Add encryption API

2024-11-17 18:02:05 +01:00 · 2018-06-05 01:30:58 +02:00 · 2018-06-05 01:30:58 +02:00 · afce16e51e
commit afce16e51e
parent 4844bf697c
6 changed files with 222 additions and 73 deletions
--- a/src/main/java/de/vanitasvitae/crypto/pgpainless/Main.java
+++ b/src/main/java/de/vanitasvitae/crypto/pgpainless/Main.java
@ -1,25 +0,0 @@
-package de.vanitasvitae.crypto.pgpainless;
-
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Security;
-
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-
-public class Main {
-
-    public static void main(String[] args)
-            throws NoSuchAlgorithmException, PGPException, NoSuchProviderException, IOException,
-            InvalidAlgorithmParameterException {
-        Security.addProvider(new BouncyCastleProvider());
-
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .simpleEcKeyRing("elliptic@cur.ve");
-
-        //System.out.println(Base64.getEncoder().encodeToString(secretKeys.getEncoded()));
-    }
-}
--- a/src/main/java/de/vanitasvitae/crypto/pgpainless/PGPainless.java
+++ b/src/main/java/de/vanitasvitae/crypto/pgpainless/PGPainless.java
@ -1,8 +1,14 @@
 package de.vanitasvitae.crypto.pgpainless;

+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
 import de.vanitasvitae.crypto.pgpainless.decryption_verification.DecryptionBuilder;
 import de.vanitasvitae.crypto.pgpainless.encryption_signing.EncryptionBuilder;
 import de.vanitasvitae.crypto.pgpainless.key.generation.KeyRingBuilder;
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;

 public class PGPainless {

@ -18,4 +24,7 @@ public class PGPainless {
        return new DecryptionBuilder();
    }

+    public static PGPPublicKeyRing publicKeyRingFromBytes(byte[] bytes) throws IOException {
+        return new PGPPublicKeyRing(new ArmoredInputStream(new ByteArrayInputStream(bytes)), new BcKeyFingerprintCalculator());
+    }
 }
--- a/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/EncryptionBuilder.java
+++ b/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/EncryptionBuilder.java
@ -1,5 +1,6 @@
 package de.vanitasvitae.crypto.pgpainless.encryption_signing;

+import java.io.IOException;
 import java.io.OutputStream;
 import java.util.HashSet;
 import java.util.Iterator;
@ -10,6 +11,8 @@ import de.vanitasvitae.crypto.pgpainless.SecretKeyNotFoundException;
 import de.vanitasvitae.crypto.pgpainless.algorithm.CompressionAlgorithm;
 import de.vanitasvitae.crypto.pgpainless.algorithm.HashAlgorithm;
 import de.vanitasvitae.crypto.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@ -22,9 +25,10 @@ public class EncryptionBuilder implements EncryptionBuilderInterface {
    private OutputStream outputStream;
    private final Set<PGPPublicKey> encryptionKeys = new HashSet<>();
    private final Set<PGPSecretKey> signingKeys = new HashSet<>();
-    private SymmetricKeyAlgorithm symmetricKeyAlgorithm;
-    private HashAlgorithm hashAlgorithm;
-    private CompressionAlgorithm compressionAlgorithm;
+    private SecretKeyRingDecryptor signingKeysDecryptor;
+    private SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.AES_128;
+    private HashAlgorithm hashAlgorithm = HashAlgorithm.SHA256;
+    private CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.UNCOMPRESSED;
    private boolean asciiArmor = false;

    @Override
@ -115,19 +119,21 @@ public class EncryptionBuilder implements EncryptionBuilderInterface {
    class SignWithImpl implements SignWith {

        @Override
-        public Armor signWith(PGPSecretKey key) {
+        public Armor signWith(PGPSecretKey key, SecretKeyRingDecryptor decryptor) {
            EncryptionBuilder.this.signingKeys.add(key);
+            EncryptionBuilder.this.signingKeysDecryptor = decryptor;
            return new ArmorImpl();
        }

        @Override
-        public Armor signWith(Set<PGPSecretKey> keys) {
+        public Armor signWith(Set<PGPSecretKey> keys, SecretKeyRingDecryptor decryptor) {
            EncryptionBuilder.this.signingKeys.addAll(keys);
+            EncryptionBuilder.this.signingKeysDecryptor = decryptor;
            return new ArmorImpl();
        }

        @Override
-        public Armor signWith(Set<Long> keyIds, Set<PGPSecretKeyRing> keyRings)
+        public Armor signWith(Set<Long> keyIds, Set<PGPSecretKeyRing> keyRings, SecretKeyRingDecryptor decryptor)
                throws SecretKeyNotFoundException {
            Set<PGPSecretKey> keys = new HashSet<>();

@ -148,11 +154,11 @@ public class EncryptionBuilder implements EncryptionBuilderInterface {

                keys.add(key);
            }
-            return signWith(keys);
+            return signWith(keys, decryptor);
        }

        @Override
-        public Armor signWith(Set<Long> keyIds, PGPSecretKeyRingCollection keys)
+        public Armor signWith(Set<Long> keyIds, PGPSecretKeyRingCollection keys, SecretKeyRingDecryptor decryptor)
                throws SecretKeyNotFoundException {

            Set<PGPSecretKeyRing> rings = new HashSet<>();
@ -160,7 +166,7 @@ public class EncryptionBuilder implements EncryptionBuilderInterface {
            for (Iterator<PGPSecretKeyRing> i = keys.getKeyRings(); i.hasNext();) {
                rings.add(i.next());
            }
-            return signWith(keyIds, rings);
+            return signWith(keyIds, rings, decryptor);
        }

        @Override
@ -172,22 +178,28 @@ public class EncryptionBuilder implements EncryptionBuilderInterface {
    class ArmorImpl implements Armor {

        @Override
-        public OutputStream asciiArmor() {
+        public OutputStream asciiArmor() throws IOException, PGPException {
            EncryptionBuilder.this.asciiArmor = true;
            return build();
        }

        @Override
-        public OutputStream noArmor() {
+        public OutputStream noArmor() throws IOException, PGPException {
            EncryptionBuilder.this.asciiArmor = false;
            return build();
        }

-        private OutputStream build() {
+        private OutputStream build() throws IOException, PGPException {
+
+            Set<PGPPrivateKey> privateKeys = new HashSet<>();
+            for (PGPSecretKey secretKey : signingKeys) {
+                privateKeys.add(secretKey.extractPrivateKey(signingKeysDecryptor.getDecryptor(secretKey.getKeyID())));
+            }
+
            return EncryptionStream.create(
                    EncryptionBuilder.this.outputStream,
                    EncryptionBuilder.this.encryptionKeys,
-                    EncryptionBuilder.this.signingKeys,
+                    privateKeys,
                    EncryptionBuilder.this.symmetricKeyAlgorithm,
                    EncryptionBuilder.this.hashAlgorithm,
                    EncryptionBuilder.this.compressionAlgorithm,
--- a/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/EncryptionBuilderInterface.java
+++ b/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/EncryptionBuilderInterface.java
@ -1,5 +1,6 @@
 package de.vanitasvitae.crypto.pgpainless.encryption_signing;

+import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.Set;
@ -9,6 +10,7 @@ import de.vanitasvitae.crypto.pgpainless.SecretKeyNotFoundException;
 import de.vanitasvitae.crypto.pgpainless.algorithm.CompressionAlgorithm;
 import de.vanitasvitae.crypto.pgpainless.algorithm.HashAlgorithm;
 import de.vanitasvitae.crypto.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@ -48,13 +50,15 @@ public interface EncryptionBuilderInterface {

    interface SignWith {

-        Armor signWith(PGPSecretKey key);
+        Armor signWith(PGPSecretKey key, SecretKeyRingDecryptor decryptor);

-        Armor signWith(Set<PGPSecretKey> keys);
+        Armor signWith(Set<PGPSecretKey> keys, SecretKeyRingDecryptor decryptor);

-        Armor signWith(Set<Long> keyIds, Set<PGPSecretKeyRing> keyRings) throws SecretKeyNotFoundException;
+        Armor signWith(Set<Long> keyIds, Set<PGPSecretKeyRing> keyRings, SecretKeyRingDecryptor decryptor)
+                throws SecretKeyNotFoundException;

-        Armor signWith(Set<Long> keyIds, PGPSecretKeyRingCollection keys) throws SecretKeyNotFoundException;
+        Armor signWith(Set<Long> keyIds, PGPSecretKeyRingCollection keys, SecretKeyRingDecryptor decryptor)
+                throws SecretKeyNotFoundException;

        Armor doNotSign();

@ -62,9 +66,9 @@ public interface EncryptionBuilderInterface {

    interface Armor {

-        OutputStream asciiArmor();
+        OutputStream asciiArmor() throws IOException, PGPException;

-        OutputStream noArmor();
+        OutputStream noArmor() throws IOException, PGPException;

    }

--- a/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/EncryptionStream.java
+++ b/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/EncryptionStream.java
@ -2,57 +2,134 @@ package de.vanitasvitae.crypto.pgpainless.encryption_signing;

 import java.io.IOException;
 import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
 import java.util.Set;

 import de.vanitasvitae.crypto.pgpainless.algorithm.CompressionAlgorithm;
 import de.vanitasvitae.crypto.pgpainless.algorithm.HashAlgorithm;
 import de.vanitasvitae.crypto.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.BCPGOutputStream;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
+import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;

+/**
+ * This class is based upon Jens Neuhalfen's Bouncy-GPG PGPEncryptingStream.
+ * @see <a href="https://github.com/neuhalje/bouncy-gpg/blob/master/src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/encrypting/PGPEncryptingStream.java">Source</a>
+ */
 public class EncryptionStream extends OutputStream {

-    private final OutputStream outputStream;
-    private final Set<PGPPublicKey> encryptionKeys;
-    private final Set<PGPSecretKey> signingKeys;
-    private final SymmetricKeyAlgorithm symmetricKeyAlgorithm;
-    private final HashAlgorithm hashAlgorithm;
-    private final CompressionAlgorithm compressionAlgorithm;
-    private final boolean asciiArmor;
+    private static final int BUFFER_SIZE = 1 << 8;

-    private EncryptionStream(OutputStream outputStream,
+    private List<PGPSignatureGenerator> signatureGenerators = new ArrayList<>();
+    private boolean closed = false;
+
+    // ASCII Armor
+    private ArmoredOutputStream armorOutputStream = null;
+
+    // Public Key Encryption of Symmetric Session Key
+    private OutputStream publicKeyEncryptedStream = null;
+
+    // Data Compression
+    private PGPCompressedDataGenerator compressedDataGenerator;
+    private BCPGOutputStream basicCompressionStream;
+
+    // Literal Data
+    private PGPLiteralDataGenerator literalDataGenerator;
+    private OutputStream literalDataStream;
+
+    private EncryptionStream(OutputStream targetOutputStream,
                            Set<PGPPublicKey> encryptionKeys,
-                            Set<PGPSecretKey> signingKeys,
+                            Set<PGPPrivateKey> signingKeys,
                            SymmetricKeyAlgorithm symmetricKeyAlgorithm,
                            HashAlgorithm hashAlgorithm,
                            CompressionAlgorithm compressionAlgorithm,
-                            boolean asciiArmor) {
-        this.outputStream = outputStream;
-        this.encryptionKeys = encryptionKeys;
-        this.signingKeys = signingKeys;
-        this.symmetricKeyAlgorithm = symmetricKeyAlgorithm;
-        this.hashAlgorithm = hashAlgorithm;
-        this.compressionAlgorithm = compressionAlgorithm;
-        this.asciiArmor = asciiArmor;
+                            boolean asciiArmor)
+            throws IOException, PGPException {
+
+        // Currently outermost Stream
+        OutputStream outerMostStream;
+        if (asciiArmor) {
+            armorOutputStream = new ArmoredOutputStream(targetOutputStream);
+            outerMostStream = armorOutputStream;
+        } else {
+            outerMostStream = targetOutputStream;
+        }
+
+        // If we want to encrypt
+        if (!encryptionKeys.isEmpty()) {
+            BcPGPDataEncryptorBuilder dataEncryptorBuilder =
+                    new BcPGPDataEncryptorBuilder(symmetricKeyAlgorithm.getAlgorithmId());
+
+            dataEncryptorBuilder.setWithIntegrityPacket(true);
+
+            PGPEncryptedDataGenerator encryptedDataGenerator =
+                    new PGPEncryptedDataGenerator(dataEncryptorBuilder);
+
+            for (PGPPublicKey key : encryptionKeys) {
+                encryptedDataGenerator.addMethod(new BcPublicKeyKeyEncryptionMethodGenerator(key));
+            }
+
+            publicKeyEncryptedStream = encryptedDataGenerator.open(outerMostStream, new byte[BUFFER_SIZE]);
+            outerMostStream = publicKeyEncryptedStream;
+        }
+
+        // If we want to sign, prepare for signing
+        if (!signingKeys.isEmpty()) {
+            for (PGPPrivateKey privateKey : signingKeys) {
+
+                BcPGPContentSignerBuilder contentSignerBuilder = new BcPGPContentSignerBuilder(
+                        privateKey.getPublicKeyPacket().getAlgorithm(), hashAlgorithm.getAlgorithmId());
+
+                PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(contentSignerBuilder);
+                signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+                signatureGenerators.add(signatureGenerator);
+            }
+        }
+
+        // Compression
+        compressedDataGenerator = new PGPCompressedDataGenerator(
+                compressionAlgorithm.getAlgorithmId());
+        basicCompressionStream = new BCPGOutputStream(compressedDataGenerator.open(outerMostStream));
+
+        // If we want to sign, sign!
+        for (PGPSignatureGenerator signatureGenerator : signatureGenerators) {
+            signatureGenerator.generateOnePassVersion(false).encode(basicCompressionStream);
+        }
+
+        literalDataGenerator = new PGPLiteralDataGenerator();
+        literalDataStream = literalDataGenerator.open(basicCompressionStream,
+                PGPLiteralData.BINARY, PGPLiteralData.CONSOLE, new Date(), new byte[BUFFER_SIZE]);
    }

-    public static EncryptionStream create(OutputStream outputStream,
-                                          Set<PGPPublicKey> encryptionKeys,
-                                          Set<PGPSecretKey> signingKeys,
-                                          SymmetricKeyAlgorithm symmetricKeyAlgorithm,
-                                          HashAlgorithm hashAlgorithm,
-                                          CompressionAlgorithm compressionAlgorithm,
-                                          boolean asciiArmor) {
+    static EncryptionStream create(OutputStream outputStream,
+                                   Set<PGPPublicKey> encryptionKeys,
+                                   Set<PGPPrivateKey> signingKeys,
+                                   SymmetricKeyAlgorithm symmetricKeyAlgorithm,
+                                   HashAlgorithm hashAlgorithm,
+                                   CompressionAlgorithm compressionAlgorithm,
+                                   boolean asciiArmor)
+            throws IOException, PGPException {

-        requireNonNull(outputStream, "outputStream");
+        requireNonNull(outputStream, "targetOutputStream");
        requireNonNull(encryptionKeys, "encryptionKeys");
        requireNonNull(signingKeys, "signingKeys");
        requireNonNull(symmetricKeyAlgorithm, "symmetricKeyAlgorithm");
        requireNonNull(hashAlgorithm, "hashAlgorithm");
        requireNonNull(compressionAlgorithm, "compressionAlgorithm");

-
-
        return new EncryptionStream(outputStream,
                encryptionKeys,
                signingKeys,
@ -63,8 +140,68 @@ public class EncryptionStream extends OutputStream {
    }

    @Override
-    public void write(int i) throws IOException {
+    public void write(int data) throws IOException {
+        literalDataStream.write(data);

+        for (PGPSignatureGenerator signatureGenerator : signatureGenerators) {
+            byte asByte = (byte) (data & 0xff);
+            signatureGenerator.update(asByte);
+        }
+    }
+
+    @Override
+    public void write(byte[] buffer) throws IOException {
+        write(buffer, 0, buffer.length);
+    }
+
+
+    @Override
+    public void write(byte[] buffer, int off, int len) throws IOException {
+        literalDataStream.write(buffer, 0, len);
+        for (PGPSignatureGenerator signatureGenerator : signatureGenerators) {
+            signatureGenerator.update(buffer, 0, len);
+        }
+    }
+
+    @Override
+    public void flush() throws IOException {
+        literalDataStream.flush();
+    }
+
+    @Override
+    public void close() throws IOException {
+        if (!closed) {
+
+            // Literal Data
+            literalDataStream.flush();
+            literalDataStream.close();
+            literalDataGenerator.close();
+
+            // Signing
+            for (PGPSignatureGenerator signatureGenerator : signatureGenerators) {
+                try {
+                    signatureGenerator.generate().encode(basicCompressionStream);
+                } catch (PGPException e) {
+                    throw new IOException(e);
+                }
+            }
+
+            // Compressed Data
+            compressedDataGenerator.close();
+
+            // Public Key Encryption
+            if (publicKeyEncryptedStream != null) {
+                publicKeyEncryptedStream.flush();
+                publicKeyEncryptedStream.close();
+            }
+
+            // Armor
+            if (armorOutputStream != null) {
+                armorOutputStream.flush();
+                armorOutputStream.close();
+            }
+            closed = true;
+        }
    }

    private static void requireNonNull(Object o, String name) {
--- a/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/SecretKeyRingDecryptor.java
+++ b/src/main/java/de/vanitasvitae/crypto/pgpainless/encryption_signing/SecretKeyRingDecryptor.java
@ -0,0 +1,12 @@
+package de.vanitasvitae.crypto.pgpainless.encryption_signing;
+
+import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
+import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
+
+public interface SecretKeyRingDecryptor {
+
+   PBESecretKeyDecryptor getDecryptor(Long keyId);
+
+   PBESecretKeyEncryptor getEncryptor(Long keyId);
+
+}