Add support for decryption of OpenPGP messages without encrypted session key packets

Author: vanitasvitae

pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataList.java

@@ -128,6 +128,19 @@ public PGPEncryptedDataList(
         }
     }
 
+    /**
+     * Add a decryption method using a {@link PGPSessionKey}.
+     * This method can be used to decrypt messages which do not contain a SKESK or PKESK packet using a
+     * session key.
+     *
+     * @param sessionKey session key for message decryption
+     */
+    public void addSessionKeyDecryptionMethod(PGPSessionKey sessionKey)
+    {
+        PGPSessionKeyEncryptedData sessionKeyEncryptedData = new PGPSessionKeyEncryptedData(sessionKey, data);
+        methods.add(sessionKeyEncryptedData);
+    }
+
     /**
      * Gets the encryption method object at the specified index.
      *

pg/src/main/java/org/bouncycastle/openpgp/PGPSessionKeyEncryptedData.java

@@ -0,0 +1,144 @@
+package org.bouncycastle.openpgp;
+
+import org.bouncycastle.bcpg.AEADEncDataPacket;
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.InputStreamPacket;
+import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket;
+import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
+import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
+import org.bouncycastle.util.io.TeeInputStream;
+
+import java.io.EOFException;
+import java.io.InputStream;
+
+public class PGPSessionKeyEncryptedData extends PGPEncryptedData
+{
+
+    private final PGPSessionKey sessionKey;
+
+    PGPSessionKeyEncryptedData(PGPSessionKey sessionKey, InputStreamPacket encData)
+    {
+        super(encData);
+        this.sessionKey = sessionKey;
+    }
+
+    public PGPSessionKey getSessionKey()
+    {
+        return sessionKey;
+    }
+
+    public InputStream getDataStream(
+            SessionKeyDataDecryptorFactory dataDecryptorFactory)
+            throws PGPException
+    {
+        if (encData instanceof AEADEncDataPacket)
+        {
+            AEADEncDataPacket aeadData = (AEADEncDataPacket) encData;
+
+            if (aeadData.getAlgorithm() != getAlgorithm())
+            {
+                throw new PGPException("session key and AEAD algorithm mismatch");
+            }
+
+            PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(aeadData.getAEADAlgorithm(), aeadData.getIV(), aeadData.getChunkSize(), sessionKey.getAlgorithm(), sessionKey.getKey());
+
+            BCPGInputStream encIn = encData.getInputStream();
+
+            return new BCPGInputStream(dataDecryptor.getInputStream(encIn));
+        }
+        else
+        {
+            try
+            {
+                boolean withIntegrityPacket = encData instanceof SymmetricEncIntegrityPacket;
+                PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(withIntegrityPacket, sessionKey.getAlgorithm(), sessionKey.getKey());
+
+                return getDataStream(withIntegrityPacket, dataDecryptor);
+            } catch (PGPException e)
+            {
+                throw e;
+            } catch (Exception e)
+            {
+                throw new PGPException("Exception creating cipher", e);
+            }
+        }
+    }
+
+    private InputStream getDataStream(
+            boolean withIntegrityPacket,
+            PGPDataDecryptor dataDecryptor)
+            throws PGPException
+    {
+        try
+        {
+            BCPGInputStream encIn = encData.getInputStream();
+            encIn.mark(dataDecryptor.getBlockSize() + 2); // iv + 2 octets checksum
+
+            encStream = new BCPGInputStream(dataDecryptor.getInputStream(encIn));
+
+            if (withIntegrityPacket)
+            {
+                truncStream = new TruncatedStream(encStream);
+
+                integrityCalculator = dataDecryptor.getIntegrityCalculator();
+
+                encStream = new TeeInputStream(truncStream, integrityCalculator.getOutputStream());
+            }
+
+            byte[] iv = new byte[dataDecryptor.getBlockSize()];
+            for (int i = 0; i != iv.length; i++)
+            {
+                int ch = encStream.read();
+
+                if (ch < 0)
+                {
+                    throw new EOFException("unexpected end of stream.");
+                }
+
+                iv[i] = (byte)ch;
+            }
+
+            int v1 = encStream.read();
+            int v2 = encStream.read();
+
+            if (v1 < 0 || v2 < 0)
+            {
+                throw new EOFException("unexpected end of stream.");
+            }
+
+
+            // Note: the oracle attack on "quick check" bytes is not deemed
+            // a security risk for PBE (see PGPPublicKeyEncryptedData)
+
+            boolean repeatCheckPassed = iv[iv.length - 2] == (byte)v1
+                    && iv[iv.length - 1] == (byte)v2;
+
+            // Note: some versions of PGP appear to produce 0 for the extra
+            // bytes rather than repeating the two previous bytes
+            boolean zeroesCheckPassed = v1 == 0 && v2 == 0;
+
+            if (!repeatCheckPassed && !zeroesCheckPassed)
+            {
+                encIn.reset();
+                throw new PGPDataValidationException("data check failed.");
+            }
+
+            return encStream;
+        }
+        catch (PGPException e)
+        {
+            throw e;
+        }
+        catch (Exception e)
+        {
+            throw new PGPException("Exception creating cipher", e);
+        }
+    }
+
+    @Override
+    public int getAlgorithm()
+    {
+        return sessionKey.getAlgorithm();
+    }
+
+}

pg/src/test/java/org/bouncycastle/openpgp/test/PGPSessionKeyTest.java

@@ -21,6 +21,7 @@
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSessionKey;
+import org.bouncycastle.openpgp.PGPSessionKeyEncryptedData;
 import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
@@ -110,6 +111,8 @@ public void performTest()
         verifyJcePBEDecryptorFactoryFromSessionKeyCanDecryptDataSuccessfully();
 
         testSessionKeyFromString();
+
+        decryptMessageWithoutEskUsingSessionKey();
     }
 
     private void verifyPublicKeyDecryptionYieldsCorrectSessionData()
@@ -264,4 +267,46 @@ private void testSessionKeyFromString()
         isEquals("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD", Hex.toHexString(sessionKey.getKey()).toUpperCase());
         //isEquals(sessionKeyString, sessionKey.toString());
     }
+
+    // Message consisting only of a symmetrically encrypted integrity protected data packet wrapping a literal data packet
+    // see https://dump.sequoia-pgp.org/?data=-----BEGIN%20PGP%20MESSAGE-----%0D%0AVersion%3A%20PGPainless%0D%0A%0D%0A0j8BNtJwO2PLoRdG%2BVynivV7XpHp2Nw/S489vksUKct67CYTFpVTzB4IcJwmUGMm%0D%0Are/N1KMTznEBzy3Txa1QVBc%3D%0D%0A%3Dt%2Bpk%0D%0A-----END%20PGP%20MESSAGE-----&session_key=26BE99BC478520FBC8AB8FB84991DACE4B82CFB9B00F7D05C051D69B8CEA8A7F
+    private static final String encryptedMessageWithoutESK = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "0j8BNtJwO2PLoRdG+VynivV7XpHp2Nw/S489vksUKct67CYTFpVTzB4IcJwmUGMm\n" +
+            "re/N1KMTznEBzy3Txa1QVBc=\n" +
+            "=t+pk\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final PGPSessionKey sessionKey = PGPSessionKey.fromAsciiRepresentation(
+            "9:26be99bc478520fbc8ab8fb84991dace4b82cfb9b00f7d05c051d69b8cea8a7f");
+
+    private void decryptMessageWithoutEskUsingSessionKey()
+            throws IOException, PGPException
+    {
+        ByteArrayInputStream msgIn = new ByteArrayInputStream(Strings.toByteArray(encryptedMessageWithoutESK));
+        ArmoredInputStream armorIn = new ArmoredInputStream(msgIn);
+        PGPObjectFactory objectFactory = new BcPGPObjectFactory(armorIn);
+        PGPEncryptedDataList encryptedData = (PGPEncryptedDataList) objectFactory.nextObject();
+        isEquals(0, encryptedData.size()); // there is no encrypted session key packet
+
+        encryptedData.addSessionKeyDecryptionMethod(sessionKey); // Add decryption method using a session key
+        isEquals(1, encryptedData.size());
+
+        SessionKeyDataDecryptorFactory decryptorFactory = new BcSessionKeyDataDecryptorFactory(sessionKey);
+        PGPSessionKeyEncryptedData sessionKeyEncData = (PGPSessionKeyEncryptedData) encryptedData.get(0);
+        InputStream decrypted = sessionKeyEncData.getDataStream(decryptorFactory);
+
+        objectFactory = new BcPGPObjectFactory(decrypted);
+        PGPLiteralData literalData = (PGPLiteralData) objectFactory.nextObject();
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(literalData.getDataStream(), out);
+
+        literalData.getDataStream().close();
+        decrypted.close();
+        armorIn.close();
+        isTrue(Arrays.equals(Strings.toByteArray("Hello, World!\n"), out.toByteArray()));
+    }
 }