1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-18 02:12:06 +01:00

Initial implementation of 'change-key-password' command of SOP-07

This commit is contained in:
Paul Schaub 2023-07-12 00:40:59 +02:00
parent 37bbe8bb39
commit d3fe850c95
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
5 changed files with 193 additions and 84 deletions

View file

@ -4,8 +4,21 @@
package org.pgpainless.key.modification.secretkeyring; package org.pgpainless.key.modification.secretkeyring;
import org.bouncycastle.bcpg.S2K; import static org.pgpainless.key.util.KeyRingUtils.changePassphrase;
import org.bouncycastle.bcpg.SecretKeyPacket; import static org.pgpainless.util.CollectionUtils.concat;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.bouncycastle.bcpg.sig.KeyExpirationTime; import org.bouncycastle.bcpg.sig.KeyExpirationTime;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
@ -14,8 +27,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.pgpainless.PGPainless; import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.AlgorithmSuite;
import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.CompressionAlgorithm;
@ -35,7 +46,6 @@ import org.pgpainless.key.protection.KeyRingProtectionSettings;
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector;
import org.pgpainless.key.protection.fixes.S2KUsageFix;
import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider; import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider;
import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.KeyRingUtils;
import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.key.util.RevocationAttributes;
@ -52,22 +62,6 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
import org.pgpainless.util.Passphrase; import org.pgpainless.util.Passphrase;
import org.pgpainless.util.selection.userid.SelectUserId; import org.pgpainless.util.selection.userid.SelectUserId;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import static org.pgpainless.util.CollectionUtils.concat;
public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
private PGPSecretKeyRing secretKeyRing; private PGPSecretKeyRing secretKeyRing;
@ -813,67 +807,4 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
} }
} }
private PGPSecretKeyRing changePassphrase(Long keyId,
PGPSecretKeyRing secretKeys,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
List<PGPSecretKey> secretKeyList = new ArrayList<>();
if (keyId == null) {
// change passphrase of whole key ring
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector);
secretKeyList.add(secretKey);
}
} else {
// change passphrase of selected subkey only
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
if (secretKey.getPublicKey().getKeyID() == keyId) {
// Re-encrypt only the selected subkey
secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector);
}
secretKeyList.add(secretKey);
}
}
PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList);
newRing = s2kUsageFixIfNecessary(newRing, newProtector);
return newRing;
}
private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
throws PGPException {
boolean hasS2KUsageChecksum = false;
for (PGPSecretKey secKey : secretKeys) {
if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
hasS2KUsageChecksum = true;
break;
}
}
if (hasS2KUsageChecksum) {
secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(
secretKeys, protector, true);
}
return secretKeys;
}
private static PGPSecretKey reencryptPrivateKey(
PGPSecretKey secretKey,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
S2K s2k = secretKey.getS2K();
// If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block
if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) {
long secretKeyId = secretKey.getKeyID();
PBESecretKeyDecryptor decryptor = oldProtector.getDecryptor(secretKeyId);
PBESecretKeyEncryptor encryptor = newProtector.getEncryptor(secretKeyId);
secretKey = PGPSecretKey.copyWithNewPassword(secretKey, decryptor, encryptor);
}
return secretKey;
}
} }

View file

@ -14,6 +14,8 @@ import java.util.NoSuchElementException;
import javax.annotation.Nonnull; import javax.annotation.Nonnull;
import javax.annotation.Nullable; import javax.annotation.Nullable;
import org.bouncycastle.bcpg.S2K;
import org.bouncycastle.bcpg.SecretKeyPacket;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPrivateKey;
@ -25,11 +27,14 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.bouncycastle.util.Strings; import org.bouncycastle.util.Strings;
import org.pgpainless.PGPainless; import org.pgpainless.PGPainless;
import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.protection.UnlockSecretKey;
import org.pgpainless.key.protection.fixes.S2KUsageFix;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -515,4 +520,70 @@ public final class KeyRingUtils {
} }
return userIds; return userIds;
} }
public static PGPSecretKeyRing changePassphrase(Long keyId,
PGPSecretKeyRing secretKeys,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
List<PGPSecretKey> secretKeyList = new ArrayList<>();
if (keyId == null) {
// change passphrase of whole key ring
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
secretKey = KeyRingUtils.reencryptPrivateKey(secretKey, oldProtector, newProtector);
secretKeyList.add(secretKey);
}
} else {
// change passphrase of selected subkey only
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
if (secretKey.getPublicKey().getKeyID() == keyId) {
// Re-encrypt only the selected subkey
secretKey = KeyRingUtils.reencryptPrivateKey(secretKey, oldProtector, newProtector);
}
secretKeyList.add(secretKey);
}
}
PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList);
newRing = s2kUsageFixIfNecessary(newRing, newProtector);
return newRing;
}
public static PGPSecretKey reencryptPrivateKey(
PGPSecretKey secretKey,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
S2K s2k = secretKey.getS2K();
// If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block
if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) {
long secretKeyId = secretKey.getKeyID();
PBESecretKeyDecryptor decryptor = oldProtector.getDecryptor(secretKeyId);
PBESecretKeyEncryptor encryptor = newProtector.getEncryptor(secretKeyId);
secretKey = PGPSecretKey.copyWithNewPassword(secretKey, decryptor, encryptor);
}
return secretKey;
}
public static PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
throws PGPException {
boolean hasS2KUsageChecksum = false;
for (PGPSecretKey secKey : secretKeys) {
if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
hasS2KUsageChecksum = true;
break;
}
}
if (hasS2KUsageChecksum) {
secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(
secretKeys, protector, true);
}
return secretKeys;
}
} }

View file

@ -0,0 +1,91 @@
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package org.pgpainless.sop;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.pgpainless.PGPainless;
import org.pgpainless.exception.MissingPassphraseException;
import org.pgpainless.key.OpenPgpFingerprint;
import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.util.KeyRingUtils;
import org.pgpainless.util.ArmoredOutputStreamFactory;
import org.pgpainless.util.Passphrase;
import sop.Ready;
import sop.exception.SOPGPException;
import sop.operation.ChangeKeyPassword;
public class ChangeKeyPasswordImpl implements ChangeKeyPassword {
private final MatchMakingSecretKeyRingProtector oldProtector = new MatchMakingSecretKeyRingProtector();
private Passphrase newPassphrase = Passphrase.emptyPassphrase();
private boolean armor = true;
@Override
public ChangeKeyPassword noArmor() {
armor = false;
return this;
}
@Override
public ChangeKeyPassword oldKeyPassphrase(String oldPassphrase) {
oldProtector.addPassphrase(Passphrase.fromPassword(oldPassphrase));
return this;
}
@Override
public ChangeKeyPassword newKeyPassphrase(String newPassphrase) {
this.newPassphrase = Passphrase.fromPassword(newPassphrase);
return this;
}
@Override
public Ready keys(InputStream inputStream) throws SOPGPException.KeyIsProtected {
SecretKeyRingProtector newProtector = SecretKeyRingProtector.unlockAnyKeyWith(newPassphrase);
PGPSecretKeyRingCollection secretKeyRingCollection;
try {
secretKeyRingCollection = PGPainless.readKeyRing().secretKeyRingCollection(inputStream);
} catch (IOException e) {
throw new SOPGPException.BadData(e);
}
List<PGPSecretKeyRing> updatedSecretKeys = new ArrayList<>();
for (PGPSecretKeyRing secretKeys : secretKeyRingCollection) {
oldProtector.addSecretKey(secretKeys);
try {
PGPSecretKeyRing changed = KeyRingUtils.changePassphrase(null, secretKeys, oldProtector, newProtector);
updatedSecretKeys.add(changed);
} catch (MissingPassphraseException e) {
throw new SOPGPException.KeyIsProtected("Cannot unlock key " + OpenPgpFingerprint.of(secretKeys), e);
} catch (PGPException e) {
if (e.getMessage().contains("Exception decrypting key")) {
throw new SOPGPException.KeyIsProtected("Cannot unlock key " + OpenPgpFingerprint.of(secretKeys), e);
}
throw new RuntimeException("Cannot change passphrase of key " + OpenPgpFingerprint.of(secretKeys), e);
}
}
final PGPSecretKeyRingCollection changedSecretKeyCollection = new PGPSecretKeyRingCollection(updatedSecretKeys);
return new Ready() {
@Override
public void writeTo(OutputStream outputStream) throws IOException {
if (armor) {
ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(outputStream);
changedSecretKeyCollection.encode(armorOut);
armorOut.close();
} else {
changedSecretKeyCollection.encode(outputStream);
}
}
};
}
}

View file

@ -7,6 +7,7 @@ package org.pgpainless.sop;
import org.pgpainless.util.ArmoredOutputStreamFactory; import org.pgpainless.util.ArmoredOutputStreamFactory;
import sop.SOP; import sop.SOP;
import sop.operation.Armor; import sop.operation.Armor;
import sop.operation.ChangeKeyPassword;
import sop.operation.Dearmor; import sop.operation.Dearmor;
import sop.operation.Decrypt; import sop.operation.Decrypt;
import sop.operation.DetachedSign; import sop.operation.DetachedSign;
@ -108,6 +109,11 @@ public class SOPImpl implements SOP {
return new RevokeKeyImpl(); return new RevokeKeyImpl();
} }
@Override
public ChangeKeyPassword changeKeyPassword() {
return new ChangeKeyPasswordImpl();
}
@Override @Override
public InlineDetach inlineDetach() { public InlineDetach inlineDetach() {
return new InlineDetachImpl(); return new InlineDetachImpl();

View file

@ -0,0 +1,10 @@
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package sop.testsuite.pgpainless.operation;
import sop.testsuite.operation.ChangeKeyPasswordTest;
public class PGPainlessChangeKeyPasswordTest extends ChangeKeyPasswordTest {
}