kt | 86 +++++++++++++++++++ .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 2 +- 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt new file mode 100644 index 00000000..4b07237b --- /dev/null +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt @@ -0,0 +1,86 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.sop + +import java.io.InputStream +import java.io.OutputStream +import org.bouncycastle.bcpg.PacketFormat +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.PGPainless +import org.pgpainless.exception.KeyException.UnboundUserIdException +import org.pgpainless.key.OpenPgpFingerprint +import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.Passphrase +import sop.Ready +import sop.operation.CertifyUserId + +class CertifyUserIdImpl(private val api: PGPainless) : CertifyUserId { + + private var armor: Boolean = true + private val keys: MutableList = mutableListOf() + private var requireSelfSig = true + private val userIds: MutableSet = mutableSetOf() + private var protector: MatchMakingSecretKeyRingProtector = MatchMakingSecretKeyRingProtector() + + override fun certs(certs: InputStream): Ready { + return object : Ready() { + override fun writeTo(outputStream: OutputStream) { + val out = + if (armor) { + ArmoredOutputStreamFactory.get(outputStream) + } else outputStream + + api.readKey() + .parseCertificates(certs) + .onEach { cert -> + if (requireSelfSig) { + // Check for non-bound user-ids + userIds + .find { cert.getUserId(it)?.isBound != true } + ?.let { + throw UnboundUserIdException( + OpenPgpFingerprint.Companion.of(cert), it, null, null) + } + } + } + .forEach { cert -> + var certificate = cert + keys.forEach { key -> + userIds.forEach { userId -> + certificate = + api.generateCertification() + .certifyUserId(userId, certificate) + .withKey(key, protector) + .build() + .certifiedCertificate + } + } + + out.write(certificate.getEncoded(PacketFormat.CURRENT)) + } + + out.close() + if (armor) { + // armored output stream does not close inner stream + outputStream.close() + } + } + } + } + + override fun keys(keys: InputStream): CertifyUserId = apply { + this.keys.addAll(api.readKey().parseKeys(keys).onEach { protector.addSecretKey(it) }) + } + + override fun noArmor(): CertifyUserId = apply { armor = false } + + override fun noRequireSelfSig(): CertifyUserId = apply { requireSelfSig = false } + + override fun userId(userId: String): CertifyUserId = apply { this.userIds.add(userId) } + + override fun withKeyPassword(password: ByteArray): CertifyUserId = apply { + protector.addPassphrase(Passphrase.fromPassword(String(password))) + } +} diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index 0c01c561..95f5d93a 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -36,7 +36,7 @@ class SOPImpl( override fun armor(): Armor = ArmorImpl(api) - override fun certifyUserId(): CertifyUserId? = null + override fun certifyUserId(): CertifyUserId = CertifyUserIdImpl(api) override fun changeKeyPassword(): ChangeKeyPassword = ChangeKeyPasswordImpl(api) From 6c0ffcb007f39afe9f84bb2a75c6a75a8b2df1ce Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 16:10:38 +0200 Subject: [PATCH 175/265] Implement SOPs validate-userid command --- .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 2 +- .../org/pgpainless/sop/ValidateUserIdImpl.kt | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index 95f5d93a..4ad6bb26 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -68,7 +68,7 @@ class SOPImpl( override fun updateKey(): UpdateKey? = null - override fun validateUserId(): ValidateUserId? = null + override fun validateUserId(): ValidateUserId = ValidateUserIdImpl(api) override fun version(): Version = sopv.version()!! } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt new file mode 100644 index 00000000..35123109 --- /dev/null +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt @@ -0,0 +1,38 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.sop + +import java.io.InputStream +import java.util.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.pgpainless.PGPainless +import sop.operation.ValidateUserId + +class ValidateUserIdImpl(private val api: PGPainless) : ValidateUserId { + + private var addSpecOnly = false + private var userId: String? = null + private val authorities: MutableList = mutableListOf() + private var validateAt: Date = Date() + + override fun addrSpecOnly(): ValidateUserId = apply { addSpecOnly = true } + + override fun authorities(certs: InputStream): ValidateUserId = apply { + authorities.addAll(api.readKey().parseCertificates(certs)) + } + + override fun subjects(certs: InputStream): Boolean { + requireNotNull(userId) { "Missing parameter USERID" } + return api.readKey().parseCertificates(certs).all { cert -> + authorities.all { authority -> + cert.getUserId(userId)?.getCertificationBy(authority, validateAt)?.isValid == true + } + } + } + + override fun userId(userId: String): ValidateUserId = apply { this.userId = userId } + + override fun validateAt(date: Date): ValidateUserId = apply { validateAt = date } +} From 334147c840647264951b57b40d7882304c703c04 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 17:07:16 +0200 Subject: [PATCH 176/265] Add PublicKeyAlgorithmPolicy based on rfc9580 --- .../kotlin/org/pgpainless/policy/Policy.kt | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 233600c7..46dab518 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -31,7 +31,7 @@ class Policy( SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022(), SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022(), CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(), - PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(), + PublicKeyAlgorithmPolicy.rfc9580PublicKeyAlgorithmPolicy(), KeyRingProtectionSettings.secureDefaultSettings(), NotationRegistry(), AlgorithmSuite.defaultAlgorithmSuite) @@ -334,8 +334,7 @@ class Policy( companion object { /** - * Return PGPainless' default public key algorithm policy. This policy is based upon - * recommendations made by the German Federal Office for Information Security (BSI). + * Return PGPainless' default public key algorithm policy. * * @return default algorithm policy * @deprecated not expressive - might be removed in a future release @@ -343,8 +342,8 @@ class Policy( @JvmStatic @Deprecated( "not expressive - might be removed in a future release", - ReplaceWith("bsi2021PublicKeyAlgorithmPolicy()")) - fun defaultPublicKeyAlgorithmPolicy() = bsi2021PublicKeyAlgorithmPolicy() + ReplaceWith("rfc9580PublicKeyAlgorithmPolicy()")) + fun defaultPublicKeyAlgorithmPolicy() = rfc9580PublicKeyAlgorithmPolicy() /** * This policy is based upon recommendations made by the German Federal Office for @@ -391,6 +390,24 @@ class Policy( put(PublicKeyAlgorithm.X448, 448) put(PublicKeyAlgorithm.ED448, 456) }) + + /** Public Key Algorithm Policy based upon recommendations from RFC9580. */ + fun rfc9580PublicKeyAlgorithmPolicy(): PublicKeyAlgorithmPolicy = + PublicKeyAlgorithmPolicy( + buildMap { + // https://www.rfc-editor.org/rfc/rfc9580.html#section-12.4 + put(PublicKeyAlgorithm.RSA_GENERAL, 2000) + // https://www.rfc-editor.org/rfc/rfc9580.html#name-ecc-curves-for-openpgp + put(PublicKeyAlgorithm.EDDSA_LEGACY, 250) + // https://www.rfc-editor.org/rfc/rfc9580.html#name-ecc-curves-for-openpgp + put(PublicKeyAlgorithm.ECDH, 250) + put(PublicKeyAlgorithm.ECDSA, 250) + // https://www.rfc-editor.org/rfc/rfc9580.html#name-eddsa + put(PublicKeyAlgorithm.X25519, 256) + put(PublicKeyAlgorithm.ED25519, 256) + put(PublicKeyAlgorithm.X448, 448) + put(PublicKeyAlgorithm.ED448, 456) + }) } } From 2d379f6fc805190aa20810d59c4e2a715ad5dc29 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 8 Apr 2025 17:22:27 +0200 Subject: [PATCH 177/265] Update SOP version in VersionImpl --- .../src/main/kotlin/org/pgpainless/sop/VersionImpl.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt index b43ef9b9..6f16fc52 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt @@ -16,7 +16,7 @@ import sop.operation.Version class VersionImpl(private val api: PGPainless) : Version { companion object { - const val SOP_VERSION = 10 + const val SOP_VERSION = 11 const val SOPV_VERSION = "1.0" } @@ -24,7 +24,7 @@ class VersionImpl(private val api: PGPainless) : Version { override fun getExtendedVersion(): String { val bcVersion = - String.format(Locale.US, "Bouncy Castle %.2f", BouncyCastleProvider().version) + String.format(Locale.US, "Bouncy Castle %.2f", BouncyCastleProvider().versionStr.toDouble()) val specVersion = String.format("%02d", SOP_VERSION) return """${getName()} ${getVersion()} https://codeberg.org/PGPainless/pgpainless/src/branch/main/pgpainless-sop From b2d8935fc85bbb1129bf495e4e36a3c2b1b8109d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 12:26:58 +0200 Subject: [PATCH 178/265] SOP: Implement merge-certs subcommand --- .../org/pgpainless/sop/MergeCertsImpl.kt | 72 +++++++++++++++++++ .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 2 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt new file mode 100644 index 00000000..346fee84 --- /dev/null +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt @@ -0,0 +1,72 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.sop + +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.bcpg.PacketFormat +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.pgpainless.PGPainless +import org.pgpainless.util.ArmoredOutputStreamFactory +import sop.Ready +import sop.operation.MergeCerts +import java.io.InputStream +import java.io.OutputStream + +class MergeCertsImpl(private val api: PGPainless) : MergeCerts { + + private var armor = true + private val baseCerts: MutableMap = mutableMapOf() + private val updateCerts: MutableList = mutableListOf() + + // from standard input + override fun baseCertificates(certs: InputStream): Ready { + return object : Ready() { + override fun writeTo(outputStream: OutputStream) { + val certList = api.readKey().parseCertificates(certs) + for (cert in certList) { + if (!baseCerts.contains(cert.keyIdentifier)) { + baseCerts[cert.keyIdentifier] = cert + } else { + val baseCert = baseCerts[cert.keyIdentifier]!! + baseCerts[cert.keyIdentifier] = api.mergeCertificate(baseCert, cert) + } + } + + for (update in updateCerts) { + if (baseCerts[update.keyIdentifier] == null) { + continue + } + + val baseCert = baseCerts[update.keyIdentifier]!! + baseCerts[update.keyIdentifier] = api.mergeCertificate(baseCert, update) + } + + val out = if (armor) { + ArmoredOutputStreamFactory.get(outputStream) + } else { + outputStream + } + + for (merged in baseCerts.values) { + out.write(merged.getEncoded(PacketFormat.CURRENT)) + } + + if (armor) { + out.close() + } + outputStream.close() + } + } + } + + override fun noArmor(): MergeCerts = apply { + armor = false + } + + // from command line + override fun updates(updateCerts: InputStream): MergeCerts = apply { + this.updateCerts.addAll(api.readKey().parseCertificates(updateCerts)) + } +} diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index 4ad6bb26..c3ee703c 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -62,7 +62,7 @@ class SOPImpl( override fun listProfiles(): ListProfiles = ListProfilesImpl(api) - override fun mergeCerts(): MergeCerts? = null + override fun mergeCerts(): MergeCerts = MergeCertsImpl(api) override fun revokeKey(): RevokeKey = RevokeKeyImpl(api) From 151e0232c08c7c76aacfdf45faf99d5eb025e0ae Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 12:29:37 +0200 Subject: [PATCH 179/265] Add comments --- .../src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt index 346fee84..3f8a7731 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt @@ -24,8 +24,10 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { override fun baseCertificates(certs: InputStream): Ready { return object : Ready() { override fun writeTo(outputStream: OutputStream) { - val certList = api.readKey().parseCertificates(certs) - for (cert in certList) { + val baseCertsList = api.readKey().parseCertificates(certs) + + // Index and merge base certs + for (cert in baseCertsList) { if (!baseCerts.contains(cert.keyIdentifier)) { baseCerts[cert.keyIdentifier] = cert } else { @@ -34,8 +36,10 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { } } + // Merge updates with base certs for (update in updateCerts) { if (baseCerts[update.keyIdentifier] == null) { + // skip updates with missing base certs continue } @@ -49,6 +53,7 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { outputStream } + // emit merged and updated base certs for (merged in baseCerts.values) { out.write(merged.getEncoded(PacketFormat.CURRENT)) } From 2c11a141d7882b0784a0e0ab705cf8cde616d4cd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 13:12:45 +0200 Subject: [PATCH 180/265] Fix checkstyle issues --- .../org/pgpainless/sop/MergeCertsImpl.kt | 19 +++++++++---------- .../kotlin/org/pgpainless/sop/VersionImpl.kt | 3 ++- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt index 3f8a7731..d0997041 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt @@ -4,6 +4,8 @@ package org.pgpainless.sop +import java.io.InputStream +import java.io.OutputStream import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.api.OpenPGPCertificate @@ -11,8 +13,6 @@ import org.pgpainless.PGPainless import org.pgpainless.util.ArmoredOutputStreamFactory import sop.Ready import sop.operation.MergeCerts -import java.io.InputStream -import java.io.OutputStream class MergeCertsImpl(private val api: PGPainless) : MergeCerts { @@ -47,11 +47,12 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { baseCerts[update.keyIdentifier] = api.mergeCertificate(baseCert, update) } - val out = if (armor) { - ArmoredOutputStreamFactory.get(outputStream) - } else { - outputStream - } + val out = + if (armor) { + ArmoredOutputStreamFactory.get(outputStream) + } else { + outputStream + } // emit merged and updated base certs for (merged in baseCerts.values) { @@ -66,9 +67,7 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { } } - override fun noArmor(): MergeCerts = apply { - armor = false - } + override fun noArmor(): MergeCerts = apply { armor = false } // from command line override fun updates(updateCerts: InputStream): MergeCerts = apply { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt index 6f16fc52..5aa405ad 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt @@ -24,7 +24,8 @@ class VersionImpl(private val api: PGPainless) : Version { override fun getExtendedVersion(): String { val bcVersion = - String.format(Locale.US, "Bouncy Castle %.2f", BouncyCastleProvider().versionStr.toDouble()) + String.format( + Locale.US, "Bouncy Castle %.2f", BouncyCastleProvider().versionStr.toDouble()) val specVersion = String.format("%02d", SOP_VERSION) return """${getName()} ${getVersion()} https://codeberg.org/PGPainless/pgpainless/src/branch/main/pgpainless-sop From 7d4c6a06b083cc7b50eb2fcf893afcbdf09b977b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 13:24:19 +0200 Subject: [PATCH 181/265] Set relaxed PK policies for tests with weak DSA keys --- .../sop/CarolKeySignEncryptRoundtripTest.java | 15 +++++++++++++ .../PGPainlessEncryptDecryptTest.java | 22 +++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java index 83778106..9f25497d 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java @@ -9,6 +9,8 @@ import static org.junit.jupiter.api.Assertions.assertArrayEquals; import java.io.IOException; import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.policy.Policy; import sop.ByteArrayAndResult; import sop.DecryptionResult; import sop.EncryptionResult; @@ -275,6 +277,17 @@ public class CarolKeySignEncryptRoundtripTest { @Test public void regressionTest() throws IOException { + // PGPainless default API is strict + PGPainless strictAPI = PGPainless.getInstance(); + PGPainless relaxedAPI = new PGPainless( + strictAPI.getImplementation(), + // BSI policy allows DSA + strictAPI.getAlgorithmPolicy().copy() + .withPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()) + .build() + ); + PGPainless.setInstance(relaxedAPI); + SOPImpl sop = new SOPImpl(); byte[] msg = "Hello, World!\n".getBytes(); ReadyWithResult encryption = sop.encrypt() @@ -294,5 +307,7 @@ public class CarolKeySignEncryptRoundtripTest { VerificationListAssert.assertThatVerificationList(decryption.getResult().getVerifications()) .hasSingleItem() .issuedBy("71FFDA004409E5DDB0C3E8F19BA789DC76D6849A", "71FFDA004409E5DDB0C3E8F19BA789DC76D6849A"); + + PGPainless.setInstance(strictAPI); } } diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java index b6264d3a..00fa3acc 100644 --- a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java @@ -4,8 +4,30 @@ package sop.testsuite.pgpainless.operation; +import org.pgpainless.PGPainless; +import org.pgpainless.policy.Policy; +import sop.SOP; import sop.testsuite.operation.EncryptDecryptTest; +import java.io.IOException; + public class PGPainlessEncryptDecryptTest extends EncryptDecryptTest { + @Override + public void encryptDecryptRoundTripCarolTest(SOP sop) throws IOException { + // Carols key is DSA, which is rejected by PGPainless default policy now. + // Therefore, we need to set a relaxed PGPainless API instance, allowing DSA keys. + PGPainless strictAPI = PGPainless.getInstance(); + PGPainless relaxedAPI = new PGPainless( + strictAPI.getImplementation(), + strictAPI.getAlgorithmPolicy().copy() + .withPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()) + .build()); + PGPainless.setInstance(relaxedAPI); + + super.encryptDecryptRoundTripCarolTest(sop); + + PGPainless.setInstance(strictAPI); + } + } From c60512a26de31fce1ec38a86e024245e7f9eac2a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 13:51:52 +0200 Subject: [PATCH 182/265] Certify-UserId: Throw proper exception on unbound user-id --- .../main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt index 4b07237b..498ed3d7 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt @@ -9,11 +9,10 @@ import java.io.OutputStream import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless -import org.pgpainless.exception.KeyException.UnboundUserIdException -import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.util.ArmoredOutputStreamFactory import org.pgpainless.util.Passphrase import sop.Ready +import sop.exception.SOPGPException import sop.operation.CertifyUserId class CertifyUserIdImpl(private val api: PGPainless) : CertifyUserId { @@ -39,10 +38,7 @@ class CertifyUserIdImpl(private val api: PGPainless) : CertifyUserId { // Check for non-bound user-ids userIds .find { cert.getUserId(it)?.isBound != true } - ?.let { - throw UnboundUserIdException( - OpenPgpFingerprint.Companion.of(cert), it, null, null) - } + ?.let { throw SOPGPException.CertUserIdNoMatch(cert.fingerprint) } } } .forEach { cert -> From 7a3673516277cee0a85aa36ce7f7d93e4e9bc7dd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 13:52:13 +0200 Subject: [PATCH 183/265] Add PGPainlessCertifyValidateUserIdTest --- .../PGPainlessCertifyValidateUserIdTest.java | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessCertifyValidateUserIdTest.java diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessCertifyValidateUserIdTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessCertifyValidateUserIdTest.java new file mode 100644 index 00000000..77bd0226 --- /dev/null +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessCertifyValidateUserIdTest.java @@ -0,0 +1,11 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package sop.testsuite.pgpainless.operation; + +import sop.testsuite.operation.CertifyValidateUserIdTest; + +public class PGPainlessCertifyValidateUserIdTest extends CertifyValidateUserIdTest { + +} From 1fca2dcb13b2c4879a9ec8bcfad9c6e5550762ab Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 15:26:59 +0200 Subject: [PATCH 184/265] SOP certify-userid: Properly throw KeyCannotCertify exception --- .../org/pgpainless/sop/CertifyUserIdImpl.kt | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt index 498ed3d7..4ab85803 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt @@ -9,6 +9,7 @@ import java.io.OutputStream import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless +import org.pgpainless.exception.KeyException import org.pgpainless.util.ArmoredOutputStreamFactory import org.pgpainless.util.Passphrase import sop.Ready @@ -45,12 +46,16 @@ class CertifyUserIdImpl(private val api: PGPainless) : CertifyUserId { var certificate = cert keys.forEach { key -> userIds.forEach { userId -> - certificate = - api.generateCertification() - .certifyUserId(userId, certificate) - .withKey(key, protector) - .build() - .certifiedCertificate + try { + certificate = + api.generateCertification() + .certifyUserId(userId, certificate) + .withKey(key, protector) + .build() + .certifiedCertificate + } catch (e: KeyException) { + throw SOPGPException.KeyCannotCertify(e) + } } } From 239057cbdfe564ff56d7eaa98068bbf28c638ce8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 10 Apr 2025 15:28:06 +0200 Subject: [PATCH 185/265] Implement crude update-key command (only merges certs for now) --- .../main/kotlin/org/pgpainless/sop/SOPImpl.kt | 2 +- .../org/pgpainless/sop/UpdateKeyImpl.kt | 84 +++++++++++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index c3ee703c..d2d3bf35 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -66,7 +66,7 @@ class SOPImpl( override fun revokeKey(): RevokeKey = RevokeKeyImpl(api) - override fun updateKey(): UpdateKey? = null + override fun updateKey(): UpdateKey = UpdateKeyImpl(api) override fun validateUserId(): ValidateUserId = ValidateUserIdImpl(api) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt new file mode 100644 index 00000000..28f4a296 --- /dev/null +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt @@ -0,0 +1,84 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: CC0-1.0 + +package org.pgpainless.sop + +import java.io.InputStream +import java.io.OutputStream +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.bcpg.PacketFormat +import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.PGPainless +import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.Passphrase +import sop.Ready +import sop.operation.UpdateKey + +class UpdateKeyImpl(private val api: PGPainless) : UpdateKey { + + private var armor = true + private var addCapabilities = true + private var signingOnly = false + private val protector: MatchMakingSecretKeyRingProtector = MatchMakingSecretKeyRingProtector() + + private val mergeCerts: MutableMap = mutableMapOf() + + override fun key(key: InputStream): Ready { + return object : Ready() { + override fun writeTo(outputStream: OutputStream) { + val out = + if (armor) { + ArmoredOutputStreamFactory.get(outputStream) + } else { + outputStream + } + + val keyList = api.readKey().parseKeys(key) + for (k in keyList) { + val updatedKey: OpenPGPKey = + if (mergeCerts[k.keyIdentifier] == null) { + k + } else { + val updatedCert: OpenPGPCertificate = + api.mergeCertificate( + k.toCertificate(), mergeCerts[k.keyIdentifier]!!) + api.toKey( + PGPSecretKeyRing.replacePublicKeys( + k.pgpSecretKeyRing, updatedCert.pgpPublicKeyRing)) + } + out.write(updatedKey.getEncoded(PacketFormat.CURRENT)) + } + + if (armor) { + out.close() + } + outputStream.close() + } + } + } + + override fun mergeCerts(certs: InputStream): UpdateKey = apply { + val certList = api.readKey().parseCertificates(certs) + for (cert in certList) { + if (mergeCerts[cert.keyIdentifier] == null) { + mergeCerts[cert.keyIdentifier] = cert + } else { + val existing = mergeCerts[cert.keyIdentifier]!! + mergeCerts[cert.keyIdentifier] = api.mergeCertificate(existing, cert) + } + } + } + + override fun noAddedCapabilities(): UpdateKey = apply { addCapabilities = false } + + override fun noArmor(): UpdateKey = apply { armor = false } + + override fun signingOnly(): UpdateKey = apply { signingOnly = true } + + override fun withKeyPassword(password: ByteArray): UpdateKey = apply { + protector.addPassphrase(Passphrase.fromPassword(String(password))) + } +} From 90dce46b8d768244e4258e64783087bc70eba7e7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 14 Apr 2025 11:11:32 +0200 Subject: [PATCH 186/265] Remove duplicate line in build.gradle --- build.gradle | 1 - 1 file changed, 1 deletion(-) diff --git a/build.gradle b/build.gradle index 93100f4d..f91af07f 100644 --- a/build.gradle +++ b/build.gradle @@ -37,7 +37,6 @@ allprojects { // without this we would generate an empty pgpainless.jar for the project root // https://stackoverflow.com/a/25445035 jar { - reproducibleFileOrder = true onlyIf { !sourceSets.main.allSource.files.isEmpty() } } From 661d4977eb1bb36b4f8d19f3242a10430623e6f5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 14 Apr 2025 11:11:47 +0200 Subject: [PATCH 187/265] Raise kotlin lib version --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index f91af07f..38b21d5f 100644 --- a/build.gradle +++ b/build.gradle @@ -18,7 +18,7 @@ buildscript { } plugins { - id 'org.jetbrains.kotlin.jvm' version "1.8.10" + id 'org.jetbrains.kotlin.jvm' version "1.9.21" id 'com.diffplug.spotless' version '6.22.0' apply false } From 9ba39045a7c7bf361712fdc8146fc13b71203de6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 28 Apr 2025 10:40:49 +0200 Subject: [PATCH 188/265] Update README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 65281607..2e3fa03e 100644 --- a/README.md +++ b/README.md @@ -217,10 +217,10 @@ which contains the bug you are fixing. That way we can update older revisions of Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part of the project. ## Acknowledgements -Development on PGPainless is generously sponsored by [FlowCrypt.com](https://flowcrypt.com). Thank you very very very much! +In the past, development on PGPainless has been generously sponsored by [FlowCrypt.com](https://flowcrypt.com). Thank you very very very much! [![FlowCrypt Logo](https://blog.jabberhead.tk/wp-content/uploads/2022/05/flowcrypt-logo.svg)](https://flowcrypt.com) -Parts of PGPainless development ([project page](https://nlnet.nl/project/PGPainless/)) will be funded by [NGI Assure](https://nlnet.nl/assure/) through [NLNet](https://nlnet.nl). +Parts of PGPainless development ([project page](https://nlnet.nl/project/PGPainless/)) has been funded by [NGI Assure](https://nlnet.nl/assure/) through [NLNet](https://nlnet.nl). NGI Assure is made possible with financial support from the [European Commission](https://ec.europa.eu/)'s [Next Generation Internet](https://ngi.eu/) programme, under the aegis of [DG Communications Networks, Content and Technology](https://ec.europa.eu/info/departments/communications-networks-content-and-technology_en). [![NGI Assure Logo](https://blog.jabberhead.tk/wp-content/uploads/2022/05/NGIAssure_tag.svg)](https://nlnet.nl/assure/) From 3f6d4755e0dfbc78ff46a8b2eb8d5dca0a0162aa Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 30 Apr 2025 15:57:22 +0200 Subject: [PATCH 189/265] Add BUILD.md --- BUILD.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 BUILD.md diff --git a/BUILD.md b/BUILD.md new file mode 100644 index 00000000..8c4f4e6c --- /dev/null +++ b/BUILD.md @@ -0,0 +1,22 @@ + + +# Build PGPainless + +There are a number of different artifacts that can be built from the PGPainless source code: + +## `pgpainless-cli/build/libs/pgpainless-cli-X.Y.Z-all.jar` + +This is a fat jar, built using the Shadow plugin. +It bundles all necessary dependencies required by the CLI application at runtime. +This artifact will be produced by the `gradle shadowJar` task, which is run as part of the `gradle assemble` task. + +## `pgpainless-cli/build/native/nativeCompile/pgpainless-cli` + +This is a native image, that can be built using GraalVM which compared to the executable jar file above +offers greatly improved performance by skipping the JVM startup overhead. + +To build this image, you need to run `gradle nativeCompile` using a GraalVM-enabled Java SDK. From ef9fed28449af41736adbc720e3e3171955a25c8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 30 Apr 2025 15:57:54 +0200 Subject: [PATCH 190/265] Expose encryption mechanism during decryption --- .../MessageMetadata.kt | 23 +++++- .../OpenPgpMessageInputStream.kt | 82 ++++++++++++++----- .../MessageMetadataTest.java | 5 +- .../EncryptDecryptTest.java | 81 ++++++++++++++++++ 4 files changed, 167 insertions(+), 24 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index 3a62bc72..d36159ee 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -9,6 +9,7 @@ import javax.annotation.Nonnull import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPLiteralData +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding @@ -32,22 +33,34 @@ class MessageMetadata(val message: Message) { * The [SymmetricKeyAlgorithm] of the outermost encrypted data packet, or null if message is * unencrypted. */ + @Deprecated("Deprecated in favor of encryptionMechanism", + replaceWith = ReplaceWith("encryptionMechanism") + ) val encryptionAlgorithm: SymmetricKeyAlgorithm? get() = encryptionAlgorithms.let { if (it.hasNext()) it.next() else null } + val encryptionMechanism: MessageEncryptionMechanism? + get() = encryptionMechanisms.let { if (it.hasNext()) it.next() else null } + /** * [Iterator] of each [SymmetricKeyAlgorithm] encountered in the message. The first item * returned by the iterator is the algorithm of the outermost encrypted data packet, the next * item that of the next nested encrypted data packet and so on. The iterator might also be * empty, in case of an unencrypted message. */ + @Deprecated("Deprecated in favor of encryptionMechanisms", + replaceWith = ReplaceWith("encryptionMechanisms") + ) val encryptionAlgorithms: Iterator get() = encryptionLayers.asSequence().map { it.algorithm }.iterator() + val encryptionMechanisms: Iterator + get() = encryptionLayers.asSequence().map { it.mechanism }.iterator() + val isEncrypted: Boolean get() = - if (encryptionAlgorithm == null) false - else encryptionAlgorithm != SymmetricKeyAlgorithm.NULL + if (encryptionMechanism == null) false + else encryptionMechanism!!.symmetricKeyAlgorithm != SymmetricKeyAlgorithm.NULL.algorithmId fun isEncryptedFor(cert: OpenPGPCertificate): Boolean { return encryptionLayers.asSequence().any { @@ -472,7 +485,8 @@ class MessageMetadata(val message: Message) { * @param algorithm symmetric key algorithm used to encrypt the packet. * @param depth nesting depth at which this packet was encountered. */ - class EncryptedData(val algorithm: SymmetricKeyAlgorithm, depth: Int) : Layer(depth), Nested { + class EncryptedData(val mechanism: MessageEncryptionMechanism, depth: Int) : + Layer(depth), Nested { /** [SessionKey] used to decrypt the packet. */ var sessionKey: SessionKey? = null @@ -480,6 +494,9 @@ class MessageMetadata(val message: Message) { /** List of all recipient key ids to which the packet was encrypted for. */ val recipients: List = mutableListOf() + val algorithm: SymmetricKeyAlgorithm = + SymmetricKeyAlgorithm.requireFromId(mechanism.symmetricKeyAlgorithm) + fun addRecipients(keyIds: List) = apply { (recipients as MutableList).addAll(keyIds) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 01456849..a7f1cb22 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -11,9 +11,11 @@ import java.io.OutputStream import java.util.zip.Inflater import java.util.zip.InflaterInputStream import openpgp.openPgpKeyId +import org.bouncycastle.bcpg.AEADEncDataPacket import org.bouncycastle.bcpg.BCPGInputStream import org.bouncycastle.bcpg.CompressionAlgorithmTags import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket import org.bouncycastle.bcpg.UnsupportedPacketVersionException import org.bouncycastle.openpgp.PGPCompressedData import org.bouncycastle.openpgp.PGPEncryptedData @@ -27,6 +29,8 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData import org.bouncycastle.openpgp.PGPSessionKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPSignatureException +import org.bouncycastle.openpgp.api.EncryptedDataPacketType +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey @@ -318,20 +322,38 @@ class OpenPgpMessageInputStream( } private fun processEncryptedData(): Boolean { - LOGGER.debug( - "Symmetrically Encrypted Data Packet at depth ${layerMetadata.depth} encountered.") + // TODO: Replace by dedicated encryption packet type input symbols syntaxVerifier.next(InputSymbol.ENCRYPTED_DATA) + val encDataList = packetInputStream!!.readEncryptedDataList() - if (!encDataList.isIntegrityProtected && !encDataList.get(0).isAEAD) { - LOGGER.warn("Symmetrically Encrypted Data Packet is not integrity-protected.") - if (!options.isIgnoreMDCErrors()) { - throw MessageNotIntegrityProtectedException() + val esks = ESKsAndData(encDataList) + + when (EncryptedDataPacketType.of(encDataList)!!) { + EncryptedDataPacketType.SEIPDv2 -> + LOGGER.debug( + "Symmetrically Encrypted Integrity Protected Data Packet version 2 at depth " + + "${layerMetadata.depth} encountered.") + EncryptedDataPacketType.SEIPDv1 -> + LOGGER.debug( + "Symmetrically Encrypted Integrity Protected Data Packet version 1 at depth " + + "${layerMetadata.depth} encountered.") + EncryptedDataPacketType.LIBREPGP_OED -> + LOGGER.debug( + "LibrePGP OCB-Encrypted Data Packet at depth " + + "${layerMetadata.depth} encountered.") + EncryptedDataPacketType.SED -> { + LOGGER.debug( + "(Deprecated) Symmetrically Encrypted Data Packet at depth " + + "${layerMetadata.depth} encountered.") + LOGGER.warn("Symmetrically Encrypted Data Packet is not integrity-protected.") + if (!options.isIgnoreMDCErrors()) { + throw MessageNotIntegrityProtectedException() + } } } - val esks = SortedESKs(encDataList) LOGGER.debug( - "Symmetrically Encrypted Integrity-Protected Data has ${esks.skesks.size} SKESK(s) and" + + "Encrypted Data has ${esks.skesks.size} SKESK(s) and" + " ${esks.pkesks.size + esks.anonPkesks.size} PKESK(s) from which ${esks.anonPkesks.size} PKESK(s)" + " have an anonymous recipient.") @@ -359,7 +381,7 @@ class OpenPgpMessageInputStream( val pgpSk = PGPSessionKey(sk.algorithm.algorithmId, sk.key) val decryptorFactory = api.implementation.sessionKeyDataDecryptorFactory(pgpSk) - val layer = EncryptedData(sk.algorithm, layerMetadata.depth + 1) + val layer = esks.toEncryptedData(sk, layerMetadata.depth + 1) val skEncData = encDataList.extractSessionKeyEncryptedData() try { val decrypted = skEncData.getDataStream(decryptorFactory) @@ -506,7 +528,7 @@ class OpenPgpMessageInputStream( } private fun decryptWithPrivateKey( - esks: SortedESKs, + esks: ESKsAndData, privateKey: PGPKeyPair, decryptionKeyId: SubkeyIdentifier, pkesk: PGPPublicKeyEncryptedData @@ -529,7 +551,7 @@ class OpenPgpMessageInputStream( } private fun decryptSKESKAndStream( - esks: SortedESKs, + esks: ESKsAndData, skesk: PGPPBEEncryptedData, decryptorFactory: PBEDataDecryptorFactory ): Boolean { @@ -537,7 +559,7 @@ class OpenPgpMessageInputStream( val decrypted = skesk.getDataStream(decryptorFactory) val sessionKey = SessionKey(skesk.getSessionKey(decryptorFactory)) throwIfUnacceptable(sessionKey.algorithm) - val encryptedData = EncryptedData(sessionKey.algorithm, layerMetadata.depth + 1) + val encryptedData = esks.toEncryptedData(sessionKey, layerMetadata.depth + 1) encryptedData.sessionKey = sessionKey encryptedData.addRecipients(esks.pkesks.map { it.keyIdentifier }) LOGGER.debug("Successfully decrypted data with passphrase") @@ -555,7 +577,7 @@ class OpenPgpMessageInputStream( } private fun decryptPKESKAndStream( - esks: SortedESKs, + esks: ESKsAndData, decryptionKeyId: SubkeyIdentifier, decryptorFactory: PublicKeyDataDecryptorFactory, pkesk: PGPPublicKeyEncryptedData @@ -565,11 +587,7 @@ class OpenPgpMessageInputStream( val sessionKey = SessionKey(pkesk.getSessionKey(decryptorFactory)) throwIfUnacceptable(sessionKey.algorithm) - val encryptedData = - EncryptedData( - SymmetricKeyAlgorithm.requireFromId( - pkesk.getSymmetricAlgorithm(decryptorFactory)), - layerMetadata.depth + 1) + val encryptedData = esks.toEncryptedData(sessionKey, layerMetadata.depth) encryptedData.decryptionKey = decryptionKeyId encryptedData.sessionKey = sessionKey encryptedData.addRecipients(esks.pkesks.plus(esks.anonPkesks).map { it.keyIdentifier }) @@ -730,7 +748,32 @@ class OpenPgpMessageInputStream( } } - private class SortedESKs(esks: PGPEncryptedDataList) { + private class ESKsAndData(private val esks: PGPEncryptedDataList) { + fun toEncryptedData(sk: SessionKey, depth: Int): EncryptedData { + return when (EncryptedDataPacketType.of(esks)!!) { + EncryptedDataPacketType.SED -> + EncryptedData( + MessageEncryptionMechanism.legacyEncryptedNonIntegrityProtected( + sk.algorithm.algorithmId), + depth) + EncryptedDataPacketType.SEIPDv1 -> + EncryptedData( + MessageEncryptionMechanism.integrityProtected(sk.algorithm.algorithmId), + depth) + EncryptedDataPacketType.SEIPDv2 -> { + val seipd2 = esks.encryptedData as SymmetricEncIntegrityPacket + EncryptedData( + MessageEncryptionMechanism.aead( + seipd2.cipherAlgorithm, seipd2.aeadAlgorithm), + depth) + } + EncryptedDataPacketType.LIBREPGP_OED -> { + val oed = esks.encryptedData as AEADEncDataPacket + EncryptedData(MessageEncryptionMechanism.librePgp(oed.algorithm.toInt()), depth) + } + }.also { it.sessionKey = sk } + } + val skesks: List val pkesks: List val anonPkesks: List @@ -739,6 +782,7 @@ class OpenPgpMessageInputStream( skesks = mutableListOf() pkesks = mutableListOf() anonPkesks = mutableListOf() + for (esk in esks) { if (esk is PGPPBEEncryptedData) { skesks.add(esk) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java index 7c443829..dfbbe7b6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java @@ -4,6 +4,7 @@ package org.pgpainless.decryption_verification; +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -29,8 +30,8 @@ public class MessageMetadataTest { MessageMetadata.Message message = new MessageMetadata.Message(); MessageMetadata.CompressedData compressedData = new MessageMetadata.CompressedData(CompressionAlgorithm.ZIP, message.getDepth() + 1); - MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_128, compressedData.getDepth() + 1); - MessageMetadata.EncryptedData encryptedData1 = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_256, encryptedData.getDepth() + 1); + MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_128.getAlgorithmId()), compressedData.getDepth() + 1); + MessageMetadata.EncryptedData encryptedData1 = new MessageMetadata.EncryptedData(MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_256.getAlgorithmId()), encryptedData.getDepth() + 1); MessageMetadata.LiteralData literalData = new MessageMetadata.LiteralData(); message.setChild(compressedData); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 1ecf856f..8f8b2b67 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -15,18 +15,25 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.util.Set; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.AEADAlgorithm; +import org.pgpainless.algorithm.AEADCipherMode; import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -34,7 +41,11 @@ import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.KeyException; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; +import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.ArmoredOutputStreamFactory; @@ -306,4 +317,74 @@ public class EncryptDecryptTest { EncryptionOptions.encryptCommunications(api) .addRecipient(publicKeys)); } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncryptToOnlyV4CertWithOnlySEIPD1Feature() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + OpenPGPKey v4Key = api.buildKey(OpenPGPKeyVersion.v4) + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192) + .overrideFeatures(Feature.MODIFICATION_DETECTION)) // the key only supports SEIPD1 + .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) + .build(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage().onOutputStream(bOut) + .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() + .addRecipient(v4Key.toCertificate()))); + eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); + eOut.close(); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + DecryptionStream dIn = PGPainless.decryptAndOrVerify() + .onInputStream(bIn) + .withOptions(ConsumerOptions.get().addDecryptionKey(v4Key)); + + bOut = new ByteArrayOutputStream(); + Streams.pipeAll(dIn, bOut); + dIn.close(); + + assertEquals(testMessage, bOut.toString()); + MessageMetadata metadata = dIn.getMetadata(); + MessageEncryptionMechanism encryptionMechanism = metadata.getEncryptionMechanism(); + assertEquals( + MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_192.getAlgorithmId()), + encryptionMechanism); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncryptToOnlyV6CertWithOnlySEIPD2Features() throws IOException, PGPException { + PGPainless api = PGPainless.getInstance(); + OpenPGPKey v6Key = api.buildKey(OpenPGPKeyVersion.v6) + .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .overridePreferredAEADAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_128)) + .overrideFeatures(Feature.MODIFICATION_DETECTION_2)) // the key only supports SEIPD2 + .addSubkey(KeySpec.getBuilder(KeyType.X25519(), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) + .build(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage().onOutputStream(bOut) + .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() + .addRecipient(v6Key.toCertificate()))); + eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); + eOut.close(); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + DecryptionStream dIn = PGPainless.decryptAndOrVerify() + .onInputStream(bIn) + .withOptions(ConsumerOptions.get().addDecryptionKey(v6Key)); + + bOut = new ByteArrayOutputStream(); + Streams.pipeAll(dIn, bOut); + dIn.close(); + + assertEquals(testMessage, bOut.toString()); + MessageMetadata metadata = dIn.getMetadata(); + MessageEncryptionMechanism encryptionMechanism = metadata.getEncryptionMechanism(); + assertEquals( + MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_128.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + encryptionMechanism); + } } From 7a33e84497f4a3adfe3b72bfba0645a62a87e49b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 5 May 2025 10:58:24 +0200 Subject: [PATCH 191/265] Rework KeyAccessor --- .../pgpainless/algorithm/AlgorithmSuite.kt | 91 ++++++++++++++++--- .../OpenPGPKeyGeneratorExtensions.kt | 4 +- .../MessageMetadata.kt | 16 ++-- .../encryption_signing/EncryptionOptions.kt | 8 +- .../key/generation/KeyRingBuilder.kt | 75 +++++++++++---- .../key/generation/KeyRingBuilderInterface.kt | 3 + .../org/pgpainless/key/generation/KeySpec.kt | 19 ++-- .../key/generation/KeySpecBuilder.kt | 37 +++----- .../org/pgpainless/key/info/KeyAccessor.kt | 83 +++++++---------- .../secretkeyring/SecretKeyRingEditor.kt | 20 +++- .../EncryptDecryptTest.java | 17 ++-- .../util/GuessPreferredHashAlgorithmTest.java | 13 ++- 12 files changed, 247 insertions(+), 139 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt index 801e674c..71a618a2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AlgorithmSuite.kt @@ -4,22 +4,91 @@ package org.pgpainless.algorithm -class AlgorithmSuite( - symmetricKeyAlgorithms: List?, - hashAlgorithms: List?, - compressionAlgorithms: List?, - aeadAlgorithms: List?, - features: List +class AlgorithmSuite +private constructor( + val symmetricKeyAlgorithms: Set?, + val hashAlgorithms: Set?, + val compressionAlgorithms: Set?, + val aeadAlgorithms: Set?, + val features: Set? ) { - val symmetricKeyAlgorithms: Set? = symmetricKeyAlgorithms?.toSet() - val hashAlgorithms: Set? = hashAlgorithms?.toSet() - val compressionAlgorithms: Set? = compressionAlgorithms?.toSet() - val aeadAlgorithms: Set? = aeadAlgorithms?.toSet() - val features: Set = features.toSet() + constructor( + symmetricKeyAlgorithms: List?, + hashAlgorithms: List?, + compressionAlgorithms: List?, + aeadAlgorithms: List?, + features: List? + ) : this( + symmetricKeyAlgorithms?.toSet(), + hashAlgorithms?.toSet(), + compressionAlgorithms?.toSet(), + aeadAlgorithms?.toSet(), + features?.toSet()) + + fun modify(): Builder = Builder(this) + + class Builder(suite: AlgorithmSuite? = null) { + private var symmetricKeyAlgorithms: Set? = + suite?.symmetricKeyAlgorithms + private var hashAlgorithms: Set? = suite?.hashAlgorithms + private var compressionAlgorithms: Set? = suite?.compressionAlgorithms + private var aeadAlgorithms: Set? = suite?.aeadAlgorithms + private var features: Set? = suite?.features + + fun overrideSymmetricKeyAlgorithms( + vararg symmetricKeyAlgorithms: SymmetricKeyAlgorithm + ): Builder = overrideSymmetricKeyAlgorithms(symmetricKeyAlgorithms.toSet()) + + fun overrideSymmetricKeyAlgorithms( + symmetricKeyAlgorithms: Collection? + ): Builder = apply { this.symmetricKeyAlgorithms = symmetricKeyAlgorithms?.toSet() } + + fun overrideHashAlgorithms(vararg hashAlgorithms: HashAlgorithm): Builder = + overrideHashAlgorithms(hashAlgorithms.toSet()) + + fun overrideHashAlgorithms(hashAlgorithms: Collection?): Builder = apply { + this.hashAlgorithms = hashAlgorithms?.toSet() + } + + fun overrideCompressionAlgorithms( + vararg compressionAlgorithms: CompressionAlgorithm + ): Builder = overrideCompressionAlgorithms(compressionAlgorithms.toSet()) + + fun overrideCompressionAlgorithms( + compressionAlgorithms: Collection? + ): Builder = apply { this.compressionAlgorithms = compressionAlgorithms?.toSet() } + + fun overrideAeadAlgorithms(vararg aeadAlgorithms: AEADCipherMode): Builder = + overrideAeadAlgorithms(aeadAlgorithms.toSet()) + + fun overrideAeadAlgorithms(aeadAlgorithms: Collection?): Builder = apply { + this.aeadAlgorithms = aeadAlgorithms?.toSet() + } + + fun overrideFeatures(vararg features: Feature): Builder = overrideFeatures(features.toSet()) + + fun overrideFeatures(features: Collection?): Builder = apply { + this.features = features?.toSet() + } + + fun build(): AlgorithmSuite { + return AlgorithmSuite( + symmetricKeyAlgorithms, + hashAlgorithms, + compressionAlgorithms, + aeadAlgorithms, + features) + } + } companion object { + @JvmStatic + fun emptyBuilder(): Builder { + return Builder() + } + @JvmStatic val defaultSymmetricKeyAlgorithms = listOf( diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt index 05a812d0..c085c08d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyGeneratorExtensions.kt @@ -32,10 +32,10 @@ fun OpenPGPKeyGenerator.setAlgorithmSuite(algorithms: AlgorithmSuite): OpenPGPKe fun OpenPGPKeyGenerator.setDefaultFeatures( critical: Boolean = true, - features: Set + features: Set? ): OpenPGPKeyGenerator { this.setDefaultFeatures { - val b = Feature.toBitmask(*features.toTypedArray()) + val b = features?.let { f -> Feature.toBitmask(*f.toTypedArray()) } ?: 0 it.apply { setFeature(critical, b) } } return this diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index d36159ee..bb96e117 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -33,9 +33,9 @@ class MessageMetadata(val message: Message) { * The [SymmetricKeyAlgorithm] of the outermost encrypted data packet, or null if message is * unencrypted. */ - @Deprecated("Deprecated in favor of encryptionMechanism", - replaceWith = ReplaceWith("encryptionMechanism") - ) + @Deprecated( + "Deprecated in favor of encryptionMechanism", + replaceWith = ReplaceWith("encryptionMechanism")) val encryptionAlgorithm: SymmetricKeyAlgorithm? get() = encryptionAlgorithms.let { if (it.hasNext()) it.next() else null } @@ -48,9 +48,9 @@ class MessageMetadata(val message: Message) { * item that of the next nested encrypted data packet and so on. The iterator might also be * empty, in case of an unencrypted message. */ - @Deprecated("Deprecated in favor of encryptionMechanisms", - replaceWith = ReplaceWith("encryptionMechanisms") - ) + @Deprecated( + "Deprecated in favor of encryptionMechanisms", + replaceWith = ReplaceWith("encryptionMechanisms")) val encryptionAlgorithms: Iterator get() = encryptionLayers.asSequence().map { it.algorithm }.iterator() @@ -60,7 +60,9 @@ class MessageMetadata(val message: Message) { val isEncrypted: Boolean get() = if (encryptionMechanism == null) false - else encryptionMechanism!!.symmetricKeyAlgorithm != SymmetricKeyAlgorithm.NULL.algorithmId + else + encryptionMechanism!!.symmetricKeyAlgorithm != + SymmetricKeyAlgorithm.NULL.algorithmId fun isEncryptedFor(cert: OpenPGPCertificate): Boolean { return encryptionLayers.asSequence().any { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index d6aef95d..7dd6b3fb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -24,7 +24,6 @@ import org.pgpainless.util.Passphrase class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: PGPainless) { private val _encryptionMethods: MutableSet = mutableSetOf() private val _encryptionKeys: MutableSet = mutableSetOf() - private val _encryptionKeyIdentifiers: MutableSet = mutableSetOf() private val _keyRingInfo: MutableMap = mutableMapOf() private val _keyViews: MutableMap = mutableMapOf() private val encryptionKeySelector: EncryptionKeySelector = encryptToAllCapableSubkeys() @@ -37,7 +36,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: get() = _encryptionMethods.toSet() val encryptionKeyIdentifiers - get() = _encryptionKeyIdentifiers.toSet() + get() = _encryptionKeys.map { SubkeyIdentifier(it) } val encryptionKeys get() = _encryptionKeys.toSet() @@ -201,7 +200,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: for (subkey in subkeys) { val keyId = SubkeyIdentifier(subkey) _keyRingInfo[keyId] = info - _keyViews[keyId] = KeyAccessor.ViaUserId(info, keyId, userId.toString()) + _keyViews[keyId] = KeyAccessor.ViaUserId(subkey, cert.getUserId(userId.toString())) addRecipientKey(subkey, false) } } @@ -320,14 +319,13 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: for (subkey in encryptionSubkeys) { val keyId = SubkeyIdentifier(subkey) _keyRingInfo[keyId] = info - _keyViews[keyId] = KeyAccessor.ViaKeyId(info, keyId) + _keyViews[keyId] = KeyAccessor.ViaKeyIdentifier(subkey) addRecipientKey(subkey, wildcardKeyId) } } private fun addRecipientKey(key: OpenPGPComponentKey, wildcardRecipient: Boolean) { _encryptionKeys.add(key) - _encryptionKeyIdentifiers.add(SubkeyIdentifier(key)) addEncryptionMethod( api.implementation.publicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey).also { it.setUseWildcardRecipient(wildcardRecipient) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 6d6481bd..2f25fc7a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -14,6 +14,7 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder import org.bouncycastle.util.Strings import org.pgpainless.PGPainless +import org.pgpainless.algorithm.AlgorithmSuite import org.pgpainless.algorithm.KeyFlag import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.SignatureType @@ -33,6 +34,11 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion, private val api: PG private val userIds = mutableMapOf() private var passphrase = Passphrase.emptyPassphrase() private var expirationDate: Date? = Date(System.currentTimeMillis() + (5 * MILLIS_IN_YEAR)) + private var algorithmSuite: AlgorithmSuite = api.algorithmPolicy.keyGenerationAlgorithmSuite + + override fun withPreferences(preferences: AlgorithmSuite): KeyRingBuilder = apply { + algorithmSuite = preferences + } override fun setPrimaryKey(keySpec: KeySpec): KeyRingBuilder = apply { verifyKeySpecCompliesToPolicy(keySpec, api.algorithmPolicy) @@ -95,14 +101,32 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion, private val api: PG val signer = buildContentSigner(certKey) val signatureGenerator = PGPSignatureGenerator(signer, certKey.publicKey) - val hashedSubPacketGenerator = primaryKeySpec!!.subpacketGenerator - hashedSubPacketGenerator.setAppropriateIssuerInfo(certKey.publicKey, version) - expirationDate?.let { hashedSubPacketGenerator.setKeyExpirationTime(certKey.publicKey, it) } + val hashedSignatureSubpackets: SignatureSubpackets = + SignatureSubpackets.createHashedSubpackets(certKey.publicKey).apply { + setKeyFlags(primaryKeySpec!!.keyFlags) + (primaryKeySpec!!.preferredHashAlgorithmsOverride ?: algorithmSuite.hashAlgorithms) + ?.let { setPreferredHashAlgorithms(it) } + (primaryKeySpec!!.preferredCompressionAlgorithmsOverride + ?: algorithmSuite.compressionAlgorithms) + ?.let { setPreferredCompressionAlgorithms(it) } + (primaryKeySpec!!.preferredSymmetricAlgorithmsOverride + ?: algorithmSuite.symmetricKeyAlgorithms) + ?.let { setPreferredSymmetricKeyAlgorithms(it) } + (primaryKeySpec!!.preferredAEADAlgorithmsOverride ?: algorithmSuite.aeadAlgorithms) + ?.let { setPreferredAEADCiphersuites(it) } + (primaryKeySpec!!.featuresOverride ?: algorithmSuite.features)?.let { + setFeatures(*it.toTypedArray()) + } + } + + expirationDate?.let { + hashedSignatureSubpackets.setKeyExpirationTime(certKey.publicKey, it) + } if (userIds.isNotEmpty()) { - hashedSubPacketGenerator.setPrimaryUserId() + hashedSignatureSubpackets.setPrimaryUserId() } - val hashedSubPackets = hashedSubPacketGenerator.subpacketsGenerator.generate() + val hashedSubPackets = hashedSignatureSubpackets.subpacketsGenerator.generate() val ringGenerator = if (userIds.isEmpty()) { PGPKeyRingGenerator( @@ -138,7 +162,7 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion, private val api: PG val callback = additionalUserId.value val subpackets = if (callback == null) { - hashedSubPacketGenerator.also { it.setPrimaryUserId(null) } + hashedSignatureSubpackets.also { it.setPrimaryUserId(null) } } else { SignatureSubpackets.createHashedSubpackets(primaryPubKey).also { callback.modifyHashedSubpackets(it) @@ -167,21 +191,34 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion, private val api: PG private fun addSubKeys(primaryKey: PGPKeyPair, ringGenerator: PGPKeyRingGenerator) { for (subKeySpec in subKeySpecs) { val subKey = generateKeyPair(subKeySpec, version, api.implementation) - if (subKeySpec.isInheritedSubPackets) { - ringGenerator.addSubKey(subKey) - } else { - var hashedSubpackets = subKeySpec.subpackets - try { - hashedSubpackets = - addPrimaryKeyBindingSignatureIfNecessary( - primaryKey, subKey, hashedSubpackets) - } catch (e: IOException) { - throw PGPException( - "Exception while adding primary key binding signature to signing subkey.", - e) + var hashedSignatureSubpackets: SignatureSubpackets = + SignatureSubpackets.createHashedSubpackets(subKey.publicKey).apply { + setKeyFlags(subKeySpec.keyFlags) + subKeySpec.preferredHashAlgorithmsOverride?.let { + setPreferredHashAlgorithms(it) + } + subKeySpec.preferredCompressionAlgorithmsOverride?.let { + setPreferredCompressionAlgorithms(it) + } + subKeySpec.preferredSymmetricAlgorithmsOverride?.let { + setPreferredSymmetricKeyAlgorithms(it) + } + subKeySpec.preferredAEADAlgorithmsOverride?.let { + setPreferredAEADCiphersuites(it) + } + subKeySpec.featuresOverride?.let { setFeatures(*it.toTypedArray()) } } - ringGenerator.addSubKey(subKey, hashedSubpackets, null) + + var hashedSubpackets: PGPSignatureSubpacketVector = + hashedSignatureSubpackets.subpacketsGenerator.generate() + try { + hashedSubpackets = + addPrimaryKeyBindingSignatureIfNecessary(primaryKey, subKey, hashedSubpackets) + } catch (e: IOException) { + throw PGPException( + "Exception while adding primary key binding signature to signing subkey.", e) } + ringGenerator.addSubKey(subKey, hashedSubpackets, null) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt index 8004d9a3..3bf95996 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilderInterface.kt @@ -9,10 +9,13 @@ import java.security.NoSuchAlgorithmException import java.util.* import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.api.OpenPGPKey +import org.pgpainless.algorithm.AlgorithmSuite import org.pgpainless.util.Passphrase interface KeyRingBuilderInterface> { + fun withPreferences(preferences: AlgorithmSuite): B + fun setPrimaryKey(keySpec: KeySpec): B fun setPrimaryKey(builder: KeySpecBuilder): B = setPrimaryKey(builder.build()) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpec.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpec.kt index f616a7f2..66f5f9e0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpec.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpec.kt @@ -5,22 +5,25 @@ package org.pgpainless.key.generation import java.util.* -import org.bouncycastle.openpgp.PGPSignatureSubpacketVector +import org.pgpainless.algorithm.AEADCipherMode +import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.Feature +import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.key.generation.type.KeyType -import org.pgpainless.signature.subpackets.SignatureSubpackets -import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper data class KeySpec( val keyType: KeyType, - val subpacketGenerator: SignatureSubpackets, - val isInheritedSubPackets: Boolean, + val keyFlags: List, + val preferredCompressionAlgorithmsOverride: Set?, + val preferredHashAlgorithmsOverride: Set?, + val preferredSymmetricAlgorithmsOverride: Set?, + val preferredAEADAlgorithmsOverride: Set?, + val featuresOverride: Set?, val keyCreationDate: Date? ) { - val subpackets: PGPSignatureSubpacketVector - get() = SignatureSubpacketsHelper.toVector(subpacketGenerator) - companion object { @JvmStatic fun getBuilder(type: KeyType, vararg flags: KeyFlag) = KeySpecBuilder(type, *flags) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt index 21cf5ec0..59d9efe7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeySpecBuilder.kt @@ -5,11 +5,8 @@ package org.pgpainless.key.generation import java.util.* -import org.pgpainless.PGPainless import org.pgpainless.algorithm.* import org.pgpainless.key.generation.type.KeyType -import org.pgpainless.signature.subpackets.SelfSignatureSubpackets -import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil class KeySpecBuilder( @@ -17,16 +14,11 @@ class KeySpecBuilder( private val keyFlags: List, ) : KeySpecBuilderInterface { - private val hashedSubpackets: SelfSignatureSubpackets = SignatureSubpackets() - private val algorithmSuite: AlgorithmSuite = - PGPainless.getInstance().algorithmPolicy.keyGenerationAlgorithmSuite - private var preferredCompressionAlgorithms: Set? = - algorithmSuite.compressionAlgorithms - private var preferredHashAlgorithms: Set? = algorithmSuite.hashAlgorithms - private var preferredSymmetricAlgorithms: Set? = - algorithmSuite.symmetricKeyAlgorithms - private var preferredAEADAlgorithms: Set? = algorithmSuite.aeadAlgorithms - private var features: Set? = algorithmSuite.features + private var preferredCompressionAlgorithms: Set? = null + private var preferredHashAlgorithms: Set? = null + private var preferredSymmetricAlgorithms: Set? = null + private var preferredAEADAlgorithms: Set? = null + private var features: Set? = null private var keyCreationDate: Date? = null constructor(type: KeyType, vararg keyFlags: KeyFlag) : this(type, listOf(*keyFlags)) @@ -70,15 +62,14 @@ class KeySpecBuilder( } override fun build(): KeySpec { - return hashedSubpackets - .apply { - setKeyFlags(keyFlags) - preferredCompressionAlgorithms?.let { setPreferredCompressionAlgorithms(it) } - preferredHashAlgorithms?.let { setPreferredHashAlgorithms(it) } - preferredSymmetricAlgorithms?.let { setPreferredSymmetricKeyAlgorithms(it) } - preferredAEADAlgorithms?.let { setPreferredAEADCiphersuites(it) } - features?.let { setFeatures(*it.toTypedArray()) } - } - .let { KeySpec(type, hashedSubpackets as SignatureSubpackets, false, keyCreationDate) } + return KeySpec( + type, + keyFlags, + preferredCompressionAlgorithms, + preferredHashAlgorithms, + preferredSymmetricAlgorithms, + preferredAEADAlgorithms, + features, + keyCreationDate) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt index 735d4490..a5c2627e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt @@ -4,80 +4,67 @@ package org.pgpainless.key.info -import org.bouncycastle.openpgp.PGPSignature +import java.util.* +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPCertificateComponent +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPIdentityComponent import org.pgpainless.algorithm.AEADCipherMode import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.key.SubkeyIdentifier -import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil +import org.pgpainless.bouncycastle.extensions.toAEADCipherModes +import org.pgpainless.bouncycastle.extensions.toCompressionAlgorithms +import org.pgpainless.bouncycastle.extensions.toHashAlgorithms +import org.pgpainless.bouncycastle.extensions.toSymmetricKeyAlgorithms -abstract class KeyAccessor(protected val info: KeyRingInfo, protected val key: SubkeyIdentifier) { +abstract class KeyAccessor( + protected val key: OpenPGPComponentKey, + private val referenceTime: Date +) { - /** - * Depending on the way we address the key (key-id or user-id), return the respective - * [PGPSignature] which contains the algorithm preferences we are going to use. - * - *

- * If we address a key via its user-id, we want to rely on the algorithm preferences in the - * user-id certification, while we would instead rely on those in the direct-key signature if - * we'd address the key by key-id. - * - * @return signature - */ - abstract val signatureWithPreferences: PGPSignature + abstract val component: OpenPGPCertificateComponent - /** Preferred symmetric key encryption algorithms. */ val preferredSymmetricKeyAlgorithms: Set get() = - SignatureSubpacketsUtil.parsePreferredSymmetricKeyAlgorithms(signatureWithPreferences) + component.getSymmetricCipherPreferences(referenceTime)?.toSymmetricKeyAlgorithms() + ?: setOf() - /** Preferred hash algorithms. */ val preferredHashAlgorithms: Set - get() = SignatureSubpacketsUtil.parsePreferredHashAlgorithms(signatureWithPreferences) + get() = component.getHashAlgorithmPreferences(referenceTime)?.toHashAlgorithms() ?: setOf() - /** Preferred compression algorithms. */ val preferredCompressionAlgorithms: Set get() = - SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signatureWithPreferences) + component.getCompressionAlgorithmPreferences(referenceTime)?.toCompressionAlgorithms() + ?: setOf() - /** Preferred AEAD algorithm suites. */ val preferredAEADCipherSuites: Set - get() = SignatureSubpacketsUtil.parsePreferredAEADCipherSuites(signatureWithPreferences) + get() = + component.getAEADCipherSuitePreferences(referenceTime)?.toAEADCipherModes() ?: setOf() + + val features: Set + get() = + Feature.fromBitmask(component.getFeatures(referenceTime)?.features?.toInt() ?: 0) + .toSet() /** * Address the key via a user-id (e.g. `Alice `). In this case we are * sourcing preferred algorithms from the user-id certification first. */ - class ViaUserId(info: KeyRingInfo, key: SubkeyIdentifier, private val userId: CharSequence) : - KeyAccessor(info, key) { - override val signatureWithPreferences: PGPSignature - get() = - checkNotNull(info.getLatestUserIdCertification(userId.toString())) { - "No valid user-id certification signature found for '$userId'." - } + class ViaUserId( + key: OpenPGPComponentKey, + userId: OpenPGPIdentityComponent, + referenceTime: Date = Date() + ) : KeyAccessor(key, referenceTime) { + override val component: OpenPGPCertificateComponent = userId } /** * Address the key via key-id. In this case we are sourcing preferred algorithms from the keys * direct-key signature first. */ - class ViaKeyId(info: KeyRingInfo, key: SubkeyIdentifier) : KeyAccessor(info, key) { - override val signatureWithPreferences: PGPSignature - get() { - if (key.isPrimaryKey) { - // If the key is located by Key ID, the algorithm of the primary User ID of the - // key - // provides the - // preferred symmetric algorithm. - info.primaryUserId?.let { userId -> - info.getLatestUserIdCertification(userId).let { if (it != null) return it } - } - } - - return info.getCurrentSubkeyBindingSignature(key.keyIdentifier) - ?: throw NoSuchElementException( - "Key does not carry acceptable self-signature signature.") - } + class ViaKeyIdentifier(key: OpenPGPComponentKey, referenceTime: Date = Date()) : + KeyAccessor(key, referenceTime) { + override val component: OpenPGPCertificateComponent = key } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index cece7657..8cf5338d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -250,8 +250,22 @@ class SecretKeyRingEditor( val callback = object : SelfSignatureSubpackets.Callback { override fun modifyHashedSubpackets(hashedSubpackets: SelfSignatureSubpackets) { - SignatureSubpacketsHelper.applyFrom( - keySpec.subpackets, hashedSubpackets as SignatureSubpackets) + hashedSubpackets.apply { + setKeyFlags(keySpec.keyFlags) + keySpec.preferredHashAlgorithmsOverride?.let { + setPreferredHashAlgorithms(it) + } + keySpec.preferredCompressionAlgorithmsOverride?.let { + setPreferredCompressionAlgorithms(it) + } + keySpec.preferredSymmetricAlgorithmsOverride?.let { + setPreferredSymmetricKeyAlgorithms(it) + } + keySpec.preferredAEADAlgorithmsOverride?.let { + setPreferredAEADCiphersuites(it) + } + keySpec.featuresOverride?.let { setFeatures(*it.toTypedArray()) } + } hashedSubpackets.setSignatureCreationTime(referenceTime) } } @@ -268,7 +282,7 @@ class SecretKeyRingEditor( val keyPair = KeyRingBuilder.generateKeyPair(keySpec, version, api.implementation) val subkeyProtector = PasswordBasedSecretKeyRingProtector.forKeyId(keyPair.keyIdentifier, subkeyPassphrase) - val keyFlags = KeyFlag.fromBitmask(keySpec.subpackets.keyFlags).toMutableList() + val keyFlags = keySpec.keyFlags.toMutableList() return addSubKey( keyPair, callback, diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 8f8b2b67..b5713345 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -30,6 +30,7 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.AEADAlgorithm; import org.pgpainless.algorithm.AEADCipherMode; +import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.KeyFlag; @@ -323,9 +324,11 @@ public class EncryptDecryptTest { public void testEncryptToOnlyV4CertWithOnlySEIPD1Feature() throws PGPException, IOException { PGPainless api = PGPainless.getInstance(); OpenPGPKey v4Key = api.buildKey(OpenPGPKeyVersion.v4) - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192) - .overrideFeatures(Feature.MODIFICATION_DETECTION)) // the key only supports SEIPD1 + .withPreferences(AlgorithmSuite.emptyBuilder() + .overrideSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192) + .overrideFeatures(Feature.MODIFICATION_DETECTION) + .build()) + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) .build(); @@ -358,9 +361,11 @@ public class EncryptDecryptTest { public void testEncryptToOnlyV6CertWithOnlySEIPD2Features() throws IOException, PGPException { PGPainless api = PGPainless.getInstance(); OpenPGPKey v6Key = api.buildKey(OpenPGPKeyVersion.v6) - .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .overridePreferredAEADAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_128)) - .overrideFeatures(Feature.MODIFICATION_DETECTION_2)) // the key only supports SEIPD2 + .withPreferences(AlgorithmSuite.emptyBuilder() + .overrideFeatures(Feature.MODIFICATION_DETECTION_2) + .overrideAeadAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_192)) + .build()) + .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.X25519(), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index b6ebd8a2..136f0eef 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -12,10 +12,10 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; @@ -25,12 +25,11 @@ public class GuessPreferredHashAlgorithmTest { @Test public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() { - PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + PGPSecretKeyRing secretKeys = api.buildKey(OpenPGPKeyVersion.v4) + .withPreferences(AlgorithmSuite.emptyBuilder().build()) .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), - KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .overridePreferredHashAlgorithms(new HashAlgorithm[] {}) - .overridePreferredSymmetricKeyAlgorithms(new SymmetricKeyAlgorithm[] {}) - .overridePreferredCompressionAlgorithms(new CompressionAlgorithm[] {})) + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("test@test.test") .build() .getPGPSecretKeyRing(); From b41fb2c468090cc7e6939ffb07ede0123e0dab9a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 5 May 2025 12:17:47 +0200 Subject: [PATCH 192/265] First draft for SEIPD2 negotiation --- .../OpenPGPImplementationExtensions.kt | 25 ++++++ .../encryption_signing/EncryptionOptions.kt | 83 ++++++++++++++----- .../encryption_signing/EncryptionResult.kt | 18 ++-- .../encryption_signing/EncryptionStream.kt | 38 ++++----- .../org/pgpainless/key/info/KeyAccessor.kt | 6 +- .../EncryptDecryptTest.java | 3 +- 6 files changed, 124 insertions(+), 49 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt index 5a33b609..18a0a737 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt @@ -5,9 +5,34 @@ package org.pgpainless.bouncycastle.extensions import org.bouncycastle.bcpg.HashAlgorithmTags +import org.bouncycastle.openpgp.api.EncryptedDataPacketType +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPImplementation +import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder import org.bouncycastle.openpgp.operator.PGPDigestCalculator fun OpenPGPImplementation.checksumCalculator(): PGPDigestCalculator { return pgpDigestCalculatorProvider().get(HashAlgorithmTags.SHA1) } + +fun OpenPGPImplementation.pgpDataEncryptorBuilder( + mechanism: MessageEncryptionMechanism +): PGPDataEncryptorBuilder { + require(mechanism.isEncrypted) { "Cannot create PGPDataEncryptorBuilder for NULL algorithm." } + return pgpDataEncryptorBuilder(mechanism.symmetricKeyAlgorithm).also { + when (mechanism.mode!!) { + EncryptedDataPacketType.SED -> it.setWithIntegrityPacket(false) + EncryptedDataPacketType.SEIPDv1 -> it.setWithIntegrityPacket(true) + EncryptedDataPacketType.SEIPDv2 -> { + it.setWithAEAD(mechanism.aeadAlgorithm, mechanism.symmetricKeyAlgorithm) + it.setUseV6AEAD() + } + EncryptedDataPacketType.LIBREPGP_OED -> { + it.setWithAEAD(mechanism.aeadAlgorithm, mechanism.symmetricKeyAlgorithm) + it.setUseV5AEAD() + } + } + + return it + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 7dd6b3fb..fb7881b4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -6,11 +6,15 @@ package org.pgpainless.encryption_signing import java.util.* import org.bouncycastle.openpgp.PGPPublicKeyRing +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator import org.pgpainless.PGPainless +import org.pgpainless.algorithm.AEADAlgorithm +import org.pgpainless.algorithm.AEADCipherMode import org.pgpainless.algorithm.EncryptionPurpose +import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.algorithm.negotiation.SymmetricKeyAlgorithmNegotiator.Companion.byPopularity import org.pgpainless.authentication.CertificateAuthority @@ -23,32 +27,34 @@ import org.pgpainless.util.Passphrase class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: PGPainless) { private val _encryptionMethods: MutableSet = mutableSetOf() - private val _encryptionKeys: MutableSet = mutableSetOf() + private val keysAndAccessors: MutableMap = mutableMapOf() private val _keyRingInfo: MutableMap = mutableMapOf() - private val _keyViews: MutableMap = mutableMapOf() private val encryptionKeySelector: EncryptionKeySelector = encryptToAllCapableSubkeys() private var allowEncryptionWithMissingKeyFlags = false private var evaluationDate = Date() - private var _encryptionAlgorithmOverride: SymmetricKeyAlgorithm? = null + private var _encryptionMechanismOverride: MessageEncryptionMechanism? = null val encryptionMethods get() = _encryptionMethods.toSet() val encryptionKeyIdentifiers - get() = _encryptionKeys.map { SubkeyIdentifier(it) } + get() = keysAndAccessors.keys.map { SubkeyIdentifier(it) } val encryptionKeys - get() = _encryptionKeys.toSet() - - val keyRingInfo - get() = _keyRingInfo.toMap() - - val keyViews - get() = _keyViews.toMap() + get() = keysAndAccessors.keys.toSet() + @Deprecated( + "Deprecated in favor of encryptionMechanismOverride", + replaceWith = ReplaceWith("encryptionMechanismOverride")) val encryptionAlgorithmOverride - get() = _encryptionAlgorithmOverride + get() = + _encryptionMechanismOverride?.let { + SymmetricKeyAlgorithm.requireFromId(it.symmetricKeyAlgorithm) + } + + val encryptionMechanismOverride + get() = _encryptionMechanismOverride constructor(api: PGPainless) : this(EncryptionPurpose.ANY, api) @@ -200,8 +206,8 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: for (subkey in subkeys) { val keyId = SubkeyIdentifier(subkey) _keyRingInfo[keyId] = info - _keyViews[keyId] = KeyAccessor.ViaUserId(subkey, cert.getUserId(userId.toString())) - addRecipientKey(subkey, false) + val accessor = KeyAccessor.ViaUserId(subkey, cert.getUserId(userId.toString())) + addRecipientKey(subkey, accessor, false) } } @@ -319,13 +325,17 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: for (subkey in encryptionSubkeys) { val keyId = SubkeyIdentifier(subkey) _keyRingInfo[keyId] = info - _keyViews[keyId] = KeyAccessor.ViaKeyIdentifier(subkey) - addRecipientKey(subkey, wildcardKeyId) + val accessor = KeyAccessor.ViaKeyIdentifier(subkey) + addRecipientKey(subkey, accessor, wildcardKeyId) } } - private fun addRecipientKey(key: OpenPGPComponentKey, wildcardRecipient: Boolean) { - _encryptionKeys.add(key) + private fun addRecipientKey( + key: OpenPGPComponentKey, + accessor: KeyAccessor, + wildcardRecipient: Boolean + ) { + keysAndAccessors[key] = accessor addEncryptionMethod( api.implementation.publicKeyKeyEncryptionMethodGenerator(key.pgpPublicKey).also { it.setUseWildcardRecipient(wildcardRecipient) @@ -381,11 +391,21 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: * @param encryptionAlgorithm encryption algorithm override * @return this */ + @Deprecated( + "Deprecated in favor of overrideEncryptionMechanism", + replaceWith = + ReplaceWith( + "overrideEncryptionMechanism(MessageEncryptionMechanism.integrityProtected(encryptionAlgorithm.algorithmId))")) fun overrideEncryptionAlgorithm(encryptionAlgorithm: SymmetricKeyAlgorithm) = apply { require(encryptionAlgorithm != SymmetricKeyAlgorithm.NULL) { "Encryption algorithm override cannot be NULL." } - _encryptionAlgorithmOverride = encryptionAlgorithm + overrideEncryptionMechanism( + MessageEncryptionMechanism.integrityProtected(encryptionAlgorithm.algorithmId)) + } + + fun overrideEncryptionMechanism(encryptionMechanism: MessageEncryptionMechanism) = apply { + _encryptionMechanismOverride = encryptionMechanism } /** @@ -403,7 +423,8 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: fun hasEncryptionMethod() = _encryptionMethods.isNotEmpty() internal fun negotiateSymmetricEncryptionAlgorithm(): SymmetricKeyAlgorithm { - val preferences = keyViews.values.map { it.preferredSymmetricKeyAlgorithms }.toList() + val preferences = + keysAndAccessors.values.map { it.preferredSymmetricKeyAlgorithms }.toList() val algorithm = byPopularity() .negotiate( @@ -413,6 +434,28 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: return algorithm } + internal fun negotiateEncryptionMechanism(): MessageEncryptionMechanism { + val features = keysAndAccessors.values.map { it.features }.toList() + + if (features.all { it.contains(Feature.MODIFICATION_DETECTION_2) }) { + val aeadPrefs = keysAndAccessors.values.map { it.preferredAEADCipherSuites }.toList() + val counted = mutableMapOf() + for (pref in aeadPrefs) { + for (mode in pref) { + counted[mode] = counted.getOrDefault(mode, 0) + 1 + } + } + val max: AEADCipherMode = + counted.maxByOrNull { it.value }?.key + ?: AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_128) + return MessageEncryptionMechanism.aead( + max.ciphermode.algorithmId, max.aeadAlgorithm.algorithmId) + } else { + return MessageEncryptionMechanism.integrityProtected( + negotiateSymmetricEncryptionAlgorithm().algorithmId) + } + } + fun interface EncryptionKeySelector { fun selectEncryptionSubkeys( encryptionCapableKeys: List diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt index 626c1de4..e86b2d90 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt @@ -8,6 +8,7 @@ import java.util.* import org.bouncycastle.openpgp.PGPLiteralData import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.pgpainless.algorithm.CompressionAlgorithm @@ -18,7 +19,7 @@ import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.util.MultiMap data class EncryptionResult( - val encryptionAlgorithm: SymmetricKeyAlgorithm, + val encryptionMechanism: MessageEncryptionMechanism, val compressionAlgorithm: CompressionAlgorithm, val detachedDocumentSignatures: OpenPGPSignatureSet, val recipients: Set, @@ -27,6 +28,11 @@ data class EncryptionResult( val fileEncoding: StreamEncoding ) { + @Deprecated( + "Use encryptionMechanism instead.", replaceWith = ReplaceWith("encryptionMechanism")) + val encryptionAlgorithm: SymmetricKeyAlgorithm? + get() = SymmetricKeyAlgorithm.fromId(encryptionMechanism.symmetricKeyAlgorithm) + @Deprecated( "Use detachedSignatures instead", replaceWith = ReplaceWith("detachedDocumentSignatures")) // TODO: Remove in 2.1 @@ -69,7 +75,8 @@ data class EncryptionResult( } class Builder { - var _encryptionAlgorithm: SymmetricKeyAlgorithm? = null + var _encryptionMechanism: MessageEncryptionMechanism = + MessageEncryptionMechanism.unencrypted() var _compressionAlgorithm: CompressionAlgorithm? = null val detachedSignatures: MutableList = mutableListOf() @@ -78,8 +85,8 @@ data class EncryptionResult( private var _modificationDate = Date(0) private var _encoding = StreamEncoding.BINARY - fun setEncryptionAlgorithm(encryptionAlgorithm: SymmetricKeyAlgorithm) = apply { - _encryptionAlgorithm = encryptionAlgorithm + fun setEncryptionMechanism(mechanism: MessageEncryptionMechanism): Builder = apply { + _encryptionMechanism = mechanism } fun setCompressionAlgorithm(compressionAlgorithm: CompressionAlgorithm) = apply { @@ -103,11 +110,10 @@ data class EncryptionResult( } fun build(): EncryptionResult { - checkNotNull(_encryptionAlgorithm) { "Encryption algorithm not set." } checkNotNull(_compressionAlgorithm) { "Compression algorithm not set." } return EncryptionResult( - _encryptionAlgorithm!!, + _encryptionMechanism, _compressionAlgorithm!!, OpenPGPSignatureSet(detachedSignatures), recipients, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index 4c913a62..d2a9a63c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -13,11 +13,12 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator import org.bouncycastle.openpgp.PGPEncryptedDataGenerator import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.PGPLiteralDataGenerator +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature import org.pgpainless.PGPainless import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding -import org.pgpainless.algorithm.SymmetricKeyAlgorithm +import org.pgpainless.bouncycastle.extensions.pgpDataEncryptorBuilder import org.pgpainless.util.ArmoredOutputStreamFactory // 1 << 8 causes wrong partial body length encoding @@ -74,34 +75,29 @@ class EncryptionStream( @Throws(IOException::class, PGPException::class) private fun prepareEncryption() { if (options.encryptionOptions == null) { - // No encryption options -> no encryption - resultBuilder.setEncryptionAlgorithm(SymmetricKeyAlgorithm.NULL) return } require(options.encryptionOptions.encryptionMethods.isNotEmpty()) { "If EncryptionOptions are provided, at least one encryption method MUST be provided as well." } - options.encryptionOptions.negotiateSymmetricEncryptionAlgorithm().let { - resultBuilder.setEncryptionAlgorithm(it) - val encryptedDataGenerator = - PGPEncryptedDataGenerator( - api.implementation.pgpDataEncryptorBuilder(it.algorithmId).apply { - setWithIntegrityPacket(true) - }) - options.encryptionOptions.encryptionMethods.forEach { m -> - encryptedDataGenerator.addMethod(m) - } - options.encryptionOptions.encryptionKeyIdentifiers.forEach { r -> - resultBuilder.addRecipient(r) - } + val mechanism: MessageEncryptionMechanism = + options.encryptionOptions.negotiateEncryptionMechanism() + resultBuilder.setEncryptionMechanism(mechanism) + val encryptedDataGenerator = + PGPEncryptedDataGenerator(api.implementation.pgpDataEncryptorBuilder(mechanism)) - publicKeyEncryptedStream = - encryptedDataGenerator.open(outermostStream, ByteArray(BUFFER_SIZE)).also { stream - -> - outermostStream = stream - } + options.encryptionOptions.encryptionMethods.forEach { m -> + encryptedDataGenerator.addMethod(m) } + options.encryptionOptions.encryptionKeyIdentifiers.forEach { r -> + resultBuilder.addRecipient(r) + } + + publicKeyEncryptedStream = + encryptedDataGenerator.open(outermostStream, ByteArray(BUFFER_SIZE)).also { stream -> + outermostStream = stream + } } @Throws(IOException::class) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt index a5c2627e..838fd222 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt @@ -4,6 +4,7 @@ package org.pgpainless.key.info +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites.Combination import java.util.* import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPCertificateComponent import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey @@ -40,7 +41,10 @@ abstract class KeyAccessor( val preferredAEADCipherSuites: Set get() = - component.getAEADCipherSuitePreferences(referenceTime)?.toAEADCipherModes() ?: setOf() + component.getAEADCipherSuitePreferences(referenceTime) + ?.rawAlgorithms + ?.map { AEADCipherMode(it) } + ?.toSet() ?: setOf() val features: Set get() = diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index b5713345..11b5d9cc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -376,6 +376,7 @@ public class EncryptDecryptTest { eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); eOut.close(); + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); DecryptionStream dIn = PGPainless.decryptAndOrVerify() .onInputStream(bIn) @@ -389,7 +390,7 @@ public class EncryptDecryptTest { MessageMetadata metadata = dIn.getMetadata(); MessageEncryptionMechanism encryptionMechanism = metadata.getEncryptionMechanism(); assertEquals( - MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_128.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), encryptionMechanism); } } From 75174ae7a1c46b02ba04f1c986dcd0ab50138b8b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 5 May 2025 13:30:21 +0200 Subject: [PATCH 193/265] Move negotiation tests to dedicated test class --- .../EncryptDecryptTest.java | 86 ---------- .../MechanismNegotiationTest.java | 156 ++++++++++++++++++ 2 files changed, 156 insertions(+), 86 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 11b5d9cc..81213085 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -15,26 +15,18 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.Charset; -import java.nio.charset.StandardCharsets; import java.util.Set; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.api.MessageEncryptionMechanism; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.AEADAlgorithm; -import org.pgpainless.algorithm.AEADCipherMode; -import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.DocumentSignatureType; -import org.pgpainless.algorithm.Feature; -import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -42,11 +34,7 @@ import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.KeyException; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; -import org.pgpainless.key.generation.KeySpec; -import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.generation.type.rsa.RsaLength; -import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.ArmoredOutputStreamFactory; @@ -319,78 +307,4 @@ public class EncryptDecryptTest { .addRecipient(publicKeys)); } - @TestTemplate - @ExtendWith(TestAllImplementations.class) - public void testEncryptToOnlyV4CertWithOnlySEIPD1Feature() throws PGPException, IOException { - PGPainless api = PGPainless.getInstance(); - OpenPGPKey v4Key = api.buildKey(OpenPGPKeyVersion.v4) - .withPreferences(AlgorithmSuite.emptyBuilder() - .overrideSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192) - .overrideFeatures(Feature.MODIFICATION_DETECTION) - .build()) - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) - .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build(); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - EncryptionStream eOut = api.generateMessage().onOutputStream(bOut) - .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() - .addRecipient(v4Key.toCertificate()))); - eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); - eOut.close(); - - ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); - DecryptionStream dIn = PGPainless.decryptAndOrVerify() - .onInputStream(bIn) - .withOptions(ConsumerOptions.get().addDecryptionKey(v4Key)); - - bOut = new ByteArrayOutputStream(); - Streams.pipeAll(dIn, bOut); - dIn.close(); - - assertEquals(testMessage, bOut.toString()); - MessageMetadata metadata = dIn.getMetadata(); - MessageEncryptionMechanism encryptionMechanism = metadata.getEncryptionMechanism(); - assertEquals( - MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_192.getAlgorithmId()), - encryptionMechanism); - } - - @TestTemplate - @ExtendWith(TestAllImplementations.class) - public void testEncryptToOnlyV6CertWithOnlySEIPD2Features() throws IOException, PGPException { - PGPainless api = PGPainless.getInstance(); - OpenPGPKey v6Key = api.buildKey(OpenPGPKeyVersion.v6) - .withPreferences(AlgorithmSuite.emptyBuilder() - .overrideFeatures(Feature.MODIFICATION_DETECTION_2) - .overrideAeadAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_192)) - .build()) - .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) - .addSubkey(KeySpec.getBuilder(KeyType.X25519(), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) - .build(); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - EncryptionStream eOut = api.generateMessage().onOutputStream(bOut) - .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() - .addRecipient(v6Key.toCertificate()))); - eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); - eOut.close(); - - - ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); - DecryptionStream dIn = PGPainless.decryptAndOrVerify() - .onInputStream(bIn) - .withOptions(ConsumerOptions.get().addDecryptionKey(v6Key)); - - bOut = new ByteArrayOutputStream(); - Streams.pipeAll(dIn, bOut); - dIn.close(); - - assertEquals(testMessage, bOut.toString()); - MessageMetadata metadata = dIn.getMetadata(); - MessageEncryptionMechanism encryptionMechanism = metadata.getEncryptionMechanism(); - assertEquals( - MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), - encryptionMechanism); - } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java new file mode 100644 index 00000000..44a10a65 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java @@ -0,0 +1,156 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.encryption_signing; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.AEADAlgorithm; +import org.pgpainless.algorithm.AEADCipherMode; +import org.pgpainless.algorithm.AlgorithmSuite; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.OpenPGPKeyVersion; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.decryption_verification.MessageMetadata; +import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; +import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; +import org.pgpainless.util.TestAllImplementations; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.List; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +public class MechanismNegotiationTest { + + private static final String testMessage = + "Ah, Juliet, if the measure of thy joy\n" + + "Be heaped like mine, and that thy skill be more\n" + + "To blazon it, then sweeten with thy breath\n" + + "This neighbor air, and let rich music’s tongue\n" + + "Unfold the imagined happiness that both\n" + + "Receive in either by this dear encounter."; + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncryptToOnlyV4CertWithOnlySEIPD1Feature() throws PGPException, IOException { + testEncryptDecryptAndCheckExpectations( + MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_192.getAlgorithmId()), + new KeySpecification(OpenPGPKeyVersion.v4, AlgorithmSuite.emptyBuilder() + .overrideSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192) + .overrideFeatures(Feature.MODIFICATION_DETECTION) + .build())); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncryptToOnlyV4CertWithOnlySEIPD2Feature() throws PGPException, IOException { + testEncryptDecryptAndCheckExpectations( + MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_256.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + new KeySpecification(OpenPGPKeyVersion.v4, AlgorithmSuite.emptyBuilder() + .overrideAeadAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_256)) + .overrideFeatures(Feature.MODIFICATION_DETECTION_2) + .build())); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncryptToOnlyV6CertWithOnlySEIPD2Features() throws IOException, PGPException { + testEncryptDecryptAndCheckExpectations( + MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_256.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + new KeySpecification(OpenPGPKeyVersion.v6, AlgorithmSuite.emptyBuilder() + .overrideAeadAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_256)) + .overrideFeatures(Feature.MODIFICATION_DETECTION_2) + .build())); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncryptToV6SEIPD1CertAndV6SEIPD2Cert() throws IOException, PGPException { + testEncryptDecryptAndCheckExpectations( + MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_192.getAlgorithmId()), + + new KeySpecification(OpenPGPKeyVersion.v6, AlgorithmSuite.emptyBuilder() + .overrideAeadAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_256)) + .overrideFeatures(Feature.MODIFICATION_DETECTION_2) + .build()), + new KeySpecification(OpenPGPKeyVersion.v6, AlgorithmSuite.emptyBuilder() + .overrideSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192) + .overrideFeatures(Feature.MODIFICATION_DETECTION) + .build())); + } + + + private void testEncryptDecryptAndCheckExpectations(MessageEncryptionMechanism expectation, KeySpecification... keys) + throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + List keyList = new ArrayList<>(); + for (KeySpecification spec : keys) { + if (spec.version == OpenPGPKeyVersion.v4) { + keyList.add(api.buildKey(spec.version) + .withPreferences(spec.preferences) + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .build()); + } else { + keyList.add(api.buildKey(spec.version) + .withPreferences(spec.preferences) + .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.X25519(), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) + .build()); + } + } + + EncryptionOptions encOpts = EncryptionOptions.encryptCommunications(); + for (OpenPGPKey k : keyList) { + encOpts.addRecipient(k.toCertificate()); + } + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage().onOutputStream(bOut) + .withOptions(ProducerOptions.encrypt(encOpts)); + eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); + eOut.close(); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + DecryptionStream dIn = PGPainless.decryptAndOrVerify() + .onInputStream(bIn) + .withOptions(ConsumerOptions.get().addDecryptionKey(keyList.get(0))); + + bOut = new ByteArrayOutputStream(); + Streams.pipeAll(dIn, bOut); + dIn.close(); + + assertEquals(testMessage, bOut.toString()); + MessageMetadata metadata = dIn.getMetadata(); + MessageEncryptionMechanism encryptionMechanism = metadata.getEncryptionMechanism(); + assertEquals(expectation, encryptionMechanism); + } + + private static class KeySpecification { + private final OpenPGPKeyVersion version; + private final AlgorithmSuite preferences; + + public KeySpecification(OpenPGPKeyVersion version, + AlgorithmSuite preferences) { + this.version = version; + this.preferences = preferences; + } + } + +} From 42a30825688bf584a3b0f3dba58ee65f30681a41 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 5 May 2025 13:30:52 +0200 Subject: [PATCH 194/265] Fix checkstyle issues --- .../main/kotlin/org/pgpainless/key/info/KeyAccessor.kt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt index 838fd222..3e1bc8c2 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyAccessor.kt @@ -4,7 +4,6 @@ package org.pgpainless.key.info -import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites.Combination import java.util.* import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPCertificateComponent import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey @@ -14,7 +13,6 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SymmetricKeyAlgorithm -import org.pgpainless.bouncycastle.extensions.toAEADCipherModes import org.pgpainless.bouncycastle.extensions.toCompressionAlgorithms import org.pgpainless.bouncycastle.extensions.toHashAlgorithms import org.pgpainless.bouncycastle.extensions.toSymmetricKeyAlgorithms @@ -41,10 +39,12 @@ abstract class KeyAccessor( val preferredAEADCipherSuites: Set get() = - component.getAEADCipherSuitePreferences(referenceTime) + component + .getAEADCipherSuitePreferences(referenceTime) ?.rawAlgorithms ?.map { AEADCipherMode(it) } - ?.toSet() ?: setOf() + ?.toSet() + ?: setOf() val features: Set get() = From bc3cb9594596f819dd8bfe39f5ab9ac2fe695a9b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 5 May 2025 14:19:32 +0200 Subject: [PATCH 195/265] Workaround for OpenPGPInputStream to recognize PKESKv6 packets --- .../OpenPgpInputStream.java | 44 ++++++++++++++----- .../MechanismNegotiationTest.java | 2 +- 2 files changed, 34 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java index 3522f509..4904d808 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java @@ -178,22 +178,44 @@ public class OpenPgpInputStream extends BufferedInputStream { case PUBLIC_KEY_ENC_SESSION: int pkeskVersion = bcpgIn.read(); - if (pkeskVersion <= 0 || pkeskVersion > 5) { + if (pkeskVersion <= 0 || pkeskVersion > 6) { return; } - // Skip Key-ID - for (int i = 0; i < 8; i++) { - bcpgIn.read(); - } + if (pkeskVersion == 3) { + // Skip Key-ID + for (int i = 0; i < 8; i++) { + bcpgIn.read(); + } - int pkeskAlg = bcpgIn.read(); - if (PublicKeyAlgorithm.fromId(pkeskAlg) == null) { - return; - } + int pkeskAlg = bcpgIn.read(); + if (PublicKeyAlgorithm.fromId(pkeskAlg) == null) { + return; + } - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; + containsOpenPgpPackets = true; + isLikelyOpenPgpMessage = true; + } else if (pkeskVersion == 6) { + int len = bcpgIn.read(); + if (len != 0) { + int ver = bcpgIn.read(); + if (ver == 4) { + for (int i = 0; i < 20; i++) { + bcpgIn.read(); + } + } else { + for (int i = 0; i < 32; i++) { + bcpgIn.read(); + } + } + int pkeskAlg = bcpgIn.read(); + if (PublicKeyAlgorithm.fromId(pkeskAlg) == null) { + return; + } + } + containsOpenPgpPackets = true; + isLikelyOpenPgpMessage = true; + } break; case SIGNATURE: diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java index 44a10a65..448a7646 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java @@ -146,7 +146,7 @@ public class MechanismNegotiationTest { private final OpenPGPKeyVersion version; private final AlgorithmSuite preferences; - public KeySpecification(OpenPGPKeyVersion version, + KeySpecification(OpenPGPKeyVersion version, AlgorithmSuite preferences) { this.version = version; this.preferences = preferences; From 5afd22b2193db180a431487eda2171937bdb3a6f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 00:07:27 +0200 Subject: [PATCH 196/265] Rework OpenPGPInputStream to rely on BCPGInputStream for packet parsing --- .../OpenPgpInputStream.java | 326 ++++++------------ .../OpenPgpInputStreamTest.java | 4 +- 2 files changed, 117 insertions(+), 213 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java index 4904d808..e0194902 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java @@ -4,6 +4,7 @@ package org.pgpainless.decryption_verification; +import static org.bouncycastle.bcpg.PacketTags.AEAD_ENC_DATA; import static org.bouncycastle.bcpg.PacketTags.COMPRESSED_DATA; import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_1; import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_2; @@ -13,6 +14,7 @@ import static org.bouncycastle.bcpg.PacketTags.LITERAL_DATA; import static org.bouncycastle.bcpg.PacketTags.MARKER; import static org.bouncycastle.bcpg.PacketTags.MOD_DETECTION_CODE; import static org.bouncycastle.bcpg.PacketTags.ONE_PASS_SIGNATURE; +import static org.bouncycastle.bcpg.PacketTags.PADDING; import static org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY; import static org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY_ENC_SESSION; import static org.bouncycastle.bcpg.PacketTags.PUBLIC_SUBKEY; @@ -32,18 +34,32 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.Charset; -import java.util.NoSuchElementException; +import org.bouncycastle.bcpg.AEADEncDataPacket; import org.bouncycastle.bcpg.BCPGInputStream; +import org.bouncycastle.bcpg.CompressedDataPacket; +import org.bouncycastle.bcpg.LiteralDataPacket; +import org.bouncycastle.bcpg.MarkerPacket; +import org.bouncycastle.bcpg.OnePassSignaturePacket; +import org.bouncycastle.bcpg.Packet; +import org.bouncycastle.bcpg.PacketFormat; +import org.bouncycastle.bcpg.PublicKeyEncSessionPacket; +import org.bouncycastle.bcpg.PublicKeyPacket; +import org.bouncycastle.bcpg.SecretKeyPacket; +import org.bouncycastle.bcpg.SignaturePacket; +import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket; +import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket; +import org.bouncycastle.bcpg.UnsupportedPacketVersionException; import org.bouncycastle.openpgp.PGPCompressedData; import org.bouncycastle.openpgp.PGPEncryptedData; import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPOnePassSignature; +import org.bouncycastle.util.Arrays; +import org.pgpainless.algorithm.AEADAlgorithm; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.algorithm.StreamEncoding; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; /** @@ -101,7 +117,7 @@ public class OpenPgpInputStream extends BufferedInputStream { * This method is still brittle. * Basically we try to parse OpenPGP packets from the buffer. * If we run into exceptions, then we know that the data is non-OpenPGP'ish. - * + *

* This breaks down though if we read plausible garbage where the data accidentally makes sense, * or valid, yet incomplete packets (remember, we are still only working on a portion of the data). */ @@ -112,270 +128,156 @@ public class OpenPgpInputStream extends BufferedInputStream { } ByteArrayInputStream bufferIn = new ByteArrayInputStream(buffer, 0, bufferLen); - nonExhaustiveParseAndCheckPlausibility(bufferIn); + BCPGInputStream pIn = new BCPGInputStream(bufferIn); + try { + nonExhaustiveParseAndCheckPlausibility(pIn); + } catch (IOException | UnsupportedPacketVersionException | NegativeArraySizeException e) { + return; + } } - private void nonExhaustiveParseAndCheckPlausibility(ByteArrayInputStream bufferIn) throws IOException { - // Read the packet header - int hdr = bufferIn.read(); - if (hdr < 0 || (hdr & 0x80) == 0) { - return; - } - - boolean newPacket = (hdr & 0x40) != 0; - int tag = 0; - int bodyLen = 0; - boolean partial = false; - - // Determine the packet length - if (newPacket) { - tag = hdr & 0x3f; - - int l = bufferIn.read(); - if (l < 192) { - bodyLen = l; - } else if (l <= 223) { - int b = bufferIn.read(); - bodyLen = ((l - 192) << 8) + (b) + 192; - } else if (l == 255) { - bodyLen = (bufferIn.read() << 24) | (bufferIn.read() << 16) | (bufferIn.read() << 8) | bufferIn.read(); - } else { - partial = true; - bodyLen = 1 << (l & 0x1f); - } - } else { - int lengthType = hdr & 0x3; - tag = (hdr & 0x3f) >> 2; - switch (lengthType) { - case 0: - bodyLen = bufferIn.read(); - break; - case 1: - bodyLen = (bufferIn.read() << 8) | bufferIn.read(); - break; - case 2: - bodyLen = (bufferIn.read() << 24) | (bufferIn.read() << 16) | (bufferIn.read() << 8) | bufferIn.read(); - break; - case 3: - partial = true; - break; - default: - return; - } - } - - // Negative body length -> garbage - if (bodyLen < 0) { - return; - } - - // Try to unexhaustively parse the first packet bit by bit and check for plausibility - BCPGInputStream bcpgIn = new BCPGInputStream(bufferIn); - switch (tag) { - case RESERVED: - // How to handle this? Probably discard as garbage... - return; - + private void nonExhaustiveParseAndCheckPlausibility(BCPGInputStream packetIn) + throws IOException { + Packet packet = packetIn.readPacket(); + System.out.println(packet.getPacketTag()); + switch (packet.getPacketTag()) { case PUBLIC_KEY_ENC_SESSION: - int pkeskVersion = bcpgIn.read(); - if (pkeskVersion <= 0 || pkeskVersion > 6) { + PublicKeyEncSessionPacket pkesk = (PublicKeyEncSessionPacket) packet; + if (PublicKeyAlgorithm.fromId(pkesk.getAlgorithm()) == null) { return; } - - if (pkeskVersion == 3) { - // Skip Key-ID - for (int i = 0; i < 8; i++) { - bcpgIn.read(); - } - - int pkeskAlg = bcpgIn.read(); - if (PublicKeyAlgorithm.fromId(pkeskAlg) == null) { - return; - } - - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; - } else if (pkeskVersion == 6) { - int len = bcpgIn.read(); - if (len != 0) { - int ver = bcpgIn.read(); - if (ver == 4) { - for (int i = 0; i < 20; i++) { - bcpgIn.read(); - } - } else { - for (int i = 0; i < 32; i++) { - bcpgIn.read(); - } - } - int pkeskAlg = bcpgIn.read(); - if (PublicKeyAlgorithm.fromId(pkeskAlg) == null) { - return; - } - } - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; - } break; case SIGNATURE: - int sigVersion = bcpgIn.read(); - int sigType; - if (sigVersion == 2 || sigVersion == 3) { - int l = bcpgIn.read(); - sigType = bcpgIn.read(); - } else if (sigVersion == 4 || sigVersion == 5) { - sigType = bcpgIn.read(); - } else { + SignaturePacket sig = (SignaturePacket) packet; + if (SignatureType.fromCode(sig.getSignatureType()) == null) { return; } - - try { - SignatureType.requireFromCode(sigType); - } catch (NoSuchElementException e) { + if (PublicKeyAlgorithm.fromId(sig.getKeyAlgorithm()) == null) { return; } - - containsOpenPgpPackets = true; - break; - - case SYMMETRIC_KEY_ENC_SESSION: - int skeskVersion = bcpgIn.read(); - if (skeskVersion == 4) { - int skeskAlg = bcpgIn.read(); - if (SymmetricKeyAlgorithm.fromId(skeskAlg) == null) { - return; - } - // TODO: Parse S2K? - } else { + if (HashAlgorithm.fromId(sig.getHashAlgorithm()) == null) { return; } - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; break; case ONE_PASS_SIGNATURE: - int opsVersion = bcpgIn.read(); - if (opsVersion == 3) { - int opsSigType = bcpgIn.read(); - try { - SignatureType.requireFromCode(opsSigType); - } catch (NoSuchElementException e) { - return; - } - int opsHashAlg = bcpgIn.read(); - if (HashAlgorithm.fromId(opsHashAlg) == null) { - return; - } - int opsKeyAlg = bcpgIn.read(); - if (PublicKeyAlgorithm.fromId(opsKeyAlg) == null) { - return; - } - } else { + OnePassSignaturePacket ops = (OnePassSignaturePacket) packet; + if (SignatureType.fromCode(ops.getSignatureType()) == null) { return; } + if (PublicKeyAlgorithm.fromId(ops.getKeyAlgorithm()) == null) { + return; + } + if (HashAlgorithm.fromId(ops.getHashAlgorithm()) == null) { + return; + } + break; - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; + case SYMMETRIC_KEY_ENC_SESSION: + SymmetricKeyEncSessionPacket skesk = (SymmetricKeyEncSessionPacket) packet; + if (SymmetricKeyAlgorithm.fromId(skesk.getEncAlgorithm()) == null) { + return; + } break; case SECRET_KEY: + SecretKeyPacket secKey = (SecretKeyPacket) packet; + PublicKeyPacket sPubKey = secKey.getPublicKeyPacket(); + if (PublicKeyAlgorithm.fromId(sPubKey.getAlgorithm()) == null) { + return; + } + if (sPubKey.getVersion() < 3 && sPubKey.getVersion() > 6) { + return; + } + break; + case PUBLIC_KEY: - case SECRET_SUBKEY: - case PUBLIC_SUBKEY: - int keyVersion = bcpgIn.read(); - for (int i = 0; i < 4; i++) { - // Creation time - bcpgIn.read(); - } - if (keyVersion == 3) { - long validDays = (in.read() << 8) | in.read(); - if (validDays < 0) { - return; - } - } else if (keyVersion == 4) { - - } else if (keyVersion == 5) { - - } else { + PublicKeyPacket pubKey = (PublicKeyPacket) packet; + if (PublicKeyAlgorithm.fromId(pubKey.getAlgorithm()) == null) { return; } - int keyAlg = bcpgIn.read(); - if (PublicKeyAlgorithm.fromId(keyAlg) == null) { + if (pubKey.getVersion() < 3 && pubKey.getVersion() > 6) { return; } - - containsOpenPgpPackets = true; break; case COMPRESSED_DATA: - int compAlg = bcpgIn.read(); - if (CompressionAlgorithm.fromId(compAlg) == null) { + CompressedDataPacket comp = (CompressedDataPacket) packet; + if (CompressionAlgorithm.fromId(comp.getAlgorithm()) == null) { return; } - - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; break; case SYMMETRIC_KEY_ENC: - // No data to compare :( - containsOpenPgpPackets = true; - // While this is a valid OpenPGP message, enabling the line below would lead to too many false positives - // isLikelyOpenPgpMessage = true; + // Not much we can check here break; case MARKER: - byte[] marker = new byte[3]; - bcpgIn.readFully(marker); - if (marker[0] != 0x50 || marker[1] != 0x47 || marker[2] != 0x50) { + MarkerPacket m = (MarkerPacket) packet; + if (!Arrays.areEqual( + m.getEncoded(PacketFormat.CURRENT), + new byte[] {(byte) 0xca, 0x03, 0x50, 0x47, 0x50})) { return; } - - containsOpenPgpPackets = true; break; case LITERAL_DATA: - int format = bcpgIn.read(); - if (StreamEncoding.fromCode(format) == null) { + LiteralDataPacket lit = (LiteralDataPacket) packet; + if (lit.getFormat() != 'b' && + lit.getFormat() != 'u' && + lit.getFormat() != 't' && + lit.getFormat() != 'l' && + lit.getFormat() != '1' && + lit.getFormat() != 'm') { return; } - - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = true; - break; - - case TRUST: - case USER_ID: - case USER_ATTRIBUTE: - // Not much to compare - containsOpenPgpPackets = true; break; case SYM_ENC_INTEGRITY_PRO: - int seipVersion = bcpgIn.read(); - if (seipVersion != 1) { + SymmetricEncIntegrityPacket seipd = (SymmetricEncIntegrityPacket) packet; + if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_1) { + break; // not much to check here + } + if (seipd.getVersion() != SymmetricEncIntegrityPacket.VERSION_2) { + if (SymmetricKeyAlgorithm.fromId(seipd.getCipherAlgorithm()) == null) { + return; + } + if (AEADAlgorithm.fromId(seipd.getAeadAlgorithm()) == null) { + return; + } + } + break; + + case AEAD_ENC_DATA: + AEADEncDataPacket oed = (AEADEncDataPacket) packet; + if (SymmetricKeyAlgorithm.fromId(oed.getAlgorithm()) == null) { return; } - isLikelyOpenPgpMessage = true; - containsOpenPgpPackets = true; break; - case MOD_DETECTION_CODE: - byte[] digest = new byte[20]; - bcpgIn.readFully(digest); - + case RESERVED: // this Packet Type ID MUST NOT be used + case PUBLIC_SUBKEY: // Never found at the start of a stream + case SECRET_SUBKEY: // Never found at the start of a stream + case TRUST: // Never found at the start of a stream + case MOD_DETECTION_CODE: // At the end of SED data - Never found at the start of a stream + case USER_ID: // Never found at the start of a stream + case USER_ATTRIBUTE: // Never found at the start of a stream + case PADDING: // At the end of messages (optionally padded message) or certificates + case EXPERIMENTAL_1: // experimental + case EXPERIMENTAL_2: // experimental + case EXPERIMENTAL_3: // experimental + case EXPERIMENTAL_4: // experimental containsOpenPgpPackets = true; - break; - - case EXPERIMENTAL_1: - case EXPERIMENTAL_2: - case EXPERIMENTAL_3: - case EXPERIMENTAL_4: + isLikelyOpenPgpMessage = false; return; default: - containsOpenPgpPackets = false; - break; + return; + } + + containsOpenPgpPackets = true; + if (packet.getPacketTag() != SYMMETRIC_KEY_ENC) { + isLikelyOpenPgpMessage = true; } } @@ -412,7 +314,7 @@ public class OpenPgpInputStream extends BufferedInputStream { * Return true, if the data is possibly binary OpenPGP. * The criterion for this are less strict than for {@link #isLikelyOpenPgpMessage()}, * as it also accepts other OpenPGP packets at the beginning of the data stream. - * + *

* Use with caution. * * @return true if data appears to be binary OpenPGP data diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java index 8d2e2307..8534cb60 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java @@ -20,6 +20,7 @@ import org.bouncycastle.bcpg.CompressionAlgorithmTags; import org.bouncycastle.openpgp.PGPCompressedDataGenerator; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.util.encoders.Hex; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; @@ -41,7 +42,8 @@ public class OpenPgpInputStreamTest { OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(randomIn); assertFalse(openPgpInputStream.isAsciiArmored()); - assertFalse(openPgpInputStream.isLikelyOpenPgpMessage()); + assertFalse(openPgpInputStream.isLikelyOpenPgpMessage(), + Hex.toHexString(randomBytes, 0, 150)); ByteArrayOutputStream out = new ByteArrayOutputStream(); Streams.pipeAll(openPgpInputStream, out); From 3729e0fa6d12f803b8740c096af60c3c67db3133 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 12:04:08 +0200 Subject: [PATCH 197/265] Add documentation --- .../extensions/PGPKeyRingExtensions.kt | 4 ++++ .../MessageMetadata.kt | 19 +++++++++++++++++ .../SignatureVerification.kt | 21 ++++++++++++------- 3 files changed, 37 insertions(+), 7 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt index f7222c67..50633fcf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt @@ -10,6 +10,7 @@ import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.pgpainless.PGPainless import org.pgpainless.key.OpenPgpFingerprint @@ -20,6 +21,9 @@ fun PGPKeyRing.matches(subkeyIdentifier: SubkeyIdentifier): Boolean = this.publicKey.keyIdentifier.matches(subkeyIdentifier.certificateIdentifier) && this.getPublicKey(subkeyIdentifier.componentKeyIdentifier) != null +fun PGPKeyRing.matches(componentKey: OpenPGPComponentKey): Boolean = + this.matches(SubkeyIdentifier(componentKey)) + /** * Return true, if the [PGPKeyRing] contains a public key with the given [keyIdentifier]. * diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index bb96e117..33e4c862 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -39,6 +39,10 @@ class MessageMetadata(val message: Message) { val encryptionAlgorithm: SymmetricKeyAlgorithm? get() = encryptionAlgorithms.let { if (it.hasNext()) it.next() else null } + /** + * The [MessageEncryptionMechanism] of the outermost encrypted data packet, or null if the + * message is unencrypted. + */ val encryptionMechanism: MessageEncryptionMechanism? get() = encryptionMechanisms.let { if (it.hasNext()) it.next() else null } @@ -54,9 +58,16 @@ class MessageMetadata(val message: Message) { val encryptionAlgorithms: Iterator get() = encryptionLayers.asSequence().map { it.algorithm }.iterator() + /** + * [Iterator] of each [MessageEncryptionMechanism] encountered in the message. The first item + * returned by the iterator is the encryption mechanism of the outermost encrypted data packet, + * the next item that of the next nested encrypted data packet and so on. The iterator might + * also be empty in case of an unencrypted message. + */ val encryptionMechanisms: Iterator get() = encryptionLayers.asSequence().map { it.mechanism }.iterator() + /** Return true, if the message is encrypted, false otherwise. */ val isEncrypted: Boolean get() = if (encryptionMechanism == null) false @@ -64,12 +75,14 @@ class MessageMetadata(val message: Message) { encryptionMechanism!!.symmetricKeyAlgorithm != SymmetricKeyAlgorithm.NULL.algorithmId + /** Return true, if the message was encrypted for the given [OpenPGPCertificate]. */ fun isEncryptedFor(cert: OpenPGPCertificate): Boolean { return encryptionLayers.asSequence().any { it.recipients.any { identifier -> cert.getKey(identifier) != null } } } + /** Return true, if the message was encrypted for the given [PGPKeyRing]. */ fun isEncryptedFor(cert: PGPKeyRing): Boolean { return encryptionLayers.asSequence().any { it.recipients.any { keyId -> cert.getPublicKey(keyId) != null } @@ -101,9 +114,13 @@ class MessageMetadata(val message: Message) { get() = encryptionLayers.asSequence().mapNotNull { it.decryptionKey }.firstOrNull() /** List containing all recipient keyIDs. */ + @Deprecated( + "Use of key-ids is discouraged in favor of KeyIdentifiers", + replaceWith = ReplaceWith("recipientKeyIdentifiers")) val recipientKeyIds: List get() = recipientKeyIdentifiers.map { it.keyId }.toList() + /** List containing all recipient [KeyIdentifiers][KeyIdentifier]. */ val recipientKeyIdentifiers: List get() = encryptionLayers @@ -115,6 +132,7 @@ class MessageMetadata(val message: Message) { } .toList() + /** [Iterator] of all [EncryptedData] layers of the message. */ val encryptionLayers: Iterator get() = object : LayerIterator(message) { @@ -144,6 +162,7 @@ class MessageMetadata(val message: Message) { val compressionAlgorithms: Iterator get() = compressionLayers.asSequence().map { it.algorithm }.iterator() + /** [Iterator] of all [CompressedData] layers of the message. */ val compressionLayers: Iterator get() = object : LayerIterator(message) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt index c32cdc71..b5a5bc0d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt @@ -14,16 +14,17 @@ import org.pgpainless.signature.SignatureUtils /** * Tuple of a signature and an identifier of its corresponding verification key. Semantic meaning of * the signature verification (success, failure) is merely given by context. E.g. - * [MessageMetadata.getVerifiedInlineSignatures] contains verified verifications, while the class - * [Failure] contains failed verifications. + * [MessageMetadata.verifiedSignatures] contains verified verifications, while the class [Failure] + * contains failed verifications. * - * @param signature PGPSignature object - * @param signingKey [SubkeyIdentifier] of the (sub-) key that is used for signature verification. - * Note, that this might be null, e.g. in case of a [Failure] due to missing verification key. + * @param documentSignature OpenPGPDocumentSignature object */ data class SignatureVerification(val documentSignature: OpenPGPDocumentSignature) { + /** Underlying [PGPSignature]. */ val signature: PGPSignature = documentSignature.signature + + /** [SubkeyIdentifier] of the component key that created the signature. */ val signingKey: SubkeyIdentifier = SubkeyIdentifier(documentSignature.issuer) override fun toString(): String { @@ -35,15 +36,21 @@ data class SignatureVerification(val documentSignature: OpenPGPDocumentSignature * Tuple object of a [SignatureVerification] and the corresponding * [SignatureValidationException] that caused the verification to fail. * - * @param signatureVerification verification (tuple of [PGPSignature] and corresponding - * [SubkeyIdentifier]) + * @param documentSignature signature that could not be verified * @param validationException exception that caused the verification to fail */ data class Failure( val documentSignature: OpenPGPDocumentSignature, val validationException: SignatureValidationException ) { + + /** Underlying [PGPSignature]. */ val signature: PGPSignature = documentSignature.signature + + /** + * [SubkeyIdentifier] of the component key that created the signature. Note: In case of a + * missing verification key, this might be null. + */ val signingKey: SubkeyIdentifier? = documentSignature.issuer?.let { SubkeyIdentifier(it) } constructor( From 6fec51c91c5ea8602f949d6b96a60d99caed222f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 16:53:05 +0200 Subject: [PATCH 198/265] Remove debugging prints --- .../pgpainless/decryption_verification/OpenPgpInputStream.java | 1 - 1 file changed, 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java index e0194902..c4e15314 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java @@ -139,7 +139,6 @@ public class OpenPgpInputStream extends BufferedInputStream { private void nonExhaustiveParseAndCheckPlausibility(BCPGInputStream packetIn) throws IOException { Packet packet = packetIn.readPacket(); - System.out.println(packet.getPacketTag()); switch (packet.getPacketTag()) { case PUBLIC_KEY_ENC_SESSION: PublicKeyEncSessionPacket pkesk = (PublicKeyEncSessionPacket) packet; From af7b0a8a5f6adc90ea794b04bf2a87ea4b0b6a44 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 16:53:24 +0200 Subject: [PATCH 199/265] Respect encryptionMechanismOverride --- .../org/pgpainless/encryption_signing/EncryptionOptions.kt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index fb7881b4..a52c4722 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -435,6 +435,10 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: } internal fun negotiateEncryptionMechanism(): MessageEncryptionMechanism { + if (encryptionMechanismOverride != null) { + return encryptionMechanismOverride!! + } + val features = keysAndAccessors.values.map { it.features }.toList() if (features.all { it.contains(Feature.MODIFICATION_DETECTION_2) }) { From 620f35cdd1ad780df102712b33b90b315c15e455 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 16:53:44 +0200 Subject: [PATCH 200/265] Test encryptionMechanismOverride for symmetric and asymmetric encryption --- .../EncryptDecryptTest.java | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 81213085..7e7b8cb4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -15,18 +15,25 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.util.Set; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.AEADAlgorithm; +import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.OpenPGPKeyVersion; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -34,10 +41,15 @@ import org.pgpainless.decryption_verification.MessageMetadata; import org.pgpainless.exception.KeyException; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; +import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.ArmoredOutputStreamFactory; +import org.pgpainless.util.Passphrase; import org.pgpainless.util.TestAllImplementations; public class EncryptDecryptTest { @@ -307,4 +319,83 @@ public class EncryptDecryptTest { .addRecipient(publicKeys)); } + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testAsymmetricEncryptionWithMechanismOverride() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey keyWithoutSEIPD2Feature = api.buildKey(OpenPGPKeyVersion.v4) + .withPreferences(AlgorithmSuite.emptyBuilder() + .overrideFeatures(Feature.MODIFICATION_DETECTION) + .overrideSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_128) + .build()) + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH_LEGACY(XDHLegacySpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .build(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage() + .onOutputStream(bOut) + .withOptions(ProducerOptions.encrypt( + EncryptionOptions.encryptCommunications() + .overrideEncryptionMechanism(MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId())) + .addRecipient(keyWithoutSEIPD2Feature.toCertificate()))); + + eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); + eOut.close(); + EncryptionResult result = eOut.getResult(); + assertEquals(MessageEncryptionMechanism.aead( + SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + result.getEncryptionMechanism()); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + DecryptionStream decIn = PGPainless.decryptAndOrVerify() + .onInputStream(bIn) + .withOptions(ConsumerOptions.get() + .addDecryptionKey(keyWithoutSEIPD2Feature)); + Streams.drain(decIn); + decIn.close(); + + MessageMetadata metadata = decIn.getMetadata(); + assertEquals(MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + metadata.getEncryptionMechanism()); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testSymmetricEncryptionWithMechanismOverride() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage().onOutputStream(bOut) + .withOptions( + ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() + .overrideEncryptionMechanism( + MessageEncryptionMechanism.aead( + SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), + AEADAlgorithm.OCB.getAlgorithmId() + )) + .addMessagePassphrase(Passphrase.fromPassword("sw0rdf1sh")) + )); + + eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); + eOut.close(); + EncryptionResult result = eOut.getResult(); + + assertEquals(MessageEncryptionMechanism.aead( + SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + result.getEncryptionMechanism()); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + DecryptionStream decIn = PGPainless.decryptAndOrVerify() + .onInputStream(bIn) + .withOptions(ConsumerOptions.get() + .addMessagePassphrase(Passphrase.fromPassword("sw0rdf1sh"))); + Streams.drain(decIn); + decIn.close(); + MessageMetadata metadata = decIn.getMetadata(); + assertEquals(MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + metadata.getEncryptionMechanism()); + } + } From 7062681d0384de568a72e9784c6f87c9dfa6862c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 17:05:47 +0200 Subject: [PATCH 201/265] Prevent NULL encryption algorithm --- .../negotiation/SymmetricKeyAlgorithmNegotiator.kt | 6 ++---- .../org/pgpainless/encryption_signing/EncryptionOptions.kt | 4 ++++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt index d11f2c03..63cc6a59 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt @@ -4,7 +4,6 @@ package org.pgpainless.algorithm.negotiation -import java.lang.IllegalArgumentException import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.policy.Policy @@ -36,9 +35,8 @@ interface SymmetricKeyAlgorithmNegotiator { override: SymmetricKeyAlgorithm?, keyPreferences: List> ): SymmetricKeyAlgorithm { - if (override == SymmetricKeyAlgorithm.NULL) { - throw IllegalArgumentException( - "Algorithm override cannot be NULL (plaintext).") + require (override != SymmetricKeyAlgorithm.NULL) { + "Algorithm override cannot be NULL (plaintext)." } if (override != null) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index a52c4722..96258b9b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -405,6 +405,10 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: } fun overrideEncryptionMechanism(encryptionMechanism: MessageEncryptionMechanism) = apply { + require(api.algorithmPolicy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable( + encryptionMechanism.symmetricKeyAlgorithm)) { + "Provided symmetric encryption algorithm is not acceptable." + } _encryptionMechanismOverride = encryptionMechanism } From 9ed53308c61dc24430a445d31b6c9620fbd69552 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 May 2025 22:21:02 +0200 Subject: [PATCH 202/265] Replace static decryptAndOrVerify() method with non-static processMessage() function --- .../main/kotlin/org/pgpainless/PGPainless.kt | 12 +++++++++- .../SymmetricKeyAlgorithmNegotiator.kt | 2 +- .../encryption_signing/EncryptionOptions.kt | 9 +++---- ...vestigateMultiSEIPMessageHandlingTest.java | 2 +- ...artialLengthLiteralDataRegressionTest.java | 2 +- .../org/bouncycastle/AsciiArmorCRCTests.java | 2 +- ...ngBcPublicKeyDataDecryptorFactoryTest.java | 4 ++-- .../CanonicalizedDataEncryptionTest.java | 10 ++++---- .../CertificateWithMissingSecretKeyTest.java | 2 +- .../CleartextSignatureVerificationTest.java | 10 ++++---- ...stomPublicKeyDataDecryptorFactoryTest.java | 2 +- .../DecryptAndVerifyMessageTest.java | 8 +++---- .../DecryptHiddenRecipientMessageTest.java | 2 +- .../IgnoreUnknownSignatureVersionsTest.java | 2 +- .../MissingPassphraseForDecryptionTest.java | 4 ++-- .../ModificationDetectionTests.java | 24 +++++++++---------- ...tionUsingKeyWithMissingPassphraseTest.java | 6 ++--- ...ntDecryptionUsingNonEncryptionKeyTest.java | 8 +++---- .../RecursionDepthTest.java | 2 +- ...ymmetricAlgorithmDuringDecryptionTest.java | 8 +++---- ...ificationWithoutCertIsStillSignedTest.java | 2 +- ...ionOfMessageWithoutESKUsingSessionKey.java | 4 ++-- ...DecryptWithUnavailableGnuDummyKeyTest.java | 2 +- .../UnsupportedPacketVersionsTest.java | 2 +- .../VerifyDetachedSignatureTest.java | 4 ++-- .../VerifyNotBeforeNotAfterTest.java | 20 ++++++++-------- ...ySignatureByCertificationKeyFailsTest.java | 2 +- .../VerifyVersion3SignaturePacketTest.java | 2 +- ...erifyWithMissingPublicKeyCallbackTest.java | 4 ++-- .../BcHashContextSignerTest.java | 2 +- .../EncryptDecryptTest.java | 10 ++++---- .../EncryptionWithMissingKeyFlagsTest.java | 4 ++-- .../FileInformationTest.java | 6 ++--- .../HiddenRecipientEncryptionTest.java | 2 +- .../MechanismNegotiationTest.java | 2 +- .../MultiSigningSubkeyTest.java | 17 +++++++------ .../encryption_signing/SigningTest.java | 2 +- .../pgpainless/example/DecryptOrVerify.java | 8 +++---- .../java/org/pgpainless/example/Encrypt.java | 6 ++--- ...GenerateKeyWithoutPrimaryKeyFlagsTest.java | 2 +- .../GenerateKeyWithoutUserIdTest.java | 2 +- ...dDoesNotBreakEncryptionCapabilityTest.java | 2 +- .../key/protection/fixes/S2KUsageFixTest.java | 2 +- .../org/pgpainless/policy/WeakRSAKeyTest.java | 2 +- .../BindingSignatureSubpacketsTest.java | 4 ++-- .../signature/CertificateValidatorTest.java | 7 +++--- .../signature/IgnoreMarkerPacketsTest.java | 4 ++-- .../signature/KeyRevocationTest.java | 2 +- ...ultiPassphraseSymmetricEncryptionTest.java | 4 ++-- .../SymmetricEncryptionTest.java | 8 +++---- .../kotlin/org/pgpainless/sop/DecryptImpl.kt | 4 +--- .../org/pgpainless/sop/DetachedVerifyImpl.kt | 3 +-- .../org/pgpainless/sop/InlineVerifyImpl.kt | 2 +- 53 files changed, 141 insertions(+), 129 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index d8bd8022..5cc88804 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -112,6 +112,12 @@ class PGPainless( /** Generate an encrypted and/or signed OpenPGP message. */ fun generateMessage(): EncryptionBuilder = EncryptionBuilder(this) + /** + * Process an OpenPGP message. This method attempts decryption of encrypted messages and + * performs signature verification. + */ + fun processMessage(): DecryptionBuilder = DecryptionBuilder(this) + /** * Create certification signatures on third-party [OpenPGPCertificates][OpenPGPCertificate]. * @@ -253,7 +259,11 @@ class PGPainless( * * @return builder */ - @JvmStatic fun decryptAndOrVerify(): DecryptionBuilder = DecryptionBuilder(getInstance()) + @Deprecated( + "Call processMessage() on an instance of PGPainless instead.", + replaceWith = ReplaceWith("processMessage()")) + @JvmStatic + fun decryptAndOrVerify(): DecryptionBuilder = getInstance().processMessage() /** * Make changes to a secret key at the given reference time. This method can be used to diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt index 63cc6a59..909b8c1c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.kt @@ -35,7 +35,7 @@ interface SymmetricKeyAlgorithmNegotiator { override: SymmetricKeyAlgorithm?, keyPreferences: List> ): SymmetricKeyAlgorithm { - require (override != SymmetricKeyAlgorithm.NULL) { + require(override != SymmetricKeyAlgorithm.NULL) { "Algorithm override cannot be NULL (plaintext)." } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 96258b9b..1f3852f3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -405,10 +405,11 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: } fun overrideEncryptionMechanism(encryptionMechanism: MessageEncryptionMechanism) = apply { - require(api.algorithmPolicy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable( - encryptionMechanism.symmetricKeyAlgorithm)) { - "Provided symmetric encryption algorithm is not acceptable." - } + require( + api.algorithmPolicy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable( + encryptionMechanism.symmetricKeyAlgorithm)) { + "Provided symmetric encryption algorithm is not acceptable." + } _encryptionMechanismOverride = encryptionMechanism } diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java index 7ce8f393..fd623ed9 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java @@ -187,7 +187,7 @@ public class InvestigateMultiSEIPMessageHandlingTest { .addVerificationCert(ring2) .addDecryptionKey(ring1); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(MESSAGE.getBytes(StandardCharsets.UTF_8))) .withOptions(options); diff --git a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java index 3afcce54..35fb8043 100644 --- a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java +++ b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java @@ -122,7 +122,7 @@ public class OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionT ByteArrayInputStream in = new ByteArrayInputStream(dearmored.toByteArray()); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addVerificationCert(cert) diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java index 495bea5b..3fff4f00 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java @@ -542,7 +542,7 @@ public class AsciiArmorCRCTests { OpenPGPKey key = PGPainless.getInstance().readKey().parseKey(ASCII_KEY); assertThrows(IOException.class, () -> { - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get().addDecryptionKey( key, SecretKeyRingProtector.unlockAnyKeyWith(passphrase) diff --git a/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java index bb5f260c..2d857254 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java @@ -76,7 +76,7 @@ public class CachingBcPublicKeyDataDecryptorFactoryTest { privateKey, decryptionKey); ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(MSG.getBytes()); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get() .addCustomDecryptorFactory(cachingFactory)); @@ -87,7 +87,7 @@ public class CachingBcPublicKeyDataDecryptorFactoryTest { assertEquals("Hello, World!\n", out.toString()); ciphertextIn = new ByteArrayInputStream(MSG.getBytes()); - decryptionStream = PGPainless.decryptAndOrVerify() + decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get() .addCustomDecryptorFactory(cachingFactory)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java index 9ce0b106..e9f2332d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java @@ -297,7 +297,7 @@ public class CanonicalizedDataEncryptionTest { String encrypted = encryptAndSign(before, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT, true); ByteArrayInputStream in = new ByteArrayInputStream(encrypted.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()) @@ -327,7 +327,7 @@ public class CanonicalizedDataEncryptionTest { String encrypted = encryptAndSign(beforeAndAfter, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT, false); ByteArrayInputStream in = new ByteArrayInputStream(encrypted.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()) @@ -359,7 +359,7 @@ public class CanonicalizedDataEncryptionTest { options.applyCRLFEncoding(); } - EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + EncryptionStream encryptionStream = PGPainless.getInstance().generateMessage() .onOutputStream(out) .withOptions(options); @@ -373,7 +373,7 @@ public class CanonicalizedDataEncryptionTest { private MessageMetadata decryptAndVerify(String msg) throws PGPException, IOException { ByteArrayInputStream in = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()) @@ -444,7 +444,7 @@ public class CanonicalizedDataEncryptionTest { ByteArrayInputStream cipherIn = new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream decrypted = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(cipherIn) .withOptions(ConsumerOptions.get() .addVerificationCert(publicKeys)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java index 0536a03f..4483c2d5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java @@ -144,7 +144,7 @@ public class CertificateWithMissingSecretKeyTest { .addDecryptionKey(missingDecryptionSecKey); assertThrows(MissingDecryptionMethodException.class, () -> - PGPainless.decryptAndOrVerify() + api.processMessage() .onInputStream(cipherIn) .withOptions(consumerOptions)); // <- cannot find decryption key } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 457c7fa7..6b393e90 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -83,7 +83,7 @@ public class CleartextSignatureVerificationTest { InMemoryMultiPassStrategy multiPassStrategy = MultiPassStrategy.keepMessageInMemory(); options.setMultiPassStrategy(multiPassStrategy); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(MESSAGE_SIGNED)) .withOptions(options); @@ -112,7 +112,7 @@ public class CleartextSignatureVerificationTest { File file = new File(tempDir, "file"); MultiPassStrategy multiPassStrategy = MultiPassStrategy.writeMessageToFile(file); options.setMultiPassStrategy(multiPassStrategy); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(MESSAGE_SIGNED)) .withOptions(options); @@ -152,7 +152,7 @@ public class CleartextSignatureVerificationTest { .addVerificationCert(TestKeys.getEmilCertificate()) .addVerificationOfDetachedSignature(signature); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(MESSAGE_BODY)) .withOptions(options); @@ -183,7 +183,7 @@ public class CleartextSignatureVerificationTest { String signed = signedOut.toString(); ByteArrayInputStream signedIn = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() + DecryptionStream verificationStream = api.processMessage() .onInputStream(signedIn) .withOptions(ConsumerOptions.get(api) .addVerificationCert(TestKeys.getEmilCertificate())); @@ -217,7 +217,7 @@ public class CleartextSignatureVerificationTest { String cleartextSigned = out.toString(); ByteArrayInputStream in = new ByteArrayInputStream(cleartextSigned.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addVerificationCert(secretKeys.toCertificate())); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java index 9ce1f5d6..b428ae5c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java @@ -68,7 +68,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest { }; // Decrypt - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray())) .withOptions(ConsumerOptions.get() .addCustomDecryptorFactory( diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index 22372f2e..895cc6f2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -56,7 +56,7 @@ public class DecryptAndVerifyMessageTest { .addDecryptionKey(juliet) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet)); - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes())) .withOptions(options); @@ -91,7 +91,7 @@ public class DecryptAndVerifyMessageTest { .addDecryptionKey(juliet) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet)); - try (DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + try (DecryptionStream decryptor = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes())) .withOptions(options); ByteArrayOutputStream toPlain = new ByteArrayOutputStream()) { @@ -109,7 +109,7 @@ public class DecryptAndVerifyMessageTest { .addDecryptionKey(juliet) .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet)); - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes())) .withOptions(options); @@ -150,7 +150,7 @@ public class DecryptAndVerifyMessageTest { "-----END PGP MESSAGE-----"; ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertext.getBytes()); assertThrows(MissingDecryptionMethodException.class, - () -> PGPainless.decryptAndOrVerify() + () -> PGPainless.getInstance().processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get() .addMessagePassphrase(Passphrase.fromPassword("sw0rdf1sh")))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java index a5f39d0f..341c4b91 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java @@ -131,7 +131,7 @@ public class DecryptHiddenRecipientMessageTest { ConsumerOptions options = ConsumerOptions.get() .addDecryptionKey(secretKeys); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(messageIn) .withOptions(options); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java index b5c1bed0..155030da 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java @@ -176,7 +176,7 @@ public class IgnoreUnknownSignatureVersionsTest { } private MessageMetadata verifySignature(PGPPublicKeyRing cert, String BASE_CASE) throws PGPException, IOException { - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage().onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get() .addVerificationCert(cert) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(BASE_CASE.getBytes(StandardCharsets.UTF_8)))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index 338d1fbb..cde31de5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -77,7 +77,7 @@ public class MissingPassphraseForDecryptionTest { .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.INTERACTIVE) .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(message)) .withOptions(options); @@ -112,7 +112,7 @@ public class MissingPassphraseForDecryptionTest { .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); try { - PGPainless.decryptAndOrVerify() + api.processMessage() .onInputStream(new ByteArrayInputStream(message)) .withOptions(options); fail("Expected exception!"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index 84953983..07a06ba9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -215,7 +215,7 @@ public class ModificationDetectionTests { PGPSecretKeyRingCollection secretKeyRings = getDecryptionKey(); InputStream in = new ByteArrayInputStream(MESSAGE_MISSING_MDC.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(secretKeyRings, SecretKeyRingProtector.unprotectedKeys()) @@ -232,7 +232,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testTamperedCiphertextThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -249,7 +249,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testIgnoreTamperedCiphertext() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -265,7 +265,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testTamperedMDCThrowsByDefault() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -282,7 +282,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testIgnoreTamperedMDC() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -297,7 +297,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testTruncatedMDCThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TRUNCATED_MDC.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -311,7 +311,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testMDCWithBadCTBThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -328,7 +328,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testIgnoreMDCWithBadCTB() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -344,7 +344,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testMDCWithBadLengthThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -361,7 +361,7 @@ public class ModificationDetectionTests { @ExtendWith(TestAllImplementations.class) public void testIgnoreMDCWithBadLength() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) @@ -532,13 +532,13 @@ public class ModificationDetectionTests { "-----END PGP MESSAGE-----\n" + "\n"; - assertThrows(MessageNotIntegrityProtectedException.class, () -> PGPainless.decryptAndOrVerify() + assertThrows(MessageNotIntegrityProtectedException.class, () -> PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeyRing, SecretKeyRingProtector.unlockAnyKeyWith(passphrase))) ); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeyRing, SecretKeyRingProtector.unlockAnyKeyWith(passphrase)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java index 1a4137f7..63f2ae76 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java @@ -135,7 +135,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { }); SecretKeyRingProtector protector2 = SecretKeyRingProtector.unlockEachKeyWith(p2, k2); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get() .addDecryptionKey(k1, protector1) @@ -164,7 +164,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { } }); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get() .addDecryptionKey(k1, protector1) @@ -193,7 +193,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { }; SecretKeyRingProtector protector = new CachingSecretKeyRingProtector(provider); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K2_PASS_K1.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get() .addMessagePassphrase(PASSPHRASE) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java index be30f40d..7889cb2d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java @@ -177,7 +177,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_CAPABLE_KEY); ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(msgIn) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); @@ -193,7 +193,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_INCAPABLE_KEY); ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(msgIn) .withOptions(ConsumerOptions.get() .setAllowDecryptionWithMissingKeyFlags() @@ -213,7 +213,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); assertThrows(MissingDecryptionMethodException.class, () -> - PGPainless.decryptAndOrVerify() + PGPainless.getInstance().processMessage() .onInputStream(msgIn) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys))); } @@ -224,7 +224,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest { ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(msgIn) .withOptions(ConsumerOptions.get() .setAllowDecryptionWithMissingKeyFlags() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java index e79b5213..d34258bf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java @@ -144,7 +144,7 @@ public class RecursionDepthTest { assertThrows(MalformedOpenPgpMessageException.class, () -> { - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKey)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java index 6b512bde..05af3233 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java @@ -138,7 +138,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); assertThrows(UnacceptableAlgorithmException.class, () -> - PGPainless.decryptAndOrVerify() + PGPainless.getInstance().processMessage() .onInputStream(messageIn) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)) ); @@ -166,7 +166,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); assertThrows(UnacceptableAlgorithmException.class, () -> - PGPainless.decryptAndOrVerify() + PGPainless.getInstance().processMessage() .onInputStream(messageIn) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)) ); @@ -193,7 +193,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); assertThrows(UnacceptableAlgorithmException.class, () -> - PGPainless.decryptAndOrVerify().onInputStream(messageIn) + PGPainless.getInstance().processMessage().onInputStream(messageIn) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)) ); } @@ -218,7 +218,7 @@ public class RejectWeakSymmetricAlgorithmDuringDecryptionTest { "-----END PGP ARMORED FILE-----\n"; InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); - PGPainless.decryptAndOrVerify().onInputStream(messageIn) + PGPainless.getInstance().processMessage().onInputStream(messageIn) .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeys)); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java index dfacbaac..f7dda4a7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java @@ -31,7 +31,7 @@ public class SignedMessageVerificationWithoutCertIsStillSignedTest { @Test public void verifyMissingVerificationCertOptionStillResultsInMessageIsSigned() throws IOException, PGPException { ConsumerOptions withoutVerificationCert = ConsumerOptions.get(); - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() + DecryptionStream verificationStream = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) .withOptions(withoutVerificationCert); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java index b28af822..74e73e03 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java @@ -44,7 +44,7 @@ public class TestDecryptionOfMessageWithoutESKUsingSessionKey { @Test public void decryptMessageWithSKESK() throws PGPException, IOException { ByteArrayInputStream in = new ByteArrayInputStream(encryptedMessageWithSKESK.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .setSessionKey(sessionKey)); @@ -57,7 +57,7 @@ public class TestDecryptionOfMessageWithoutESKUsingSessionKey { @Test public void decryptMessageWithoutSKESK() throws PGPException, IOException { ByteArrayInputStream in = new ByteArrayInputStream(encryptedMessageWithoutESK.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .setSessionKey(sessionKey)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java index 4093b1ec..125219b5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java @@ -46,7 +46,7 @@ public class TryDecryptWithUnavailableGnuDummyKeyTest { .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any())); ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertextOut.toByteArray()); - assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify() + assertThrows(MissingDecryptionMethodException.class, () -> api.processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get(api).addDecryptionKey(removedKeys))); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java index f8ce9e29..7981a4ae 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java @@ -392,7 +392,7 @@ public class UnsupportedPacketVersionsTest { public void decryptAndCompare(String msg, String plain) throws IOException, PGPException { // noinspection CharsetObjectCanBeUsed ByteArrayInputStream inputStream = new ByteArrayInputStream(msg.getBytes(Charset.forName("UTF8"))); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(inputStream) .withOptions(ConsumerOptions.get() .addDecryptionKey(key) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java index e344d55f..77b9ac68 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java @@ -54,7 +54,7 @@ public class VerifyDetachedSignatureTest { "-----END PGP PUBLIC KEY BLOCK-----\n"; - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(signedContent.getBytes(StandardCharsets.UTF_8))) .withOptions( ConsumerOptions.get() @@ -129,7 +129,7 @@ public class VerifyDetachedSignatureTest { "=pXF6\n" + "-----END PGP PUBLIC KEY BLOCK-----\n"; - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(signedContent.getBytes(StandardCharsets.UTF_8))) .withOptions( ConsumerOptions.get() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java index e0608723..a88bf3e6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java @@ -64,7 +64,7 @@ public class VerifyNotBeforeNotAfterTest { public void noConstraintsVerifyInlineSig() throws PGPException, IOException { ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(certificate); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(inlineSigned)) .withOptions(options); @@ -77,7 +77,7 @@ public class VerifyNotBeforeNotAfterTest { ConsumerOptions options = ConsumerOptions.get() .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(data)) .withOptions(options); @@ -90,7 +90,7 @@ public class VerifyNotBeforeNotAfterTest { ConsumerOptions options = ConsumerOptions.get() .verifyNotBefore(T1) .addVerificationCert(certificate); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(inlineSigned)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -103,7 +103,7 @@ public class VerifyNotBeforeNotAfterTest { .verifyNotBefore(T1) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(data)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -115,7 +115,7 @@ public class VerifyNotBeforeNotAfterTest { ConsumerOptions options = ConsumerOptions.get() .verifyNotBefore(T2) .addVerificationCert(certificate); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(inlineSigned)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -128,7 +128,7 @@ public class VerifyNotBeforeNotAfterTest { .verifyNotBefore(T2) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(data)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -140,7 +140,7 @@ public class VerifyNotBeforeNotAfterTest { ConsumerOptions options = ConsumerOptions.get() .verifyNotAfter(T1) .addVerificationCert(certificate); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(inlineSigned)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -153,7 +153,7 @@ public class VerifyNotBeforeNotAfterTest { .verifyNotAfter(T1) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(data)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -165,7 +165,7 @@ public class VerifyNotBeforeNotAfterTest { ConsumerOptions options = ConsumerOptions.get() .verifyNotAfter(T0) .addVerificationCert(certificate); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(inlineSigned)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); @@ -178,7 +178,7 @@ public class VerifyNotBeforeNotAfterTest { .verifyNotAfter(T0) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature)); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(data)) .withOptions(options); MessageMetadata metadata = processSignedData(verifier); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifySignatureByCertificationKeyFailsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifySignatureByCertificationKeyFailsTest.java index 3d2ea092..f2250455 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifySignatureByCertificationKeyFailsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifySignatureByCertificationKeyFailsTest.java @@ -213,7 +213,7 @@ public class VerifySignatureByCertificationKeyFailsTest { public void testSignatureByNonSigningPrimaryKeyIsRejected() throws Exception { PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(KEY); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(DATA)) .withOptions(ConsumerOptions.get() .addVerificationCert(PGPainless.extractCertificate(key)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java index 833de609..a6240072 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java @@ -39,7 +39,7 @@ class VerifyVersion3SignaturePacketTest { .addVerificationCert(TestKeys.getEmilPublicKeyRing()) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(version3Signature.getEncoded())); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(DATA)) .withOptions(options); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java index 0b875901..65e8ae08 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java @@ -52,7 +52,7 @@ public class VerifyWithMissingPublicKeyCallbackTest { String msg = "Arguing that you don't care about the right to privacy because you have nothing to hide" + "is no different than saying you don't care about free speech because you have nothing to say."; ByteArrayOutputStream signOut = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign().onOutputStream(signOut) + EncryptionStream signingStream = api.generateMessage().onOutputStream(signOut) .withOptions(ProducerOptions.sign(SigningOptions.get().addInlineSignature( SecretKeyRingProtector.unprotectedKeys(), signingSecKeys.getPGPSecretKeyRing(), DocumentSignatureType.CANONICAL_TEXT_DOCUMENT @@ -60,7 +60,7 @@ public class VerifyWithMissingPublicKeyCallbackTest { Streams.pipeAll(new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)), signingStream); signingStream.close(); - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() + DecryptionStream verificationStream = api.processMessage() .onInputStream(new ByteArrayInputStream(signOut.toByteArray())) .withOptions(ConsumerOptions.get() .addVerificationCert(unrelatedKeys) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java index fe89af80..017125ec 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java @@ -96,7 +96,7 @@ public class BcHashContextSignerTest { OpenPGPSignature.OpenPGPDocumentSignature signature = signMessage(messageBytes, hashAlgorithm, secretKeys); assertEquals(hashAlgorithm.getAlgorithmId(), signature.getSignature().getHashAlgorithm()); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(messageIn) .withOptions(ConsumerOptions.get() .addVerificationCert(certificate) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 7e7b8cb4..c6fafa16 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -157,7 +157,7 @@ public class EncryptDecryptTest { // Juliet trieth to comprehend Romeos words ByteArrayInputStream envelopeIn = new ByteArrayInputStream(encryptedSecretMessage); - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = api.processMessage() .onInputStream(envelopeIn) .withOptions(ConsumerOptions.get(api) .addDecryptionKey(recipientSec, keyDecryptor) @@ -208,7 +208,7 @@ public class EncryptDecryptTest { // CHECKSTYLE:ON inputStream = new ByteArrayInputStream(testMessage.getBytes()); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = api.processMessage() .onInputStream(inputStream) .withOptions(ConsumerOptions.get(api) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(armorSig.getBytes())) @@ -241,7 +241,7 @@ public class EncryptDecryptTest { signer.close(); inputStream = new ByteArrayInputStream(signOut.toByteArray()); - DecryptionStream verifier = PGPainless.decryptAndOrVerify() + DecryptionStream verifier = api.processMessage() .onInputStream(inputStream) .withOptions(ConsumerOptions.get(api) .addVerificationCert(signingKeys.toCertificate()) @@ -349,7 +349,7 @@ public class EncryptDecryptTest { result.getEncryptionMechanism()); ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); - DecryptionStream decIn = PGPainless.decryptAndOrVerify() + DecryptionStream decIn = api.processMessage() .onInputStream(bIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(keyWithoutSEIPD2Feature)); @@ -387,7 +387,7 @@ public class EncryptDecryptTest { result.getEncryptionMechanism()); ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); - DecryptionStream decIn = PGPainless.decryptAndOrVerify() + DecryptionStream decIn = api.processMessage() .onInputStream(bIn) .withOptions(ConsumerOptions.get() .addMessagePassphrase(Passphrase.fromPassword("sw0rdf1sh"))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java index 10b1656c..05352c96 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionWithMissingKeyFlagsTest.java @@ -164,7 +164,7 @@ public class EncryptionWithMissingKeyFlagsTest { // Prepare encryption ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream encOut = PGPainless.encryptAndOrSign() + EncryptionStream encOut = PGPainless.getInstance().generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.encrypt(EncryptionOptions.get() .setEvaluationDate(evaluationDate) @@ -177,7 +177,7 @@ public class EncryptionWithMissingKeyFlagsTest { // Prepare decryption ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray()); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .setAllowDecryptionWithMissingKeyFlags() diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java index 7298c3d4..8c22e96c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java @@ -73,7 +73,7 @@ public class FileInformationTest { ByteArrayInputStream cryptIn = new ByteArrayInputStream(dataOut.toByteArray()); ByteArrayOutputStream plainOut = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(cryptIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey)); @@ -112,7 +112,7 @@ public class FileInformationTest { ByteArrayInputStream cryptIn = new ByteArrayInputStream(dataOut.toByteArray()); ByteArrayOutputStream plainOut = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(cryptIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey)); @@ -156,7 +156,7 @@ public class FileInformationTest { ByteArrayInputStream cryptIn = new ByteArrayInputStream(dataOut.toByteArray()); ByteArrayOutputStream plainOut = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(cryptIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java index 5df689c5..28bd91d3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HiddenRecipientEncryptionTest.java @@ -52,7 +52,7 @@ public class HiddenRecipientEncryptionTest { byte[] ciphertext = ciphertextOut.toByteArray(); ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertext); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java index 448a7646..e55b08fd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java @@ -128,7 +128,7 @@ public class MechanismNegotiationTest { eOut.close(); ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); - DecryptionStream dIn = PGPainless.decryptAndOrVerify() + DecryptionStream dIn = api.processMessage() .onInputStream(bIn) .withOptions(ConsumerOptions.get().addDecryptionKey(keyList.get(0))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java index 9abfeb08..21e8283f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MultiSigningSubkeyTest.java @@ -49,7 +49,8 @@ public class MultiSigningSubkeyTest { @BeforeAll public static void generateKey() { - signingKey = PGPainless.buildKeyRing() + PGPainless api = PGPainless.getInstance(); + signingKey = api.buildKey() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.SIGN_DATA)) .addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072), KeyFlag.SIGN_DATA)) @@ -69,7 +70,7 @@ public class MultiSigningSubkeyTest { public void detachedSignWithAllSubkeys() throws PGPException, IOException { ByteArrayInputStream dataIn = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = PGPainless.getInstance().generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.sign(SigningOptions.get().addDetachedSignature(protector, signingKey, DocumentSignatureType.BINARY_DOCUMENT))); Streams.pipeAll(dataIn, signingStream); @@ -85,7 +86,7 @@ public class MultiSigningSubkeyTest { public void detachedSignWithSingleSubkey() throws PGPException, IOException { ByteArrayInputStream dataIn = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = PGPainless.getInstance().generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.sign(SigningOptions.get().addDetachedSignature(protector, signingKey, signingKey1.getKeyId()))); Streams.pipeAll(dataIn, signingStream); @@ -98,16 +99,17 @@ public class MultiSigningSubkeyTest { @Test public void inlineSignWithAllSubkeys() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); ByteArrayInputStream dataIn = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.sign(SigningOptions.get().addInlineSignature(protector, signingKey, DocumentSignatureType.BINARY_DOCUMENT))); Streams.pipeAll(dataIn, signingStream); signingStream.close(); ByteArrayInputStream signedIn = new ByteArrayInputStream(out.toByteArray()); - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify().onInputStream(signedIn) + DecryptionStream verificationStream = api.processMessage().onInputStream(signedIn) .withOptions(ConsumerOptions.get().addVerificationCert(signingCert)); Streams.drain(verificationStream); verificationStream.close(); @@ -122,16 +124,17 @@ public class MultiSigningSubkeyTest { @Test public void inlineSignWithSingleSubkey() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); ByteArrayInputStream dataIn = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream out = new ByteArrayOutputStream(); - EncryptionStream signingStream = PGPainless.encryptAndOrSign() + EncryptionStream signingStream = api.generateMessage() .onOutputStream(out) .withOptions(ProducerOptions.sign(SigningOptions.get().addInlineSignature(protector, signingKey, signingKey1.getKeyId()))); Streams.pipeAll(dataIn, signingStream); signingStream.close(); ByteArrayInputStream signedIn = new ByteArrayInputStream(out.toByteArray()); - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify().onInputStream(signedIn) + DecryptionStream verificationStream = api.processMessage().onInputStream(signedIn) .withOptions(ConsumerOptions.get().addVerificationCert(signingCert)); Streams.drain(verificationStream); verificationStream.close(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index b1c1191d..d67a119a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -82,7 +82,7 @@ public class SigningTest { OpenPGPKey romeoKey = TestKeys.getRomeoKey(); OpenPGPKey julietKey = TestKeys.getJulietKey(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(cryptIn) .withOptions(ConsumerOptions.get(api) .addDecryptionKey(romeoKey, SecretKeyRingProtector.unprotectedKeys()) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java index 779c7b20..f427c681 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java @@ -159,7 +159,7 @@ public class DecryptOrVerify { ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ENCRYPTED.getBytes(StandardCharsets.UTF_8)); // The decryption stream is an input stream from which we read the decrypted data - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(ciphertextIn) .withOptions(consumerOptions); @@ -189,7 +189,7 @@ public class DecryptOrVerify { ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream(); ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ENCRYPTED_AND_SIGNED.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(ciphertextIn) .withOptions(consumerOptions); @@ -219,7 +219,7 @@ public class DecryptOrVerify { ByteArrayOutputStream out = new ByteArrayOutputStream(); ByteArrayInputStream in = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() + DecryptionStream verificationStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(options); @@ -270,7 +270,7 @@ public class DecryptOrVerify { ByteArrayInputStream signedIn = new ByteArrayInputStream(signedMessage); // and pass it to the decryption stream - DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() + DecryptionStream verificationStream = api.processMessage() .onInputStream(signedIn) .withOptions(ConsumerOptions.get(api).addVerificationCert(certificate)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index e7e5e115..360476a6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -166,7 +166,7 @@ public class Encrypt { String encryptedMessage = ciphertext.toString(); // Decrypt and verify signatures - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = api.processMessage() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get(api) .addDecryptionKey(keyBob, protectorBob) @@ -209,7 +209,7 @@ public class Encrypt { String asciiCiphertext = ciphertext.toString(); // Decrypt - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = api.processMessage() .onInputStream(new ByteArrayInputStream(asciiCiphertext.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get(api).addMessagePassphrase(Passphrase.fromPassword("p4ssphr4s3"))); @@ -274,7 +274,7 @@ public class Encrypt { // also test, that decryption still works... // Decrypt and verify signatures - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = api.processMessage() .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get(api) .addDecryptionKey(keyBob, protectorBob) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java index 32792b4a..60d49db7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutPrimaryKeyFlagsTest.java @@ -77,7 +77,7 @@ public class GenerateKeyWithoutPrimaryKeyFlagsTest { EncryptionResult result = encryptionStream.getResult(); assertTrue(result.isEncryptedFor(cert)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(ciphertext.toByteArray())) .withOptions(ConsumerOptions.get().addDecryptionKey(key) .addVerificationCert(cert)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java index 24fb8088..8d0e1df1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java @@ -78,7 +78,7 @@ public class GenerateKeyWithoutUserIdTest { ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertextOut.toByteArray()); ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKey) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java index ccf07e56..909c8cc8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java @@ -160,7 +160,7 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest { ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray()); ByteArrayOutputStream plain = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKey(edited)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index 0fd98622..e8d73ddb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -111,7 +111,7 @@ public class S2KUsageFixTest { private void testCanStillDecrypt(OpenPGPKey keys, SecretKeyRingProtector protector) throws PGPException, IOException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(in) .withOptions(ConsumerOptions.get() .addDecryptionKey(keys, protector)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java index f7fceff2..52c60c2e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/WeakRSAKeyTest.java @@ -185,7 +185,7 @@ public class WeakRSAKeyTest { ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(encryptOut.toByteArray()); ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(ciphertextIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index fa018909..5155861d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -1970,7 +1970,7 @@ public class BindingSignatureSubpacketsTest { PGPainless api = PGPainless.getInstance(); OpenPGPCertificate certificate = api.readKey().parseCertificate(key); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(getSignedData(data)) + DecryptionStream decryptionStream = api.processMessage().onInputStream(getSignedData(data)) .withOptions(ConsumerOptions.get(api) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(SignatureUtils.readSignatures(sig))); @@ -1990,7 +1990,7 @@ public class BindingSignatureSubpacketsTest { PGPainless api = PGPainless.getInstance(); OpenPGPCertificate certificate = api.readKey().parseCertificate(key); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(getSignedData(data)) + DecryptionStream decryptionStream = api.processMessage().onInputStream(getSignedData(data)) .withOptions(ConsumerOptions.get(api) .addVerificationCert(certificate) .addVerificationOfDetachedSignatures(SignatureUtils.readSignatures(sig))); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index 1ab69990..63c2be55 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -1305,7 +1305,7 @@ public class CertificateValidatorTest { PGPainless api = PGPainless.getInstance(); OpenPGPCertificate certificate = api.toCertificate(cert); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(dataIn) .withOptions(ConsumerOptions.get(api) .addVerificationOfDetachedSignature(signature) @@ -1385,11 +1385,12 @@ public class CertificateValidatorTest { "=NXei\n" + "-----END PGP PUBLIC KEY BLOCK-----\n"; String DATA = "Hello World :)"; + PGPainless api = PGPainless.getInstance(); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(new ByteArrayInputStream(DATA.getBytes(StandardCharsets.UTF_8))) .withOptions(ConsumerOptions.get() - .addVerificationCert(PGPainless.readKeyRing().publicKeyRing(CERT)) + .addVerificationCert(api.readKey().parseCertificate(CERT)) .addVerificationOfDetachedSignatures(new ByteArrayInputStream(SIG.getBytes(StandardCharsets.UTF_8)))); Streams.drain(decryptionStream); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java index a5c61ac3..8b7bff74 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java @@ -142,7 +142,7 @@ public class IgnoreMarkerPacketsTest { PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); InputStream messageIn = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(messageIn) .withOptions(ConsumerOptions.get() .addVerificationCert(publicKeys) @@ -191,7 +191,7 @@ public class IgnoreMarkerPacketsTest { String data = "Marker + Encrypted Message"; InputStream messageIn = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)); - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(messageIn) .withOptions(ConsumerOptions.get() .addDecryptionKey(secretKeys) diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 160fc1d6..9d21e9a8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -269,7 +269,7 @@ public class KeyRevocationTest { private void verify(PGPSignature signature, InputStream dataIn, OpenPGPCertificate certificate, PGPainless api) throws PGPException, IOException { - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = api.processMessage() .onInputStream(dataIn) .withOptions(ConsumerOptions.get(api) .addVerificationOfDetachedSignature(signature) diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java index 029f59ac..127eb521 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java @@ -31,7 +31,7 @@ public class MultiPassphraseSymmetricEncryptionTest { "the decryptor finds the session key encrypted for the right passphrase."; ByteArrayInputStream plaintextIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); - EncryptionStream encryptor = PGPainless.encryptAndOrSign() + EncryptionStream encryptor = PGPainless.getInstance().generateMessage() .onOutputStream(ciphertextOut) .withOptions(ProducerOptions.encrypt( EncryptionOptions.encryptCommunications() @@ -46,7 +46,7 @@ public class MultiPassphraseSymmetricEncryptionTest { // decrypting the p1 package with p2 first will not work. Test if it is handled correctly. for (Passphrase passphrase : new Passphrase[] {Passphrase.fromPassword("p2"), Passphrase.fromPassword("p1")}) { - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ciphertext)) .withOptions(ConsumerOptions.get() .addMessagePassphrase(passphrase)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index 3fa54bf6..bf0c15f5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -63,7 +63,7 @@ public class SymmetricEncryptionTest { byte[] ciphertext = ciphertextOut.toByteArray(); // Test symmetric decryption - DecryptionStream decryptor = PGPainless.decryptAndOrVerify() + DecryptionStream decryptor = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ciphertext)) .withOptions(ConsumerOptions.get() .addMessagePassphrase(encryptionPassphrase)); @@ -80,7 +80,7 @@ public class SymmetricEncryptionTest { SecretKeyRingProtector protector = new PasswordBasedSecretKeyRingProtector( KeyRingProtectionSettings.secureDefaultSettings(), new SolitaryPassphraseProvider(Passphrase.fromPassword(TestKeys.CRYPTIE_PASSWORD))); - decryptor = PGPainless.decryptAndOrVerify() + decryptor = PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ciphertext)) .withOptions(ConsumerOptions.get() .addDecryptionKeys(decryptionKeys, protector)); @@ -100,7 +100,7 @@ public class SymmetricEncryptionTest { new Random().nextBytes(bytes); ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream(); - EncryptionStream encryptor = PGPainless.encryptAndOrSign().onOutputStream(ciphertextOut) + EncryptionStream encryptor = PGPainless.getInstance().generateMessage().onOutputStream(ciphertextOut) .withOptions(ProducerOptions.encrypt( EncryptionOptions.encryptCommunications() .addMessagePassphrase(Passphrase.fromPassword("mellon")))); @@ -108,7 +108,7 @@ public class SymmetricEncryptionTest { Streams.pipeAll(new ByteArrayInputStream(bytes), encryptor); encryptor.close(); - assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify() + assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.getInstance().processMessage() .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray())) .withOptions(ConsumerOptions.get() .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt index fad50c5b..7b869c32 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt @@ -39,9 +39,7 @@ class DecryptImpl(private val api: PGPainless) : Decrypt { val decryptionStream = try { - PGPainless.decryptAndOrVerify() - .onInputStream(ciphertext) - .withOptions(consumerOptions) + api.processMessage().onInputStream(ciphertext).withOptions(consumerOptions) } catch (e: MissingDecryptionMethodException) { throw SOPGPException.CannotDecrypt( "No usable decryption key or password provided.", e) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt index 1a252bfa..d9837def 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DetachedVerifyImpl.kt @@ -28,8 +28,7 @@ class DetachedVerifyImpl(private val api: PGPainless) : DetachedVerify { override fun data(data: InputStream): List { try { - val verificationStream = - PGPainless.decryptAndOrVerify().onInputStream(data).withOptions(options) + val verificationStream = api.processMessage().onInputStream(data).withOptions(options) Streams.drain(verificationStream) verificationStream.close() diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt index 332c1445..416b53b3 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineVerifyImpl.kt @@ -32,7 +32,7 @@ class InlineVerifyImpl(private val api: PGPainless) : InlineVerify { override fun writeTo(outputStream: OutputStream): List { try { val verificationStream = - PGPainless.decryptAndOrVerify().onInputStream(data).withOptions(options) + api.processMessage().onInputStream(data).withOptions(options) Streams.pipeAll(verificationStream, outputStream) verificationStream.close() From 9856aa43c4337cc88d11a15488f4cf94c8c646b7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 7 May 2025 11:29:06 +0200 Subject: [PATCH 203/265] Add documentation to PGPainless class --- .../main/kotlin/org/pgpainless/PGPainless.kt | 86 ++++++++++++++++++- 1 file changed, 83 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 5cc88804..74323d6b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -31,6 +31,17 @@ import org.pgpainless.key.parsing.KeyRingReader import org.pgpainless.policy.Policy import org.pgpainless.util.ArmorUtils +/** + * Main entry point to the PGPainless OpenPGP API. Historically, this class was used through static + * factory methods only, and configuration was done using the Singleton pattern. However, now it is + * recommended to instantiate the API and apply configuration on a per-instance manner. The benefit + * of this being that you can have multiple differently configured instances at the same time. + * + * @param implementation OpenPGP Implementation - either BCs lightweight + * [org.bouncycastle.openpgp.api.bc.BcOpenPGPImplementation] or JCAs + * [org.bouncycastle.openpgp.api.jcajce.JcaOpenPGPImplementation]. + * @param algorithmPolicy policy, deciding acceptable algorithms + */ class PGPainless( val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(), val algorithmPolicy: Policy = Policy() @@ -48,16 +59,36 @@ class PGPainless( api = BcOpenPGPApi(implementation) } + /** + * Generate a new [OpenPGPKey] from predefined templates. + * + * @param version [OpenPGPKeyVersion], defaults to [OpenPGPKeyVersion.v4] + * @param creationTime of the key, defaults to now + * @return [KeyRingTemplates] api + */ @JvmOverloads fun generateKey( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, creationTime: Date = Date() ): KeyRingTemplates = KeyRingTemplates(version, creationTime, this) + /** + * Build a fresh, custom [OpenPGPKey] using PGPainless' API. + * + * @param version [OpenPGPKeyVersion], defaults to [OpenPGPKeyVersion.v4] + * @return [KeyRingBuilder] api + */ @JvmOverloads fun buildKey(version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4): KeyRingBuilder = KeyRingBuilder(version, this) + /** + * Build a fresh, custom [OpenPGPKey] using BCs new API. + * + * @param version [OpenPGPKeyVersion], defaults to [OpenPGPKeyVersion.v4] + * @param creationTime creation time of the key, defaults to now + * @return [OpenPGPKeyGenerator] api + */ @JvmOverloads fun _buildKey( version: OpenPGPKeyVersion = OpenPGPKeyVersion.v4, @@ -81,18 +112,52 @@ class PGPainless( fun inspect(keyOrCertificate: OpenPGPCertificate, referenceTime: Date = Date()): KeyRingInfo = KeyRingInfo(keyOrCertificate, this, referenceTime) + /** + * Modify an [OpenPGPKey], adding new components and signatures. This API can be used to add new + * subkeys, user-ids or user-attributes to the key, extend or alter its expiration time, revoke + * individual components of the entire certificate, etc. + * + * @param key key to modify + * @param referenceTime timestamp for modifications + * @return [SecretKeyRingEditor] api + */ @JvmOverloads fun modify(key: OpenPGPKey, referenceTime: Date = Date()): SecretKeyRingEditor = SecretKeyRingEditor(key, this, referenceTime) + /** + * Parse [OpenPGPKey]/[OpenPGPCertificate] material from binary or ASCII armored encoding. + * + * @return [OpenPGPKeyReader] api + */ fun readKey(): OpenPGPKeyReader = api.readKeyOrCertificate() + /** + * Convert a [PGPSecretKeyRing] into an [OpenPGPKey]. + * + * @param secretKeyRing mid-level API [PGPSecretKeyRing] object + * @return high-level API [OpenPGPKey] object + */ fun toKey(secretKeyRing: PGPSecretKeyRing): OpenPGPKey = OpenPGPKey(secretKeyRing, implementation) + /** + * Convert a [PGPPublicKeyRing] into an [OpenPGPCertificate]. + * + * @param certificate mid-level API [PGPSecretKeyRing] object + * @return high-level API [OpenPGPCertificate] object + */ fun toCertificate(certificate: PGPPublicKeyRing): OpenPGPCertificate = OpenPGPCertificate(certificate, implementation) + /** + * Depending on the type, convert either a [PGPSecretKeyRing] into an [OpenPGPKey] or a + * [PGPPublicKeyRing] into an [OpenPGPCertificate]. + * + * @param keyOrCertificate [PGPKeyRing], either [PGPSecretKeyRing] or [PGPPublicKeyRing] + * @return depending on the type of [keyOrCertificate], either an [OpenPGPKey] or + * [OpenPGPCertificate] + */ fun toKeyOrCertificate(keyOrCertificate: PGPKeyRing): OpenPGPCertificate = when (keyOrCertificate) { is PGPSecretKeyRing -> toKey(keyOrCertificate) @@ -102,6 +167,15 @@ class PGPainless( "Unexpected PGPKeyRing subclass: ${keyOrCertificate.javaClass.name}") } + /** + * Merge two copies of an [OpenPGPCertificate] into a single copy. This method can be used to + * import new third-party signatures into a certificate. + * + * @param originalCopy local copy of the certificate + * @param updatedCopy copy of the same certificate, potentially carrying new signatures and + * components + * @return merged [OpenPGPCertificate] + */ fun mergeCertificate( originalCopy: OpenPGPCertificate, updatedCopy: OpenPGPCertificate @@ -109,19 +183,25 @@ class PGPainless( return OpenPGPCertificate.join(originalCopy, updatedCopy) } - /** Generate an encrypted and/or signed OpenPGP message. */ + /** + * Generate an encrypted and/or signed OpenPGP message. + * + * @return [EncryptionBuilder] api + */ fun generateMessage(): EncryptionBuilder = EncryptionBuilder(this) /** * Process an OpenPGP message. This method attempts decryption of encrypted messages and * performs signature verification. + * + * @return [DecryptionBuilder] api */ fun processMessage(): DecryptionBuilder = DecryptionBuilder(this) /** * Create certification signatures on third-party [OpenPGPCertificates][OpenPGPCertificate]. * - * @return builder + * @return [CertifyCertificate] api */ fun generateCertification(): CertifyCertificate = CertifyCertificate(this) @@ -289,7 +369,7 @@ class PGPainless( * [PGPSecretKeyRing]. This method can be used to determine expiration dates, key flags and * other information about a key at a specific time. * - * @param keyRing key ring + * @param key key ring * @param referenceTime date of inspection * @return access object */ From 3ccc8601d7fea885cbf931d8a130aab962979d81 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 7 May 2025 14:06:34 +0200 Subject: [PATCH 204/265] Rework ASCII armor API --- .../main/kotlin/org/pgpainless/PGPainless.kt | 60 +++++++++++++++++-- .../kotlin/org/pgpainless/util/ArmorUtils.kt | 2 +- .../CanonicalizedDataEncryptionTest.java | 5 +- .../key/parsing/KeyRingReaderTest.java | 2 +- .../org/pgpainless/util/ArmorUtilsTest.java | 2 +- .../org/pgpainless/sop/ExtractCertImpl.kt | 7 +-- .../org/pgpainless/sop/GenerateKeyImpl.kt | 6 +- 7 files changed, 65 insertions(+), 19 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt index 74323d6b..602510cb 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt @@ -4,8 +4,12 @@ package org.pgpainless +import java.io.ByteArrayOutputStream import java.io.OutputStream import java.util.* +import org.bouncycastle.bcpg.ArmoredOutputStream +import org.bouncycastle.bcpg.BCPGOutputStream +import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.PGPKeyRing import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.PGPSecretKeyRing @@ -16,6 +20,7 @@ import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKeyGenerator import org.bouncycastle.openpgp.api.OpenPGPKeyReader +import org.bouncycastle.openpgp.api.OpenPGPSignature import org.bouncycastle.openpgp.api.bc.BcOpenPGPApi import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.PolicyAdapter @@ -59,6 +64,46 @@ class PGPainless( api = BcOpenPGPApi(implementation) } + @JvmOverloads + fun toAsciiArmor( + certOrKey: OpenPGPCertificate, + packetFormat: PacketFormat = PacketFormat.ROUNDTRIP + ): String { + val armorBuilder = ArmoredOutputStream.builder().clearHeaders() + ArmorUtils.keyToHeader(certOrKey.primaryKey.pgpPublicKey) + .getOrDefault(ArmorUtils.HEADER_COMMENT, setOf()) + .forEach { armorBuilder.addComment(it) } + return certOrKey.toAsciiArmoredString(packetFormat, armorBuilder) + } + + @JvmOverloads + fun toAsciiArmor( + signature: OpenPGPSignature, + packetFormat: PacketFormat = PacketFormat.ROUNDTRIP + ): String { + val armorBuilder = ArmoredOutputStream.builder().clearHeaders() + armorBuilder.addComment(signature.keyIdentifier.toPrettyPrint()) + return signature.toAsciiArmoredString(packetFormat, armorBuilder) + } + + @JvmOverloads + fun toAsciiArmor( + signature: PGPSignature, + packetFormat: PacketFormat = PacketFormat.ROUNDTRIP + ): String { + val armorBuilder = ArmoredOutputStream.builder().clearHeaders() + OpenPGPSignature.getMostExpressiveIdentifier(signature.keyIdentifiers)?.let { + armorBuilder.addComment(it.toPrettyPrint()) + } + val bOut = ByteArrayOutputStream() + val aOut = armorBuilder.build(bOut) + val pOut = BCPGOutputStream(aOut, packetFormat) + signature.encode(pOut) + pOut.close() + aOut.close() + return bOut.toString() + } + /** * Generate a new [OpenPGPKey] from predefined templates. * @@ -290,10 +335,13 @@ class PGPainless( */ @JvmStatic fun asciiArmor(key: PGPKeyRing): String = - if (key is PGPSecretKeyRing) ArmorUtils.toAsciiArmoredString(key) - else ArmorUtils.toAsciiArmoredString(key as PGPPublicKeyRing) + getInstance().toAsciiArmor(getInstance().toKeyOrCertificate(key)) - @JvmStatic fun asciiArmor(cert: OpenPGPCertificate) = asciiArmor(cert.pgpKeyRing) + @JvmStatic + @Deprecated( + "Call getInstance().toAsciiArmor(cert) instead.", + replaceWith = ReplaceWith("getInstance().toAsciiArmor(cert)")) + fun asciiArmor(cert: OpenPGPCertificate): String = getInstance().toAsciiArmor(cert) /** * Wrap a key of certificate in ASCII armor and write the result into the given @@ -318,8 +366,10 @@ class PGPainless( * @throws IOException in case of an error during the armoring process */ @JvmStatic - @Deprecated("Covert to OpenPGPSignature and call .toAsciiArmoredString() instead.") - fun asciiArmor(signature: PGPSignature): String = ArmorUtils.toAsciiArmoredString(signature) + @Deprecated( + "Call toAsciiArmor(signature) on an instance of PGPainless instead.", + replaceWith = ReplaceWith("getInstance().toAsciiArmor(signature)")) + fun asciiArmor(signature: PGPSignature): String = getInstance().toAsciiArmor(signature) /** * Create an [EncryptionBuilder], which can be used to encrypt and/or sign data using diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt index b6e802b2..ede45ce6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt @@ -229,7 +229,7 @@ class ArmorUtils { * @return header map */ @JvmStatic - private fun keyToHeader(publicKey: PGPPublicKey): Map> { + fun keyToHeader(publicKey: PGPPublicKey): Map> { val headerMap = mutableMapOf>() val userIds = KeyRingUtils.getUserIdsIgnoringInvalidUTF8(publicKey) val first: String? = userIds.firstOrNull() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java index e9f2332d..7b586277 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java @@ -113,10 +113,11 @@ public class CanonicalizedDataEncryptionTest { @BeforeAll public static void readKeys() throws IOException { - secretKeys = PGPainless.getInstance().readKey().parseKey(KEY); + PGPainless api = PGPainless.getInstance(); + secretKeys = api.readKey().parseKey(KEY); publicKeys = secretKeys.toCertificate(); // CHECKSTYLE:OFF - System.out.println(PGPainless.asciiArmor(secretKeys)); + System.out.println(api.toAsciiArmor(secretKeys)); // CHECKSTYLE:ON } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index 7f0862d7..f16375a5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -599,7 +599,7 @@ class KeyRingReaderTest { public void testReadKeyRingWithArmoredPublicKey() throws IOException { OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); OpenPGPCertificate publicKeys = secretKeys.toCertificate(); - String armored = PGPainless.asciiArmor(publicKeys); + String armored = api.toAsciiArmor(publicKeys); PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(armored); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index 05a955f8..9d3ad35a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -132,7 +132,7 @@ public class ArmorUtilsTest { @Test public void signatureToAsciiArmoredString() { String SIG = "-----BEGIN PGP SIGNATURE-----\n" + - "Version: PGPainless\n" + + "Comment: 4F66 5C4D C2C4 660B C642 5E41 5736 E693 1ACF 370C\n" + "\n" + "iHUEARMKAB0WIQRPZlxNwsRmC8ZCXkFXNuaTGs83DAUCYJ/x5gAKCRBXNuaTGs83\n" + "DFRwAP9/4wMvV3WcX59Clo7mkRce6iwW3VBdiN+yMu3tjmHB2wD/RfE28Q1v4+eo\n" + diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt index 3a5993b4..b4677a56 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt @@ -7,7 +7,6 @@ package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream import org.pgpainless.PGPainless -import org.pgpainless.util.ArmorUtils import org.pgpainless.util.ArmoredOutputStreamFactory import sop.Ready import sop.operation.ExtractCert @@ -26,10 +25,8 @@ class ExtractCertImpl(private val api: PGPainless) : ExtractCert { if (certs.size == 1) { val cert = certs[0] // This way we have a nice armor header with fingerprint and user-ids - val armorOut = - ArmorUtils.toAsciiArmoredStream(cert.pgpKeyRing, outputStream) - armorOut.write(cert.encoded) - armorOut.close() + val armored = cert.toAsciiArmoredString() + outputStream.write(armored.toByteArray()) } else { // for multiple certs, add no info headers to the ASCII armor val armorOut = ArmoredOutputStreamFactory.get(outputStream) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index 3d914946..d343652d 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -18,7 +18,6 @@ import org.pgpainless.key.generation.type.KeyType import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve import org.pgpainless.key.generation.type.rsa.RsaLength import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec -import org.pgpainless.util.ArmorUtils import org.pgpainless.util.Passphrase import sop.Profile import sop.Ready @@ -50,9 +49,8 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - val armorOut = ArmorUtils.toAsciiArmoredStream(key.pgpKeyRing, outputStream) - key.pgpKeyRing.encode(armorOut) - armorOut.close() + val armored = key.toAsciiArmoredString() + outputStream.write(armored.toByteArray()) } else { key.pgpKeyRing.encode(outputStream) } From 380191c35b8b94fe1382264d7b9d59fd442abd9a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 12:47:53 +0200 Subject: [PATCH 205/265] Update documentation of SignatureVerification --- .../decryption_verification/SignatureVerification.kt | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt index b5a5bc0d..ed6ead40 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/SignatureVerification.kt @@ -6,16 +6,12 @@ package org.pgpainless.decryption_verification import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature -import org.pgpainless.decryption_verification.SignatureVerification.Failure import org.pgpainless.exception.SignatureValidationException import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.signature.SignatureUtils /** - * Tuple of a signature and an identifier of its corresponding verification key. Semantic meaning of - * the signature verification (success, failure) is merely given by context. E.g. - * [MessageMetadata.verifiedSignatures] contains verified verifications, while the class [Failure] - * contains failed verifications. + * An evaluated document signature. * * @param documentSignature OpenPGPDocumentSignature object */ From 02a997fb26f5ae9190bc203ebf6d00f393c79142 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 12:50:36 +0200 Subject: [PATCH 206/265] Fix comment block layout --- .../MessageMetadata.kt | 35 ++++++++----------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index 33e4c862..c1dfac93 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -24,10 +24,9 @@ import org.pgpainless.util.SessionKey /** View for extracting metadata about a [Message]. */ class MessageMetadata(val message: Message) { - // ################################################################################################################ - // ### Encryption - // ### - // ################################################################################################################ + // ########################################################################################################## + // Encryption + // ########################################################################################################## /** * The [SymmetricKeyAlgorithm] of the outermost encrypted data packet, or null if message is @@ -141,10 +140,9 @@ class MessageMetadata(val message: Message) { override fun getProperty(last: Layer) = last as EncryptedData } - // ################################################################################################################ - // ### Compression - // ### - // ################################################################################################################ + // ########################################################################################################## + // Compression + // ########################################################################################################## /** * [CompressionAlgorithm] of the outermost compressed data packet, or null, if the message does @@ -171,10 +169,9 @@ class MessageMetadata(val message: Message) { override fun getProperty(last: Layer) = last as CompressedData } - // ################################################################################################################ - // ### Signatures - // ### - // ################################################################################################################ + // ########################################################################################################## + // Signatures + // ########################################################################################################## val isUsingCleartextSignatureFramework: Boolean get() = message.cleartextSigned @@ -330,10 +327,9 @@ class MessageMetadata(val message: Message) { fun isVerifiedInlineSignedBy(keys: PGPKeyRing) = verifiedInlineSignatures.any { keys.matches(it.signingKey) } - // ################################################################################################################ - // ### Literal Data - // ### - // ################################################################################################################ + // ########################################################################################################## + // Literal Data + // ########################################################################################################## /** * Value of the literal data packet's filename field. This value can be used to store a @@ -397,10 +393,9 @@ class MessageMetadata(val message: Message) { return nested as LiteralData } - // ################################################################################################################ - // ### Message Structure - // ### - // ################################################################################################################ + // ########################################################################################################## + // Message Structure + // ########################################################################################################## interface Packet From 334061459553143e7d3feade0cd0227b363489b9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 12:54:25 +0200 Subject: [PATCH 207/265] Remove unused SignatureComparator classes --- .../SignatureCreationDateComparator.kt | 30 ----------------- .../consumer/SignatureValidityComparator.kt | 32 ------------------- 2 files changed, 62 deletions(-) delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCreationDateComparator.kt delete mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidityComparator.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCreationDateComparator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCreationDateComparator.kt deleted file mode 100644 index a913bf32..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureCreationDateComparator.kt +++ /dev/null @@ -1,30 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import org.bouncycastle.openpgp.PGPSignature - -/** - * Create a new comparator which sorts signatures according to the passed ordering. - * - * @param order ordering - */ -class SignatureCreationDateComparator(private val order: Order = Order.OLD_TO_NEW) : - Comparator { - - enum class Order { - /** Oldest signatures first. */ - OLD_TO_NEW, - /** Newest signatures first. */ - NEW_TO_OLD - } - - override fun compare(one: PGPSignature, two: PGPSignature): Int { - return when (order) { - Order.OLD_TO_NEW -> one.creationTime.compareTo(two.creationTime) - Order.NEW_TO_OLD -> two.creationTime.compareTo(one.creationTime) - } - } -} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidityComparator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidityComparator.kt deleted file mode 100644 index 1153b875..00000000 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/SignatureValidityComparator.kt +++ /dev/null @@ -1,32 +0,0 @@ -// SPDX-FileCopyrightText: 2023 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.consumer - -import org.bouncycastle.openpgp.PGPSignature -import org.pgpainless.bouncycastle.extensions.isHardRevocation - -/** - * Comparator which sorts signatures based on an ordering and on revocation hardness. - * - * If a list of signatures gets ordered using this comparator, hard revocations will always come - * first. Further, signatures are ordered by date according to the - * [SignatureCreationDateComparator.Order]. - */ -class SignatureValidityComparator( - order: SignatureCreationDateComparator.Order = SignatureCreationDateComparator.Order.OLD_TO_NEW -) : Comparator { - - private val creationDateComparator: SignatureCreationDateComparator = - SignatureCreationDateComparator(order) - - override fun compare(one: PGPSignature, two: PGPSignature): Int { - return if (one.isHardRevocation == two.isHardRevocation) { - // Both have the same hardness, so compare creation time - creationDateComparator.compare(one, two) - } - // else favor the "harder" signature - else if (one.isHardRevocation) -1 else 1 - } -} From 8cb94a89249df068393ad01d7023db8bab7ea355 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 12:57:59 +0200 Subject: [PATCH 208/265] Clean up OnePassSignatureCheck --- .../consumer/OnePassSignatureCheck.kt | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt index 97248420..80773d7d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/consumer/OnePassSignatureCheck.kt @@ -7,9 +7,6 @@ package org.pgpainless.signature.consumer import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate -import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey -import org.pgpainless.bouncycastle.extensions.getSigningKeyFor -import org.pgpainless.key.SubkeyIdentifier /** * Tuple-class that bundles together a [PGPOnePassSignature] object, an [OpenPGPCertificate] @@ -24,19 +21,4 @@ data class OnePassSignatureCheck( ) { var signature: PGPSignature? = null - - constructor( - onePassSignature: PGPOnePassSignature, - verificationKey: OpenPGPComponentKey - ) : this(onePassSignature, verificationKey.certificate) - - val signingKey: OpenPGPComponentKey? = verificationKeys.getSigningKeyFor(onePassSignature) - - /** - * Return an identifier for the signing key. - * - * @return signing key fingerprint - */ - val signingKeyIdentifier: SubkeyIdentifier? - get() = signingKey?.let { SubkeyIdentifier(it) } } From 3a0ee1c101b7af0e217c7f20e5353d424a496fa1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 13:53:00 +0200 Subject: [PATCH 209/265] Typo --- .../pgpainless/decryption_verification/OpenPgpInputStream.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java index c4e15314..491f5d43 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java @@ -326,7 +326,7 @@ public class OpenPgpInputStream extends BufferedInputStream { * Returns true, if the underlying data is very likely (more than 99,9%) an OpenPGP message. * OpenPGP Message means here that it starts with either an {@link PGPEncryptedData}, * {@link PGPCompressedData}, {@link PGPOnePassSignature} or {@link PGPLiteralData} packet. - * The plausability of these data packets is checked as far as possible. + * The plausibility of these data packets is checked as far as possible. * * @return true if likely OpenPGP message */ From 702db4d75c5f4ce99c517eee5f82a6b1954dc74e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 14:38:48 +0200 Subject: [PATCH 210/265] Port OpenPGPInputStream to Kotlin as OpenPGPAnimalSnifferInputStream --- .../OpenPgpInputStream.java | 340 ------------------ .../decryption_verification/package-info.java | 8 - .../OpenPGPAnimalSnifferInputStream.kt | 321 +++++++++++++++++ .../OpenPgpMessageInputStream.kt | 2 +- .../kotlin/org/pgpainless/util/ArmorUtils.kt | 4 +- ... OpenPGPAnimalSnifferInputStreamTest.java} | 22 +- .../kotlin/org/pgpainless/sop/ArmorImpl.kt | 4 +- .../org/pgpainless/sop/InlineDetachImpl.kt | 6 +- 8 files changed, 340 insertions(+), 367 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStream.kt rename pgpainless-core/src/test/java/org/pgpainless/decryption_verification/{OpenPgpInputStreamTest.java => OpenPGPAnimalSnifferInputStreamTest.java} (97%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java deleted file mode 100644 index 491f5d43..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java +++ /dev/null @@ -1,340 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.decryption_verification; - -import static org.bouncycastle.bcpg.PacketTags.AEAD_ENC_DATA; -import static org.bouncycastle.bcpg.PacketTags.COMPRESSED_DATA; -import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_1; -import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_2; -import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_3; -import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_4; -import static org.bouncycastle.bcpg.PacketTags.LITERAL_DATA; -import static org.bouncycastle.bcpg.PacketTags.MARKER; -import static org.bouncycastle.bcpg.PacketTags.MOD_DETECTION_CODE; -import static org.bouncycastle.bcpg.PacketTags.ONE_PASS_SIGNATURE; -import static org.bouncycastle.bcpg.PacketTags.PADDING; -import static org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY; -import static org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY_ENC_SESSION; -import static org.bouncycastle.bcpg.PacketTags.PUBLIC_SUBKEY; -import static org.bouncycastle.bcpg.PacketTags.RESERVED; -import static org.bouncycastle.bcpg.PacketTags.SECRET_KEY; -import static org.bouncycastle.bcpg.PacketTags.SECRET_SUBKEY; -import static org.bouncycastle.bcpg.PacketTags.SIGNATURE; -import static org.bouncycastle.bcpg.PacketTags.SYMMETRIC_KEY_ENC; -import static org.bouncycastle.bcpg.PacketTags.SYMMETRIC_KEY_ENC_SESSION; -import static org.bouncycastle.bcpg.PacketTags.SYM_ENC_INTEGRITY_PRO; -import static org.bouncycastle.bcpg.PacketTags.TRUST; -import static org.bouncycastle.bcpg.PacketTags.USER_ATTRIBUTE; -import static org.bouncycastle.bcpg.PacketTags.USER_ID; - -import java.io.BufferedInputStream; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.nio.charset.Charset; - -import org.bouncycastle.bcpg.AEADEncDataPacket; -import org.bouncycastle.bcpg.BCPGInputStream; -import org.bouncycastle.bcpg.CompressedDataPacket; -import org.bouncycastle.bcpg.LiteralDataPacket; -import org.bouncycastle.bcpg.MarkerPacket; -import org.bouncycastle.bcpg.OnePassSignaturePacket; -import org.bouncycastle.bcpg.Packet; -import org.bouncycastle.bcpg.PacketFormat; -import org.bouncycastle.bcpg.PublicKeyEncSessionPacket; -import org.bouncycastle.bcpg.PublicKeyPacket; -import org.bouncycastle.bcpg.SecretKeyPacket; -import org.bouncycastle.bcpg.SignaturePacket; -import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket; -import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket; -import org.bouncycastle.bcpg.UnsupportedPacketVersionException; -import org.bouncycastle.openpgp.PGPCompressedData; -import org.bouncycastle.openpgp.PGPEncryptedData; -import org.bouncycastle.openpgp.PGPLiteralData; -import org.bouncycastle.openpgp.PGPOnePassSignature; -import org.bouncycastle.util.Arrays; -import org.pgpainless.algorithm.AEADAlgorithm; -import org.pgpainless.algorithm.CompressionAlgorithm; -import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.algorithm.PublicKeyAlgorithm; -import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.algorithm.SymmetricKeyAlgorithm; - -/** - * InputStream used to determine the nature of potential OpenPGP data. - */ -public class OpenPgpInputStream extends BufferedInputStream { - - @SuppressWarnings("CharsetObjectCanBeUsed") - private static final byte[] ARMOR_HEADER = "-----BEGIN PGP ".getBytes(Charset.forName("UTF8")); - - // Buffer beginning bytes of the data - public static final int MAX_BUFFER_SIZE = 8192 * 2; - - private final byte[] buffer; - private final int bufferLen; - - private boolean containsArmorHeader; - private boolean containsOpenPgpPackets; - private boolean isLikelyOpenPgpMessage; - - public OpenPgpInputStream(InputStream in, boolean check) throws IOException { - super(in, MAX_BUFFER_SIZE); - - mark(MAX_BUFFER_SIZE); - buffer = new byte[MAX_BUFFER_SIZE]; - bufferLen = read(buffer); - reset(); - - if (check) { - inspectBuffer(); - } - } - - public OpenPgpInputStream(InputStream in) throws IOException { - this(in, true); - } - - private void inspectBuffer() throws IOException { - if (checkForAsciiArmor()) { - return; - } - - checkForBinaryOpenPgp(); - } - - private boolean checkForAsciiArmor() { - if (startsWithIgnoringWhitespace(buffer, ARMOR_HEADER, bufferLen)) { - containsArmorHeader = true; - return true; - } - return false; - } - - /** - * This method is still brittle. - * Basically we try to parse OpenPGP packets from the buffer. - * If we run into exceptions, then we know that the data is non-OpenPGP'ish. - *

- * This breaks down though if we read plausible garbage where the data accidentally makes sense, - * or valid, yet incomplete packets (remember, we are still only working on a portion of the data). - */ - private void checkForBinaryOpenPgp() throws IOException { - if (bufferLen == -1) { - // Empty data - return; - } - - ByteArrayInputStream bufferIn = new ByteArrayInputStream(buffer, 0, bufferLen); - BCPGInputStream pIn = new BCPGInputStream(bufferIn); - try { - nonExhaustiveParseAndCheckPlausibility(pIn); - } catch (IOException | UnsupportedPacketVersionException | NegativeArraySizeException e) { - return; - } - } - - private void nonExhaustiveParseAndCheckPlausibility(BCPGInputStream packetIn) - throws IOException { - Packet packet = packetIn.readPacket(); - switch (packet.getPacketTag()) { - case PUBLIC_KEY_ENC_SESSION: - PublicKeyEncSessionPacket pkesk = (PublicKeyEncSessionPacket) packet; - if (PublicKeyAlgorithm.fromId(pkesk.getAlgorithm()) == null) { - return; - } - break; - - case SIGNATURE: - SignaturePacket sig = (SignaturePacket) packet; - if (SignatureType.fromCode(sig.getSignatureType()) == null) { - return; - } - if (PublicKeyAlgorithm.fromId(sig.getKeyAlgorithm()) == null) { - return; - } - if (HashAlgorithm.fromId(sig.getHashAlgorithm()) == null) { - return; - } - break; - - case ONE_PASS_SIGNATURE: - OnePassSignaturePacket ops = (OnePassSignaturePacket) packet; - if (SignatureType.fromCode(ops.getSignatureType()) == null) { - return; - } - if (PublicKeyAlgorithm.fromId(ops.getKeyAlgorithm()) == null) { - return; - } - if (HashAlgorithm.fromId(ops.getHashAlgorithm()) == null) { - return; - } - break; - - case SYMMETRIC_KEY_ENC_SESSION: - SymmetricKeyEncSessionPacket skesk = (SymmetricKeyEncSessionPacket) packet; - if (SymmetricKeyAlgorithm.fromId(skesk.getEncAlgorithm()) == null) { - return; - } - break; - - case SECRET_KEY: - SecretKeyPacket secKey = (SecretKeyPacket) packet; - PublicKeyPacket sPubKey = secKey.getPublicKeyPacket(); - if (PublicKeyAlgorithm.fromId(sPubKey.getAlgorithm()) == null) { - return; - } - if (sPubKey.getVersion() < 3 && sPubKey.getVersion() > 6) { - return; - } - break; - - case PUBLIC_KEY: - PublicKeyPacket pubKey = (PublicKeyPacket) packet; - if (PublicKeyAlgorithm.fromId(pubKey.getAlgorithm()) == null) { - return; - } - if (pubKey.getVersion() < 3 && pubKey.getVersion() > 6) { - return; - } - break; - - case COMPRESSED_DATA: - CompressedDataPacket comp = (CompressedDataPacket) packet; - if (CompressionAlgorithm.fromId(comp.getAlgorithm()) == null) { - return; - } - break; - - case SYMMETRIC_KEY_ENC: - // Not much we can check here - break; - - case MARKER: - MarkerPacket m = (MarkerPacket) packet; - if (!Arrays.areEqual( - m.getEncoded(PacketFormat.CURRENT), - new byte[] {(byte) 0xca, 0x03, 0x50, 0x47, 0x50})) { - return; - } - break; - - case LITERAL_DATA: - LiteralDataPacket lit = (LiteralDataPacket) packet; - if (lit.getFormat() != 'b' && - lit.getFormat() != 'u' && - lit.getFormat() != 't' && - lit.getFormat() != 'l' && - lit.getFormat() != '1' && - lit.getFormat() != 'm') { - return; - } - break; - - case SYM_ENC_INTEGRITY_PRO: - SymmetricEncIntegrityPacket seipd = (SymmetricEncIntegrityPacket) packet; - if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_1) { - break; // not much to check here - } - if (seipd.getVersion() != SymmetricEncIntegrityPacket.VERSION_2) { - if (SymmetricKeyAlgorithm.fromId(seipd.getCipherAlgorithm()) == null) { - return; - } - if (AEADAlgorithm.fromId(seipd.getAeadAlgorithm()) == null) { - return; - } - } - break; - - case AEAD_ENC_DATA: - AEADEncDataPacket oed = (AEADEncDataPacket) packet; - if (SymmetricKeyAlgorithm.fromId(oed.getAlgorithm()) == null) { - return; - } - break; - - case RESERVED: // this Packet Type ID MUST NOT be used - case PUBLIC_SUBKEY: // Never found at the start of a stream - case SECRET_SUBKEY: // Never found at the start of a stream - case TRUST: // Never found at the start of a stream - case MOD_DETECTION_CODE: // At the end of SED data - Never found at the start of a stream - case USER_ID: // Never found at the start of a stream - case USER_ATTRIBUTE: // Never found at the start of a stream - case PADDING: // At the end of messages (optionally padded message) or certificates - case EXPERIMENTAL_1: // experimental - case EXPERIMENTAL_2: // experimental - case EXPERIMENTAL_3: // experimental - case EXPERIMENTAL_4: // experimental - containsOpenPgpPackets = true; - isLikelyOpenPgpMessage = false; - return; - default: - return; - } - - containsOpenPgpPackets = true; - if (packet.getPacketTag() != SYMMETRIC_KEY_ENC) { - isLikelyOpenPgpMessage = true; - } - } - - private boolean startsWithIgnoringWhitespace(byte[] bytes, byte[] subsequence, int bufferLen) { - if (bufferLen == -1) { - return false; - } - - for (int i = 0; i < bufferLen; i++) { - // Working on bytes is not trivial with unicode data, but its good enough here - if (Character.isWhitespace(bytes[i])) { - continue; - } - - if ((i + subsequence.length) > bytes.length) { - return false; - } - - for (int j = 0; j < subsequence.length; j++) { - if (bytes[i + j] != subsequence[j]) { - return false; - } - } - return true; - } - return false; - } - - public boolean isAsciiArmored() { - return containsArmorHeader; - } - - /** - * Return true, if the data is possibly binary OpenPGP. - * The criterion for this are less strict than for {@link #isLikelyOpenPgpMessage()}, - * as it also accepts other OpenPGP packets at the beginning of the data stream. - *

- * Use with caution. - * - * @return true if data appears to be binary OpenPGP data - */ - public boolean isBinaryOpenPgp() { - return containsOpenPgpPackets; - } - - /** - * Returns true, if the underlying data is very likely (more than 99,9%) an OpenPGP message. - * OpenPGP Message means here that it starts with either an {@link PGPEncryptedData}, - * {@link PGPCompressedData}, {@link PGPOnePassSignature} or {@link PGPLiteralData} packet. - * The plausibility of these data packets is checked as far as possible. - * - * @return true if likely OpenPGP message - */ - public boolean isLikelyOpenPgpMessage() { - return isLikelyOpenPgpMessage; - } - - public boolean isNonOpenPgp() { - return !isAsciiArmored() && !isBinaryOpenPgp(); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java deleted file mode 100644 index 07e7cd3d..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Classes used to decryption and verification of OpenPGP encrypted / signed data. - */ -package org.pgpainless.decryption_verification; diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStream.kt new file mode 100644 index 00000000..8eb7f44c --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStream.kt @@ -0,0 +1,321 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification + +import java.io.BufferedInputStream +import java.io.ByteArrayInputStream +import java.io.InputStream +import org.bouncycastle.bcpg.AEADEncDataPacket +import org.bouncycastle.bcpg.BCPGInputStream +import org.bouncycastle.bcpg.CompressedDataPacket +import org.bouncycastle.bcpg.LiteralDataPacket +import org.bouncycastle.bcpg.MarkerPacket +import org.bouncycastle.bcpg.OnePassSignaturePacket +import org.bouncycastle.bcpg.PacketFormat +import org.bouncycastle.bcpg.PacketTags.AEAD_ENC_DATA +import org.bouncycastle.bcpg.PacketTags.COMPRESSED_DATA +import org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_1 +import org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_2 +import org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_3 +import org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_4 +import org.bouncycastle.bcpg.PacketTags.LITERAL_DATA +import org.bouncycastle.bcpg.PacketTags.MARKER +import org.bouncycastle.bcpg.PacketTags.MOD_DETECTION_CODE +import org.bouncycastle.bcpg.PacketTags.ONE_PASS_SIGNATURE +import org.bouncycastle.bcpg.PacketTags.PADDING +import org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY +import org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY_ENC_SESSION +import org.bouncycastle.bcpg.PacketTags.PUBLIC_SUBKEY +import org.bouncycastle.bcpg.PacketTags.RESERVED +import org.bouncycastle.bcpg.PacketTags.SECRET_KEY +import org.bouncycastle.bcpg.PacketTags.SECRET_SUBKEY +import org.bouncycastle.bcpg.PacketTags.SIGNATURE +import org.bouncycastle.bcpg.PacketTags.SYMMETRIC_KEY_ENC +import org.bouncycastle.bcpg.PacketTags.SYMMETRIC_KEY_ENC_SESSION +import org.bouncycastle.bcpg.PacketTags.SYM_ENC_INTEGRITY_PRO +import org.bouncycastle.bcpg.PacketTags.TRUST +import org.bouncycastle.bcpg.PacketTags.USER_ATTRIBUTE +import org.bouncycastle.bcpg.PacketTags.USER_ID +import org.bouncycastle.bcpg.PublicKeyEncSessionPacket +import org.bouncycastle.bcpg.PublicKeyPacket +import org.bouncycastle.bcpg.SecretKeyPacket +import org.bouncycastle.bcpg.SignaturePacket +import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket +import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket +import org.bouncycastle.util.Arrays +import org.pgpainless.algorithm.AEADAlgorithm +import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.algorithm.HashAlgorithm +import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.algorithm.SignatureType +import org.pgpainless.algorithm.SymmetricKeyAlgorithm + +/** + * InputStream used to determine the nature of potential OpenPGP data. + * + * @param input underlying input stream + * @param check whether to perform the costly checking inside the constructor + */ +class OpenPGPAnimalSnifferInputStream(input: InputStream, check: Boolean) : + BufferedInputStream(input) { + + private val buffer: ByteArray + private val bufferLen: Int + + private var containsArmorHeader: Boolean = false + private var containsOpenPgpPackets: Boolean = false + private var resemblesMessage: Boolean = false + + init { + mark(MAX_BUFFER_SIZE) + buffer = ByteArray(MAX_BUFFER_SIZE) + bufferLen = read(buffer) + reset() + + if (check) { + inspectBuffer() + } + } + + constructor(input: InputStream) : this(input, true) + + /** Return true, if the underlying data is ASCII armored. */ + val isAsciiArmored: Boolean + get() = containsArmorHeader + + /** + * Return true, if the data is possibly binary OpenPGP. The criterion for this are less strict + * than for [resemblesMessage], as it also accepts other OpenPGP packets at the beginning of the + * data stream. + * + *

+ * Use with caution. + * + * @return true if data appears to be binary OpenPGP data + */ + val isBinaryOpenPgp: Boolean + get() = containsOpenPgpPackets + + /** + * Returns true, if the underlying data is very likely (more than 99,9%) an OpenPGP message. + * OpenPGP Message means here that it starts with either a [PGPEncryptedData], + * [PGPCompressedData], [PGPOnePassSignature] or [PGPLiteralData] packet. The plausibility of + * these data packets is checked as far as possible. + * + * @return true if likely OpenPGP message + */ + val isLikelyOpenPgpMessage: Boolean + get() = resemblesMessage + + /** Return true, if the underlying data is non-OpenPGP data. */ + val isNonOpenPgp: Boolean + get() = !isAsciiArmored && !isBinaryOpenPgp + + /** Costly perform a plausibility check of the first encountered OpenPGP packet. */ + fun inspectBuffer() { + if (checkForAsciiArmor()) { + return + } + + checkForBinaryOpenPgp() + } + + private fun checkForAsciiArmor(): Boolean { + if (startsWithIgnoringWhitespace(buffer, ARMOR_HEADER, bufferLen)) { + containsArmorHeader = true + return true + } + return false + } + + /** + * This method is still brittle. Basically we try to parse OpenPGP packets from the buffer. If + * we run into exceptions, then we know that the data is non-OpenPGP'ish. + * + *

+ * This breaks down though if we read plausible garbage where the data accidentally makes sense, + * or valid, yet incomplete packets (remember, we are still only working on a portion of the + * data). + */ + private fun checkForBinaryOpenPgp() { + if (bufferLen == -1) { + // empty data + return + } + + val bufferIn = ByteArrayInputStream(buffer, 0, bufferLen) + val pIn = BCPGInputStream(bufferIn) + try { + nonExhaustiveParseAndCheckPlausibility(pIn) + } catch (e: Exception) { + return + } + } + + private fun nonExhaustiveParseAndCheckPlausibility(packetIn: BCPGInputStream) { + val packet = packetIn.readPacket() + when (packet.packetTag) { + PUBLIC_KEY_ENC_SESSION -> { + packet as PublicKeyEncSessionPacket + if (PublicKeyAlgorithm.fromId(packet.algorithm) == null) { + return + } + } + SIGNATURE -> { + packet as SignaturePacket + if (SignatureType.fromCode(packet.signatureType) == null) { + return + } + if (PublicKeyAlgorithm.fromId(packet.keyAlgorithm) == null) { + return + } + if (HashAlgorithm.fromId(packet.hashAlgorithm) == null) { + return + } + } + ONE_PASS_SIGNATURE -> { + packet as OnePassSignaturePacket + if (SignatureType.fromCode(packet.signatureType) == null) { + return + } + if (PublicKeyAlgorithm.fromId(packet.keyAlgorithm) == null) { + return + } + if (HashAlgorithm.fromId(packet.hashAlgorithm) == null) { + return + } + } + SYMMETRIC_KEY_ENC_SESSION -> { + packet as SymmetricKeyEncSessionPacket + if (SymmetricKeyAlgorithm.fromId(packet.encAlgorithm) == null) { + return + } + } + SECRET_KEY -> { + packet as SecretKeyPacket + val publicKey = packet.publicKeyPacket + if (PublicKeyAlgorithm.fromId(publicKey.algorithm) == null) { + return + } + if (publicKey.version !in 3..6) { + return + } + } + PUBLIC_KEY -> { + packet as PublicKeyPacket + if (PublicKeyAlgorithm.fromId(packet.algorithm) == null) { + return + } + if (packet.version !in 3..6) { + return + } + } + COMPRESSED_DATA -> { + packet as CompressedDataPacket + if (CompressionAlgorithm.fromId(packet.algorithm) == null) { + return + } + } + SYMMETRIC_KEY_ENC -> { + // Not much we can check here + } + MARKER -> { + packet as MarkerPacket + if (!Arrays.areEqual( + packet.getEncoded(PacketFormat.CURRENT), + byteArrayOf(0xca.toByte(), 0x03, 0x50, 0x47, 0x50), + )) { + return + } + } + LITERAL_DATA -> { + packet as LiteralDataPacket + if (packet.format.toChar() !in charArrayOf('b', 'u', 't', 'l', '1', 'm')) { + return + } + } + SYM_ENC_INTEGRITY_PRO -> { + packet as SymmetricEncIntegrityPacket + if (packet.version !in + intArrayOf( + SymmetricEncIntegrityPacket.VERSION_1, + SymmetricEncIntegrityPacket.VERSION_2)) { + return + } + + if (packet.version == SymmetricEncIntegrityPacket.VERSION_2) { + if (SymmetricKeyAlgorithm.fromId(packet.cipherAlgorithm) == null) { + return + } + if (AEADAlgorithm.fromId(packet.aeadAlgorithm) == null) { + return + } + } + } + AEAD_ENC_DATA -> { + packet as AEADEncDataPacket + if (SymmetricKeyAlgorithm.fromId(packet.algorithm.toInt()) == null) { + return + } + } + RESERVED, // this Packet Type ID MUST NOT be used + PUBLIC_SUBKEY, // Never found at the start of a stream + SECRET_SUBKEY, // Never found at the start of a stream + TRUST, // Never found at the start of a stream + MOD_DETECTION_CODE, // At the end of SED data - Never found at the start of a stream + USER_ID, // Never found at the start of a stream + USER_ATTRIBUTE, // Never found at the start of a stream + PADDING, // At the end of messages (optionally padded message) or certificates + EXPERIMENTAL_1, // experimental + EXPERIMENTAL_2, // experimental + EXPERIMENTAL_3, // experimental + EXPERIMENTAL_4 -> { // experimental + containsOpenPgpPackets = true + resemblesMessage = false + return + } + else -> return + } + + containsOpenPgpPackets = true + if (packet.packetTag != SYMMETRIC_KEY_ENC) { + resemblesMessage = true + } + } + + private fun startsWithIgnoringWhitespace( + bytes: ByteArray, + subSequence: CharSequence, + bufferLen: Int + ): Boolean { + if (bufferLen == -1) { + return false + } + + for (i in 0 until bufferLen) { + // Working on bytes is not trivial with unicode data, but its good enough here + if (Character.isWhitespace(bytes[i].toInt())) { + continue + } + + if ((i + subSequence.length) > bytes.size) { + return false + } + + for (j in subSequence.indices) { + if (bytes[i + j].toInt().toChar() != subSequence[j]) { + return false + } + } + return true + } + return false + } + + companion object { + const val ARMOR_HEADER = "-----BEGIN PGP " + const val MAX_BUFFER_SIZE = 8192 * 2 + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index a7f1cb22..15695fd6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -1114,7 +1114,7 @@ class OpenPgpMessageInputStream( metadata: Layer, api: PGPainless ): OpenPgpMessageInputStream { - val openPgpIn = OpenPgpInputStream(inputStream) + val openPgpIn = OpenPGPAnimalSnifferInputStream(inputStream) openPgpIn.reset() if (openPgpIn.isNonOpenPgp || options.isForceNonOpenPgpData()) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt index ede45ce6..18b64453 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt @@ -21,7 +21,7 @@ import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPUtil import org.bouncycastle.util.io.Streams import org.pgpainless.algorithm.HashAlgorithm -import org.pgpainless.decryption_verification.OpenPgpInputStream +import org.pgpainless.decryption_verification.OpenPGPAnimalSnifferInputStream import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.util.KeyRingUtils @@ -422,7 +422,7 @@ class ArmorUtils { @JvmStatic @Throws(IOException::class) fun getDecoderStream(inputStream: InputStream): InputStream = - OpenPgpInputStream(inputStream).let { + OpenPGPAnimalSnifferInputStream(inputStream).let { if (it.isAsciiArmored) { PGPUtil.getDecoderStream(ArmoredInputStreamFactory.get(it)) } else { diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStreamTest.java similarity index 97% rename from pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStreamTest.java index 8534cb60..2d00c8ae 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPGPAnimalSnifferInputStreamTest.java @@ -30,7 +30,7 @@ import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.key.protection.SecretKeyRingProtector; -public class OpenPgpInputStreamTest { +public class OpenPGPAnimalSnifferInputStreamTest { private static final Random RANDOM = new Random(); @@ -40,7 +40,7 @@ public class OpenPgpInputStreamTest { RANDOM.nextBytes(randomBytes); ByteArrayInputStream randomIn = new ByteArrayInputStream(randomBytes); - OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(randomIn); + OpenPGPAnimalSnifferInputStream openPgpInputStream = new OpenPGPAnimalSnifferInputStream(randomIn); assertFalse(openPgpInputStream.isAsciiArmored()); assertFalse(openPgpInputStream.isLikelyOpenPgpMessage(), Hex.toHexString(randomBytes, 0, 150)); @@ -56,7 +56,7 @@ public class OpenPgpInputStreamTest { public void largeCompressedDataIsBinaryOpenPgp() throws IOException { // Since we are compressing RANDOM data, the output will likely be roughly the same size // So we very likely will end up with data larger than the MAX_BUFFER_SIZE - byte[] randomBytes = new byte[OpenPgpInputStream.MAX_BUFFER_SIZE * 10]; + byte[] randomBytes = new byte[OpenPGPAnimalSnifferInputStream.MAX_BUFFER_SIZE * 10]; RANDOM.nextBytes(randomBytes); ByteArrayOutputStream compressedDataPacket = new ByteArrayOutputStream(); @@ -65,7 +65,7 @@ public class OpenPgpInputStreamTest { compressor.write(randomBytes); compressor.close(); - OpenPgpInputStream inputStream = new OpenPgpInputStream(new ByteArrayInputStream(compressedDataPacket.toByteArray())); + OpenPGPAnimalSnifferInputStream inputStream = new OpenPGPAnimalSnifferInputStream(new ByteArrayInputStream(compressedDataPacket.toByteArray())); assertFalse(inputStream.isAsciiArmored()); assertFalse(inputStream.isNonOpenPgp()); assertTrue(inputStream.isBinaryOpenPgp()); @@ -90,7 +90,7 @@ public class OpenPgpInputStreamTest { "-----END PGP MESSAGE-----"; ByteArrayInputStream asciiIn = new ByteArrayInputStream(asciiArmoredMessage.getBytes(StandardCharsets.UTF_8)); - OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(asciiIn); + OpenPGPAnimalSnifferInputStream openPgpInputStream = new OpenPGPAnimalSnifferInputStream(asciiIn); assertTrue(openPgpInputStream.isAsciiArmored()); assertFalse(openPgpInputStream.isNonOpenPgp()); @@ -663,9 +663,9 @@ public class OpenPgpInputStreamTest { @Test public void longAsciiArmoredMessageIsAsciiArmored() throws IOException { byte[] asciiArmoredBytes = longAsciiArmoredMessage.getBytes(StandardCharsets.UTF_8); - assertTrue(asciiArmoredBytes.length > OpenPgpInputStream.MAX_BUFFER_SIZE); + assertTrue(asciiArmoredBytes.length > OpenPGPAnimalSnifferInputStream.MAX_BUFFER_SIZE); ByteArrayInputStream asciiIn = new ByteArrayInputStream(asciiArmoredBytes); - OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(asciiIn); + OpenPGPAnimalSnifferInputStream openPgpInputStream = new OpenPGPAnimalSnifferInputStream(asciiIn); assertTrue(openPgpInputStream.isAsciiArmored()); assertFalse(openPgpInputStream.isNonOpenPgp()); @@ -694,7 +694,7 @@ public class OpenPgpInputStreamTest { byte[] binaryBytes = binaryOut.toByteArray(); ByteArrayInputStream binaryIn = new ByteArrayInputStream(binaryBytes); - OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(binaryIn); + OpenPGPAnimalSnifferInputStream openPgpInputStream = new OpenPGPAnimalSnifferInputStream(binaryIn); assertTrue(openPgpInputStream.isBinaryOpenPgp()); assertFalse(openPgpInputStream.isAsciiArmored()); @@ -714,7 +714,7 @@ public class OpenPgpInputStreamTest { byte[] binaryBytes = binaryOut.toByteArray(); ByteArrayInputStream binaryIn = new ByteArrayInputStream(binaryBytes); - OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(binaryIn); + OpenPGPAnimalSnifferInputStream openPgpInputStream = new OpenPGPAnimalSnifferInputStream(binaryIn); assertTrue(openPgpInputStream.isBinaryOpenPgp()); assertFalse(openPgpInputStream.isAsciiArmored()); @@ -728,7 +728,7 @@ public class OpenPgpInputStreamTest { @Test public void emptyStreamTest() throws IOException { ByteArrayInputStream in = new ByteArrayInputStream(new byte[0]); - OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(in); + OpenPGPAnimalSnifferInputStream openPgpInputStream = new OpenPGPAnimalSnifferInputStream(in); assertFalse(openPgpInputStream.isBinaryOpenPgp()); assertFalse(openPgpInputStream.isAsciiArmored()); @@ -755,7 +755,7 @@ public class OpenPgpInputStreamTest { byte[] binary = signedOut.toByteArray(); - OpenPgpInputStream openPgpIn = new OpenPgpInputStream(new ByteArrayInputStream(binary)); + OpenPGPAnimalSnifferInputStream openPgpIn = new OpenPGPAnimalSnifferInputStream(new ByteArrayInputStream(binary)); assertFalse(openPgpIn.isAsciiArmored()); assertTrue(openPgpIn.isLikelyOpenPgpMessage()); } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt index daffcd30..be2f272f 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ArmorImpl.kt @@ -10,7 +10,7 @@ import java.io.OutputStream import kotlin.jvm.Throws import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless -import org.pgpainless.decryption_verification.OpenPgpInputStream +import org.pgpainless.decryption_verification.OpenPGPAnimalSnifferInputStream import org.pgpainless.util.ArmoredOutputStreamFactory import sop.Ready import sop.exception.SOPGPException @@ -27,7 +27,7 @@ class ArmorImpl(private val api: PGPainless) : Armor { val bufferedOutputStream = BufferedOutputStream(outputStream) // Determine the nature of the given data - val openPgpIn = OpenPgpInputStream(data) + val openPgpIn = OpenPGPAnimalSnifferInputStream(data) openPgpIn.reset() if (openPgpIn.isAsciiArmored) { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt index 6a751550..6c571163 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/InlineDetachImpl.kt @@ -15,7 +15,7 @@ import org.bouncycastle.openpgp.PGPOnePassSignatureList import org.bouncycastle.openpgp.PGPSignatureList import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless -import org.pgpainless.decryption_verification.OpenPgpInputStream +import org.pgpainless.decryption_verification.OpenPGPAnimalSnifferInputStream import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil import org.pgpainless.exception.WrongConsumingMethodException import org.pgpainless.util.ArmoredOutputStreamFactory @@ -35,7 +35,7 @@ class InlineDetachImpl(private val api: PGPainless) : InlineDetach { private val sigOut = ByteArrayOutputStream() override fun writeTo(outputStream: OutputStream): Signatures { - var pgpIn = OpenPgpInputStream(messageInputStream) + var pgpIn = OpenPGPAnimalSnifferInputStream(messageInputStream) if (pgpIn.isNonOpenPgp) { throw SOPGPException.BadData("Data appears to be non-OpenPGP.") } @@ -61,7 +61,7 @@ class InlineDetachImpl(private val api: PGPainless) : InlineDetach { } // else just dearmor - pgpIn = OpenPgpInputStream(armorIn) + pgpIn = OpenPGPAnimalSnifferInputStream(armorIn) } // If data was not using cleartext signature framework From aaf88b8d3e918267e5955abbbab8fba178677b09 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 14:56:35 +0200 Subject: [PATCH 211/265] Remove usage of OpenPgpKeyAttributeUtil --- .../java/org/pgpainless/key/package-info.java | 8 -- .../key/util/OpenPgpKeyAttributeUtil.java | 113 ------------------ .../org/pgpainless/key/util/package-info.java | 8 -- .../builder/AbstractSignatureBuilder.kt | 21 +--- .../util/GuessPreferredHashAlgorithmTest.java | 43 ------- 5 files changed, 5 insertions(+), 188 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/package-info.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java deleted file mode 100644 index 060cd540..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Classes related to OpenPGP keys. - */ -package org.pgpainless.key; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java deleted file mode 100644 index f7a78404..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java +++ /dev/null @@ -1,113 +0,0 @@ -// SPDX-FileCopyrightText: 2020 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.key.util; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.Date; -import java.util.Iterator; -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Set; - -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSignature; -import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.algorithm.SignatureType; - -public final class OpenPgpKeyAttributeUtil { - - private OpenPgpKeyAttributeUtil() { - - } - - public static List getPreferredHashAlgorithms(PGPPublicKey publicKey) { - List hashAlgorithms = new ArrayList<>(); - Iterator keySignatures = publicKey.getSignatures(); - while (keySignatures.hasNext()) { - PGPSignature signature = (PGPSignature) keySignatures.next(); - - if (signature.getKeyID() != publicKey.getKeyID()) { - // Signature from a foreign key. Skip. - continue; - } - - SignatureType signatureType = SignatureType.fromCode(signature.getSignatureType()); - if (signatureType == null) { - // unknown signature type - continue; - } - if (signatureType == SignatureType.POSITIVE_CERTIFICATION - || signatureType == SignatureType.GENERIC_CERTIFICATION) { - int[] hashAlgos = signature.getHashedSubPackets().getPreferredHashAlgorithms(); - if (hashAlgos == null) { - continue; - } - for (int h : hashAlgos) { - HashAlgorithm algorithm = HashAlgorithm.fromId(h); - if (algorithm != null) { - hashAlgorithms.add(algorithm); - } - } - // Exit the loop after the first key signature with hash algorithms. - break; - } - } - return hashAlgorithms; - } - - /** - * Return the hash algorithm that was used in the latest self signature. - * - * @param publicKey public key - * @return list of hash algorithm - */ - public static List guessPreferredHashAlgorithms(PGPPublicKey publicKey) { - HashAlgorithm hashAlgorithm = null; - Date lastCreationDate = null; - - Iterator keySignatures = publicKey.getSignatures(); - while (keySignatures.hasNext()) { - PGPSignature signature = (PGPSignature) keySignatures.next(); - if (signature.getKeyID() != publicKey.getKeyID()) { - continue; - } - - SignatureType signatureType = SignatureType.fromCode(signature.getSignatureType()); - if (signatureType == null || signatureType != SignatureType.POSITIVE_CERTIFICATION - && signatureType != SignatureType.GENERIC_CERTIFICATION) { - continue; - } - - Date creationDate = signature.getCreationTime(); - if (lastCreationDate == null || lastCreationDate.before(creationDate)) { - lastCreationDate = creationDate; - hashAlgorithm = HashAlgorithm.fromId(signature.getHashAlgorithm()); - } - } - - if (hashAlgorithm == null) { - return Collections.emptyList(); - } - return Collections.singletonList(hashAlgorithm); - } - - /** - * Try to extract hash algorithm preferences from self signatures. - * If no self-signature containing hash algorithm preferences is found, - * try to derive a hash algorithm preference by inspecting the hash algorithm used by existing - * self-signatures. - * - * @param publicKey key - * @return hash algorithm preferences (might be empty!) - */ - public static Set getOrGuessPreferredHashAlgorithms(PGPPublicKey publicKey) { - List preferredHashAlgorithms = OpenPgpKeyAttributeUtil.getPreferredHashAlgorithms(publicKey); - if (preferredHashAlgorithms.isEmpty()) { - preferredHashAlgorithms = OpenPgpKeyAttributeUtil.guessPreferredHashAlgorithms(publicKey); - } - return new LinkedHashSet<>(preferredHashAlgorithms); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java deleted file mode 100644 index 4609c126..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2020 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Utility functions to deal with OpenPGP keys. - */ -package org.pgpainless.key.util; diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt index 4fa7ba31..cc2fb19d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt @@ -6,7 +6,6 @@ package org.pgpainless.signature.builder import java.util.function.Predicate import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPublicKey import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.PGPSignatureGenerator import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey @@ -14,10 +13,9 @@ import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SignatureType -import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator +import org.pgpainless.bouncycastle.extensions.toHashAlgorithms import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.protection.UnlockSecretKey -import org.pgpainless.key.util.OpenPgpKeyAttributeUtil import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper @@ -127,20 +125,11 @@ abstract class AbstractSignatureBuilder>( companion object { - /** - * Negotiate a [HashAlgorithm] to be used when creating the signature. - * - * @param publicKey signing public key - * @return hash algorithm - */ - @JvmStatic - fun negotiateHashAlgorithm(publicKey: PGPPublicKey, api: PGPainless): HashAlgorithm = - HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(api.algorithmPolicy) - .negotiateHashAlgorithm( - OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey)) - @JvmStatic fun negotiateHashAlgorithm(key: OpenPGPComponentKey, api: PGPainless): HashAlgorithm = - negotiateHashAlgorithm(key.pgpPublicKey, api) + key.hashAlgorithmPreferences?.toHashAlgorithms()?.first { + api.algorithmPolicy.dataSignatureHashAlgorithmPolicy.isAcceptable(it) + } + ?: api.algorithmPolicy.dataSignatureHashAlgorithmPolicy.defaultHashAlgorithm } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java deleted file mode 100644 index 136f0eef..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ /dev/null @@ -1,43 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util; - -import static org.junit.jupiter.api.Assertions.assertEquals; - -import java.util.Collections; - -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.api.Test; -import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.AlgorithmSuite; -import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.algorithm.OpenPGPKeyVersion; -import org.pgpainless.key.generation.KeySpec; -import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; -import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; - -public class GuessPreferredHashAlgorithmTest { - - @Test - public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() { - PGPainless api = PGPainless.getInstance(); - PGPSecretKeyRing secretKeys = api.buildKey(OpenPGPKeyVersion.v4) - .withPreferences(AlgorithmSuite.emptyBuilder().build()) - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), - KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) - .addUserId("test@test.test") - .build() - .getPGPSecretKeyRing(); - - PGPPublicKey publicKey = secretKeys.getPublicKey(); - assertEquals(Collections.emptyList(), - OpenPgpKeyAttributeUtil.getPreferredHashAlgorithms(publicKey)); - assertEquals(Collections.singletonList(HashAlgorithm.SHA512), - OpenPgpKeyAttributeUtil.guessPreferredHashAlgorithms(publicKey)); - } -} From 0e6fa4b619157d9bc35695c2b940254815c4151e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 16:16:08 +0200 Subject: [PATCH 212/265] Port Exception classes to Kotlin --- .../pgpainless/exception/KeyException.java | 190 ---------------- .../exception/KeyIntegrityException.java | 16 -- .../MalformedOpenPgpMessageException.java | 30 --- ...MessageNotIntegrityProtectedException.java | 15 -- .../MissingDecryptionMethodException.java | 19 -- .../exception/MissingPassphraseException.java | 26 --- .../ModificationDetectionException.java | 14 -- .../SignatureValidationException.java | 44 ---- .../UnacceptableAlgorithmException.java | 17 -- .../WrongConsumingMethodException.java | 14 -- .../exception/WrongPassphraseException.java | 27 --- .../pgpainless/exception/package-info.java | 8 - .../java/org/pgpainless/package-info.java | 10 - .../org/pgpainless/exception/KeyException.kt | 203 ++++++++++++++++++ .../exception/KeyIntegrityException.kt | 13 ++ .../MalformedOpenPgpMessageException.kt | 29 +++ .../MessageNotIntegrityProtectedException.kt | 13 ++ .../MissingDecryptionMethodException.kt | 14 ++ .../exception/MissingPassphraseException.kt | 11 + .../ModificationDetectionException.kt | 10 + .../exception/SignatureValidationException.kt | 42 ++++ .../UnacceptableAlgorithmException.kt | 10 + .../WrongConsumingMethodException.kt | 9 + .../exception/WrongPassphraseException.kt | 23 ++ 24 files changed, 377 insertions(+), 430 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/package-info.java create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyIntegrityException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/MalformedOpenPgpMessageException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/MessageNotIntegrityProtectedException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingDecryptionMethodException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/ModificationDetectionException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/SignatureValidationException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/UnacceptableAlgorithmException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongConsumingMethodException.kt create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongPassphraseException.kt diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java deleted file mode 100644 index 6664dea7..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java +++ /dev/null @@ -1,190 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.bouncycastle.bcpg.KeyIdentifier; -import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.api.OpenPGPCertificate; -import org.pgpainless.algorithm.PublicKeyAlgorithm; -import org.pgpainless.key.OpenPgpFingerprint; -import org.pgpainless.util.DateUtil; - -import javax.annotation.Nonnull; -import javax.annotation.Nullable; -import java.util.Date; - -public abstract class KeyException extends RuntimeException { - - private final OpenPgpFingerprint fingerprint; - - protected KeyException(@Nonnull String message, @Nonnull OpenPgpFingerprint fingerprint) { - super(message); - this.fingerprint = fingerprint; - } - - protected KeyException(@Nonnull String message, @Nonnull OpenPgpFingerprint fingerprint, @Nonnull Throwable underlying) { - super(message, underlying); - this.fingerprint = fingerprint; - } - - public OpenPgpFingerprint getFingerprint() { - return fingerprint; - } - - public static class ExpiredKeyException extends KeyException { - - public ExpiredKeyException(@Nonnull OpenPGPCertificate cert, @Nonnull Date expirationDate) { - this(OpenPgpFingerprint.of(cert), expirationDate); - } - - public ExpiredKeyException(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull Date expirationDate) { - super("Key " + fingerprint + " is expired. Expiration date: " + DateUtil.formatUTCDate(expirationDate), fingerprint); - } - } - - public static class RevokedKeyException extends KeyException { - - public RevokedKeyException(@Nonnull OpenPgpFingerprint fingerprint) { - super("Key " + fingerprint + " appears to be revoked.", fingerprint); - } - - public RevokedKeyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey key) { - super("Subkey " + key.getKeyIdentifier() + " appears to be revoked.", - OpenPgpFingerprint.of(key)); - } - - public RevokedKeyException(@Nonnull OpenPGPCertificate cert) { - super("Key or certificate " + cert.getKeyIdentifier() + " appears to be revoked.", - OpenPgpFingerprint.of(cert)); - } - } - - public static class UnacceptableEncryptionKeyException extends KeyException { - - public UnacceptableEncryptionKeyException(@Nonnull OpenPGPCertificate cert) { - this(OpenPgpFingerprint.of(cert)); - } - - public UnacceptableEncryptionKeyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey subkey) { - super("Subkey " + subkey.getKeyIdentifier() + " is not an acceptable encryption key.", - OpenPgpFingerprint.of(subkey)); - } - - public UnacceptableEncryptionKeyException(@Nonnull OpenPgpFingerprint fingerprint) { - super("Key " + fingerprint + " has no acceptable encryption key.", fingerprint); - } - - public UnacceptableEncryptionKeyException(@Nonnull PublicKeyAlgorithmPolicyException reason) { - super("Key " + reason.getFingerprint() + " has no acceptable encryption key.", reason.getFingerprint(), reason); - } - } - - public static class UnacceptableSigningKeyException extends KeyException { - - public UnacceptableSigningKeyException(OpenPGPCertificate certificate) { - this(OpenPgpFingerprint.of(certificate)); - } - - public UnacceptableSigningKeyException(OpenPGPCertificate.OpenPGPComponentKey subkey) { - this(OpenPgpFingerprint.of(subkey)); - } - - public UnacceptableSigningKeyException(@Nonnull OpenPgpFingerprint fingerprint) { - super("Key " + fingerprint + " has no acceptable signing key.", fingerprint); - } - - public UnacceptableSigningKeyException(@Nonnull PublicKeyAlgorithmPolicyException reason) { - super("Key " + reason.getFingerprint() + " has no acceptable signing key.", reason.getFingerprint(), reason); - } - } - - public static class UnacceptableThirdPartyCertificationKeyException extends KeyException { - - public UnacceptableThirdPartyCertificationKeyException(@Nonnull OpenPgpFingerprint fingerprint) { - super("Key " + fingerprint + " has no acceptable certification key.", fingerprint); - } - } - - public static class UnacceptableSelfSignatureException extends KeyException { - - public UnacceptableSelfSignatureException(@Nonnull OpenPGPCertificate cert) { - this(OpenPgpFingerprint.of(cert)); - } - - public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) { - super("Key " + fingerprint + " does not have a valid/acceptable signature to derive an expiration date from.", fingerprint); - } - } - - public static class MissingSecretKeyException extends KeyException { - - private final KeyIdentifier missingSecretKeyIdentifier; - - public MissingSecretKeyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey publicKey) { - this(OpenPgpFingerprint.of(publicKey.getCertificate()), publicKey.getKeyIdentifier()); - } - - public MissingSecretKeyException(@Nonnull OpenPgpFingerprint fingerprint, KeyIdentifier keyIdentifier) { - super("Key " + fingerprint + " does not contain a secret key for public key " + keyIdentifier, fingerprint); - this.missingSecretKeyIdentifier = keyIdentifier; - } - - @Deprecated - public MissingSecretKeyException(@Nonnull OpenPgpFingerprint fingerprint, long keyId) { - this(fingerprint, new KeyIdentifier(keyId)); - } - - public KeyIdentifier getMissingSecretKeyIdentifier() { - return missingSecretKeyIdentifier; - } - } - - public static class PublicKeyAlgorithmPolicyException extends KeyException { - - private final KeyIdentifier violatingSubkeyId; - - public PublicKeyAlgorithmPolicyException(@Nonnull OpenPGPCertificate.OpenPGPComponentKey subkey, - @Nonnull PublicKeyAlgorithm algorithm, - int bitSize) { - super("Subkey " + subkey.getKeyIdentifier() + " of key " + subkey.getCertificate().getKeyIdentifier() + - " is violating the Public Key Algorithm Policy:\n" + - algorithm + " of size " + bitSize + " is not acceptable.", OpenPgpFingerprint.of(subkey)); - this.violatingSubkeyId = subkey.getKeyIdentifier(); - } - - public PublicKeyAlgorithmPolicyException(@Nonnull OpenPgpFingerprint fingerprint, - long keyId, - @Nonnull PublicKeyAlgorithm algorithm, - int bitSize) { - super("Subkey " + Long.toHexString(keyId) + " of key " + fingerprint + " is violating the Public Key Algorithm Policy:\n" + - algorithm + " of size " + bitSize + " is not acceptable.", fingerprint); - this.violatingSubkeyId = new KeyIdentifier(keyId); - } - - public KeyIdentifier getViolatingSubkeyId() { - return violatingSubkeyId; - } - } - - public static class UnboundUserIdException extends KeyException { - - public UnboundUserIdException(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull String userId, - @Nullable PGPSignature userIdSignature, @Nullable PGPSignature userIdRevocation) { - super(errorMessage(fingerprint, userId, userIdSignature, userIdRevocation), fingerprint); - } - - private static String errorMessage(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull String userId, - @Nullable PGPSignature userIdSignature, @Nullable PGPSignature userIdRevocation) { - String errorMessage = "UserID '" + userId + "' is not valid for key " + fingerprint + ": "; - if (userIdSignature == null) { - return errorMessage + "Missing binding signature."; - } - if (userIdRevocation != null) { - return errorMessage + "UserID is revoked."; - } - return errorMessage + "Unacceptable binding signature."; - } - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java deleted file mode 100644 index b7a87ab7..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java +++ /dev/null @@ -1,16 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -/** - * This exception gets thrown, when the integrity of an OpenPGP key is broken. - * That could happen on accident, or during an active attack, so take this exception seriously. - */ -public class KeyIntegrityException extends AssertionError { - - public KeyIntegrityException() { - super("Key Integrity Exception"); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java deleted file mode 100644 index f98a4048..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java +++ /dev/null @@ -1,30 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.pgpainless.decryption_verification.syntax_check.InputSymbol; -import org.pgpainless.decryption_verification.syntax_check.StackSymbol; -import org.pgpainless.decryption_verification.syntax_check.State; - -/** - * Exception that gets thrown if the OpenPGP message is malformed. - * Malformed messages are messages which do not follow the grammar specified in the RFC. - * - * @see RFC4880 §11.3. OpenPGP Messages - */ -public class MalformedOpenPgpMessageException extends RuntimeException { - - public MalformedOpenPgpMessageException(String message) { - super(message); - } - - public MalformedOpenPgpMessageException(State state, InputSymbol input, StackSymbol stackItem) { - this("There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack."); - } - - public MalformedOpenPgpMessageException(String s, MalformedOpenPgpMessageException e) { - super(s, e); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java deleted file mode 100644 index 1d8559e1..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java +++ /dev/null @@ -1,15 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.bouncycastle.openpgp.PGPException; - -public class MessageNotIntegrityProtectedException extends PGPException { - - public MessageNotIntegrityProtectedException() { - super("Message is encrypted using a 'Symmetrically Encrypted Data' (SED) packet, which enables certain types of attacks. " + - "A 'Symmetrically Encrypted Integrity Protected' (SEIP) packet should be used instead."); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java deleted file mode 100644 index 0e856ba6..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java +++ /dev/null @@ -1,19 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.bouncycastle.openpgp.PGPException; - -/** - * Exception that is thrown when decryption fails due to a missing decryption key or decryption passphrase. - * This can happen when the user does not provide the right set of keys / the right password when decrypting - * a message. - */ -public class MissingDecryptionMethodException extends PGPException { - - public MissingDecryptionMethodException(String message) { - super(message); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java deleted file mode 100644 index 3f8e0799..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java +++ /dev/null @@ -1,26 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import java.util.Arrays; -import java.util.Collections; -import java.util.Set; - -import org.bouncycastle.openpgp.PGPException; -import org.pgpainless.key.SubkeyIdentifier; - -public class MissingPassphraseException extends PGPException { - - private final Set keyIds; - - public MissingPassphraseException(Set keyIds) { - super("Missing passphrase encountered for keys " + Arrays.toString(keyIds.toArray())); - this.keyIds = Collections.unmodifiableSet(keyIds); - } - - public Set getKeyIds() { - return keyIds; - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java deleted file mode 100644 index 5be1b359..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java +++ /dev/null @@ -1,14 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import java.io.IOException; - -/** - * Exception that gets thrown when the verification of a modification detection code failed. - */ -public class ModificationDetectionException extends IOException { - -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java deleted file mode 100644 index 2141ec5c..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java +++ /dev/null @@ -1,44 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import java.util.Map; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSignature; -import org.pgpainless.algorithm.SignatureType; - -public class SignatureValidationException extends PGPException { - - public SignatureValidationException(String message) { - super(message); - } - - public SignatureValidationException(String message, Exception underlying) { - super(message, underlying); - } - - public SignatureValidationException(String message, Map rejections) { - super(message + ": " + exceptionMapToString(rejections)); - } - - private static String exceptionMapToString(Map rejections) { - StringBuilder sb = new StringBuilder(); - sb.append(rejections.size()).append(" rejected signatures:\n"); - for (PGPSignature signature : rejections.keySet()) { - String typeString; - SignatureType type = SignatureType.fromCode(signature.getSignatureType()); - if (type == null) { - typeString = "0x" + Long.toHexString(signature.getSignatureType()); - } else { - typeString = type.toString(); - } - sb.append(typeString).append(' ') - .append(signature.getCreationTime()).append(": ") - .append(rejections.get(signature).getMessage()).append('\n'); - } - return sb.toString(); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java deleted file mode 100644 index aa3c8603..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java +++ /dev/null @@ -1,17 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.bouncycastle.openpgp.PGPException; - -/** - * Exception that gets thrown if unacceptable algorithms are encountered. - */ -public class UnacceptableAlgorithmException extends PGPException { - - public UnacceptableAlgorithmException(String message) { - super(message); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java deleted file mode 100644 index 93d2e9c5..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java +++ /dev/null @@ -1,14 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.bouncycastle.openpgp.PGPException; - -public class WrongConsumingMethodException extends PGPException { - - public WrongConsumingMethodException(String message) { - super(message); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java deleted file mode 100644 index d039ca6a..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java +++ /dev/null @@ -1,27 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.exception; - -import org.bouncycastle.bcpg.KeyIdentifier; -import org.bouncycastle.openpgp.PGPException; - -public class WrongPassphraseException extends PGPException { - - public WrongPassphraseException(String message) { - super(message); - } - - public WrongPassphraseException(long keyId, PGPException cause) { - this(new KeyIdentifier(keyId), cause); - } - - public WrongPassphraseException(KeyIdentifier keyIdentifier, PGPException cause) { - this("Wrong passphrase provided for key " + keyIdentifier, cause); - } - - public WrongPassphraseException(String message, PGPException cause) { - super(message, cause); - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java deleted file mode 100644 index 01a786aa..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Exceptions. - */ -package org.pgpainless.exception; diff --git a/pgpainless-core/src/main/java/org/pgpainless/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/package-info.java deleted file mode 100644 index 3573fcdc..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/package-info.java +++ /dev/null @@ -1,10 +0,0 @@ -// SPDX-FileCopyrightText: 2018 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * PGPainless - Use OpenPGP Painlessly! - * - * @see org.pgpainless.core.org - */ -package org.pgpainless; diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt new file mode 100644 index 00000000..de9a7211 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt @@ -0,0 +1,203 @@ +package org.pgpainless.exception + +import java.util.* +import javax.annotation.Nonnull +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.PGPSignature +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.pgpainless.algorithm.PublicKeyAlgorithm +import org.pgpainless.key.OpenPgpFingerprint +import org.pgpainless.key.OpenPgpFingerprint.Companion.of +import org.pgpainless.util.DateUtil.Companion.formatUTCDate + +abstract class KeyException : RuntimeException { + + val fingerprint: OpenPgpFingerprint + + protected constructor(message: String, fingerprint: OpenPgpFingerprint) : super(message) { + this.fingerprint = fingerprint + } + + protected constructor( + message: String, + fingerprint: OpenPgpFingerprint, + underlying: Throwable + ) : super(message, underlying) { + this.fingerprint = fingerprint + } + + class ExpiredKeyException(fingerprint: OpenPgpFingerprint, expirationDate: Date) : + KeyException( + "Key $fingerprint is expired. Expiration date: ${formatUTCDate(expirationDate)}", + fingerprint, + ) { + + constructor(cert: OpenPGPCertificate, expirationDate: Date) : this(of(cert), expirationDate) + } + + class RevokedKeyException : KeyException { + constructor( + fingerprint: OpenPgpFingerprint + ) : super( + "Key $fingerprint appears to be revoked.", + fingerprint, + ) + + constructor( + componentKey: OpenPGPComponentKey + ) : super( + "Subkey ${componentKey.keyIdentifier} appears to be revoked.", + of(componentKey), + ) + + constructor( + cert: OpenPGPCertificate + ) : super( + "Key or certificate ${cert.keyIdentifier} appears to be revoked.", + of(cert), + ) + } + + class UnacceptableEncryptionKeyException : KeyException { + constructor(cert: OpenPGPCertificate) : this(of(cert)) + + constructor( + subkey: OpenPGPComponentKey + ) : super( + "Subkey ${subkey.keyIdentifier} is not an acceptable encryption key.", + of(subkey), + ) + + constructor( + fingerprint: OpenPgpFingerprint + ) : super("Key $fingerprint has no acceptable encryption key.", fingerprint) + + constructor( + reason: PublicKeyAlgorithmPolicyException + ) : super( + "Key ${reason.fingerprint} has no acceptable encryption key.", + reason.fingerprint, + reason) + } + + class UnacceptableSigningKeyException : KeyException { + constructor(cert: OpenPGPCertificate) : this(of(cert)) + + constructor(subkey: OpenPGPComponentKey) : this(of(subkey)) + + constructor( + fingerprint: OpenPgpFingerprint + ) : super("Key $fingerprint has no acceptable signing key.", fingerprint) + + constructor( + reason: KeyException.PublicKeyAlgorithmPolicyException + ) : super( + "Key ${reason.fingerprint} has no acceptable signing key.", reason.fingerprint, reason) + } + + class UnacceptableThirdPartyCertificationKeyException(fingerprint: OpenPgpFingerprint) : + KeyException("Key $fingerprint has no acceptable certification key.", fingerprint) {} + + class UnacceptableSelfSignatureException : KeyException { + constructor(cert: OpenPGPCertificate) : this(of(cert)) + + constructor( + fingerprint: OpenPgpFingerprint + ) : super( + "Key $fingerprint does not have a valid/acceptable signature to derive an expiration date from.", + fingerprint, + ) + } + + class MissingSecretKeyException : KeyException { + val missingSecretKeyIdentifier: KeyIdentifier + + constructor( + publicKey: OpenPGPComponentKey + ) : this( + of(publicKey.certificate), + publicKey.keyIdentifier, + ) + + constructor( + fingerprint: OpenPgpFingerprint, + keyIdentifier: KeyIdentifier + ) : super( + "Key $fingerprint does not contain a secret key for public key $keyIdentifier", + fingerprint, + ) { + missingSecretKeyIdentifier = keyIdentifier + } + + @Deprecated("Pass in a KeyIdentifier instead.") + constructor( + fingerprint: OpenPgpFingerprint, + keyId: Long + ) : this(fingerprint, KeyIdentifier(keyId)) + } + + class PublicKeyAlgorithmPolicyException : KeyException { + val violatingSubkeyId: KeyIdentifier + + constructor( + subkey: OpenPGPComponentKey, + algorithm: PublicKeyAlgorithm, + bitSize: Int + ) : super( + """Subkey ${subkey.keyIdentifier} of key ${subkey.certificate.keyIdentifier} is violating the Public Key Algorithm Policy: +$algorithm of size $bitSize is not acceptable.""", + of(subkey), + ) { + this.violatingSubkeyId = subkey.keyIdentifier + } + + constructor( + fingerprint: OpenPgpFingerprint, + keyId: Long, + algorithm: PublicKeyAlgorithm, + bitSize: Int + ) : super( + """Subkey ${java.lang.Long.toHexString(keyId)} of key $fingerprint is violating the Public Key Algorithm Policy: +$algorithm of size $bitSize is not acceptable.""", + fingerprint, + ) { + this.violatingSubkeyId = KeyIdentifier(keyId) + } + } + + class UnboundUserIdException( + fingerprint: OpenPgpFingerprint, + userId: String, + userIdSignature: PGPSignature?, + userIdRevocation: PGPSignature? + ) : + KeyException( + errorMessage( + fingerprint, + userId, + userIdSignature, + userIdRevocation, + ), + fingerprint, + ) { + + companion object { + private fun errorMessage( + @Nonnull fingerprint: OpenPgpFingerprint, + @Nonnull userId: String, + userIdSignature: PGPSignature?, + userIdRevocation: PGPSignature? + ): String { + val errorMessage = "UserID '$userId' is not valid for key $fingerprint: " + if (userIdSignature == null) { + return errorMessage + "Missing binding signature." + } + if (userIdRevocation != null) { + return errorMessage + "UserID is revoked." + } + return errorMessage + "Unacceptable binding signature." + } + } + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyIntegrityException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyIntegrityException.kt new file mode 100644 index 00000000..a4444020 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyIntegrityException.kt @@ -0,0 +1,13 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import java.lang.AssertionError + +/** + * This exception gets thrown, when the integrity of an OpenPGP key is broken. That could happen on + * accident, or during an active attack, so take this exception seriously. + */ +class KeyIntegrityException : AssertionError("Key Integrity Exception") diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MalformedOpenPgpMessageException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MalformedOpenPgpMessageException.kt new file mode 100644 index 00000000..23d9ffdc --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MalformedOpenPgpMessageException.kt @@ -0,0 +1,29 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.pgpainless.decryption_verification.syntax_check.InputSymbol +import org.pgpainless.decryption_verification.syntax_check.StackSymbol +import org.pgpainless.decryption_verification.syntax_check.State + +/** + * Exception that gets thrown if the OpenPGP message is malformed. Malformed messages are messages + * which do not follow the grammar specified in the RFC. + * + * @see [RFC4880 §11.3. OpenPGP Messages](https://www.rfc-editor.org/rfc/rfc4880#section-11.3) + */ +class MalformedOpenPgpMessageException : RuntimeException { + constructor(message: String) : super(message) + + constructor(message: String, e: MalformedOpenPgpMessageException) : super(message, e) + + constructor( + state: State, + input: InputSymbol, + stackItem: StackSymbol? + ) : this( + "There is no legal transition from state '$state' for input '$input' when '${stackItem ?: "null"}' is on top of the stack.", + ) +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MessageNotIntegrityProtectedException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MessageNotIntegrityProtectedException.kt new file mode 100644 index 00000000..df3b8eb8 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MessageNotIntegrityProtectedException.kt @@ -0,0 +1,13 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.bouncycastle.openpgp.PGPException + +class MessageNotIntegrityProtectedException : + PGPException( + "Message is encrypted using a 'Symmetrically Encrypted Data' (SED) packet, which enables certain types of attacks. " + + "A 'Symmetrically Encrypted Integrity Protected' (SEIP) packet should be used instead.", + ) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingDecryptionMethodException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingDecryptionMethodException.kt new file mode 100644 index 00000000..1f1237f2 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingDecryptionMethodException.kt @@ -0,0 +1,14 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.bouncycastle.openpgp.PGPException + +/** + * Exception that is thrown when decryption fails due to a missing decryption key or decryption + * passphrase. This can happen when the user does not provide the right set of keys / the right + * password when decrypting a message. + */ +class MissingDecryptionMethodException(message: String) : PGPException(message) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt new file mode 100644 index 00000000..010f4fc7 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt @@ -0,0 +1,11 @@ +package org.pgpainless.exception + +import java.util.* +import org.bouncycastle.openpgp.PGPException +import org.pgpainless.key.SubkeyIdentifier + +class MissingPassphraseException(keyIds: Set) : + PGPException( + "Missing passphrase encountered for keys ${keyIds.toTypedArray().contentToString()}") { + val keyIds: Set = Collections.unmodifiableSet(keyIds) +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/ModificationDetectionException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/ModificationDetectionException.kt new file mode 100644 index 00000000..09796f85 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/ModificationDetectionException.kt @@ -0,0 +1,10 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import java.io.IOException + +/** Exception that gets thrown when the verification of a modification detection code failed. */ +class ModificationDetectionException : IOException() diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/SignatureValidationException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/SignatureValidationException.kt new file mode 100644 index 00000000..6cc6b32e --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/SignatureValidationException.kt @@ -0,0 +1,42 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.bouncycastle.openpgp.PGPException +import org.bouncycastle.openpgp.PGPSignature +import org.pgpainless.algorithm.SignatureType + +class SignatureValidationException : PGPException { + + constructor(message: String?) : super(message) + + constructor(message: String?, underlying: Exception) : super(message, underlying) + + constructor( + message: String, + rejections: Map + ) : super("$message: ${exceptionMapToString(rejections)}") + + companion object { + @JvmStatic + private fun exceptionMapToString(rejections: Map): String = + buildString { + append(rejections.size).append(" rejected signatures:\n") + for (signature in rejections.keys) { + append(sigTypeToString(signature.signatureType)) + .append(' ') + .append(signature.creationTime) + .append(": ") + .append(rejections[signature]!!.message) + .append('\n') + } + } + + @JvmStatic + private fun sigTypeToString(type: Int): String = + SignatureType.fromCode(type)?.toString() + ?: "0x${java.lang.Long.toHexString(type.toLong())}" + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/UnacceptableAlgorithmException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/UnacceptableAlgorithmException.kt new file mode 100644 index 00000000..b2783cd6 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/UnacceptableAlgorithmException.kt @@ -0,0 +1,10 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.bouncycastle.openpgp.PGPException + +/** Exception that gets thrown if unacceptable algorithms are encountered. */ +class UnacceptableAlgorithmException(message: String) : PGPException(message) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongConsumingMethodException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongConsumingMethodException.kt new file mode 100644 index 00000000..e1fe0842 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongConsumingMethodException.kt @@ -0,0 +1,9 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.bouncycastle.openpgp.PGPException + +class WrongConsumingMethodException(message: String) : PGPException(message) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongPassphraseException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongPassphraseException.kt new file mode 100644 index 00000000..4ac7cf68 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/WrongPassphraseException.kt @@ -0,0 +1,23 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception + +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.openpgp.PGPException + +class WrongPassphraseException : PGPException { + + constructor(message: String) : super(message) + + constructor(message: String, cause: PGPException) : super(message, cause) + + @Deprecated("Pass in a KeyIdentifier instead.") + constructor(keyId: Long, cause: PGPException) : this(KeyIdentifier(keyId), cause) + + constructor( + keyIdentifier: KeyIdentifier, + cause: PGPException + ) : this("Wrong passphrase provided for key $keyIdentifier", cause) +} From be5c2a01a123144189ab055cb7dc608b2b548d76 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 16:54:39 +0200 Subject: [PATCH 213/265] Port GnuPGDummyExtension implementation --- .../java/org/gnupg/GnuPGDummyExtension.java | 31 --- .../java/org/gnupg/GnuPGDummyKeyUtil.java | 228 ------------------ .../src/main/java/org/gnupg/package-info.java | 8 - .../kotlin/org/gnupg/GnuPGDummyExtension.kt | 16 ++ .../kotlin/org/gnupg/GnuPGDummyKeyUtil.kt | 204 ++++++++++++++++ 5 files changed, 220 insertions(+), 267 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java delete mode 100644 pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java delete mode 100644 pgpainless-core/src/main/java/org/gnupg/package-info.java create mode 100644 pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyExtension.kt create mode 100644 pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java deleted file mode 100644 index d744e222..00000000 --- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java +++ /dev/null @@ -1,31 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.gnupg; - -import org.bouncycastle.bcpg.S2K; - -public enum GnuPGDummyExtension { - - /** - * Do not store the secret part at all. - */ - NO_PRIVATE_KEY(S2K.GNU_PROTECTION_MODE_NO_PRIVATE_KEY), - - /** - * A stub to access smartcards. - */ - DIVERT_TO_CARD(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD), - ; - - private final int id; - - GnuPGDummyExtension(int id) { - this.id = id; - } - - public int getId() { - return id; - } -} diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java deleted file mode 100644 index d2f1dedb..00000000 --- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java +++ /dev/null @@ -1,228 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.gnupg; - -import org.bouncycastle.bcpg.KeyIdentifier; -import org.bouncycastle.bcpg.PublicKeyPacket; -import org.bouncycastle.bcpg.S2K; -import org.bouncycastle.bcpg.SecretKeyPacket; -import org.bouncycastle.bcpg.SecretSubkeyPacket; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.api.OpenPGPKey; -import org.pgpainless.key.SubkeyIdentifier; - -import javax.annotation.Nonnull; -import javax.annotation.Nullable; -import java.util.ArrayList; -import java.util.Collection; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -/** - * This class can be used to remove private keys from secret software-keys by replacing them with - * stub secret keys in the style of GnuPGs proprietary extensions. - * - * @see - * GnuPGs doc/DETAILS - GNU extensions to the S2K algorithm - */ -public final class GnuPGDummyKeyUtil { - - private GnuPGDummyKeyUtil() { - - } - - /** - * Return the key-ids of all keys which appear to be stored on a hardware token / smartcard by GnuPG. - * Note, that this functionality is based on GnuPGs proprietary S2K extensions, which are not strictly required - * for dealing with hardware-backed keys. - * - * @param secretKeys secret keys - * @return set of keys with S2K type GNU_DUMMY_S2K and protection mode DIVERT_TO_CARD - */ - public static Set getIdsOfKeysWithGnuPGS2KDivertedToCard(@Nonnull PGPSecretKeyRing secretKeys) { - Set hardwareBackedKeys = new HashSet<>(); - for (PGPSecretKey secretKey : secretKeys) { - S2K s2K = secretKey.getS2K(); - if (s2K == null) { - continue; - } - - int type = s2K.getType(); - int mode = s2K.getProtectionMode(); - // TODO: Is GNU_DUMMY_S2K appropriate? - if (type == S2K.GNU_DUMMY_S2K && mode == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD) { - SubkeyIdentifier hardwareBackedKey = new SubkeyIdentifier(secretKeys, secretKey.getKeyIdentifier()); - hardwareBackedKeys.add(hardwareBackedKey); - } - } - return hardwareBackedKeys; - } - - public static Builder modify(@Nonnull OpenPGPKey key) { - return modify(key.getPGPSecretKeyRing()); - } - - /** - * Modify the given {@link PGPSecretKeyRing}. - * - * @param secretKeys secret keys - * @return builder - */ - public static Builder modify(@Nonnull PGPSecretKeyRing secretKeys) { - return new Builder(secretKeys); - } - - public static final class Builder { - - private final PGPSecretKeyRing keys; - - private Builder(@Nonnull PGPSecretKeyRing keys) { - this.keys = keys; - } - - /** - * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with - * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#NO_PRIVATE_KEY}. - * - * @param filter filter to select keys for removal - * @return modified key ring - */ - public PGPSecretKeyRing removePrivateKeys(@Nonnull KeyFilter filter) { - return replacePrivateKeys(GnuPGDummyExtension.NO_PRIVATE_KEY, null, filter); - } - - /** - * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with - * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#DIVERT_TO_CARD}. - * This method will set the serial number of the card to 0x00000000000000000000000000000000. - * NOTE: This method does not actually move any keys to a card. - * - * @param filter filter to select keys for removal - * @return modified key ring - */ - public PGPSecretKeyRing divertPrivateKeysToCard(@Nonnull KeyFilter filter) { - return divertPrivateKeysToCard(filter, new byte[16]); - } - - /** - * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with - * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#DIVERT_TO_CARD}. - * This method will include the card serial number into the encoded dummy key. - * NOTE: This method does not actually move any keys to a card. - * - * @param filter filter to select keys for removal - * @param cardSerialNumber serial number of the card (at most 16 bytes long) - * @return modified key ring - */ - public PGPSecretKeyRing divertPrivateKeysToCard(@Nonnull KeyFilter filter, @Nullable byte[] cardSerialNumber) { - if (cardSerialNumber != null && cardSerialNumber.length > 16) { - throw new IllegalArgumentException("Card serial number length cannot exceed 16 bytes."); - } - return replacePrivateKeys(GnuPGDummyExtension.DIVERT_TO_CARD, cardSerialNumber, filter); - } - - private PGPSecretKeyRing replacePrivateKeys(@Nonnull GnuPGDummyExtension extension, - @Nullable byte[] serial, - @Nonnull KeyFilter filter) { - byte[] encodedSerial = serial != null ? encodeSerial(serial) : null; - S2K s2k = extensionToS2K(extension); - - List secretKeyList = new ArrayList<>(); - for (PGPSecretKey secretKey : keys) { - if (!filter.filter(secretKey.getKeyIdentifier())) { - // No conversion, do not modify subkey - secretKeyList.add(secretKey); - continue; - } - - PublicKeyPacket publicKeyPacket = secretKey.getPublicKey().getPublicKeyPacket(); - if (secretKey.isMasterKey()) { - SecretKeyPacket keyPacket = new SecretKeyPacket(publicKeyPacket, - 0, SecretKeyPacket.USAGE_SHA1, s2k, null, encodedSerial); - PGPSecretKey onCard = new PGPSecretKey(keyPacket, secretKey.getPublicKey()); - secretKeyList.add(onCard); - } else { - SecretSubkeyPacket keyPacket = new SecretSubkeyPacket(publicKeyPacket, - 0, SecretKeyPacket.USAGE_SHA1, s2k, null, encodedSerial); - PGPSecretKey onCard = new PGPSecretKey(keyPacket, secretKey.getPublicKey()); - secretKeyList.add(onCard); - } - } - - return new PGPSecretKeyRing(secretKeyList); - } - - private byte[] encodeSerial(@Nonnull byte[] serial) { - byte[] encoded = new byte[serial.length + 1]; - encoded[0] = (byte) (serial.length & 0xff); - System.arraycopy(serial, 0, encoded, 1, serial.length); - return encoded; - } - - private S2K extensionToS2K(@Nonnull GnuPGDummyExtension extension) { - return S2K.gnuDummyS2K(extension == GnuPGDummyExtension.DIVERT_TO_CARD ? - S2K.GNUDummyParams.divertToCard() : S2K.GNUDummyParams.noPrivateKey()); - } - } - - /** - * Filter for selecting keys. - */ - @FunctionalInterface - public interface KeyFilter { - - /** - * Return true, if the given key should be selected, false otherwise. - * - * @param keyIdentifier id of the key - * @return select - */ - boolean filter(KeyIdentifier keyIdentifier); - - /** - * Select any key. - * - * @return filter - */ - static KeyFilter any() { - return keyId -> true; - } - - /** - * Select only the given keyId. - * - * @param onlyKeyId only acceptable key id - * @return filter - * @deprecated use {@link #only(KeyIdentifier)} instead. - */ - @Deprecated - static KeyFilter only(long onlyKeyId) { - return only(new KeyIdentifier(onlyKeyId)); - } - - /** - * Select only the given keyIdentifier. - * - * @param onlyKeyIdentifier only acceptable key identifier - * @return filter - */ - static KeyFilter only(KeyIdentifier onlyKeyIdentifier) { - return keyIdentifier -> keyIdentifier.matches(onlyKeyIdentifier); - } - - /** - * Select all keyIds which are contained in the given set of ids. - * - * @param ids set of acceptable keyIds - * @return filter - */ - static KeyFilter selected(Collection ids) { - // noinspection Convert2MethodRef - return keyId -> ids.contains(keyId); - } - } -} diff --git a/pgpainless-core/src/main/java/org/gnupg/package-info.java b/pgpainless-core/src/main/java/org/gnupg/package-info.java deleted file mode 100644 index 03268619..00000000 --- a/pgpainless-core/src/main/java/org/gnupg/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-FileCopyrightText: 2022 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -/** - * Utility classes related to creating keys with GNU DUMMY S2K values. - */ -package org.gnupg; diff --git a/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyExtension.kt b/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyExtension.kt new file mode 100644 index 00000000..4831878a --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyExtension.kt @@ -0,0 +1,16 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.gnupg + +import org.bouncycastle.bcpg.S2K + +enum class GnuPGDummyExtension(val id: Int) { + + /** Do not store the secret part at all. */ + NO_PRIVATE_KEY(S2K.GNU_PROTECTION_MODE_NO_PRIVATE_KEY), + + /** A stub to access smartcards. */ + DIVERT_TO_CARD(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD) +} diff --git a/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt b/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt new file mode 100644 index 00000000..467a87bc --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt @@ -0,0 +1,204 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.gnupg + +import kotlin.experimental.and +import org.bouncycastle.bcpg.KeyIdentifier +import org.bouncycastle.bcpg.S2K +import org.bouncycastle.bcpg.SecretKeyPacket +import org.bouncycastle.bcpg.SecretSubkeyPacket +import org.bouncycastle.openpgp.PGPSecretKey +import org.bouncycastle.openpgp.PGPSecretKeyRing +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.gnupg.GnuPGDummyKeyUtil.KeyFilter +import org.pgpainless.key.SubkeyIdentifier + +/** + * This class can be used to remove private keys from secret software-keys by replacing them with + * stub secret keys in the style of GnuPGs proprietary extensions. + * + * @see + * [GnuPGs doc/DETAILS - GNU extensions to the S2K algorithm](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=HEAD#l1489) + */ +class GnuPGDummyKeyUtil private constructor() { + + companion object { + + /** + * Return the key-ids of all keys which appear to be stored on a hardware token / smartcard + * by GnuPG. Note, that this functionality is based on GnuPGs proprietary S2K extensions, + * which are not strictly required for dealing with hardware-backed keys. + * + * @param secretKeys secret keys + * @return set of keys with S2K type [S2K.GNU_DUMMY_S2K] and protection mode + * [GnuPGDummyExtension.DIVERT_TO_CARD] + */ + @JvmStatic + fun getIdsOfKeysWithGnuPGS2KDivertedToCard( + secretKeys: PGPSecretKeyRing + ): Set = + secretKeys + .filter { + it.s2K?.type == S2K.GNU_DUMMY_S2K && + it.s2K?.protectionMode == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD + } + .map { SubkeyIdentifier(secretKeys, it.keyIdentifier) } + .toSet() + + @JvmStatic fun modify(key: OpenPGPKey): Builder = modify(key.pgpSecretKeyRing) + + /** + * Modify the given [PGPSecretKeyRing]. + * + * @param secretKeys secret keys + * @return builder + */ + @JvmStatic fun modify(secretKeys: PGPSecretKeyRing) = Builder(secretKeys) + } + + class Builder(private val keys: PGPSecretKeyRing) { + + /** + * Remove all private keys that match the given [KeyFilter] from the key ring and replace + * them with GNU_DUMMY keys with S2K protection mode [GnuPGDummyExtension.NO_PRIVATE_KEY]. + * + * @param filter filter to select keys for removal + * @return modified key ring + */ + fun removePrivateKeys(filter: KeyFilter): PGPSecretKeyRing { + return replacePrivateKeys(GnuPGDummyExtension.NO_PRIVATE_KEY, null, filter) + } + + /** + * Remove all private keys that match the given [KeyFilter] from the key ring and replace + * them with GNU_DUMMY keys with S2K protection mode [GnuPGDummyExtension.DIVERT_TO_CARD]. + * This method will set the serial number of the card to 0x00000000000000000000000000000000. + * NOTE: This method does not actually move any keys to a card. + * + * @param filter filter to select keys for removal + * @return modified key ring + */ + fun divertPrivateKeysToCard(filter: KeyFilter): PGPSecretKeyRing { + return divertPrivateKeysToCard(filter, ByteArray(16)) + } + + /** + * Remove all private keys that match the given [KeyFilter] from the key ring and replace + * them with GNU_DUMMY keys with S2K protection mode [GnuPGDummyExtension.DIVERT_TO_CARD]. + * This method will include the card serial number into the encoded dummy key. NOTE: This + * method does not actually move any keys to a card. + * + * @param filter filter to select keys for removal + * @param cardSerialNumber serial number of the card (at most 16 bytes long) + * @return modified key ring + */ + fun divertPrivateKeysToCard( + filter: KeyFilter, + cardSerialNumber: ByteArray? + ): PGPSecretKeyRing { + require(cardSerialNumber == null || cardSerialNumber.size <= 16) { + "Card serial number length cannot exceed 16 bytes." + } + return replacePrivateKeys(GnuPGDummyExtension.DIVERT_TO_CARD, cardSerialNumber, filter) + } + + private fun replacePrivateKeys( + extension: GnuPGDummyExtension, + serial: ByteArray?, + filter: KeyFilter + ): PGPSecretKeyRing { + val encodedSerial: ByteArray? = serial?.let { encodeSerial(it) } + val s2k: S2K = extensionToS2K(extension) + + return PGPSecretKeyRing( + keys + .map { + if (!filter.filter(it.keyIdentifier)) { + // Leave non-filtered key intact + it + } else { + val publicKeyPacket = it.publicKey.publicKeyPacket + // Convert key packet + val keyPacket: SecretKeyPacket = + if (it.isMasterKey) { + SecretKeyPacket( + publicKeyPacket, + 0, + SecretKeyPacket.USAGE_SHA1, + s2k, + null, + encodedSerial) + } else { + SecretSubkeyPacket( + publicKeyPacket, + 0, + SecretKeyPacket.USAGE_SHA1, + s2k, + null, + encodedSerial) + } + PGPSecretKey(keyPacket, it.publicKey) + } + } + .toList()) + } + + private fun encodeSerial(serial: ByteArray): ByteArray { + val encoded = ByteArray(serial.size + 1) + encoded[0] = serial.size.toByte().and(0xff.toByte()) + System.arraycopy(serial, 0, encoded, 1, serial.size) + return encoded + } + + private fun extensionToS2K(extension: GnuPGDummyExtension): S2K { + return S2K.gnuDummyS2K( + if (extension == GnuPGDummyExtension.DIVERT_TO_CARD) + S2K.GNUDummyParams.divertToCard() + else S2K.GNUDummyParams.noPrivateKey()) + } + } + + /** Filter for selecting keys. */ + fun interface KeyFilter { + fun filter(keyIdentifier: KeyIdentifier): Boolean + + companion object { + + /** + * Select any key. + * + * @return filter + */ + @JvmStatic fun any(): KeyFilter = KeyFilter { true } + + /** + * Select only the given keyId. + * + * @param onlyKeyId only acceptable key id + * @return filter + */ + @JvmStatic + @Deprecated("Use only(KeyIdentifier) instead.") + fun only(onlyKeyId: Long) = only(KeyIdentifier(onlyKeyId)) + + /** + * Select only the given keyIdentifier. + * + * @param onlyKeyIdentifier only acceptable key identifier + * @return filter + */ + @JvmStatic + fun only(onlyKeyIdentifier: KeyIdentifier) = KeyFilter { it.matches(onlyKeyIdentifier) } + + /** + * Select all keyIds which are contained in the given set of ids. + * + * @param ids set of acceptable keyIds + * @return filter + */ + @JvmStatic fun selected(ids: Collection) = KeyFilter { ids.contains(it) } + } + } +} From 9d75026bab7b41a9da68a1068d1d15addb76f7c8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 May 2025 20:58:03 +0200 Subject: [PATCH 214/265] Update README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2e3fa03e..05734ed6 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,7 @@ There are some predefined key archetypes, but it is possible to fully customize .modernKeyRing("Romeo ", "I defy you, stars!"); // Customized key - OpenPGPKey keyRing = PGPainless.buildKeyRing() + OpenPGPKey keyRing = api.buildKey() .setPrimaryKey(KeySpec.getBuilder( RSA.withLength(RsaLength._8192), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) @@ -163,7 +163,7 @@ Furthermore, PGPainless will reject signatures made using weak algorithms like S This behaviour can be modified though using the `Policy` class. ```java - DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + DecryptionStream decryptionStream = PGPainless.getInstance().processMessage() .onInputStream(encryptedInputStream) .withOptions(ConsumerOptions.get(api) .addDecryptionKey(bobSecKeys, secretKeyProtector) From f694720c978a133ab7d063703585ed48fa410995 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 12 May 2025 12:32:06 +0200 Subject: [PATCH 215/265] Add AEADAlkgorithm.toMechanism(SymAlg) shortcut method --- .../org/pgpainless/algorithm/AEADAlgorithm.kt | 5 +++++ .../encryption_signing/EncryptDecryptTest.java | 18 ++++++------------ 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt index 6a3a6214..8bafa811 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt @@ -4,6 +4,8 @@ package org.pgpainless.algorithm +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism + enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: Int) { /** @@ -27,6 +29,9 @@ enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: GCM(3, 12, 16), ; + fun toMechanism(ciphermode: SymmetricKeyAlgorithm): MessageEncryptionMechanism = + MessageEncryptionMechanism.aead(ciphermode.algorithmId, this.algorithmId) + companion object { @JvmStatic fun fromId(id: Int): AEADAlgorithm? { diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index c6fafa16..8de0d9ad 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -21,7 +21,6 @@ import java.util.Set; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.api.MessageEncryptionMechanism; import org.bouncycastle.openpgp.api.OpenPGPCertificate; import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; @@ -338,14 +337,13 @@ public class EncryptDecryptTest { .onOutputStream(bOut) .withOptions(ProducerOptions.encrypt( EncryptionOptions.encryptCommunications() - .overrideEncryptionMechanism(MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId())) + .overrideEncryptionMechanism(AEADAlgorithm.OCB.toMechanism(SymmetricKeyAlgorithm.AES_192)) .addRecipient(keyWithoutSEIPD2Feature.toCertificate()))); eOut.write(testMessage.getBytes(StandardCharsets.UTF_8)); eOut.close(); EncryptionResult result = eOut.getResult(); - assertEquals(MessageEncryptionMechanism.aead( - SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + assertEquals(AEADAlgorithm.OCB.toMechanism(SymmetricKeyAlgorithm.AES_192), result.getEncryptionMechanism()); ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); @@ -357,7 +355,7 @@ public class EncryptDecryptTest { decIn.close(); MessageMetadata metadata = decIn.getMetadata(); - assertEquals(MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + assertEquals(AEADAlgorithm.OCB.toMechanism(SymmetricKeyAlgorithm.AES_192), metadata.getEncryptionMechanism()); } @@ -371,10 +369,7 @@ public class EncryptDecryptTest { .withOptions( ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() .overrideEncryptionMechanism( - MessageEncryptionMechanism.aead( - SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), - AEADAlgorithm.OCB.getAlgorithmId() - )) + AEADAlgorithm.OCB.toMechanism(SymmetricKeyAlgorithm.AES_192)) .addMessagePassphrase(Passphrase.fromPassword("sw0rdf1sh")) )); @@ -382,8 +377,7 @@ public class EncryptDecryptTest { eOut.close(); EncryptionResult result = eOut.getResult(); - assertEquals(MessageEncryptionMechanism.aead( - SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + assertEquals(AEADAlgorithm.OCB.toMechanism(SymmetricKeyAlgorithm.AES_192), result.getEncryptionMechanism()); ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); @@ -394,7 +388,7 @@ public class EncryptDecryptTest { Streams.drain(decIn); decIn.close(); MessageMetadata metadata = decIn.getMetadata(); - assertEquals(MessageEncryptionMechanism.aead(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), AEADAlgorithm.OCB.getAlgorithmId()), + assertEquals(AEADAlgorithm.OCB.toMechanism(SymmetricKeyAlgorithm.AES_192), metadata.getEncryptionMechanism()); } From 070780675e3d78a1b3df6471ea04d7f1770107e5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 12 May 2025 12:32:26 +0200 Subject: [PATCH 216/265] Some updates to the README file --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05734ed6..ecc5826f 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ PGPainless aims to make using OpenPGP in Java projects as simple as possible. It does so by introducing an intuitive Builder structure, which allows easy setup of encryption/decryption operations, as well as straight forward key generation. -PGPainless is based around the Bouncy Castle java library and can be used on Android down to API level 10. +PGPainless is based around the Bouncy Castle java library and can be used on Android. It can be configured to either use the Java Cryptographic Engine (JCE), or Bouncy Castles lightweight reimplementation. While signature verification in Bouncy Castle is limited to signature correctness, PGPainless goes much further. @@ -32,7 +32,7 @@ It also checks if signing subkeys are properly bound to their primary key, if ke if keys are allowed to create signatures in the first place. These rigorous checks make PGPainless stand out from other Java-based OpenPGP libraries and are the reason why -PGPainless currently [*scores first place* on Sequoia-PGPs Interoperability Test-Suite](https://tests.sequoia-pgp.org). +PGPainless currently scores above average on Sequoia-PGPs [Interoperability Test-Suite](https://tests.sequoia-pgp.org). > At FlowCrypt we are using PGPainless in our Kotlin code bases on Android and on server side. > The ergonomics of legacy PGP tooling on Java is not very good, and PGPainless improves it greatly. From 71168d2091f8d7b9386115f6d19487073bf61d82 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 12 May 2025 12:45:32 +0200 Subject: [PATCH 217/265] Add test and documentation to DateExtensions --- .../src/main/kotlin/openpgp/DateExtensions.kt | 11 ++++- .../test/java/openpgp/DateExtensionTest.java | 44 +++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 pgpainless-core/src/test/java/openpgp/DateExtensionTest.java diff --git a/pgpainless-core/src/main/kotlin/openpgp/DateExtensions.kt b/pgpainless-core/src/main/kotlin/openpgp/DateExtensions.kt index 2763cb55..0dc6de40 100644 --- a/pgpainless-core/src/main/kotlin/openpgp/DateExtensions.kt +++ b/pgpainless-core/src/main/kotlin/openpgp/DateExtensions.kt @@ -14,7 +14,6 @@ import java.util.* * Since '0' is a special date value in the OpenPGP specification (e.g. '0' means no expiration for * expiration dates), this method will return 'null' if seconds is 0. * - * @param date date * @param seconds number of seconds to be added * @return date plus seconds or null if seconds is '0' */ @@ -25,9 +24,19 @@ fun Date.plusSeconds(seconds: Long): Date? { return if (seconds == 0L) null else Date(this.time + 1000 * seconds) } +/** This date in seconds since epoch. */ val Date.asSeconds: Long get() = time / 1000 +/** + * Return the number of seconds that would need to be added to this date in order to reach the later + * date. Note: This method requires the [later] date to be indeed greater or equal to this date, + * otherwise an [IllegalArgumentException] is thrown. + * + * @param later later date + * @return difference between this and [later] in seconds + * @throws IllegalArgumentException if later is not greater or equal to this date + */ fun Date.secondsTill(later: Date): Long { require(this <= later) { "Timestamp MUST be before the later timestamp." } return later.asSeconds - this.asSeconds diff --git a/pgpainless-core/src/test/java/openpgp/DateExtensionTest.java b/pgpainless-core/src/test/java/openpgp/DateExtensionTest.java new file mode 100644 index 00000000..c36315bb --- /dev/null +++ b/pgpainless-core/src/test/java/openpgp/DateExtensionTest.java @@ -0,0 +1,44 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package openpgp; + +import org.junit.jupiter.api.Test; + +import java.util.Date; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertThrows; + +public class DateExtensionTest { + + @Test + public void testDatePlusSecondsBaseCase() { + Date t0 = DateExtensionsKt.parseUTC("2025-05-12 10:36:53 UTC"); + Date t1 = DateExtensionsKt.plusSeconds(t0, 7); + assertEquals("2025-05-12 10:37:00 UTC", DateExtensionsKt.formatUTC(t1)); + } + + @Test + public void testDatePlusZeroReturnsNull() { + Date t0 = DateExtensionsKt.parseUTC("2025-05-12 10:36:53 UTC"); + Date t1 = DateExtensionsKt.plusSeconds(t0, 0); + assertNull(t1); + } + + @Test + public void testDatePlusSecondsOverflowing() { + Date now = new Date(); + // expect IAE because of time field overflowing + assertThrows(IllegalArgumentException.class, () -> + DateExtensionsKt.plusSeconds(now, Long.MAX_VALUE - 10000)); + } + + @Test + public void testParsingMalformedUTCTimestampThrows() { + assertThrows(IllegalArgumentException.class, () -> + DateExtensionsKt.parseUTC("2025-05-12 10:36:XX UTC")); + } +} From 302e690b44b044d4de9bb53f35a1b45afb7dfca6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 12 May 2025 13:06:21 +0200 Subject: [PATCH 218/265] Add tests for LongExtension methods --- .../src/main/kotlin/openpgp/LongExtensions.kt | 2 +- .../org/pgpainless/key/util/KeyIdUtil.kt | 5 +-- .../test/java/openpgp/LongExtensionTest.java | 38 +++++++++++++++++++ 3 files changed, 40 insertions(+), 5 deletions(-) create mode 100644 pgpainless-core/src/test/java/openpgp/LongExtensionTest.java diff --git a/pgpainless-core/src/main/kotlin/openpgp/LongExtensions.kt b/pgpainless-core/src/main/kotlin/openpgp/LongExtensions.kt index c6c318b3..c6f3039e 100644 --- a/pgpainless-core/src/main/kotlin/openpgp/LongExtensions.kt +++ b/pgpainless-core/src/main/kotlin/openpgp/LongExtensions.kt @@ -9,7 +9,7 @@ fun Long.openPgpKeyId(): String { return String.format("%016X", this).uppercase() } -/** Parse a Long form a 16 digit hex encoded OpenPgp key-ID. */ +/** Parse a Long from a 16 digit hex encoded OpenPgp key-ID. */ fun Long.Companion.fromOpenPgpKeyId(hexKeyId: String): Long { require("^[0-9A-Fa-f]{16}$".toRegex().matches(hexKeyId)) { "Provided long key-id does not match expected format. " + diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyIdUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyIdUtil.kt index 3f1b98b1..78ca75ff 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyIdUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyIdUtil.kt @@ -17,10 +17,7 @@ class KeyIdUtil { * @param longKeyId 16-digit hexadecimal string * @return key-id converted to [Long]. */ - @JvmStatic - @Deprecated( - "Superseded by Long extension method.", ReplaceWith("Long.fromHexKeyId(longKeyId)")) - fun fromLongKeyId(longKeyId: String) = Long.fromOpenPgpKeyId(longKeyId) + @JvmStatic fun fromLongKeyId(longKeyId: String) = Long.fromOpenPgpKeyId(longKeyId) /** * Format a long key-ID as upper-case hex string. diff --git a/pgpainless-core/src/test/java/openpgp/LongExtensionTest.java b/pgpainless-core/src/test/java/openpgp/LongExtensionTest.java new file mode 100644 index 00000000..8f046968 --- /dev/null +++ b/pgpainless-core/src/test/java/openpgp/LongExtensionTest.java @@ -0,0 +1,38 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package openpgp; + +import org.junit.jupiter.api.Test; +import org.pgpainless.key.util.KeyIdUtil; + +import java.util.Random; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +public class LongExtensionTest { + + private final Random random = new Random(); + + @Test + public void testFromOpenPGPKeyId() { + long id = random.nextLong(); + String hexId = LongExtensionsKt.openPgpKeyId(id); + assertEquals(16, hexId.length()); + // Calling companion object extension methods from java is tricky. + // KeyIdUtil delegates to Long.Companion extension method though. + long parsed = KeyIdUtil.fromLongKeyId(hexId); + assertEquals(id, parsed, "Long MUST still match after converting to hex and back."); + } + + @Test + public void testParsingMalformedHexIdFails() { + assertThrows(IllegalArgumentException.class, () -> + KeyIdUtil.fromLongKeyId("00"), + "Hex encoding is too short, expect 16 chars.");assertThrows(IllegalArgumentException.class, () -> + KeyIdUtil.fromLongKeyId("00010203040506XX"), + "Hex encoding contains non-hex chars."); + } +} From 8b9d41004b8c3ee6a008fc65d7ca8985bd38aa6f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 13 May 2025 12:28:54 +0200 Subject: [PATCH 219/265] Port CertificateAuthority to KeyIdentifier, add tests for authenticated cert selection --- .../authentication/CertificateAuthenticity.kt | 57 +++++- .../authentication/CertificateAuthority.kt | 45 ++++- .../MessageMetadata.kt | 3 +- .../encryption_signing/EncryptionOptions.kt | 4 +- .../VerifyWithCertificateAuthorityTest.java | 166 ++++++++++++++++++ 5 files changed, 265 insertions(+), 10 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithCertificateAuthorityTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthenticity.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthenticity.kt index f3d60bf6..650b3722 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthenticity.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthenticity.kt @@ -5,14 +5,46 @@ package org.pgpainless.authentication import org.bouncycastle.openpgp.PGPPublicKeyRing +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.pgpainless.PGPainless +/** + * A certificate authenticity record, indicating, to what degree the certificate is authenticated. + * + * @param userId identity, was changed to [CharSequence] instead of [String] starting with + * PGPainless 2.0. + * @param certificate certificate, was changed to [OpenPGPCertificate] instead of + * [PGPPublicKeyRing]. Use [pgpPublicKeyRing] if you need to access a [PGPPublicKeyRing]. + * @param certificationChains map of chains and their trust degrees + * @param targetAmount targeted trust amount + */ class CertificateAuthenticity( - val userId: String, - val certificate: PGPPublicKeyRing, + val userId: CharSequence, + val certificate: OpenPGPCertificate, val certificationChains: Map, val targetAmount: Int ) { + /** Legacy constructor accepting a [PGPPublicKeyRing]. */ + @Deprecated("Pass in an OpenPGPCertificate instead of a PGPPublicKeyRing.") + constructor( + userId: String, + certificate: PGPPublicKeyRing, + certificationChains: Map, + targetAmount: Int + ) : this( + userId, + PGPainless.getInstance().toCertificate(certificate), + certificationChains, + targetAmount) + + /** + * Field was introduced to allow backwards compatibility with pre-2.0 API as replacement for + * [certificate]. + */ + @Deprecated("Use certificate instead.", replaceWith = ReplaceWith("certificate")) + val pgpPublicKeyRing: PGPPublicKeyRing = certificate.pgpPublicKeyRing + val totalTrustAmount: Int get() = certificationChains.values.sum() @@ -44,5 +76,22 @@ class CertificateAuthenticity( */ class CertificationChain(val trustAmount: Int, val chainLinks: List) {} -/** A chain link contains a node in the trust chain. */ -class ChainLink(val certificate: PGPPublicKeyRing) {} +/** + * A chain link contains a node in the trust chain. + * + * @param certificate chain link certificate, was changed from [PGPPublicKeyRing] to + * [OpenPGPCertificate] with PGPainless 2.0. Use [pgpPublicKeyRing] if you need to access the + * field as [PGPPublicKeyRing]. + */ +class ChainLink(val certificate: OpenPGPCertificate) { + constructor( + certificate: PGPPublicKeyRing + ) : this(PGPainless.getInstance().toCertificate(certificate)) + + /** + * Field was introduced to allow backwards compatibility with pre-2.0 API as replacement for + * [certificate]. + */ + @Deprecated("Use certificate instead.", replaceWith = ReplaceWith("certificate")) + val pgpPublicKeyRing: PGPPublicKeyRing = certificate.pgpPublicKeyRing +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt index 093c2325..861ac22c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt @@ -5,6 +5,7 @@ package org.pgpainless.authentication import java.util.* +import org.bouncycastle.bcpg.KeyIdentifier import org.pgpainless.key.OpenPgpFingerprint /** @@ -36,7 +37,30 @@ interface CertificateAuthority { email: Boolean, referenceTime: Date, targetAmount: Int - ): CertificateAuthenticity + ): CertificateAuthenticity? = + authenticateBinding(fingerprint.keyIdentifier, userId, email, referenceTime, targetAmount) + + /** + * Determine the authenticity of the binding between the given cert identifier and the userId. + * In other words, determine, how much evidence can be gathered, that the certificate with the + * given fingerprint really belongs to the user with the given userId. + * + * @param certIdentifier identifier of the certificate + * @param userId userId + * @param email if true, the userId will be treated as an email address and all user-IDs + * containing the email address will be matched. + * @param referenceTime reference time at which the binding shall be evaluated + * @param targetAmount target trust amount (120 = fully authenticated, 240 = doubly + * authenticated, 60 = partially authenticated...) + * @return information about the authenticity of the binding + */ + fun authenticateBinding( + certIdentifier: KeyIdentifier, + userId: CharSequence, + email: Boolean, + referenceTime: Date, + targetAmount: Int + ): CertificateAuthenticity? /** * Lookup certificates, which carry a trustworthy binding to the given userId. @@ -50,7 +74,7 @@ interface CertificateAuthority { * @return list of identified bindings */ fun lookupByUserId( - userId: String, + userId: CharSequence, email: Boolean, referenceTime: Date, targetAmount: Int @@ -70,5 +94,22 @@ interface CertificateAuthority { fingerprint: OpenPgpFingerprint, referenceTime: Date, targetAmount: Int + ): List = + identifyByFingerprint(fingerprint.keyIdentifier, referenceTime, targetAmount) + + /** + * Identify trustworthy bindings for a certificate. The result is a list of authenticatable + * userIds on the certificate. + * + * @param certIdentifier identifier of the certificate + * @param referenceTime reference time for trust calculations + * @param targetAmount target trust amount (120 = fully authenticated, 240 = doubly + * authenticated, 60 = partially authenticated...) + * @return list of identified bindings + */ + fun identifyByFingerprint( + certIdentifier: KeyIdentifier, + referenceTime: Date, + targetAmount: Int ): List } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index c1dfac93..8e257a23 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -295,7 +295,8 @@ class MessageMetadata(val message: Message) { email, it.signature.creationTime, targetAmount) - .authenticated + ?.authenticated + ?: false } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 1f3852f3..16333df4 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -90,9 +90,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: authority .lookupByUserId(userId, email, evaluationDate, targetAmount) .filter { it.isAuthenticated() } - .forEach { - addRecipient(api.toCertificate(it.certificate)).also { foundAcceptable = true } - } + .forEach { addRecipient(it.certificate).also { foundAcceptable = true } } require(foundAcceptable) { "Could not identify any trust-worthy certificates for '$userId' and target trust amount $targetAmount." } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithCertificateAuthorityTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithCertificateAuthorityTest.java new file mode 100644 index 00000000..6dfdf7db --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithCertificateAuthorityTest.java @@ -0,0 +1,166 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification; + +import org.bouncycastle.bcpg.KeyIdentifier; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.bouncycastle.util.io.Streams; +import org.jetbrains.annotations.NotNull; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; +import org.pgpainless.PGPainless; +import org.pgpainless.authentication.CertificateAuthenticity; +import org.pgpainless.authentication.CertificateAuthority; +import org.pgpainless.authentication.CertificationChain; +import org.pgpainless.authentication.ChainLink; +import org.pgpainless.encryption_signing.EncryptionOptions; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.TestAllImplementations; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class VerifyWithCertificateAuthorityTest { + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testVerifySignatureFromAuthenticatedCert() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + + OpenPGPKey aliceKey = api.generateKey().modernKeyRing("Alice "); + OpenPGPCertificate aliceCert = aliceKey.toCertificate(); + + SimpleCertificateAuthority authority = new SimpleCertificateAuthority(); + authority.addDirectlyAuthenticatedCert(aliceCert, 120); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage() + .onOutputStream(bOut) + .withOptions(ProducerOptions.signAndEncrypt( + EncryptionOptions.encryptCommunications() + .addAuthenticatableRecipients("Alice ", false, authority), + SigningOptions.get().addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), aliceKey) + )); + + eOut.write("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); + eOut.close(); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + DecryptionStream dIn = api.processMessage() + .onInputStream(bIn) + .withOptions(ConsumerOptions.get() + .addVerificationCert(aliceCert) + .addDecryptionKey(aliceKey)); + Streams.drain(dIn); + dIn.close(); + + MessageMetadata metadata = dIn.getMetadata(); + assertTrue(metadata.isEncryptedFor(aliceCert)); + + assertTrue(metadata.isAuthenticatablySignedBy("Alice ", false, authority)); + assertTrue(metadata.isAuthenticatablySignedBy("alice@pgpainless.org", true, authority)); + assertFalse(metadata.isAuthenticatablySignedBy("mallory@pgpainless.org", true, authority)); + } + + public static class SimpleCertificateAuthority implements CertificateAuthority { + + Map directlyAuthenticatedCerts = new HashMap<>(); + + public void addDirectlyAuthenticatedCert(OpenPGPCertificate cert, int trustAmount) { + directlyAuthenticatedCerts.put(cert, trustAmount); + } + + @Override + public CertificateAuthenticity authenticateBinding( + @NotNull KeyIdentifier certIdentifier, + @NotNull CharSequence userId, + boolean email, + @NotNull Date referenceTime, + int targetAmount) { + Optional opt = directlyAuthenticatedCerts.keySet().stream() + .filter(it -> it.getKey(certIdentifier) != null) + .findFirst(); + if (opt.isEmpty()) { + return null; + } + + OpenPGPCertificate cert = opt.get(); + Optional uid; + if (email) { + uid = cert.getAllUserIds().stream().filter(it -> it.getUserId().contains("<" + userId + ">")) + .findFirst(); + } else { + uid = cert.getAllUserIds().stream().filter(it -> it.getUserId().contentEquals(userId)) + .findFirst(); + } + return uid.map(openPGPUserId -> authenticatedUserId(openPGPUserId, targetAmount)).orElse(null); + } + + @NotNull + @Override + public List lookupByUserId( + @NotNull CharSequence userId, + boolean email, + @NotNull Date referenceTime, + int targetAmount) { + List matches = new ArrayList<>(); + + for (OpenPGPCertificate cert : directlyAuthenticatedCerts.keySet()) { + cert.getAllUserIds() + .stream().filter(it -> { + if (email) return it.getUserId().contains("<" + userId + ">"); + else return it.getUserId().contentEquals(userId); + }).forEach(it -> { + matches.add(authenticatedUserId(it, targetAmount)); + }); + } + return matches; + } + + @NotNull + @Override + public List identifyByFingerprint( + @NotNull KeyIdentifier certIdentifier, + @NotNull Date referenceTime, + int targetAmount) { + List matches = new ArrayList<>(); + + directlyAuthenticatedCerts.keySet() + .stream().filter(it -> it.getKey(certIdentifier) != null) + .forEach(it -> { + for (OpenPGPCertificate.OpenPGPUserId userId : it.getAllUserIds()) { + matches.add(authenticatedUserId(userId, targetAmount)); + } + }); + + return matches; + } + + private CertificateAuthenticity authenticatedUserId(OpenPGPCertificate.OpenPGPUserId userId, int targetAmount) { + OpenPGPCertificate cert = userId.getCertificate(); + int certTrust = directlyAuthenticatedCerts.get(cert); + Map chains = new HashMap<>(); + chains.put(new CertificationChain(certTrust, Collections.singletonList(new ChainLink(cert))), certTrust); + return new CertificateAuthenticity(userId.getUserId(), cert, chains, targetAmount); + } + } +} From 2014db4112468336fb322f2e1d68cb284a85447d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 13 May 2025 13:10:21 +0200 Subject: [PATCH 220/265] Update documentation of AEADAlgorithm --- .../org/pgpainless/algorithm/AEADAlgorithm.kt | 40 +++++++++++++++++-- 1 file changed, 37 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt index 8bafa811..d6f5423d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt @@ -6,38 +6,72 @@ package org.pgpainless.algorithm import org.bouncycastle.openpgp.api.MessageEncryptionMechanism +/** + * AEAD Algorithm. + * @param algorithmId numeric algorithm id + * @param ivLength length of the initialization vector + * @param tagLength length of the tag + * + * @see [RFC9580 - AEAD Algorithms](https://www.rfc-editor.org/rfc/rfc9580.html#name-aead-algorithms) + */ enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: Int) { /** * Encrypt-then-Authenticate-then-Translate mode. - * https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#name-eax-mode + * + * @see [RFC9580 - EAX Mode](https://www.rfc-editor.org/rfc/rfc9580.html#name-eax-mode) */ EAX(1, 16, 16), /** * Offset-Codebook mode. OCB is mandatory to implement in crypto-refresh. Favored by GnuPG. Is * not yet FIPS compliant, but supported by most implementations and therefore favorable. - * https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#name-ocb-mode + * + * @see [RFC9580 - OCB Mode](https://www.rfc-editor.org/rfc/rfc9580.html#name-ocb-mode) */ OCB(2, 15, 16), /** * Galois/Counter-Mode. GCM is controversial. Some say it is hard to get right. Some * implementations like GnuPG therefore avoid it. May be necessary to achieve FIPS compliance. - * https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#name-gcm-mode + * + * @see [RFC9580 - GCM Mode](https://www.rfc-editor.org/rfc/rfc9580.html#name-gcm-mode) */ GCM(3, 12, 16), ; + /** + * Return a [MessageEncryptionMechanism] instance representing AEAD using this algorithm and + * the given [SymmetricKeyAlgorithm]. + * + * @param ciphermode symmetric key algorithm + * @return MessageEncryptionMechanism representing aead(this, ciphermode) + */ fun toMechanism(ciphermode: SymmetricKeyAlgorithm): MessageEncryptionMechanism = MessageEncryptionMechanism.aead(ciphermode.algorithmId, this.algorithmId) companion object { + + /** + * Parse an [AEADAlgorithm] from an algorithm id. + * If no matching [AEADAlgorithm] is known, return `null`. + * + * @param id algorithm id + * @return aeadAlgorithm or null + */ @JvmStatic fun fromId(id: Int): AEADAlgorithm? { return values().firstOrNull { algorithm -> algorithm.algorithmId == id } } + /** + * Parse an [AEADAlgorithm] from an algorithm id. + * If no matching [AEADAlgorithm] is known, throw a [NoSuchElementException]. + * + * @param id algorithm id + * @return aeadAlgorithm + * @throws NoSuchElementException for unknown algorithm ids + */ @JvmStatic fun requireFromId(id: Int): AEADAlgorithm { return fromId(id) ?: throw NoSuchElementException("No AEADAlgorithm found for id $id") From d839e2eed16361d6cedac9bc24a8ba6b4f47ddd6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 13 May 2025 13:53:55 +0200 Subject: [PATCH 221/265] Add documentation --- .../org/pgpainless/algorithm/AEADAlgorithm.kt | 17 ++++--- .../OpenPGPCertificateExtensions.kt | 5 ++ .../OpenPGPImplementationExtensions.kt | 12 ++++- .../extensions/OpenPGPKeyExtensions.kt | 18 +++++-- .../extensions/PGPKeyRingExtensions.kt | 49 ++++++++++++++++++- .../extensions/PGPSecretKeyRingExtensions.kt | 18 +++++++ .../extensions/PGPSignatureExtensions.kt | 39 ++++++++++++++- .../PreferredAEADCipherSuitesExtensions.kt | 1 + .../PreferredAlgorithmsExtensions.kt | 3 ++ .../PGPSecretKeyRingExtensionsTest.kt | 25 ---------- 10 files changed, 144 insertions(+), 43 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt index d6f5423d..6e06abe3 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/AEADAlgorithm.kt @@ -8,11 +8,12 @@ import org.bouncycastle.openpgp.api.MessageEncryptionMechanism /** * AEAD Algorithm. + * * @param algorithmId numeric algorithm id * @param ivLength length of the initialization vector * @param tagLength length of the tag - * - * @see [RFC9580 - AEAD Algorithms](https://www.rfc-editor.org/rfc/rfc9580.html#name-aead-algorithms) + * @see + * [RFC9580 - AEAD Algorithms](https://www.rfc-editor.org/rfc/rfc9580.html#name-aead-algorithms) */ enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: Int) { @@ -41,8 +42,8 @@ enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: ; /** - * Return a [MessageEncryptionMechanism] instance representing AEAD using this algorithm and - * the given [SymmetricKeyAlgorithm]. + * Return a [MessageEncryptionMechanism] instance representing AEAD using this algorithm and the + * given [SymmetricKeyAlgorithm]. * * @param ciphermode symmetric key algorithm * @return MessageEncryptionMechanism representing aead(this, ciphermode) @@ -53,8 +54,8 @@ enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: companion object { /** - * Parse an [AEADAlgorithm] from an algorithm id. - * If no matching [AEADAlgorithm] is known, return `null`. + * Parse an [AEADAlgorithm] from an algorithm id. If no matching [AEADAlgorithm] is known, + * return `null`. * * @param id algorithm id * @return aeadAlgorithm or null @@ -65,8 +66,8 @@ enum class AEADAlgorithm(val algorithmId: Int, val ivLength: Int, val tagLength: } /** - * Parse an [AEADAlgorithm] from an algorithm id. - * If no matching [AEADAlgorithm] is known, throw a [NoSuchElementException]. + * Parse an [AEADAlgorithm] from an algorithm id. If no matching [AEADAlgorithm] is known, + * throw a [NoSuchElementException]. * * @param id algorithm id * @return aeadAlgorithm diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt index 008ed758..886f6830 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt @@ -9,6 +9,11 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.pgpainless.algorithm.OpenPGPKeyVersion +/** + * Return the [OpenPGPComponentKey] that issued the given [PGPOnePassSignature]. + * + * @param ops one pass signature + */ fun OpenPGPCertificate.getSigningKeyFor(ops: PGPOnePassSignature): OpenPGPComponentKey? = this.getKey(ops.keyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt index 18a0a737..a546c1a1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPImplementationExtensions.kt @@ -11,10 +11,20 @@ import org.bouncycastle.openpgp.api.OpenPGPImplementation import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder import org.bouncycastle.openpgp.operator.PGPDigestCalculator +/** + * Return a [PGPDigestCalculator] that is based on [HashAlgorithmTags.SHA1], used for key checksum + * calculations. + */ fun OpenPGPImplementation.checksumCalculator(): PGPDigestCalculator { return pgpDigestCalculatorProvider().get(HashAlgorithmTags.SHA1) } +/** + * Return a [PGPDataEncryptorBuilder] for the given [MessageEncryptionMechanism]. + * + * @param mechanism + * @return data encryptor builder + */ fun OpenPGPImplementation.pgpDataEncryptorBuilder( mechanism: MessageEncryptionMechanism ): PGPDataEncryptorBuilder { @@ -32,7 +42,5 @@ fun OpenPGPImplementation.pgpDataEncryptorBuilder( it.setUseV5AEAD() } } - - return it } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt index 06a7e8ed..cbdf97ef 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPKeyExtensions.kt @@ -5,17 +5,25 @@ package org.pgpainless.bouncycastle.extensions import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData -import org.bouncycastle.openpgp.PGPSignature import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPPrivateKey import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey import org.pgpainless.util.Passphrase +/** + * Return the [OpenPGPSecretKey] that can be used to decrypt the given [PGPPublicKeyEncryptedData]. + * + * @param pkesk public-key encrypted session-key packet + * @return secret key or null if no matching secret key was found + */ fun OpenPGPKey.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): OpenPGPSecretKey? = this.getSecretKey(pkesk.keyIdentifier) -fun OpenPGPKey.getSecretKeyFor(signature: PGPSignature): OpenPGPSecretKey? = - this.getSecretKey(signature.fingerprint!!.keyIdentifier) - -fun OpenPGPKey.OpenPGPSecretKey.unlock(passphrase: Passphrase): OpenPGPPrivateKey = +/** + * Unlock the [OpenPGPSecretKey], returning the unlocked [OpenPGPPrivateKey]. + * + * @param passphrase passphrase to unlock the key + * @return unlocked [OpenPGPPrivateKey] + */ +fun OpenPGPSecretKey.unlock(passphrase: Passphrase): OpenPGPPrivateKey = this.unlock(passphrase.getChars()) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt index 50633fcf..10b90d64 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt @@ -16,11 +16,22 @@ import org.pgpainless.PGPainless import org.pgpainless.key.OpenPgpFingerprint import org.pgpainless.key.SubkeyIdentifier -/** Return true, if this [PGPKeyRing] contains the subkey identified by the [SubkeyIdentifier]. */ +/** + * Return true, if this [PGPKeyRing] contains the subkey identified by the [SubkeyIdentifier]. + * + * @param subkeyIdentifier subkey identifier + * @return true if the [PGPKeyRing] contains the [SubkeyIdentifier] + */ fun PGPKeyRing.matches(subkeyIdentifier: SubkeyIdentifier): Boolean = this.publicKey.keyIdentifier.matches(subkeyIdentifier.certificateIdentifier) && this.getPublicKey(subkeyIdentifier.componentKeyIdentifier) != null +/** + * Return true, if this [PGPKeyRing] contains the given [componentKey]. + * + * @param componentKey component key + * @return true if the [PGPKeyRing] contains the [componentKey] + */ fun PGPKeyRing.matches(componentKey: OpenPGPComponentKey): Boolean = this.matches(SubkeyIdentifier(componentKey)) @@ -60,13 +71,37 @@ fun PGPKeyRing.hasPublicKey(fingerprint: OpenPgpFingerprint): Boolean = fun PGPKeyRing.getPublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey? = this.getPublicKey(fingerprint.keyIdentifier) +/** + * Return the [PGPPublicKey] with the given [keyIdentifier], or throw a [NoSuchElementException] if + * no matching public key was found. + * + * @param keyIdentifier key identifier + * @return public key + * @throws NoSuchElementException if no matching public key was found + */ fun PGPKeyRing.requirePublicKey(keyIdentifier: KeyIdentifier): PGPPublicKey = getPublicKey(keyIdentifier) ?: throw NoSuchElementException("OpenPGP key does not contain key with id $keyIdentifier.") +/** + * Return the [PGPPublicKey] with the given key-id, or throw a [NoSuchElementException] if no + * matching public key was found. + * + * @param keyId key id + * @return public key + * @throws NoSuchElementException if no matching public key was found + */ @Deprecated("Pass in a KeyIdentifier instead.") fun PGPKeyRing.requirePublicKey(keyId: Long): PGPPublicKey = requirePublicKey(KeyIdentifier(keyId)) +/** + * Return the [PGPPublicKey] with the given [fingerprint], or throw a [NoSuchElementException] if no + * matching public key was found. + * + * @param fingerprint key fingerprint + * @return public key + * @throws NoSuchElementException if no matching public key was found + */ fun PGPKeyRing.requirePublicKey(fingerprint: OpenPgpFingerprint): PGPPublicKey = requirePublicKey(fingerprint.keyIdentifier) @@ -90,9 +125,21 @@ val PGPKeyRing.openPgpFingerprint: OpenPgpFingerprint /** Return this OpenPGP key as an ASCII armored String. */ fun PGPKeyRing.toAsciiArmor(): String = PGPainless.asciiArmor(this) +/** + * Convert the given [PGPKeyRing] into an [OpenPGPCertificate]. + * + * @return certificate + */ @Deprecated("Use toOpenPGPCertificate(implementation) instead.") fun PGPKeyRing.toOpenPGPCertificate(): OpenPGPCertificate = toOpenPGPCertificate(PGPainless.getInstance().implementation) +/** + * Convert the given [PGPKeyRing] into an [OpenPGPCertificate] using the given + * [OpenPGPImplementation]. + * + * @param implementation OpenPGP implementation + * @return certificate + */ fun PGPKeyRing.toOpenPGPCertificate(implementation: OpenPGPImplementation): OpenPGPCertificate = OpenPGPCertificate(this, implementation) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt index 9566988f..44570f17 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensions.kt @@ -98,12 +98,30 @@ fun PGPSecretKeyRing.getSecretKeyFor(signature: PGPSignature): PGPSecretKey? = fun PGPSecretKeyRing.getSecretKeyFor(onePassSignature: PGPOnePassSignature): PGPSecretKey? = this.getSecretKey(onePassSignature.keyIdentifier) +/** + * Return the [PGPSecretKey] that can be used to decrypt the given [PGPPublicKeyEncryptedData] + * packet. + * + * @param pkesk public-key encrypted session-key packet + * @return secret-key or null if no matching secret key was found + */ fun PGPSecretKeyRing.getSecretKeyFor(pkesk: PGPPublicKeyEncryptedData): PGPSecretKey? = this.getSecretKey(pkesk.keyIdentifier) +/** + * Convert the [PGPSecretKeyRing] into an [OpenPGPKey]. + * + * @return key + */ @Deprecated("Use toOpenPGPKey(implementation) instead.") fun PGPSecretKeyRing.toOpenPGPKey(): OpenPGPKey = toOpenPGPKey(PGPainless.getInstance().implementation) +/** + * Convert the [PGPSecretKeyRing] into an [OpenPGPKey] using the given [OpenPGPImplementation]. + * + * @param implementation openpgp implementation + * @return key + */ fun PGPSecretKeyRing.toOpenPGPKey(implementation: OpenPGPImplementation): OpenPGPKey = OpenPGPKey(this, implementation) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt index 2b3d08c2..8ffd81a1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPSignatureExtensions.kt @@ -57,17 +57,29 @@ val PGPSignature.issuerKeyId: Long } } -/** Return true, if the signature was likely issued by a key with the given fingerprint. */ +/** + * Return true, if the signature was likely issued by a key with the given fingerprint. + * + * @param fingerprint fingerprint of the key + * @return true if signature was likely issued by the key + */ fun PGPSignature.wasIssuedBy(fingerprint: OpenPgpFingerprint): Boolean = wasIssuedBy(fingerprint.keyIdentifier) /** - * Return true, if the signature was likely issued by a key with the given fingerprint. + * Return true, if the signature was likely issued by the given key. * * @param key key + * @return true if signature was likely issued by the key */ fun PGPSignature.wasIssuedBy(key: PGPPublicKey): Boolean = wasIssuedBy(key.keyIdentifier) +/** + * Return true, if the signature was likely issued by a key with the given identifier. + * + * @param keyIdentifier key identifier + * @return true if signature was likely issued by the key + */ fun PGPSignature.wasIssuedBy(keyIdentifier: KeyIdentifier): Boolean = KeyIdentifier.matches(this.keyIdentifiers, keyIdentifier, true) @@ -87,6 +99,13 @@ val PGPSignature.isHardRevocation else -> false // Not a revocation } +/** + * Assert that the signatures creation time falls into the period between [notBefore] and + * [notAfter]. + * + * @param notBefore lower bound. If null, do not check the lower bound + * @param notAfter upper bound. If null, do not check the upper bound + */ fun PGPSignature.assertCreatedInBounds(notBefore: Date?, notAfter: Date?) { if (notBefore != null && creationTime < notBefore) { throw SignatureValidationException( @@ -102,19 +121,35 @@ fun PGPSignature.assertCreatedInBounds(notBefore: Date?, notAfter: Date?) { } } +/** + * Deduce a [RevocationState] from the signature. Non-revocation signatures result in + * [RevocationState.notRevoked]. Hard revocations result in [RevocationState.hardRevoked], while + * soft revocations return [RevocationState.softRevoked] + * + * @return revocation state + */ fun PGPSignature?.toRevocationState() = if (this == null) RevocationState.notRevoked() else if (isHardRevocation) RevocationState.hardRevoked() else RevocationState.softRevoked(creationTime) +/** The signatures issuer fingerprint as [OpenPgpFingerprint]. */ val PGPSignature.fingerprint: OpenPgpFingerprint? get() = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(this) +/** The signatures [PublicKeyAlgorithm]. */ val PGPSignature.publicKeyAlgorithm: PublicKeyAlgorithm get() = PublicKeyAlgorithm.requireFromId(keyAlgorithm) +/** The signatures [HashAlgorithm]. */ val PGPSignature.signatureHashAlgorithm: HashAlgorithm get() = HashAlgorithm.requireFromId(hashAlgorithm) +/** + * Return true if the signature has the given [SignatureType]. + * + * @param type signature type + * @return true if the signature type matches the signatures type + */ fun PGPSignature.isOfType(type: SignatureType): Boolean = SignatureType.fromCode(signatureType) == type diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt index fec2dcc1..0d7f8539 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAEADCipherSuitesExtensions.kt @@ -7,6 +7,7 @@ package org.pgpainless.bouncycastle.extensions import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites import org.pgpainless.algorithm.AEADCipherMode +/** Convert the [PreferredAEADCiphersuites] packet into a [Set] of [AEADCipherMode]. */ fun PreferredAEADCiphersuites?.toAEADCipherModes(): Set { return this?.algorithms?.asSequence()?.map { AEADCipherMode(it) }?.toSet() ?: setOf() } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt index e78e7568..1fadd60b 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PreferredAlgorithmsExtensions.kt @@ -9,16 +9,19 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.SymmetricKeyAlgorithm +/** Convert the [PreferredAlgorithms] packet into a [Set] of [HashAlgorithm] preferences. */ fun PreferredAlgorithms?.toHashAlgorithms(): Set { return this?.preferences?.asSequence()?.map { HashAlgorithm.requireFromId(it) }?.toSet() ?: setOf() } +/** Convert the [PreferredAlgorithms] packet into a [Set] of [SymmetricKeyAlgorithm] preferences. */ fun PreferredAlgorithms?.toSymmetricKeyAlgorithms(): Set { return this?.preferences?.asSequence()?.map { SymmetricKeyAlgorithm.requireFromId(it) }?.toSet() ?: setOf() } +/** Convert the [PreferredAlgorithms] packet into a [Set] of [CompressionAlgorithm] preferences. */ fun PreferredAlgorithms?.toCompressionAlgorithms(): Set { return this?.preferences?.asSequence()?.map { CompressionAlgorithm.requireFromId(it) }?.toSet() ?: setOf() diff --git a/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt b/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt index d1aa7682..cb3004ca 100644 --- a/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt +++ b/pgpainless-core/src/test/kotlin/org/pgpainless/bouncycastle/extensions/PGPSecretKeyRingExtensionsTest.kt @@ -4,18 +4,12 @@ package org.pgpainless.bouncycastle.extensions -import java.io.ByteArrayOutputStream import org.junit.jupiter.api.Assertions.assertFalse import org.junit.jupiter.api.Assertions.assertNotNull -import org.junit.jupiter.api.Assertions.assertNull import org.junit.jupiter.api.Assertions.assertTrue import org.junit.jupiter.api.Test import org.junit.jupiter.api.assertThrows -import org.pgpainless.PGPainless -import org.pgpainless.encryption_signing.ProducerOptions -import org.pgpainless.encryption_signing.SigningOptions import org.pgpainless.key.TestKeys -import org.pgpainless.key.protection.SecretKeyRingProtector class PGPSecretKeyRingExtensionsTest { @@ -46,23 +40,4 @@ class PGPSecretKeyRingExtensionsTest { } assertThrows { key.requireSecretKey(TestKeys.ROMEO_FINGERPRINT) } } - - @Test - fun testGetSecretKeyForSignature() { - val key = TestKeys.getEmilKey() - val signer = - PGPainless.getInstance() - .generateMessage() - .onOutputStream(ByteArrayOutputStream()) - .withOptions( - ProducerOptions.sign( - SigningOptions.get() - .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key))) - signer.write("Hello, World!\n".toByteArray()) - signer.close() - val sig = signer.result.detachedSignatures.first().value.first() - - assertNotNull(key.getSecretKeyFor(sig)) - assertNull(TestKeys.getRomeoSecretKeyRing().getSecretKeyFor(sig)) - } } From 963e442b3cf366dbc9271624c6730d31647a49bd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 13 May 2025 15:35:31 +0200 Subject: [PATCH 222/265] Add missing license headers --- .../src/main/kotlin/org/pgpainless/exception/KeyException.kt | 4 ++++ .../org/pgpainless/exception/MissingPassphraseException.kt | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt index de9a7211..56d685c9 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception import java.util.* diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt index 010f4fc7..ee404a99 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/MissingPassphraseException.kt @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception import java.util.* From e552255aa6a518ea0c6d9543d9912ccc2dd40e85 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 13 May 2025 15:36:09 +0200 Subject: [PATCH 223/265] Generate-Key: Use new packet tags --- .../kotlin/org/pgpainless/sop/GenerateKeyImpl.kt | 5 +++-- .../main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt | 3 +-- .../main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt | 12 ++++++------ .../operation/PGPainlessMergeCertsTest.java | 11 +++++++++++ 4 files changed, 21 insertions(+), 10 deletions(-) create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessMergeCertsTest.java diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index d343652d..841a12ae 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -8,6 +8,7 @@ import java.io.OutputStream import java.lang.RuntimeException import java.security.InvalidAlgorithmParameterException import java.security.NoSuchAlgorithmException +import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless @@ -49,10 +50,10 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - val armored = key.toAsciiArmoredString() + val armored = key.toAsciiArmoredString(PacketFormat.CURRENT) outputStream.write(armored.toByteArray()) } else { - key.pgpKeyRing.encode(outputStream) + outputStream.write(key.getEncoded(PacketFormat.CURRENT)) } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt index d0997041..13fd0065 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt @@ -7,7 +7,6 @@ package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream import org.bouncycastle.bcpg.KeyIdentifier -import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless import org.pgpainless.util.ArmoredOutputStreamFactory @@ -56,7 +55,7 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { // emit merged and updated base certs for (merged in baseCerts.values) { - out.write(merged.getEncoded(PacketFormat.CURRENT)) + out.write(merged.getEncoded()) } if (armor) { diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt index 40b5103f..27717ec0 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt @@ -7,9 +7,7 @@ package org.pgpainless.sop import java.io.IOException import java.io.InputStream import java.io.OutputStream -import java.lang.RuntimeException import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPPublicKeyRingCollection import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate @@ -68,14 +66,16 @@ class RevokeKeyImpl(private val api: PGPainless) : RevokeKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { - val collection = - PGPPublicKeyRingCollection(revocationCertificates.map { it.pgpPublicKeyRing }) if (armor) { val armorOut = ArmoredOutputStreamFactory.get(outputStream) - collection.encode(armorOut) + for (cert in revocationCertificates) { + armorOut.write(cert.getEncoded()) + } armorOut.close() } else { - collection.encode(outputStream) + for (cert in revocationCertificates) { + outputStream.write(cert.getEncoded()) + } } } } diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessMergeCertsTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessMergeCertsTest.java new file mode 100644 index 00000000..ba674c5a --- /dev/null +++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessMergeCertsTest.java @@ -0,0 +1,11 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package sop.testsuite.pgpainless.operation; + +import sop.testsuite.operation.MergeCertsTest; + +public class PGPainlessMergeCertsTest extends MergeCertsTest { + +} From af500bdec1c4e245abe64255bcc880a9aab0b7ca Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 14 May 2025 12:17:36 +0200 Subject: [PATCH 224/265] Fix test --- .../java/org/pgpainless/key/parsing/KeyRingReaderTest.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index f16375a5..0fbc78be 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -611,8 +611,7 @@ class KeyRingReaderTest { @Test public void testReadKeyRingWithArmoredSecretKey() throws IOException { OpenPGPKey secretKeys = api.generateKey().modernKeyRing("Alice "); - // remove PacketFormat argument once https://github.com/bcgit/bc-java/pull/1993 lands in BC - String armored = secretKeys.toAsciiArmoredString(PacketFormat.LEGACY); + String armored = secretKeys.toAsciiArmoredString(); PGPKeyRing keyRing = PGPainless.readKeyRing() .keyRing(armored); From 66d270c0719f8e7eef736342a599995773f99d19 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 14 May 2025 13:26:01 +0200 Subject: [PATCH 225/265] TestAllImplementations: Fix javadoc --- .../main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt | 4 ++++ .../java/org/pgpainless/util/OpenPGPCertificateUtilTest.java | 4 ++++ .../test/java/org/pgpainless/util/TestAllImplementations.java | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt create mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt new file mode 100644 index 00000000..ee8ca8ac --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt @@ -0,0 +1,4 @@ +package org.pgpainless.util + +class OpenPGPCertificateUtil { +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java new file mode 100644 index 00000000..7943c195 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java @@ -0,0 +1,4 @@ +package org.pgpainless.util; + +public class OpenPGPCertificateUtilTest { +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java index c9897acf..8467a0eb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java @@ -25,7 +25,7 @@ import org.junit.jupiter.api.extension.TestTemplateInvocationContextProvider; * Example test annotation: * {@code * @TestTemplate - * @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + * @ExtendWith(TestAllImplementations.class) * public void testAllImplementationFactories() { * ... * } From b8841a4415f510a3a701c7e4565f56a49b4bda77 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 14 May 2025 13:26:30 +0200 Subject: [PATCH 226/265] KeyRingReaderTest: Remove unused import --- .../test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java | 1 - 1 file changed, 1 deletion(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index 0fbc78be..f868c6b7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -23,7 +23,6 @@ import java.util.List; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.bcpg.BCPGOutputStream; import org.bouncycastle.bcpg.MarkerPacket; -import org.bouncycastle.bcpg.PacketFormat; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRing; From 92d66f7f3017f6d5c3299c6d2d0c4976118cf2b9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 14 May 2025 13:27:06 +0200 Subject: [PATCH 227/265] Add OpenPGPCertificateUtil and unify the way, SOP encodes/armors certificates/keys --- .../OpenPGPCertificateExtensions.kt | 38 ++++++ .../pgpainless/util/OpenPGPCertificateUtil.kt | 47 +++++++- .../util/OpenPGPCertificateUtilTest.java | 114 ++++++++++++++++++ .../org/pgpainless/sop/CertifyUserIdImpl.kt | 69 +++++------ .../pgpainless/sop/ChangeKeyPasswordImpl.kt | 11 +- .../org/pgpainless/sop/ExtractCertImpl.kt | 16 +-- .../org/pgpainless/sop/GenerateKeyImpl.kt | 7 +- .../org/pgpainless/sop/MergeCertsImpl.kt | 19 +-- .../org/pgpainless/sop/RevokeKeyImpl.kt | 12 +- .../org/pgpainless/sop/UpdateKeyImpl.kt | 32 ++--- 10 files changed, 260 insertions(+), 105 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt index 886f6830..04053547 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt @@ -4,6 +4,9 @@ package org.pgpainless.bouncycastle.extensions +import java.io.OutputStream +import org.bouncycastle.bcpg.ArmoredOutputStream +import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.PGPOnePassSignature import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey @@ -22,3 +25,38 @@ fun OpenPGPCertificate.getKeyVersion(): OpenPGPKeyVersion = primaryKey.getKeyVer /** Return the [OpenPGPKeyVersion] of the component key. */ fun OpenPGPComponentKey.getKeyVersion(): OpenPGPKeyVersion = OpenPGPKeyVersion.from(this.version) + +/** + * ASCII-armor-encode the certificate into the given [OutputStream]. + * + * @param outputStream output stream + * @param format packet length encoding format, defaults to [PacketFormat.ROUNDTRIP] + */ +fun OpenPGPCertificate.asciiArmor( + outputStream: OutputStream, + format: PacketFormat = PacketFormat.ROUNDTRIP +) { + outputStream.write(toAsciiArmoredString(format).encodeToByteArray()) +} + +/** + * ASCII-armor-encode the certificate into the given [OutputStream]. + * + * @param outputStream output stream + * @param format packet length encoding format, defaults to [PacketFormat.ROUNDTRIP] + * @param armorBuilder builder for the ASCII armored output stream + */ +fun OpenPGPCertificate.asciiArmor( + outputStream: OutputStream, + format: PacketFormat, + armorBuilder: ArmoredOutputStream.Builder +) { + outputStream.write(toAsciiArmoredString(format, armorBuilder).encodeToByteArray()) +} + +fun OpenPGPCertificate.encode( + outputStream: OutputStream, + format: PacketFormat = PacketFormat.ROUNDTRIP +) { + outputStream.write(getEncoded(format)) +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt index ee8ca8ac..48475547 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt @@ -1,4 +1,49 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util -class OpenPGPCertificateUtil { +import java.io.OutputStream +import org.bouncycastle.bcpg.ArmoredOutputStream +import org.bouncycastle.bcpg.PacketFormat +import org.bouncycastle.openpgp.api.OpenPGPCertificate +import org.pgpainless.bouncycastle.extensions.asciiArmor +import org.pgpainless.bouncycastle.extensions.encode + +class OpenPGPCertificateUtil private constructor() { + + companion object { + @JvmStatic + @JvmOverloads + fun encode( + certs: Collection, + outputStream: OutputStream, + packetFormat: PacketFormat = PacketFormat.ROUNDTRIP + ) { + for (cert in certs) { + cert.encode(outputStream, packetFormat) + } + } + + @JvmStatic + @JvmOverloads + fun armor( + certs: Collection, + outputStream: OutputStream, + packetFormat: PacketFormat = PacketFormat.ROUNDTRIP + ) { + if (certs.size == 1) { + // Add pretty armor header to single cert/key + certs.iterator().next().asciiArmor(outputStream, packetFormat) + } else { + // Do not add a pretty header + val aOut = ArmoredOutputStream(outputStream) + for (cert in certs) { + cert.encode(aOut, packetFormat) + } + aOut.close() + } + } + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java index 7943c195..520dc303 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java @@ -1,4 +1,118 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; +import org.bouncycastle.bcpg.PacketFormat; +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; +import org.pgpainless.PGPainless; + +import java.io.ByteArrayOutputStream; +import java.util.ArrayList; +import java.util.List; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + public class OpenPGPCertificateUtilTest { + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncodeSingleCert() { + PGPainless api = PGPainless.getInstance(); + + List certs = new ArrayList<>(); + certs.add(api.generateKey().modernKeyRing("Alice ").toCertificate()); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT); + String armor = bOut.toString(); + + assertTrue(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: "), + "For a single cert, the ASCII armor MUST contain a comment with the fingerprint"); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncodeSingleKey() { + PGPainless api = PGPainless.getInstance(); + + List certs = new ArrayList<>(); + certs.add(api.generateKey().modernKeyRing("Alice ")); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT); + String armor = bOut.toString(); + + assertTrue(armor.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: "), + "For a single key, the ASCII armor MUST contain a comment with the fingerprint"); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncodeTwoCerts() { + PGPainless api = PGPainless.getInstance(); + + List certs = new ArrayList<>(); + certs.add(api.generateKey().modernKeyRing("Alice ").toCertificate()); + certs.add(api.generateKey().modernKeyRing("Bob ").toCertificate()); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT); + String armor = bOut.toString(); + + assertTrue(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")); + assertEquals( + armor.indexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"), + armor.lastIndexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"), + "There MUST only be a single block in the armor."); + assertFalse(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: "), + "For multiple certs, the ASCII armor MUST NOT contain a comment containing the fingerprint"); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncodeCertAndKey() { + PGPainless api = PGPainless.getInstance(); + + List certs = new ArrayList<>(); + certs.add(api.generateKey().modernKeyRing("Alice ").toCertificate()); + certs.add(api.generateKey().modernKeyRing("Bob ")); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT); + String armor = bOut.toString(); + + assertTrue(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")); + assertEquals( + armor.indexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"), + armor.lastIndexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----")); + assertFalse(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: "), + "For multiple certs/keys, the ASCII armor MUST NOT contain a comment containing the fingerprint"); + } + + @TestTemplate + @ExtendWith(TestAllImplementations.class) + public void testEncodeKeyAndCert() { + PGPainless api = PGPainless.getInstance(); + + List certs = new ArrayList<>(); + certs.add(api.generateKey().modernKeyRing("Alice ")); + certs.add(api.generateKey().modernKeyRing("Bob ").toCertificate()); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT); + String armor = bOut.toString(); + + assertTrue(armor.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----")); + assertEquals( + armor.indexOf("-----BEGIN PGP PRIVATE KEY BLOCK-----"), + armor.lastIndexOf("-----BEGIN PGP PRIVATE KEY BLOCK-----")); + assertFalse(armor.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: "), + "For multiple certs, the ASCII armor MUST NOT contain a comment containing the fingerprint"); + } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt index 4ab85803..cbd97934 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/CertifyUserIdImpl.kt @@ -6,11 +6,10 @@ package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream -import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.exception.KeyException -import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.OpenPGPCertificateUtil import org.pgpainless.util.Passphrase import sop.Ready import sop.exception.SOPGPException @@ -27,45 +26,43 @@ class CertifyUserIdImpl(private val api: PGPainless) : CertifyUserId { override fun certs(certs: InputStream): Ready { return object : Ready() { override fun writeTo(outputStream: OutputStream) { - val out = - if (armor) { - ArmoredOutputStreamFactory.get(outputStream) - } else outputStream - api.readKey() - .parseCertificates(certs) - .onEach { cert -> - if (requireSelfSig) { - // Check for non-bound user-ids - userIds - .find { cert.getUserId(it)?.isBound != true } - ?.let { throw SOPGPException.CertUserIdNoMatch(cert.fingerprint) } - } - } - .forEach { cert -> - var certificate = cert - keys.forEach { key -> - userIds.forEach { userId -> - try { - certificate = - api.generateCertification() - .certifyUserId(userId, certificate) - .withKey(key, protector) - .build() - .certifiedCertificate - } catch (e: KeyException) { - throw SOPGPException.KeyCannotCertify(e) - } + val certificates = + api.readKey() + .parseCertificates(certs) + .onEach { cert -> + if (requireSelfSig) { + // Check for non-bound user-ids + userIds + .find { cert.getUserId(it)?.isBound != true } + ?.let { + throw SOPGPException.CertUserIdNoMatch(cert.fingerprint) + } } } + .map { cert -> + var certificate = cert + keys.forEach { key -> + userIds.forEach { userId -> + try { + certificate = + api.generateCertification() + .certifyUserId(userId, certificate) + .withKey(key, protector) + .build() + .certifiedCertificate + } catch (e: KeyException) { + throw SOPGPException.KeyCannotCertify(e) + } + } + } + certificate + } - out.write(certificate.getEncoded(PacketFormat.CURRENT)) - } - - out.close() if (armor) { - // armored output stream does not close inner stream - outputStream.close() + OpenPGPCertificateUtil.armor(certificates, outputStream) + } else { + OpenPGPCertificateUtil.encode(certificates, outputStream) } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt index f8b66896..a7d0c530 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ChangeKeyPasswordImpl.kt @@ -8,12 +8,11 @@ import java.io.IOException import java.io.InputStream import java.io.OutputStream import org.bouncycastle.openpgp.PGPException -import org.bouncycastle.openpgp.PGPSecretKeyRingCollection import org.pgpainless.PGPainless import org.pgpainless.exception.MissingPassphraseException import org.pgpainless.key.protection.SecretKeyRingProtector import org.pgpainless.key.util.KeyRingUtils -import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.OpenPGPCertificateUtil import org.pgpainless.util.Passphrase import sop.Ready import sop.exception.SOPGPException @@ -54,16 +53,14 @@ class ChangeKeyPasswordImpl(private val api: PGPainless) : ChangeKeyPassword { "Cannot change passphrase of key ${it.keyIdentifier}", e) } } - .let { PGPSecretKeyRingCollection(it) } + .map { api.toKey(it) } return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - ArmoredOutputStreamFactory.get(outputStream).use { - updatedSecretKeys.encode(it) - } + OpenPGPCertificateUtil.armor(updatedSecretKeys, outputStream) } else { - updatedSecretKeys.encode(outputStream) + OpenPGPCertificateUtil.encode(updatedSecretKeys, outputStream) } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt index b4677a56..fc72d994 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ExtractCertImpl.kt @@ -7,7 +7,7 @@ package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream import org.pgpainless.PGPainless -import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.OpenPGPCertificateUtil import sop.Ready import sop.operation.ExtractCert @@ -22,19 +22,9 @@ class ExtractCertImpl(private val api: PGPainless) : ExtractCert { return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - if (certs.size == 1) { - val cert = certs[0] - // This way we have a nice armor header with fingerprint and user-ids - val armored = cert.toAsciiArmoredString() - outputStream.write(armored.toByteArray()) - } else { - // for multiple certs, add no info headers to the ASCII armor - val armorOut = ArmoredOutputStreamFactory.get(outputStream) - certs.forEach { armorOut.write(it.encoded) } - armorOut.close() - } + OpenPGPCertificateUtil.armor(certs, outputStream) } else { - certs.forEach { outputStream.write(it.encoded) } + OpenPGPCertificateUtil.encode(certs, outputStream) } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index 841a12ae..a85468ee 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -13,6 +13,8 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.bouncycastle.extensions.asciiArmor +import org.pgpainless.bouncycastle.extensions.encode import org.pgpainless.key.generation.KeyRingBuilder import org.pgpainless.key.generation.KeySpec import org.pgpainless.key.generation.type.KeyType @@ -50,10 +52,9 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - val armored = key.toAsciiArmoredString(PacketFormat.CURRENT) - outputStream.write(armored.toByteArray()) + key.asciiArmor(outputStream, PacketFormat.CURRENT) } else { - outputStream.write(key.getEncoded(PacketFormat.CURRENT)) + key.encode(outputStream, PacketFormat.CURRENT) } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt index 13fd0065..dc429c9e 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/MergeCertsImpl.kt @@ -9,7 +9,7 @@ import java.io.OutputStream import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless -import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.OpenPGPCertificateUtil import sop.Ready import sop.operation.MergeCerts @@ -46,22 +46,11 @@ class MergeCertsImpl(private val api: PGPainless) : MergeCerts { baseCerts[update.keyIdentifier] = api.mergeCertificate(baseCert, update) } - val out = - if (armor) { - ArmoredOutputStreamFactory.get(outputStream) - } else { - outputStream - } - - // emit merged and updated base certs - for (merged in baseCerts.values) { - out.write(merged.getEncoded()) - } - if (armor) { - out.close() + OpenPGPCertificateUtil.armor(baseCerts.values, outputStream) + } else { + OpenPGPCertificateUtil.encode(baseCerts.values, outputStream) } - outputStream.close() } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt index 27717ec0..0c7e3585 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/RevokeKeyImpl.kt @@ -14,7 +14,7 @@ import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate import org.pgpainless.exception.WrongPassphraseException import org.pgpainless.key.util.KeyRingUtils import org.pgpainless.key.util.RevocationAttributes -import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.OpenPGPCertificateUtil import org.pgpainless.util.Passphrase import sop.Ready import sop.exception.SOPGPException @@ -67,15 +67,9 @@ class RevokeKeyImpl(private val api: PGPainless) : RevokeKey { return object : Ready() { override fun writeTo(outputStream: OutputStream) { if (armor) { - val armorOut = ArmoredOutputStreamFactory.get(outputStream) - for (cert in revocationCertificates) { - armorOut.write(cert.getEncoded()) - } - armorOut.close() + OpenPGPCertificateUtil.armor(revocationCertificates, outputStream) } else { - for (cert in revocationCertificates) { - outputStream.write(cert.getEncoded()) - } + OpenPGPCertificateUtil.encode(revocationCertificates, outputStream) } } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt index 28f4a296..c9f8e605 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt @@ -7,12 +7,10 @@ package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream import org.bouncycastle.bcpg.KeyIdentifier -import org.bouncycastle.bcpg.PacketFormat import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.OpenPGPCertificate -import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless -import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.OpenPGPCertificateUtil import org.pgpainless.util.Passphrase import sop.Ready import sop.operation.UpdateKey @@ -29,33 +27,25 @@ class UpdateKeyImpl(private val api: PGPainless) : UpdateKey { override fun key(key: InputStream): Ready { return object : Ready() { override fun writeTo(outputStream: OutputStream) { - val out = - if (armor) { - ArmoredOutputStreamFactory.get(outputStream) - } else { - outputStream - } - - val keyList = api.readKey().parseKeys(key) - for (k in keyList) { - val updatedKey: OpenPGPKey = - if (mergeCerts[k.keyIdentifier] == null) { - k + val keyList = + api.readKey().parseKeys(key).map { + if (mergeCerts[it.keyIdentifier] == null) { + it } else { val updatedCert: OpenPGPCertificate = api.mergeCertificate( - k.toCertificate(), mergeCerts[k.keyIdentifier]!!) + it.toCertificate(), mergeCerts[it.keyIdentifier]!!) api.toKey( PGPSecretKeyRing.replacePublicKeys( - k.pgpSecretKeyRing, updatedCert.pgpPublicKeyRing)) + it.pgpSecretKeyRing, updatedCert.pgpPublicKeyRing)) } - out.write(updatedKey.getEncoded(PacketFormat.CURRENT)) - } + } if (armor) { - out.close() + OpenPGPCertificateUtil.armor(keyList, outputStream) + } else { + OpenPGPCertificateUtil.encode(keyList, outputStream) } - outputStream.close() } } } From ca1dfae86f0dafb719f04e4faad910264d0f96fb Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:05:36 +0200 Subject: [PATCH 228/265] Fix references in javadoc --- .../org/pgpainless/authentication/CertificateAuthority.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt index 861ac22c..95e23bc7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/authentication/CertificateAuthority.kt @@ -12,8 +12,8 @@ import org.pgpainless.key.OpenPgpFingerprint * Interface for a CA that can authenticate trust-worthy certificates. Such a CA might be a fixed * list of trustworthy certificates, or a dynamic implementation like the Web-of-Trust. * - * @see PGPainless-WOT - * @see OpenPGP Web of Trust + * @see [PGPainless-WOT](https://github.com/pgpainless/pgpainless-wot) + * @see [OpenPGP Web of Trust](https://sequoia-pgp.gitlab.io/sequoia-wot/) */ interface CertificateAuthority { From 30de257d463e314a89fc44f1b3bfbc3ee4520052 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:21:06 +0200 Subject: [PATCH 229/265] Fix more javadoc references --- .../pgpainless/algorithm/PublicKeyAlgorithm.kt | 9 +++------ .../decryption_verification/MessageMetadata.kt | 15 ++++++--------- .../encryption_signing/EncryptionStream.kt | 6 +++--- .../encryption_signing/ProducerOptions.kt | 4 ++-- .../org/pgpainless/key/OpenPgpFingerprint.kt | 4 ++-- .../key/protection/KeyRingProtectionSettings.kt | 2 +- .../key/protection/fixes/S2KUsageFix.kt | 9 +++------ .../key/util/PublicKeyParameterValidationUtil.kt | 8 ++++---- .../main/kotlin/org/pgpainless/key/util/UserId.kt | 4 ++-- .../main/kotlin/org/pgpainless/policy/Policy.kt | 10 ++++------ .../main/kotlin/org/pgpainless/util/ArmorUtils.kt | 12 ++++++------ 11 files changed, 36 insertions(+), 47 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt index 075316ed..a5da51b5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/PublicKeyAlgorithm.kt @@ -25,8 +25,7 @@ enum class PublicKeyAlgorithm(val algorithmId: Int) { /** * RSA with usage encryption. * - * @deprecated see Deprecation - * notice + * @deprecated see [Deprecation notice](https://tools.ietf.org/html/rfc4880#section-13.5) */ @Deprecated("RSA_ENCRYPT is deprecated in favor of RSA_GENERAL", ReplaceWith("RSA_GENERAL")) RSA_ENCRYPT(2), @@ -34,8 +33,7 @@ enum class PublicKeyAlgorithm(val algorithmId: Int) { /** * RSA with usage of creating signatures. * - * @deprecated see Deprecation - * notice + * @deprecated see [Deprecation notice](https://tools.ietf.org/html/rfc4880#section-13.5) */ @Deprecated("RSA_SIGN is deprecated in favor of RSA_GENERAL", ReplaceWith("RSA_GENERAL")) RSA_SIGN(3), @@ -55,8 +53,7 @@ enum class PublicKeyAlgorithm(val algorithmId: Int) { /** * ElGamal General. * - * @deprecated see Deprecation - * notice + * @deprecated see [Deprecation notice](https://tools.ietf.org/html/rfc4880#section-13.8) */ @Deprecated("ElGamal is deprecated") ELGAMAL_GENERAL(20), diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt index 8e257a23..4e0260c1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/MessageMetadata.kt @@ -337,8 +337,7 @@ class MessageMetadata(val message: Message) { * decrypted file under its original filename, but since this field is not necessarily part of * the signed data of a message, usage of this field is discouraged. * - * @see RFC4880 §5.9. Literal Data - * Packet + * @see [RFC4880 §5.9. Literal Data Packet](https://www.rfc-editor.org/rfc/rfc4880#section-5.9) */ val filename: String? = findLiteralData()?.fileName @@ -355,8 +354,7 @@ class MessageMetadata(val message: Message) { * the modification date of a decrypted file, but since this field is not necessarily part of * the signed data, its use is discouraged. * - * @see RFC4880 §5.9. Literal Data - * Packet + * @see [RFC4880 §5.9. Literal Data Packet](https://www.rfc-editor.org/rfc/rfc4880#section-5.9) */ val modificationDate: Date? = findLiteralData()?.modificationDate @@ -365,8 +363,7 @@ class MessageMetadata(val message: Message) { * binary data, ...) the data has. Since this field is not necessarily part of the signed data * of a message, its usage is discouraged. * - * @see RFC4880 §5.9. Literal Data - * Packet + * @see [RFC4880 §5.9. Literal Data Packet](https://www.rfc-editor.org/rfc/rfc4880#section-5.9) */ val literalDataEncoding: StreamEncoding? = findLiteralData()?.format @@ -459,8 +456,8 @@ class MessageMetadata(val message: Message) { * Outermost OpenPGP Message structure. * * @param cleartextSigned whether the message is using the Cleartext Signature Framework - * @see RFC4880 §7. Cleartext - * Signature Framework + * @see + * [RFC4880 §7. Cleartext Signature Framework](https://www.rfc-editor.org/rfc/rfc4880#section-7) */ class Message(var cleartextSigned: Boolean = false) : Layer(0) { fun setCleartextSigned() = apply { cleartextSigned = true } @@ -499,7 +496,7 @@ class MessageMetadata(val message: Message) { /** * Encrypted Data. * - * @param algorithm symmetric key algorithm used to encrypt the packet. + * @param mechanism mechanism used to encrypt the packet. * @param depth nesting depth at which this packet was encountered. */ class EncryptedData(val mechanism: MessageEncryptionMechanism, depth: Int) : diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index d2a9a63c..9ccbfc10 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -30,10 +30,10 @@ const val BUFFER_SIZE = 1 shl 9 * OutputStream that produces an OpenPGP message. The message can be encrypted, signed, or both, * depending on its configuration. * - * This class is based upon Jens Neuhalfen's Bouncy-GPG PGPEncryptingStream. + * This class was originally based upon Jens Neuhalfen's Bouncy-GPG PGPEncryptingStream. * - * @see Source + * @see + * [PGPEncryptingStream](https://github.com/neuhalje/bouncy-gpg/blob/master/src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/encrypting/PGPEncryptingStream.java) */ class EncryptionStream( private var outermostStream: OutputStream, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt index b58c6e78..e2c4596f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt @@ -180,8 +180,8 @@ class ProducerOptions( * * @param encoding encoding * @return this - * @see RFC4880 §5.9. - * Literal Data Packet + * @see + * [RFC4880 §5.9. Literal Data Packet](https://datatracker.ietf.org/doc/html/rfc4880#section-5.9) * @deprecated options other than the default value of [StreamEncoding.BINARY] are discouraged. */ @Deprecated("Options other than BINARY are discouraged.") diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt index d4925252..7508ca77 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/OpenPgpFingerprint.kt @@ -32,8 +32,8 @@ abstract class OpenPgpFingerprint : CharSequence, Comparable * fingerprint, but we don't care, since V3 is deprecated. * * @return key id - * @see RFC-4880 §12.2: Key IDs and - * Fingerprints + * @see + * [RFC-4880 §12.2: Key IDs and Fingerprints](https://tools.ietf.org/html/rfc4880#section-12.2) */ abstract val keyId: Long diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt index e9cdb973..b6c0e492 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/KeyRingProtectionSettings.kt @@ -14,7 +14,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm * @param encryptionAlgorithm encryption algorithm * @param hashAlgorithm hash algorithm * @param s2kCount encoded (!) s2k iteration count - * @see Encoding Formula + * @see [Encoding Formula](https://www.rfc-editor.org/rfc/rfc4880#section-3.7.1.3) */ data class KeyRingProtectionSettings( val encryptionAlgorithm: SymmetricKeyAlgorithm, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt index b7447af7..fee9047f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/fixes/S2KUsageFix.kt @@ -19,11 +19,9 @@ import org.pgpainless.key.protection.fixes.S2KUsageFix.Companion.replaceUsageChe * method [replaceUsageChecksumWithUsageSha1] ensures that such keys are encrypted using S2K usage * [SecretKeyPacket.USAGE_SHA1] instead. * - * @see Related PGPainless Bug - * Report - * @see Related PGPainless Feature - * Request - * @see Related upstream BC bug report + * @see [Related PGPainless Bug Report](https://github.com/pgpainless/pgpainless/issues/176) + * @see [Related PGPainless Feature Request](https://github.com/pgpainless/pgpainless/issues/178) + * @see [Related upstream BC bug report](https://github.com/bcgit/bc-java/issues/1020) */ class S2KUsageFix { @@ -39,7 +37,6 @@ class S2KUsageFix { * @param skipKeysWithMissingPassphrase if set to true, missing subkey passphrases will * cause the subkey to stay unaffected. * @return fixed key ring - * @throws PGPException in case of a PGP error. */ @JvmStatic @JvmOverloads diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt index fa91b1aa..130e12ff 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/PublicKeyParameterValidationUtil.kt @@ -24,7 +24,7 @@ import org.pgpainless.exception.KeyIntegrityException * modified public key in combination with the unmodified secret key material can then lead to the * extraction of secret key parameters via weakly crafted messages. * - * @see Key Overwriting (KO) Attacks against OpenPGP + * @see [Key Overwriting (KO) Attacks against OpenPGP](https://www.kopenpgp.com/) */ class PublicKeyParameterValidationUtil { @@ -153,13 +153,13 @@ class PublicKeyParameterValidationUtil { /** * Validate ElGamal public key parameters. * - * Original implementation by the openpgpjs authors: RFC5322 §3.4. Address - * Specification + * @see + * [RFC5322 §3.4. Address Specification](https://www.rfc-editor.org/rfc/rfc5322#page-16) */ @JvmStatic fun parse(string: String): UserId { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 46dab518..9b23074f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -354,12 +354,10 @@ class Policy( * problems to have a strength of at least 2000 bits. * * @return default algorithm policy - * @see BSI - - * Technical Guideline - Cryptographic Mechanisms: Recommendations and Key Lengths - * (2021-01) - * @see BlueKrypt | Cryptographic Key Length - * Recommendation + * @see + * [BSI - Technical Guideline - Cryptographic Mechanisms: Recommendations and Key Lengths (2021-01)](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf) + * @see + * [BlueKrypt | Cryptographic Key Length Recommendation](https://www.keylength.com/) */ @JvmStatic fun bsi2021PublicKeyAlgorithmPolicy() = diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt index 18b64453..92da93c5 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt @@ -283,8 +283,8 @@ class ArmorUtils { * * @param armor armored output stream * @param hashAlgorithm hash algorithm - * @see RFC 4880 - - * OpenPGP Message Format §6.2. Forming ASCII Armor + * @see + * [RFC 4880 - OpenPGP Message Format §6.2. Forming ASCII Armor](https://datatracker.ietf.org/doc/html/rfc4880#section-6.2) */ @JvmStatic @Deprecated( @@ -298,8 +298,8 @@ class ArmorUtils { * * @param armor armored output stream * @param comment free-text comment - * @see RFC 4880 - - * OpenPGP Message Format §6.2. Forming ASCII Armor + * @see + * [RFC 4880 - OpenPGP Message Format §6.2. Forming ASCII Armor](https://datatracker.ietf.org/doc/html/rfc4880#section-6.2) */ @JvmStatic @Deprecated( @@ -313,8 +313,8 @@ class ArmorUtils { * * @param armor armored output stream * @param messageId message id - * @see RFC 4880 - - * OpenPGP Message Format §6.2. Forming ASCII Armor + * @see + * [RFC 4880 - OpenPGP Message Format §6.2. Forming ASCII Armor](https://datatracker.ietf.org/doc/html/rfc4880#section-6.2) */ @JvmStatic @Deprecated( From 197c1337c652ef713dd5a66e53040aa5af2d1ee4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:31:40 +0200 Subject: [PATCH 230/265] Document KOpenPGP mitigations --- .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 9b23074f..2759272a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -36,6 +36,14 @@ class Policy( NotationRegistry(), AlgorithmSuite.defaultAlgorithmSuite) + /** + * Decide, whether to sanitize public key parameters when unlocking OpenPGP secret keys. + * OpenPGP v4 keys are susceptible to a class of attacks, where an attacker with access + * to the locked key material (e.g. a cloud email provider) might manipulate unprotected + * public key parameters of the key, leading to potential secret key leakage. + * + * @see [Key Overwriting (KO) Attacks against OpenPGP](https://www.kopenpgp.com/) + */ var enableKeyParameterValidation = false fun copy() = Builder(this) From c99402dc3c2124fb170ec051c8710665d03b3ed1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:34:48 +0200 Subject: [PATCH 231/265] Simplify SessionKey conversion --- .../src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt index 7b869c32..ddd11d50 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/DecryptImpl.kt @@ -69,13 +69,10 @@ class DecryptImpl(private val api: PGPainless) : Decrypt { val verificationList = metadata.verifiedInlineSignatures.map { VerificationHelper.mapVerification(it) } - var sessionKey: SessionKey? = null - if (metadata.sessionKey != null) { - sessionKey = - SessionKey( - metadata.sessionKey!!.algorithm.algorithmId.toByte(), - metadata.sessionKey!!.key) - } + val sessionKey: SessionKey? = + metadata.sessionKey?.let { + SessionKey(it.algorithm.algorithmId.toByte(), it.key) + } return DecryptionResult(sessionKey, verificationList) } } From 139565369887f3c8082767c87886c5c4a5692ac1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:49:35 +0200 Subject: [PATCH 232/265] Document KOpenPGP mitigations --- .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 2759272a..0e343cbf 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -37,10 +37,10 @@ class Policy( AlgorithmSuite.defaultAlgorithmSuite) /** - * Decide, whether to sanitize public key parameters when unlocking OpenPGP secret keys. - * OpenPGP v4 keys are susceptible to a class of attacks, where an attacker with access - * to the locked key material (e.g. a cloud email provider) might manipulate unprotected - * public key parameters of the key, leading to potential secret key leakage. + * Decide, whether to sanitize public key parameters when unlocking OpenPGP secret keys. OpenPGP + * v4 keys are susceptible to a class of attacks, where an attacker with access to the locked + * key material (e.g. a cloud email provider) might manipulate unprotected public key parameters + * of the key, leading to potential secret key leakage. * * @see [Key Overwriting (KO) Attacks against OpenPGP](https://www.kopenpgp.com/) */ From a46f1706369c3bceb3abaaabd12a4b37427d3cfa Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:50:21 +0200 Subject: [PATCH 233/265] Test edge-cases in inline-detach operation --- .../org/pgpainless/sop/InlineDetachTest.java | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java index acbba821..ebb39694 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java @@ -5,6 +5,8 @@ package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; @@ -23,10 +25,16 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.api.OpenPGPImplementation; +import org.bouncycastle.openpgp.api.OpenPGPKey; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.protection.SecretKeyRingProtector; import sop.ByteArrayAndResult; import sop.SOP; import sop.Signatures; @@ -201,4 +209,62 @@ public class InlineDetachTest { assertArrayEquals(data, message); } + + @Test + public void detachSignaturesFromCompressedMessage() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + OpenPGPKey key = api.generateKey() + .modernKeyRing("Alice "); + byte[] cert = key.toCertificate().getEncoded(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage() + .onOutputStream(bOut) + .withOptions(ProducerOptions.sign( + SigningOptions.get().addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), key) + ).overrideCompressionAlgorithm(CompressionAlgorithm.ZIP)); + eOut.write("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); + eOut.close(); + + ByteArrayAndResult result = sop.inlineDetach() + .message(bOut.toByteArray()) + .toByteArrayAndResult(); + + byte[] message = result.getBytes(); + byte[] signatures = result.getResult().getBytes(); + + List verifications = sop.detachedVerify() + .cert(cert) + .signatures(signatures) + .data(message); + + assertFalse(verifications.isEmpty()); + } + + @Test + public void detachMissingSignaturesFails() throws PGPException, IOException { + PGPainless api = PGPainless.getInstance(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + EncryptionStream eOut = api.generateMessage() + .onOutputStream(bOut) + .withOptions(ProducerOptions.noEncryptionNoSigning() + .overrideCompressionAlgorithm(CompressionAlgorithm.ZIP)); + + eOut.write("Hello, World!\n".getBytes(StandardCharsets.UTF_8)); + eOut.close(); + + assertThrows(SOPGPException.BadData.class, () -> + sop.inlineDetach() + .message(bOut.toByteArray()) + .toByteArrayAndResult()); + } + + @Test + public void detachBadDataFails() { + byte[] bytes = "Hello, World\n".getBytes(StandardCharsets.UTF_8); + assertThrows(SOPGPException.BadData.class, () -> + sop.inlineDetach().message(bytes) + .toByteArrayAndResult()); + } } From 2afa614731a5a557fc10d20df4320e192c15344f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 15 May 2025 14:58:24 +0200 Subject: [PATCH 234/265] Test v6 key revocation --- .../org/pgpainless/sop/RevokeKeyTest.java | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/RevokeKeyTest.java diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/RevokeKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/RevokeKeyTest.java new file mode 100644 index 00000000..0d77b952 --- /dev/null +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/RevokeKeyTest.java @@ -0,0 +1,44 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.sop; + +import org.bouncycastle.openpgp.api.OpenPGPCertificate; +import org.bouncycastle.openpgp.api.OpenPGPKey; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.OpenPGPKeyVersion; +import sop.SOP; + +import java.io.IOException; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +public class RevokeKeyTest { + + private static SOP sop; + + @BeforeAll + public static void setup() { + sop = new SOPImpl(); + } + + @Test + public void revokeV6CertResultsInMinimalRevCert() throws IOException { + PGPainless api = PGPainless.getInstance(); + OpenPGPKey v6Key = api.generateKey(OpenPGPKeyVersion.v6) + .modernKeyRing("Alice "); + assertEquals(3, v6Key.getKeys().size()); + + byte[] revoked = sop.revokeKey() + .keys(v6Key.getEncoded()) + .getBytes(); + + OpenPGPCertificate revocationCert = api.readKey().parseCertificate(revoked); + assertEquals(1, revocationCert.getKeys().size(), + "V6 keys are revoked using a minimal revocation cert," + + " consisting only of the primary key and a rev sig."); + } +} From de7c2ea63305f32dcf3b98e202add80e41b04902 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 19 May 2025 14:22:52 +0200 Subject: [PATCH 235/265] Improve GnuPGDummyKeyUtilTest --- .../java/org/gnupg/GnuPGDummyKeyUtilTest.java | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java index 0a32aa2c..1d9ea6d3 100644 --- a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java +++ b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java @@ -9,10 +9,12 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; +import java.util.Arrays; import java.util.Collections; import java.util.HashSet; import java.util.Set; +import org.bouncycastle.bcpg.KeyIdentifier; import org.bouncycastle.bcpg.S2K; import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.openpgp.PGPSecretKey; @@ -232,6 +234,20 @@ public class GnuPGDummyKeyUtilTest { assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), onCard.getEncoded()); } + @Test + public void testMoveSelectedKeyToCard() throws IOException { + OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); + OpenPGPKey secretKeys = reader.parseKey(FULL_KEY); + OpenPGPKey expected = reader.parseKey(SIGNATURE_KEY_ON_CARD); + + PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys) + .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.selected( + Arrays.asList(new KeyIdentifier(signatureKeyId))) + , cardSerial); + + assertArrayEquals(expected.getPGPSecretKeyRing().getEncoded(), onCard.getEncoded()); + } + @Test public void testRemoveAllKeys() throws IOException { OpenPGPKeyReader reader = PGPainless.getInstance().readKey(); From 5c0cdfd494f09c791064fd1ba797f4d58149c1d9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 20 May 2025 15:05:24 +0200 Subject: [PATCH 236/265] WIP: EncryptionMechanismPolicy --- .../pgpainless/bouncycastle/PolicyAdapter.kt | 7 +- .../OpenPgpMessageInputStream.kt | 3 +- .../encryption_signing/EncryptionOptions.kt | 6 +- .../kotlin/org/pgpainless/policy/Policy.kt | 254 ++++++++++++++++-- 4 files changed, 241 insertions(+), 29 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt index 7a6f4bcb..64e7cc41 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/PolicyAdapter.kt @@ -92,7 +92,8 @@ class PolicyAdapter(val policy: Policy) : OpenPGPPolicy { * @return boolean indicating, whether the encryption algorithm is acceptable */ override fun isAcceptableSymmetricKeyAlgorithm(algorithmId: Int): Boolean { - return policy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable(algorithmId) + return policy.messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy.isAcceptable( + algorithmId) } /** * Return the default symmetric encryption algorithm. This algorithm is used as fallback to @@ -101,7 +102,9 @@ class PolicyAdapter(val policy: Policy) : OpenPGPPolicy { * @return default symmetric encryption algorithm */ override fun getDefaultSymmetricKeyAlgorithm(): Int { - return policy.symmetricKeyEncryptionAlgorithmPolicy.defaultSymmetricKeyAlgorithm.algorithmId + return policy.messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy + .defaultSymmetricKeyAlgorithm + .algorithmId } /** diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 15695fd6..30ee3cd7 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -739,7 +739,8 @@ class OpenPgpMessageInputStream( } private fun isAcceptable(algorithm: SymmetricKeyAlgorithm): Boolean = - api.algorithmPolicy.symmetricKeyDecryptionAlgorithmPolicy.isAcceptable(algorithm) + api.algorithmPolicy.messageDecryptionAlgorithmPolicy.symmetricAlgorithmPolicy.isAcceptable( + algorithm) private fun throwIfUnacceptable(algorithm: SymmetricKeyAlgorithm) { if (!isAcceptable(algorithm)) { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 16333df4..e971189d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -404,8 +404,8 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: fun overrideEncryptionMechanism(encryptionMechanism: MessageEncryptionMechanism) = apply { require( - api.algorithmPolicy.symmetricKeyEncryptionAlgorithmPolicy.isAcceptable( - encryptionMechanism.symmetricKeyAlgorithm)) { + api.algorithmPolicy.messageEncryptionAlgorithmPolicy.isAcceptable( + encryptionMechanism)) { "Provided symmetric encryption algorithm is not acceptable." } _encryptionMechanismOverride = encryptionMechanism @@ -431,7 +431,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: val algorithm = byPopularity() .negotiate( - api.algorithmPolicy.symmetricKeyEncryptionAlgorithmPolicy, + api.algorithmPolicy.messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy, encryptionAlgorithmOverride, preferences) return algorithm diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 0e343cbf..f6e1a4f0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -5,23 +5,77 @@ package org.pgpainless.policy import java.util.* +import org.bouncycastle.openpgp.api.EncryptedDataPacketType +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.pgpainless.algorithm.* import org.pgpainless.key.protection.KeyRingProtectionSettings import org.pgpainless.util.DateUtil import org.pgpainless.util.NotationRegistry -class Policy( - val certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, - val revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, - val dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, - val symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, - val symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, - val compressionAlgorithmPolicy: CompressionAlgorithmPolicy, - val publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, - val keyProtectionSettings: KeyRingProtectionSettings, - val notationRegistry: NotationRegistry, +class Policy { + + val certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy + val revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy + val dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy + val messageEncryptionAlgorithmPolicy: MessageEncryptionMechanismPolicy + val messageDecryptionAlgorithmPolicy: MessageEncryptionMechanismPolicy + val compressionAlgorithmPolicy: CompressionAlgorithmPolicy + val publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy + val keyProtectionSettings: KeyRingProtectionSettings + val notationRegistry: NotationRegistry val keyGenerationAlgorithmSuite: AlgorithmSuite -) { + + constructor( + certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + messageEncryptionMechanismPolicy: MessageEncryptionMechanismPolicy, + messageDecryptionMechanismPolicy: MessageEncryptionMechanismPolicy, + compressionAlgorithmPolicy: CompressionAlgorithmPolicy, + publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, + keyProtectionSettings: KeyRingProtectionSettings, + notationRegistry: NotationRegistry, + keyGenerationAlgorithmSuite: AlgorithmSuite + ) { + this.certificationSignatureHashAlgorithmPolicy = certificationSignatureHashAlgorithmPolicy + this.revocationSignatureHashAlgorithmPolicy = revocationSignatureHashAlgorithmPolicy + this.dataSignatureHashAlgorithmPolicy = dataSignatureHashAlgorithmPolicy + this.messageEncryptionAlgorithmPolicy = messageEncryptionMechanismPolicy + this.messageDecryptionAlgorithmPolicy = messageDecryptionMechanismPolicy + this.compressionAlgorithmPolicy = compressionAlgorithmPolicy + this.publicKeyAlgorithmPolicy = publicKeyAlgorithmPolicy + this.keyProtectionSettings = keyProtectionSettings + this.notationRegistry = notationRegistry + this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite + } + + constructor( + certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, + symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, + symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, + compressionAlgorithmPolicy: CompressionAlgorithmPolicy, + publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, + keyProtectionSettings: KeyRingProtectionSettings, + notationRegistry: NotationRegistry, + keyGenerationAlgorithmSuite: AlgorithmSuite + ) { + this.certificationSignatureHashAlgorithmPolicy = certificationSignatureHashAlgorithmPolicy + this.revocationSignatureHashAlgorithmPolicy = revocationSignatureHashAlgorithmPolicy + this.dataSignatureHashAlgorithmPolicy = dataSignatureHashAlgorithmPolicy + this.messageEncryptionAlgorithmPolicy = + MessageEncryptionMechanismPolicy.rfc4880Plus9580PlusLibrePGP( + symmetricKeyEncryptionAlgorithmPolicy) + this.messageDecryptionAlgorithmPolicy = + MessageEncryptionMechanismPolicy.rfc4880Plus9580PlusLibrePGP( + symmetricKeyDecryptionAlgorithmPolicy) + this.compressionAlgorithmPolicy = compressionAlgorithmPolicy + this.publicKeyAlgorithmPolicy = publicKeyAlgorithmPolicy + this.keyProtectionSettings = keyProtectionSettings + this.notationRegistry = notationRegistry + this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite + } constructor() : this( @@ -36,6 +90,14 @@ class Policy( NotationRegistry(), AlgorithmSuite.defaultAlgorithmSuite) + @Deprecated("Deprecated in favor of messageEncryptionAlgorithmPolicy") + val symmetricKeyEncryptionAlgorithmPolicy + get() = messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy + + @Deprecated("Deprecated in favor of messageDecryptionAlgorithmPolicy") + val symmetricKeyDecryptionAlgorithmPolicy + get() = messageDecryptionAlgorithmPolicy.symmetricAlgorithmPolicy + /** * Decide, whether to sanitize public key parameters when unlocking OpenPGP secret keys. OpenPGP * v4 keys are susceptible to a class of attacks, where an attacker with access to the locked @@ -189,6 +251,138 @@ class Policy( } } + abstract class MessageEncryptionMechanismPolicy( + val symmetricAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, + val asymmetricFallbackMechanism: MessageEncryptionMechanism, + val symmetricFallbackMechanism: MessageEncryptionMechanism = asymmetricFallbackMechanism + ) { + abstract fun isAcceptable(encryptionMechanism: MessageEncryptionMechanism): Boolean + + companion object { + + @JvmStatic + fun rfc4880( + symAlgPolicy: SymmetricKeyAlgorithmPolicy + ): MessageEncryptionMechanismPolicy { + return object : + MessageEncryptionMechanismPolicy( + symAlgPolicy, + MessageEncryptionMechanism.integrityProtected( + symAlgPolicy.defaultSymmetricKeyAlgorithm.algorithmId)) { + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + return encryptionMechanism.mode == EncryptedDataPacketType.SEIPDv1 && + symAlgPolicy.isAcceptable(encryptionMechanism.symmetricKeyAlgorithm) + } + } + } + + @JvmStatic + fun rfc9580( + symAlgPolicy: SymmetricKeyAlgorithmPolicy + ): MessageEncryptionMechanismPolicy { + return object : + MessageEncryptionMechanismPolicy( + symAlgPolicy, + MessageEncryptionMechanism.aead( + symAlgPolicy.defaultSymmetricKeyAlgorithm.algorithmId, + AEADAlgorithm.OCB.algorithmId)) { + val acceptableAEADAlgorithms = + listOf(AEADAlgorithm.OCB, AEADAlgorithm.GCM, AEADAlgorithm.EAX).map { + it.algorithmId + } + + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + return when (encryptionMechanism.mode) { + EncryptedDataPacketType.SEIPDv1 -> + symAlgPolicy.isAcceptable(encryptionMechanism.symmetricKeyAlgorithm) + EncryptedDataPacketType.SEIPDv2 -> + symAlgPolicy.isAcceptable( + encryptionMechanism.symmetricKeyAlgorithm) && + acceptableAEADAlgorithms.contains( + encryptionMechanism.aeadAlgorithm) + else -> false + } + } + } + } + + @JvmStatic + fun librePgp( + symAlgPolicy: SymmetricKeyAlgorithmPolicy + ): MessageEncryptionMechanismPolicy { + return object : + MessageEncryptionMechanismPolicy( + symAlgPolicy, + MessageEncryptionMechanism.integrityProtected( + symAlgPolicy.defaultSymmetricKeyAlgorithm.algorithmId)) { + val acceptableAEADAlgorithms = listOf(AEADAlgorithm.OCB).map { it.algorithmId } + + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + return when (encryptionMechanism.mode) { + EncryptedDataPacketType.SEIPDv1 -> + symAlgPolicy.isAcceptable(encryptionMechanism.symmetricKeyAlgorithm) + EncryptedDataPacketType.LIBREPGP_OED -> + symAlgPolicy.isAcceptable( + encryptionMechanism.symmetricKeyAlgorithm) && + acceptableAEADAlgorithms.contains( + encryptionMechanism.aeadAlgorithm) + else -> false + } + } + } + } + + @JvmStatic + fun rfc4880Plus9580( + symAlgPolicy: SymmetricKeyAlgorithmPolicy + ): MessageEncryptionMechanismPolicy { + val rfc4880 = rfc4880(symAlgPolicy) + val rfc9580 = rfc9580(symAlgPolicy) + return object : + MessageEncryptionMechanismPolicy( + symAlgPolicy, + rfc4880.asymmetricFallbackMechanism, + rfc4880.symmetricFallbackMechanism) { + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + return rfc9580.isAcceptable(encryptionMechanism) || + rfc4880.isAcceptable(encryptionMechanism) + } + } + } + + @JvmStatic + fun rfc4880Plus9580PlusLibrePGP( + symAlgPolicy: SymmetricKeyAlgorithmPolicy + ): MessageEncryptionMechanismPolicy { + return object : + MessageEncryptionMechanismPolicy( + symAlgPolicy, + MessageEncryptionMechanism.integrityProtected( + symAlgPolicy.defaultSymmetricKeyAlgorithm.algorithmId)) { + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + val rfc4480 = rfc4880(symAlgPolicy) + val rfc9580 = rfc9580(symAlgPolicy) + val librePgp = librePgp(symAlgPolicy) + + return rfc4480.isAcceptable(encryptionMechanism) || + rfc9580.isAcceptable(encryptionMechanism) || + librePgp.isAcceptable(encryptionMechanism) + } + } + } + } + } + class SymmetricKeyAlgorithmPolicy( val defaultSymmetricKeyAlgorithm: SymmetricKeyAlgorithm, val acceptableSymmetricKeyAlgorithms: List @@ -440,10 +634,10 @@ class Policy( origin.revocationSignatureHashAlgorithmPolicy private var dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy = origin.dataSignatureHashAlgorithmPolicy - private var symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy = - origin.symmetricKeyEncryptionAlgorithmPolicy - private var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy = - origin.symmetricKeyDecryptionAlgorithmPolicy + private var messageEncryptionMechanismPolicy: MessageEncryptionMechanismPolicy = + origin.messageEncryptionAlgorithmPolicy + private var messageDecryptionMechanismPolicy: MessageEncryptionMechanismPolicy = + origin.messageDecryptionAlgorithmPolicy private var compressionAlgorithmPolicy: CompressionAlgorithmPolicy = origin.compressionAlgorithmPolicy private var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy = @@ -469,17 +663,31 @@ class Policy( dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy ) = apply { this.dataSignatureHashAlgorithmPolicy = dataSignatureHashAlgorithmPolicy } + @Deprecated( + "Usage of SymmetricKeyAlgorithmPolicy is deprecated in favor of MessageEncryptionMechanismPolicy.") fun withSymmetricKeyEncryptionAlgorithmPolicy( symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy - ) = apply { - this.symmetricKeyEncryptionAlgorithmPolicy = symmetricKeyEncryptionAlgorithmPolicy - } + ) = + withMessageEncryptionAlgorithmPolicy( + MessageEncryptionMechanismPolicy.rfc4880Plus9580PlusLibrePGP( + symmetricKeyEncryptionAlgorithmPolicy)) + @Deprecated( + "Usage of SymmetricKeyAlgorithmPolicy is deprecated in favor of MessageEncryptionMechanismPolicy.") fun withSymmetricKeyDecryptionAlgorithmPolicy( symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy - ) = apply { - this.symmetricKeyDecryptionAlgorithmPolicy = symmetricKeyDecryptionAlgorithmPolicy - } + ) = + withMessageDecryptionAlgorithmPolicy( + MessageEncryptionMechanismPolicy.rfc4880Plus9580PlusLibrePGP( + symmetricKeyDecryptionAlgorithmPolicy)) + + fun withMessageEncryptionAlgorithmPolicy( + encryptionMechanismPolicy: MessageEncryptionMechanismPolicy + ) = apply { messageEncryptionMechanismPolicy = encryptionMechanismPolicy } + + fun withMessageDecryptionAlgorithmPolicy( + decryptionMechanismPolicy: MessageEncryptionMechanismPolicy + ) = apply { messageDecryptionMechanismPolicy = decryptionMechanismPolicy } fun withCompressionAlgorithmPolicy(compressionAlgorithmPolicy: CompressionAlgorithmPolicy) = apply { @@ -508,8 +716,8 @@ class Policy( certificationSignatureHashAlgorithmPolicy, revocationSignatureHashAlgorithmPolicy, dataSignatureHashAlgorithmPolicy, - symmetricKeyEncryptionAlgorithmPolicy, - symmetricKeyDecryptionAlgorithmPolicy, + messageEncryptionMechanismPolicy, + messageDecryptionMechanismPolicy, compressionAlgorithmPolicy, publicKeyAlgorithmPolicy, keyProtectionSettings, From 34766abdfb409a25eb3e57e3bc2ecfbbd614fdd1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 20 May 2025 15:32:07 +0200 Subject: [PATCH 237/265] Add deprecation notices --- .../org/pgpainless/encryption_signing/EncryptionOptions.kt | 2 ++ .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index e971189d..45a8ba4e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -47,6 +47,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: @Deprecated( "Deprecated in favor of encryptionMechanismOverride", replaceWith = ReplaceWith("encryptionMechanismOverride")) + // TODO: Remove in 2.1 val encryptionAlgorithmOverride get() = _encryptionMechanismOverride?.let { @@ -394,6 +395,7 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: replaceWith = ReplaceWith( "overrideEncryptionMechanism(MessageEncryptionMechanism.integrityProtected(encryptionAlgorithm.algorithmId))")) + // TODO: Remove in 2.1 fun overrideEncryptionAlgorithm(encryptionAlgorithm: SymmetricKeyAlgorithm) = apply { require(encryptionAlgorithm != SymmetricKeyAlgorithm.NULL) { "Encryption algorithm override cannot be NULL." diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index f6e1a4f0..be3d266c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -49,6 +49,7 @@ class Policy { this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite } + @Deprecated("Constructors receiving SymmetricKeyAlgorithmPolicy objects are deprecated in favor of ones receiving MessageEncryptionMechanismPolicy objects.") constructor( certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, @@ -77,6 +78,7 @@ class Policy { this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite } + @Deprecated("Constructors receiving SymmetricKeyAlgorithmPolicy objects are deprecated in favor of ones receiving MessageEncryptionMechanismPolicy objects.") constructor() : this( HashAlgorithmPolicy.smartCertificationSignatureHashAlgorithmPolicy(), @@ -91,10 +93,12 @@ class Policy { AlgorithmSuite.defaultAlgorithmSuite) @Deprecated("Deprecated in favor of messageEncryptionAlgorithmPolicy") + // TODO: Remove in 2.1 val symmetricKeyEncryptionAlgorithmPolicy get() = messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy @Deprecated("Deprecated in favor of messageDecryptionAlgorithmPolicy") + // TODO: Remove in 2.1 val symmetricKeyDecryptionAlgorithmPolicy get() = messageDecryptionAlgorithmPolicy.symmetricAlgorithmPolicy @@ -665,6 +669,7 @@ class Policy { @Deprecated( "Usage of SymmetricKeyAlgorithmPolicy is deprecated in favor of MessageEncryptionMechanismPolicy.") + // TODO: Remove in 2.1 fun withSymmetricKeyEncryptionAlgorithmPolicy( symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy ) = @@ -674,6 +679,7 @@ class Policy { @Deprecated( "Usage of SymmetricKeyAlgorithmPolicy is deprecated in favor of MessageEncryptionMechanismPolicy.") + // TODO: Remove in 2.1 fun withSymmetricKeyDecryptionAlgorithmPolicy( symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy ) = From c8bad83346633823081a40f64b8fd0d3104ee9a5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 20 May 2025 15:32:34 +0200 Subject: [PATCH 238/265] Remove SignerUserIdValidation enum --- .../main/kotlin/org/pgpainless/policy/Policy.kt | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index be3d266c..1df56259 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -615,22 +615,6 @@ class Policy { } } - enum class SignerUserIdValidationLevel { - /** - * PGPainless will verify [org.bouncycastle.bcpg.sig.SignerUserID] subpackets in signatures - * strictly. This means, that signatures with Signer's User-ID subpackets containing a value - * that does not match the signer key's user-id exactly, will be rejected. E.g. Signer's - * user-id "alice@pgpainless.org", User-ID: "Alice <alice@pgpainless.org>" does not - * match exactly and is therefore rejected. - */ - STRICT, - - /** - * PGPainless will ignore [org.bouncycastle.bcpg.sig.SignerUserID] subpackets on signature. - */ - DISABLED - } - class Builder(private val origin: Policy) { private var certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy = origin.certificationSignatureHashAlgorithmPolicy From 33ea12adbfef0b22f34949627a8bf687853fbd30 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 21 May 2025 11:57:13 +0200 Subject: [PATCH 239/265] Replace usage of KeyIdentifier.matches() with matchesExplicitly() --- .../src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt | 4 +++- .../bouncycastle/extensions/PGPKeyRingExtensions.kt | 2 +- .../OpenPgpMessageInputStream.kt | 4 ++-- .../encryption_signing/OpenPGPSignatureSet.kt | 2 +- .../pgpainless/encryption_signing/SigningOptions.kt | 2 +- .../main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt | 2 +- .../main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt | 10 +++++----- .../modification/secretkeyring/SecretKeyRingEditor.kt | 2 +- .../protection/PasswordBasedSecretKeyRingProtector.kt | 2 +- .../kotlin/org/pgpainless/key/util/KeyRingUtils.kt | 2 +- .../src/main/kotlin/org/pgpainless/policy/Policy.kt | 6 ++++-- .../test/java/org/pgpainless/example/ModifyKeys.java | 2 +- 12 files changed, 22 insertions(+), 18 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt b/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt index 467a87bc..eafe2cf2 100644 --- a/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt +++ b/pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt @@ -190,7 +190,9 @@ class GnuPGDummyKeyUtil private constructor() { * @return filter */ @JvmStatic - fun only(onlyKeyIdentifier: KeyIdentifier) = KeyFilter { it.matches(onlyKeyIdentifier) } + fun only(onlyKeyIdentifier: KeyIdentifier) = KeyFilter { + it.matchesExplicit(onlyKeyIdentifier) + } /** * Select all keyIds which are contained in the given set of ids. diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt index 10b90d64..adde4dc6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/PGPKeyRingExtensions.kt @@ -23,7 +23,7 @@ import org.pgpainless.key.SubkeyIdentifier * @return true if the [PGPKeyRing] contains the [SubkeyIdentifier] */ fun PGPKeyRing.matches(subkeyIdentifier: SubkeyIdentifier): Boolean = - this.publicKey.keyIdentifier.matches(subkeyIdentifier.certificateIdentifier) && + this.publicKey.keyIdentifier.matchesExplicit(subkeyIdentifier.certificateIdentifier) && this.getPublicKey(subkeyIdentifier.componentKeyIdentifier) != null /** diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt index 30ee3cd7..8425181a 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt @@ -709,7 +709,7 @@ class OpenPgpMessageInputStream( options.getDecryptionKeys().firstOrNull { it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && api.inspect(it).decryptionSubkeys.any { subkey -> - pkesk.keyIdentifier.matches(subkey.keyIdentifier) + pkesk.keyIdentifier.matchesExplicit(subkey.keyIdentifier) } } @@ -717,7 +717,7 @@ class OpenPgpMessageInputStream( options.getDecryptionKeys().filter { it.pgpSecretKeyRing.getSecretKeyFor(pkesk) != null && api.inspect(it).decryptionSubkeys.any { subkey -> - pkesk.keyIdentifier.matches(subkey.keyIdentifier) + pkesk.keyIdentifier.matchesExplicit(subkey.keyIdentifier) } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt index 8770b7e3..c93fef37 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/OpenPGPSignatureSet.kt @@ -14,7 +14,7 @@ class OpenPGPSignatureSet(val signatures: List) : Itera fun getSignaturesBy(componentKey: OpenPGPCertificate.OpenPGPComponentKey): List = signatures.filter { sig -> - sig.signature.keyIdentifiers.any { componentKey.keyIdentifier.matches(it) } + sig.signature.keyIdentifiers.any { componentKey.keyIdentifier.matchesExplicit(it) } } override fun iterator(): Iterator { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 5a0b4f62..0df6c931 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -262,7 +262,7 @@ class SigningOptions(private val api: PGPainless) { throw UnacceptableSigningKeyException(openPGPKey) } - if (!signingPubKeys.any { it.keyIdentifier.matches(signingKey.keyIdentifier) }) { + if (!signingPubKeys.any { it.keyIdentifier.matchesExplicit(signingKey.keyIdentifier) }) { throw MissingSecretKeyException(signingKey) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt index ee8bb043..5dfee653 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/SubkeyIdentifier.kt @@ -127,7 +127,7 @@ class SubkeyIdentifier( @Deprecated("Use of key-ids is discouraged.") val primaryKeyId = certificateIdentifier.keyId /** True, if the component key is the primary key. */ - val isPrimaryKey = certificateIdentifier.matches(componentKeyIdentifier) + val isPrimaryKey = certificateIdentifier.matchesExplicit(componentKeyIdentifier) /** * Return true, if the provided [fingerprint] matches either the [certificateFingerprint] or diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 5ae87e38..3197dc51 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -167,7 +167,7 @@ class KeyRingInfo( keys.keys .asSequence() .filter { - if (!it.keyIdentifier.matches(keyIdentifier)) { + if (!it.keyIdentifier.matchesExplicit(keyIdentifier)) { if (it.getLatestSelfSignature(referenceDate) == null) { LOGGER.debug("Subkey ${it.keyIdentifier} has no binding signature.") return@filter false @@ -281,7 +281,7 @@ class KeyRingInfo( * @return expiration date */ fun getSubkeyExpirationDate(keyIdentifier: KeyIdentifier): Date? { - if (primaryKey.keyIdentifier.matches(keyIdentifier)) return primaryKeyExpirationDate + if (primaryKey.keyIdentifier.matchesExplicit(keyIdentifier)) return primaryKeyExpirationDate val subkey = getPublicKey(keyIdentifier) ?: throw NoSuchElementException("No subkey with key-ID ${keyIdentifier} found.") @@ -522,7 +522,7 @@ class KeyRingInfo( * @return list of key flags */ fun getKeyFlagsOf(keyIdentifier: KeyIdentifier): List = - if (primaryKey.keyIdentifier.matches(keyIdentifier)) { + if (primaryKey.keyIdentifier.matchesExplicit(keyIdentifier)) { latestDirectKeySelfSignature?.let { sig -> SignatureSubpacketsUtil.parseKeyFlags(sig)?.let { flags -> return flags @@ -655,7 +655,7 @@ class KeyRingInfo( * key of the key. */ fun getPublicKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? { - require(primaryKey.keyIdentifier.matches(identifier.keyIdentifier)) { + require(primaryKey.keyIdentifier.matchesExplicit(identifier.keyIdentifier)) { "Mismatching primary key ID." } return getPublicKey(identifier.componentKeyIdentifier) @@ -669,7 +669,7 @@ class KeyRingInfo( * key of the key. */ fun getSecretKey(identifier: SubkeyIdentifier): OpenPGPComponentKey? { - require(primaryKey.keyIdentifier.matches(identifier.keyIdentifier)) { + require(primaryKey.keyIdentifier.matchesExplicit(identifier.keyIdentifier)) { "Mismatching primary key ID." } return getSecretKey(identifier.componentKeyIdentifier) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt index 8cf5338d..c98fd4bd 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt @@ -522,7 +522,7 @@ class SecretKeyRingEditor( var secretKeyRing = key.pgpSecretKeyRing // is primary key - if (keyId.matches(key.keyIdentifier)) { + if (keyId.matchesExplicit(key.keyIdentifier)) { return setExpirationDate(expiration, protector) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt index 1a1125e6..1a106093 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.kt @@ -85,7 +85,7 @@ class PasswordBasedSecretKeyRingProtector : BaseSecretKeyRingProtector { } override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean { - return keyIdentifier.matches(singleKeyIdentifier) + return keyIdentifier.matchesExplicit(singleKeyIdentifier) } } .let { PasswordBasedSecretKeyRingProtector(it) } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt index d788d1f9..f449487c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt @@ -495,7 +495,7 @@ class KeyRingUtils { secretKeys.secretKeys .asSequence() .map { - if (it.keyIdentifier.matches(keyId)) { + if (it.keyIdentifier.matchesExplicit(keyId)) { reencryptPrivateKey(it, oldProtector, newProtector) } else { it diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 1df56259..872aa972 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -49,7 +49,8 @@ class Policy { this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite } - @Deprecated("Constructors receiving SymmetricKeyAlgorithmPolicy objects are deprecated in favor of ones receiving MessageEncryptionMechanismPolicy objects.") + @Deprecated( + "Constructors receiving SymmetricKeyAlgorithmPolicy objects are deprecated in favor of ones receiving MessageEncryptionMechanismPolicy objects.") constructor( certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, @@ -78,7 +79,8 @@ class Policy { this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite } - @Deprecated("Constructors receiving SymmetricKeyAlgorithmPolicy objects are deprecated in favor of ones receiving MessageEncryptionMechanismPolicy objects.") + @Deprecated( + "Constructors receiving SymmetricKeyAlgorithmPolicy objects are deprecated in favor of ones receiving MessageEncryptionMechanismPolicy objects.") constructor() : this( HashAlgorithmPolicy.smartCertificationSignatureHashAlgorithmPolicy(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 487a8817..ba424402 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -178,7 +178,7 @@ public class ModifyKeys { List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); assertEquals(2, encryptionSubkeys.size()); OpenPGPCertificate.OpenPGPComponentKey addedKey = encryptionSubkeys.stream() - .filter(it -> !it.getKeyIdentifier().matches(encryptionSubkeyId)).findFirst() + .filter(it -> !it.getKeyIdentifier().matchesExplicit(encryptionSubkeyId)).findFirst() .get(); UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(addedKey.getKeyIdentifier()).getPGPSecretKey(), subkeyPassphrase); } From 8623352bf23b80b3ef548e46db059e9c25047da1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 25 May 2025 16:27:49 +0200 Subject: [PATCH 240/265] Move EncryptionMechanismNegotiator into own interface, improve negotiation --- .../EncryptionMechanismNegotiator.kt | 89 +++++++++++++++++++ .../encryption_signing/EncryptionOptions.kt | 50 ++++------- .../MechanismNegotiationTest.java | 6 +- 3 files changed, 111 insertions(+), 34 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt new file mode 100644 index 00000000..c8476910 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt @@ -0,0 +1,89 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.algorithm.negotiation + +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism +import org.pgpainless.algorithm.AEADAlgorithm +import org.pgpainless.algorithm.AEADCipherMode +import org.pgpainless.algorithm.Feature +import org.pgpainless.algorithm.SymmetricKeyAlgorithm +import org.pgpainless.policy.Policy + +fun interface EncryptionMechanismNegotiator { + + fun negotiate( + policy: Policy, + override: MessageEncryptionMechanism?, + features: List>, + aeadAlgorithmPreferences: List>, + symmetricAlgorithmPreferences: List> + ): MessageEncryptionMechanism + + companion object { + @JvmStatic + fun modificationDetectionOrBetter( + symmetricKeyAlgorithmNegotiator: SymmetricKeyAlgorithmNegotiator + ): EncryptionMechanismNegotiator = + object : EncryptionMechanismNegotiator { + + override fun negotiate( + policy: Policy, + override: MessageEncryptionMechanism?, + features: List>, + aeadAlgorithmPreferences: List>, + symmetricAlgorithmPreferences: List> + ): MessageEncryptionMechanism { + + // If the user supplied an override, use that + if (override != null) { + return override + } + + // If all support SEIPD2, use SEIPD2 + if (features.all { it.contains(Feature.MODIFICATION_DETECTION_2) }) { + // Find best supported algorithm combination + val counted = mutableMapOf() + for (pref in aeadAlgorithmPreferences) { + for (mode in pref) { + counted[mode] = counted.getOrDefault(mode, 0) + 1 + } + } + // filter for supported combinations and find most widely supported + val bestSupportedMode: AEADCipherMode = + counted + .filter { + policy.messageEncryptionAlgorithmPolicy.isAcceptable( + MessageEncryptionMechanism.aead( + it.key.ciphermode.algorithmId, + it.key.aeadAlgorithm.algorithmId)) + } + .maxByOrNull { it.value } + ?.key + ?: AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_128) + + // return best supported mode or symmetric key fallback mechanism + return MessageEncryptionMechanism.aead( + bestSupportedMode.ciphermode.algorithmId, + bestSupportedMode.aeadAlgorithm.algorithmId) + } + // If all support SEIPD1, negotiate SEIPD1 using symmetricKeyAlgorithmNegotiator + else if (features.all { it.contains(Feature.MODIFICATION_DETECTION) }) { + return MessageEncryptionMechanism.integrityProtected( + symmetricKeyAlgorithmNegotiator + .negotiate( + policy.messageEncryptionAlgorithmPolicy + .symmetricAlgorithmPolicy, + null, + symmetricAlgorithmPreferences) + .algorithmId) + } + // Else fall back to fallback mechanism from policy + else { + return policy.messageEncryptionAlgorithmPolicy.asymmetricFallbackMechanism + } + } + } + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 45a8ba4e..980a2278 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -11,15 +11,15 @@ import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator import org.pgpainless.PGPainless -import org.pgpainless.algorithm.AEADAlgorithm -import org.pgpainless.algorithm.AEADCipherMode import org.pgpainless.algorithm.EncryptionPurpose -import org.pgpainless.algorithm.Feature import org.pgpainless.algorithm.SymmetricKeyAlgorithm +import org.pgpainless.algorithm.negotiation.EncryptionMechanismNegotiator import org.pgpainless.algorithm.negotiation.SymmetricKeyAlgorithmNegotiator.Companion.byPopularity import org.pgpainless.authentication.CertificateAuthority import org.pgpainless.encryption_signing.EncryptionOptions.EncryptionKeySelector -import org.pgpainless.exception.KeyException.* +import org.pgpainless.exception.KeyException.ExpiredKeyException +import org.pgpainless.exception.KeyException.UnacceptableEncryptionKeyException +import org.pgpainless.exception.KeyException.UnacceptableSelfSignatureException import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.key.info.KeyAccessor import org.pgpainless.key.info.KeyRingInfo @@ -427,42 +427,26 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: fun hasEncryptionMethod() = _encryptionMethods.isNotEmpty() - internal fun negotiateSymmetricEncryptionAlgorithm(): SymmetricKeyAlgorithm { - val preferences = - keysAndAccessors.values.map { it.preferredSymmetricKeyAlgorithms }.toList() - val algorithm = - byPopularity() - .negotiate( - api.algorithmPolicy.messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy, - encryptionAlgorithmOverride, - preferences) - return algorithm - } - internal fun negotiateEncryptionMechanism(): MessageEncryptionMechanism { if (encryptionMechanismOverride != null) { return encryptionMechanismOverride!! } val features = keysAndAccessors.values.map { it.features }.toList() + val aeadAlgorithms = keysAndAccessors.values.map { it.preferredAEADCipherSuites }.toList() + val symmetricKeyAlgorithms = + keysAndAccessors.values.map { it.preferredSymmetricKeyAlgorithms }.toList() - if (features.all { it.contains(Feature.MODIFICATION_DETECTION_2) }) { - val aeadPrefs = keysAndAccessors.values.map { it.preferredAEADCipherSuites }.toList() - val counted = mutableMapOf() - for (pref in aeadPrefs) { - for (mode in pref) { - counted[mode] = counted.getOrDefault(mode, 0) + 1 - } - } - val max: AEADCipherMode = - counted.maxByOrNull { it.value }?.key - ?: AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_128) - return MessageEncryptionMechanism.aead( - max.ciphermode.algorithmId, max.aeadAlgorithm.algorithmId) - } else { - return MessageEncryptionMechanism.integrityProtected( - negotiateSymmetricEncryptionAlgorithm().algorithmId) - } + val mechanism = + EncryptionMechanismNegotiator.modificationDetectionOrBetter(byPopularity()) + .negotiate( + api.algorithmPolicy, + encryptionMechanismOverride, + features, + aeadAlgorithms, + symmetricKeyAlgorithms) + + return mechanism } fun interface EncryptionKeySelector { diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java index e55b08fd..5f32e678 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/MechanismNegotiationTest.java @@ -79,11 +79,15 @@ public class MechanismNegotiationTest { .build())); } + + /** + * Here, we fall back to SEIPD1(AES128), as that is the policy fallback mechanism. + */ @TestTemplate @ExtendWith(TestAllImplementations.class) public void testEncryptToV6SEIPD1CertAndV6SEIPD2Cert() throws IOException, PGPException { testEncryptDecryptAndCheckExpectations( - MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_192.getAlgorithmId()), + MessageEncryptionMechanism.integrityProtected(SymmetricKeyAlgorithm.AES_128.getAlgorithmId()), new KeySpecification(OpenPGPKeyVersion.v6, AlgorithmSuite.emptyBuilder() .overrideAeadAlgorithms(new AEADCipherMode(AEADAlgorithm.OCB, SymmetricKeyAlgorithm.AES_256)) From e280aa34a0307f2f870e34ca234e97feed13ac27 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 27 May 2025 19:27:19 +0200 Subject: [PATCH 241/265] SOP generate-key: Add rfc9580 profile --- .../org/pgpainless/sop/GenerateKeyImpl.kt | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index a85468ee..5b14ac9f 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -13,6 +13,7 @@ import org.bouncycastle.openpgp.PGPException import org.bouncycastle.openpgp.api.OpenPGPKey import org.pgpainless.PGPainless import org.pgpainless.algorithm.KeyFlag +import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.bouncycastle.extensions.asciiArmor import org.pgpainless.bouncycastle.extensions.encode import org.pgpainless.key.generation.KeyRingBuilder @@ -36,8 +37,14 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { Profile( "draft-koch-eddsa-for-openpgp-00", "Generate EdDSA / ECDH keys using Curve25519") @JvmField val RSA4096_PROFILE = Profile("rfc4880", "Generate 4096-bit RSA keys") + @JvmField val RFC9580_PROFILE = Profile("rfc9580", "Generate OpenPGP v6 keys") - @JvmField val SUPPORTED_PROFILES = listOf(CURVE25519_PROFILE, RSA4096_PROFILE) + @JvmField + val SUPPORTED_PROFILES = + listOf( + CURVE25519_PROFILE.withAliases("default", "compatibility"), + RSA4096_PROFILE, + RFC9580_PROFILE.withAliases("performance", "security")) } private val userIds = mutableSetOf() @@ -71,7 +78,7 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { override fun profile(profile: String): GenerateKey = apply { this.profile = - SUPPORTED_PROFILES.find { it.name == profile }?.name + SUPPORTED_PROFILES.find { it.name == profile || it.aliases.contains(profile) }?.name ?: throw SOPGPException.UnsupportedProfile("generate-key", profile) } @@ -92,7 +99,7 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { val keyBuilder: KeyRingBuilder = when (profile) { CURVE25519_PROFILE.name -> - api.buildKey() + api.buildKey(OpenPGPKeyVersion.v4) .setPrimaryKey( KeySpec.getBuilder( KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), @@ -110,7 +117,7 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { } } RSA4096_PROFILE.name -> { - api.buildKey() + api.buildKey(OpenPGPKeyVersion.v4) .setPrimaryKey( KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), KeyFlag.CERTIFY_OTHER)) .addSubkey( @@ -125,6 +132,20 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { } } } + RFC9580_PROFILE.name -> { + api.buildKey(OpenPGPKeyVersion.v6) + .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.SIGN_DATA)) + .apply { + if (!signingOnly) { + addSubkey( + KeySpec.getBuilder( + KeyType.X25519(), + KeyFlag.ENCRYPT_COMMS, + KeyFlag.ENCRYPT_STORAGE)) + } + } + } else -> throw SOPGPException.UnsupportedProfile("generate-key", profile) } From 330e7eaee8ed2fc1d558af89c4848585bcdfe883 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 30 May 2025 14:21:43 +0200 Subject: [PATCH 242/265] SOP generate-key: Implement additional profiles --- .../RoundTripEncryptDecryptCmdTest.java | 6 +- .../org/pgpainless/sop/GenerateKeyImpl.kt | 92 +++++++++++++++++-- .../sop/EncryptDecryptRoundTripTest.java | 4 +- 3 files changed, 90 insertions(+), 12 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java index bafc19e9..fdc341b0 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java @@ -21,6 +21,8 @@ import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve; import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec; +import org.pgpainless.sop.EncryptImpl; +import org.pgpainless.sop.GenerateKeyImpl; import org.slf4j.LoggerFactory; import sop.exception.SOPGPException; @@ -647,7 +649,7 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { // Generate key File passwordFile = writeFile("password", "sw0rdf1sh"); File keyFile = pipeStdoutToFile("key.asc"); - assertSuccess(executeCommand("generate-key", "--profile=rfc4880", "--with-key-password", passwordFile.getAbsolutePath(), "Alice ")); + assertSuccess(executeCommand("generate-key", "--profile=" + GenerateKeyImpl.RFC4880_RSA4096_PROFILE.getName(), "--with-key-password", passwordFile.getAbsolutePath(), "Alice ")); File certFile = pipeStdoutToFile("cert.asc"); pipeFileToStdin(keyFile); @@ -659,7 +661,7 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest { // Encrypt File ciphertextFile = pipeStdoutToFile("msg.asc"); pipeFileToStdin(plaintextFile); - assertSuccess(executeCommand("encrypt", "--profile=rfc4880", certFile.getAbsolutePath())); + assertSuccess(executeCommand("encrypt", "--profile=" + EncryptImpl.RFC4880_PROFILE.getName(), certFile.getAbsolutePath())); ByteArrayOutputStream decrypted = pipeStdoutToStream(); pipeFileToStdin(ciphertextFile); diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index 5b14ac9f..d146d0b4 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -19,6 +19,7 @@ import org.pgpainless.bouncycastle.extensions.encode import org.pgpainless.key.generation.KeyRingBuilder import org.pgpainless.key.generation.KeySpec import org.pgpainless.key.generation.type.KeyType +import org.pgpainless.key.generation.type.ecc.EllipticCurve import org.pgpainless.key.generation.type.eddsa_legacy.EdDSALegacyCurve import org.pgpainless.key.generation.type.rsa.RsaLength import org.pgpainless.key.generation.type.xdh_legacy.XDHLegacySpec @@ -34,17 +35,24 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { companion object { @JvmField val CURVE25519_PROFILE = - Profile( - "draft-koch-eddsa-for-openpgp-00", "Generate EdDSA / ECDH keys using Curve25519") - @JvmField val RSA4096_PROFILE = Profile("rfc4880", "Generate 4096-bit RSA keys") - @JvmField val RFC9580_PROFILE = Profile("rfc9580", "Generate OpenPGP v6 keys") + Profile("draft-koch-eddsa-for-openpgp-00", "OpenPGP v4 keys over Curve25519") + @JvmField + val RFC4880_RSA4096_PROFILE = Profile("rfc4880-rsa4096", "OpenPGP v4 keys with RSA 4096") + @JvmField val RFC6637_NIST_P256_PROFILE = Profile("rfc6637-nist-p256") + @JvmField val RFC6637_NIST_P384_PROFILE = Profile("rfc6637-nist-p384") + @JvmField val RFC6637_NIST_P521_PROFILE = Profile("rfc6637-nist-p521") + @JvmField + val RFC9580_CURVE25519_PROFILE = + Profile("rfc9580-curve25519", "OpenPGP v6 keys over Curve25519") + @JvmField + val RFC9580_CURVE448_PROFILE = Profile("rfc9580-curve448", "OpenPGP v6 keys over Curve448") @JvmField val SUPPORTED_PROFILES = listOf( CURVE25519_PROFILE.withAliases("default", "compatibility"), - RSA4096_PROFILE, - RFC9580_PROFILE.withAliases("performance", "security")) + RFC4880_RSA4096_PROFILE, + RFC9580_CURVE25519_PROFILE.withAliases("performance", "security")) } private val userIds = mutableSetOf() @@ -116,7 +124,7 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { KeyFlag.ENCRYPT_STORAGE)) } } - RSA4096_PROFILE.name -> { + RFC4880_RSA4096_PROFILE.name -> { api.buildKey(OpenPGPKeyVersion.v4) .setPrimaryKey( KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), KeyFlag.CERTIFY_OTHER)) @@ -132,7 +140,61 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { } } } - RFC9580_PROFILE.name -> { + RFC6637_NIST_P256_PROFILE.name -> { + api.buildKey(OpenPGPKeyVersion.v4) + .setPrimaryKey( + KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._P256), KeyFlag.CERTIFY_OTHER)) + .addSubkey( + KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._P256), KeyFlag.SIGN_DATA)) + .apply { + if (!signingOnly) { + addSubkey( + KeySpec.getBuilder( + KeyType.ECDH(EllipticCurve._P256), + KeyFlag.ENCRYPT_COMMS, + KeyFlag.ENCRYPT_STORAGE)) + } + } + } + RFC6637_NIST_P384_PROFILE.name -> { + api.buildKey(OpenPGPKeyVersion.v4) + .setPrimaryKey( + KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._P384), KeyFlag.CERTIFY_OTHER)) + .addSubkey( + KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._P384), KeyFlag.SIGN_DATA)) + .apply { + if (!signingOnly) { + addSubkey( + KeySpec.getBuilder( + KeyType.ECDH(EllipticCurve._P384), + KeyFlag.ENCRYPT_COMMS, + KeyFlag.ENCRYPT_STORAGE)) + } + } + } + RFC6637_NIST_P521_PROFILE.name -> { + api.buildKey(OpenPGPKeyVersion.v4) + .setPrimaryKey( + KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._P521), KeyFlag.CERTIFY_OTHER)) + .addSubkey( + KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._P521), KeyFlag.SIGN_DATA)) + .apply { + if (!signingOnly) { + addSubkey( + KeySpec.getBuilder( + KeyType.ECDH(EllipticCurve._P521), + KeyFlag.ENCRYPT_COMMS, + KeyFlag.ENCRYPT_STORAGE)) + } + } + } + RFC9580_CURVE25519_PROFILE.name -> { api.buildKey(OpenPGPKeyVersion.v6) .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder(KeyType.Ed25519(), KeyFlag.SIGN_DATA)) @@ -146,6 +208,20 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { } } } + RFC9580_CURVE448_PROFILE.name -> { + api.buildKey(OpenPGPKeyVersion.v6) + .setPrimaryKey(KeySpec.getBuilder(KeyType.Ed448(), KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.Ed448(), KeyFlag.SIGN_DATA)) + .apply { + if (!signingOnly) { + addSubkey( + KeySpec.getBuilder( + KeyType.X448(), + KeyFlag.ENCRYPT_COMMS, + KeyFlag.ENCRYPT_STORAGE)) + } + } + } else -> throw SOPGPException.UnsupportedProfile("generate-key", profile) } diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java index aa366ef1..30616b22 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java @@ -568,7 +568,7 @@ public class EncryptDecryptRoundTripTest { public void encryptWithSupportedProfileTest() throws IOException { byte[] key = sop.generateKey() - .profile("rfc4880") + .profile(GenerateKeyImpl.RFC4880_RSA4096_PROFILE.getName()) .userId("Alice ") .generate() .getBytes(); @@ -578,7 +578,7 @@ public class EncryptDecryptRoundTripTest { .getBytes(); byte[] encrypted = sop.encrypt() - .profile("rfc4880") + .profile(EncryptImpl.RFC4880_PROFILE.getName()) .withCert(cert) .plaintext(message) .toByteArrayAndResult() From d8a1a272d9aaf9f129ced9066820c6ade6912d1d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 30 May 2025 14:29:55 +0200 Subject: [PATCH 243/265] Enable additional profiles --- .../src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt index d146d0b4..e220f1bf 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/GenerateKeyImpl.kt @@ -52,7 +52,11 @@ class GenerateKeyImpl(private val api: PGPainless) : GenerateKey { listOf( CURVE25519_PROFILE.withAliases("default", "compatibility"), RFC4880_RSA4096_PROFILE, - RFC9580_CURVE25519_PROFILE.withAliases("performance", "security")) + RFC6637_NIST_P256_PROFILE, + RFC6637_NIST_P384_PROFILE, + RFC6637_NIST_P521_PROFILE, + RFC9580_CURVE25519_PROFILE.withAliases("performance", "security"), + RFC9580_CURVE448_PROFILE) } private val userIds = mutableSetOf() From e988796ea9548d2e8be8ece5a99de23944fe1b80 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 30 May 2025 14:45:34 +0200 Subject: [PATCH 244/265] SOP encrypt: Add profile for rfc9580 --- .../kotlin/org/pgpainless/sop/EncryptImpl.kt | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt index bacd53e9..87d87b45 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt @@ -8,11 +8,14 @@ import java.io.IOException import java.io.InputStream import java.io.OutputStream import org.bouncycastle.openpgp.PGPException +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPKey import org.bouncycastle.util.io.Streams import org.pgpainless.PGPainless +import org.pgpainless.algorithm.AEADAlgorithm import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.StreamEncoding +import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.encryption_signing.EncryptionOptions import org.pgpainless.encryption_signing.ProducerOptions import org.pgpainless.encryption_signing.SigningOptions @@ -33,8 +36,13 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { companion object { @JvmField val RFC4880_PROFILE = Profile("rfc4880", "Follow the packet format of rfc4880") + @JvmField val RFC9580_PROFILE = Profile("rfc9580", "Follow the packet format of rfc9580") - @JvmField val SUPPORTED_PROFILES = listOf(RFC4880_PROFILE) + @JvmField + val SUPPORTED_PROFILES = + listOf( + RFC4880_PROFILE.withAliases("default", "compatibility"), + RFC9580_PROFILE.withAliases("security", "performance")) } private val encryptionOptions = EncryptionOptions.get(api) @@ -55,6 +63,12 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { throw SOPGPException.MissingArg("Missing encryption method.") } + if (profile == RFC9580_PROFILE.name) { + encryptionOptions.overrideEncryptionMechanism( + MessageEncryptionMechanism.aead( + SymmetricKeyAlgorithm.AES_128.algorithmId, AEADAlgorithm.OCB.algorithmId)) + } + val options = if (signingOptions != null) { ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions!!) @@ -94,7 +108,8 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { override fun profile(profileName: String): Encrypt = apply { profile = - SUPPORTED_PROFILES.find { it.name == profileName }?.name + SUPPORTED_PROFILES.find { it.name == profileName || it.aliases.contains(profileName) } + ?.name ?: throw SOPGPException.UnsupportedProfile("encrypt", profileName) } From b10b65d7cc0264099d8233726e30d0c094026618 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 2 Jun 2025 14:45:51 +0200 Subject: [PATCH 245/265] ValidateUserIdImpl: throw CertUserIdNoMatch for unbound user-ids --- .../src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt index 35123109..1949f280 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/ValidateUserIdImpl.kt @@ -8,6 +8,7 @@ import java.io.InputStream import java.util.* import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless +import sop.exception.SOPGPException import sop.operation.ValidateUserId class ValidateUserIdImpl(private val api: PGPainless) : ValidateUserId { @@ -28,7 +29,9 @@ class ValidateUserIdImpl(private val api: PGPainless) : ValidateUserId { return api.readKey().parseCertificates(certs).all { cert -> authorities.all { authority -> cert.getUserId(userId)?.getCertificationBy(authority, validateAt)?.isValid == true - } + } || + throw SOPGPException.CertUserIdNoMatch( + "${cert.keyIdentifier} does not carry valid user-id '$userId'") } } From 8290c7a3de2e1c621a87b1fc975248f7ac360e41 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 3 Jun 2025 11:49:59 +0200 Subject: [PATCH 246/265] EncryptionMechanismNegotiator: Allow producing AEADED/OED packets --- .../negotiation/EncryptionMechanismNegotiator.kt | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt index c8476910..238e3212 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/EncryptionMechanismNegotiator.kt @@ -67,6 +67,15 @@ fun interface EncryptionMechanismNegotiator { return MessageEncryptionMechanism.aead( bestSupportedMode.ciphermode.algorithmId, bestSupportedMode.aeadAlgorithm.algorithmId) + } else if (features.all { it.contains(Feature.LIBREPGP_OCB_ENCRYPTED_DATA) }) { + return MessageEncryptionMechanism.librePgp( + symmetricKeyAlgorithmNegotiator + .negotiate( + policy.messageEncryptionAlgorithmPolicy + .symmetricAlgorithmPolicy, + null, + symmetricAlgorithmPreferences) + .algorithmId) } // If all support SEIPD1, negotiate SEIPD1 using symmetricKeyAlgorithmNegotiator else if (features.all { it.contains(Feature.MODIFICATION_DETECTION) }) { From 91730fd13fe028eb8582ab9dc8deab9acdddfc60 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 3 Jun 2025 11:51:30 +0200 Subject: [PATCH 247/265] SOP encrypt --profile=rfc9580: Only override enc mechanism with seipd2 if exclusively symmetric encryption is used --- .../org/pgpainless/encryption_signing/EncryptionOptions.kt | 4 ++++ .../src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 980a2278..60e98626 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing import org.bouncycastle.openpgp.api.MessageEncryptionMechanism import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey +import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator import org.pgpainless.PGPainless import org.pgpainless.algorithm.EncryptionPurpose @@ -427,6 +428,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: fun hasEncryptionMethod() = _encryptionMethods.isNotEmpty() + fun usesOnlyPasswordBasedEncryption() = + _encryptionMethods.all { it is PBEKeyEncryptionMethodGenerator } + internal fun negotiateEncryptionMechanism(): MessageEncryptionMechanism { if (encryptionMechanismOverride != null) { return encryptionMechanismOverride!! diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt index 87d87b45..6e371ff0 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt @@ -63,7 +63,8 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { throw SOPGPException.MissingArg("Missing encryption method.") } - if (profile == RFC9580_PROFILE.name) { + if (encryptionOptions.usesOnlyPasswordBasedEncryption() && + profile == RFC9580_PROFILE.name) { encryptionOptions.overrideEncryptionMechanism( MessageEncryptionMechanism.aead( SymmetricKeyAlgorithm.AES_128.algorithmId, AEADAlgorithm.OCB.algorithmId)) From fa289e9ca2caab72e04f86aec0b5cd1e02d07463 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 3 Jun 2025 11:58:59 +0200 Subject: [PATCH 248/265] Swappable algorithm negotiation delegates --- .../CompressionAlgorithmNegotiator.kt | 24 +++++++++++++++++++ .../encryption_signing/EncryptionOptions.kt | 16 +++++++------ .../encryption_signing/ProducerOptions.kt | 8 ++++--- .../encryption_signing/SigningOptions.kt | 21 +++++++--------- 4 files changed, 46 insertions(+), 23 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt new file mode 100644 index 00000000..a028fc84 --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt @@ -0,0 +1,24 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.algorithm.negotiation + +import org.pgpainless.algorithm.CompressionAlgorithm +import org.pgpainless.policy.Policy + +fun interface CompressionAlgorithmNegotiator { + fun negotiate( + policy: Policy, + override: CompressionAlgorithm?, + orderedPreferences: Set? + ): CompressionAlgorithm + + companion object { + @JvmStatic + fun staticNegotiation(): CompressionAlgorithmNegotiator = + CompressionAlgorithmNegotiator { policy, override, _ -> + override ?: policy.compressionAlgorithmPolicy.defaultCompressionAlgorithm + } + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt index 60e98626..ee2c5b18 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt @@ -27,6 +27,9 @@ import org.pgpainless.key.info.KeyRingInfo import org.pgpainless.util.Passphrase class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: PGPainless) { + + var encryptionMechanismNegotiator: EncryptionMechanismNegotiator = + EncryptionMechanismNegotiator.modificationDetectionOrBetter(byPopularity()) private val _encryptionMethods: MutableSet = mutableSetOf() private val keysAndAccessors: MutableMap = mutableMapOf() private val _keyRingInfo: MutableMap = mutableMapOf() @@ -442,13 +445,12 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api: keysAndAccessors.values.map { it.preferredSymmetricKeyAlgorithms }.toList() val mechanism = - EncryptionMechanismNegotiator.modificationDetectionOrBetter(byPopularity()) - .negotiate( - api.algorithmPolicy, - encryptionMechanismOverride, - features, - aeadAlgorithms, - symmetricKeyAlgorithms) + encryptionMechanismNegotiator.negotiate( + api.algorithmPolicy, + encryptionMechanismOverride, + features, + aeadAlgorithms, + symmetricKeyAlgorithms) return mechanism } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt index e2c4596f..900d7fe6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/ProducerOptions.kt @@ -8,13 +8,15 @@ import java.util.* import org.bouncycastle.openpgp.PGPLiteralData import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding +import org.pgpainless.algorithm.negotiation.CompressionAlgorithmNegotiator import org.pgpainless.policy.Policy class ProducerOptions( val encryptionOptions: EncryptionOptions?, val signingOptions: SigningOptions? ) { - + var compressionAlgorithmNegotiator: CompressionAlgorithmNegotiator = + CompressionAlgorithmNegotiator.staticNegotiation() private var _fileName: String = "" private var _modificationDate: Date = PGPLiteralData.NOW private var encodingField: StreamEncoding = StreamEncoding.BINARY @@ -237,8 +239,8 @@ class ProducerOptions( } internal fun negotiateCompressionAlgorithm(policy: Policy): CompressionAlgorithm { - return compressionAlgorithmOverride - ?: policy.compressionAlgorithmPolicy.defaultCompressionAlgorithm + return compressionAlgorithmNegotiator.negotiate( + policy, compressionAlgorithmOverride, setOf()) } companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt index 0df6c931..ce0774e8 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt @@ -15,6 +15,7 @@ import org.pgpainless.PGPainless import org.pgpainless.algorithm.DocumentSignatureType import org.pgpainless.algorithm.HashAlgorithm import org.pgpainless.algorithm.PublicKeyAlgorithm.Companion.requireFromId +import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator.Companion.negotiateSignatureHashAlgorithm import org.pgpainless.exception.KeyException import org.pgpainless.exception.KeyException.* @@ -27,7 +28,8 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper class SigningOptions(private val api: PGPainless) { - + var hashAlgorithmNegotiator: HashAlgorithmNegotiator = + negotiateSignatureHashAlgorithm(api.algorithmPolicy) val signingMethods: Map = mutableMapOf() private var _hashAlgorithmOverride: HashAlgorithm? = null private var _evaluationDate: Date = Date() @@ -200,8 +202,7 @@ class SigningOptions(private val api: PGPainless) { val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) else keyRingInfo.getPreferredHashAlgorithms(signingPubKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = - negotiateHashAlgorithm(hashAlgorithms, api.algorithmPolicy) + val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms) addSigningMethod( signingPrivKey, hashAlgorithm, signatureType, false, subpacketsCallback) } @@ -268,8 +269,7 @@ class SigningOptions(private val api: PGPainless) { val signingPrivKey = unlockSecretKey(signingKey, signingKeyProtector) val hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(signingKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = - negotiateHashAlgorithm(hashAlgorithms, api.algorithmPolicy) + val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms) addSigningMethod(signingPrivKey, hashAlgorithm, signatureType, false, subpacketsCallback) } @@ -467,8 +467,7 @@ class SigningOptions(private val api: PGPainless) { val hashAlgorithms = if (userId != null) keyRingInfo.getPreferredHashAlgorithms(userId) else keyRingInfo.getPreferredHashAlgorithms(signingKey.keyIdentifier) - val hashAlgorithm: HashAlgorithm = - negotiateHashAlgorithm(hashAlgorithms, api.algorithmPolicy) + val hashAlgorithm: HashAlgorithm = negotiateHashAlgorithm(hashAlgorithms) addSigningMethod(signingPrivKey, hashAlgorithm, signatureType, true, subpacketCallback) } @@ -559,12 +558,8 @@ class SigningOptions(private val api: PGPainless) { * @param policy policy * @return selected hash algorithm */ - private fun negotiateHashAlgorithm( - preferences: Set?, - policy: Policy - ): HashAlgorithm { - return _hashAlgorithmOverride - ?: negotiateSignatureHashAlgorithm(policy).negotiateHashAlgorithm(preferences) + private fun negotiateHashAlgorithm(preferences: Set?): HashAlgorithm { + return _hashAlgorithmOverride ?: hashAlgorithmNegotiator.negotiateHashAlgorithm(preferences) } @Throws(PGPException::class) From 6429e3f77c4905d3ae46bc8e55996ec9ba748ab8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 3 Jun 2025 12:11:30 +0200 Subject: [PATCH 249/265] Move SymmetricKeyAlgorithmNegotiatorTest to negotiation package --- .../SymmetricKeyAlgorithmNegotiatorTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename pgpainless-core/src/test/java/org/pgpainless/algorithm/{ => negotiation}/SymmetricKeyAlgorithmNegotiatorTest.java (97%) diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiatorTest.java similarity index 97% rename from pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java rename to pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiatorTest.java index 3b9cd1b1..2ff83f6c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiatorTest.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.algorithm; +package org.pgpainless.algorithm.negotiation; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; @@ -15,7 +15,7 @@ import java.util.List; import java.util.Set; import org.junit.jupiter.api.Test; -import org.pgpainless.algorithm.negotiation.SymmetricKeyAlgorithmNegotiator; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.policy.Policy; public class SymmetricKeyAlgorithmNegotiatorTest { From d18158ac83536f00436577c1021f9866a1d67f80 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 3 Jun 2025 12:25:40 +0200 Subject: [PATCH 250/265] Add test for CompressionAlgorithmNegotiator --- .../CompressionAlgorithmNegotiator.kt | 20 ++++++- .../CompressionAlgorithmNegotiatorTest.java | 52 +++++++++++++++++++ 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiatorTest.java diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt index a028fc84..ab3128db 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiator.kt @@ -8,13 +8,31 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.policy.Policy fun interface CompressionAlgorithmNegotiator { + + /** + * Negotiate a suitable [CompressionAlgorithm] by taking into consideration the [Policy], a + * user-provided [compressionAlgorithmOverride] and the users set of [orderedPreferences]. + * + * @param policy implementations [Policy] + * @param compressionAlgorithmOverride user-provided [CompressionAlgorithm] override. + * @param orderedPreferences preferred compression algorithms taken from the users certificate + * @return negotiated [CompressionAlgorithm] + */ fun negotiate( policy: Policy, - override: CompressionAlgorithm?, + compressionAlgorithmOverride: CompressionAlgorithm?, orderedPreferences: Set? ): CompressionAlgorithm companion object { + + /** + * Static negotiation of compression algorithms. This implementation discards compression + * algorithm preferences and instead either returns the non-null algorithm override, + * otherwise the policies default hash algorithm. + * + * @return delegate implementation + */ @JvmStatic fun staticNegotiation(): CompressionAlgorithmNegotiator = CompressionAlgorithmNegotiator { policy, override, _ -> diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiatorTest.java new file mode 100644 index 00000000..ced8b4a1 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/negotiation/CompressionAlgorithmNegotiatorTest.java @@ -0,0 +1,52 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.algorithm.negotiation; + +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.policy.Policy; + +import java.util.Arrays; +import java.util.Collections; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +public class CompressionAlgorithmNegotiatorTest { + + @Test + public void staticNegotiateWithoutOverride() { + Policy policy = PGPainless.getInstance().getAlgorithmPolicy() + .copy() + .withCompressionAlgorithmPolicy(new Policy.CompressionAlgorithmPolicy( + CompressionAlgorithm.BZIP2, + Arrays.asList(CompressionAlgorithm.BZIP2, CompressionAlgorithm.UNCOMPRESSED) + )) + .build(); + CompressionAlgorithmNegotiator negotiator = CompressionAlgorithmNegotiator.staticNegotiation(); + + // If the user did not pass an override, return the policy default + assertEquals( + CompressionAlgorithm.BZIP2, + negotiator.negotiate(policy, null, Collections.emptySet())); + } + + @Test + public void staticNegotiateWithOverride() { + Policy policy = PGPainless.getInstance().getAlgorithmPolicy() + .copy() + .withCompressionAlgorithmPolicy(new Policy.CompressionAlgorithmPolicy( + CompressionAlgorithm.BZIP2, + Arrays.asList(CompressionAlgorithm.BZIP2, CompressionAlgorithm.UNCOMPRESSED) + )) + .build(); + CompressionAlgorithmNegotiator negotiator = CompressionAlgorithmNegotiator.staticNegotiation(); + + // If the user passed an override, return that + assertEquals( + CompressionAlgorithm.ZLIB, + negotiator.negotiate(policy, CompressionAlgorithm.ZLIB, Collections.emptySet())); + } +} From 19534fef0938aede7b0896afddceceedc8b63ea0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 12 Jun 2025 13:35:24 +0200 Subject: [PATCH 251/265] Implement update-key command properly --- .../secretkeyring/OpenPGPKeyUpdater.kt | 221 ++++++++++++++++++ .../kotlin/org/pgpainless/policy/Policy.kt | 62 +++++ .../org/pgpainless/sop/UpdateKeyImpl.kt | 16 +- 3 files changed, 297 insertions(+), 2 deletions(-) create mode 100644 pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt new file mode 100644 index 00000000..def452ac --- /dev/null +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt @@ -0,0 +1,221 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.modification.secretkeyring + +import java.util.* +import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites.Combination +import org.bouncycastle.openpgp.api.KeyPairGeneratorCallback +import org.bouncycastle.openpgp.api.MessageEncryptionMechanism +import org.bouncycastle.openpgp.api.OpenPGPKey +import org.bouncycastle.openpgp.api.OpenPGPKeyEditor +import org.bouncycastle.openpgp.api.SignatureParameters +import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator +import org.pgpainless.PGPainless +import org.pgpainless.algorithm.Feature +import org.pgpainless.bouncycastle.PolicyAdapter +import org.pgpainless.bouncycastle.extensions.getKeyVersion +import org.pgpainless.bouncycastle.extensions.toAEADCipherModes +import org.pgpainless.bouncycastle.extensions.toCompressionAlgorithms +import org.pgpainless.bouncycastle.extensions.toHashAlgorithms +import org.pgpainless.bouncycastle.extensions.toSymmetricKeyAlgorithms +import org.pgpainless.key.protection.SecretKeyRingProtector +import org.pgpainless.policy.Policy + +class OpenPGPKeyUpdater( + private var key: OpenPGPKey, + private val protector: SecretKeyRingProtector, + private val api: PGPainless = PGPainless.getInstance(), + private val policy: Policy = api.algorithmPolicy, + private val referenceTime: Date = Date() +) { + + init { + key = + OpenPGPKey( + key.pgpSecretKeyRing, api.implementation, PolicyAdapter(Policy.wildcardPolicy())) + } + + private val keyEditor = OpenPGPKeyEditor(key, protector) + + fun extendExpirationIfExpiresBefore( + expiresBeforeSeconds: Long, + newExpirationTimeSecondsFromNow: Long? = _5YEARS + ) = apply { + require(expiresBeforeSeconds > 0) { + "Time period to check expiration within MUST be positive." + } + require(newExpirationTimeSecondsFromNow == null || newExpirationTimeSecondsFromNow > 0) { + "New expiration period MUST be null or positive." + } + } + + fun replaceRejectedAlgorithmPreferencesAndFeatures(addNewAlgorithms: Boolean = false) = apply { + val features = key.primaryKey.getFeatures(referenceTime)?.features ?: 0 + val newFeatures = + Feature.fromBitmask(features.toInt()) + // Filter out unsupported features + .filter { policy.featurePolicy.isAcceptable(it) } + .toSet() + // Optionally add in new capabilities + .plus( + if (addNewAlgorithms) policy.keyGenerationAlgorithmSuite.features ?: listOf() + else listOf()) + .toTypedArray() + .let { Feature.toBitmask(*it) } + + // Hash Algs + val hashAlgs = key.primaryKey.hashAlgorithmPreferences.toHashAlgorithms() + val newHashAlgs = + hashAlgs + // Filter out unsupported hash algorithms + .filter { policy.dataSignatureHashAlgorithmPolicy.isAcceptable(it) } + // Optionally add in new hash algorithms + .plus( + if (addNewAlgorithms) + policy.keyGenerationAlgorithmSuite.hashAlgorithms ?: listOf() + else listOf()) + .toSet() + + // Sym Algs + val symAlgs = key.primaryKey.symmetricCipherPreferences.toSymmetricKeyAlgorithms() + val newSymAlgs = + symAlgs + .filter { + policy.messageEncryptionAlgorithmPolicy.symmetricAlgorithmPolicy.isAcceptable( + it) + } + .plus( + if (addNewAlgorithms) + policy.keyGenerationAlgorithmSuite.symmetricKeyAlgorithms ?: listOf() + else listOf()) + .toSet() + + // Comp Algs + val compAlgs = key.primaryKey.compressionAlgorithmPreferences.toCompressionAlgorithms() + val newCompAlgs = + compAlgs + .filter { policy.compressionAlgorithmPolicy.isAcceptable(it) } + .plus( + if (addNewAlgorithms) + policy.keyGenerationAlgorithmSuite.compressionAlgorithms ?: listOf() + else listOf()) + .toSet() + + // AEAD Prefs + val aeadAlgs = key.primaryKey.aeadCipherSuitePreferences.toAEADCipherModes() + val newAeadAlgs = + aeadAlgs + .filter { + policy.messageEncryptionAlgorithmPolicy.isAcceptable( + MessageEncryptionMechanism.aead( + it.ciphermode.algorithmId, it.aeadAlgorithm.algorithmId)) + } + .plus(policy.keyGenerationAlgorithmSuite.aeadAlgorithms ?: listOf()) + .toSet() + + if (features != newFeatures || + hashAlgs != newHashAlgs || + symAlgs != newSymAlgs || + compAlgs != newCompAlgs || + aeadAlgs != newAeadAlgs) { + keyEditor.addDirectKeySignature( + SignatureParameters.Callback.modifyHashedSubpackets { sigGen -> + sigGen.apply { + setKeyFlags(key.primaryKey.keyFlags?.flags ?: 0) + setFeature(true, newFeatures) + setPreferredHashAlgorithms( + true, newHashAlgs.map { it.algorithmId }.toIntArray()) + setPreferredSymmetricAlgorithms( + true, newSymAlgs.map { it.algorithmId }.toIntArray()) + setPreferredCompressionAlgorithms( + true, newCompAlgs.map { it.algorithmId }.toIntArray()) + setPreferredAEADCiphersuites( + true, + newAeadAlgs + .map { + Combination( + it.ciphermode.algorithmId, it.aeadAlgorithm.algorithmId) + } + .toTypedArray()) + } + }) + } + } + + fun replaceWeakSubkeys( + revokeWeakKeys: Boolean = true, + signingKeysOnly: Boolean + ): OpenPGPKeyUpdater = apply { + replaceWeakSigningSubkeys(revokeWeakKeys) + if (!signingKeysOnly) { + replaceWeakEncryptionSubkeys(revokeWeakKeys) + } + } + + fun replaceWeakEncryptionSubkeys( + revokeWeakKeys: Boolean, + keyPairGeneratorCallback: KeyPairGeneratorCallback = + KeyPairGeneratorCallback.encryptionKey() + ) { + val weakEncryptionKeys = + key.getEncryptionKeys(referenceTime).filterNot { + policy.publicKeyAlgorithmPolicy.isAcceptable( + it.algorithm, it.pgpPublicKey.bitStrength) + } + + if (weakEncryptionKeys.isNotEmpty()) { + keyEditor.addEncryptionSubkey(keyPairGeneratorCallback) + } + + if (revokeWeakKeys) { + weakEncryptionKeys + .filterNot { it.keyIdentifier.matches(key.primaryKey.keyIdentifier) } + .forEach { keyEditor.revokeComponentKey(it) } + } + } + + fun replaceWeakSigningSubkeys( + revokeWeakKeys: Boolean, + keyPairGenerator: PGPKeyPairGenerator = provideKeyPairGenerator(), + keyPairGeneratorCallback: KeyPairGeneratorCallback = KeyPairGeneratorCallback.signingKey() + ) { + val weakSigningKeys = + key.getSigningKeys(referenceTime).filterNot { + policy.publicKeyAlgorithmPolicy.isAcceptable( + it.algorithm, it.pgpPublicKey.bitStrength) + } + + if (weakSigningKeys.isNotEmpty()) { + keyEditor.addSigningSubkey(keyPairGeneratorCallback) + } + + if (revokeWeakKeys) { + weakSigningKeys + .filterNot { it.keyIdentifier.matches(key.primaryKey.keyIdentifier) } + .forEach { keyEditor.revokeComponentKey(it) } + } + + keyPairGeneratorCallback.generateFrom(keyPairGenerator) + } + + private fun provideKeyPairGenerator(): PGPKeyPairGenerator { + return api.implementation + .pgpKeyPairGeneratorProvider() + .get(key.primaryKey.getKeyVersion().numeric, referenceTime) + } + + fun finish(): OpenPGPKey { + return keyEditor.done() + } + + companion object { + const val SECOND: Long = 1000 + const val MINUTE: Long = 60 * SECOND + const val HOUR: Long = 60 * MINUTE + const val DAY: Long = 24 * HOUR + const val YEAR: Long = 365 * DAY + const val _5YEARS: Long = 5 * YEAR + } +} diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt index 872aa972..5d8ba4d0 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt @@ -21,6 +21,7 @@ class Policy { val messageDecryptionAlgorithmPolicy: MessageEncryptionMechanismPolicy val compressionAlgorithmPolicy: CompressionAlgorithmPolicy val publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy + val featurePolicy: FeaturePolicy = FeaturePolicy.defaultFeaturePolicy() val keyProtectionSettings: KeyRingProtectionSettings val notationRegistry: NotationRegistry val keyGenerationAlgorithmSuite: AlgorithmSuite @@ -717,4 +718,65 @@ class Policy { keyGenerationAlgorithmSuite) .apply { enableKeyParameterValidation = origin.enableKeyParameterValidation } } + + abstract class FeaturePolicy { + fun isAcceptable(feature: Byte): Boolean = + Feature.fromId(feature)?.let { isAcceptable(it) } ?: false + + abstract fun isAcceptable(feature: Feature): Boolean + + companion object { + @JvmStatic + fun defaultFeaturePolicy(): FeaturePolicy { + return whiteList( + listOf(Feature.MODIFICATION_DETECTION, Feature.MODIFICATION_DETECTION_2)) + } + + @JvmStatic + fun whiteList(whitelistedFeatures: List): FeaturePolicy { + return object : FeaturePolicy() { + override fun isAcceptable(feature: Feature): Boolean { + return whitelistedFeatures.contains(feature) + } + } + } + } + } + + companion object { + fun wildcardPolicy(): Policy = + Policy( + HashAlgorithmPolicy(HashAlgorithm.SHA512, HashAlgorithm.entries), + HashAlgorithmPolicy(HashAlgorithm.SHA512, HashAlgorithm.entries), + HashAlgorithmPolicy(HashAlgorithm.SHA512, HashAlgorithm.entries), + object : + MessageEncryptionMechanismPolicy( + SymmetricKeyAlgorithmPolicy( + SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.entries), + MessageEncryptionMechanism.integrityProtected( + SymmetricKeyAlgorithm.AES_256.algorithmId)) { + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + return true + } + }, + object : + MessageEncryptionMechanismPolicy( + SymmetricKeyAlgorithmPolicy( + SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.entries), + MessageEncryptionMechanism.integrityProtected( + SymmetricKeyAlgorithm.AES_256.algorithmId)) { + override fun isAcceptable( + encryptionMechanism: MessageEncryptionMechanism + ): Boolean { + return true + } + }, + CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(), + PublicKeyAlgorithmPolicy(PublicKeyAlgorithm.entries.associateWith { 0 }.toMap()), + KeyRingProtectionSettings.secureDefaultSettings(), + NotationRegistry(setOf()), + AlgorithmSuite.defaultAlgorithmSuite) + } } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt index c9f8e605..37767424 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/UpdateKeyImpl.kt @@ -1,15 +1,17 @@ // SPDX-FileCopyrightText: 2025 Paul Schaub // -// SPDX-License-Identifier: CC0-1.0 +// SPDX-License-Identifier: Apache-2.0 package org.pgpainless.sop import java.io.InputStream import java.io.OutputStream +import java.util.* import org.bouncycastle.bcpg.KeyIdentifier import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.api.OpenPGPCertificate import org.pgpainless.PGPainless +import org.pgpainless.key.modification.secretkeyring.OpenPGPKeyUpdater import org.pgpainless.util.OpenPGPCertificateUtil import org.pgpainless.util.Passphrase import sop.Ready @@ -27,8 +29,9 @@ class UpdateKeyImpl(private val api: PGPainless) : UpdateKey { override fun key(key: InputStream): Ready { return object : Ready() { override fun writeTo(outputStream: OutputStream) { - val keyList = + var keyList = api.readKey().parseKeys(key).map { + // Merge keys if (mergeCerts[it.keyIdentifier] == null) { it } else { @@ -41,6 +44,15 @@ class UpdateKeyImpl(private val api: PGPainless) : UpdateKey { } } + // Update keys + keyList = + keyList.map { + OpenPGPKeyUpdater(it, protector, api) + .replaceRejectedAlgorithmPreferencesAndFeatures(addCapabilities) + .replaceWeakSubkeys(true, signingOnly) + .finish() + } + if (armor) { OpenPGPCertificateUtil.armor(keyList, outputStream) } else { From 1ee77f1db7cf2aa40d7cadd9139c82a32b5b41e4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 16 Jun 2025 11:10:35 +0200 Subject: [PATCH 252/265] Remove unused SignatureSubpackets callback related methods --- .../subpackets/BaseSignatureSubpackets.kt | 48 ------------------- .../subpackets/SignatureSubpackets.kt | 45 ----------------- 2 files changed, 93 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt index 4b4c40d5..87e8d57e 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt @@ -175,52 +175,4 @@ interface BaseSignatureSubpackets { fun addEmbeddedSignature(embeddedSignature: EmbeddedSignature): BaseSignatureSubpackets fun clearEmbeddedSignatures(): BaseSignatureSubpackets - - companion object { - - /** Factory method for a [Callback] that does nothing. */ - @JvmStatic fun nop() = object : Callback {} - - /** - * Factory function with receiver, which returns a [Callback] that modifies the hashed - * subpacket area of a [BaseSignatureSubpackets] object. - * - * Can be called like this: - * ``` - * val callback = BaseSignatureSubpackets.applyHashed { - * setCreationTime(date) - * ... - * } - * ``` - */ - @JvmStatic - fun applyHashed(function: BaseSignatureSubpackets.() -> Unit): Callback { - return object : Callback { - override fun modifyHashedSubpackets(hashedSubpackets: BaseSignatureSubpackets) { - function(hashedSubpackets) - } - } - } - - /** - * Factory function with receiver, which returns a [Callback] that modifies the unhashed - * subpacket area of a [BaseSignatureSubpackets] object. - * - * Can be called like this: - * ``` - * val callback = BaseSignatureSubpackets.applyUnhashed { - * setCreationTime(date) - * ... - * } - * ``` - */ - @JvmStatic - fun applyUnhashed(function: BaseSignatureSubpackets.() -> Unit): Callback { - return object : Callback { - override fun modifyUnhashedSubpackets(unhashedSubpackets: BaseSignatureSubpackets) { - function(unhashedSubpackets) - } - } - } - } } diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index e30c6100..8b831969 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -70,51 +70,6 @@ class SignatureSubpackets( fun createEmptySubpackets(): SignatureSubpackets { return SignatureSubpackets(PGPSignatureSubpacketGenerator()) } - - /** Factory method for a [Callback] that does nothing. */ - @JvmStatic fun nop() = object : Callback {} - - /** - * Factory function with receiver, which returns a [Callback] that modifies the hashed - * subpacket area of a [SignatureSubpackets] object. - * - * Can be called like this: - * ``` - * val callback = SignatureSubpackets.applyHashed { - * setCreationTime(date) - * ... - * } - * ``` - */ - @JvmStatic - fun applyHashed(function: SignatureSubpackets.() -> Unit): Callback { - return object : Callback { - override fun modifyHashedSubpackets(hashedSubpackets: SignatureSubpackets) { - function(hashedSubpackets) - } - } - } - - /** - * Factory function with receiver, which returns a [Callback] that modifies the unhashed - * subpacket area of a [SignatureSubpackets] object. - * - * Can be called like this: - * ``` - * val callback = SignatureSubpackets.applyUnhashed { - * setCreationTime(date) - * ... - * } - * ``` - */ - @JvmStatic - fun applyUnhashed(function: SignatureSubpackets.() -> Unit): Callback { - return object : Callback { - override fun modifyUnhashedSubpackets(unhashedSubpackets: SignatureSubpackets) { - function(unhashedSubpackets) - } - } - } } override fun setRevocationReason( From 1106cb42281c6b36798ba64652d65e1794bb826a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 16 Jun 2025 11:11:20 +0200 Subject: [PATCH 253/265] Add missing implementations of then() method --- .../subpackets/CertificationSubpackets.kt | 17 ++++++++++++- .../RevocationSignatureSubpackets.kt | 24 ++++++++++++++++++- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/CertificationSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/CertificationSubpackets.kt index bb1d6550..a37c6984 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/CertificationSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/CertificationSubpackets.kt @@ -6,7 +6,22 @@ package org.pgpainless.signature.subpackets interface CertificationSubpackets : BaseSignatureSubpackets { - interface Callback : SignatureSubpacketCallback + interface Callback : SignatureSubpacketCallback { + fun then(nextCallback: SignatureSubpacketCallback): Callback { + val currCallback = this + return object : Callback { + override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) { + currCallback.modifyHashedSubpackets(hashedSubpackets) + nextCallback.modifyHashedSubpackets(hashedSubpackets) + } + + override fun modifyUnhashedSubpackets(unhashedSubpackets: CertificationSubpackets) { + currCallback.modifyUnhashedSubpackets(unhashedSubpackets) + nextCallback.modifyUnhashedSubpackets(unhashedSubpackets) + } + } + } + } companion object { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.kt index 79807322..5eaf5313 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.kt @@ -6,10 +6,32 @@ package org.pgpainless.signature.subpackets import org.bouncycastle.bcpg.sig.RevocationReason import org.pgpainless.key.util.RevocationAttributes +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets.Callback interface RevocationSignatureSubpackets : BaseSignatureSubpackets { - interface Callback : SignatureSubpacketCallback + interface Callback : SignatureSubpacketCallback { + fun then( + nextCallback: SignatureSubpacketCallback + ): Callback { + val currCallback = this + return object : Callback { + override fun modifyHashedSubpackets( + hashedSubpackets: RevocationSignatureSubpackets + ) { + currCallback.modifyHashedSubpackets(hashedSubpackets) + nextCallback.modifyHashedSubpackets(hashedSubpackets) + } + + override fun modifyUnhashedSubpackets( + unhashedSubpackets: RevocationSignatureSubpackets + ) { + currCallback.modifyUnhashedSubpackets(unhashedSubpackets) + nextCallback.modifyUnhashedSubpackets(unhashedSubpackets) + } + } + } + } fun setRevocationReason( revocationAttributes: RevocationAttributes From 319847d4a8da08331c269200ee27499dd85b0a78 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 16 Jun 2025 11:12:08 +0200 Subject: [PATCH 254/265] setPreferredAEADCiphersuites(): Add missing method taking PreferredAEADCiphersuites object --- .../signature/subpackets/SelfSignatureSubpackets.kt | 4 ++++ .../signature/subpackets/SignatureSubpackets.kt | 10 ++++++++-- .../signature/subpackets/SignatureSubpacketsHelper.kt | 6 +++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt index f15f0071..8619155c 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.kt @@ -121,6 +121,10 @@ interface SelfSignatureSubpackets : BaseSignatureSubpackets { algorithms: PreferredAEADCiphersuites.Builder? ): SelfSignatureSubpackets + fun setPreferredAEADCiphersuites( + preferredAEADCiphersuites: PreferredAEADCiphersuites? + ): SelfSignatureSubpackets + @Deprecated("Use of this subpacket is discouraged.") fun addRevocationKey(revocationKey: PGPPublicKey): SelfSignatureSubpackets diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index 8b831969..2a5ea016 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -281,9 +281,15 @@ class SignatureSubpackets( override fun setPreferredAEADCiphersuites( algorithms: PreferredAEADCiphersuites.Builder? - ): SignatureSubpackets = apply { + ): SignatureSubpackets = setPreferredAEADCiphersuites(algorithms?.build()) + + override fun setPreferredAEADCiphersuites( + preferredAEADCiphersuites: PreferredAEADCiphersuites? + ) = apply { subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.PREFERRED_AEAD_ALGORITHMS) - algorithms?.let { subpacketsGenerator.setPreferredAEADCiphersuites(algorithms) } + preferredAEADCiphersuites?.let { + subpacketsGenerator.setPreferredAEADCiphersuites(it.isCritical, it.rawAlgorithms) + } } override fun addRevocationKey(revocationKey: PGPPublicKey): SignatureSubpackets = apply { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt index ceb484d3..203b8e4f 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.kt @@ -61,6 +61,11 @@ class SignatureSubpacketsHelper { PreferredAlgorithms( it.type, it.isCritical, it.isLongLength, it.data)) } + SignatureSubpacket.preferredAEADAlgorithms -> + (subpacket as PreferredAEADCiphersuites).let { + subpackets.setPreferredAEADCiphersuites( + PreferredAEADCiphersuites(it.isCritical, it.rawAlgorithms)) + } SignatureSubpacket.revocationKey -> (subpacket as RevocationKey).let { subpackets.addRevocationKey( @@ -130,7 +135,6 @@ class SignatureSubpacketsHelper { SignatureSubpacket.keyServerPreferences, SignatureSubpacket.preferredKeyServers, SignatureSubpacket.placeholder, - SignatureSubpacket.preferredAEADAlgorithms, SignatureSubpacket.attestedCertification -> subpackets.addResidualSubpacket(subpacket) else -> subpackets.addResidualSubpacket(subpacket) From 8d00ecf3fc7bca63d5b49623b3b396a25e64550c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 16 Jun 2025 11:12:30 +0200 Subject: [PATCH 255/265] Add tests for SignatureSubpacketsCallback implementations --- .../CertificationSubpacketsTest.java | 101 ++++++++++++++++ .../RevocationSignatureSubpacketsTest.java | 101 ++++++++++++++++ .../SelfSignatureSubpacketsTest.java | 108 ++++++++++++++++++ .../subpackets/SignatureSubpacketsTest.java | 4 + 4 files changed, 314 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/CertificationSubpacketsTest.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpacketsTest.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketsTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/CertificationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/CertificationSubpacketsTest.java new file mode 100644 index 00000000..4394ee47 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/CertificationSubpacketsTest.java @@ -0,0 +1,101 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import kotlin.Unit; +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.sig.IssuerFingerprint; +import org.bouncycastle.bcpg.sig.NotationData; +import org.junit.jupiter.api.Test; +import org.pgpainless.key.TestKeys; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.pgpainless.signature.subpackets.SignatureSubpacketsTest.toArray; + +public class CertificationSubpacketsTest { + + @Test + public void testNopDoesNothing() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + CertificationSubpackets.Callback cb = CertificationSubpackets.nop(); + + cb.modifyHashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + } + + @Test + public void testApplyHashed() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + CertificationSubpackets.Callback cb = CertificationSubpackets.applyHashed( + selfSignatureSubpackets -> { + selfSignatureSubpackets.setIssuerFingerprint(new IssuerFingerprint(false, 4, TestKeys.ROMEO_FINGERPRINT.getBytes())); + return Unit.INSTANCE; + }); + + assertEquals(0, toArray(subpackets).length); + + // The callback only applies to hashed subpackets, so modifying unhashed area does nothing + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyHashedSubpackets(subpackets); + assertEquals(1, toArray(subpackets).length); + } + + @Test + public void testApplyUnhashed() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + CertificationSubpackets.Callback cb = CertificationSubpackets.applyUnhashed( + selfSignatureSubpackets -> { + selfSignatureSubpackets.setIssuerKeyId(123L); + return Unit.INSTANCE; + }); + + assertEquals(0, toArray(subpackets).length); + + // The callback only applies to unhashed subpackets, so modifying hashed area does nothing + cb.modifyHashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(1, toArray(subpackets).length); + } + + @Test + public void testThen() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + + CertificationSubpackets.Callback first = CertificationSubpackets.applyHashed(selfSignatureSubpackets -> { + selfSignatureSubpackets.setIssuerFingerprint(new IssuerFingerprint(false, 4, TestKeys.ROMEO_FINGERPRINT.getBytes())); + selfSignatureSubpackets.addNotationData(false, "test@pgpainless.org", "foo"); + return Unit.INSTANCE; + }); + + CertificationSubpackets.Callback second = CertificationSubpackets.applyHashed(selfSignatureSubpackets -> { + selfSignatureSubpackets.setIssuerFingerprint(new IssuerFingerprint(true, 4, TestKeys.ROMEO_FINGERPRINT.getBytes())); + selfSignatureSubpackets.addNotationData(false, "test@pgpainless.org", "bar"); + return Unit.INSTANCE; + }); + + CertificationSubpackets.Callback both = first.then(second); + both.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + both.modifyHashedSubpackets(subpackets); + + SignatureSubpacket[] array = toArray(subpackets); + assertEquals(3, array.length); + NotationData n1 = (NotationData) array[0]; + assertEquals("foo", n1.getNotationValue()); + IssuerFingerprint fingerprint = (IssuerFingerprint) array[1]; + assertTrue(fingerprint.isCritical()); + NotationData n2 = (NotationData) array[2]; + assertEquals("bar", n2.getNotationValue()); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpacketsTest.java new file mode 100644 index 00000000..8d4d2d96 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpacketsTest.java @@ -0,0 +1,101 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import kotlin.Unit; +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.RevocationReason; +import org.junit.jupiter.api.Test; +import org.pgpainless.key.util.RevocationAttributes; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.pgpainless.signature.subpackets.SignatureSubpacketsTest.toArray; + +public class RevocationSignatureSubpacketsTest { + + @Test + public void testNopDoesNothing() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + RevocationSignatureSubpackets.Callback cb = RevocationSignatureSubpackets.nop(); + + cb.modifyHashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + } + + + @Test + public void testApplyHashed() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + RevocationSignatureSubpackets.Callback cb = RevocationSignatureSubpackets.applyHashed( + selfSignatureSubpackets -> { + selfSignatureSubpackets.setRevocationReason(true, RevocationAttributes.Reason.KEY_COMPROMISED, "Leaked"); + return Unit.INSTANCE; + }); + + assertEquals(0, toArray(subpackets).length); + + // The callback only applies to hashed subpackets, so modifying unhashed area does nothing + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyHashedSubpackets(subpackets); + assertEquals(1, toArray(subpackets).length); + } + + @Test + public void testApplyUnhashed() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + RevocationSignatureSubpackets.Callback cb = RevocationSignatureSubpackets.applyUnhashed( + selfSignatureSubpackets -> { + selfSignatureSubpackets.setIssuerKeyId(123L); + return Unit.INSTANCE; + }); + + assertEquals(0, toArray(subpackets).length); + + // The callback only applies to unhashed subpackets, so modifying hashed area does nothing + cb.modifyHashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(1, toArray(subpackets).length); + } + + @Test + public void testThen() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + + RevocationSignatureSubpackets.Callback first = RevocationSignatureSubpackets.applyHashed(selfSignatureSubpackets -> { + selfSignatureSubpackets.setRevocationReason(true, RevocationAttributes.Reason.KEY_COMPROMISED, "Leakett (typo)"); + selfSignatureSubpackets.addNotationData(false, "test@pgpainless.org", "foo"); + return Unit.INSTANCE; + }); + + RevocationSignatureSubpackets.Callback second = RevocationSignatureSubpackets.applyHashed(selfSignatureSubpackets -> { + selfSignatureSubpackets.setRevocationReason(true, RevocationAttributes.Reason.KEY_COMPROMISED, "Leaked"); + selfSignatureSubpackets.addNotationData(false, "test@pgpainless.org", "bar"); + return Unit.INSTANCE; + }); + + RevocationSignatureSubpackets.Callback both = first.then(second); + both.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + both.modifyHashedSubpackets(subpackets); + + SignatureSubpacket[] array = toArray(subpackets); + assertEquals(3, array.length); + NotationData n1 = (NotationData) array[0]; + assertEquals("foo", n1.getNotationValue()); + RevocationReason reason = (RevocationReason) array[1]; + assertEquals(RevocationAttributes.Reason.KEY_COMPROMISED.code(), reason.getRevocationReason()); + NotationData n2 = (NotationData) array[2]; + assertEquals("bar", n2.getNotationValue()); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketsTest.java new file mode 100644 index 00000000..6a19a3ff --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketsTest.java @@ -0,0 +1,108 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import kotlin.Unit; +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.sig.KeyFlags; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.PreferredAlgorithms; +import org.junit.jupiter.api.Test; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.pgpainless.signature.subpackets.SignatureSubpacketsTest.toArray; + +public class SelfSignatureSubpacketsTest { + + @Test + public void testNopDoesNothing() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + SelfSignatureSubpackets.Callback cb = SelfSignatureSubpackets.nop(); + + cb.modifyHashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + } + + @Test + public void testApplyHashed() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + SelfSignatureSubpackets.Callback cb = SelfSignatureSubpackets.applyHashed( + selfSignatureSubpackets -> { + selfSignatureSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER); + return Unit.INSTANCE; + }); + + assertEquals(0, toArray(subpackets).length); + + // The callback only applies to hashed subpackets, so modifying unhashed area does nothing + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyHashedSubpackets(subpackets); + assertEquals(1, toArray(subpackets).length); + } + + @Test + public void testApplyUnhashed() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + SelfSignatureSubpackets.Callback cb = SelfSignatureSubpackets.applyUnhashed( + selfSignatureSubpackets -> { + selfSignatureSubpackets.setIssuerKeyId(123L); + return Unit.INSTANCE; + }); + + assertEquals(0, toArray(subpackets).length); + + // The callback only applies to unhashed subpackets, so modifying hashed area does nothing + cb.modifyHashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + cb.modifyUnhashedSubpackets(subpackets); + assertEquals(1, toArray(subpackets).length); + } + + @Test + public void testThen() { + SignatureSubpackets subpackets = new SignatureSubpackets(); + + SelfSignatureSubpackets.Callback first = SelfSignatureSubpackets.applyHashed(selfSignatureSubpackets -> { + selfSignatureSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA256, HashAlgorithm.SHA512); + selfSignatureSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER); + selfSignatureSubpackets.addNotationData(false, "test@pgpainless.org", "foo"); + return Unit.INSTANCE; + }); + + SelfSignatureSubpackets.Callback second = SelfSignatureSubpackets.applyHashed(selfSignatureSubpackets -> { + selfSignatureSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA); + selfSignatureSubpackets.addNotationData(false, "test@pgpainless.org", "bar"); + return Unit.INSTANCE; + }); + + SelfSignatureSubpackets.Callback both = first.then(second); + both.modifyUnhashedSubpackets(subpackets); + assertEquals(0, toArray(subpackets).length); + + both.modifyHashedSubpackets(subpackets); + + SignatureSubpacket[] array = toArray(subpackets); + assertEquals(4, array.length); + PreferredAlgorithms hashAlgs = (PreferredAlgorithms) array[0]; + assertArrayEquals( + new int[] {HashAlgorithm.SHA256.getAlgorithmId(), HashAlgorithm.SHA512.getAlgorithmId()}, + hashAlgs.getPreferences()); + NotationData n1 = (NotationData) array[1]; + assertEquals("foo", n1.getNotationValue()); + KeyFlags flags = (KeyFlags) array[2]; + assertEquals(KeyFlag.toBitmask(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA), flags.getFlags()); + NotationData n2 = (NotationData) array[3]; + assertEquals("bar", n2.getNotationValue()); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java index d4897a7b..733356d5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java @@ -534,4 +534,8 @@ public class SignatureSubpacketsTest { PreferredAlgorithms aeadAlgorithms = (PreferredAlgorithms) vector.getSubpacket(SignatureSubpacketTags.PREFERRED_AEAD_ALGORITHMS); assertArrayEquals(aead.getPreferences(), aeadAlgorithms.getPreferences()); } + + public static SignatureSubpacket[] toArray(SignatureSubpackets subpackets) { + return subpackets.getSubpacketsGenerator().generate().toArray(); + } } From fdcdf6270fe6d1250aa3c5155e8108b5929c5551 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 16 Jun 2025 11:21:31 +0200 Subject: [PATCH 256/265] Add test for PolicyAdapter properly adapting NotationRegistry implementations --- .../org/bouncycastle/PolicyAdapterTest.java | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/bouncycastle/PolicyAdapterTest.java diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PolicyAdapterTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PolicyAdapterTest.java new file mode 100644 index 00000000..9407d7d0 --- /dev/null +++ b/pgpainless-core/src/test/java/org/bouncycastle/PolicyAdapterTest.java @@ -0,0 +1,37 @@ +// SPDX-FileCopyrightText: 2025 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.bouncycastle; + +import org.bouncycastle.openpgp.api.OpenPGPPolicy; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.bouncycastle.PolicyAdapter; +import org.pgpainless.policy.Policy; +import org.pgpainless.util.NotationRegistry; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class PolicyAdapterTest { + + @Test + public void testNotationRegistryAdaption() { + NotationRegistry pgpainlessNotationReg = new NotationRegistry(); + pgpainlessNotationReg.addKnownNotation("foo"); + + Policy policy = PGPainless.getInstance().getAlgorithmPolicy() + .copy() + .withNotationRegistry(pgpainlessNotationReg) + .build(); + + PolicyAdapter adapter = new PolicyAdapter(policy); + OpenPGPPolicy.OpenPGPNotationRegistry bcNotationReg = adapter.getNotationRegistry(); + assertTrue(bcNotationReg.isNotationKnown("foo")); + assertFalse(bcNotationReg.isNotationKnown("bar")); + bcNotationReg.addKnownNotation("bar"); + + assertTrue(pgpainlessNotationReg.isKnownNotation("bar")); + } +} From e611311f2c61888d734a4be97ccac1feb8e55080 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 16 Jun 2025 13:34:37 +0200 Subject: [PATCH 257/265] EncryptImpl: Emit session-key --- .../org/pgpainless/encryption_signing/EncryptionResult.kt | 6 ++++++ .../org/pgpainless/encryption_signing/EncryptionStream.kt | 6 ++++++ .../src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt | 7 +++++-- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt index e86b2d90..410deba1 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionResult.kt @@ -17,9 +17,11 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm import org.pgpainless.bouncycastle.extensions.matches import org.pgpainless.key.SubkeyIdentifier import org.pgpainless.util.MultiMap +import org.pgpainless.util.SessionKey data class EncryptionResult( val encryptionMechanism: MessageEncryptionMechanism, + val sessionKey: SessionKey?, val compressionAlgorithm: CompressionAlgorithm, val detachedDocumentSignatures: OpenPGPSignatureSet, val recipients: Set, @@ -84,6 +86,7 @@ data class EncryptionResult( private var _fileName = "" private var _modificationDate = Date(0) private var _encoding = StreamEncoding.BINARY + private var _sessionKey: SessionKey? = null fun setEncryptionMechanism(mechanism: MessageEncryptionMechanism): Builder = apply { _encryptionMechanism = mechanism @@ -105,6 +108,8 @@ data class EncryptionResult( (recipients as MutableSet).add(recipient) } + fun setSessionKey(sessionKey: SessionKey) = apply { _sessionKey = sessionKey } + fun addDetachedSignature(signature: OpenPGPDocumentSignature): Builder = apply { detachedSignatures.add(signature) } @@ -114,6 +119,7 @@ data class EncryptionResult( return EncryptionResult( _encryptionMechanism, + _sessionKey, _compressionAlgorithm!!, OpenPGPSignatureSet(detachedSignatures), recipients, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt index 9ccbfc10..12d8a115 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionStream.kt @@ -20,6 +20,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm import org.pgpainless.algorithm.StreamEncoding import org.pgpainless.bouncycastle.extensions.pgpDataEncryptorBuilder import org.pgpainless.util.ArmoredOutputStreamFactory +import org.pgpainless.util.SessionKey // 1 << 8 causes wrong partial body length encoding // 1 << 9 fixes this. @@ -93,6 +94,11 @@ class EncryptionStream( options.encryptionOptions.encryptionKeyIdentifiers.forEach { r -> resultBuilder.addRecipient(r) } + encryptedDataGenerator.setSessionKeyExtractionCallback { pgpSessionKey -> + if (pgpSessionKey != null) { + resultBuilder.setSessionKey(SessionKey(pgpSessionKey)) + } + } publicKeyEncryptedStream = encryptedDataGenerator.open(outermostStream, ByteArray(BUFFER_SIZE)).also { stream -> diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt index 6e371ff0..c8a71c24 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt @@ -26,6 +26,7 @@ import org.pgpainless.util.Passphrase import sop.EncryptionResult import sop.Profile import sop.ReadyWithResult +import sop.SessionKey import sop.enums.EncryptAs import sop.exception.SOPGPException import sop.operation.Encrypt @@ -98,8 +99,10 @@ class EncryptImpl(private val api: PGPainless) : Encrypt { api.generateMessage().onOutputStream(outputStream).withOptions(options) Streams.pipeAll(plaintext, encryptionStream) encryptionStream.close() - // TODO: Extract and emit session key once BC supports that - return EncryptionResult(null) + return EncryptionResult( + encryptionStream.result.sessionKey?.let { + SessionKey(it.algorithm.algorithmId.toByte(), it.key) + }) } } } catch (e: PGPException) { From c9b562fde504b6fae2a89573671d28ba0723932f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 17 Jun 2025 10:19:58 +0200 Subject: [PATCH 258/265] Bump BC to 1.81 + BC/#2105 --- .../key/modification/secretkeyring/OpenPGPKeyUpdater.kt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt index def452ac..d0c5c524 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/OpenPGPKeyUpdater.kt @@ -121,7 +121,7 @@ class OpenPGPKeyUpdater( compAlgs != newCompAlgs || aeadAlgs != newAeadAlgs) { keyEditor.addDirectKeySignature( - SignatureParameters.Callback.modifyHashedSubpackets { sigGen -> + SignatureParameters.Callback.Util.modifyHashedSubpackets { sigGen -> sigGen.apply { setKeyFlags(key.primaryKey.keyFlags?.flags ?: 0) setFeature(true, newFeatures) @@ -157,7 +157,7 @@ class OpenPGPKeyUpdater( fun replaceWeakEncryptionSubkeys( revokeWeakKeys: Boolean, keyPairGeneratorCallback: KeyPairGeneratorCallback = - KeyPairGeneratorCallback.encryptionKey() + KeyPairGeneratorCallback.Util.encryptionKey() ) { val weakEncryptionKeys = key.getEncryptionKeys(referenceTime).filterNot { @@ -179,7 +179,8 @@ class OpenPGPKeyUpdater( fun replaceWeakSigningSubkeys( revokeWeakKeys: Boolean, keyPairGenerator: PGPKeyPairGenerator = provideKeyPairGenerator(), - keyPairGeneratorCallback: KeyPairGeneratorCallback = KeyPairGeneratorCallback.signingKey() + keyPairGeneratorCallback: KeyPairGeneratorCallback = + KeyPairGeneratorCallback.Util.signingKey() ) { val weakSigningKeys = key.getSigningKeys(referenceTime).filterNot { From 74661f17edb003a20d73012441ae3f51c6a54595 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 17 Jun 2025 11:48:39 +0200 Subject: [PATCH 259/265] Bump sop-java to 14.0.0-SNAPSHOT --- pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt | 2 +- pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt | 3 +++ .../src/main/kotlin/org/pgpainless/sop/VersionImpl.kt | 4 ++-- version.gradle | 3 +-- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt index d2d3bf35..9a1b1ad5 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPImpl.kt @@ -68,7 +68,7 @@ class SOPImpl( override fun updateKey(): UpdateKey = UpdateKeyImpl(api) - override fun validateUserId(): ValidateUserId = ValidateUserIdImpl(api) + override fun validateUserId(): ValidateUserId = sopv.validateUserId()!! override fun version(): Version = sopv.version()!! } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt index d1f729cf..e5a18c97 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/SOPVImpl.kt @@ -9,6 +9,7 @@ import org.pgpainless.util.ArmoredOutputStreamFactory import sop.SOPV import sop.operation.DetachedVerify import sop.operation.InlineVerify +import sop.operation.ValidateUserId import sop.operation.Version class SOPVImpl(private val api: PGPainless) : SOPV { @@ -22,4 +23,6 @@ class SOPVImpl(private val api: PGPainless) : SOPV { override fun inlineVerify(): InlineVerify = InlineVerifyImpl(api) override fun version(): Version = VersionImpl(api) + + override fun validateUserId(): ValidateUserId = ValidateUserIdImpl(api) } diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt index 5aa405ad..1296fed8 100644 --- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt +++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/VersionImpl.kt @@ -16,8 +16,8 @@ import sop.operation.Version class VersionImpl(private val api: PGPainless) : Version { companion object { - const val SOP_VERSION = 11 - const val SOPV_VERSION = "1.0" + const val SOP_VERSION = 14 + const val SOPV_VERSION = "1.2" } override fun getBackendVersion(): String = "PGPainless ${getVersion()}" diff --git a/version.gradle b/version.gradle index ca32ed04..7a7a0a4b 100644 --- a/version.gradle +++ b/version.gradle @@ -13,7 +13,6 @@ allprojects { logbackVersion = '1.5.13' mockitoVersion = '4.5.1' slf4jVersion = '1.7.36' - sopJavaVersion = '10.1.1' - sopJavaVersion = '11.0.0-SNAPSHOT' + sopJavaVersion = '14.0.0-SNAPSHOT' } } From d313b87feedccecb5ba26889d0cd6a0a79a01894 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 18 Jun 2025 12:16:48 +0200 Subject: [PATCH 260/265] Bump sop-java to 14.0.0 --- version.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.gradle b/version.gradle index 7a7a0a4b..0eea2c2a 100644 --- a/version.gradle +++ b/version.gradle @@ -13,6 +13,6 @@ allprojects { logbackVersion = '1.5.13' mockitoVersion = '4.5.1' slf4jVersion = '1.7.36' - sopJavaVersion = '14.0.0-SNAPSHOT' + sopJavaVersion = '14.0.0' } } From 1c7f869bf7a65f40f55bd1d146b7baf91a43b39e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 1 Jul 2025 23:29:45 +0200 Subject: [PATCH 261/265] Bump dependencies --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 0eea2c2a..776f30f6 100644 --- a/version.gradle +++ b/version.gradle @@ -7,12 +7,12 @@ allprojects { shortVersion = '2.0.0' isSnapshot = true javaSourceCompatibility = 11 - bouncyCastleVersion = '1.81' + bouncyCastleVersion = '1.82-SNAPSHOT' bouncyPgVersion = bouncyCastleVersion junitVersion = '5.8.2' logbackVersion = '1.5.13' mockitoVersion = '4.5.1' slf4jVersion = '1.7.36' - sopJavaVersion = '14.0.0' + sopJavaVersion = '14.0.1-SNAPSHOT' } } From b30f0fd76a91b1d740072b248a7d7d2d4897b0f9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 24 Jul 2025 11:49:38 +0200 Subject: [PATCH 262/265] Add overridden @Deprecated annotations --- .../CachingBcPublicKeyDataDecryptorFactory.kt | 1 + .../decryption_verification/HardwareSecurity.kt | 1 + .../signature/subpackets/SignatureSubpackets.kt | 8 ++++++++ 3 files changed, 10 insertions(+) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/CachingBcPublicKeyDataDecryptorFactory.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/CachingBcPublicKeyDataDecryptorFactory.kt index 9bafa6da..1da0a42d 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/CachingBcPublicKeyDataDecryptorFactory.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/CachingBcPublicKeyDataDecryptorFactory.kt @@ -46,6 +46,7 @@ class CachingBcPublicKeyDataDecryptorFactory( return decryptorFactory.createDataDecryptor(p0, p1) } + @Deprecated("Deprecated in Java") override fun recoverSessionData( keyAlgorithm: Int, secKeyData: Array, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt index b6e2bd17..27f53bc6 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt @@ -102,6 +102,7 @@ class HardwareSecurity { return factory.createDataDecryptor(seipd, sessionKey) } + @Deprecated("Deprecated in Java") override fun recoverSessionData( keyAlgorithm: Int, secKeyData: Array, diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt index 2a5ea016..28f9ee82 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt @@ -292,15 +292,18 @@ class SignatureSubpackets( } } + @Deprecated("Use of this subpacket is discouraged.") override fun addRevocationKey(revocationKey: PGPPublicKey): SignatureSubpackets = apply { addRevocationKey(true, revocationKey) } + @Deprecated("Use of this subpacket is discouraged.") override fun addRevocationKey( isCritical: Boolean, revocationKey: PGPPublicKey ): SignatureSubpackets = apply { addRevocationKey(isCritical, false, revocationKey) } + @Deprecated("Use of this subpacket is discouraged.") override fun addRevocationKey( isCritical: Boolean, isSensitive: Boolean, @@ -311,10 +314,12 @@ class SignatureSubpackets( RevocationKey(isCritical, clazz, revocationKey.algorithm, revocationKey.fingerprint)) } + @Deprecated("Use of this subpacket is discouraged.") override fun addRevocationKey(revocationKey: RevocationKey): SignatureSubpackets = apply { subpacketsGenerator.addCustomSubpacket(revocationKey) } + @Deprecated("Use of this subpacket is discouraged.") override fun clearRevocationKeys(): SignatureSubpackets = apply { subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.REVOCATION_KEY) } @@ -450,15 +455,18 @@ class SignatureSubpackets( } } + @Deprecated("Usage of subpacket is discouraged") override fun setSignerUserId(userId: CharSequence): SignatureSubpackets = apply { setSignerUserId(false, userId) } + @Deprecated("Usage of subpacket is discouraged") override fun setSignerUserId(isCritical: Boolean, userId: CharSequence): SignatureSubpackets = apply { setSignerUserId(SignerUserID(isCritical, userId.toString())) } + @Deprecated("Usage of subpacket is discouraged") override fun setSignerUserId(signerUserID: SignerUserID?): SignatureSubpackets = apply { subpacketsGenerator.removePacketsOfType(SignatureSubpacketTags.SIGNER_USER_ID) signerUserID?.let { subpacketsGenerator.setSignerUserID(it.isCritical, it.rawID) } From 312c47c47314b14617184686d783c6dbcdc6bb0f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 24 Jul 2025 11:49:47 +0200 Subject: [PATCH 263/265] Turn var into val --- .../main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt index 2f25fc7a..b7038307 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt @@ -191,7 +191,7 @@ class KeyRingBuilder(private val version: OpenPGPKeyVersion, private val api: PG private fun addSubKeys(primaryKey: PGPKeyPair, ringGenerator: PGPKeyRingGenerator) { for (subKeySpec in subKeySpecs) { val subKey = generateKeyPair(subKeySpec, version, api.implementation) - var hashedSignatureSubpackets: SignatureSubpackets = + val hashedSignatureSubpackets: SignatureSubpackets = SignatureSubpackets.createHashedSubpackets(subKey.publicKey).apply { setKeyFlags(subKeySpec.keyFlags) subKeySpec.preferredHashAlgorithmsOverride?.let { From 75093de96154ff148aabe30fbb8c800d3e7d8087 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 27 Jul 2025 19:44:20 +0200 Subject: [PATCH 264/265] Issue templates: Add question about AI tooling --- .github/ISSUE_TEMPLATE/cli-application.md | 3 +++ .github/ISSUE_TEMPLATE/library.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/cli-application.md b/.github/ISSUE_TEMPLATE/cli-application.md index 68f35b74..b0d7b452 100644 --- a/.github/ISSUE_TEMPLATE/cli-application.md +++ b/.github/ISSUE_TEMPLATE/cli-application.md @@ -7,6 +7,9 @@ assignees: '' --- +**Preliminary** +[ ] This bug was found using AI assistance. + **Describe the bug** diff --git a/.github/ISSUE_TEMPLATE/library.md b/.github/ISSUE_TEMPLATE/library.md index 74f5f666..eae6f2d4 100644 --- a/.github/ISSUE_TEMPLATE/library.md +++ b/.github/ISSUE_TEMPLATE/library.md @@ -7,6 +7,9 @@ assignees: '' --- +**Preliminary** +[ ] This bug was found using AI assistance. + **Describe the bug** From 2ed16e8f52563058c4ed100ba9c825292a511947 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Aug 2025 11:31:50 +0200 Subject: [PATCH 265/265] KeyRingInfo: Pass API instance to key constructors --- .../src/main/kotlin/org/pgpainless/exception/KeyException.kt | 5 +++++ .../src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt index 56d685c9..584de2ad 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt @@ -38,6 +38,11 @@ abstract class KeyException : RuntimeException { ) { constructor(cert: OpenPGPCertificate, expirationDate: Date) : this(of(cert), expirationDate) + + constructor( + componentKey: OpenPGPComponentKey, + expirationDate: Date + ) : this(of(componentKey), expirationDate) } class RevokedKeyException : KeyException { diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt index 3197dc51..d324b953 100644 --- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt +++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt @@ -35,7 +35,8 @@ class KeyRingInfo( api: PGPainless = PGPainless.getInstance(), referenceDate: Date = Date() ) : this( - if (keys is PGPSecretKeyRing) OpenPGPKey(keys) else OpenPGPCertificate(keys), + if (keys is PGPSecretKeyRing) OpenPGPKey(keys, api.implementation) + else OpenPGPCertificate(keys, api.implementation), api, referenceDate)