Switch new PGP backend to use PGPainless (#1522)

* crypto-pgpainless: init * crypto-pgpainless: add an opinionated CryptoHandler impl * app: migrate to crypto-pgpainless * crypto-pgp: remove * github: remove now unused instrumentation tests job * crypto-common: fixup package names * wip(crypto-pgpainless): add `PGPKeyPair` and `PGPKeyManager` Signed-off-by: Aditya Wasan <adityawasan55@gmail.com> (cherry picked from commit 02d07e9e797a8600cc8c534a731dfffcc44cfdde) * crypto-pgpainless: use hex-encoded key IDs * crypto-pgpainless: replace legacy Gopenpgp-generated key file * crypto-pgpainless: fix CryptoConstants source set * crypto-pgpainless: fix tests * crypto-pgpainless: reinstate PGPKeyManager tests Co-authored-by: Aditya Wasan <adityawasan55@gmail.com>
author: Harsh Shandilya <me@msfjarvis.dev> 2021-10-23 17:02:50 +0530
committer: GitHub <noreply@github.com> 2021-10-23 17:02:50 +0530
commit: aac74ae4515aa1d746f46287029441f5a945c98e (patch)
tree: 9d23e06592ecd884d6b58dd089692d9e4224a3f9 /crypto-pgpainless/src/main
parent: 21c8653e6815ca34574e783a5ce7ac783b188228 (diff)
3 files changed, 212 insertions, 0 deletions
diff --git a/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPKeyManager.kt b/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPKeyManager.kt
new file mode 100644
index 00000000..fd886843
--- /dev/null
+++ b/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPKeyManager.kt
@@ -0,0 +1,112 @@
+/*
+ * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved.
+ * SPDX-License-Identifier: GPL-3.0-only
+ */
+
+package dev.msfjarvis.aps.crypto
+
+import androidx.annotation.VisibleForTesting
+import com.github.michaelbull.result.Result
+import com.github.michaelbull.result.runCatching
+import java.io.File
+import kotlinx.coroutines.CoroutineDispatcher
+import kotlinx.coroutines.withContext
+import org.pgpainless.PGPainless
+
+public class PGPKeyManager(
+  filesDir: String,
+  private val dispatcher: CoroutineDispatcher,
+) : KeyManager<PGPKeyPair> {
+
+  private val keyDir = File(filesDir, KEY_DIR_NAME)
+
+  override suspend fun addKey(key: PGPKeyPair, replace: Boolean): Result<PGPKeyPair, Throwable> =
+    withContext(dispatcher) {
+      runCatching {
+        if (!keyDirExists()) throw KeyManagerException.KeyDirectoryUnavailableException
+        val keyFile = File(keyDir, "${key.getKeyId()}.$KEY_EXTENSION")
+        if (keyFile.exists()) {
+          // Check for replace flag first and if it is false, throw an error
+          if (!replace) throw KeyManagerException.KeyAlreadyExistsException(key.getKeyId())
+          if (!keyFile.delete()) throw KeyManagerException.KeyDeletionFailedException
+        }
+
+        keyFile.writeBytes(key.getPrivateKey())
+
+        key
+      }
+    }
+
+  override suspend fun removeKey(key: PGPKeyPair): Result<PGPKeyPair, Throwable> =
+    withContext(dispatcher) {
+      runCatching {
+        if (!keyDirExists()) throw KeyManagerException.KeyDirectoryUnavailableException
+        val keyFile = File(keyDir, "${key.getKeyId()}.$KEY_EXTENSION")
+        if (keyFile.exists()) {
+          if (!keyFile.delete()) throw KeyManagerException.KeyDeletionFailedException
+        }
+
+        key
+      }
+    }
+
+  override suspend fun getKeyById(id: String): Result<PGPKeyPair, Throwable> =
+    withContext(dispatcher) {
+      runCatching {
+        if (!keyDirExists()) throw KeyManagerException.KeyDirectoryUnavailableException
+        val keys = keyDir.listFiles()
+        if (keys.isNullOrEmpty()) throw KeyManagerException.NoKeysAvailableException
+
+        for (keyFile in keys) {
+          val secretKeyRing = PGPainless.readKeyRing().secretKeyRing(keyFile.inputStream())
+          val secretKey = secretKeyRing.secretKey
+          val keyPair = PGPKeyPair(secretKey)
+          if (keyPair.getKeyId() == id) return@runCatching keyPair
+        }
+
+        throw KeyManagerException.KeyNotFoundException(id)
+      }
+    }
+
+  override suspend fun getAllKeys(): Result<List<PGPKeyPair>, Throwable> =
+    withContext(dispatcher) {
+      runCatching {
+        if (!keyDirExists()) throw KeyManagerException.KeyDirectoryUnavailableException
+        val keys = keyDir.listFiles()
+        if (keys.isNullOrEmpty()) return@runCatching listOf()
+
+        keys
+          .map { keyFile ->
+            val secretKeyRing = PGPainless.readKeyRing().secretKeyRing(keyFile.inputStream())
+            val secretKey = secretKeyRing.secretKey
+
+            PGPKeyPair(secretKey)
+          }
+          .toList()
+      }
+    }
+
+  override fun canHandle(fileName: String): Boolean {
+    // TODO: This is a temp hack for now and in future it should check that the GPGKeyManager can
+    // decrypt the file
+    return fileName.endsWith(KEY_EXTENSION)
+  }
+
+  private fun keyDirExists(): Boolean {
+    return keyDir.exists() || keyDir.mkdirs()
+  }
+
+  public companion object {
+
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    internal const val KEY_DIR_NAME: String = "keys"
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    internal const val KEY_EXTENSION: String = "key"
+
+    @JvmStatic
+    public fun makeKey(armoredKey: String): PGPKeyPair {
+      val secretKey = PGPainless.readKeyRing().secretKeyRing(armoredKey).secretKey
+      return PGPKeyPair(secretKey)
+    }
+  }
+}
diff --git a/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPKeyPair.kt b/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPKeyPair.kt
new file mode 100644
index 00000000..03bcf515
--- /dev/null
+++ b/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPKeyPair.kt
@@ -0,0 +1,31 @@
+/*
+ * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved.
+ * SPDX-License-Identifier: GPL-3.0-only
+ */
+
+package dev.msfjarvis.aps.crypto
+
+import org.bouncycastle.openpgp.PGPSecretKey
+
+public class PGPKeyPair(private val secretKey: PGPSecretKey) : KeyPair {
+
+  init {
+    if (secretKey.isPrivateKeyEmpty) throw KeyPairException.PrivateKeyUnavailableException
+  }
+
+  override fun getPrivateKey(): ByteArray {
+    return secretKey.encoded
+  }
+  override fun getPublicKey(): ByteArray {
+    return secretKey.publicKey.encoded
+  }
+  override fun getKeyId(): String {
+    var keyId = secretKey.keyID.toString(radix = 16)
+    if (keyId.length < KEY_ID_LENGTH) keyId = "0$keyId"
+    return keyId
+  }
+
+  private companion object {
+    private const val KEY_ID_LENGTH = 16
+  }
+}
diff --git a/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPainlessCryptoHandler.kt b/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPainlessCryptoHandler.kt
new file mode 100644
index 00000000..3276b995
--- /dev/null
+++ b/crypto-pgpainless/src/main/kotlin/dev/msfjarvis/aps/crypto/PGPainlessCryptoHandler.kt
@@ -0,0 +1,69 @@
+/*
+ * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved.
+ * SPDX-License-Identifier: GPL-3.0-only
+ */
+
+package dev.msfjarvis.aps.crypto
+
+import java.io.ByteArrayInputStream
+import java.io.InputStream
+import java.io.OutputStream
+import javax.inject.Inject
+import org.bouncycastle.bcpg.ArmoredInputStream
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection
+import org.pgpainless.PGPainless
+import org.pgpainless.decryption_verification.ConsumerOptions
+import org.pgpainless.encryption_signing.EncryptionOptions
+import org.pgpainless.encryption_signing.ProducerOptions
+import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector
+import org.pgpainless.util.Passphrase
+
+public class PGPainlessCryptoHandler @Inject constructor() : CryptoHandler {
+
+  public override fun decrypt(
+    privateKey: String,
+    password: String,
+    ciphertextStream: InputStream,
+    outputStream: OutputStream,
+  ) {
+    val pgpSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(privateKey)
+    val keyringCollection = PGPSecretKeyRingCollection(listOf(pgpSecretKeyRing))
+    val protector =
+      PasswordBasedSecretKeyRingProtector.forKey(
+        pgpSecretKeyRing,
+        Passphrase.fromPassword(password)
+      )
+    PGPainless.decryptAndOrVerify()
+      .onInputStream(ciphertextStream)
+      .withOptions(
+        ConsumerOptions()
+          .addDecryptionKeys(keyringCollection, protector)
+          .addDecryptionPassphrase(Passphrase.fromPassword(password))
+      )
+      .use { decryptionStream -> decryptionStream.copyTo(outputStream) }
+  }
+
+  public override fun encrypt(
+    pubKeys: List<String>,
+    plaintextStream: InputStream,
+    outputStream: OutputStream,
+  ) {
+    val pubKeysStream = ByteArrayInputStream(pubKeys.joinToString("\n").toByteArray())
+    val publicKeyRingCollection =
+      pubKeysStream.use {
+        ArmoredInputStream(it).use { armoredInputStream ->
+          PGPainless.readKeyRing().publicKeyRingCollection(armoredInputStream)
+        }
+      }
+    val encOpt = EncryptionOptions().apply { publicKeyRingCollection.forEach { addRecipient(it) } }
+    val prodOpt = ProducerOptions.encrypt(encOpt).setAsciiArmor(true)
+    PGPainless.encryptAndOrSign().onOutputStream(outputStream).withOptions(prodOpt).use {
+      encryptionStream ->
+      plaintextStream.copyTo(encryptionStream)
+    }
+  }
+
+  public override fun canHandle(fileName: String): Boolean {
+    return fileName.split('.').lastOrNull() == "gpg"
+  }
+}
author	Harsh Shandilya <me@msfjarvis.dev>	2021-10-23 17:02:50 +0530
committer	GitHub <noreply@github.com>	2021-10-23 17:02:50 +0530
commit	aac74ae4515aa1d746f46287029441f5a945c98e (patch)
tree	9d23e06592ecd884d6b58dd089692d9e4224a3f9 /crypto-pgpainless/src/main
parent	21c8653e6815ca34574e783a5ce7ac783b188228 (diff)