Fix PKESKv6 / SKESKv6 generation

Author: vanitasvitae

pg/src/main/java/org/bouncycastle/bcpg/SymmetricKeyEncSessionPacket.java

@@ -337,7 +337,20 @@ public void encode(
                 pOut.write(secKeyData);
             }
         }
-        else if (version == VERSION_5 || version == VERSION_6)
+        else if (version == VERSION_5)
+        {
+            pOut.write(encAlgorithm);
+            pOut.write(aeadAlgorithm);
+            pOut.writeObject(s2k);
+            pOut.write(iv);
+
+            if (secKeyData != null && secKeyData.length > 0)
+            {
+                pOut.write(secKeyData);
+            }
+            pOut.write(authTag);
+        }
+        else if (version == VERSION_6)
         {
             int s2kLen = s2k.getEncoded().length;
             int count = 1 + 1 + 1 + s2kLen + iv.length;

pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataGenerator.java

@@ -21,6 +21,7 @@
 import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
+import org.bouncycastle.openpgp.operator.PublicKeyKeyEncryptionMethodGenerator;
 import org.bouncycastle.util.io.TeeOutputStream;
 
 /**
@@ -228,6 +229,7 @@ private OutputStream open(
         if (dataEncryptorBuilder.getAeadAlgorithm() != -1 && !isV5StyleAEAD)
         {
             sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
+            sessionInfo = createSessionInfo(defAlgorithm, sessionKey);
             // In OpenPGP v6, we need an additional step to derive a message key and IV from the session info.
             // Since we cannot inject the IV into the data encryptor, we append it to the message key.
             byte[] info = SymmetricEncIntegrityPacket.createAAData(
@@ -271,7 +273,7 @@ else if (directS2K)
                 {
                     //https://www.rfc-editor.org/rfc/rfc9580.html#section-3.7.2.1 Table 2
                     //AEAD(HKDF(S2K(passphrase), info), secrets, packetprefix)
-                    writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionKey);
+                    writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionInfo);
                 }
             }
             // OpenPGP v4
@@ -386,12 +388,13 @@ private void writeOpenPGPv4ESKPacket(PGPKeyEncryptionMethodGenerator m, byte[] s
         if (m instanceof PBEKeyEncryptionMethodGenerator)
         {
             PBEKeyEncryptionMethodGenerator mGen = (PBEKeyEncryptionMethodGenerator)m;
-            ContainedPacket esk = m.generate(mGen.getSessionKeyWrapperAlgorithm(defAlgorithm), sessionInfo);
+            ContainedPacket esk = mGen.generateV4(mGen.getSessionKeyWrapperAlgorithm(defAlgorithm), sessionInfo);
             pOut.writePacket(esk);
         }
-        else
+        else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
         {
-            pOut.writePacket(m.generate(defAlgorithm, sessionInfo));
+            PublicKeyKeyEncryptionMethodGenerator mGen = (PublicKeyKeyEncryptionMethodGenerator) m;
+            pOut.writePacket(mGen.generateV3(defAlgorithm, sessionInfo));
         }
     }
 
@@ -411,15 +414,16 @@ private void writeOpenPGPv5ESKPacket(PGPKeyEncryptionMethodGenerator m, byte[] s
         if (m instanceof PBEKeyEncryptionMethodGenerator)
         {
             PBEKeyEncryptionMethodGenerator mGen = (PBEKeyEncryptionMethodGenerator)m;
-            ContainedPacket esk = m.generateV5(
+            ContainedPacket esk = mGen.generateV5(
                 mGen.getSessionKeyWrapperAlgorithm(defAlgorithm),
                 dataEncryptorBuilder.getAeadAlgorithm(),
                 sessionInfo);
             pOut.writePacket(esk);
         }
-        else
+        else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
         {
-            pOut.writePacket(m.generate(defAlgorithm, sessionInfo));
+            PublicKeyKeyEncryptionMethodGenerator mGen = (PublicKeyKeyEncryptionMethodGenerator) m;
+            pOut.writePacket(mGen.generateV3(defAlgorithm, sessionInfo));
         }
     }
 
@@ -440,15 +444,16 @@ private void writeOpenPGPv6ESKPacket(PGPKeyEncryptionMethodGenerator m, int aead
         if (m instanceof PBEKeyEncryptionMethodGenerator)
         {
             PBEKeyEncryptionMethodGenerator mGen = (PBEKeyEncryptionMethodGenerator)m;
-            ContainedPacket esk = m.generateV6(
+            ContainedPacket esk = mGen.generateV6(
                 mGen.getSessionKeyWrapperAlgorithm(defAlgorithm),
                 aeadAlgorithm,
                 sessionInfo);
             pOut.writePacket(esk);
         }
-        else
+        else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
         {
-            pOut.writePacket(m.generate(defAlgorithm, sessionInfo));
+            PublicKeyKeyEncryptionMethodGenerator mGen = (PublicKeyKeyEncryptionMethodGenerator) m;
+            pOut.writePacket(mGen.generateV6(sessionInfo));
         }
     }
 

pg/src/main/java/org/bouncycastle/openpgp/operator/PBEKeyEncryptionMethodGenerator.java

@@ -160,33 +160,48 @@ public byte[] getKey(int encAlgorithm)
         return PGPUtil.makeKeyFromPassPhrase(s2kDigestCalculator, encAlgorithm, s2k, passPhrase);
     }
 
-    @Override
-    public ContainedPacket generateV5(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-        throws PGPException
+    /**
+     * Generates a version 4 Public-Key-Encrypted-Session-Key (PKESK) packet, encoding the encrypted
+     * session-key for this method.
+     * PKESKv4 packets are used by Symmetrically-Encrypted-Integrity-Protected-Data (SEIPD) packets
+     * of version 1, or by (deprecated) Symmetrically-Encrypted-Data (SED) packets.
+     * You can use PKESKv4 packets with OpenPGP v4 keys, but MUST NOT use them when producing
+     * SEIPDv2 packets (use {@link #generateV6(int, int, byte[])} instead in that case).
+     *
+     * @param encAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used
+     * @param sessionInfo session data generated by the encrypted data generator.
+     * @return a packet encoding the provided information and the configuration of this instance.
+     *
+     * @throws PGPException if an error occurs constructing the packet.
+     */
+    public ContainedPacket generateV4(int encAlgorithm, byte[] sessionInfo)
+            throws PGPException
     {
-        return generate(kekAlgorithm, sessionInfo);
-        // TODO: Implement v5 SKESK creation properly.
-        // return generateV5ESK(kekAlgorithm, aeadAlgorithm, sessionInfo);
-    }
+        if (sessionInfo == null)
+        {
+            return SymmetricKeyEncSessionPacket.createV4Packet(encAlgorithm, s2k, null);
+        }
 
-    @Override
-    public ContainedPacket generateV6(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-        throws PGPException
-    {
-        return generateV6ESK(kekAlgorithm, aeadAlgorithm, sessionInfo);
+        byte[] key = getKey(encAlgorithm);
+        //
+        // the passed in session info has the an RSA/ElGamal checksum added to it, for PBE this is not included.
+        //
+        byte[] nSessionInfo = new byte[sessionInfo.length - 2];
+
+        System.arraycopy(sessionInfo, 0, nSessionInfo, 0, nSessionInfo.length);
+
+        return SymmetricKeyEncSessionPacket.createV4Packet(encAlgorithm, s2k, encryptSessionInfo(encAlgorithm, key, nSessionInfo));
     }
 
-    // If we use this method, roundtripping v5 AEAD is broken.
-    //  TODO: Investigate
-    private ContainedPacket generateV5ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-        throws PGPException
+    public ContainedPacket generateV5(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
+            throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
         byte[] info = new byte[]{
-            (byte)0xC3,
-            (byte)SymmetricKeyEncSessionPacket.VERSION_5,
-            (byte)kekAlgorithm,
-            (byte)aeadAlgorithm
+                (byte)0xC3,
+                (byte)SymmetricKeyEncSessionPacket.VERSION_5,
+                (byte)kekAlgorithm,
+                (byte)aeadAlgorithm
         };
 
         byte[] iv = new byte[AEADUtils.getIVLength(aeadAlgorithm)];
@@ -201,56 +216,31 @@ private ContainedPacket generateV5ESK(int kekAlgorithm, int aeadAlgorithm, byte[
         return SymmetricKeyEncSessionPacket.createV5Packet(kekAlgorithm, aeadAlgorithm, iv, s2k, esk, tag);
     }
 
-    private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey)
+    public ContainedPacket generateV6(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
         throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
         byte[] info = new byte[]{
-            (byte)0xC3,
-            (byte)SymmetricKeyEncSessionPacket.VERSION_6,
-            (byte)kekAlgorithm,
-            (byte)aeadAlgorithm
+                (byte)0xC3,
+                (byte)SymmetricKeyEncSessionPacket.VERSION_6,
+                (byte)kekAlgorithm,
+                (byte)aeadAlgorithm
         };
         byte[] kek = generateV6KEK(kekAlgorithm, ikm, info);
 
         byte[] iv = new byte[AEADUtils.getIVLength(aeadAlgorithm)];
         random.nextBytes(iv);
 
+        byte[] sk = new byte[sessionInfo.length - 3];
+        System.arraycopy(sessionInfo, 1, sk, 0, sk.length);
         int tagLen = AEADUtils.getAuthTagLength(aeadAlgorithm);
-        byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionKey, kek, iv, info);
+        byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sk, kek, iv, info);
         byte[] esk = Arrays.copyOfRange(eskAndTag, 0, eskAndTag.length - tagLen);
         byte[] tag = Arrays.copyOfRange(eskAndTag, esk.length, eskAndTag.length);
 
         return SymmetricKeyEncSessionPacket.createV6Packet(kekAlgorithm, aeadAlgorithm, iv, s2k, esk, tag);
     }
 
-    /**
-     * Generate a V4 SKESK packet.
-     *
-     * @param encAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used
-     * @param sessionInfo  session data generated by the encrypted data generator.
-     * @return v4 SKESK packet
-     * @throws PGPException
-     */
-    public ContainedPacket generate(int encAlgorithm, byte[] sessionInfo)
-        throws PGPException
-    {
-        if (sessionInfo == null)
-        {
-            return SymmetricKeyEncSessionPacket.createV4Packet(encAlgorithm, s2k, null);
-        }
-
-        byte[] key = getKey(encAlgorithm);
-        //
-        // the passed in session info has the an RSA/ElGamal checksum added to it, for PBE this is not included.
-        //
-        byte[] nSessionInfo = new byte[sessionInfo.length - 2];
-
-        System.arraycopy(sessionInfo, 0, nSessionInfo, 0, nSessionInfo.length);
-
-        return SymmetricKeyEncSessionPacket.createV4Packet(encAlgorithm, s2k, encryptSessionInfo(encAlgorithm, key, nSessionInfo));
-    }
-
     protected byte[] getSessionKey(byte[] sessionInfo)
     {
         byte[] sessionKey = new byte[sessionInfo.length - 3];

pg/src/main/java/org/bouncycastle/openpgp/operator/PGPKeyEncryptionMethodGenerator.java

@@ -1,29 +1,11 @@
 package org.bouncycastle.openpgp.operator;
 
-import org.bouncycastle.bcpg.ContainedPacket;
-import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
-import org.bouncycastle.openpgp.PGPException;
 
 /**
  * An encryption method that can be applied to encrypt data in a {@link PGPEncryptedDataGenerator}.
  */
 public abstract class PGPKeyEncryptionMethodGenerator
 {
-    /**
-     * Generates a packet encoding the details of this encryption method.
-     *
-     * @param encAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used
-     * @param sessionInfo session data generated by the encrypted data generator.
-     * @return a packet encoding the provided information and the configuration of this instance.
-     * @throws PGPException if an error occurs constructing the packet.
-     */
-    public abstract ContainedPacket generate(int encAlgorithm, byte[] sessionInfo)
-        throws PGPException;
 
-    public abstract ContainedPacket generateV5(int encAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-        throws PGPException;
-
-    public abstract ContainedPacket generateV6(int encAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-        throws PGPException;
 }

pg/src/main/java/org/bouncycastle/openpgp/operator/PublicKeyKeyEncryptionMethodGenerator.java

@@ -24,7 +24,7 @@ private static boolean getSessionKeyObfuscationDefault()
         return !Properties.isOverrideSetTo(SESSION_KEY_OBFUSCATION_PROPERTY, false);
     }
 
-    private PGPPublicKey pubKey;
+    private final PGPPublicKey pubKey;
 
     protected boolean sessionKeyObfuscation;
     protected boolean useWildcardRecipient;
@@ -102,7 +102,7 @@ public PublicKeyKeyEncryptionMethodGenerator setUseWildcardRecipient(boolean ena
         return this;
     }
 
-    public byte[][] processSessionInfo(
+    public byte[][] encodeEncryptedSessionInfo(
         byte[] encryptedSessionInfo)
         throws PGPException
     {
@@ -155,8 +155,8 @@ private byte[] convertToEncodedMPI(byte[] encryptedSessionInfo)
         }
     }
 
-    public ContainedPacket generate(int encAlgorithm, byte[] sessionInfo)
-        throws PGPException
+    public ContainedPacket generateV3(int encAlgorithm, byte[] sessionInfo)
+            throws PGPException
     {
         long keyId;
         if (useWildcardRecipient)
@@ -167,47 +167,72 @@ public ContainedPacket generate(int encAlgorithm, byte[] sessionInfo)
         {
             keyId = pubKey.getKeyID();
         }
-        return PublicKeyEncSessionPacket.createV3PKESKPacket(keyId, pubKey.getAlgorithm(), processSessionInfo(encryptSessionInfo(pubKey, sessionInfo)));
+        byte[] encryptedSessionInfo = encryptSessionInfoV3(pubKey, sessionInfo);
+        byte[][] encodedEncSessionInfo = encodeEncryptedSessionInfo(encryptedSessionInfo);
+        return PublicKeyEncSessionPacket.createV3PKESKPacket(keyId, pubKey.getAlgorithm(), encodedEncSessionInfo);
     }
 
-    @Override
-    public ContainedPacket generateV5(int encAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
+    public ContainedPacket generateV6(byte[] sessionInfo)
         throws PGPException
     {
-        // TODO: Implement
-        return null;
+        byte[] keyFingerprint;
+        int keyVersion;
+        if (useWildcardRecipient)
+        {
+            keyFingerprint = WILDCARD_FINGERPRINT;
+            keyVersion = 0;
+        }
+        else
+        {
+            keyFingerprint = pubKey.getFingerprint();
+            keyVersion = pubKey.getVersion();
+        }
+        byte[] encryptedSessionInfo = encryptSessionInfoV6(pubKey, sessionInfo);
+        byte[][] encodedEncSessionInfo = encodeEncryptedSessionInfo(encryptedSessionInfo);
+        return PublicKeyEncSessionPacket.createV6PKESKPacket(keyVersion, keyFingerprint, pubKey.getAlgorithm(), encodedEncSessionInfo);
     }
 
-    @Override
-    public ContainedPacket generateV6(int encAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-        throws PGPException
-    {
-        // TODO: Implement
-        return null;
-    }
+    abstract protected byte[] encryptSessionInfoV3(PGPPublicKey pubKey, byte[] sessionInfo)
+        throws PGPException;
 
-    abstract protected byte[] encryptSessionInfo(PGPPublicKey pubKey, byte[] sessionInfo)
+    abstract protected byte[] encryptSessionInfoV6(PGPPublicKey pubKey, byte[] sessionInfo)
         throws PGPException;
 
-    protected static byte[] getSessionInfo(byte[] ephPubEncoding, byte[] c)
+    protected static byte[] concatECDHEphKeyWithWrappedSessionKey(byte[] ephPubEncoding, byte[] wrappedSessionKey)
         throws IOException
     {
-        byte[] VB = new MPInteger(new BigInteger(1, ephPubEncoding)).getEncoded();
+        // https://www.rfc-editor.org/rfc/rfc9580.html#section-11.5-16
+
+        byte[] mpiEncodedEphemeralKey = new MPInteger(new BigInteger(1, ephPubEncoding))
+                .getEncoded();
+        byte[] out = new byte[mpiEncodedEphemeralKey.length + 1 + wrappedSessionKey.length];
+        // eph key
+        System.arraycopy(mpiEncodedEphemeralKey, 0, out, 0, mpiEncodedEphemeralKey.length);
+        // enc session-key len
+        out[mpiEncodedEphemeralKey.length] = (byte) wrappedSessionKey.length;
+        // enc session-key
+        System.arraycopy(wrappedSessionKey, 0, out, mpiEncodedEphemeralKey.length + 1, wrappedSessionKey.length);
+
+        return out;
+    }
 
-        byte[] rv = new byte[VB.length + 1 + c.length];
-        System.arraycopy(VB, 0, rv, 0, VB.length);
-        rv[VB.length] = (byte)c.length;
-        System.arraycopy(c, 0, rv, VB.length + 1, c.length);
-        return rv;
+    private static byte[] getSessionInfo(byte[] ephPubEncoding, int symmetricKeyAlgorithm, byte[] c)
+    {
+        return getSessionInfo(ephPubEncoding, new byte[]{(byte) symmetricKeyAlgorithm}, c);
     }
 
-    protected static byte[] getSessionInfo(byte[] VB, int sysmmetricKeyAlgorithm, byte[] c)
+    protected static byte[] getSessionInfo(byte[] ephPubEncoding, byte[] optSymKeyAlgorithm, byte[] wrappedSessionKey)
     {
-        byte[] rv = new byte[VB.length + 2 + c.length];
-        System.arraycopy(VB, 0, rv, 0, VB.length);
-        rv[VB.length] = (byte)(c.length + 1);
-        rv[VB.length + 1] = (byte)sysmmetricKeyAlgorithm;
-        System.arraycopy(c, 0, rv, VB.length + 2, c.length);
-        return rv;
+        int len = ephPubEncoding.length + 1 + optSymKeyAlgorithm.length + wrappedSessionKey.length;
+        byte[] out = new byte[len];
+        // ephemeral pub key
+        System.arraycopy(ephPubEncoding, 0, out, 0, ephPubEncoding.length);
+        // len of two/one next fields
+        out[ephPubEncoding.length] = (byte) (wrappedSessionKey.length + optSymKeyAlgorithm.length);
+        // (optional) sym key alg
+        System.arraycopy(optSymKeyAlgorithm, 0, out, ephPubEncoding.length + 1, optSymKeyAlgorithm.length);
+        // wrapped session key
+        System.arraycopy(wrappedSessionKey, 0, out, ephPubEncoding.length + 1 + optSymKeyAlgorithm.length, wrappedSessionKey.length);
+        return out;
     }
 }