1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-01-09 11:48:00 +01:00

WIP: Explore Hardware Decryption

This commit is contained in:
Paul Schaub 2022-09-21 15:03:45 +02:00
parent 7da34c8329
commit d39d062a0d
3 changed files with 72 additions and 0 deletions

View file

@ -48,6 +48,7 @@ public class ConsumerOptions {
// Session key for decryption without passphrase/key // Session key for decryption without passphrase/key
private SessionKey sessionKey = null; private SessionKey sessionKey = null;
private HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = null;
private final Map<PGPSecretKeyRing, SecretKeyRingProtector> decryptionKeys = new HashMap<>(); private final Map<PGPSecretKeyRing, SecretKeyRingProtector> decryptionKeys = new HashMap<>();
private final Set<Passphrase> decryptionPassphrases = new HashSet<>(); private final Set<Passphrase> decryptionPassphrases = new HashSet<>();
@ -238,6 +239,11 @@ public class ConsumerOptions {
return this; return this;
} }
public ConsumerOptions setHardwareDecryptionCallback(HardwareSecurity.DecryptionCallback callback) {
this.hardwareDecryptionCallback = callback;
return this;
}
public @Nonnull Set<PGPSecretKeyRing> getDecryptionKeys() { public @Nonnull Set<PGPSecretKeyRing> getDecryptionKeys() {
return Collections.unmodifiableSet(decryptionKeys.keySet()); return Collections.unmodifiableSet(decryptionKeys.keySet());
} }

View file

@ -0,0 +1,27 @@
package org.pgpainless.decryption_verification;
import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
import org.pgpainless.util.SessionKey;
public class HardwareSecurity {
public interface DecryptionCallback {
/**
* Delegate decryption of a Public-Key-Encrypted-Session-Key (PKESK) to an external API for dealing with
* hardware security modules such as smartcards or TPMs.
*
* If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown.
*
* @param pkesk public-key-encrypted session key
* @return decrypted session key
* @throws HardwareSecurityException exception
*/
SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurityException;
}
public static class HardwareSecurityException extends Exception {
}
}

View file

@ -0,0 +1,39 @@
package org.pgpainless.decryption_verification;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
import org.junit.jupiter.api.Test;
import org.pgpainless.PGPainless;
import org.pgpainless.util.SessionKey;
import java.io.ByteArrayInputStream;
import java.io.IOException;
public class HardwareSecurityCallbackTest {
@Test
public void test() throws PGPException, IOException {
PGPainless.decryptAndOrVerify()
.onInputStream(new ByteArrayInputStream(new byte[0]))
.withOptions(ConsumerOptions.get()
.setHardwareDecryptionCallback(new HardwareSecurity.DecryptionCallback() {
@Override
public SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurity.HardwareSecurityException {
/*
pkesk.getSessionKey(new PublicKeyDataDecryptorFactory() {
@Override
public byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData) throws PGPException {
return new byte[0];
}
@Override
public PGPDataDecryptor createDataDecryptor(boolean withIntegrityPacket, int encAlgorithm, byte[] key) throws PGPException {
return null;
}
});
*/
return null;
}
}));
}
}