Refactor in PGPKeyEncryptionMethodGenerator

Author: gefeili

pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataGenerator.java

@@ -12,9 +12,11 @@
 import org.bouncycastle.bcpg.ContainedPacket;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
 import org.bouncycastle.bcpg.PacketTags;
+import org.bouncycastle.bcpg.PublicKeyEncSessionPacket;
 import org.bouncycastle.bcpg.SymmetricEncDataPacket;
 import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket;
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
+import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket;
 import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPAEADDataEncryptor;
 import org.bouncycastle.openpgp.operator.PGPDataEncryptor;
@@ -284,7 +286,7 @@ else if (directS2K)
                     for (int i = 0; i < methods.size(); i++)
                     {
                         PGPKeyEncryptionMethodGenerator method = methods.get(i);
-                        writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionInfo);
+                        writeOpenPGPv6ESKPacket(method, sessionInfo);
                     }
                     encOut = SymmetricEncIntegrityPacket.createVersion2Packet(
                         dataEncryptorBuilder.getAlgorithm(),
@@ -382,13 +384,14 @@ private void writeOpenPGPv4ESKPacket(PGPKeyEncryptionMethodGenerator m, byte[] s
         if (m instanceof PBEKeyEncryptionMethodGenerator)
         {
             PBEKeyEncryptionMethodGenerator mGen = (PBEKeyEncryptionMethodGenerator)m;
-            ContainedPacket esk = mGen.generateV4(mGen.getSessionKeyWrapperAlgorithm(defAlgorithm), sessionInfo);
+            ContainedPacket esk = mGen.setKekAlgorithm(mGen.getSessionKeyWrapperAlgorithm(defAlgorithm))
+                .generate(SymmetricKeyEncSessionPacket.VERSION_4, sessionInfo);
             pOut.writePacket(esk);
         }
         else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
         {
             PublicKeyKeyEncryptionMethodGenerator mGen = (PublicKeyKeyEncryptionMethodGenerator)m;
-            pOut.writePacket(mGen.generateV3(sessionInfo));
+            pOut.writePacket(mGen.generate(PublicKeyEncSessionPacket.VERSION_3, sessionInfo));
         }
     }
 
@@ -408,16 +411,15 @@ private void writeOpenPGPv5ESKPacket(PGPKeyEncryptionMethodGenerator m, byte[] s
         if (m instanceof PBEKeyEncryptionMethodGenerator)
         {
             PBEKeyEncryptionMethodGenerator mGen = (PBEKeyEncryptionMethodGenerator)m;
-            ContainedPacket esk = mGen.generateV5(
-                mGen.getSessionKeyWrapperAlgorithm(defAlgorithm),
-                dataEncryptorBuilder.getAeadAlgorithm(),
-                sessionInfo);
+            ContainedPacket esk = mGen.setKekAlgorithm(mGen.getSessionKeyWrapperAlgorithm(defAlgorithm))
+                .setAEADAlgorithm(dataEncryptorBuilder.getAeadAlgorithm())
+                .generate(SymmetricKeyEncSessionPacket.VERSION_5, sessionInfo);
             pOut.writePacket(esk);
         }
         else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
         {
             PublicKeyKeyEncryptionMethodGenerator mGen = (PublicKeyKeyEncryptionMethodGenerator)m;
-            pOut.writePacket(mGen.generateV3(sessionInfo));
+            pOut.writePacket(mGen.generate(PublicKeyEncSessionPacket.VERSION_3, sessionInfo));
         }
     }
 
@@ -427,27 +429,25 @@ else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
      * depending on the method generator. This method is used by what can be referred to as OpenPGP v6.
      *
      * @param m             session key encryption method generator.
-     * @param aeadAlgorithm AEAD encryption algorithm
      * @param sessionInfo   session info
      * @throws IOException
      * @throws PGPException
      */
-    private void writeOpenPGPv6ESKPacket(PGPKeyEncryptionMethodGenerator m, int aeadAlgorithm, byte[] sessionInfo)
+    private void writeOpenPGPv6ESKPacket(PGPKeyEncryptionMethodGenerator m, byte[] sessionInfo)
         throws IOException, PGPException
     {
         if (m instanceof PBEKeyEncryptionMethodGenerator)
         {
             PBEKeyEncryptionMethodGenerator mGen = (PBEKeyEncryptionMethodGenerator)m;
-            ContainedPacket esk = mGen.generateV6(
-                mGen.getSessionKeyWrapperAlgorithm(defAlgorithm),
-                aeadAlgorithm,
-                sessionInfo);
+            ContainedPacket esk = mGen.setKekAlgorithm(mGen.getSessionKeyWrapperAlgorithm(defAlgorithm))
+                .setAEADAlgorithm(dataEncryptorBuilder.getAeadAlgorithm())
+                .generate(SymmetricKeyEncSessionPacket.VERSION_6, sessionInfo);
             pOut.writePacket(esk);
         }
         else if (m instanceof PublicKeyKeyEncryptionMethodGenerator)
         {
             PublicKeyKeyEncryptionMethodGenerator mGen = (PublicKeyKeyEncryptionMethodGenerator)m;
-            pOut.writePacket(mGen.generateV6(sessionInfo));
+            pOut.writePacket(mGen.generate(PublicKeyEncSessionPacket.VERSION_6, sessionInfo));
         }
     }
 

pg/src/main/java/org/bouncycastle/openpgp/operator/PBEKeyEncryptionMethodGenerator.java

@@ -30,6 +30,8 @@ public abstract class PBEKeyEncryptionMethodGenerator
     private SecureRandom random;
     private int s2kCount;
     private int wrapAlg = -1;
+    private int kekAlgorithm;
+    private int aeadAlgorithm;
 
     /**
      * Construct a PBE key generator using the default iteration count (<code>0x60</code> == 65536
@@ -115,6 +117,18 @@ public PBEKeyEncryptionMethodGenerator setSessionKeyWrapperAlgorithm(int wrapAlg
         return this;
     }
 
+    public PBEKeyEncryptionMethodGenerator setKekAlgorithm(int kekAlgorithm)
+    {
+        this.kekAlgorithm = kekAlgorithm;
+        return this;
+    }
+
+    public PBEKeyEncryptionMethodGenerator setAEADAlgorithm(int aeadAlgorithm)
+    {
+        this.aeadAlgorithm = aeadAlgorithm;
+        return this;
+    }
+
     /**
      * Return the key wrapping algorithm this PBE key method is associated with.
      *
@@ -160,6 +174,62 @@ public byte[] getKey(int encAlgorithm)
         return PGPUtil.makeKeyFromPassPhrase(s2kDigestCalculator, encAlgorithm, s2k, passPhrase);
     }
 
+    public ContainedPacket generate(int version, byte[] sessionInfo)
+        throws PGPException
+    {
+        if (version == SymmetricKeyEncSessionPacket.VERSION_4)
+        {
+            if (sessionInfo == null)
+            {
+                return SymmetricKeyEncSessionPacket.createV4Packet(kekAlgorithm, s2k, null);
+            }
+
+            byte[] key = getKey(kekAlgorithm);
+            //
+            // the passed in session info has the an RSA/ElGamal checksum added to it, for PBE this is not included.
+            //
+            byte[] nSessionInfo = new byte[sessionInfo.length - 2];
+
+            System.arraycopy(sessionInfo, 0, nSessionInfo, 0, nSessionInfo.length);
+
+            return SymmetricKeyEncSessionPacket.createV4Packet(kekAlgorithm, s2k, encryptSessionInfo(kekAlgorithm, key, nSessionInfo));
+        }
+        else if (version == SymmetricKeyEncSessionPacket.VERSION_5 || version == SymmetricKeyEncSessionPacket.VERSION_6)
+        {
+            byte[] ikm = getKey(kekAlgorithm);
+            byte[] info = new byte[]{
+                (byte)0xC3,
+                (byte)version,
+                (byte)kekAlgorithm,
+                (byte)aeadAlgorithm
+            };
+
+            if (version == 6)
+            {
+                ikm = generateV6KEK(kekAlgorithm, ikm, info); // ikm is kek
+            }
+
+            byte[] iv = new byte[AEADUtils.getIVLength(aeadAlgorithm)];
+            random.nextBytes(iv);
+
+            int tagLen = AEADUtils.getAuthTagLength(aeadAlgorithm);
+            byte[] sessionKey = getSessionKey(sessionInfo);
+            byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionKey, ikm, iv, info);
+            byte[] esk = Arrays.copyOfRange(eskAndTag, 0, eskAndTag.length - tagLen);
+            byte[] tag = Arrays.copyOfRange(eskAndTag, esk.length, eskAndTag.length);
+
+            if (version == SymmetricKeyEncSessionPacket.VERSION_5)
+            {
+                return SymmetricKeyEncSessionPacket.createV5Packet(kekAlgorithm, aeadAlgorithm, iv, s2k, esk, tag);
+            }
+            else
+            {
+                return SymmetricKeyEncSessionPacket.createV6Packet(kekAlgorithm, aeadAlgorithm, iv, s2k, esk, tag);
+            }
+        }
+        throw new PGPException("Unexpected version number");
+    }
+
     /**
      * Generates a version 4 Symmetric-Key-Encrypted-Session-Key (SKESK) packet, encoding the encrypted
      * session-key for this method.
@@ -169,16 +239,15 @@ public byte[] getKey(int encAlgorithm)
      * instead in that case).
      *
      * @param kekAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used to
-     *                    wrap the session key
-     * @param sessionInfo session data generated by the encrypted data generator.
+     *                     wrap the session key
+     * @param sessionInfo  session data generated by the encrypted data generator.
      * @return a packet encoding the provided information and the configuration of this instance.
-     *
      * @throws PGPException if an error occurs constructing the packet.
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#name-version-4-symmetric-key-enc">
-     *     RFC9580 - Symmetric-Key Encrypted Session-Key Packet version 4</a>
+     * RFC9580 - Symmetric-Key Encrypted Session-Key Packet version 4</a>
      */
     public ContainedPacket generateV4(int kekAlgorithm, byte[] sessionInfo)
-            throws PGPException
+        throws PGPException
     {
         if (sessionInfo == null)
         {
@@ -202,25 +271,24 @@ public ContainedPacket generateV4(int kekAlgorithm, byte[] sessionInfo)
      * SKESKv5 packets are used with {@link org.bouncycastle.bcpg.AEADEncDataPacket OCB-Encrypted Data (OED) packets}
      * only.
      *
-     * @param kekAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used to
-     *                    wrap the session key
+     * @param kekAlgorithm  the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used to
+     *                      wrap the session key
      * @param aeadAlgorithm AEAD algorithm ID (MUST be {@link org.bouncycastle.bcpg.AEADAlgorithmTags#OCB})
-     * @param sessionInfo session data generated by the encrypted data generator.
+     * @param sessionInfo   session data generated by the encrypted data generator.
      * @return a packet encoding the provided information and the configuration of this instance.
-     *
      * @throws PGPException if an error occurs constructing the packet.
      * @see <a href="https://www.ietf.org/archive/id/draft-koch-librepgp-02.html#section-5.3-8">
-     *     LibrePGP - Symmetric-Key Encrypted Session-Key Packet version 5</a>
+     * LibrePGP - Symmetric-Key Encrypted Session-Key Packet version 5</a>
      */
     public ContainedPacket generateV5(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
-            throws PGPException
+        throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
         byte[] info = new byte[]{
-                (byte)0xC3,
-                (byte)SymmetricKeyEncSessionPacket.VERSION_5,
-                (byte)kekAlgorithm,
-                (byte)aeadAlgorithm
+            (byte)0xC3,
+            (byte)SymmetricKeyEncSessionPacket.VERSION_5,
+            (byte)kekAlgorithm,
+            (byte)aeadAlgorithm
         };
 
         byte[] iv = new byte[AEADUtils.getIVLength(aeadAlgorithm)];
@@ -242,25 +310,24 @@ public ContainedPacket generateV5(int kekAlgorithm, int aeadAlgorithm, byte[] se
      * version 2 only.
      * A SKESKv6 packet MUST NOT precede a SEIPDv1, OED or SED packet.
      *
-     * @param kekAlgorithm the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used to
-     *                     wrap the session key
+     * @param kekAlgorithm  the {@link SymmetricKeyAlgorithmTags encryption algorithm} being used to
+     *                      wrap the session key
      * @param aeadAlgorithm AEAD algorithm ID
-     * @param sessionInfo session data generated by the encrypted data generator.
+     * @param sessionInfo   session data generated by the encrypted data generator.
      * @return a packet encoding the provided information and the configuration of this instance.
-     *
      * @throws PGPException if an error occurs constructing the packet.
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9580.html#name-version-6-symmetric-key-enc">
-     *     RFC9580 - Symmetric-Key Encrypted Session-Key Packet version 6</a>
+     * RFC9580 - Symmetric-Key Encrypted Session-Key Packet version 6</a>
      */
     public ContainedPacket generateV6(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
         throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
         byte[] info = new byte[]{
-                (byte)0xC3,
-                (byte)SymmetricKeyEncSessionPacket.VERSION_6,
-                (byte)kekAlgorithm,
-                (byte)aeadAlgorithm
+            (byte)0xC3,
+            (byte)SymmetricKeyEncSessionPacket.VERSION_6,
+            (byte)kekAlgorithm,
+            (byte)aeadAlgorithm
         };
         byte[] kek = generateV6KEK(kekAlgorithm, ikm, info);
 

pg/src/main/java/org/bouncycastle/openpgp/operator/PGPKeyEncryptionMethodGenerator.java

@@ -1,11 +1,14 @@
 package org.bouncycastle.openpgp.operator;
 
+import org.bouncycastle.bcpg.ContainedPacket;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
+import org.bouncycastle.openpgp.PGPException;
 
 /**
  * An encryption method that can be applied to encrypt data in a {@link PGPEncryptedDataGenerator}.
  */
 public interface PGPKeyEncryptionMethodGenerator
 {
-
+    ContainedPacket generate(int version, byte[] sessionInfo)
+        throws PGPException;
 }

pg/src/main/java/org/bouncycastle/openpgp/operator/PublicKeyKeyEncryptionMethodGenerator.java

@@ -164,6 +164,49 @@ private byte[] convertToEncodedMPI(byte[] encryptedSessionInfo)
         }
     }
 
+    public ContainedPacket generate(int version, byte[] sessionInfo)
+        throws PGPException
+    {
+        if (version == PublicKeyEncSessionPacket.VERSION_3)
+        {
+            long keyId;
+            if (useWildcardRecipient)
+            {
+                keyId = WILDCARD_KEYID;
+            }
+            else
+            {
+                keyId = pubKey.getKeyID();
+            }
+            byte[] encryptedSessionInfo = encryptSessionInfo(pubKey, sessionInfo, sessionInfo, sessionInfo[0]);
+            byte[][] encodedEncSessionInfo = encodeEncryptedSessionInfo(encryptedSessionInfo);
+            return PublicKeyEncSessionPacket.createV3PKESKPacket(keyId, pubKey.getAlgorithm(), encodedEncSessionInfo);
+        }
+        else if (version == PublicKeyEncSessionPacket.VERSION_6)
+        {
+            byte[] keyFingerprint;
+            int keyVersion;
+            if (useWildcardRecipient)
+            {
+                keyFingerprint = WILDCARD_FINGERPRINT;
+                keyVersion = 0;
+            }
+            else
+            {
+                keyFingerprint = pubKey.getFingerprint();
+                keyVersion = pubKey.getVersion();
+            }
+            // In V6, do not include the symmetric-key algorithm in the session-info
+            byte[] sessionInfoWithoutAlgId = new byte[sessionInfo.length - 1];
+            System.arraycopy(sessionInfo, 1, sessionInfoWithoutAlgId, 0, sessionInfoWithoutAlgId.length);
+
+            byte[] encryptedSessionInfo = encryptSessionInfo(pubKey, sessionInfo, sessionInfoWithoutAlgId, (byte)0);
+            byte[][] encodedEncSessionInfo = encodeEncryptedSessionInfo(encryptedSessionInfo);
+            return PublicKeyEncSessionPacket.createV6PKESKPacket(keyVersion, keyFingerprint, pubKey.getAlgorithm(), encodedEncSessionInfo);
+        }
+        throw new PGPException("Unexpected version number");
+    }
+
     /**
      * Generate a Public-Key Encrypted Session-Key (PKESK) packet of version 3.
      * PKESKv3 packets are used with Symmetrically-Encrypted-Integrity-Protected Data (SEIPD) packets of