Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

pg/src/main/java/org/bouncycastle/bcpg/PublicKeyEncSessionPacket.java

@@ -60,12 +60,23 @@ else if (version == VERSION_6)
                 // anon recipient
                 keyVersion = 0;
                 keyFingerprint = new byte[0];
+                keyID = 0L;
             }
             else
             {
                 keyVersion = in.read();
                 keyFingerprint = new byte[keyInfoLen - 1];
                 in.readFully(keyFingerprint);
+                // Derived key-ID from fingerprint
+                // TODO: Replace with getKeyIdentifier
+                if (keyVersion == PublicKeyPacket.VERSION_4)
+                {
+                    keyID = FingerprintUtil.keyIdFromV4Fingerprint(keyFingerprint);
+                }
+                else
+                {
+                    keyID = FingerprintUtil.keyIdFromV6Fingerprint(keyFingerprint);
+                }
             }
         }
         else

pg/src/main/java/org/bouncycastle/bcpg/SignatureSubpacketInputStream.java

@@ -12,6 +12,7 @@
 import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.KeyFlags;
+import org.bouncycastle.bcpg.sig.LibrePGPPreferredEncryptionModes;
 import org.bouncycastle.bcpg.sig.NotationData;
 import org.bouncycastle.bcpg.sig.PolicyURI;
 import org.bouncycastle.bcpg.sig.PreferredAEADCiphersuites;
@@ -151,6 +152,8 @@ else if (flags[StreamUtil.flag_partial])
         case PREFERRED_HASH_ALGS:
         case PREFERRED_SYM_ALGS:
             return new PreferredAlgorithms(type, isCritical, isLongLength, data);
+        case LIBREPGP_PREFERRED_ENCRYPTION_MODES:
+            return new LibrePGPPreferredEncryptionModes(isCritical, isLongLength, data);
         case PREFERRED_AEAD_ALGORITHMS:
             return new PreferredAEADCiphersuites(isCritical, isLongLength, data);
         case PREFERRED_KEY_SERV:

pg/src/main/java/org/bouncycastle/bcpg/SignatureSubpacketTags.java

@@ -30,8 +30,9 @@ public interface SignatureSubpacketTags
     int SIGNATURE_TARGET = 31;     // signature target
     int EMBEDDED_SIGNATURE = 32;   // embedded signature
     int ISSUER_FINGERPRINT = 33;   // issuer key fingerprint
-//  public static final int PREFERRED_AEAD_ALGORITHMS = 34; // RESERVED since rfc9580
-int INTENDED_RECIPIENT_FINGERPRINT = 35;   // intended recipient fingerprint
+    int LIBREPGP_PREFERRED_ENCRYPTION_MODES = 34;
+//  public static final int PREFERRED_AEAD_ALGORITHMS = 34;// RESERVED since rfc9580
+    int INTENDED_RECIPIENT_FINGERPRINT = 35;   // intended recipient fingerprint
     int ATTESTED_CERTIFICATIONS = 37;   // attested certifications (RESERVED)
     int KEY_BLOCK = 38;            // Key Block (RESERVED)
     int PREFERRED_AEAD_ALGORITHMS = 39;   // preferred AEAD algorithms

pg/src/main/java/org/bouncycastle/bcpg/SymmetricKeyEncSessionPacket.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.bcpg;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.EOFException;
 import java.io.IOException;
@@ -19,6 +18,7 @@ public class SymmetricKeyEncSessionPacket
 
     /**
      * Version 5 SKESK packet.
+     * LibrePGP only.
      * Used only with {@link AEADEncDataPacket AED} packets.
      */
     public static final int VERSION_5 = 5;
@@ -40,11 +40,12 @@ public class SymmetricKeyEncSessionPacket
     private byte[] authTag;          // V5, V6
 
     public SymmetricKeyEncSessionPacket(
-            BCPGInputStream in)
-            throws IOException
+        BCPGInputStream in)
+        throws IOException
     {
         this(in, false);
     }
+
     public SymmetricKeyEncSessionPacket(
         BCPGInputStream in,
         boolean newPacketFormat)
@@ -63,30 +64,28 @@ public SymmetricKeyEncSessionPacket(
         }
         else if (version == VERSION_5 || version == VERSION_6)
         {
-            // https://www.rfc-editor.org/rfc/rfc9580.html#section-5.3.2-3.2.1
-            // SymAlg + AEADAlg + S2KCount + S2K + IV
-            int next5Fields5Count = in.read();
+            int ivLen = 0;
+            if (version == VERSION_6)
+            {
+                // https://www.rfc-editor.org/rfc/rfc9580.html#section-5.3.2-3.2.1
+                // SymAlg + AEADAlg + S2KCount + S2K + IV
+                ivLen = in.read(); // next5Fields5Count
+            }
             encAlgorithm = in.read();
             aeadAlgorithm = in.read();
+            if (version == VERSION_6)
+            {
+                // https://www.rfc-editor.org/rfc/rfc9580.html#section-5.3.2-3.5.1
+                int s2kOctetCount = in.read();
+                ivLen = ivLen - 3 - s2kOctetCount;
+            }
+            else
+            {
+                ivLen = AEADUtils.getIVLength(aeadAlgorithm);
+            }
 
-            // https://www.rfc-editor.org/rfc/rfc9580.html#section-5.3.2-3.5.1
-            int s2kOctetCount = in.read();
-
-            //TODO: use this line to replace the following code?
             s2k = new S2K(in);
-//            s2kBytes = new byte[s2kOctetCount];
-//            in.readFully(s2kBytes);
-//            try
-//            {
-//                s2k = new S2K(new ByteArrayInputStream(s2kBytes));
-//            }
-//            catch (UnsupportedPacketVersionException e)
-//            {
-//
-//                // We gracefully catch the error.
-//            }
-
-            int ivLen = next5Fields5Count - 3 - s2kOctetCount;
+
             iv = new byte[ivLen]; // also called nonce
             if (in.read(iv) != iv.length)
             {
@@ -108,7 +107,6 @@ else if (version == VERSION_5 || version == VERSION_6)
         {
             throw new UnsupportedPacketVersionException("Unsupported PGP symmetric-key encrypted session key packet version encountered: " + version);
         }
-
     }
 
     /**
@@ -361,4 +359,4 @@ else if (version == VERSION_5 || version == VERSION_6)
 
         out.writePacket(hasNewPacketFormat(), SYMMETRIC_KEY_ENC_SESSION, bOut.toByteArray());
     }
-}
+}

pg/src/main/java/org/bouncycastle/bcpg/sig/LibrePGPPreferredEncryptionModes.java

@@ -0,0 +1,23 @@
+package org.bouncycastle.bcpg.sig;
+
+import org.bouncycastle.bcpg.SignatureSubpacketTags;
+
+/**
+ * This is a deprecated LibrePGP signature subpacket with encryption mode numbers to indicate which modes
+ * the key holder prefers to use with OCB Encrypted Data Packets ({@link org.bouncycastle.bcpg.AEADEncDataPacket}).
+ *  Implementations SHOULD ignore this subpacket and assume {@link org.bouncycastle.bcpg.AEADAlgorithmTags#OCB}.
+ */
+public class LibrePGPPreferredEncryptionModes
+        extends PreferredAlgorithms
+{
+
+    public LibrePGPPreferredEncryptionModes(boolean isCritical, int[] encryptionModes)
+    {
+        this(isCritical, false, intToByteArray(encryptionModes));
+    }
+
+    public LibrePGPPreferredEncryptionModes(boolean critical, boolean isLongLength, byte[] data)
+    {
+        super(SignatureSubpacketTags.LIBREPGP_PREFERRED_ENCRYPTION_MODES, critical, isLongLength, data);
+    }
+}

pg/src/main/java/org/bouncycastle/bcpg/sig/PreferredAEADCiphersuites.java

@@ -4,6 +4,9 @@
 import org.bouncycastle.bcpg.SignatureSubpacketTags;
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
 
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * Signature Subpacket containing the AEAD cipher suites (AEAD algorithm, Symmetric Key Algorithm pairs)
  * preferred by the key holder's implementation.
@@ -153,6 +156,51 @@ private static byte[] requireEven(byte[] encodedCombinations)
         return encodedCombinations;
     }
 
+    /**
+     * Return a {@link Builder} for constructing a {@link PreferredAEADCiphersuites} packet.
+     * @param isCritical true if the packet is considered critical.
+     * @return builder
+     */
+    public static Builder builder(boolean isCritical)
+    {
+        return new Builder(isCritical);
+    }
+
+    public static final class Builder
+    {
+
+        private final List<Combination> combinations = new ArrayList<>();
+        private final boolean isCritical;
+
+        private Builder(boolean isCritical)
+        {
+            this.isCritical = isCritical;
+        }
+
+        /**
+         * Add a combination of cipher- and AEAD algorithm to the list of supported ciphersuites.
+         * @see SymmetricKeyAlgorithmTags for cipher algorithms
+         * @see AEADAlgorithmTags for AEAD algorithms
+         * @param symmetricAlgorithmId symmetric cipher algorithm ID
+         * @param aeadAlgorithmId AEAD algorithm ID
+         * @return builder
+         */
+        public Builder addCombination(int symmetricAlgorithmId, int aeadAlgorithmId)
+        {
+            combinations.add(new Combination(symmetricAlgorithmId, aeadAlgorithmId));
+            return this;
+        }
+
+        /**
+         * Build a {@link PreferredAEADCiphersuites} from this builder.
+         * @return finished packet
+         */
+        public PreferredAEADCiphersuites build()
+        {
+            return new PreferredAEADCiphersuites(isCritical, combinations.toArray(new Combination[0]));
+        }
+    }
+
     /**
      * Algorithm combination of a {@link SymmetricKeyAlgorithmTags} and a {@link AEADAlgorithmTags}.
      */

pg/src/main/java/org/bouncycastle/bcpg/sig/PreferredAlgorithms.java

@@ -27,7 +27,7 @@
 public class PreferredAlgorithms 
     extends SignatureSubpacket
 {    
-    private static byte[] intToByteArray(
+    protected static byte[] intToByteArray(
         int[]    v)
     {
         byte[]    data = new byte[v.length];

pg/src/main/java/org/bouncycastle/openpgp/PGPPublicKey.java

@@ -70,7 +70,7 @@ else if (publicPk.getVersion() == PublicKeyPacket.VERSION_4)
         {
             this.keyID = Pack.bigEndianToLong(fingerprint, fingerprint.length - 8);
         }
-        else if (publicPk.getVersion() == PublicKeyPacket.VERSION_6)
+        else if (publicPk.getVersion() == PublicKeyPacket.LIBREPGP_5 || publicPk.getVersion() ==  PublicKeyPacket.VERSION_6)
         {
             this.keyID = Pack.bigEndianToLong(fingerprint, 0);
         }

pg/src/main/java/org/bouncycastle/openpgp/PGPPublicKeyEncryptedData.java

@@ -84,13 +84,13 @@ public int getSymmetricAlgorithm(
     {
         if (keyData.getVersion() == PublicKeyEncSessionPacket.VERSION_3)
         {
-            byte[] plain = dataDecryptorFactory.recoverSessionData(keyData.getAlgorithm(), keyData.getEncSessionKey());
+            byte[] plain = dataDecryptorFactory.recoverSessionData(keyData, encData);
             // symmetric cipher algorithm is stored in first octet of session data
             return plain[0];
         }
         else if (keyData.getVersion() == PublicKeyEncSessionPacket.VERSION_6)
         {
-            // PKESK v5 stores the cipher algorithm in the SEIPD v2 packet fields.
+            // PKESK v6 stores the cipher algorithm in the SEIPD v2 packet fields.
             return ((SymmetricEncIntegrityPacket)encData).getCipherAlgorithm();
         }
         else
@@ -110,16 +110,57 @@ public PGPSessionKey getSessionKey(
         PublicKeyDataDecryptorFactory dataDecryptorFactory)
         throws PGPException
     {
-        byte[] sessionData = dataDecryptorFactory.recoverSessionData(keyData.getAlgorithm(), keyData.getEncSessionKey());
-        if (keyData.getAlgorithm() == PublicKeyAlgorithmTags.X25519 || keyData.getAlgorithm() == PublicKeyAlgorithmTags.X448)
+        byte[] sessionInfo = dataDecryptorFactory.recoverSessionData(keyData, encData);
+
+        // Confirm and discard checksum
+        if (containsChecksum(keyData.getAlgorithm()))
+        {
+            if (!confirmCheckSum(sessionInfo))
+            {
+                throw new PGPException("Key checksum failed.");
+            }
+            sessionInfo = Arrays.copyOf(sessionInfo, sessionInfo.length - 2);
+        }
+
+        byte[] sessionKey = Arrays.copyOfRange(sessionInfo, 1, sessionInfo.length);
+        int algorithm;
+
+        // OCB (LibrePGP v5 style AEAD)
+        if (encData instanceof AEADEncDataPacket)
         {
-            return new PGPSessionKey(sessionData[0] & 0xff, Arrays.copyOfRange(sessionData, 1, sessionData.length));
+            algorithm = ((AEADEncDataPacket) encData).getAlgorithm();
+        }
+
+        // SEIPD (OpenPGP v4 / OpenPGP v6)
+        else if (encData instanceof SymmetricEncIntegrityPacket)
+        {
+            SymmetricEncIntegrityPacket seipd = (SymmetricEncIntegrityPacket) encData;
+            if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_1)
+            {
+                algorithm = sessionInfo[0];
+            }
+            else if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_2)
+            {
+                algorithm = seipd.getCipherAlgorithm();
+            }
+            else
+            {
+                throw new UnsupportedPacketVersionException("Unsupported SEIPD packet version: " + seipd.getVersion());
+            }
         }
-        if (!confirmCheckSum(sessionData))
+        // SED (Legacy, no integrity protection!)
+        else
         {
-            throw new PGPKeyValidationException("key checksum failed");
+            algorithm = sessionInfo[0];
         }
-        return new PGPSessionKey(sessionData[0] & 0xff, Arrays.copyOfRange(sessionData, 1, sessionData.length - 2));
+
+        return new PGPSessionKey(algorithm & 0xff, sessionKey);
+    }
+
+    private boolean containsChecksum(int algorithm)
+    {
+        return algorithm != PublicKeyAlgorithmTags.X25519 &&
+                algorithm != PublicKeyAlgorithmTags.X448;
     }
 
     /**
@@ -181,13 +222,38 @@ private InputStream getDataStream(
                 }
                 else
                 {
-                    boolean withIntegrityPacket = encData instanceof SymmetricEncIntegrityPacket;
 
-                    PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(withIntegrityPacket, sessionKey.getAlgorithm(), sessionKey.getKey());
+                    if (encData instanceof SymmetricEncIntegrityPacket)
+                    {
+                        SymmetricEncIntegrityPacket seipd = (SymmetricEncIntegrityPacket) encData;
+                        // SEIPD v1 (OpenPGP v4)
+                        if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_1)
+                        {
+                            PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(true, sessionKey.getAlgorithm(), sessionKey.getKey());
 
-                    BCPGInputStream encIn = encData.getInputStream();
+                            BCPGInputStream encIn = encData.getInputStream();
 
-                    processSymmetricEncIntegrityPacketDataStream(withIntegrityPacket, dataDecryptor, encIn);
+                            processSymmetricEncIntegrityPacketDataStream(true, dataDecryptor, encIn);
+                        }
+                        // SEIPD v2 (OpenPGP v6 AEAD)
+                        else
+                        {
+                            PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(seipd, sessionKey);
+
+                            BCPGInputStream encIn = encData.getInputStream();
+
+                            encStream = new BCPGInputStream(dataDecryptor.getInputStream(encIn));
+                        }
+                    }
+                    // SED (Symmetrically Encrypted Data without Integrity Protection; Deprecated)
+                    else
+                    {
+                        PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(false, sessionKey.getAlgorithm(), sessionKey.getKey());
+
+                        BCPGInputStream encIn = encData.getInputStream();
+
+                        processSymmetricEncIntegrityPacketDataStream(false, dataDecryptor, encIn);
+                    }
 
                     //
                     // some versions of PGP appear to produce 0 for the extra