// SPDX-FileCopyrightText: 2020 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package org.pgpainless.key.modification.secretkeyring;
import org.bouncycastle.bcpg.S2K;
import org.bouncycastle.bcpg.SecretKeyPacket;
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.AlgorithmSuite;
import org.pgpainless.algorithm.CompressionAlgorithm;
import org.pgpainless.algorithm.Feature;
import org.pgpainless.algorithm.HashAlgorithm;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.algorithm.PublicKeyAlgorithm;
import org.pgpainless.algorithm.SignatureType;
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator;
import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.generation.KeyRingBuilder;
import org.pgpainless.key.generation.KeySpec;
import org.pgpainless.key.info.KeyRingInfo;
import org.pgpainless.key.protection.CachingSecretKeyRingProtector;
import org.pgpainless.key.protection.KeyRingProtectionSettings;
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnprotectedKeysProtector;
import org.pgpainless.key.protection.fixes.S2KUsageFix;
import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider;
import org.pgpainless.key.util.KeyRingUtils;
import org.pgpainless.key.util.RevocationAttributes;
import org.pgpainless.signature.builder.DirectKeySelfSignatureBuilder;
import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder;
import org.pgpainless.signature.builder.RevocationSignatureBuilder;
import org.pgpainless.signature.builder.SelfSignatureBuilder;
import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder;
import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets;
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
import org.pgpainless.util.Passphrase;
import org.pgpainless.util.selection.userid.SelectUserId;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import static org.pgpainless.util.CollectionUtils.concat;
public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
private PGPSecretKeyRing secretKeyRing;
private final Date referenceTime;
/**
 * Create an editor for the given secret key ring that uses the current time as reference time.
 *
 * @param secretKeyRing secret key ring to edit
 */
public SecretKeyRingEditor(@Nonnull PGPSecretKeyRing secretKeyRing) {
    // "Now" is captured once here and handed to the two-argument constructor.
    this(secretKeyRing, new Date());
}
/**
 * Create an editor for the given secret key ring with an explicit reference time.
 * The reference time is used by the editing methods when inspecting the key ring and
 * as creation time of signatures they issue.
 *
 * @param secretKeyRing secret key ring to edit
 * @param referenceTime reference time; the passed {@link Date} instance is stored as-is
 *                      (no defensive copy is made)
 */
public SecretKeyRingEditor(@Nonnull PGPSecretKeyRing secretKeyRing,
                           @Nonnull Date referenceTime) {
    this.referenceTime = referenceTime;
    this.secretKeyRing = secretKeyRing;
}
/**
 * Add a user-id to the key without customizing the subpackets of the certification.
 *
 * @param userId user-id to add
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @return this editor
 * @throws PGPException propagated from the three-argument overload
 */
@Override
public SecretKeyRingEditorInterface addUserId(
        @Nonnull CharSequence userId,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector)
        throws PGPException {
    // No callback: the certification carries only the subpackets the editor sets itself.
    final SelfSignatureSubpackets.Callback noCallback = null;
    return addUserId(userId, noCallback, secretKeyRingProtector);
}
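/**
 * Bind a user-id to the primary key by issuing a positive certification self-signature.
 * Key flags and algorithm preferences are carried over from the existing key ring; if the
 * preferences cannot be read, the default algorithm suite is used instead.
 *
 * @param userId user-id to add; it is passed through {@code sanitizeUserId} before use
 * @param signatureSubpacketCallback optional callback that may modify the signature subpackets
 * @param protector protector used to unlock the primary key
 * @return this editor
 * @throws IllegalArgumentException if the user-id is hard revoked on this key
 * @throws PGPException if the signature cannot be generated
 */
@Override
public SecretKeyRingEditorInterface addUserId(
        @Nonnull CharSequence userId,
        @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback,
        @Nonnull SecretKeyRingProtector protector)
        throws PGPException {
    String sanitizedUserId = sanitizeUserId(userId);

    // user-id certifications live on the primary key
    PGPSecretKey primaryKey = secretKeyRing.getSecretKey();

    KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
    // The revocation check has to look at the very string that gets certified below.
    // Checking the raw input would let a hard-revoked user-id be re-certified when the
    // caller passes it with surrounding whitespace.
    if (info.isHardRevoked(sanitizedUserId)) {
        throw new IllegalArgumentException("User-ID " + userId + " is hard revoked and cannot be re-certified.");
    }

    // retain key flags from previous signature
    List<KeyFlag> keyFlags = info.getKeyFlagsOf(info.getKeyId());

    Set<HashAlgorithm> hashAlgorithmPreferences;
    Set<SymmetricKeyAlgorithm> symmetricKeyAlgorithmPreferences;
    Set<CompressionAlgorithm> compressionAlgorithmPreferences;
    try {
        hashAlgorithmPreferences = info.getPreferredHashAlgorithms();
        symmetricKeyAlgorithmPreferences = info.getPreferredSymmetricKeyAlgorithms();
        compressionAlgorithmPreferences = info.getPreferredCompressionAlgorithms();
    } catch (IllegalStateException e) {
        // missing user-id sig: fall back to the library's default algorithm suite
        AlgorithmSuite algorithmSuite = AlgorithmSuite.getDefaultAlgorithmSuite();
        hashAlgorithmPreferences = algorithmSuite.getHashAlgorithms();
        symmetricKeyAlgorithmPreferences = algorithmSuite.getSymmetricKeyAlgorithms();
        compressionAlgorithmPreferences = algorithmSuite.getCompressionAlgorithms();
    }

    SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector);
    builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
    builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION);

    // Retain signature subpackets of previous signatures
    builder.getHashedSubpackets().setKeyFlags(keyFlags);
    builder.getHashedSubpackets().setPreferredHashAlgorithms(hashAlgorithmPreferences);
    builder.getHashedSubpackets().setPreferredSymmetricKeyAlgorithms(symmetricKeyAlgorithmPreferences);
    builder.getHashedSubpackets().setPreferredCompressionAlgorithms(compressionAlgorithmPreferences);
    builder.getHashedSubpackets().setFeatures(Feature.MODIFICATION_DETECTION);

    // The caller's callback runs last, so it can override any of the values set above.
    builder.applyCallback(signatureSubpacketCallback);

    PGPSignature signature = builder.build(primaryKey.getPublicKey(), sanitizedUserId);
    secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, sanitizedUserId, signature);

    return this;
}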
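/**
 * Add a user-id and mark it as the primary user-id of the key.
 * The key expiration time found on the previous primary user-id certification (or, if there
 * is no primary user-id, on the latest direct-key self-signature) is carried over to the new
 * certification. Other user-ids that are currently marked primary are re-certified as
 * non-primary.
 *
 * @param userId user-id to add as primary
 * @param protector protector used to unlock the primary key
 * @return this editor
 * @throws PGPException if a signature cannot be generated
 */
@Override
public SecretKeyRingEditorInterface addPrimaryUserId(
        @Nonnull CharSequence userId, @Nonnull SecretKeyRingProtector protector)
        throws PGPException {
    // addUserId() certifies the sanitized form, so that is the string to recognise later on.
    final String sanitizedUserId = sanitizeUserId(userId);

    // Determine previous key expiration date
    PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey();
    KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
    String primaryUserId = info.getPrimaryUserId();
    PGPSignature signature = primaryUserId == null ?
            info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId);
    final Date previousKeyExpiration = signature == null ? null :
            SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(signature, primaryKey);

    // Add new primary user-id signature
    addUserId(
            userId,
            new SelfSignatureSubpackets.Callback() {
                @Override
                public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
                    hashedSubpackets.setPrimaryUserId();
                    if (previousKeyExpiration != null) {
                        hashedSubpackets.setKeyExpirationTime(primaryKey, previousKeyExpiration);
                    } else {
                        hashedSubpackets.setKeyExpirationTime(null);
                    }
                }
            },
            protector);

    // unmark previous primary user-ids to be non-primary
    info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
    for (String otherUserId : info.getValidAndExpiredUserIds()) {
        // Compare against the sanitized form: comparing the raw input would miss the user-id
        // just added when the caller passed surrounding whitespace, and the loop would then
        // strip the primary flag from it again.
        if (sanitizedUserId.equals(otherUserId)) {
            continue;
        }

        // We need to unmark this user-id as primary
        PGPSignature userIdCertification = info.getLatestUserIdCertification(otherUserId);
        assert (userIdCertification != null);

        if (userIdCertification.getHashedSubPackets().isPrimaryUserID()) {
            addUserId(otherUserId, new SelfSignatureSubpackets.Callback() {
                @Override
                public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
                    hashedSubpackets.setPrimaryUserId(null);
                    hashedSubpackets.setKeyExpirationTime(null); // non-primary
                }
            }, protector);
        }
    }
    return this;
}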
/**
 * Revoke all user-ids matched by the selector, using the revocation reason
 * {@code USER_ID_NO_LONGER_VALID} without a description.
 *
 * @param userIdSelector selector for the user-ids to revoke
 * @param protector protector used to unlock the primary key
 * @return this editor
 * @throws PGPException propagated from {@code revokeUserIds}
 */
@Override
public SecretKeyRingEditorInterface removeUserId(
        SelectUserId userIdSelector,
        SecretKeyRingProtector protector)
        throws PGPException {
    RevocationAttributes noLongerValid = RevocationAttributes.createCertificateRevocation()
            .withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID)
            .withoutDescription();
    return revokeUserIds(userIdSelector, protector, noLongerValid);
}
/**
 * Revoke the user-id that exactly matches the given string.
 * The string is matched as given; it is not passed through {@code sanitizeUserId} here.
 *
 * @param userId user-id to revoke
 * @param protector protector used to unlock the primary key
 * @return this editor
 * @throws PGPException propagated from the selector-based overload
 */
@Override
public SecretKeyRingEditorInterface removeUserId(
        CharSequence userId,
        SecretKeyRingProtector protector)
        throws PGPException {
    SelectUserId exactSelector = SelectUserId.exactMatch(userId.toString());
    return removeUserId(exactSelector, protector);
}
/**
 * Replace a valid user-id with a new one.
 * The new user-id is certified with the hashed and unhashed subpackets of the old
 * certification copied over, then the old user-id is revoked.
 *
 * @param oldUserId user-id to replace (trimmed before use)
 * @param newUserId replacement user-id (trimmed for the emptiness check)
 * @param protector protector used to unlock the primary key
 * @return the result of revoking the old user-id
 * @throws IllegalArgumentException if either user-id is empty after trimming
 * @throws NoSuchElementException if the old user-id is not valid on this key
 * @throws PGPException if a signature cannot be generated
 */
@Override
public SecretKeyRingEditorInterface replaceUserId(@Nonnull CharSequence oldUserId,
                                                  @Nonnull CharSequence newUserId,
                                                  @Nonnull SecretKeyRingProtector protector)
        throws PGPException {
    final String retiredId = oldUserId.toString().trim();
    final String replacementId = newUserId.toString().trim();

    if (retiredId.isEmpty()) {
        throw new IllegalArgumentException("Old user-id cannot be empty.");
    }
    if (replacementId.isEmpty()) {
        throw new IllegalArgumentException("New user-id cannot be empty.");
    }

    final KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
    if (!info.isUserIdValid(retiredId)) {
        throw new NoSuchElementException("Key does not carry user-id '" + retiredId + "', or it is not valid.");
    }

    final PGPSignature oldCertification = info.getLatestUserIdCertification(retiredId);
    if (oldCertification == null) {
        throw new AssertionError("Certification for old user-id MUST NOT be null.");
    }

    // Bind new user-id
    SelfSignatureSubpackets.Callback copyOldSubpackets = new SelfSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
            SignatureSubpacketsHelper.applyFrom(oldCertification.getHashedSubPackets(), (SignatureSubpackets) hashedSubpackets);
            // The old user-id was primary only implicitly (no explicit flag on its
            // certification): mark the replacement as primary explicitly.
            if (retiredId.equals(info.getPrimaryUserId())
                    && !oldCertification.getHashedSubPackets().isPrimaryUserID()) {
                hashedSubpackets.setPrimaryUserId();
            }
        }

        @Override
        public void modifyUnhashedSubpackets(SelfSignatureSubpackets unhashedSubpackets) {
            SignatureSubpacketsHelper.applyFrom(oldCertification.getUnhashedSubPackets(), (SignatureSubpackets) unhashedSubpackets);
        }
    };
    addUserId(newUserId, copyOldSubpackets, protector);

    return revokeUserId(retiredId, protector);
}
// TODO: Move to utility class?
/**
 * Normalize a user-id before it is certified or looked up.
 * Only leading and trailing whitespace is removed by {@link String#trim()}; characters
 * inside the user-id (including newlines) are passed through unchanged.
 *
 * @param userId user-id as supplied by the caller
 * @return the trimmed user-id
 */
private String sanitizeUserId(@Nonnull CharSequence userId) {
    // TODO: Further research how to sanitize user IDs.
    //  eg. what about newlines?
    String asString = userId.toString();
    return asString.trim();
}
/**
 * Generate a new subkey from the given spec and add it to the key ring.
 * The subpackets of the key spec are applied to the hashed area of the binding signature.
 *
 * @param keySpec specification of the subkey to generate
 * @param subKeyPassphrase passphrase used to protect the new subkey
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @return this editor
 */
@Override
public SecretKeyRingEditorInterface addSubKey(
        @Nonnull KeySpec keySpec,
        @Nonnull Passphrase subKeyPassphrase,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector)
        throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
    PGPKeyPair generated = KeyRingBuilder.generateKeyPair(keySpec);

    // The new subkey gets its own protector, keyed by the freshly generated key-id.
    SecretKeyRingProtector subKeyProtector =
            PasswordBasedSecretKeyRingProtector.forKeyId(generated.getKeyID(), subKeyPassphrase);

    SelfSignatureSubpackets.Callback applyKeySpecSubpackets = new SelfSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
            SignatureSubpacketsHelper.applyFrom(keySpec.getSubpackets(), (SignatureSubpackets) hashedSubpackets);
        }
    };

    // Split the flags into "first" and "rest" to fit the varargs overload below.
    List<KeyFlag> remainingFlags = KeyFlag.fromBitmask(keySpec.getSubpackets().getKeyFlags());
    KeyFlag leadingFlag = remainingFlags.remove(0);
    KeyFlag[] trailingFlags = remainingFlags.toArray(new KeyFlag[0]);

    return addSubKey(generated, applyKeySpecSubpackets, subKeyProtector, secretKeyRingProtector,
            leadingFlag, trailingFlags);
}
/**
 * Generate a new subkey from the given spec and add it to the key ring, letting the caller
 * customize the binding signature through a callback.
 * From the key spec's subpackets only the key flags are read in this method.
 *
 * @param keySpec specification of the subkey to generate
 * @param subkeyPassphrase passphrase for the new subkey (may be null)
 * @param subpacketsCallback optional callback to modify the binding signature subpackets
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @return this editor
 */
@Override
public SecretKeyRingEditorInterface addSubKey(
        @Nonnull KeySpec keySpec,
        @Nullable Passphrase subkeyPassphrase,
        @Nullable SelfSignatureSubpackets.Callback subpacketsCallback,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector)
        throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
    PGPKeyPair generated = KeyRingBuilder.generateKeyPair(keySpec);

    SecretKeyRingProtector subKeyProtector =
            PasswordBasedSecretKeyRingProtector.forKeyId(generated.getKeyID(), subkeyPassphrase);

    // Split the flags into "first" and "rest" to fit the varargs overload below.
    List<KeyFlag> remainingFlags = KeyFlag.fromBitmask(keySpec.getSubpackets().getKeyFlags());
    KeyFlag leadingFlag = remainingFlags.remove(0);
    KeyFlag[] trailingFlags = remainingFlags.toArray(new KeyFlag[0]);

    return addSubKey(generated, subpacketsCallback, subKeyProtector, secretKeyRingProtector,
            leadingFlag, trailingFlags);
}
/**
 * Bind an existing key pair to the key ring as a subkey.
 * The subkey is rejected if it violates the public key algorithm policy. A subkey binding
 * signature is issued by the primary key; for signing-capable subkey algorithms a primary
 * key binding signature made by the subkey is embedded into it.
 *
 * @param subkey key pair to add
 * @param bindingSignatureCallback optional callback to modify the subkey binding signature
 * @param subkeyProtector protector for the new subkey
 * @param primaryKeyProtector protector used to unlock the primary key
 * @param keyFlag first key flag of the subkey
 * @param additionalKeyFlags further key flags
 * @return this editor
 * @throws IllegalArgumentException if algorithm and bit strength are not acceptable per policy
 */
@Override
public SecretKeyRingEditorInterface addSubKey(
        @Nonnull PGPKeyPair subkey,
        @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback,
        @Nonnull SecretKeyRingProtector subkeyProtector,
        @Nonnull SecretKeyRingProtector primaryKeyProtector,
        @Nonnull KeyFlag keyFlag,
        KeyFlag... additionalKeyFlags)
        throws PGPException, IOException {
    KeyFlag[] flags = concat(keyFlag, additionalKeyFlags);
    PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.requireFromId(subkey.getPublicKey().getAlgorithm());
    // NOTE(review): `flags` is computed above but not handed to this check. Confirm whether
    // assureKeyCanCarryFlags is meant to receive the requested flags as well.
    SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm);

    // check key against public key algorithm policy
    int bitStrength = subkey.getPublicKey().getBitStrength();
    boolean acceptable = PGPainless.getPolicy().getPublicKeyAlgorithmPolicy()
            .isAcceptable(subkeyAlgorithm, bitStrength);
    if (!acceptable) {
        throw new IllegalArgumentException("Public key algorithm policy violation: " +
                subkeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
    }

    PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
    KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
    // The hash algorithm is negotiated between the policy and the key's own preferences.
    HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator
            .negotiateSignatureHashAlgorithm(PGPainless.getPolicy())
            .negotiateHashAlgorithm(info.getPreferredHashAlgorithms());

    PGPSecretKey secretSubkey = new PGPSecretKey(
            subkey.getPrivateKey(),
            subkey.getPublicKey(),
            ImplementationFactory.getInstance().getV4FingerprintCalculator(),
            false,
            subkeyProtector.getEncryptor(subkey.getKeyID()));

    SubkeyBindingSignatureBuilder skBindingBuilder =
            new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector, hashAlgorithm);
    skBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
    skBindingBuilder.getHashedSubpackets().setKeyFlags(flags);

    if (subkeyAlgorithm.isSigningCapable()) {
        // Back-signature: the subkey signs the primary key, and that signature is embedded
        // in the subkey binding signature.
        PrimaryKeyBindingSignatureBuilder pkBindingBuilder =
                new PrimaryKeyBindingSignatureBuilder(secretSubkey, subkeyProtector, hashAlgorithm);
        pkBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
        PGPSignature pkBinding = pkBindingBuilder.build(primaryKey.getPublicKey());
        skBindingBuilder.getHashedSubpackets().addEmbeddedSignature(pkBinding);
    }

    // The caller's callback runs after the editor's own subpackets have been set.
    skBindingBuilder.applyCallback(bindingSignatureCallback);
    PGPSignature skBinding = skBindingBuilder.build(secretSubkey.getPublicKey());

    secretSubkey = KeyRingUtils.secretKeyPlusSignature(secretSubkey, skBinding);
    secretKeyRing = KeyRingUtils.keysPlusSecretKey(secretKeyRing, secretSubkey);
    return this;
}
/**
 * Revoke the key, optionally stating a revocation reason.
 *
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param revocationAttributes optional revocation reason and description
 * @return this editor
 * @throws PGPException propagated from the callback-based overload
 */
@Override
public SecretKeyRingEditorInterface revoke(@Nonnull SecretKeyRingProtector secretKeyRingProtector,
                                           @Nullable RevocationAttributes revocationAttributes)
        throws PGPException {
    // Wrap the attributes into a subpacket callback and reuse the callback-based overload.
    RevocationSignatureSubpackets.Callback reasonCallback =
            callbackFromRevocationAttributes(revocationAttributes);
    return revoke(secretKeyRingProtector, reasonCallback);
}
/**
 * Revoke the key, letting the caller customize the revocation signature subpackets.
 * The key-id of the key ring's secret key is passed on to {@code revokeSubKey}.
 *
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param subpacketsCallback optional callback to modify the revocation subpackets
 * @return this editor
 * @throws PGPException propagated from {@code revokeSubKey}
 */
@Override
public SecretKeyRingEditorInterface revoke(@Nonnull SecretKeyRingProtector secretKeyRingProtector,
                                           @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback)
        throws PGPException {
    long primaryKeyId = secretKeyRing.getSecretKey().getKeyID();
    return revokeSubKey(primaryKeyId, secretKeyRingProtector, subpacketsCallback);
}
/**
 * Revoke the key with the given key-id, optionally stating a revocation reason.
 *
 * @param subKeyId id of the key to revoke
 * @param protector protector used to unlock the primary key
 * @param revocationAttributes revocation reason and description; null is handled by
 *                             {@code callbackFromRevocationAttributes}
 * @return this editor
 * @throws PGPException propagated from the callback-based overload
 */
@Override
public SecretKeyRingEditorInterface revokeSubKey(long subKeyId,
                                                 SecretKeyRingProtector protector,
                                                 RevocationAttributes revocationAttributes)
        throws PGPException {
    RevocationSignatureSubpackets.Callback reasonCallback =
            callbackFromRevocationAttributes(revocationAttributes);
    return revokeSubKey(subKeyId, protector, reasonCallback);
}
/**
 * Revoke the key with the given key-id and store the revocation signature on the key ring.
 *
 * @param keyID id of the key to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param subpacketsCallback optional callback to modify the revocation subpackets
 * @return this editor
 * @throws PGPException if the revocation signature cannot be generated
 */
@Override
public SecretKeyRingEditorInterface revokeSubKey(long keyID,
                                                 @Nonnull SecretKeyRingProtector secretKeyRingProtector,
                                                 @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback)
        throws PGPException {
    // Look up the key that is going to be revoked.
    PGPPublicKey target = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, keyID);

    // Issue the revocation signature over it.
    PGPSignature revocation = generateRevocation(secretKeyRingProtector, target, subpacketsCallback);

    // Attach the revocation to the key ring held by this editor.
    secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, target, revocation);
    return this;
}
/**
 * Create a revocation signature over the key ring's public key without adding it to the
 * key ring.
 *
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param revocationAttributes optional revocation reason and description
 * @return the revocation signature
 * @throws PGPException if the signature cannot be generated
 */
@Override
public PGPSignature createRevocation(@Nonnull SecretKeyRingProtector secretKeyRingProtector,
                                     @Nullable RevocationAttributes revocationAttributes)
        throws PGPException {
    PGPPublicKey target = secretKeyRing.getPublicKey();
    RevocationSignatureSubpackets.Callback reasonCallback =
            callbackFromRevocationAttributes(revocationAttributes);
    // The signature is only returned; this method does not modify secretKeyRing.
    return generateRevocation(secretKeyRingProtector, target, reasonCallback);
}
/**
 * Create a revocation signature for the key with the given id without adding it to the
 * key ring.
 *
 * @param subkeyId id of the key to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param revocationAttributes optional revocation reason and description
 * @return the revocation signature
 * @throws PGPException if the signature cannot be generated
 */
@Override
public PGPSignature createRevocation(
        long subkeyId,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationAttributes revocationAttributes)
        throws PGPException {
    PGPPublicKey target = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId);
    return generateRevocation(
            secretKeyRingProtector,
            target,
            callbackFromRevocationAttributes(revocationAttributes));
}
/**
 * Create a revocation signature for the key with the given id, letting the caller customize
 * the subpackets. The signature is returned and not added to the key ring.
 *
 * @param subkeyId id of the key to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param certificateSubpacketsCallback optional callback to modify the revocation subpackets
 * @return the revocation signature
 * @throws PGPException if the signature cannot be generated
 */
@Override
public PGPSignature createRevocation(
        long subkeyId,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationSignatureSubpackets.Callback certificateSubpacketsCallback)
        throws PGPException {
    PGPPublicKey target = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId);
    PGPSignature revocation = generateRevocation(secretKeyRingProtector, target, certificateSubpacketsCallback);
    return revocation;
}
/**
 * Issue a revocation signature over the given key, signed by the primary key.
 * The signature type is KEY_REVOCATION when the target is a master key and
 * SUBKEY_REVOCATION otherwise.
 *
 * @param protector protector used to unlock the primary key
 * @param revokeeSubKey key to be revoked
 * @param callback optional callback to modify the revocation subpackets
 * @return the revocation signature
 * @throws PGPException if the signature cannot be generated
 */
private PGPSignature generateRevocation(@Nonnull SecretKeyRingProtector protector,
                                        @Nonnull PGPPublicKey revokeeSubKey,
                                        @Nullable RevocationSignatureSubpackets.Callback callback)
        throws PGPException {
    PGPSecretKey signingKey = secretKeyRing.getSecretKey();

    SignatureType revocationType;
    if (revokeeSubKey.isMasterKey()) {
        revocationType = SignatureType.KEY_REVOCATION;
    } else {
        revocationType = SignatureType.SUBKEY_REVOCATION;
    }

    // NOTE(review): unlike doRevokeUserId and the certification paths, no signature creation
    // time is set from referenceTime here. Confirm that is intended for key revocations.
    RevocationSignatureBuilder builder = new RevocationSignatureBuilder(revocationType, signingKey, protector);
    builder.applyCallback(callback);
    return builder.build(revokeeSubKey);
}
/**
 * Wrap optional revocation attributes into a subpacket callback.
 * The returned callback sets the revocation reason on the hashed subpackets and does
 * nothing when the attributes are null.
 *
 * @param attributes revocation reason and description, or null
 * @return callback applying the attributes
 */
private static RevocationSignatureSubpackets.Callback callbackFromRevocationAttributes(
        @Nullable RevocationAttributes attributes) {
    RevocationSignatureSubpackets.Callback reasonCallback = new RevocationSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) {
            if (attributes == null) {
                // Nothing to state: leave the subpackets untouched.
                return;
            }
            hashedSubpackets.setRevocationReason(attributes);
        }
    };
    return reasonCallback;
}
/**
 * Revoke a user-id, optionally stating a revocation reason.
 * Only the reasons NO_REASON and USER_ID_NO_LONGER_VALID are accepted.
 *
 * @param userId user-id to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param revocationAttributes optional revocation reason and description
 * @return this editor
 * @throws IllegalArgumentException if another revocation reason is given
 * @throws PGPException propagated from the callback-based overload
 */
@Override
public SecretKeyRingEditorInterface revokeUserId(
        @Nonnull CharSequence userId,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationAttributes revocationAttributes)
        throws PGPException {
    if (revocationAttributes != null) {
        RevocationAttributes.Reason reason = revocationAttributes.getReason();
        boolean allowedForUserId = reason == RevocationAttributes.Reason.NO_REASON
                || reason == RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID;
        if (!allowedForUserId) {
            throw new IllegalArgumentException("Revocation reason must either be NO_REASON or USER_ID_NO_LONGER_VALID");
        }
    }

    RevocationSignatureSubpackets.Callback reasonCallback = new RevocationSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) {
            if (revocationAttributes == null) {
                return;
            }
            // The reason subpacket is added with its first argument set to false.
            hashedSubpackets.setRevocationReason(false, revocationAttributes);
        }
    };

    return revokeUserId(userId, secretKeyRingProtector, reasonCallback);
}
/**
 * Revoke a user-id, letting the caller customize the revocation signature subpackets.
 * The user-id is sanitized and then matched exactly against the user-ids on the key.
 *
 * @param userId user-id to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param subpacketCallback optional callback to modify the revocation subpackets
 * @return this editor
 * @throws PGPException propagated from {@code revokeUserIds}
 */
@Override
public SecretKeyRingEditorInterface revokeUserId(
        @Nonnull CharSequence userId,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationSignatureSubpackets.Callback subpacketCallback)
        throws PGPException {
    SelectUserId exactSelector = SelectUserId.exactMatch(sanitizeUserId(userId));
    return revokeUserIds(exactSelector, secretKeyRingProtector, subpacketCallback);
}
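/**
 * Revoke all user-ids matched by the selector, optionally stating a revocation reason.
 *
 * @param userIdSelector selector for the user-ids to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param revocationAttributes optional revocation reason and description; when null, no
 *                             reason is set on the revocation signatures
 * @return this editor
 * @throws PGPException propagated from the callback-based overload
 */
@Override
public SecretKeyRingEditorInterface revokeUserIds(
        @Nonnull SelectUserId userIdSelector,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationAttributes revocationAttributes)
        throws PGPException {
    // NOTE(review): revokeUserId() restricts the reason to NO_REASON or
    // USER_ID_NO_LONGER_VALID; this overload performs no such check. Confirm whether the
    // same restriction should apply here.
    return revokeUserIds(
            userIdSelector,
            secretKeyRingProtector,
            new RevocationSignatureSubpackets.Callback() {
                @Override
                public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) {
                    // The attributes are declared @Nullable, so guard before using them,
                    // as the other revocation callbacks in this class do.
                    if (revocationAttributes != null) {
                        hashedSubpackets.setRevocationReason(revocationAttributes);
                    }
                }
            });
}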
/**
 * Revoke all user-ids matched by the selector, letting the caller customize the revocation
 * signature subpackets.
 *
 * @param userIdSelector selector for the user-ids to revoke
 * @param secretKeyRingProtector protector used to unlock the primary key
 * @param subpacketsCallback optional callback to modify the revocation subpackets
 * @return this editor
 * @throws NoSuchElementException if the selector matches no user-id on the key
 * @throws PGPException if a revocation signature cannot be generated
 */
@Override
public SecretKeyRingEditorInterface revokeUserIds(
        @Nonnull SelectUserId userIdSelector,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback)
        throws PGPException {
    List<String> matches = userIdSelector.selectUserIds(secretKeyRing);
    // An empty selection is reported as an error, not treated as a no-op.
    if (matches.isEmpty()) {
        throw new NoSuchElementException("No matching user-ids found on the key.");
    }

    Iterator<String> remaining = matches.iterator();
    while (remaining.hasNext()) {
        doRevokeUserId(remaining.next(), secretKeyRingProtector, subpacketsCallback);
    }

    return this;
}
/**
 * Issue a certification revocation for a single user-id and store it on the key ring.
 *
 * @param userId user-id to revoke, used as given
 * @param protector protector used to unlock the primary key
 * @param callback optional callback to modify the revocation subpackets
 * @return this editor
 * @throws PGPException if the revocation signature cannot be generated
 */
private SecretKeyRingEditorInterface doRevokeUserId(
        @Nonnull String userId,
        @Nonnull SecretKeyRingProtector protector,
        @Nullable RevocationSignatureSubpackets.Callback callback)
        throws PGPException {
    PGPSecretKey signingKey = secretKeyRing.getSecretKey();
    RevocationSignatureBuilder builder = new RevocationSignatureBuilder(
            SignatureType.CERTIFICATION_REVOCATION, signingKey, protector);

    // Stamp the revocation with the editor's reference time when one is available.
    boolean hasReferenceTime = referenceTime != null;
    if (hasReferenceTime) {
        builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
    }

    // The caller's callback runs after the creation time has been set.
    builder.applyCallback(callback);

    PGPSignature revocation = builder.build(userId);
    secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, userId, revocation);
    return this;
}
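/**
 * Changes the expiration date of the primary key by re-issuing its self-signatures.
 *
 * <p>Performed in this order:
 * <ol>
 *   <li>the latest direct-key self-signature, if there is one, is re-issued with the new
 *       expiration;</li>
 *   <li>the certification of the primary user-id, if there is one, is re-issued with the new
 *       expiration and the primary flag set;</li>
 *   <li>every other valid user-id whose latest certification still carries the primary flag
 *       gets a re-issued certification with that flag cleared.</li>
 * </ol>
 *
 * @param expiration new expiration date; {@code null} makes the helpers write a zero or absent
 *                   key expiration subpacket
 * @param secretKeyRingProtector protector used to unlock the primary key for signing
 * @return this editor
 * @throws PGPException if a signature cannot be created
 * @throws IllegalArgumentException if the ring's first secret key is not a primary key
 */
@Override
public SecretKeyRingEditorInterface setExpirationDate(
        @Nullable Date expiration,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector)
        throws PGPException {

    PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
    if (!primaryKey.isMasterKey()) {
        throw new IllegalArgumentException("Key Ring does not appear to contain a primary secret key.");
    }

    // reissue direct key sig
    PGPSignature prevDirectKeySig = getPreviousDirectKeySignature();
    if (prevDirectKeySig != null) {
        PGPSignature directKeySig = reissueDirectKeySignature(expiration, secretKeyRingProtector, prevDirectKeySig);
        secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryKey.getPublicKey(), directKeySig);
    }

    // reissue primary user-id sig
    String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing, referenceTime).getPossiblyExpiredPrimaryUserId();
    if (primaryUserId != null) {
        // NOTE(review): the result is passed to a @Nonnull parameter without a null check;
        // confirm a primary user-id always has a latest certification.
        PGPSignature prevUserIdSig = getPreviousUserIdSignatures(primaryUserId);
        PGPSignature userIdSig = reissuePrimaryUserIdSig(expiration, secretKeyRingProtector, primaryUserId, prevUserIdSig);
        secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig);
    }

    // Re-inspect so the loop sees the signatures injected above.
    KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
    for (String userId : info.getValidUserIds()) {
        if (userId.equals(primaryUserId)) {
            continue;
        }

        PGPSignature prevUserIdSig = info.getLatestUserIdCertification(userId);
        if (prevUserIdSig == null) {
            throw new AssertionError("A valid user-id shall never have no user-id signature.");
        }

        if (prevUserIdSig.getHashedSubPackets().isPrimaryUserID()) {
            assert (primaryUserId != null);
            PGPSignature userIdSig = reissueNonPrimaryUserId(secretKeyRingProtector, userId, prevUserIdSig);
            // The re-issued certification is built over userId, so it has to be stored under
            // userId. Storing it under primaryUserId (as before) attaches a signature to a
            // user-id it does not cover and leaves the stale primary flag on userId in place.
            secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, userId, userIdSig);
        }
    }

    return this;
}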
/**
 * Builds a minimal revocation certificate: a public key ring holding only the stripped-down
 * primary public key with a key revocation signature attached.
 *
 * <p>The reason, when given, is validated up front so that a reason which is not applicable to
 * a key revocation is rejected before any signature is made.
 *
 * @param secretKeyRingProtector protector used to unlock the primary key for signing
 * @param keyRevocationAttributes optional revocation reason; must be a key revocation reason
 * @return public key ring consisting of the primary key and the revocation signature
 * @throws PGPException if the revocation signature cannot be created
 * @throws IllegalArgumentException if the reason is not applicable to a key revocation
 */
@Override
public PGPPublicKeyRing createMinimalRevocationCertificate(
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nullable RevocationAttributes keyRevocationAttributes)
        throws PGPException {
    if (keyRevocationAttributes != null) {
        boolean applicable = RevocationAttributes.Reason.isKeyRevocation(keyRevocationAttributes.getReason());
        if (!applicable) {
            throw new IllegalArgumentException("Revocation reason MUST be applicable to a key revocation.");
        }
    }

    PGPSignature revocationSig = createRevocation(secretKeyRingProtector, keyRevocationAttributes);

    // Strip the primary key first, then attach only the revocation to it.
    PGPPublicKey bareKey = KeyRingUtils.getStrippedDownPublicKey(secretKeyRing.getSecretKey().getPublicKey());
    PGPPublicKey revokedKey = PGPPublicKey.addCertification(bareKey, revocationSig);
    return new PGPPublicKeyRing(Collections.singletonList(revokedKey));
}
/**
 * Re-issues the certification of a user-id with the primary-user-id marker cleared.
 *
 * <p>The builder is seeded with {@code prevUserIdSig}. When {@code referenceTime} is set it
 * becomes the signature creation time.
 *
 * @param secretKeyRingProtector protector used to unlock the primary key for signing
 * @param userId user-id the new certification is issued over
 * @param prevUserIdSig previous certification of that user-id
 * @return the new certification over the ring's public key and {@code userId}
 * @throws PGPException if the signature cannot be created
 */
private PGPSignature reissueNonPrimaryUserId(
        SecretKeyRingProtector secretKeyRingProtector,
        String userId,
        PGPSignature prevUserIdSig)
        throws PGPException {
    SelfSignatureBuilder certBuilder =
            new SelfSignatureBuilder(secretKeyRing.getSecretKey(), secretKeyRingProtector, prevUserIdSig);
    if (referenceTime != null) {
        certBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
    }

    SelfSignatureSubpackets.Callback clearPrimaryFlag = new SelfSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
            // unmark as primary
            hashedSubpackets.setPrimaryUserId(null);
        }
    };
    certBuilder.applyCallback(clearPrimaryFlag);

    return certBuilder.build(secretKeyRing.getPublicKey(), userId);
}
/**
 * Re-issues the certification of the primary user-id with a new key expiration.
 *
 * <p>The builder is seeded with {@code prevUserIdSig}. The callback writes the key expiration
 * as a critical subpacket (a zero-valued one when {@code expiration} is {@code null}) and marks
 * the user-id as primary.
 *
 * @param expiration new expiration date, or {@code null}
 * @param secretKeyRingProtector protector used to unlock the primary key for signing
 * @param primaryUserId user-id the certification is issued over
 * @param prevUserIdSig previous certification of that user-id
 * @return the new certification
 * @throws PGPException if the signature cannot be created
 */
private PGPSignature reissuePrimaryUserIdSig(
        @Nullable Date expiration,
        @Nonnull SecretKeyRingProtector secretKeyRingProtector,
        @Nonnull String primaryUserId,
        @Nonnull PGPSignature prevUserIdSig)
        throws PGPException {
    PGPSecretKey signingKey = secretKeyRing.getSecretKey();
    PGPPublicKey publicKey = signingKey.getPublicKey();

    SelfSignatureBuilder certBuilder = new SelfSignatureBuilder(signingKey, secretKeyRingProtector, prevUserIdSig);
    if (referenceTime != null) {
        certBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
    }

    SelfSignatureSubpackets.Callback expirationAndPrimary = new SelfSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
            if (expiration == null) {
                hashedSubpackets.setKeyExpirationTime(new KeyExpirationTime(true, 0));
            } else {
                // The subpacket is derived from the key creation time and the target date.
                hashedSubpackets.setKeyExpirationTime(true, publicKey.getCreationTime(), expiration);
            }
            hashedSubpackets.setPrimaryUserId();
        }
    };
    certBuilder.applyCallback(expirationAndPrimary);

    return certBuilder.build(publicKey, primaryUserId);
}
/**
 * Re-issues the direct-key self-signature of the primary key with a new key expiration.
 *
 * <p>The builder is seeded with {@code prevDirectKeySig}. A {@code null} expiration results in
 * {@code setKeyExpirationTime(null)} being called on the hashed subpackets.
 *
 * @param expiration new expiration date, or {@code null}
 * @param secretKeyRingProtector protector used to unlock the primary key for signing
 * @param prevDirectKeySig previous direct-key self-signature
 * @return the new direct-key signature over the primary public key
 * @throws PGPException if the signature cannot be created
 */
private PGPSignature reissueDirectKeySignature(
        Date expiration,
        SecretKeyRingProtector secretKeyRingProtector,
        PGPSignature prevDirectKeySig)
        throws PGPException {
    PGPSecretKey signingKey = secretKeyRing.getSecretKey();
    PGPPublicKey publicKey = signingKey.getPublicKey();
    final Date keyCreationTime = publicKey.getCreationTime();

    DirectKeySelfSignatureBuilder sigBuilder =
            new DirectKeySelfSignatureBuilder(signingKey, secretKeyRingProtector, prevDirectKeySig);
    if (referenceTime != null) {
        sigBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
    }

    SelfSignatureSubpackets.Callback applyExpiration = new SelfSignatureSubpackets.Callback() {
        @Override
        public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
            if (expiration == null) {
                hashedSubpackets.setKeyExpirationTime(null);
            } else {
                hashedSubpackets.setKeyExpirationTime(keyCreationTime, expiration);
            }
        }
    };
    sigBuilder.applyCallback(applyExpiration);

    return sigBuilder.build(publicKey);
}
/**
 * Looks up the latest direct-key self-signature of the key ring, evaluated at
 * {@code referenceTime}.
 *
 * @return the signature reported by the key ring inspection; callers in this class treat
 *         {@code null} as "no direct-key signature"
 */
private PGPSignature getPreviousDirectKeySignature() {
    return PGPainless.inspectKeyRing(secretKeyRing, referenceTime).getLatestDirectKeySelfSignature();
}
/**
 * Looks up the latest certification of {@code userId} on the key ring, evaluated at
 * {@code referenceTime}.
 *
 * @param userId user-id to look up
 * @return the certification reported by the key ring inspection
 */
private PGPSignature getPreviousUserIdSignatures(String userId) {
    return PGPainless.inspectKeyRing(secretKeyRing, referenceTime).getLatestUserIdCertification(userId);
}
/**
 * Starts a passphrase change for the whole key ring.
 *
 * <p>The old passphrase is wrapped in a protector that is later used to unlock the keys. The
 * returned builder is created with a {@code null} key-id, which selects every key on the ring.
 *
 * @param oldPassphrase current passphrase, may be {@code null}
 * @param oldProtectionSettings protection settings the keys are currently protected with
 * @return builder step for choosing the new protection settings
 */
@Override
public WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase(
        @Nullable Passphrase oldPassphrase,
        @Nonnull KeyRingProtectionSettings oldProtectionSettings) {
    SolitaryPassphraseProvider oldPassphraseProvider = new SolitaryPassphraseProvider(oldPassphrase);
    SecretKeyRingProtector unlockWithOld =
            new PasswordBasedSecretKeyRingProtector(oldProtectionSettings, oldPassphraseProvider);
    return new WithKeyRingEncryptionSettingsImpl(null, unlockWithOld);
}
/**
 * Starts a passphrase change for a single key of the ring.
 *
 * <p>The old passphrase is registered for {@code keyId} only, so the resulting protector holds
 * a passphrase for that one key.
 *
 * @param keyId id of the key whose passphrase is changed
 * @param oldPassphrase current passphrase of that key, may be {@code null}
 * @param oldProtectionSettings protection settings the key is currently protected with
 * @return builder step for choosing the new protection settings
 */
@Override
public WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase(
        @Nonnull Long keyId,
        @Nullable Passphrase oldPassphrase,
        @Nonnull KeyRingProtectionSettings oldProtectionSettings) {
    Map<Long, Passphrase> oldPassphraseByKeyId = Collections.singletonMap(keyId, oldPassphrase);
    SecretKeyRingProtector unlockWithOld =
            new CachingSecretKeyRingProtector(oldPassphraseByKeyId, oldProtectionSettings, null);
    return new WithKeyRingEncryptionSettingsImpl(keyId, unlockWithOld);
}
/**
 * Finishes editing.
 *
 * @return the secret key ring in its current state, including all modifications made so far
 */
@Override
public PGPSecretKeyRing done() {
    return this.secretKeyRing;
}
/**
 * Builder step that selects the protection settings for the new passphrase.
 */
private final class WithKeyRingEncryptionSettingsImpl implements WithKeyRingEncryptionSettings {

    // Protector to unlock the key with the old passphrase
    private final SecretKeyRingProtector oldProtector;
    // Key whose passphrase is changed; null selects the whole key ring
    private final Long keyId;

    /**
     * Builder for selecting protection settings.
     *
     * If the keyId is null, the whole keyRing will get the same new passphrase.
     *
     * @param keyId id of the subkey whose passphrase will be changed, or null.
     * @param oldProtector protector to unlock the key/ring.
     */
    private WithKeyRingEncryptionSettingsImpl(Long keyId, SecretKeyRingProtector oldProtector) {
        this.oldProtector = oldProtector;
        this.keyId = keyId;
    }

    /**
     * Continues with {@link KeyRingProtectionSettings#secureDefaultSettings()}.
     */
    @Override
    public WithPassphrase withSecureDefaultSettings() {
        KeyRingProtectionSettings defaults = KeyRingProtectionSettings.secureDefaultSettings();
        return withCustomSettings(defaults);
    }

    /**
     * Continues with caller-chosen protection settings, which are passed on as given.
     */
    @Override
    public WithPassphrase withCustomSettings(KeyRingProtectionSettings settings) {
        return new WithPassphraseImpl(this.keyId, this.oldProtector, settings);
    }
}
/**
 * Final builder step: re-protects the selected key(s) and writes the result back into the
 * enclosing editor.
 */
private final class WithPassphraseImpl implements WithPassphrase {

    // Key whose passphrase is changed; null selects the whole key ring
    private final Long keyId;
    // Protector that unlocks the key(s) with the old passphrase
    private final SecretKeyRingProtector oldProtector;
    // Settings the new passphrase protection is created with
    private final KeyRingProtectionSettings newProtectionSettings;

    private WithPassphraseImpl(
            Long keyId,
            SecretKeyRingProtector oldProtector,
            KeyRingProtectionSettings newProtectionSettings) {
        this.keyId = keyId;
        this.oldProtector = oldProtector;
        this.newProtectionSettings = newProtectionSettings;
    }

    /**
     * Re-protects the selected key(s) with {@code passphrase} under the new protection settings.
     *
     * @param passphrase the new passphrase
     * @return the enclosing editor
     * @throws PGPException if a key cannot be unlocked or re-encrypted
     */
    @Override
    public SecretKeyRingEditorInterface toNewPassphrase(Passphrase passphrase)
            throws PGPException {
        SolitaryPassphraseProvider newPassphraseProvider = new SolitaryPassphraseProvider(passphrase);
        return reprotectWith(new PasswordBasedSecretKeyRingProtector(newProtectionSettings, newPassphraseProvider));
    }

    /**
     * Re-protects the selected key(s) with an {@code UnprotectedKeysProtector}.
     *
     * <p>NOTE(review): going by the protector's name, the selected secret keys end up without
     * passphrase protection. Callers then have to protect the stored key material by other
     * means (file permissions, an encrypted store).
     *
     * @return the enclosing editor
     * @throws PGPException if a key cannot be unlocked or re-encrypted
     */
    @Override
    public SecretKeyRingEditorInterface toNoPassphrase()
            throws PGPException {
        return reprotectWith(new UnprotectedKeysProtector());
    }

    // Swaps the protection of the selected key(s) and stores the new ring on the editor.
    // The editor's ring is only replaced when changePassphrase returns normally.
    private SecretKeyRingEditorInterface reprotectWith(SecretKeyRingProtector newProtector)
            throws PGPException {
        PGPSecretKeyRing reprotected = changePassphrase(
                keyId, SecretKeyRingEditor.this.secretKeyRing, oldProtector, newProtector);
        SecretKeyRingEditor.this.secretKeyRing = reprotected;
        return SecretKeyRingEditor.this;
    }
}
/**
 * Re-encrypts secret keys of a key ring from the old protector to the new one.
 *
 * <p>With a {@code null} key-id every key on the ring is re-encrypted; otherwise only the key
 * whose id equals {@code keyId}. Keys that are not selected are copied over unchanged. If
 * {@code keyId} matches no key, the ring is rebuilt without any key having been re-encrypted
 * and no error is raised.
 *
 * <p>The rebuilt ring is finally passed through {@code s2kUsageFixIfNecessary} with the new
 * protector.
 *
 * @param keyId id of the key to re-encrypt, or {@code null} for all keys
 * @param secretKeys key ring to work on
 * @param oldProtector protector that unlocks the keys with the old passphrase
 * @param newProtector protector that locks the keys with the new passphrase
 * @return the rebuilt secret key ring
 * @throws PGPException if a key cannot be unlocked or re-encrypted
 */
private PGPSecretKeyRing changePassphrase(Long keyId,
                                          PGPSecretKeyRing secretKeys,
                                          SecretKeyRingProtector oldProtector,
                                          SecretKeyRingProtector newProtector)
        throws PGPException {
    List<PGPSecretKey> rebuiltKeys = new ArrayList<>();
    for (Iterator<PGPSecretKey> keys = secretKeys.getSecretKeys(); keys.hasNext();) {
        PGPSecretKey current = keys.next();
        // null key-id: whole ring; otherwise only the selected key
        boolean selected = keyId == null || current.getPublicKey().getKeyID() == keyId;
        if (selected) {
            current = reencryptPrivateKey(current, oldProtector, newProtector);
        }
        rebuiltKeys.add(current);
    }

    return s2kUsageFixIfNecessary(new PGPSecretKeyRing(rebuiltKeys), newProtector);
}
/**
 * Replaces the {@code USAGE_CHECKSUM} secret-key protection with the SHA-1 variant when any key
 * on the ring uses it.
 *
 * <p>In OpenPGP, {@code USAGE_CHECKSUM} guards the secret key material with a plain 16-bit
 * checksum, which is a weaker integrity check than the SHA-1 hash used by the replacement.
 *
 * <p>NOTE(review): the fix is applied to the whole ring with the new protector, also when only
 * one subkey was re-encrypted. The meaning of the trailing {@code true} argument is not visible
 * here; confirm it covers keys the protector cannot unlock.
 *
 * @param secretKeys key ring to check
 * @param protector protector handed to the fix
 * @return the fixed ring, or {@code secretKeys} itself when no key uses {@code USAGE_CHECKSUM}
 * @throws PGPException if the fix fails
 */
private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
        throws PGPException {
    for (PGPSecretKey candidate : secretKeys) {
        if (candidate.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
            // One affected key is enough to run the fix over the ring.
            return S2KUsageFix.replaceUsageChecksumWithUsageSha1(
                    secretKeys, protector, true);
        }
    }
    return secretKeys;
}
/**
 * Re-encrypts a single secret key from the old protector to the new one.
 *
 * <p>Keys whose S2K specifier is of type {@code GNU_DUMMY_S2K} are returned untouched. Keys
 * without an S2K specifier are still passed through {@code copyWithNewPassword}.
 *
 * @param secretKey key to re-encrypt
 * @param oldProtector source of the decryptor for the current protection
 * @param newProtector source of the encryptor for the new protection
 * @return the re-encrypted key, or {@code secretKey} itself for a GNU dummy key
 * @throws PGPException if the key cannot be decrypted or re-encrypted
 */
private static PGPSecretKey reencryptPrivateKey(
        PGPSecretKey secretKey,
        SecretKeyRingProtector oldProtector,
        SecretKeyRingProtector newProtector)
        throws PGPException {
    S2K s2k = secretKey.getS2K();
    boolean gnuDummy = s2k != null && s2k.getType() == S2K.GNU_DUMMY_S2K;
    if (gnuDummy) {
        // If the key uses GNU_DUMMY_S2K, we leave it as is
        return secretKey;
    }

    long id = secretKey.getKeyID();
    PBESecretKeyDecryptor unlock = oldProtector.getDecryptor(id);
    PBESecretKeyEncryptor lock = newProtector.getEncryptor(id);
    return PGPSecretKey.copyWithNewPassword(secretKey, unlock, lock);
}
}