mirror of
https://codeberg.org/PGPainless/sop-java.git
synced 2024-12-22 04:57:56 +01:00
Initial implementation of 'change-key-password' command of SOP-07
This commit is contained in:
parent
618d123a7b
commit
7e1377a28c
9 changed files with 317 additions and 0 deletions
|
@ -8,6 +8,7 @@ import sop.Ready;
|
|||
import sop.SOP;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.external.operation.ArmorExternal;
|
||||
import sop.external.operation.ChangeKeyPasswordExternal;
|
||||
import sop.external.operation.DearmorExternal;
|
||||
import sop.external.operation.DecryptExternal;
|
||||
import sop.external.operation.DetachedSignExternal;
|
||||
|
@ -22,6 +23,7 @@ import sop.external.operation.ListProfilesExternal;
|
|||
import sop.external.operation.RevokeKeyExternal;
|
||||
import sop.external.operation.VersionExternal;
|
||||
import sop.operation.Armor;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
import sop.operation.Dearmor;
|
||||
import sop.operation.Decrypt;
|
||||
import sop.operation.DetachedSign;
|
||||
|
@ -168,6 +170,11 @@ public class ExternalSOP implements SOP {
|
|||
return new RevokeKeyExternal(binaryName, properties);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword changeKeyPassword() {
|
||||
return new ChangeKeyPasswordExternal(binaryName, properties);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Dearmor dearmor() {
|
||||
return new DearmorExternal(binaryName, properties);
|
||||
|
|
57
external-sop/src/main/java/sop/external/operation/ChangeKeyPasswordExternal.java
vendored
Normal file
57
external-sop/src/main/java/sop/external/operation/ChangeKeyPasswordExternal.java
vendored
Normal file
|
@ -0,0 +1,57 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package sop.external.operation;
|
||||
|
||||
import sop.Ready;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.external.ExternalSOP;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
|
||||
public class ChangeKeyPasswordExternal implements ChangeKeyPassword {
|
||||
private final List<String> commandList = new ArrayList<>();
|
||||
private final List<String> envList;
|
||||
|
||||
private int keyPasswordCounter = 0;
|
||||
|
||||
public ChangeKeyPasswordExternal(String binary, Properties environment) {
|
||||
this.commandList.add(binary);
|
||||
this.commandList.add("decrypt");
|
||||
this.envList = ExternalSOP.propertiesToEnv(environment);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword noArmor() {
|
||||
this.commandList.add("--no-armor");
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword oldKeyPassphrase(String oldPassphrase) {
|
||||
this.commandList.add("--old-key-password=@ENV:KEY_PASSWORD_" + keyPasswordCounter);
|
||||
this.envList.add("KEY_PASSWORD_" + keyPasswordCounter + "=" + oldPassphrase);
|
||||
keyPasswordCounter++;
|
||||
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword newKeyPassphrase(String newPassphrase) {
|
||||
this.commandList.add("--new-key-password=@ENV:KEY_PASSWORD_" + keyPasswordCounter);
|
||||
this.envList.add("KEY_PASSWORD_" + keyPasswordCounter + "=" + newPassphrase);
|
||||
keyPasswordCounter++;
|
||||
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Ready keys(InputStream inputStream) throws SOPGPException.KeyIsProtected, SOPGPException.BadData {
|
||||
return ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, inputStream);
|
||||
}
|
||||
}
|
|
@ -4,8 +4,10 @@
|
|||
|
||||
package sop.testsuite.external.operation;
|
||||
|
||||
import org.junit.jupiter.api.condition.EnabledIf;
|
||||
import sop.testsuite.operation.RevokeKeyTest;
|
||||
|
||||
@EnabledIf("sop.testsuite.operation.AbstractSOPTest#hasBackends")
|
||||
public class ExternalRevokeKeyTest extends RevokeKeyTest {
|
||||
|
||||
}
|
||||
|
|
|
@ -8,6 +8,7 @@ import picocli.AutoComplete;
|
|||
import picocli.CommandLine;
|
||||
import sop.SOP;
|
||||
import sop.cli.picocli.commands.ArmorCmd;
|
||||
import sop.cli.picocli.commands.ChangeKeyPasswordCmd;
|
||||
import sop.cli.picocli.commands.DearmorCmd;
|
||||
import sop.cli.picocli.commands.DecryptCmd;
|
||||
import sop.cli.picocli.commands.InlineDetachCmd;
|
||||
|
@ -45,6 +46,7 @@ import java.util.ResourceBundle;
|
|||
InlineVerifyCmd.class,
|
||||
ListProfilesCmd.class,
|
||||
RevokeKeyCmd.class,
|
||||
ChangeKeyPasswordCmd.class,
|
||||
VersionCmd.class,
|
||||
AutoComplete.GenerateCompletion.class
|
||||
}
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package sop.cli.picocli.commands;
|
||||
|
||||
import picocli.CommandLine;
|
||||
import sop.cli.picocli.SopCLI;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@CommandLine.Command(name = "change-key-password",
|
||||
resourceBundle = "msg_dearmor", // TODO
|
||||
exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
|
||||
public class ChangeKeyPasswordCmd extends AbstractSopCmd {
|
||||
|
||||
@CommandLine.Option(names = "--no-armor",
|
||||
negatable = true)
|
||||
boolean armor = true;
|
||||
|
||||
@CommandLine.Option(names = {"--old-key-password"})
|
||||
List<String> oldKeyPasswords = new ArrayList<>();
|
||||
|
||||
@CommandLine.Option(names = {"--new-key-password"}, arity = "0..1")
|
||||
String newKeyPassword = null;
|
||||
|
||||
@Override
|
||||
public void run() {
|
||||
ChangeKeyPassword changeKeyPassword = throwIfUnsupportedSubcommand(
|
||||
SopCLI.getSop().changeKeyPassword(), "change-key-password");
|
||||
|
||||
if (!armor) {
|
||||
changeKeyPassword.noArmor();
|
||||
}
|
||||
|
||||
for (String oldKeyPassword : oldKeyPasswords) {
|
||||
changeKeyPassword.oldKeyPassphrase(oldKeyPassword);
|
||||
}
|
||||
|
||||
if (newKeyPassword != null) {
|
||||
changeKeyPassword.newKeyPassphrase(newKeyPassword);
|
||||
}
|
||||
|
||||
try {
|
||||
changeKeyPassword.keys(System.in).writeTo(System.out);
|
||||
} catch (IOException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -16,6 +16,7 @@ import org.junit.jupiter.api.Test;
|
|||
import sop.SOP;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.operation.Armor;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
import sop.operation.Dearmor;
|
||||
import sop.operation.Decrypt;
|
||||
import sop.operation.InlineDetach;
|
||||
|
@ -107,6 +108,11 @@ public class SOPTest {
|
|||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ChangeKeyPassword changeKeyPassword() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public InlineDetach inlineDetach() {
|
||||
return null;
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
package sop;
|
||||
|
||||
import sop.operation.Armor;
|
||||
import sop.operation.ChangeKeyPassword;
|
||||
import sop.operation.Dearmor;
|
||||
import sop.operation.Decrypt;
|
||||
import sop.operation.Encrypt;
|
||||
|
@ -166,4 +167,11 @@ public interface SOP {
|
|||
* @return builder instance
|
||||
*/
|
||||
RevokeKey revokeKey();
|
||||
|
||||
/**
|
||||
* Update a key's password.
|
||||
*
|
||||
* @return builder instance
|
||||
*/
|
||||
ChangeKeyPassword changeKeyPassword();
|
||||
}
|
||||
|
|
83
sop-java/src/main/java/sop/operation/ChangeKeyPassword.java
Normal file
83
sop-java/src/main/java/sop/operation/ChangeKeyPassword.java
Normal file
|
@ -0,0 +1,83 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package sop.operation;
|
||||
|
||||
import sop.Ready;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.util.UTF8Util;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.InputStream;
|
||||
import java.nio.charset.CharacterCodingException;
|
||||
|
||||
public interface ChangeKeyPassword {
|
||||
|
||||
/**
|
||||
* Disable ASCII armoring of the output.
|
||||
*
|
||||
* @return builder instance
|
||||
*/
|
||||
ChangeKeyPassword noArmor();
|
||||
|
||||
default ChangeKeyPassword oldKeyPassphrase(byte[] password) {
|
||||
try {
|
||||
return oldKeyPassphrase(UTF8Util.decodeUTF8(password));
|
||||
} catch (CharacterCodingException e) {
|
||||
throw new SOPGPException.PasswordNotHumanReadable("Password MUST be a valid UTF8 string.");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Provide a passphrase to unlock the secret key.
|
||||
* This method can be provided multiple times to provide separate passphrases that are tried as a
|
||||
* means to unlock any secret key material encountered.
|
||||
*
|
||||
* @param oldPassphrase old passphrase
|
||||
* @return builder instance
|
||||
*/
|
||||
ChangeKeyPassword oldKeyPassphrase(String oldPassphrase);
|
||||
|
||||
/**
|
||||
* Provide a passphrase to re-lock the secret key with.
|
||||
* This method can only be used once, and all key material encountered will be encrypted with the given passphrase.
|
||||
* If this method is not called, the key material will not be protected.
|
||||
*
|
||||
* @param newPassphrase new passphrase
|
||||
* @return builder instance
|
||||
*/
|
||||
default ChangeKeyPassword newKeyPassphrase(byte[] newPassphrase) {
|
||||
try {
|
||||
return newKeyPassphrase(UTF8Util.decodeUTF8(newPassphrase));
|
||||
} catch (CharacterCodingException e) {
|
||||
throw new SOPGPException.PasswordNotHumanReadable("Password MUST be a valid UTF8 string.");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Provide a passphrase to re-lock the secret key with.
|
||||
* This method can only be used once, and all key material encountered will be encrypted with the given passphrase.
|
||||
* If this method is not called, the key material will not be protected.
|
||||
*
|
||||
* @param newPassphrase new passphrase
|
||||
* @return builder instance
|
||||
*/
|
||||
ChangeKeyPassword newKeyPassphrase(String newPassphrase);
|
||||
|
||||
default Ready keys(byte[] keys) throws SOPGPException.KeyIsProtected, SOPGPException.BadData {
|
||||
return keys(new ByteArrayInputStream(keys));
|
||||
}
|
||||
|
||||
/**
|
||||
* Provide the key material.
|
||||
*
|
||||
* @param inputStream input stream of secret key material
|
||||
* @return ready
|
||||
*
|
||||
* @throws sop.exception.SOPGPException.KeyIsProtected if any (sub-) key encountered cannot be unlocked.
|
||||
* @throws sop.exception.SOPGPException.BadData if the key material is malformed
|
||||
*/
|
||||
Ready keys(InputStream inputStream) throws SOPGPException.KeyIsProtected, SOPGPException.BadData;
|
||||
|
||||
}
|
|
@ -0,0 +1,98 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package sop.testsuite.operation;
|
||||
|
||||
import org.junit.jupiter.api.condition.EnabledIf;
|
||||
import org.junit.jupiter.params.ParameterizedTest;
|
||||
import org.junit.jupiter.params.provider.Arguments;
|
||||
import org.junit.jupiter.params.provider.MethodSource;
|
||||
import sop.SOP;
|
||||
import sop.exception.SOPGPException;
|
||||
import sop.util.UTF8Util;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
|
||||
@EnabledIf("sop.testsuite.operation.AbstractSOPTest#hasBackends")
|
||||
public class ChangeKeyPasswordTest extends AbstractSOPTest {
|
||||
|
||||
static Stream<Arguments> provideInstances() {
|
||||
return AbstractSOPTest.provideBackends();
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@MethodSource("provideInstances")
|
||||
public void changePasswordFromUnprotectedToProtected(SOP sop) throws IOException {
|
||||
byte[] unprotectedKey = sop.generateKey().generate().getBytes();
|
||||
byte[] password = "sw0rdf1sh".getBytes(UTF8Util.UTF8);
|
||||
byte[] protectedKey = sop.changeKeyPassword().newKeyPassphrase(password).keys(unprotectedKey).getBytes();
|
||||
|
||||
sop.sign().withKeyPassword(password).key(protectedKey).data("Test123".getBytes(StandardCharsets.UTF_8));
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@MethodSource("provideInstances")
|
||||
public void changePasswordFromUnprotectedToUnprotected(SOP sop) throws IOException {
|
||||
byte[] unprotectedKey = sop.generateKey().noArmor().generate().getBytes();
|
||||
byte[] stillUnprotectedKey = sop.changeKeyPassword().noArmor().keys(unprotectedKey).getBytes();
|
||||
|
||||
assertArrayEquals(unprotectedKey, stillUnprotectedKey);
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@MethodSource("provideInstances")
|
||||
public void changePasswordFromProtectedToUnprotected(SOP sop) throws IOException {
|
||||
byte[] password = "sw0rdf1sh".getBytes(UTF8Util.UTF8);
|
||||
byte[] protectedKey = sop.generateKey().withKeyPassword(password).generate().getBytes();
|
||||
byte[] unprotectedKey = sop.changeKeyPassword()
|
||||
.oldKeyPassphrase(password)
|
||||
.keys(protectedKey).getBytes();
|
||||
|
||||
sop.sign().key(unprotectedKey).data("Test123".getBytes(StandardCharsets.UTF_8));
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@MethodSource("provideInstances")
|
||||
public void changePasswordFromProtectedToDifferentProtected(SOP sop) throws IOException {
|
||||
byte[] oldPassword = "sw0rdf1sh".getBytes(UTF8Util.UTF8);
|
||||
byte[] newPassword = "0r4ng3".getBytes(UTF8Util.UTF8);
|
||||
byte[] protectedKey = sop.generateKey().withKeyPassword(oldPassword).generate().getBytes();
|
||||
byte[] reprotectedKey = sop.changeKeyPassword()
|
||||
.oldKeyPassphrase(oldPassword)
|
||||
.newKeyPassphrase(newPassword)
|
||||
.keys(protectedKey).getBytes();
|
||||
|
||||
sop.sign().key(reprotectedKey).withKeyPassword(newPassword).data("Test123".getBytes(StandardCharsets.UTF_8));
|
||||
}
|
||||
|
||||
|
||||
@ParameterizedTest
|
||||
@MethodSource("provideInstances")
|
||||
public void changePasswordWithWrongOldPasswordFails(SOP sop) throws IOException {
|
||||
byte[] oldPassword = "sw0rdf1sh".getBytes(UTF8Util.UTF8);
|
||||
byte[] newPassword = "monkey123".getBytes(UTF8Util.UTF8);
|
||||
byte[] wrongPassword = "0r4ng3".getBytes(UTF8Util.UTF8);
|
||||
|
||||
byte[] protectedKey = sop.generateKey().withKeyPassword(oldPassword).generate().getBytes();
|
||||
assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.changeKeyPassword()
|
||||
.oldKeyPassphrase(wrongPassword)
|
||||
.newKeyPassphrase(newPassword)
|
||||
.keys(protectedKey).getBytes());
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@MethodSource("provideInstances")
|
||||
public void nonUtf8PasswordsFail(SOP sop) {
|
||||
assertThrows(SOPGPException.PasswordNotHumanReadable.class, () ->
|
||||
sop.changeKeyPassword().oldKeyPassphrase(new byte[] {(byte) 0xff, (byte) 0xfe}));
|
||||
assertThrows(SOPGPException.PasswordNotHumanReadable.class, () ->
|
||||
sop.changeKeyPassword().newKeyPassphrase(new byte[] {(byte) 0xff, (byte) 0xfe}));
|
||||
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue