Merge branch '1913-openpgp-v6-null-pointer' into 'main'

1913 openpgp v6 null pointer

See merge request root/bc-java!43

Author: dghgit

pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataGenerator.java

@@ -88,7 +88,7 @@ public class PGPEncryptedDataGenerator
     private SecureRandom rand;
     // If true, force generation of a session key, even if we only have a single password-based encryption method
     //  and could therefore use the S2K output as session key directly.
-    private boolean forceSessionKey = false;
+    private boolean forceSessionKey = true;
 
     /**
      * Base constructor.
@@ -121,7 +121,9 @@ public PGPEncryptedDataGenerator(PGPDataEncryptorBuilder encryptorBuilder, boole
      * Some versions of PGP always expect a session key, this will force use
      * of a session key even if a single PBE encryptor is provided.
      *
-     * @param forceSessionKey true if a session key should always be used, default is false.
+     * @param forceSessionKey true if a session key should always be used, default is true.
+     * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#section-5.3.1-4">
+     * RFC9580 - Description of the optional encrypted session key field</a>
      */
     public void setForceSessionKey(boolean forceSessionKey)
     {
@@ -217,40 +219,38 @@ private OutputStream open(
         pOut = new BCPGOutputStream(out, !useOldFormat);
 
         byte[] sessionKey;  // session key, either protected by - or directly derived from session key encryption mechanism.
-        byte[] sessionInfo; // sessionKey with prepended alg-id, appended checksum
-
+        byte[] sessionInfo = null; // sessionKey with prepended alg-id, appended checksum, null indicates direct use of S2K output as sessionKey/messageKey
         byte[] messageKey;          // key used to encrypt the message. In OpenPGP v6 this is derived from sessionKey + salt.
 
         boolean directS2K = !forceSessionKey && methods.size() == 1 &&
-            methods.get(0) instanceof PBEKeyEncryptionMethodGenerator;
-        if (directS2K)
-        {
-            sessionKey = ((PBEKeyEncryptionMethodGenerator)methods.get(0)).getKey(defAlgorithm);
-            sessionInfo = null; // null indicates direct use of S2K output as sessionKey/messageKey
-        }
-        else
-        {
-            sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
-            // prepend algorithm, append checksum
-            sessionInfo = createSessionInfo(defAlgorithm, sessionKey);
-        }
-        messageKey = sessionKey;
-
-        // In OpenPGP v6, we need an additional step to derive a message key and IV from the session info.
-        // Since we cannot inject the IV into the data encryptor, we append it to the message key.
-        boolean isV5StyleAEAD = dataEncryptorBuilder.isV5StyleAEAD();
+            methods.get(0) instanceof PBEKeyEncryptionMethodGenerator; // not public key
+        boolean isV5StyleAEAD = dataEncryptorBuilder.isV5StyleAEAD(); //v5
         if (dataEncryptorBuilder.getAeadAlgorithm() != -1 && !isV5StyleAEAD)
         {
+            sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
+            // In OpenPGP v6, we need an additional step to derive a message key and IV from the session info.
+            // Since we cannot inject the IV into the data encryptor, we append it to the message key.
             byte[] info = SymmetricEncIntegrityPacket.createAAData(
                 SymmetricEncIntegrityPacket.VERSION_2,
                 defAlgorithm,
                 dataEncryptorBuilder.getAeadAlgorithm(),
                 dataEncryptorBuilder.getChunkSize());
-
             // messageKey = key and IV, will be separated in the data encryptor
             messageKey = AEADUtil.deriveMessageKeyAndIv(
                 dataEncryptorBuilder.getAeadAlgorithm(), defAlgorithm, sessionKey, salt, info);
         }
+        else if (directS2K)
+        {
+            sessionKey = ((PBEKeyEncryptionMethodGenerator)methods.get(0)).getKey(defAlgorithm);
+            messageKey = sessionKey;
+        }
+        else
+        {
+            sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
+            // prepend algorithm, append checksum
+            sessionInfo = createSessionInfo(defAlgorithm, sessionKey);
+            messageKey = sessionKey;
+        }
 
         PGPDataEncryptor dataEncryptor = dataEncryptorBuilder.build(messageKey);
         digestCalc = dataEncryptor.getIntegrityCalculator();
@@ -269,7 +269,9 @@ private OutputStream open(
                 }
                 else // data is encrypted by v2 SEIPD (AEAD), so write v6 SKESK packet
                 {
-                    writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionInfo);
+                    //https://www.rfc-editor.org/rfc/rfc9580.html#section-3.7.2.1 Table 2
+                    //AEAD(HKDF(S2K(passphrase), info), secrets, packetprefix)
+                    writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionKey);
                 }
             }
             // OpenPGP v4
@@ -320,7 +322,7 @@ private OutputStream open(
             {
                 if (digestCalc != null)
                 {
-                    encOut =  SymmetricEncIntegrityPacket.createVersion1Packet();
+                    encOut = SymmetricEncIntegrityPacket.createVersion1Packet();
                     if (useOldFormat)
                     {
                         throw new PGPException("symmetric-enc-integrity packets not supported in old PGP format");

pg/src/main/java/org/bouncycastle/openpgp/operator/PBEKeyEncryptionMethodGenerator.java

@@ -162,7 +162,7 @@ public byte[] getKey(int encAlgorithm)
 
     @Override
     public ContainedPacket generateV5(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-            throws PGPException
+        throws PGPException
     {
         return generate(kekAlgorithm, sessionInfo);
         // TODO: Implement v5 SKESK creation properly.
@@ -179,44 +179,45 @@ public ContainedPacket generateV6(int kekAlgorithm, int aeadAlgorithm, byte[] se
     // If we use this method, roundtripping v5 AEAD is broken.
     //  TODO: Investigate
     private ContainedPacket generateV5ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-            throws PGPException
+        throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
-        byte[] info = new byte[] {
-                (byte) 0xC3,
-                (byte) SymmetricKeyEncSessionPacket.VERSION_5,
-                (byte) kekAlgorithm,
-                (byte) aeadAlgorithm
+        byte[] info = new byte[]{
+            (byte)0xC3,
+            (byte)SymmetricKeyEncSessionPacket.VERSION_5,
+            (byte)kekAlgorithm,
+            (byte)aeadAlgorithm
         };
 
         byte[] iv = new byte[AEADUtils.getIVLength(aeadAlgorithm)];
         random.nextBytes(iv);
 
         int tagLen = AEADUtils.getAuthTagLength(aeadAlgorithm);
-        byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionInfo, ikm, iv, info);
+        byte[] sessionKey = getSessionKey(sessionInfo);
+        byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionKey, ikm, iv, info);
         byte[] esk = Arrays.copyOfRange(eskAndTag, 0, eskAndTag.length - tagLen);
         byte[] tag = Arrays.copyOfRange(eskAndTag, esk.length, eskAndTag.length);
 
         return SymmetricKeyEncSessionPacket.createV5Packet(kekAlgorithm, aeadAlgorithm, iv, s2k, esk, tag);
     }
 
-    private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-            throws PGPException
+    private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey)
+        throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
-        byte[] info = new byte[] {
-                (byte) 0xC3,
-                (byte) SymmetricKeyEncSessionPacket.VERSION_6,
-                (byte) kekAlgorithm,
-                (byte) aeadAlgorithm
+        byte[] info = new byte[]{
+            (byte)0xC3,
+            (byte)SymmetricKeyEncSessionPacket.VERSION_6,
+            (byte)kekAlgorithm,
+            (byte)aeadAlgorithm
         };
         byte[] kek = generateV6KEK(kekAlgorithm, ikm, info);
 
         byte[] iv = new byte[AEADUtils.getIVLength(aeadAlgorithm)];
         random.nextBytes(iv);
 
         int tagLen = AEADUtils.getAuthTagLength(aeadAlgorithm);
-        byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionInfo, kek, iv, info);
+        byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionKey, kek, iv, info);
         byte[] esk = Arrays.copyOfRange(eskAndTag, 0, eskAndTag.length - tagLen);
         byte[] tag = Arrays.copyOfRange(eskAndTag, esk.length, eskAndTag.length);
 
@@ -227,7 +228,7 @@ private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[
      * Generate a V4 SKESK packet.
      *
      * @param encAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used
-     * @param sessionInfo session data generated by the encrypted data generator.
+     * @param sessionInfo  session data generated by the encrypted data generator.
      * @return v4 SKESK packet
      * @throws PGPException
      */
@@ -250,10 +251,17 @@ public ContainedPacket generate(int encAlgorithm, byte[] sessionInfo)
         return SymmetricKeyEncSessionPacket.createV4Packet(encAlgorithm, s2k, encryptSessionInfo(encAlgorithm, key, nSessionInfo));
     }
 
+    protected byte[] getSessionKey(byte[] sessionInfo)
+    {
+        byte[] sessionKey = new byte[sessionInfo.length - 3];
+        System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
+        return sessionKey;
+    }
+
     abstract protected byte[] encryptSessionInfo(int encAlgorithm, byte[] key, byte[] sessionInfo)
         throws PGPException;
 
-    abstract protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo, byte[] key, byte[] iv, byte[] info)
+    abstract protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey, byte[] key, byte[] iv, byte[] info)
         throws PGPException;
 
     abstract protected byte[] generateV6KEK(int kekAlgorithm, byte[] ikm, byte[] info)

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEKeyEncryptionMethodGenerator.java

@@ -113,12 +113,9 @@ protected byte[] generateV6KEK(int kekAlgorithm, byte[] ikm, byte[] info)
         return BcAEADUtil.generateHKDFBytes(ikm, null, info, SymmetricKeyUtils.getKeyLengthInOctets(kekAlgorithm));
     }
 
-    protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo, byte[] key, byte[] iv, byte[] info)
+    protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey, byte[] key, byte[] iv, byte[] info)
         throws PGPException
     {
-        byte[] sessionKey = new byte[sessionInfo.length - 3];
-        System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
-
         AEADCipher aeadCipher = BcAEADUtil.createAEADCipher(kekAlgorithm, aeadAlgorithm);
         aeadCipher.init(true, new AEADParameters(new KeyParameter(key), 128, iv, info));
         int outLen = aeadCipher.getOutputSize(sessionKey.length);

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePBEKeyEncryptionMethodGenerator.java

@@ -156,12 +156,9 @@ protected byte[] generateV6KEK(int kekAlgorithm, byte[] ikm, byte[] info)
          return JceAEADUtil.generateHKDFBytes(ikm, null, info, SymmetricKeyUtils.getKeyLengthInOctets(kekAlgorithm));
      }
 
-     protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo, byte[] key, byte[] iv, byte[] info)
+     protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey, byte[] key, byte[] iv, byte[] info)
          throws PGPException
      {
-         byte[] sessionKey = new byte[sessionInfo.length - 3];
-         System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
-
          AEADCipher aeadCipher = BcAEADUtil.createAEADCipher(kekAlgorithm, aeadAlgorithm);
          aeadCipher.init(true, new AEADParameters(new KeyParameter(key), 128, iv, info));
          int outLen = aeadCipher.getOutputSize(sessionKey.length);

pg/src/test/java/org/bouncycastle/openpgp/test/PGPAeadTest.java

@@ -44,12 +44,9 @@
 import org.bouncycastle.openpgp.operator.jcajce.JcePBEDataDecryptorFactoryBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcePBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
-import org.bouncycastle.test.DumpUtil;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Exceptions;
-import org.bouncycastle.util.Pack;
 import org.bouncycastle.util.Strings;
-import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.io.Streams;
 import org.bouncycastle.util.test.SimpleTest;
 
@@ -429,7 +426,7 @@ private void testJceDecryption(String armoredMessage, char[] password, byte[] ex
     public static void printHex(byte[] bytes)
     {
         // -DM System.out.println
-        System.out.println(DumpUtil.hexdump(bytes));
+        //System.out.println(DumpUtil.hexdump(bytes));
     }
 
     private static String algNames(int aeadAlg, int symAlg)