summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHarsh Shandilya <me@msfjarvis.dev>2023-06-19 21:50:38 +0530
committerHarsh Shandilya <me@msfjarvis.dev>2023-06-19 21:50:38 +0530
commite0a0ca9be04592a1d738bb946844e67b7e14e2ac (patch)
tree3d50ed430f44c360134adaf9a1889228c07fbe0e
parente8a9944522e6948662075f3818fba64f0f635ecf (diff)
fix(pgpainless): add metadata test to decryption step
-rw-r--r--crypto-pgpainless/src/main/kotlin/app/passwordstore/crypto/PGPainlessCryptoHandler.kt34
1 files changed, 21 insertions, 13 deletions
diff --git a/crypto-pgpainless/src/main/kotlin/app/passwordstore/crypto/PGPainlessCryptoHandler.kt b/crypto-pgpainless/src/main/kotlin/app/passwordstore/crypto/PGPainlessCryptoHandler.kt
index cf29931b..a7087acf 100644
--- a/crypto-pgpainless/src/main/kotlin/app/passwordstore/crypto/PGPainlessCryptoHandler.kt
+++ b/crypto-pgpainless/src/main/kotlin/app/passwordstore/crypto/PGPainlessCryptoHandler.kt
@@ -19,6 +19,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection
import org.bouncycastle.openpgp.PGPSecretKeyRing
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection
+import org.bouncycastle.util.io.Streams
import org.pgpainless.PGPainless
import org.pgpainless.decryption_verification.ConsumerOptions
import org.pgpainless.encryption_signing.EncryptionOptions
@@ -53,14 +54,21 @@ public class PGPainlessCryptoHandler @Inject constructor() :
.map { key -> PGPainless.readKeyRing().secretKeyRing(key.contents) }
.run(::PGPSecretKeyRingCollection)
val protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(passphrase))
- PGPainless.decryptAndOrVerify()
- .onInputStream(ciphertextStream)
- .withOptions(
- ConsumerOptions()
- .addDecryptionKeys(keyringCollection, protector)
- .addDecryptionPassphrase(Passphrase.fromPassword(passphrase))
- )
- .use { decryptionStream -> decryptionStream.copyTo(outputStream) }
+ val decryptionStream =
+ PGPainless.decryptAndOrVerify()
+ .onInputStream(ciphertextStream)
+ .withOptions(
+ ConsumerOptions()
+ .addDecryptionKeys(keyringCollection, protector)
+ .addDecryptionPassphrase(Passphrase.fromPassword(passphrase))
+ )
+ Streams.pipeAll(decryptionStream, outputStream)
+ decryptionStream.close()
+ keyringCollection.forEach { keyRing ->
+ check(decryptionStream.metadata.isEncryptedFor(keyRing)) {
+ "Stream should be encrypted for ${keyRing.secretKey.keyID} but wasn't"
+ }
+ }
return@runCatching
}
.mapError { error ->
@@ -106,12 +114,12 @@ public class PGPainlessCryptoHandler @Inject constructor() :
val producerOptions =
ProducerOptions.encrypt(encryptionOptions)
.setAsciiArmor(options.isOptionEnabled(PGPEncryptOptions.ASCII_ARMOR))
- val encryptor =
+ val encryptionStream =
PGPainless.encryptAndOrSign().onOutputStream(outputStream).withOptions(producerOptions)
- plaintextStream.copyTo(encryptor)
- encryptor.close()
- val result = encryptor.result
- publicKeyRingCollection.keyRings.forEach { keyRing ->
+ Streams.pipeAll(plaintextStream, encryptionStream)
+ encryptionStream.close()
+ val result = encryptionStream.result
+ publicKeyRingCollection.forEach { keyRing ->
require(result.isEncryptedFor(keyRing)) {
"Stream should be encrypted for ${keyRing.publicKey.keyID} but wasn't"
}