#1768 Implement message decryption using SEIPDv2 and PKESKv6 packets

Author: gefeili

pg/src/main/java/org/bouncycastle/bcpg/PublicKeyEncSessionPacket.java

@@ -60,12 +60,23 @@ else if (version == VERSION_6)
                 // anon recipient
                 keyVersion = 0;
                 keyFingerprint = new byte[0];
+                keyID = 0L;
             }
             else
             {
                 keyVersion = in.read();
                 keyFingerprint = new byte[keyInfoLen - 1];
                 in.readFully(keyFingerprint);
+                // Derived key-ID from fingerprint
+                // TODO: Replace with getKeyIdentifier
+                if (keyVersion == PublicKeyPacket.VERSION_4)
+                {
+                    keyID = FingerprintUtil.keyIdFromV4Fingerprint(keyFingerprint);
+                }
+                else
+                {
+                    keyID = FingerprintUtil.keyIdFromV6Fingerprint(keyFingerprint);
+                }
             }
         }
         else

pg/src/main/java/org/bouncycastle/openpgp/PGPPublicKeyEncryptedData.java

@@ -72,13 +72,13 @@ public int getSymmetricAlgorithm(
     {
         if (keyData.getVersion() == PublicKeyEncSessionPacket.VERSION_3)
         {
-            byte[] plain = dataDecryptorFactory.recoverSessionData(keyData.getAlgorithm(), keyData.getEncSessionKey());
+            byte[] plain = dataDecryptorFactory.recoverSessionData(keyData, encData);
             // symmetric cipher algorithm is stored in first octet of session data
             return plain[0];
         }
         else if (keyData.getVersion() == PublicKeyEncSessionPacket.VERSION_6)
         {
-            // PKESK v5 stores the cipher algorithm in the SEIPD v2 packet fields.
+            // PKESK v6 stores the cipher algorithm in the SEIPD v2 packet fields.
             return ((SymmetricEncIntegrityPacket)encData).getCipherAlgorithm();
         }
         else
@@ -98,16 +98,57 @@ public PGPSessionKey getSessionKey(
         PublicKeyDataDecryptorFactory dataDecryptorFactory)
         throws PGPException
     {
-        byte[] sessionData = dataDecryptorFactory.recoverSessionData(keyData.getAlgorithm(), keyData.getEncSessionKey());
-        if (keyData.getAlgorithm() == PublicKeyAlgorithmTags.X25519 || keyData.getAlgorithm() == PublicKeyAlgorithmTags.X448)
+        byte[] sessionInfo = dataDecryptorFactory.recoverSessionData(keyData, encData);
+
+        // Confirm and discard checksum
+        if (containsChecksum(keyData.getAlgorithm()))
+        {
+            if (!confirmCheckSum(sessionInfo))
+            {
+                throw new PGPException("Key checksum failed.");
+            }
+            sessionInfo = Arrays.copyOf(sessionInfo, sessionInfo.length - 2);
+        }
+
+        byte[] sessionKey = Arrays.copyOfRange(sessionInfo, 1, sessionInfo.length);
+        int algorithm;
+
+        // OCB (LibrePGP v5 style AEAD)
+        if (encData instanceof AEADEncDataPacket)
         {
-            return new PGPSessionKey(sessionData[0] & 0xff, Arrays.copyOfRange(sessionData, 1, sessionData.length));
+            algorithm = ((AEADEncDataPacket) encData).getAlgorithm();
+        }
+
+        // SEIPD (OpenPGP v4 / OpenPGP v6)
+        else if (encData instanceof SymmetricEncIntegrityPacket)
+        {
+            SymmetricEncIntegrityPacket seipd = (SymmetricEncIntegrityPacket) encData;
+            if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_1)
+            {
+                algorithm = sessionInfo[0];
+            }
+            else if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_2)
+            {
+                algorithm = seipd.getCipherAlgorithm();
+            }
+            else
+            {
+                throw new UnsupportedPacketVersionException("Unsupported SEIPD packet version: " + seipd.getVersion());
+            }
         }
-        if (!confirmCheckSum(sessionData))
+        // SED (Legacy, no integrity protection!)
+        else
         {
-            throw new PGPKeyValidationException("key checksum failed");
+            algorithm = sessionInfo[0];
         }
-        return new PGPSessionKey(sessionData[0] & 0xff, Arrays.copyOfRange(sessionData, 1, sessionData.length - 2));
+
+        return new PGPSessionKey(algorithm & 0xff, sessionKey);
+    }
+
+    private boolean containsChecksum(int algorithm)
+    {
+        return algorithm != PublicKeyAlgorithmTags.X25519 &&
+                algorithm != PublicKeyAlgorithmTags.X448;
     }
 
     /**
@@ -169,13 +210,38 @@ private InputStream getDataStream(
                 }
                 else
                 {
-                    boolean withIntegrityPacket = encData instanceof SymmetricEncIntegrityPacket;
 
-                    PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(withIntegrityPacket, sessionKey.getAlgorithm(), sessionKey.getKey());
+                    if (encData instanceof SymmetricEncIntegrityPacket)
+                    {
+                        SymmetricEncIntegrityPacket seipd = (SymmetricEncIntegrityPacket) encData;
+                        // SEIPD v1 (OpenPGP v4)
+                        if (seipd.getVersion() == SymmetricEncIntegrityPacket.VERSION_1)
+                        {
+                            PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(true, sessionKey.getAlgorithm(), sessionKey.getKey());
 
-                    BCPGInputStream encIn = encData.getInputStream();
+                            BCPGInputStream encIn = encData.getInputStream();
 
-                    processSymmetricEncIntegrityPacketDataStream(withIntegrityPacket, dataDecryptor, encIn);
+                            processSymmetricEncIntegrityPacketDataStream(true, dataDecryptor, encIn);
+                        }
+                        // SEIPD v2 (OpenPGP v6 AEAD)
+                        else
+                        {
+                            PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(seipd, sessionKey);
+
+                            BCPGInputStream encIn = encData.getInputStream();
+
+                            encStream = new BCPGInputStream(dataDecryptor.getInputStream(encIn));
+                        }
+                    }
+                    // SED (Symmetrically Encrypted Data without Integrity Protection; Deprecated)
+                    else
+                    {
+                        PGPDataDecryptor dataDecryptor = dataDecryptorFactory.createDataDecryptor(false, sessionKey.getAlgorithm(), sessionKey.getKey());
+
+                        BCPGInputStream encIn = encData.getInputStream();
+
+                        processSymmetricEncIntegrityPacketDataStream(false, dataDecryptor, encIn);
+                    }
 
                     //
                     // some versions of PGP appear to produce 0 for the extra

pg/src/main/java/org/bouncycastle/openpgp/operator/AbstractPublicKeyDataDecryptorFactory.java

@@ -0,0 +1,76 @@
+package org.bouncycastle.openpgp.operator;
+
+import org.bouncycastle.bcpg.InputStreamPacket;
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
+import org.bouncycastle.bcpg.PublicKeyEncSessionPacket;
+import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket;
+import org.bouncycastle.bcpg.X25519PublicBCPGKey;
+import org.bouncycastle.bcpg.X448PublicBCPGKey;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.util.Arrays;
+
+public abstract class AbstractPublicKeyDataDecryptorFactory
+        implements PublicKeyDataDecryptorFactory
+{
+
+    @Override
+    public final byte[] recoverSessionData(PublicKeyEncSessionPacket pkesk, InputStreamPacket encData)
+            throws PGPException
+    {
+        byte[] sessionData = recoverSessionData(pkesk.getAlgorithm(), pkesk.getEncSessionKey(), pkesk.getVersion());
+        return prependSKAlgorithmToSessionData(pkesk, encData, sessionData);
+    }
+
+
+    protected byte[] prependSKAlgorithmToSessionData(PublicKeyEncSessionPacket pkesk,
+                                                   InputStreamPacket encData,
+                                                   byte[] decryptedSessionData)
+            throws PGPException
+    {
+        // V6 PKESK packets do not include the session key algorithm, so source it from the SEIPD2 instead
+        if (!containsSKAlg(pkesk.getVersion()))
+        {
+            if (!(encData instanceof SymmetricEncIntegrityPacket) ||
+                    ((SymmetricEncIntegrityPacket) encData).getVersion() != SymmetricEncIntegrityPacket.VERSION_2)
+            {
+                throw new PGPException("v6 PKESK packet MUST precede v2 SEIPD packet");
+            }
+
+            SymmetricEncIntegrityPacket seipd2 = (SymmetricEncIntegrityPacket) encData;
+            return Arrays.prepend(decryptedSessionData,
+                    (byte) (seipd2.getCipherAlgorithm() & 0xff));
+        }
+        // V3 PKESK does store the session key algorithm either encrypted or unencrypted, depending on the PK algorithm
+        else
+        {
+            switch (pkesk.getAlgorithm())
+            {
+                case PublicKeyAlgorithmTags.X25519:
+                    // X25519 does not encrypt SK algorithm
+                    return Arrays.prepend(decryptedSessionData,
+                            pkesk.getEncSessionKey()[0][X25519PublicBCPGKey.LENGTH + 1]);
+                case PublicKeyAlgorithmTags.X448:
+                    // X448 does not encrypt SK algorithm
+                    return Arrays.prepend(decryptedSessionData,
+                            pkesk.getEncSessionKey()[0][X448PublicBCPGKey.LENGTH + 1]);
+                default:
+                    // others already prepended session key algorithm to session key
+                    return decryptedSessionData;
+            }
+        }
+    }
+
+    protected boolean containsSKAlg(int pkeskVersion)
+    {
+        return pkeskVersion != PublicKeyEncSessionPacket.VERSION_6;
+    }
+
+    protected static void checkRange(int pLen, byte[] enc)
+            throws PGPException
+    {
+        if (pLen > enc.length)
+        {
+            throw new PGPException("encoded length out of range");
+        }
+    }
+}

pg/src/main/java/org/bouncycastle/openpgp/operator/PublicKeyDataDecryptorFactory.java

@@ -1,10 +1,39 @@
 package org.bouncycastle.openpgp.operator;
 
+import org.bouncycastle.bcpg.InputStreamPacket;
+import org.bouncycastle.bcpg.PublicKeyEncSessionPacket;
 import org.bouncycastle.openpgp.PGPException;
 
 public interface PublicKeyDataDecryptorFactory
     extends PGPDataDecryptorFactory
 {
-    byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData)
+    /**
+     * Recover the plain session info by decrypting the encrypted session key.
+     * The session info ALWAYS has the symmetric algorithm ID prefixed, so the return value is:
+     * <pre>[sym-alg][session-key][checksum]?</pre>
+     *
+     * @param pkesk public-key encrypted session-key packet
+     * @param encData encrypted data (sed/seipd/oed) packet
+     * @return decrypted session info
+     * @throws PGPException
+     */
+    byte[] recoverSessionData(PublicKeyEncSessionPacket pkesk, InputStreamPacket encData)
             throws PGPException;
+
+    /**
+     * Recover the plain session info by decrypting the encrypted session key.
+     * This method returns the decrypted session info as-is (without prefixing missing cipher algorithm),
+     * so the return value is:
+     * <pre>[sym-alg]?[session-key][checksum]?</pre>
+     *
+     * @deprecated use {@link #recoverSessionData(PublicKeyEncSessionPacket, InputStreamPacket)} instead.
+     * @param keyAlgorithm public key algorithm
+     * @param secKeyData encrypted session key data
+     * @param pkeskVersion version of the PKESK packet
+     * @return decrypted session info
+     * @throws PGPException
+     */
+    byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData, int pkeskVersion)
+            throws PGPException;
+
 }