1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-23 04:42:06 +01:00

Implement adding subkeys to keyrings

This commit is contained in:
Paul Schaub 2020-11-10 17:25:35 +01:00
parent d168c61bf3
commit b4967db1a2
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
5 changed files with 222 additions and 58 deletions

View file

@ -357,23 +357,23 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
.build() .build()
.get(HashAlgorithm.SHA1.getAlgorithmId()); .get(HashAlgorithm.SHA1.getAlgorithmId());
} }
private PGPKeyPair generateKeyPair(KeySpec spec)
throws NoSuchAlgorithmException, PGPException,
InvalidAlgorithmParameterException {
KeyType type = spec.getKeyType();
KeyPairGenerator certKeyGenerator = KeyPairGenerator.getInstance(type.getName(), ProviderFactory.getProvider());
certKeyGenerator.initialize(type.getAlgorithmSpec());
// Create raw Key Pair
KeyPair keyPair = certKeyGenerator.generateKeyPair();
// Form PGP key pair
PGPKeyPair pgpKeyPair = new JcaPGPKeyPair(type.getAlgorithm().getAlgorithmId(),
keyPair, new Date());
return pgpKeyPair;
}
} }
} }
public static PGPKeyPair generateKeyPair(KeySpec spec)
throws NoSuchAlgorithmException, PGPException,
InvalidAlgorithmParameterException {
KeyType type = spec.getKeyType();
KeyPairGenerator certKeyGenerator = KeyPairGenerator.getInstance(type.getName(), ProviderFactory.getProvider());
certKeyGenerator.initialize(type.getAlgorithmSpec());
// Create raw Key Pair
KeyPair keyPair = certKeyGenerator.generateKeyPair();
// Form PGP key pair
PGPKeyPair pgpKeyPair = new JcaPGPKeyPair(type.getAlgorithm().getAlgorithmId(),
keyPair, new Date());
return pgpKeyPair;
}
} }

View file

@ -15,6 +15,8 @@
*/ */
package org.pgpainless.key.modification; package org.pgpainless.key.modification;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.Iterator; import java.util.Iterator;
@ -25,6 +27,8 @@ import javax.annotation.Nonnull;
import javax.annotation.Nullable; import javax.annotation.Nullable;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRing;
@ -34,12 +38,16 @@ import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyEncryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider; import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.HashAlgorithm;
import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SignatureType;
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint;
import org.pgpainless.key.generation.KeyRingBuilder;
import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.KeySpec;
import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.KeyRingProtectionSettings;
import org.pgpainless.key.protection.PassphraseMapKeyRingProtector; import org.pgpainless.key.protection.PassphraseMapKeyRingProtector;
@ -186,17 +194,71 @@ public class KeyRingEditor implements KeyRingEditorInterface {
} }
@Override @Override
public KeyRingEditorInterface addSubKey(KeySpec keySpec, SecretKeyRingProtector protector) { public KeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec,
throw new NotYetImplementedException(); @Nonnull Passphrase subKeyPassphrase,
SecretKeyRingProtector secretKeyRingProtector)
throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
PGPSecretKey secretSubKey = generateSubKey(keySpec, subKeyPassphrase);
SecretKeyRingProtector subKeyProtector = PasswordBasedSecretKeyRingProtector
.forKey(secretSubKey, subKeyPassphrase);
return addSubKey(secretSubKey, subKeyProtector, secretKeyRingProtector);
} }
@Override @Override
public KeyRingEditorInterface deleteSubKey(OpenPgpV4Fingerprint fingerprint, SecretKeyRingProtector protector) { public KeyRingEditorInterface addSubKey(PGPSecretKey secretSubKey,
SecretKeyRingProtector subKeyProtector,
SecretKeyRingProtector keyRingProtector)
throws PGPException {
PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey();
PBESecretKeyDecryptor ringDecryptor = keyRingProtector.getDecryptor(primaryKey.getKeyID());
PBESecretKeyEncryptor subKeyEncryptor = subKeyProtector.getEncryptor(secretSubKey.getKeyID());
PGPDigestCalculator digestCalculator = new BcPGPDigestCalculatorProvider()
.get(defaultDigestHashAlgorithm.getAlgorithmId());
PGPContentSignerBuilder contentSignerBuilder = new BcPGPContentSignerBuilder(
primaryKey.getAlgorithm(), HashAlgorithm.SHA256.getAlgorithmId());
PGPPrivateKey privateSubKey = unlockSecretKey(secretSubKey, subKeyProtector);
PGPKeyPair subKeyPair = new PGPKeyPair(secretSubKey.getPublicKey(), privateSubKey);
PGPKeyRingGenerator keyRingGenerator = new PGPKeyRingGenerator(
secretKeyRing, ringDecryptor, digestCalculator, contentSignerBuilder, subKeyEncryptor);
keyRingGenerator.addSubKey(subKeyPair);
secretKeyRing = keyRingGenerator.generateSecretKeyRing();
return this;
}
private PGPSecretKey generateSubKey(@Nonnull KeySpec keySpec,
@Nonnull Passphrase subKeyPassphrase)
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPDigestCalculator checksumCalculator = new BcPGPDigestCalculatorProvider()
.get(defaultDigestHashAlgorithm.getAlgorithmId());
PBESecretKeyEncryptor subKeyEncryptor = subKeyPassphrase.isEmpty() ? null :
new BcPBESecretKeyEncryptorBuilder(SymmetricKeyAlgorithm.AES_256.getAlgorithmId())
.build(subKeyPassphrase.getChars());
PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec);
PGPSecretKey secretKey = new PGPSecretKey(keyPair.getPrivateKey(), keyPair.getPublicKey(),
checksumCalculator, false, subKeyEncryptor);
return secretKey;
}
@Override
public KeyRingEditorInterface deleteSubKey(OpenPgpV4Fingerprint fingerprint,
SecretKeyRingProtector protector) {
return deleteSubKey(fingerprint.getKeyId(), protector); return deleteSubKey(fingerprint.getKeyId(), protector);
} }
@Override @Override
public KeyRingEditorInterface deleteSubKey(long subKeyId, SecretKeyRingProtector protector) { public KeyRingEditorInterface deleteSubKey(long subKeyId,
SecretKeyRingProtector protector) {
if (secretKeyRing.getSecretKey().getKeyID() == subKeyId) { if (secretKeyRing.getSecretKey().getKeyID() == subKeyId) {
throw new IllegalArgumentException("You cannot delete the primary key of this key ring."); throw new IllegalArgumentException("You cannot delete the primary key of this key ring.");
} }
@ -309,48 +371,48 @@ public class KeyRingEditor implements KeyRingEditorInterface {
return KeyRingEditor.this; return KeyRingEditor.this;
} }
}
private PGPSecretKeyRing changePassphrase(Long keyId, private PGPSecretKeyRing changePassphrase(Long keyId,
PGPSecretKeyRing secretKeys, PGPSecretKeyRing secretKeys,
SecretKeyRingProtector oldProtector, SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector) throws PGPException { SecretKeyRingProtector newProtector) throws PGPException {
if (keyId == null) { if (keyId == null) {
// change passphrase of whole key ring // change passphrase of whole key ring
List<PGPSecretKey> newlyEncryptedSecretKeys = new ArrayList<>(); List<PGPSecretKey> newlyEncryptedSecretKeys = new ArrayList<>();
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys(); Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) { while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next(); PGPSecretKey secretKey = secretKeyIterator.next();
PGPPrivateKey privateKey = unlockSecretKey(secretKey, oldProtector);
secretKey = lockPrivateKey(privateKey, secretKey.getPublicKey(), newProtector);
newlyEncryptedSecretKeys.add(secretKey);
}
return new PGPSecretKeyRing(newlyEncryptedSecretKeys);
} else {
// change passphrase of selected subkey only
List<PGPSecretKey> secretKeyList = new ArrayList<>();
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
if (secretKey.getPublicKey().getKeyID() == keyId) {
// Re-encrypt only the selected subkey
PGPPrivateKey privateKey = unlockSecretKey(secretKey, oldProtector); PGPPrivateKey privateKey = unlockSecretKey(secretKey, oldProtector);
secretKey = lockPrivateKey(privateKey, secretKey.getPublicKey(), newProtector); secretKey = lockPrivateKey(privateKey, secretKey.getPublicKey(), newProtector);
newlyEncryptedSecretKeys.add(secretKey);
} }
return new PGPSecretKeyRing(newlyEncryptedSecretKeys);
} else {
// change passphrase of selected subkey only
List<PGPSecretKey> secretKeyList = new ArrayList<>();
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
if (secretKey.getPublicKey().getKeyID() == keyId) { secretKeyList.add(secretKey);
// Re-encrypt only the selected subkey
PGPPrivateKey privateKey = unlockSecretKey(secretKey, oldProtector);
secretKey = lockPrivateKey(privateKey, secretKey.getPublicKey(), newProtector);
}
secretKeyList.add(secretKey);
}
return new PGPSecretKeyRing(secretKeyList);
} }
} return new PGPSecretKeyRing(secretKeyList);
// TODO: Move to utility class
private PGPSecretKey lockPrivateKey(PGPPrivateKey privateKey, PGPPublicKey publicKey, SecretKeyRingProtector protector) throws PGPException {
PGPDigestCalculator checksumCalculator = new BcPGPDigestCalculatorProvider()
.get(defaultDigestHashAlgorithm.getAlgorithmId());
PBESecretKeyEncryptor encryptor = protector.getEncryptor(publicKey.getKeyID());
PGPSecretKey secretKey = new PGPSecretKey(privateKey, publicKey, checksumCalculator, publicKey.isMasterKey(), encryptor);
return secretKey;
} }
} }
// TODO: Move to utility class
private PGPSecretKey lockPrivateKey(PGPPrivateKey privateKey, PGPPublicKey publicKey, SecretKeyRingProtector protector) throws PGPException {
PGPDigestCalculator checksumCalculator = new BcPGPDigestCalculatorProvider()
.get(defaultDigestHashAlgorithm.getAlgorithmId());
PBESecretKeyEncryptor encryptor = protector.getEncryptor(publicKey.getKeyID());
PGPSecretKey secretKey = new PGPSecretKey(privateKey, publicKey, checksumCalculator, publicKey.isMasterKey(), encryptor);
return secretKey;
}
} }

View file

@ -15,10 +15,13 @@
*/ */
package org.pgpainless.key.modification; package org.pgpainless.key.modification;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import javax.annotation.Nonnull; import javax.annotation.Nonnull;
import javax.annotation.Nullable; import javax.annotation.Nullable;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint;
import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.KeySpec;
@ -63,7 +66,13 @@ public interface KeyRingEditorInterface {
* @param keySpec key specification * @param keySpec key specification
* @return the builder * @return the builder
*/ */
KeyRingEditorInterface addSubKey(KeySpec keySpec, SecretKeyRingProtector secretKeyRingProtector); KeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec,
@Nonnull Passphrase subKeyPassphrase,
SecretKeyRingProtector secretKeyRingProtector)
throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException;
KeyRingEditorInterface addSubKey(PGPSecretKey subKey, SecretKeyRingProtector subKeyProtector, SecretKeyRingProtector keyRingProtector)
throws PGPException;
/** /**
* Delete a subkey from the key ring. * Delete a subkey from the key ring.

View file

@ -20,6 +20,7 @@ import javax.annotation.Nullable;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider; import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
@ -68,6 +69,21 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect
return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider); return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider);
} }
public static PasswordBasedSecretKeyRingProtector forKey(PGPSecretKey key, Passphrase passphrase) {
KeyRingProtectionSettings protectionSettings = KeyRingProtectionSettings.secureDefaultSettings();
SecretKeyPassphraseProvider passphraseProvider = new SecretKeyPassphraseProvider() {
@Override
@Nullable
public Passphrase getPassphraseFor(Long keyId) {
if (key.getKeyID() == keyId) {
return passphrase;
}
return null;
}
};
return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider);
}
@Override @Override
@Nullable @Nullable
public PBESecretKeyDecryptor getDecryptor(Long keyId) { public PBESecretKeyDecryptor getDecryptor(Long keyId) {

View file

@ -0,0 +1,77 @@
/*
* Copyright 2020 Paul Schaub.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.pgpainless.key.modification;
import static org.junit.Assert.assertNotEquals;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.junit.Test;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.key.TestKeys;
import org.pgpainless.key.generation.KeySpec;
import org.pgpainless.key.generation.type.ECDSA;
import org.pgpainless.key.generation.type.curve.EllipticCurve;
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
import org.pgpainless.util.Passphrase;
public class AddSubKeyTest {
@Test
public void testAddSubKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing();
List<Long> keyIdsBefore = new ArrayList<>();
for (Iterator<PGPPublicKey> it = secretKeys.getPublicKeys(); it.hasNext(); ) {
keyIdsBefore.add(it.next().getKeyID());
}
secretKeys = PGPainless.modifyKeyRing(secretKeys)
.addSubKey(
KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256))
.withKeyFlags(KeyFlag.SIGN_DATA)
.withDefaultAlgorithms(),
Passphrase.fromPassword("subKeyPassphrase"),
PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("password123")))
.done();
List<Long> keyIdsAfter = new ArrayList<>();
for (Iterator<PGPPublicKey> it = secretKeys.getPublicKeys(); it.hasNext(); ) {
keyIdsAfter.add(it.next().getKeyID());
}
assertNotEquals(keyIdsAfter, keyIdsBefore);
keyIdsAfter.removeAll(keyIdsBefore);
long subKeyId = keyIdsAfter.get(0);
PGPSecretKey subKey = secretKeys.getSecretKey(subKeyId);
PGPPrivateKey privateKey = subKey.extractPrivateKey(
PasswordBasedSecretKeyRingProtector
.forKey(subKey, Passphrase.fromPassword("subKeyPassphrase"))
.getDecryptor(subKeyId));
}
}