Rename SXprUtilities to SXprReader

Add SXprWriter to help writing canonical S expression
Fix decoding AES-OCB encrypted S expression keys

Author: filipnavara

crypto/src/openpgp/PgpSecretKey.cs

@@ -2,6 +2,7 @@
 using System.Collections;
 using System.Diagnostics;
 using System.IO;
+using crypto.openpgp;
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.Misc;
 using Org.BouncyCastle.Asn1.X9;
@@ -1116,60 +1117,6 @@ public static PgpSecretKey ParseSecretKeyFromSExprRaw(Stream inputStream, byte[]
             return DoParseSecretKeyFromSExpr(inputStream, rawPassPhrase, false, pubKey);
         }
 
-        internal static PgpSecretKey DoParseSecretKeyFromSExpr(Stream inputStream, byte[] rawPassPhrase, bool clearPassPhrase, PgpPublicKey pubKey)
-        {
-            SXprUtilities reader = new SXprUtilities(inputStream);
-
-            reader.SkipOpenParenthesis();
-
-            string type = reader.ReadString();
-            if (type.Equals("protected-private-key"))
-            {
-                reader.SkipOpenParenthesis();
-
-                string curveName;
-
-                string keyType = reader.ReadString();
-                if (keyType.Equals("ecc"))
-                {
-                    reader.SkipOpenParenthesis();
-
-                    string curveID = reader.ReadString();
-                    curveName = reader.ReadString();
-
-                    reader.SkipCloseParenthesis();
-                }
-                else
-                {
-                    throw new PgpException("no curve details found");
-                }
-
-                byte[] qVal;
-
-                reader.SkipOpenParenthesis();
-
-                type = reader.ReadString();
-                if (type.Equals("q"))
-                {
-                    qVal = reader.ReadBytes();
-                }
-                else
-                {
-                    throw new PgpException("no q value found");
-                }
-
-                reader.SkipCloseParenthesis();
-
-                byte[] dValue = GetDValue(reader, rawPassPhrase, clearPassPhrase, curveName);
-                // TODO: check SHA-1 hash.
-
-                return new PgpSecretKey(new SecretKeyPacket(pubKey.PublicKeyPacket, SymmetricKeyAlgorithmTag.Null, null, null,
-                    new ECSecretBcpgKey(new BigInteger(1, dValue)).GetEncoded()), pubKey);
-            }
-
-            throw new PgpException("unknown key type found");
-        }
-
         /// <summary>
         /// Parse a secret key from one of the GPG S expression keys.
         /// </summary>
@@ -1179,7 +1126,7 @@ internal static PgpSecretKey DoParseSecretKeyFromSExpr(Stream inputStream, byte[
         /// </remarks>
         public static PgpSecretKey ParseSecretKeyFromSExpr(Stream inputStream, char[] passPhrase)
         {
-            return DoParseSecretKeyFromSExpr(new SXprUtilities(inputStream), PgpUtilities.EncodePassPhrase(passPhrase, false), true);
+            return DoParseSecretKeyFromSExpr(inputStream, PgpUtilities.EncodePassPhrase(passPhrase, false), true, null);
         }
 
         /// <summary>
@@ -1190,7 +1137,7 @@ public static PgpSecretKey ParseSecretKeyFromSExpr(Stream inputStream, char[] pa
         /// </remarks>
         public static PgpSecretKey ParseSecretKeyFromSExprUtf8(Stream inputStream, char[] passPhrase)
         {
-            return DoParseSecretKeyFromSExpr(new SXprUtilities(inputStream), PgpUtilities.EncodePassPhrase(passPhrase, true), true);
+            return DoParseSecretKeyFromSExpr(inputStream, PgpUtilities.EncodePassPhrase(passPhrase, true), true, null);
         }
 
         /// <summary>
@@ -1201,14 +1148,16 @@ public static PgpSecretKey ParseSecretKeyFromSExprUtf8(Stream inputStream, char[
         /// </remarks>
         public static PgpSecretKey ParseSecretKeyFromSExprRaw(Stream inputStream, byte[] rawPassPhrase)
         {
-            return DoParseSecretKeyFromSExpr(new SXprUtilities(inputStream), rawPassPhrase, false);
+            return DoParseSecretKeyFromSExpr(inputStream, rawPassPhrase, false, null);
         }
 
         /// <summary>
         /// Parse a secret key from one of the GPG S expression keys.
         /// </summary>
-        internal static PgpSecretKey DoParseSecretKeyFromSExpr(SXprUtilities reader, byte[] rawPassPhrase, bool clearPassPhrase)
+        internal static PgpSecretKey DoParseSecretKeyFromSExpr(Stream inputStream, byte[] rawPassPhrase, bool clearPassPhrase, PgpPublicKey pubKey)
         {
+            SXprReader reader = new SXprReader(inputStream);
+
             reader.SkipOpenParenthesis();
 
             string type = reader.ReadString();
@@ -1272,28 +1221,87 @@ internal static PgpSecretKey DoParseSecretKeyFromSExpr(SXprUtilities reader, byt
                     throw new PgpException("no q value found");
                 }
 
-                PublicKeyPacket pubPacket = new PublicKeyPacket(
-                    flags == "eddsa" ? PublicKeyAlgorithmTag.EdDsa : PublicKeyAlgorithmTag.ECDsa, DateTime.UtcNow,
-                    new ECDsaPublicBcpgKey(curveOid, new BigInteger(1, qVal)));
+                if (pubKey == null)
+                {
+                    PublicKeyPacket pubPacket = new PublicKeyPacket(
+                        flags == "eddsa" ? PublicKeyAlgorithmTag.EdDsa : PublicKeyAlgorithmTag.ECDsa, DateTime.UtcNow,
+                        new ECDsaPublicBcpgKey(curveOid, new BigInteger(1, qVal)));
+                    pubKey = new PgpPublicKey(pubPacket);
+                }
 
                 reader.SkipCloseParenthesis();
 
-                byte[] dValue = GetDValue(reader, rawPassPhrase, clearPassPhrase, curveName);
-                // TODO: check SHA-1 hash.
+                byte[] dValue = GetDValue(reader, pubKey.PublicKeyPacket, rawPassPhrase, clearPassPhrase, curveName);
 
-                return new PgpSecretKey(new SecretKeyPacket(pubPacket, SymmetricKeyAlgorithmTag.Null, null, null,
-                    new ECSecretBcpgKey(new BigInteger(1, dValue)).GetEncoded()), new PgpPublicKey(pubPacket));
+                return new PgpSecretKey(new SecretKeyPacket(pubKey.PublicKeyPacket, SymmetricKeyAlgorithmTag.Null, null, null,
+                    new ECSecretBcpgKey(new BigInteger(1, dValue)).GetEncoded()), pubKey);
             }
 
             throw new PgpException("unknown key type found");
         }
 
-        private static byte[] GetDValue(SXprUtilities reader, byte[] rawPassPhrase, bool clearPassPhrase, string curveName)
+        private static void WriteSExprPublicKey(SXprWriter writer, PublicKeyPacket pubPacket, string curveName, string protectedAt)
+        {
+            writer.StartList();
+            switch (pubPacket.Algorithm)
+            {
+                case PublicKeyAlgorithmTag.ECDsa:
+                case PublicKeyAlgorithmTag.EdDsa:
+                    writer.WriteString("ecc");
+                    writer.StartList();
+                    writer.WriteString("curve");
+                    writer.WriteString(curveName);
+                    writer.EndList();
+                    if (pubPacket.Algorithm == PublicKeyAlgorithmTag.EdDsa)
+                    {
+                        writer.StartList();
+                        writer.WriteString("flags");
+                        writer.WriteString("eddsa");
+                        writer.EndList();
+                    }
+                    writer.StartList();
+                    writer.WriteString("q");
+                    writer.WriteBytes(((ECDsaPublicBcpgKey)pubPacket.Key).EncodedPoint.ToByteArrayUnsigned());
+                    writer.EndList();
+                    break;
+
+                case PublicKeyAlgorithmTag.RsaEncrypt:
+                case PublicKeyAlgorithmTag.RsaSign:
+                case PublicKeyAlgorithmTag.RsaGeneral:
+                    RsaPublicBcpgKey rsaK = (RsaPublicBcpgKey)pubPacket.Key;
+                    writer.WriteString("rsa");
+                    writer.StartList();
+                    writer.WriteString("n");
+                    writer.WriteBytes(rsaK.Modulus.ToByteArrayUnsigned());
+                    writer.EndList();
+                    writer.StartList();
+                    writer.WriteString("e");
+                    writer.WriteBytes(rsaK.PublicExponent.ToByteArrayUnsigned());
+                    writer.EndList();
+                    break;
+
+                // TODO: DSA, etc.
+                default:
+                    throw new PgpException("unsupported algorithm in S expression");
+            }
+
+            if (protectedAt != null)
+            {
+                writer.StartList();
+                writer.WriteString("protected-at");
+                writer.WriteString(protectedAt);
+                writer.EndList();
+            }
+            writer.EndList();
+        }
+
+        private static byte[] GetDValue(SXprReader reader, PublicKeyPacket publicKey, byte[] rawPassPhrase, bool clearPassPhrase, string curveName)
         {
             string type;
             reader.SkipOpenParenthesis();
 
             string protection;
+            string protectedAt = null;
             S2k s2k;
             byte[] iv;
             byte[] secKeyData;
@@ -1312,26 +1320,42 @@ private static byte[] GetDValue(SXprUtilities reader, byte[] rawPassPhrase, bool
                 reader.SkipCloseParenthesis();
 
                 secKeyData = reader.ReadBytes();
+
+                reader.SkipCloseParenthesis();
+
+                reader.SkipOpenParenthesis();
+
+                if (reader.ReadString().Equals("protected-at"))
+                {
+                    protectedAt = reader.ReadString();
+                }
             }
             else
             {
                 throw new PgpException("protected block not found");
             }
 
-            // Valid values of protection: openpgp-s2k3-sha1-aes-cbc, openpgp-s2k3-ocb-aes, openpgp-native
             byte[] data;
             KeyParameter key;
 
             switch (protection)
             {
+                case "openpgp-s2k3-sha1-aes256-cbc":
                 case "openpgp-s2k3-sha1-aes-cbc":
-                    key = PgpUtilities.DoMakeKeyFromPassPhrase(SymmetricKeyAlgorithmTag.Aes128, s2k, rawPassPhrase, clearPassPhrase);
-                    data = RecoverKeyData(SymmetricKeyAlgorithmTag.Aes128, "/CBC/NoPadding", key, iv, secKeyData, 0, secKeyData.Length);
+                    SymmetricKeyAlgorithmTag symmAlg = 
+                        protection.Equals("openpgp-s2k3-sha1-aes256-cbc") ? SymmetricKeyAlgorithmTag.Aes256 : SymmetricKeyAlgorithmTag.Aes128;
+                    key = PgpUtilities.DoMakeKeyFromPassPhrase(symmAlg, s2k, rawPassPhrase, clearPassPhrase);
+                    data = RecoverKeyData(symmAlg, "/CBC/NoPadding", key, iv, secKeyData, 0, secKeyData.Length);
+                    // TODO: check SHA-1 hash.
                     break;
 
                 case "openpgp-s2k3-ocb-aes":
+                    MemoryStream aad = new MemoryStream();
+                    WriteSExprPublicKey(new SXprWriter(aad), publicKey, curveName, protectedAt);
                     key = PgpUtilities.DoMakeKeyFromPassPhrase(SymmetricKeyAlgorithmTag.Aes128, s2k, rawPassPhrase, clearPassPhrase);
-                    data = RecoverKeyData(SymmetricKeyAlgorithmTag.Aes128, "/OCB/NoPadding", key, iv, secKeyData, 0, secKeyData.Length);
+                    IBufferedCipher c = CipherUtilities.GetCipher("AES/OCB");
+                    c.Init(false, new AeadParameters(key, 128, iv, aad.ToArray()));
+                    data = c.DoFinal(secKeyData, 0, secKeyData.Length);
                     break;
 
                 case "openpgp-native":
@@ -1344,7 +1368,7 @@ private static byte[] GetDValue(SXprUtilities reader, byte[] rawPassPhrase, bool
             //
             Stream keyIn = new MemoryStream(data, false);
 
-            reader = new SXprUtilities(keyIn);
+            reader = new SXprReader(keyIn);
             reader.SkipOpenParenthesis();
             reader.SkipOpenParenthesis();
             reader.SkipOpenParenthesis();

crypto/src/openpgp/SXprUtilities.cs renamed to crypto/src/openpgp/SXprReader.cs

@@ -7,19 +7,19 @@
 namespace Org.BouncyCastle.Bcpg.OpenPgp
 {
     /**
-     * Utility functions for looking a S-expression keys. This class will move when it finds a better home!
+     * Reader for S-expression keys. This class will move when it finds a better home!
      * <p>
      * Format documented here:
      * http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/keyformat.txt;h=42c4b1f06faf1bbe71ffadc2fee0fad6bec91a97;hb=refs/heads/master
      * http://people.csail.mit.edu/rivest/Sexp.txt
      * </p>
      */
-    class SXprUtilities
+    class SXprReader
     {
         Stream stream;
         int peekedByte;
 
-        internal SXprUtilities(Stream stream)
+        public SXprReader(Stream stream)
         {
             this.stream = stream;
             this.peekedByte = -1;
@@ -211,7 +211,7 @@ public S2k ParseS2k()
             return new MyS2k(HashAlgorithmTag.Sha1, iv, iterationCount);
         }
 
-        private void SkipWhitespace()
+        public void SkipWhitespace()
         {
             int ch = ReadByte();
             while (ch == ' ' || ch == '\r' || ch == '\n')

crypto/src/openpgp/SXprWriter.cs

@@ -0,0 +1,50 @@
+using System;
+using System.IO;
+using System.Text;
+
+namespace crypto.openpgp
+{
+    /**
+     * Writer for S-expression keys
+     * <p>
+     * Format documented here:
+     * http://people.csail.mit.edu/rivest/Sexp.txt
+     * 
+     * Only canonical S expression format is used.
+     * </p>
+     */
+    class SXprWriter
+    {
+        Stream output;
+
+        public SXprWriter(Stream output)
+        {
+            this.output = output;
+        }
+
+        public void StartList()
+        {
+            output.WriteByte((byte)'(');
+        }
+
+        public void EndList()
+        {
+            output.WriteByte((byte)')');
+        }
+
+        public void WriteString(string s)
+        {
+            byte[] stringBytes = Encoding.UTF8.GetBytes(s);
+            byte[] lengthBytes = Encoding.UTF8.GetBytes(stringBytes.Length + ":");
+            output.Write(lengthBytes, 0, lengthBytes.Length);
+            output.Write(stringBytes, 0, stringBytes.Length);
+        }
+
+        public void WriteBytes(byte[] b)
+        {
+            byte[] lengthBytes = Encoding.UTF8.GetBytes(b.Length + ":");
+            output.Write(lengthBytes, 0, lengthBytes.Length);
+            output.Write(b, 0, b.Length);
+        }
+    }
+}

crypto/test/src/openpgp/test/PgpEdDsaTest.cs

@@ -184,8 +184,7 @@ public override void PerformTest()
             //
             // sExpr
             //
-            // TODO: Fails the OCB MAC check when decoding key but works otherwise
-            /*byte[] msg = Encoding.ASCII.GetBytes("hello world!");
+            byte[] msg = Encoding.ASCII.GetBytes("hello world!");
 
             PgpSecretKey key = PgpSecretKey.ParseSecretKeyFromSExpr(new MemoryStream(sExprKey, false), "test".ToCharArray());
 
@@ -200,7 +199,7 @@ public override void PerformTest()
             if (!sig.Verify())
             {
                 Fail("signature failed to verify!");
-            }*/
+            }
         }
 
         private static object First(IEnumerable e)