Move checksum from PGPEncryptedDataGenerator to PublicKeyKeyEncryptionMethodGenerator

Author: gefeili

pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataGenerator.java

@@ -139,42 +139,6 @@ public void addMethod(PGPKeyEncryptionMethodGenerator method)
         methods.add(method);
     }
 
-    /**
-     * Write a checksum into the last two bytes of the array.
-     *
-     * @param sessionInfo byte array
-     */
-    private void addCheckSum(
-        byte[] sessionInfo)
-    {
-        int check = 0;
-
-        for (int i = 1; i != sessionInfo.length - 2; i++)
-        {
-            check += sessionInfo[i] & 0xff;
-        }
-
-        sessionInfo[sessionInfo.length - 2] = (byte)(check >> 8);
-        sessionInfo[sessionInfo.length - 1] = (byte)(check);
-    }
-
-    /**
-     * Create a session info array containing of the algorithm-id followed by the key and a two-byte checksum.
-     *
-     * @param algorithm symmetric algorithm
-     * @param keyBytes  bytes of the key
-     * @return array of algorithm, key and checksum
-     */
-    private byte[] createSessionInfo(
-        int algorithm,
-        byte[] keyBytes)
-    {
-        byte[] sessionInfo = new byte[keyBytes.length + 3];
-        sessionInfo[0] = (byte)algorithm;
-        System.arraycopy(keyBytes, 0, sessionInfo, 1, keyBytes.length);
-        addCheckSum(sessionInfo);
-        return sessionInfo;
-    }
 
     /**
      * Create an OutputStream based on the configured methods.
@@ -226,7 +190,6 @@ private OutputStream open(
         if (dataEncryptorBuilder.getAeadAlgorithm() != -1 && !isV5StyleAEAD)
         {
             sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
-            sessionInfo = createSessionInfo(defAlgorithm, sessionKey);
             // In OpenPGP v6, we need an additional step to derive a message key and IV from the session info.
             // Since we cannot inject the IV into the data encryptor, we append it to the message key.
             byte[] info = SymmetricEncIntegrityPacket.createAAData(
@@ -246,8 +209,6 @@ else if (directS2K)
         else
         {
             sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
-            // prepend algorithm, append checksum
-            sessionInfo = createSessionInfo(defAlgorithm, sessionKey);
             messageKey = sessionKey;
         }
 
@@ -257,7 +218,7 @@ else if (directS2K)
         for (int i = 0; i < methods.size(); i++)
         {
             PGPKeyEncryptionMethodGenerator method = methods.get(i);
-            pOut.writePacket(method.generate(dataEncryptorBuilder, sessionInfo));
+            pOut.writePacket(method.generate(dataEncryptorBuilder, sessionKey));
         }
         try
         {

pg/src/main/java/org/bouncycastle/openpgp/operator/PBEKeyEncryptionMethodGenerator.java

@@ -180,7 +180,7 @@ public byte[] getKey(int encAlgorithm)
      * version 2 only.
      * A SKESKv6 packet MUST NOT precede a SEIPDv1, OED or SED packet.
      *
-     * @param sessionInfo session data generated by the encrypted data generator.
+     * @param sessionKey session data generated by the encrypted data generator.
      * @return a packet encoding the provided information and the configuration of this instance.
      * @throws PGPException if an error occurs constructing the packet.
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#name-version-4-symmetric-key-enc">
@@ -190,26 +190,21 @@ public byte[] getKey(int encAlgorithm)
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#name-version-6-symmetric-key-enc">
      * RFC9580 - Symmetric-Key Encrypted Session-Key Packet version 6</a>
      */
-    public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, byte[] sessionInfo)
+    public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, byte[] sessionKey)
         throws PGPException
     {
         int kekAlgorithm = getSessionKeyWrapperAlgorithm(dataEncryptorBuilder.getAlgorithm());
         if (dataEncryptorBuilder.getAeadAlgorithm() <= 0)
         {
-            if (sessionInfo == null)
+            if (sessionKey == null)
             {
                 return SymmetricKeyEncSessionPacket.createV4Packet(kekAlgorithm, s2k, null);
             }
 
             byte[] key = getKey(kekAlgorithm);
-            //
-            // the passed in session info has the an RSA/ElGamal checksum added to it, for PBE this is not included.
-            //
-            byte[] nSessionInfo = new byte[sessionInfo.length - 2];
 
-            System.arraycopy(sessionInfo, 0, nSessionInfo, 0, nSessionInfo.length);
-
-            return SymmetricKeyEncSessionPacket.createV4Packet(kekAlgorithm, s2k, encryptSessionInfo(kekAlgorithm, key, nSessionInfo));
+            return SymmetricKeyEncSessionPacket.createV4Packet(kekAlgorithm, s2k, encryptSessionInfo(kekAlgorithm, key,
+                Arrays.prepend(sessionKey, (byte)dataEncryptorBuilder.getAlgorithm())));
         }
         else
         {
@@ -232,7 +227,6 @@ public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, by
             random.nextBytes(iv);
 
             int tagLen = AEADUtils.getAuthTagLength(aeadAlgorithm);
-            byte[] sessionKey = getSessionKey(sessionInfo);
             byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionKey, ikm, iv, info);
             byte[] esk = Arrays.copyOfRange(eskAndTag, 0, eskAndTag.length - tagLen);
             byte[] tag = Arrays.copyOfRange(eskAndTag, esk.length, eskAndTag.length);
@@ -248,13 +242,6 @@ public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, by
         }
     }
 
-    protected byte[] getSessionKey(byte[] sessionInfo)
-    {
-        byte[] sessionKey = new byte[sessionInfo.length - 3];
-        System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
-        return sessionKey;
-    }
-
     abstract protected byte[] encryptSessionInfo(int encAlgorithm, byte[] key, byte[] sessionInfo)
         throws PGPException;
 

pg/src/main/java/org/bouncycastle/openpgp/operator/PGPKeyEncryptionMethodGenerator.java

@@ -10,6 +10,6 @@
 public interface PGPKeyEncryptionMethodGenerator
 {
 
-    ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, byte[] sessionInfo)
+    ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, byte[] sessionKey)
         throws PGPException;
 }

pg/src/main/java/org/bouncycastle/openpgp/operator/PublicKeyKeyEncryptionMethodGenerator.java

@@ -176,15 +176,15 @@ private byte[] convertToEncodedMPI(byte[] encryptedSessionInfo)
      * of version 2 only.
      * PKESKv6 packets are used with keys that support {@link org.bouncycastle.bcpg.sig.Features#FEATURE_SEIPD_V2}.
      *
-     * @param sessionInfo session-key algorithm id + session-key + checksum
+     * @param sessionKey session-key algorithm id + session-key + checksum
      * @return PKESKv6 or v3 packet
      * @throws PGPException if the PKESK packet cannot be generated
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#name-version-6-public-key-encryp">
      * RFC9580 - Version 6 Public Key Encrypted Session Key Packet</a>
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#name-version-3-public-key-encryp">
      * RFC9580 - Version 3 Public Key Encrypted Session Key Packet</a>
      */
-    public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, byte[] sessionInfo)
+    public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, byte[] sessionKey)
         throws PGPException
     {
         if (dataEncryptorBuilder.getAeadAlgorithm() <= 0 || dataEncryptorBuilder.isV5StyleAEAD())
@@ -198,7 +198,7 @@ public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, by
             {
                 keyId = pubKey.getKeyID();
             }
-            byte[] encryptedSessionInfo = encryptSessionInfo(pubKey, sessionInfo, sessionInfo, sessionInfo[0]);
+            byte[] encryptedSessionInfo = encryptSessionInfo(pubKey, sessionKey, (byte)dataEncryptorBuilder.getAlgorithm());
             byte[][] encodedEncSessionInfo = encodeEncryptedSessionInfo(encryptedSessionInfo);
             return PublicKeyEncSessionPacket.createV3PKESKPacket(keyId, pubKey.getAlgorithm(), encodedEncSessionInfo);
         }
@@ -217,28 +217,59 @@ public ContainedPacket generate(PGPDataEncryptorBuilder dataEncryptorBuilder, by
                 keyVersion = pubKey.getVersion();
             }
             // In V6, do not include the symmetric-key algorithm in the session-info
-            byte[] sessionInfoWithoutAlgId = new byte[sessionInfo.length - 1];
-            System.arraycopy(sessionInfo, 1, sessionInfoWithoutAlgId, 0, sessionInfoWithoutAlgId.length);
 
-            byte[] encryptedSessionInfo = encryptSessionInfo(pubKey, sessionInfo, sessionInfoWithoutAlgId, (byte)0);
+            byte[] encryptedSessionInfo = encryptSessionInfo(pubKey, sessionKey, (byte)0);
             byte[][] encodedEncSessionInfo = encodeEncryptedSessionInfo(encryptedSessionInfo);
             return PublicKeyEncSessionPacket.createV6PKESKPacket(keyVersion, keyFingerprint, pubKey.getAlgorithm(), encodedEncSessionInfo);
         }
     }
 
+    protected byte[] createSessionInfo(
+        int algorithm,
+        byte[] keyBytes)
+    {
+        byte[] sessionInfo;
+        if (algorithm != 0)
+        {
+            sessionInfo = new byte[keyBytes.length + 3];
+            sessionInfo[0] = (byte)algorithm;
+            System.arraycopy(keyBytes, 0, sessionInfo, 1, keyBytes.length);
+            addCheckSum(sessionInfo, 1);
+        }
+        else
+        {
+            sessionInfo = new byte[keyBytes.length + 2];
+            System.arraycopy(keyBytes, 0, sessionInfo, 0, keyBytes.length);
+            addCheckSum(sessionInfo, 0);
+        }
+        return sessionInfo;
+    }
+
+    protected void addCheckSum(byte[] sessionInfo, int pos)
+    {
+        int check = 0;
+
+        for (int i = pos; i != sessionInfo.length - 2; i++)
+        {
+            check += sessionInfo[i] & 0xff;
+        }
+
+        sessionInfo[sessionInfo.length - 2] = (byte)(check >> 8);
+        sessionInfo[sessionInfo.length - 1] = (byte)(check);
+    }
+
     /**
      * Encrypt a session key using the recipients public key.
      *
      * @param pubKey               recipients public key
-     * @param fullSessionInfo      full session info (sym-alg-id + session-key + 2 octet checksum)
-     * @param sessionInfoToEncrypt for v3: full session info; for v6: just the session-key
+//     * @param fullSessionInfo      full session info (sym-alg-id + session-key + 2 octet checksum)
+//     * @param sessionInfoToEncrypt for v3: full session info; for v6: just the session-key
      * @param optSymAlgId          for v3: session key algorithm ID; for v6: empty array
      * @return encrypted session info
      * @throws PGPException
      */
     protected abstract byte[] encryptSessionInfo(PGPPublicKey pubKey,
-                                                 byte[] fullSessionInfo,
-                                                 byte[] sessionInfoToEncrypt,
+                                                 byte[] sessionKey,
                                                  byte optSymAlgId)
         throws PGPException;
 

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPublicKeyKeyEncryptionMethodGenerator.java

@@ -75,7 +75,7 @@ public BcPublicKeyKeyEncryptionMethodGenerator setSecureRandom(SecureRandom rand
     }
 
     @Override
-    protected byte[] encryptSessionInfo(PGPPublicKey pubKey, byte[] fullSessionInfo, byte[] sessionInfoToEncrypt, byte optSymAlgId)
+    protected byte[] encryptSessionInfo(PGPPublicKey pubKey, byte[] sessionKey, byte optSymAlgId)
         throws PGPException
     {
         try
@@ -87,6 +87,7 @@ protected byte[] encryptSessionInfo(PGPPublicKey pubKey, byte[] fullSessionInfo,
             if (pubKey.getAlgorithm() == PublicKeyAlgorithmTags.ECDH)
             {
                 ECDHPublicBCPGKey ecPubKey = (ECDHPublicBCPGKey)pubKeyPacket.getKey();
+                byte[] sessionInfo = createSessionInfo(optSymAlgId, sessionKey);
                 byte[] userKeyingMaterial = RFC6637Utils.createUserKeyingMaterial(pubKeyPacket, new BcKeyFingerprintCalculator());
 
                 // Legacy X25519
@@ -99,7 +100,7 @@ protected byte[] encryptSessionInfo(PGPPublicKey pubKey, byte[] fullSessionInfo,
                     byte[] ephPubEncoding = new byte[1 + X25519PublicKeyParameters.KEY_SIZE];
                     ephPubEncoding[0] = X_HDR;
                     ((X25519PublicKeyParameters)ephKp.getPublic()).encode(ephPubEncoding, 1);
-                    return encryptSessionInfoWithECDHKey(sessionInfoToEncrypt, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
+                    return encryptSessionInfoWithECDHKey(sessionInfo, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
                 }
 
                 // LegacyX448
@@ -112,7 +113,7 @@ else if (ecPubKey.getCurveOID().equals(EdECObjectIdentifiers.id_X448))
                     byte[] ephPubEncoding = new byte[1 + X448PublicKeyParameters.KEY_SIZE];
                     ephPubEncoding[0] = X_HDR;
                     ((X448PublicKeyParameters)ephKp.getPublic()).encode(ephPubEncoding, 1);
-                    return encryptSessionInfoWithECDHKey(sessionInfoToEncrypt, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
+                    return encryptSessionInfoWithECDHKey(sessionInfo, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
                 }
 
                 // Other ECDH curves
@@ -128,14 +129,14 @@ else if (ecPubKey.getCurveOID().equals(EdECObjectIdentifiers.id_X448))
 
                     byte[] ephPubEncoding = ((ECPublicKeyParameters)ephKp.getPublic()).getQ().getEncoded(false);
 
-                    return encryptSessionInfoWithECDHKey(sessionInfoToEncrypt, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
+                    return encryptSessionInfoWithECDHKey(sessionInfo, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
                 }
             }
 
             // X25519
             else if (pubKey.getAlgorithm() == PublicKeyAlgorithmTags.X25519)
             {
-                return encryptSessionInfoWithX25519X448Key(pubKeyPacket, fullSessionInfo, HashAlgorithmTags.SHA256, SymmetricKeyAlgorithmTags.AES_128, "X25519",
+                return encryptSessionInfoWithX25519X448Key(pubKeyPacket, sessionKey, HashAlgorithmTags.SHA256, SymmetricKeyAlgorithmTags.AES_128, "X25519",
                     new X25519KeyPairGenerator(), new X25519KeyGenerationParameters(random), new X25519Agreement(), cryptoPublicKey, X25519PublicKeyParameters.KEY_SIZE,
                     new EphPubEncodingOperation()
                     {
@@ -151,7 +152,7 @@ public void getEphPubEncoding(AsymmetricKeyParameter publicKey, byte[] ephPubEnc
             // X448
             else if (pubKey.getAlgorithm() == PublicKeyAlgorithmTags.X448)
             {
-                return encryptSessionInfoWithX25519X448Key(pubKeyPacket, fullSessionInfo, HashAlgorithmTags.SHA512, SymmetricKeyAlgorithmTags.AES_256, "X448",
+                return encryptSessionInfoWithX25519X448Key(pubKeyPacket, sessionKey, HashAlgorithmTags.SHA512, SymmetricKeyAlgorithmTags.AES_256, "X448",
                     new X448KeyPairGenerator(), new X448KeyGenerationParameters(random), new X448Agreement(), cryptoPublicKey, X448PublicKeyParameters.KEY_SIZE,
                     new EphPubEncodingOperation()
                     {
@@ -170,8 +171,9 @@ public void getEphPubEncoding(AsymmetricKeyParameter publicKey, byte[] ephPubEnc
                 AsymmetricBlockCipher c = BcImplProvider.createPublicKeyCipher(pubKey.getAlgorithm());
 
                 c.init(true, new ParametersWithRandom(cryptoPublicKey, random));
+                byte[] sessionInfo = createSessionInfo(optSymAlgId, sessionKey);
 
-                return c.processBlock(sessionInfoToEncrypt, 0, sessionInfoToEncrypt.length);
+                return c.processBlock(sessionInfo, 0, sessionInfo.length);
             }
         }
         catch (Exception e)
@@ -224,7 +226,7 @@ private byte[] encryptSessionInfoWithECDHKey(byte[] sessionInfo,
     }
 
     private byte[] encryptSessionInfoWithX25519X448Key(PublicKeyPacket pubKeyPacket,
-                                                       byte[] sessionInfo,
+                                                       byte[] sessionKey,
                                                        int hashAlgorithm,
                                                        int symmetricKeyAlgorithm,
                                                        String algorithmName,
@@ -244,9 +246,6 @@ private byte[] encryptSessionInfoWithX25519X448Key(PublicKeyPacket pubKeyPacket,
         KeyParameter key = new KeyParameter(RFC6637KDFCalculator.createKey(hashAlgorithm, symmetricKeyAlgorithm,
             Arrays.concatenate(ephPubEncoding, pubKeyPacket.getKey().getEncoded(), secret), "OpenPGP " + algorithmName));
 
-        //No checksum and padding
-        byte[] sessionKey = new byte[sessionInfo.length - 3];
-        System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
         if (optSymAlgId == 0)
         {
             return getSessionInfo(ephPubEncoding, getWrapper(symmetricKeyAlgorithm, key, sessionKey));