Merge pull request #55 from wiktor-k/wiktor-k/with-passwords

Allow using symmetric keys for encryption and decryption

Author: wiktor-k

NEXT.md

@@ -4,6 +4,8 @@ v0.1.29
 
 New:
   - `Cert.generate` has a new `profile` parameter. The default is `Profile.RFC4880` which generates widely compatible certificates. The new option - `Profile.RFC9580` - generates newer, v6 certificates. Thanks to @jap for the contribution! [#47]
+  - `encrypt` and `encrypt_file` can use symmetric encryption via the `passwords` argument
+  - `decrypt` and `decrypt_file` can use symmetric encryption via the `passwords` argument
 
 Changed:
 

README.md

@@ -202,6 +202,16 @@ print(f"Encrypted data: {encrypted}")
 
 The `signer` argument is optional and when omitted the function will return an unsigned (but encrypted) message.
 
+Encryption to symmetric keys is available via the `passwords` optional argument:
+
+```python
+from pysequoia import encrypt
+
+content = "content to encrypt".encode("utf8")
+encrypted = encrypt(passwords = ["sekrit"], bytes = content).decode("utf8")
+print(f"Encrypted data: {encrypted}")
+```
+
 ### encrypt_file
 
 Encrypts data from a file and writes the encrypted output to another file:
@@ -269,7 +279,7 @@ def get_certs(key_ids):
 
 decrypted = decrypt(decryptor = receiver.secrets.decryptor("hunter22"), bytes = encrypted, store = get_certs)
 
-assert content == decrypted.bytes.decode("utf8");
+assert content == decrypted.bytes.decode("utf8")
 
 # let's check the valid signature's certificate and signing subkey fingerprints
 assert decrypted.valid_sigs[0].certificate == sender.fingerprint
@@ -278,6 +288,20 @@ assert decrypted.valid_sigs[0].signing_key == sender.fingerprint
 
 Here, the same remarks as to [`verify`](#verify) also apply.
 
+Decryption using symmetric keys is available via the `passwords` optional argument:
+
+```python
+from pysequoia import encrypt
+
+content = "content to encrypt"
+encrypted = encrypt(passwords = ["sekrit"], bytes = content.encode("utf8")).decode("utf8")
+print(f"Encrypted data: {encrypted}")
+decrypted = decrypt(passwords = ["sekrit"], bytes = encrypted.encode("utf-8"))
+print(f"Decrypted bytes: {decrypted.bytes}")
+
+assert content == decrypted.bytes.decode("utf8")
+```
+
 ### decrypt_file
 
 Decrypts data from a file and writes the decrypted output to another file:

src/decrypt.rs

@@ -3,7 +3,7 @@ use std::sync::{Arc, Mutex};
 
 use anyhow::Context;
 use pyo3::prelude::*;
-use sequoia_openpgp::crypto::{Decryptor, SessionKey};
+use sequoia_openpgp::crypto::{Decryptor, Password, SessionKey};
 use sequoia_openpgp::packet::{PKESK, SKESK};
 use sequoia_openpgp::parse::{stream::*, Parse};
 use sequoia_openpgp::policy::StandardPolicy as P;
@@ -14,24 +14,30 @@ use crate::verify::PyVerifier;
 use crate::{Decrypted, ValidSig};
 
 #[pyclass(from_py_object)]
-#[derive(Clone)]
+#[derive(Clone, Default)]
 pub struct PyDecryptor {
-    inner: Arc<Mutex<Box<dyn Decryptor + Send + Sync + 'static>>>,
+    inner: Option<Arc<Mutex<Box<dyn Decryptor + Send + Sync + 'static>>>>,
     verifier: Option<PyVerifier>,
+    passwords: Vec<Password>,
 }
 
 impl PyDecryptor {
     pub fn new(inner: Box<dyn Decryptor + Send + Sync + 'static>) -> Self {
         Self {
-            inner: Arc::new(Mutex::new(inner)),
+            inner: Some(Arc::new(Mutex::new(inner))),
             verifier: None,
+            passwords: Vec::new(),
         }
     }
 
     pub fn set_verifier(&mut self, verifier: impl Into<Option<PyVerifier>>) {
         self.verifier = verifier.into();
     }
 
+    pub fn set_passwords(&mut self, passwords: Vec<String>) {
+        self.passwords = passwords.into_iter().map(Into::into).collect();
+    }
+
     pub fn valid_sigs(self) -> Vec<ValidSig> {
         if let Some(verifier) = self.verifier {
             verifier.valid_sigs()
@@ -42,15 +48,25 @@ impl PyDecryptor {
 }
 
 #[pyfunction]
-#[pyo3(signature = (decryptor, bytes, store=None))]
+#[pyo3(signature = (bytes, decryptor=None, store=None, passwords=vec![]))]
 pub fn decrypt(
-    mut decryptor: PyDecryptor,
     bytes: &[u8],
+    decryptor: Option<PyDecryptor>,
     store: Option<Py<PyAny>>,
+    passwords: Vec<String>,
 ) -> PyResult<Decrypted> {
+    if decryptor.is_none() && passwords.is_empty() {
+        return Err(anyhow::anyhow!(
+            "Either `decryptor` or `passwords` parameter should be given and non-empty."
+        )
+        .into());
+    }
+    let mut decryptor = decryptor.unwrap_or_default();
+    decryptor.set_passwords(passwords);
     if let Some(store) = store {
         decryptor.set_verifier(PyVerifier::from_callback(store));
     }
+
     let policy = &P::new();
 
     let mut decryptor =
@@ -66,13 +82,22 @@ pub fn decrypt(
 }
 
 #[pyfunction]
-#[pyo3(signature = (decryptor, input, output, store=None))]
+#[pyo3(signature = (input, output, decryptor=None, store=None, passwords=vec![]))]
 pub fn decrypt_file(
-    mut decryptor: PyDecryptor,
     input: PathBuf,
     output: PathBuf,
+    decryptor: Option<PyDecryptor>,
     store: Option<Py<PyAny>>,
+    passwords: Vec<String>,
 ) -> PyResult<Decrypted> {
+    if decryptor.is_none() && passwords.is_empty() {
+        return Err(anyhow::anyhow!(
+            "Either `decryptor` or `passwords` parameter should be given and non-empty."
+        )
+        .into());
+    }
+    let mut decryptor = decryptor.unwrap_or_default();
+    decryptor.set_passwords(passwords);
     if let Some(store) = store {
         decryptor.set_verifier(PyVerifier::from_callback(store));
     }
@@ -113,19 +138,31 @@ impl DecryptionHelper for PyDecryptor {
     fn decrypt(
         &mut self,
         pkesks: &[PKESK],
-        _skesks: &[SKESK],
+        skesks: &[SKESK],
         sym_algo: Option<SymmetricAlgorithm>,
         decrypt: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool,
     ) -> sequoia_openpgp::Result<Option<cert::Cert>> {
-        let pair = &mut *self.inner.lock().unwrap();
-
-        for pkesk in pkesks.iter() {
-            if pkesk
-                .decrypt(pair, sym_algo)
-                .map(|(algo, session_key)| decrypt(algo, &session_key))
-                .is_some()
-            {
-                return Ok(None);
+        for skesk in skesks.iter() {
+            for password in self.passwords.iter() {
+                if let Ok((algo, session_key)) = skesk.decrypt(password) {
+                    if decrypt(algo, &session_key) {
+                        return Ok(None);
+                    }
+                }
+            }
+        }
+
+        if let Some(inner) = &mut self.inner {
+            let pair = &mut *inner.lock().unwrap();
+
+            for pkesk in pkesks.iter() {
+                if pkesk
+                    .decrypt(pair, sym_algo)
+                    .map(|(algo, session_key)| decrypt(algo, &session_key))
+                    .is_some()
+                {
+                    return Ok(None);
+                }
             }
         }
 

src/encrypt.rs

@@ -1,4 +1,5 @@
 use std::borrow::Cow;
+use std::fs::File;
 use std::io::Write;
 use std::path::PathBuf;
 
@@ -69,13 +70,21 @@ fn resolve_recipient_keys(recipients: &[PyRef<Cert>]) -> PyResult<Vec<RecipientK
 }
 
 #[pyfunction]
-#[pyo3(signature = (recipients, bytes, signer=None, *, armor=true))]
+#[pyo3(signature = (bytes, recipients=vec![], signer=None, passwords=vec![], *, armor=true))]
 pub fn encrypt(
-    recipients: Vec<PyRef<Cert>>,
     bytes: &[u8],
+    recipients: Vec<PyRef<Cert>>,
     signer: Option<PySigner>,
+    passwords: Vec<String>,
     armor: bool,
 ) -> PyResult<Cow<'static, [u8]>> {
+    if recipients.is_empty() && passwords.is_empty() {
+        return Err(anyhow::anyhow!(
+            "Either `recipients` or `passwords` parameter should be given and non-empty."
+        )
+        .into());
+    }
+
     let recipient_keys = resolve_recipient_keys(&recipients)?;
 
     let mut sink = vec![];
@@ -88,14 +97,15 @@ pub fn encrypt(
         message
     };
 
-    let mut message = Encryptor::for_recipients(
+    let encryptor = Encryptor::for_recipients(
         message,
         recipient_keys
             .iter()
             .map(|(features, key)| Recipient::new(features.clone(), key.key_handle(), key)),
     )
-    .build()
-    .context("Failed to create encryptor")?;
+    .add_passwords(passwords);
+
+    let mut message = encryptor.build().context("Failed to create encryptor")?;
 
     if let Some(signer) = signer {
         message = Signer::new(message, signer)?.build()?;
@@ -112,17 +122,24 @@ pub fn encrypt(
 }
 
 #[pyfunction]
-#[pyo3(signature = (recipients, input, output, signer=None, *, armor=true))]
+#[pyo3(signature = (input, output, recipients=vec![], signer=None, passwords=vec![], *, armor=true))]
 pub fn encrypt_file(
-    recipients: Vec<PyRef<Cert>>,
     input: PathBuf,
     output: PathBuf,
+    recipients: Vec<PyRef<Cert>>,
     signer: Option<PySigner>,
+    passwords: Vec<String>,
     armor: bool,
 ) -> PyResult<()> {
+    if recipients.is_empty() && passwords.is_empty() {
+        return Err(anyhow::anyhow!(
+            "Either `recipients` or `passwords` parameter should be given and non-empty."
+        )
+        .into());
+    }
     let recipient_keys = resolve_recipient_keys(&recipients)?;
 
-    let mut sink = std::fs::File::create(&output).context("Failed to create output file")?;
+    let mut sink = File::create(&output).context("Failed to create output file")?;
 
     let message = Message::new(&mut sink);
 
@@ -138,6 +155,7 @@ pub fn encrypt_file(
             .iter()
             .map(|(features, key)| Recipient::new(features.clone(), key.key_handle(), key)),
     )
+    .add_passwords(passwords)
     .build()
     .context("Failed to create encryptor")?;
 
@@ -148,7 +166,7 @@ pub fn encrypt_file(
         .build()
         .context("Failed to create literal writer")?;
 
-    let mut input_file = std::fs::File::open(&input).context("Failed to open input file")?;
+    let mut input_file = File::open(&input).context("Failed to open input file")?;
     std::io::copy(&mut input_file, &mut message)?;
 
     message.finalize()?;