fix(pgpainless): add metadata test to decryption step

Harsh Shandilya 2023-06-19 21:50:38 +05:30
parent e8a9944522
commit e0a0ca9be0


@ -19,6 +19,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection import org.bouncycastle.openpgp.PGPPublicKeyRingCollection
import org.bouncycastle.openpgp.PGPSecretKeyRing import org.bouncycastle.openpgp.PGPSecretKeyRing
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection import org.bouncycastle.openpgp.PGPSecretKeyRingCollection
import org.bouncycastle.util.io.Streams
import org.pgpainless.PGPainless import org.pgpainless.PGPainless
import org.pgpainless.decryption_verification.ConsumerOptions import org.pgpainless.decryption_verification.ConsumerOptions
import org.pgpainless.encryption_signing.EncryptionOptions import org.pgpainless.encryption_signing.EncryptionOptions
@ -53,14 +54,21 @@ public class PGPainlessCryptoHandler @Inject constructor() :
.map { key -> PGPainless.readKeyRing().secretKeyRing(key.contents) } .map { key -> PGPainless.readKeyRing().secretKeyRing(key.contents) }
.run(::PGPSecretKeyRingCollection) .run(::PGPSecretKeyRingCollection)
val protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(passphrase)) val protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(passphrase))
PGPainless.decryptAndOrVerify() val decryptionStream =
.onInputStream(ciphertextStream) PGPainless.decryptAndOrVerify()
.withOptions( .onInputStream(ciphertextStream)
ConsumerOptions() .withOptions(
.addDecryptionKeys(keyringCollection, protector) ConsumerOptions()
.addDecryptionPassphrase(Passphrase.fromPassword(passphrase)) .addDecryptionKeys(keyringCollection, protector)
) .addDecryptionPassphrase(Passphrase.fromPassword(passphrase))
.use { decryptionStream -> decryptionStream.copyTo(outputStream) } )
Streams.pipeAll(decryptionStream, outputStream)
decryptionStream.close()
keyringCollection.forEach { keyRing ->
check(decryptionStream.metadata.isEncryptedFor(keyRing)) {
"Stream should be encrypted for ${keyRing.secretKey.keyID} but wasn't"
}
}
return@runCatching return@runCatching
} }
.mapError { error -> .mapError { error ->
@ -106,12 +114,12 @@ public class PGPainlessCryptoHandler @Inject constructor() :
val producerOptions = val producerOptions =
ProducerOptions.encrypt(encryptionOptions) ProducerOptions.encrypt(encryptionOptions)
.setAsciiArmor(options.isOptionEnabled(PGPEncryptOptions.ASCII_ARMOR)) .setAsciiArmor(options.isOptionEnabled(PGPEncryptOptions.ASCII_ARMOR))
val encryptor = val encryptionStream =
PGPainless.encryptAndOrSign().onOutputStream(outputStream).withOptions(producerOptions) PGPainless.encryptAndOrSign().onOutputStream(outputStream).withOptions(producerOptions)
plaintextStream.copyTo(encryptor) Streams.pipeAll(plaintextStream, encryptionStream)
encryptor.close() encryptionStream.close()
val result = encryptor.result val result = encryptionStream.result
publicKeyRingCollection.keyRings.forEach { keyRing -> publicKeyRingCollection.forEach { keyRing ->
require(result.isEncryptedFor(keyRing)) { require(result.isEncryptedFor(keyRing)) {
"Stream should be encrypted for ${keyRing.publicKey.keyID} but wasn't" "Stream should be encrypted for ${keyRing.publicKey.keyID} but wasn't"
} }
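Review bot: In the decryption hunk the new `check` sits inside `keyringCollection.forEach`, so it demands that the message be encrypted for every secret key ring supplied, not just one of them; since the collection is built by mapping over a list of keys, a message addressed to only one of several configured keys would decrypt and then be reported as a failure. The check also runs only after `Streams.pipeAll` has written the plaintext to `outputStream`, so a failed check cannot stop that data reaching the caller's stream, which deserves a comment stating that the output must not be trusted when the result is an error. Consider `check(keyringCollection.any { decryptionStream.metadata.isEncryptedFor(it) }) { ... }` with a message that does not name a single key. Separately, swapping `.use { }` for a manual `close()` leaves the stream open if `pipeAll` throws; `decryptionStream.use { Streams.pipeAll(it, outputStream) }` keeps the cleanup and still lets `metadata` be read afterwards. The enclosing function starts and ends outside the hunk.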