From bf9bf94fb0bd4ec88bdee7157765cfc826dc1f1d Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Fri, 21 Jul 2023 16:38:34 +0200
Subject: [PATCH] Integrate WoT by adding
 EncryptionOptions.addAuthenticatableRecipients() method

---
 .../authentication/CertificateAuthority.java  | 17 +++++++++++
 .../encryption_signing/EncryptionOptions.java | 28 +++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java b/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java
index 7f48c9c6..5c7f60cd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java
@@ -8,6 +8,7 @@ import org.pgpainless.key.OpenPgpFingerprint;
 
 import javax.annotation.Nonnull;
 import java.util.Date;
+import java.util.List;
 
 public interface CertificateAuthority {
 
@@ -30,4 +31,20 @@ public interface CertificateAuthority {
                                          boolean email,
                                          @Nonnull Date referenceTime,
                                          int targetAmount);
+
+    /**
+     * Identify certificates, which carry a trustworthy binding to the given userId.
+     *
+     * @param userId userId
+     * @param email if true, the user-ID will be treated as an email address and all user-IDs containing
+     *             the email address will be matched.
+     * @param referenceTime reference time at which the binding shall be evaluated
+     * @param targetAmount target trust amount (120 = fully authenticated, 240 = doubly authenticated,
+     *                     60 = partially authenticated...)
+     * @return list of identified bindings
+     */
+    List<CertificateAuthenticity> identify(@Nonnull String userId,
+                                           boolean email,
+                                           @Nonnull Date referenceTime,
+                                           int targetAmount);
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 248a8ce4..44122bdc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -23,6 +23,8 @@ import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PublicKeyKeyEncryptionMethodGenerator;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.authentication.CertificateAuthenticity;
+import org.pgpainless.authentication.CertificateAuthority;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpFingerprint;
@@ -113,6 +115,32 @@ public class EncryptionOptions {
         return new EncryptionOptions(EncryptionPurpose.STORAGE);
     }
 
+    /**
+     * Identify authenticatable certificates for the given user-ID by querying the {@link CertificateAuthority} for
+     * identifiable bindings.
+     * Add all acceptable bindings, whose trust amount is larger or equal to the target amount to the list of recipients.
+     * @param userId userId
+     * @param email if true, treat the user-ID as an email address and match all user-IDs containing the mail address
+     * @param authority certificate authority
+     * @param targetAmount target amount (120 = fully authenticated, 240 = doubly authenticated,
+     *                    60 = partially authenticated...)
+     * @return encryption options
+     */
+    public EncryptionOptions addAuthenticatableRecipients(String userId, boolean email, CertificateAuthority authority, int targetAmount) {
+        List<CertificateAuthenticity> identifiedCertificates = authority.identify(userId, email, new Date(), targetAmount);
+        boolean foundAcceptable = false;
+        for (CertificateAuthenticity candidate : identifiedCertificates) {
+            if (candidate.isAuthenticated()) {
+                addRecipient(candidate.getCertificate());
+                foundAcceptable = true;
+            }
+        }
+        if (!foundAcceptable) {
+            throw new IllegalArgumentException("Could not identify any trust-worthy certificates for '" + userId + "' and target trust amount " + targetAmount);
+        }
+        return this;
+    }
+
     /**
      * Add all key rings in the provided {@link Iterable} (e.g. {@link PGPPublicKeyRingCollection}) as recipients.
      *