mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-22 19:08:00 +01:00
Initial implementation of 'change-key-password' command of SOP-07
This commit is contained in:
parent
37bbe8bb39
commit
d3fe850c95
5 changed files with 193 additions and 84 deletions
|
@ -4,8 +4,21 @@
|
|||
|
||||
package org.pgpainless.key.modification.secretkeyring;
|
||||
|
||||
import org.bouncycastle.bcpg.S2K;
|
||||
import org.bouncycastle.bcpg.SecretKeyPacket;
|
||||
import static org.pgpainless.key.util.KeyRingUtils.changePassphrase;
|
||||
import static org.pgpainless.util.CollectionUtils.concat;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.Collections;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.NoSuchElementException;
|
||||
import java.util.Set;
|
||||
import javax.annotation.Nonnull;
|
||||
import javax.annotation.Nullable;
|
||||
|
||||
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPKeyPair;
|
||||
|
@ -14,8 +27,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
|||
import org.bouncycastle.openpgp.PGPSecretKey;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
|
||||
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.algorithm.AlgorithmSuite;
|
||||
import org.pgpainless.algorithm.CompressionAlgorithm;
|
||||
|
@ -35,7 +46,6 @@ import org.pgpainless.key.protection.KeyRingProtectionSettings;
|
|||
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
import org.pgpainless.key.protection.UnprotectedKeysProtector;
|
||||
import org.pgpainless.key.protection.fixes.S2KUsageFix;
|
||||
import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider;
|
||||
import org.pgpainless.key.util.KeyRingUtils;
|
||||
import org.pgpainless.key.util.RevocationAttributes;
|
||||
|
@ -52,22 +62,6 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
|||
import org.pgpainless.util.Passphrase;
|
||||
import org.pgpainless.util.selection.userid.SelectUserId;
|
||||
|
||||
import javax.annotation.Nonnull;
|
||||
import javax.annotation.Nullable;
|
||||
import java.io.IOException;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.Date;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.NoSuchElementException;
|
||||
import java.util.Set;
|
||||
|
||||
import static org.pgpainless.util.CollectionUtils.concat;
|
||||
|
||||
public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
|
||||
|
||||
private PGPSecretKeyRing secretKeyRing;
|
||||
|
@ -813,67 +807,4 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
|
|||
}
|
||||
}
|
||||
|
||||
private PGPSecretKeyRing changePassphrase(Long keyId,
|
||||
PGPSecretKeyRing secretKeys,
|
||||
SecretKeyRingProtector oldProtector,
|
||||
SecretKeyRingProtector newProtector)
|
||||
throws PGPException {
|
||||
List<PGPSecretKey> secretKeyList = new ArrayList<>();
|
||||
if (keyId == null) {
|
||||
// change passphrase of whole key ring
|
||||
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
|
||||
while (secretKeyIterator.hasNext()) {
|
||||
PGPSecretKey secretKey = secretKeyIterator.next();
|
||||
secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector);
|
||||
secretKeyList.add(secretKey);
|
||||
}
|
||||
} else {
|
||||
// change passphrase of selected subkey only
|
||||
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
|
||||
while (secretKeyIterator.hasNext()) {
|
||||
PGPSecretKey secretKey = secretKeyIterator.next();
|
||||
if (secretKey.getPublicKey().getKeyID() == keyId) {
|
||||
// Re-encrypt only the selected subkey
|
||||
secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector);
|
||||
}
|
||||
secretKeyList.add(secretKey);
|
||||
}
|
||||
}
|
||||
|
||||
PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList);
|
||||
newRing = s2kUsageFixIfNecessary(newRing, newProtector);
|
||||
return newRing;
|
||||
}
|
||||
|
||||
private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
|
||||
throws PGPException {
|
||||
boolean hasS2KUsageChecksum = false;
|
||||
for (PGPSecretKey secKey : secretKeys) {
|
||||
if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
|
||||
hasS2KUsageChecksum = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (hasS2KUsageChecksum) {
|
||||
secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(
|
||||
secretKeys, protector, true);
|
||||
}
|
||||
return secretKeys;
|
||||
}
|
||||
|
||||
private static PGPSecretKey reencryptPrivateKey(
|
||||
PGPSecretKey secretKey,
|
||||
SecretKeyRingProtector oldProtector,
|
||||
SecretKeyRingProtector newProtector)
|
||||
throws PGPException {
|
||||
S2K s2k = secretKey.getS2K();
|
||||
// If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block
|
||||
if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) {
|
||||
long secretKeyId = secretKey.getKeyID();
|
||||
PBESecretKeyDecryptor decryptor = oldProtector.getDecryptor(secretKeyId);
|
||||
PBESecretKeyEncryptor encryptor = newProtector.getEncryptor(secretKeyId);
|
||||
secretKey = PGPSecretKey.copyWithNewPassword(secretKey, decryptor, encryptor);
|
||||
}
|
||||
return secretKey;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -14,6 +14,8 @@ import java.util.NoSuchElementException;
|
|||
import javax.annotation.Nonnull;
|
||||
import javax.annotation.Nullable;
|
||||
|
||||
import org.bouncycastle.bcpg.S2K;
|
||||
import org.bouncycastle.bcpg.SecretKeyPacket;
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPPrivateKey;
|
||||
|
@ -25,11 +27,14 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
|||
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
|
||||
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
|
||||
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
|
||||
import org.bouncycastle.util.Strings;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.implementation.ImplementationFactory;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
import org.pgpainless.key.protection.UnlockSecretKey;
|
||||
import org.pgpainless.key.protection.fixes.S2KUsageFix;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
|
@ -515,4 +520,70 @@ public final class KeyRingUtils {
|
|||
}
|
||||
return userIds;
|
||||
}
|
||||
|
||||
public static PGPSecretKeyRing changePassphrase(Long keyId,
|
||||
PGPSecretKeyRing secretKeys,
|
||||
SecretKeyRingProtector oldProtector,
|
||||
SecretKeyRingProtector newProtector)
|
||||
throws PGPException {
|
||||
List<PGPSecretKey> secretKeyList = new ArrayList<>();
|
||||
if (keyId == null) {
|
||||
// change passphrase of whole key ring
|
||||
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
|
||||
while (secretKeyIterator.hasNext()) {
|
||||
PGPSecretKey secretKey = secretKeyIterator.next();
|
||||
secretKey = KeyRingUtils.reencryptPrivateKey(secretKey, oldProtector, newProtector);
|
||||
secretKeyList.add(secretKey);
|
||||
}
|
||||
} else {
|
||||
// change passphrase of selected subkey only
|
||||
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
|
||||
while (secretKeyIterator.hasNext()) {
|
||||
PGPSecretKey secretKey = secretKeyIterator.next();
|
||||
if (secretKey.getPublicKey().getKeyID() == keyId) {
|
||||
// Re-encrypt only the selected subkey
|
||||
secretKey = KeyRingUtils.reencryptPrivateKey(secretKey, oldProtector, newProtector);
|
||||
}
|
||||
secretKeyList.add(secretKey);
|
||||
}
|
||||
}
|
||||
|
||||
PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList);
|
||||
newRing = s2kUsageFixIfNecessary(newRing, newProtector);
|
||||
return newRing;
|
||||
}
|
||||
|
||||
|
||||
public static PGPSecretKey reencryptPrivateKey(
|
||||
PGPSecretKey secretKey,
|
||||
SecretKeyRingProtector oldProtector,
|
||||
SecretKeyRingProtector newProtector)
|
||||
throws PGPException {
|
||||
S2K s2k = secretKey.getS2K();
|
||||
// If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block
|
||||
if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) {
|
||||
long secretKeyId = secretKey.getKeyID();
|
||||
PBESecretKeyDecryptor decryptor = oldProtector.getDecryptor(secretKeyId);
|
||||
PBESecretKeyEncryptor encryptor = newProtector.getEncryptor(secretKeyId);
|
||||
secretKey = PGPSecretKey.copyWithNewPassword(secretKey, decryptor, encryptor);
|
||||
}
|
||||
return secretKey;
|
||||
}
|
||||
|
||||
|
||||
public static PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
|
||||
throws PGPException {
|
||||
boolean hasS2KUsageChecksum = false;
|
||||
for (PGPSecretKey secKey : secretKeys) {
|
||||
if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
|
||||
hasS2KUsageChecksum = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (hasS2KUsageChecksum) {
|
||||
secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(
|
||||
secretKeys, protector, true);
|
||||
}
|
||||
return secretKeys;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,91 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.sop;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStream;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.bouncycastle.bcpg.ArmoredOutputStream;
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.exception.MissingPassphraseException;
|
||||
import org.pgpainless.key.OpenPgpFingerprint;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
import org.pgpainless.key.util.KeyRingUtils;
|
||||
import org.pgpainless.util.ArmoredOutputStreamFactory;
|
||||
import org.pgpainless.util.Passphrase;
|
||||
import sop.Ready;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
|
||||
public class ChangeKeyPasswordImpl implements ChangeKeyPassword {
|
||||
|
||||
private final MatchMakingSecretKeyRingProtector oldProtector = new MatchMakingSecretKeyRingProtector();
|
||||
private Passphrase newPassphrase = Passphrase.emptyPassphrase();
|
||||
private boolean armor = true;
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword noArmor() {
|
||||
armor = false;
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword oldKeyPassphrase(String oldPassphrase) {
|
||||
oldProtector.addPassphrase(Passphrase.fromPassword(oldPassphrase));
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword newKeyPassphrase(String newPassphrase) {
|
||||
this.newPassphrase = Passphrase.fromPassword(newPassphrase);
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Ready keys(InputStream inputStream) throws SOPGPException.KeyIsProtected {
|
||||
SecretKeyRingProtector newProtector = SecretKeyRingProtector.unlockAnyKeyWith(newPassphrase);
|
||||
PGPSecretKeyRingCollection secretKeyRingCollection;
|
||||
try {
|
||||
secretKeyRingCollection = PGPainless.readKeyRing().secretKeyRingCollection(inputStream);
|
||||
} catch (IOException e) {
|
||||
throw new SOPGPException.BadData(e);
|
||||
}
|
||||
|
||||
List<PGPSecretKeyRing> updatedSecretKeys = new ArrayList<>();
|
||||
for (PGPSecretKeyRing secretKeys : secretKeyRingCollection) {
|
||||
oldProtector.addSecretKey(secretKeys);
|
||||
try {
|
||||
PGPSecretKeyRing changed = KeyRingUtils.changePassphrase(null, secretKeys, oldProtector, newProtector);
|
||||
updatedSecretKeys.add(changed);
|
||||
} catch (MissingPassphraseException e) {
|
||||
throw new SOPGPException.KeyIsProtected("Cannot unlock key " + OpenPgpFingerprint.of(secretKeys), e);
|
||||
} catch (PGPException e) {
|
||||
if (e.getMessage().contains("Exception decrypting key")) {
|
||||
throw new SOPGPException.KeyIsProtected("Cannot unlock key " + OpenPgpFingerprint.of(secretKeys), e);
|
||||
}
|
||||
throw new RuntimeException("Cannot change passphrase of key " + OpenPgpFingerprint.of(secretKeys), e);
|
||||
}
|
||||
}
|
||||
final PGPSecretKeyRingCollection changedSecretKeyCollection = new PGPSecretKeyRingCollection(updatedSecretKeys);
|
||||
return new Ready() {
|
||||
@Override
|
||||
public void writeTo(OutputStream outputStream) throws IOException {
|
||||
if (armor) {
|
||||
ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(outputStream);
|
||||
changedSecretKeyCollection.encode(armorOut);
|
||||
armorOut.close();
|
||||
} else {
|
||||
changedSecretKeyCollection.encode(outputStream);
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
|
@ -7,6 +7,7 @@ package org.pgpainless.sop;
|
|||
import org.pgpainless.util.ArmoredOutputStreamFactory;
|
||||
import sop.SOP;
|
||||
import sop.operation.Armor;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
import sop.operation.Dearmor;
|
||||
import sop.operation.Decrypt;
|
||||
import sop.operation.DetachedSign;
|
||||
|
@ -108,6 +109,11 @@ public class SOPImpl implements SOP {
|
|||
return new RevokeKeyImpl();
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword changeKeyPassword() {
|
||||
return new ChangeKeyPasswordImpl();
|
||||
}
|
||||
|
||||
@Override
|
||||
public InlineDetach inlineDetach() {
|
||||
return new InlineDetachImpl();
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package sop.testsuite.pgpainless.operation;
|
||||
|
||||
import sop.testsuite.operation.ChangeKeyPasswordTest;
|
||||
|
||||
public class PGPainlessChangeKeyPasswordTest extends ChangeKeyPasswordTest {
|
||||
}
|
Loading…
Reference in a new issue