1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-23 11:27:57 +01:00

Change HardwareSecurity DecryptionCallback to emit key-id

This commit is contained in:
Paul Schaub 2022-10-10 18:01:30 +02:00
parent 529c64cf43
commit 228918f96b
5 changed files with 51 additions and 36 deletions

View file

@ -49,7 +49,7 @@ public class ConsumerOptions {
// Session key for decryption without passphrase/key // Session key for decryption without passphrase/key
private SessionKey sessionKey = null; private SessionKey sessionKey = null;
private Map<Set<Long>, PublicKeyDataDecryptorFactory> customPublicKeyDataDecryptorFactories = new HashMap<>(); private Map<Long, PublicKeyDataDecryptorFactory> customPublicKeyDataDecryptorFactories = new HashMap<>();
private final Map<PGPSecretKeyRing, SecretKeyRingProtector> decryptionKeys = new HashMap<>(); private final Map<PGPSecretKeyRing, SecretKeyRingProtector> decryptionKeys = new HashMap<>();
private final Set<Passphrase> decryptionPassphrases = new HashSet<>(); private final Set<Passphrase> decryptionPassphrases = new HashSet<>();
@ -245,20 +245,15 @@ public class ConsumerOptions {
* hardware-backed secret keys. * hardware-backed secret keys.
* (See e.g. {@link org.pgpainless.decryption_verification.HardwareSecurity.HardwareDataDecryptorFactory}). * (See e.g. {@link org.pgpainless.decryption_verification.HardwareSecurity.HardwareDataDecryptorFactory}).
* *
* The set of key-ids determines, whether the decryptor factory shall be consulted to decrypt a given session key. * @param factory decryptor factory
* See for example {@link HardwareSecurity#getIdsOfHardwareBackedKeys(PGPSecretKeyRing)}.
*
* @param keyIds set of key-ids for which the factory shall be consulted
* @param decryptorFactory decryptor factory
* @return options * @return options
*/ */
public ConsumerOptions addCustomDecryptorFactory( public ConsumerOptions addCustomDecryptorFactory(@Nonnull CustomPublicKeyDataDecryptorFactory factory) {
@Nonnull Set<Long> keyIds, @Nonnull PublicKeyDataDecryptorFactory decryptorFactory) { this.customPublicKeyDataDecryptorFactories.put(factory.getKeyId(), factory);
this.customPublicKeyDataDecryptorFactories.put(keyIds, decryptorFactory);
return this; return this;
} }
Map<Set<Long>, PublicKeyDataDecryptorFactory> getCustomDecryptorFactories() { Map<Long, PublicKeyDataDecryptorFactory> getCustomDecryptorFactories() {
return new HashMap<>(customPublicKeyDataDecryptorFactories); return new HashMap<>(customPublicKeyDataDecryptorFactories);
} }

View file

@ -0,0 +1,13 @@
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package org.pgpainless.decryption_verification;
import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
public interface CustomPublicKeyDataDecryptorFactory extends PublicKeyDataDecryptorFactory {
long getKeyId();
}

View file

@ -409,30 +409,28 @@ public final class DecryptionStreamFactory {
} }
// Try custom PublicKeyDataDecryptorFactories (e.g. hardware-backed). // Try custom PublicKeyDataDecryptorFactories (e.g. hardware-backed).
Map<Set<Long>, PublicKeyDataDecryptorFactory> customFactories = options.getCustomDecryptorFactories(); Map<Long, PublicKeyDataDecryptorFactory> customFactories = options.getCustomDecryptorFactories();
for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) { for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
Long keyId = publicKeyEncryptedData.getKeyID(); Long keyId = publicKeyEncryptedData.getKeyID();
for (Set<Long> keyIds : customFactories.keySet()) { if (!customFactories.containsKey(keyId)) {
if (!keyIds.contains(keyId)) { continue;
continue; }
}
PublicKeyDataDecryptorFactory decryptorFactory = customFactories.get(keyIds); PublicKeyDataDecryptorFactory decryptorFactory = customFactories.get(keyId);
try { try {
InputStream decryptedDataStream = publicKeyEncryptedData.getDataStream(decryptorFactory); InputStream decryptedDataStream = publicKeyEncryptedData.getDataStream(decryptorFactory);
PGPSessionKey pgpSessionKey = publicKeyEncryptedData.getSessionKey(decryptorFactory); PGPSessionKey pgpSessionKey = publicKeyEncryptedData.getSessionKey(decryptorFactory);
SessionKey sessionKey = new SessionKey(pgpSessionKey); SessionKey sessionKey = new SessionKey(pgpSessionKey);
resultBuilder.setSessionKey(sessionKey); resultBuilder.setSessionKey(sessionKey);
throwIfAlgorithmIsRejected(sessionKey.getAlgorithm()); throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
integrityProtectedEncryptedInputStream = integrityProtectedEncryptedInputStream =
new IntegrityProtectedInputStream(decryptedDataStream, publicKeyEncryptedData, options); new IntegrityProtectedInputStream(decryptedDataStream, publicKeyEncryptedData, options);
return integrityProtectedEncryptedInputStream; return integrityProtectedEncryptedInputStream;
} catch (PGPException e) { } catch (PGPException e) {
LOGGER.debug("Decryption with custom PublicKeyDataDecryptorFactory failed", e); LOGGER.debug("Decryption with custom PublicKeyDataDecryptorFactory failed", e);
}
} }
} }

View file

@ -28,13 +28,14 @@ public class HardwareSecurity {
* *
* If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown. * If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown.
* *
* @param keyId id of the key
* @param keyAlgorithm algorithm * @param keyAlgorithm algorithm
* @param sessionKeyData encrypted session key * @param sessionKeyData encrypted session key
* *
* @return decrypted session key * @return decrypted session key
* @throws HardwareSecurityException exception * @throws HardwareSecurityException exception
*/ */
byte[] decryptSessionKey(int keyAlgorithm, byte[] sessionKeyData) byte[] decryptSessionKey(long keyId, int keyAlgorithm, byte[] sessionKeyData)
throws HardwareSecurityException; throws HardwareSecurityException;
} }
@ -67,20 +68,22 @@ public class HardwareSecurity {
* to a {@link DecryptionCallback}. * to a {@link DecryptionCallback}.
* Users can provide such a callback to delegate decryption of messages to hardware security SDKs. * Users can provide such a callback to delegate decryption of messages to hardware security SDKs.
*/ */
public static class HardwareDataDecryptorFactory implements PublicKeyDataDecryptorFactory { public static class HardwareDataDecryptorFactory implements CustomPublicKeyDataDecryptorFactory {
private final DecryptionCallback callback; private final DecryptionCallback callback;
// luckily we can instantiate the BcPublicKeyDataDecryptorFactory with null as argument. // luckily we can instantiate the BcPublicKeyDataDecryptorFactory with null as argument.
private final PublicKeyDataDecryptorFactory factory = private final PublicKeyDataDecryptorFactory factory =
new BcPublicKeyDataDecryptorFactory(null); new BcPublicKeyDataDecryptorFactory(null);
private long keyId;
/** /**
* Create a new {@link HardwareDataDecryptorFactory}. * Create a new {@link HardwareDataDecryptorFactory}.
* *
* @param callback decryption callback * @param callback decryption callback
*/ */
public HardwareDataDecryptorFactory(DecryptionCallback callback) { public HardwareDataDecryptorFactory(long keyId, DecryptionCallback callback) {
this.callback = callback; this.callback = callback;
this.keyId = keyId;
} }
@Override @Override
@ -88,7 +91,7 @@ public class HardwareSecurity {
throws PGPException { throws PGPException {
try { try {
// delegate decryption to the callback // delegate decryption to the callback
return callback.decryptSessionKey(keyAlgorithm, secKeyData[0]); return callback.decryptSessionKey(keyId, keyAlgorithm, secKeyData[0]);
} catch (HardwareSecurityException e) { } catch (HardwareSecurityException e) {
throw new PGPException("Hardware-backed decryption failed.", e); throw new PGPException("Hardware-backed decryption failed.", e);
} }
@ -99,10 +102,16 @@ public class HardwareSecurity {
throws PGPException { throws PGPException {
return factory.createDataDecryptor(withIntegrityPacket, encAlgorithm, key); return factory.createDataDecryptor(withIntegrityPacket, encAlgorithm, key);
} }
@Override
public long getKeyId() {
return keyId;
}
} }
public static class HardwareSecurityException public static class HardwareSecurityException
extends Exception { extends Exception {
} }
} }

View file

@ -29,7 +29,6 @@ import java.io.IOException;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertEquals;
@ -55,7 +54,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest {
HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = new HardwareSecurity.DecryptionCallback() { HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = new HardwareSecurity.DecryptionCallback() {
@Override @Override
public byte[] decryptSessionKey(int keyAlgorithm, byte[] sessionKeyData) public byte[] decryptSessionKey(long keyId, int keyAlgorithm, byte[] sessionKeyData)
throws HardwareSecurity.HardwareSecurityException { throws HardwareSecurity.HardwareSecurityException {
// Emulate hardware decryption. // Emulate hardware decryption.
try { try {
@ -74,8 +73,9 @@ public class CustomPublicKeyDataDecryptorFactoryTest {
.onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray())) .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray()))
.withOptions(ConsumerOptions.get() .withOptions(ConsumerOptions.get()
.addCustomDecryptorFactory( .addCustomDecryptorFactory(
Collections.singleton(encryptionKey.getKeyID()), new HardwareSecurity.HardwareDataDecryptorFactory(
new HardwareSecurity.HardwareDataDecryptorFactory(hardwareDecryptionCallback))); encryptionKey.getKeyID(),
hardwareDecryptionCallback)));
ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream(); ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream();
Streams.pipeAll(decryptionStream, decryptedOut); Streams.pipeAll(decryptionStream, decryptedOut);