2021-10-07 15:48:52 +02:00
|
|
|
// SPDX-FileCopyrightText: 2020 Paul Schaub <vanitasvitae@fsfe.org>
|
|
|
|
//
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
2020-10-23 16:44:21 +02:00
|
|
|
package org.pgpainless.key.modification;
|
|
|
|
|
2020-11-13 16:31:59 +01:00
|
|
|
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
|
|
|
|
import static org.junit.jupiter.api.Assertions.assertEquals;
|
|
|
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
2020-10-23 16:44:21 +02:00
|
|
|
|
|
|
|
import java.io.ByteArrayInputStream;
|
|
|
|
import java.io.ByteArrayOutputStream;
|
|
|
|
import java.io.IOException;
|
|
|
|
import java.security.InvalidAlgorithmParameterException;
|
|
|
|
import java.security.NoSuchAlgorithmException;
|
2020-10-30 13:30:21 +01:00
|
|
|
import java.util.Iterator;
|
2020-10-23 16:44:21 +02:00
|
|
|
|
|
|
|
import org.bouncycastle.openpgp.PGPException;
|
2020-10-30 13:30:21 +01:00
|
|
|
import org.bouncycastle.openpgp.PGPSecretKey;
|
2020-10-23 16:44:21 +02:00
|
|
|
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
2020-10-30 13:30:21 +01:00
|
|
|
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
|
2021-07-31 20:40:31 +02:00
|
|
|
import org.bouncycastle.util.io.Streams;
|
2021-12-14 16:55:04 +01:00
|
|
|
import org.junit.jupiter.api.TestTemplate;
|
|
|
|
import org.junit.jupiter.api.extension.ExtendWith;
|
2020-10-23 16:44:21 +02:00
|
|
|
import org.pgpainless.PGPainless;
|
2021-06-29 16:43:37 +02:00
|
|
|
import org.pgpainless.algorithm.DocumentSignatureType;
|
2020-10-30 13:30:21 +01:00
|
|
|
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
2020-10-23 16:44:21 +02:00
|
|
|
import org.pgpainless.encryption_signing.EncryptionStream;
|
2021-06-29 16:43:37 +02:00
|
|
|
import org.pgpainless.encryption_signing.ProducerOptions;
|
|
|
|
import org.pgpainless.encryption_signing.SigningOptions;
|
2021-02-25 23:27:08 +01:00
|
|
|
import org.pgpainless.implementation.ImplementationFactory;
|
2020-10-30 13:30:21 +01:00
|
|
|
import org.pgpainless.key.protection.KeyRingProtectionSettings;
|
2020-10-23 16:44:21 +02:00
|
|
|
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
|
2021-05-14 13:18:34 +02:00
|
|
|
import org.pgpainless.key.protection.UnlockSecretKey;
|
2021-12-14 16:56:29 +01:00
|
|
|
import org.pgpainless.util.TestAllImplementations;
|
2022-09-07 13:35:58 +02:00
|
|
|
import org.pgpainless.s2k.Passphrase;
|
2020-10-23 16:44:21 +02:00
|
|
|
|
|
|
|
public class ChangeSecretKeyRingPassphraseTest {
|
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
private final PGPSecretKeyRing keyRing = PGPainless.generateKeyRing().simpleEcKeyRing("password@encryp.ted", "weakPassphrase");
|
2020-10-30 13:30:21 +01:00
|
|
|
|
|
|
|
public ChangeSecretKeyRingPassphraseTest() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
|
|
|
|
}
|
|
|
|
|
2021-12-14 16:55:04 +01:00
|
|
|
@TestTemplate
|
2021-12-14 16:56:29 +01:00
|
|
|
@ExtendWith(TestAllImplementations.class)
|
2021-12-14 16:55:04 +01:00
|
|
|
public void changePassphraseOfWholeKeyRingTest() throws PGPException {
|
2020-10-30 13:30:21 +01:00
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing)
|
2020-10-23 16:44:21 +02:00
|
|
|
.changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase"))
|
|
|
|
.withSecureDefaultSettings()
|
|
|
|
.toNewPassphrase(Passphrase.fromPassword("1337p455phr453"))
|
|
|
|
.done();
|
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
PGPSecretKeyRing changedPassphraseKeyRing = secretKeys;
|
2020-10-30 13:30:21 +01:00
|
|
|
|
|
|
|
assertEquals(KeyRingProtectionSettings.secureDefaultSettings().getEncryptionAlgorithm().getAlgorithmId(),
|
2020-12-08 19:14:52 +01:00
|
|
|
changedPassphraseKeyRing.getSecretKey().getKeyEncryptionAlgorithm());
|
2020-10-23 16:44:21 +02:00
|
|
|
|
2020-11-13 16:31:59 +01:00
|
|
|
assertThrows(PGPException.class, () ->
|
|
|
|
signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.emptyPassphrase()),
|
|
|
|
"Unlocking secret key ring with empty passphrase MUST fail.");
|
|
|
|
|
|
|
|
assertThrows(PGPException.class, () ->
|
|
|
|
signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.fromPassword("weakPassphrase")),
|
|
|
|
"Unlocking secret key ring with old passphrase MUST fail.");
|
|
|
|
|
|
|
|
assertDoesNotThrow(() -> signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.fromPassword("1337p455phr453")),
|
|
|
|
"Unlocking the secret key ring with the new passphrase MUST succeed.");
|
2020-10-23 16:44:21 +02:00
|
|
|
}
|
|
|
|
|
2021-12-14 16:55:04 +01:00
|
|
|
@TestTemplate
|
2021-12-14 16:56:29 +01:00
|
|
|
@ExtendWith(TestAllImplementations.class)
|
2021-12-14 16:55:04 +01:00
|
|
|
public void changePassphraseOfWholeKeyRingToEmptyPassphrase() throws PGPException, IOException {
|
2020-12-08 19:14:52 +01:00
|
|
|
PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing)
|
2020-10-30 13:30:21 +01:00
|
|
|
.changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase"))
|
|
|
|
.withSecureDefaultSettings()
|
|
|
|
.toNoPassphrase()
|
|
|
|
.done();
|
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
PGPSecretKeyRing changedPassphraseKeyRing = secretKeys;
|
2020-10-30 13:30:21 +01:00
|
|
|
|
|
|
|
assertEquals(SymmetricKeyAlgorithm.NULL.getAlgorithmId(),
|
2020-12-08 19:14:52 +01:00
|
|
|
changedPassphraseKeyRing.getSecretKey().getKeyEncryptionAlgorithm());
|
2020-10-30 13:30:21 +01:00
|
|
|
|
|
|
|
signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.emptyPassphrase());
|
|
|
|
}
|
|
|
|
|
2021-12-14 16:55:04 +01:00
|
|
|
@TestTemplate
|
2021-12-14 16:56:29 +01:00
|
|
|
@ExtendWith(TestAllImplementations.class)
|
2021-12-14 16:55:04 +01:00
|
|
|
public void changePassphraseOfSingleSubkeyToNewPassphrase() throws PGPException {
|
2020-10-30 13:30:21 +01:00
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
Iterator<PGPSecretKey> keys = keyRing.getSecretKeys();
|
2020-10-30 13:30:21 +01:00
|
|
|
PGPSecretKey primaryKey = keys.next();
|
|
|
|
PGPSecretKey subKey = keys.next();
|
|
|
|
|
|
|
|
extractPrivateKey(primaryKey, Passphrase.fromPassword("weakPassphrase"));
|
|
|
|
extractPrivateKey(subKey, Passphrase.fromPassword("weakPassphrase"));
|
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing)
|
2020-10-30 13:30:21 +01:00
|
|
|
.changeSubKeyPassphraseFromOldPassphrase(subKey.getPublicKey().getKeyID(),
|
|
|
|
Passphrase.fromPassword("weakPassphrase"))
|
|
|
|
.withSecureDefaultSettings()
|
|
|
|
.toNewPassphrase(Passphrase.fromPassword("subKeyPassphrase"))
|
|
|
|
.done();
|
|
|
|
|
|
|
|
keys = secretKeys.getSecretKeys();
|
|
|
|
primaryKey = keys.next();
|
|
|
|
subKey = keys.next();
|
|
|
|
|
|
|
|
extractPrivateKey(primaryKey, Passphrase.fromPassword("weakPassphrase"));
|
|
|
|
extractPrivateKey(subKey, Passphrase.fromPassword("subKeyPassphrase"));
|
|
|
|
|
2020-11-13 16:31:59 +01:00
|
|
|
final PGPSecretKey finalPrimaryKey = primaryKey;
|
|
|
|
assertThrows(PGPException.class,
|
|
|
|
() -> extractPrivateKey(finalPrimaryKey, Passphrase.fromPassword("subKeyPassphrase")),
|
|
|
|
"Unlocking the primary key with the subkey passphrase must fail.");
|
|
|
|
|
|
|
|
final PGPSecretKey finalSubKey = subKey;
|
|
|
|
assertThrows(PGPException.class,
|
|
|
|
() -> extractPrivateKey(finalSubKey, Passphrase.fromPassword("weakPassphrase")),
|
|
|
|
"Unlocking the subkey with the primary key passphrase must fail.");
|
2020-10-30 13:30:21 +01:00
|
|
|
}
|
|
|
|
|
2021-12-14 16:55:04 +01:00
|
|
|
@TestTemplate
|
2021-12-14 16:56:29 +01:00
|
|
|
@ExtendWith(TestAllImplementations.class)
|
2021-12-14 16:55:04 +01:00
|
|
|
public void changePassphraseOfSingleSubkeyToEmptyPassphrase() throws PGPException {
|
2021-02-25 23:27:08 +01:00
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
Iterator<PGPSecretKey> keys = keyRing.getSecretKeys();
|
2020-10-30 13:30:21 +01:00
|
|
|
PGPSecretKey primaryKey = keys.next();
|
|
|
|
PGPSecretKey subKey = keys.next();
|
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing)
|
2021-12-28 13:32:50 +01:00
|
|
|
.changeSubKeyPassphraseFromOldPassphrase(subKey.getKeyID(), Passphrase.fromPassword("weakPassphrase"))
|
2020-10-30 13:30:21 +01:00
|
|
|
.withSecureDefaultSettings()
|
|
|
|
.toNoPassphrase()
|
|
|
|
.done();
|
|
|
|
|
|
|
|
keys = secretKeys.getSecretKeys();
|
|
|
|
primaryKey = keys.next();
|
|
|
|
subKey = keys.next();
|
|
|
|
|
2021-12-28 13:32:50 +01:00
|
|
|
extractPrivateKey(primaryKey, Passphrase.fromPassword("weakPassphrase"));
|
|
|
|
extractPrivateKey(subKey, Passphrase.emptyPassphrase());
|
2020-10-30 13:30:21 +01:00
|
|
|
|
2020-11-13 16:31:59 +01:00
|
|
|
final PGPSecretKey finalPrimaryKey = primaryKey;
|
|
|
|
assertThrows(PGPException.class,
|
2021-12-28 13:32:50 +01:00
|
|
|
() -> extractPrivateKey(finalPrimaryKey, Passphrase.emptyPassphrase()),
|
2020-11-13 16:31:59 +01:00
|
|
|
"Unlocking the unprotected primary key with the old passphrase must fail.");
|
2020-10-30 13:30:21 +01:00
|
|
|
|
2020-11-13 16:31:59 +01:00
|
|
|
final PGPSecretKey finalSubKey = subKey;
|
|
|
|
assertThrows(PGPException.class,
|
2021-12-28 13:32:50 +01:00
|
|
|
() -> extractPrivateKey(finalSubKey, Passphrase.fromPassword("weakPassphrase")),
|
2020-11-13 16:31:59 +01:00
|
|
|
"Unlocking the still protected subkey with an empty passphrase must fail.");
|
2020-10-30 13:30:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* This method throws an PGPException if the provided passphrase cannot unlock the secret key.
|
|
|
|
*
|
|
|
|
* @param secretKey secret key
|
|
|
|
* @param passphrase passphrase
|
|
|
|
* @throws PGPException if passphrase is wrong
|
|
|
|
*/
|
|
|
|
private void extractPrivateKey(PGPSecretKey secretKey, Passphrase passphrase) throws PGPException {
|
|
|
|
if (passphrase.isEmpty() && secretKey.getKeyEncryptionAlgorithm() != SymmetricKeyAlgorithm.NULL.getAlgorithmId()) {
|
|
|
|
throw new PGPException("Cannot unlock encrypted private key with empty passphrase.");
|
|
|
|
} else if (!passphrase.isEmpty() && secretKey.getKeyEncryptionAlgorithm() == SymmetricKeyAlgorithm.NULL.getAlgorithmId()) {
|
|
|
|
throw new PGPException("Cannot unlock unprotected private key with non-empty passphrase.");
|
|
|
|
}
|
2021-12-14 15:03:45 +01:00
|
|
|
PBESecretKeyDecryptor decryptor = passphrase.isEmpty() ? null : ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase);
|
2020-10-30 13:30:21 +01:00
|
|
|
|
2021-05-14 13:18:34 +02:00
|
|
|
UnlockSecretKey.unlockSecretKey(secretKey, decryptor);
|
2020-10-30 13:30:21 +01:00
|
|
|
}
|
|
|
|
|
2020-12-08 19:14:52 +01:00
|
|
|
private void signDummyMessageWithKeysAndPassphrase(PGPSecretKeyRing keyRing, Passphrase passphrase) throws IOException, PGPException {
|
2020-10-23 16:44:21 +02:00
|
|
|
String dummyMessage = "dummy";
|
2020-10-25 20:43:09 +01:00
|
|
|
ByteArrayOutputStream dummy = new ByteArrayOutputStream();
|
2020-11-29 15:33:54 +01:00
|
|
|
EncryptionStream stream = PGPainless.encryptAndOrSign().onOutputStream(dummy)
|
2021-06-29 16:43:37 +02:00
|
|
|
.withOptions(ProducerOptions.sign(SigningOptions.get()
|
|
|
|
.addInlineSignature(PasswordBasedSecretKeyRingProtector.forKey(keyRing, passphrase),
|
|
|
|
keyRing, DocumentSignatureType.BINARY_DOCUMENT)));
|
2020-10-23 16:44:21 +02:00
|
|
|
|
2021-07-31 20:40:31 +02:00
|
|
|
Streams.pipeAll(new ByteArrayInputStream(dummyMessage.getBytes()), stream);
|
2020-10-25 20:43:09 +01:00
|
|
|
stream.close();
|
2020-10-23 16:44:21 +02:00
|
|
|
}
|
|
|
|
}
|