Fix subkey encryption

Author: vanitasvitae

pg/src/main/java/org/bouncycastle/openpgp/PGPKeyPair.java

@@ -1,6 +1,8 @@
 package org.bouncycastle.openpgp;
 
 import org.bouncycastle.bcpg.KeyIdentifier;
+import org.bouncycastle.bcpg.PublicSubkeyPacket;
+import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
 
 /**
  * General class to handle JCA key pairs and convert them into OpenPGP ones.
@@ -63,4 +65,17 @@ public PGPPrivateKey getPrivateKey()
     {
         return priv;
     }
+
+    public PGPKeyPair asSubkey(KeyFingerPrintCalculator fingerPrintCalculator)
+            throws PGPException
+    {
+        PublicSubkeyPacket pubSubPkt = new PublicSubkeyPacket(
+                pub.getVersion(),
+                pub.getAlgorithm(),
+                pub.getCreationTime(),
+                pub.getPublicKeyPacket().getKey());
+        return new PGPKeyPair(
+                new PGPPublicKey(pubSubPkt, fingerPrintCalculator),
+                new PGPPrivateKey(pub.getKeyID(), pubSubPkt, priv.getPrivateKeyDataPacket()));
+    }
 }

pg/src/main/java/org/bouncycastle/openpgp/api/OpenPGPV6KeyGenerator.java

@@ -19,12 +19,14 @@
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
+import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilderProvider;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
 import org.bouncycastle.openpgp.operator.PGPKeyPairGenerator;
 import org.bouncycastle.openpgp.operator.PGPKeyPairGeneratorProvider;
+import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import org.bouncycastle.util.Arrays;
 
 import java.io.IOException;
@@ -131,9 +133,10 @@ public OpenPGPV6KeyGenerator(
             PGPContentSignerBuilderProvider contentSignerBuilderProvider,
             PGPDigestCalculatorProvider digestCalculatorProvider,
             PBESecretKeyEncryptorFactory keyEncryptionBuilderProvider,
+            KeyFingerPrintCalculator keyFingerPrintCalculator,
             Date creationTime)
     {
-        this.impl = new Implementation(kpGenProvider, contentSignerBuilderProvider, digestCalculatorProvider, keyEncryptionBuilderProvider);
+        this.impl = new Implementation(kpGenProvider, contentSignerBuilderProvider, digestCalculatorProvider, keyEncryptionBuilderProvider, keyFingerPrintCalculator);
         this.conf = new Configuration(new Date((creationTime.getTime() / 1000) * 1000));
     }
 
@@ -696,7 +699,9 @@ public WithPrimaryKey addEncryptionSubkey(KeyPairGeneratorCallback keyGenCallbac
                                                char[] passphrase)
                 throws PGPException
         {
-            PGPKeyPair subkey = keyGenCallback.generateFrom(impl.kpGenProvider.get(PublicKeyPacket.VERSION_6, conf.keyCreationTime));
+            PGPKeyPair subkey = keyGenCallback.generateFrom(
+                    impl.kpGenProvider.get(PublicKeyPacket.VERSION_6, conf.keyCreationTime));
+            subkey = subkey.asSubkey(impl.keyFingerprintCalculator);
             PBESecretKeyEncryptor keyEncryptor = impl.keyEncryptorBuilderProvider.build(passphrase, subkey.getPublicKey().getPublicKeyPacket());
             return addEncryptionSubkey(subkey, bindingSignatureCallback, keyEncryptor);
         }
@@ -839,6 +844,7 @@ public WithPrimaryKey addSigningSubkey(KeyPairGeneratorCallback keyGenCallback,
                 throws PGPException
         {
             PGPKeyPair subkey = keyGenCallback.generateFrom(impl.kpGenProvider.get(PublicKeyPacket.VERSION_6, conf.keyCreationTime));
+            subkey = subkey.asSubkey(impl.keyFingerprintCalculator);
             PBESecretKeyEncryptor keyEncryptor = impl.keyEncryptorBuilderProvider.build(passphrase, subkey.getPublicKey().getPublicKeyPacket());
             return addSigningSubkey(subkey, bindingSignatureCallback, backSignatureCallback, keyEncryptor);
         }
@@ -1033,16 +1039,19 @@ private static class Implementation
         final PGPContentSignerBuilderProvider contentSignerBuilderProvider;
         final PGPDigestCalculatorProvider digestCalculatorProvider;
         final PBESecretKeyEncryptorFactory keyEncryptorBuilderProvider;
+        final KeyFingerPrintCalculator keyFingerprintCalculator;
 
         public Implementation(PGPKeyPairGeneratorProvider keyPairGeneratorProvider,
                               PGPContentSignerBuilderProvider contentSignerBuilderProvider,
                               PGPDigestCalculatorProvider digestCalculatorProvider,
-                              PBESecretKeyEncryptorFactory keyEncryptorBuilderProvider)
+                              PBESecretKeyEncryptorFactory keyEncryptorBuilderProvider,
+                              KeyFingerPrintCalculator keyFingerPrintCalculator)
         {
             this.kpGenProvider = keyPairGeneratorProvider;
             this.contentSignerBuilderProvider = contentSignerBuilderProvider;
             this.digestCalculatorProvider = digestCalculatorProvider;
             this.keyEncryptorBuilderProvider = keyEncryptorBuilderProvider;
+            this.keyFingerprintCalculator = keyFingerPrintCalculator;
         }
     }
 

pg/src/main/java/org/bouncycastle/openpgp/api/bc/BcOpenPGPV6KeyGenerator.java

@@ -4,6 +4,7 @@
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptorFactory;
 import org.bouncycastle.openpgp.operator.bc.BcAEADSecretKeyEncryptorFactory;
 import org.bouncycastle.openpgp.operator.bc.BcCFBSecretKeyEncryptorFactory;
+import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilderProvider;
 import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
 import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPairGeneratorProvider;
@@ -60,6 +61,7 @@ public BcOpenPGPV6KeyGenerator(int signatureHashAlgorithm, Date creationTime, bo
                 new BcPGPContentSignerBuilderProvider(signatureHashAlgorithm),
                 new BcPGPDigestCalculatorProvider(),
                 keyEncryptorFactory(aeadProtection),
+                new BcKeyFingerprintCalculator(),
                 creationTime);
     }
 

pg/src/main/java/org/bouncycastle/openpgp/api/jcajce/JcaOpenPGPV6KeyGenerator.java

@@ -5,6 +5,7 @@
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptorFactory;
 import org.bouncycastle.openpgp.operator.jcajce.JcaAEADSecretKeyEncryptorFactory;
 import org.bouncycastle.openpgp.operator.jcajce.JcaCFBSecretKeyEncryptorFactory;
+import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilderProvider;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPairGeneratorProvider;
@@ -52,6 +53,7 @@ public JcaOpenPGPV6KeyGenerator(int signatureHashAlgorithm, Date creationTime, b
                         .setProvider(provider)
                         .build(),
                 keyEncryptorFactory(provider, aeadProtection),
+                new JcaKeyFingerprintCalculator(),
                 creationTime);
     }
 

pg/src/test/java/org/bouncycastle/openpgp/api/test/OpenPGPV6KeyGeneratorTest.java

@@ -1,5 +1,6 @@
 package org.bouncycastle.openpgp.api.test;
 
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
 import org.bouncycastle.bcpg.PublicKeyPacket;
 import org.bouncycastle.bcpg.PublicKeyUtils;
 import org.bouncycastle.bcpg.SecretKeyPacket;
@@ -69,14 +70,15 @@ public OpenPGPV6KeyGenerator getKeyGenerator(int signatureHashAlgorithm,
     private void performTests(APIProvider apiProvider)
             throws PGPException, IOException
     {
+        testGenerateCustomKey(apiProvider);
+
         testGenerateSignOnlyKeyBaseCase(apiProvider);
         testGenerateAEADProtectedSignOnlyKey(apiProvider);
         testGenerateCFBProtectedSignOnlyKey(apiProvider);
 
         testGenerateClassicKeyBaseCase(apiProvider);
         testGenerateProtectedTypicalKey(apiProvider);
 
-        testGenerateCustomKey(apiProvider);
     }
 
     private void testGenerateSignOnlyKeyBaseCase(APIProvider apiProvider)
@@ -268,6 +270,68 @@ private void testGenerateCustomKey(APIProvider apiProvider)
                 .addEncryptionSubkey(PGPKeyPairGenerator::generateX448KeyPair,
                         "encryption-key-passphrase".toCharArray())
                 .build();
+
+        Iterator<PGPSecretKey> keyIt = secretKey.getSecretKeys();
+        PGPSecretKey primaryKey = keyIt.next();
+        isEquals("Primary key MUST be RSA_GENERAL",
+                PublicKeyAlgorithmTags.RSA_GENERAL, primaryKey.getPublicKey().getAlgorithm());
+        isEquals("Primary key MUST be 4096 bits", 4096, primaryKey.getPublicKey().getBitStrength());
+        isEquals("Primary key creation time mismatch",
+                creationTime, primaryKey.getPublicKey().getCreationTime());
+        PGPSignature directKeySig = primaryKey.getPublicKey().getKeySignatures().next();
+        PGPSignatureSubpacketVector hashedSubpackets = directKeySig.getHashedSubPackets();
+        isEquals("Primary key key flags mismatch",
+                KeyFlags.CERTIFY_OTHER, hashedSubpackets.getKeyFlags());
+        isEquals("Primary key features mismatch",
+                Features.FEATURE_SEIPD_V2, hashedSubpackets.getFeatures().getFeatures());
+        isEquals("Primary key sig notation data mismatch",
+                "CYBER",
+                hashedSubpackets.getNotationDataOccurrences("[email protected]")[0].getNotationValue());
+
+        Iterator<String> uids = primaryKey.getUserIDs();
+        String uid = uids.next();
+        isFalse("Unexpected additional UID", uids.hasNext());
+        PGPSignature uidSig = primaryKey.getPublicKey().getSignaturesForID(uid).next();
+        isEquals("UID binding sig type mismatch",
+                PGPSignature.DEFAULT_CERTIFICATION, uidSig.getSignatureType());
+
+        PGPSecretKey signingSubkey = keyIt.next();
+        isEquals("Subkey MUST be Ed448",
+                PublicKeyAlgorithmTags.Ed448, signingSubkey.getPublicKey().getAlgorithm());
+        isEquals("Subkey creation time mismatch",
+                creationTime, signingSubkey.getPublicKey().getCreationTime());
+        PGPSignature sigSubBinding = signingSubkey.getPublicKey().getKeySignatures().next();
+        PGPSignatureSubpacketVector sigSubBindHashPkts = sigSubBinding.getHashedSubPackets();
+        isEquals("Encryption subkey key flags mismatch",
+                KeyFlags.SIGN_DATA, sigSubBindHashPkts.getKeyFlags());
+        isEquals("Subkey notation data mismatch",
+                "ZAUBER",
+                sigSubBindHashPkts.getNotationDataOccurrences("[email protected]")[0].getNotationValue());
+        isFalse("Missing embedded primary key binding signature",
+                sigSubBindHashPkts.getEmbeddedSignatures().isEmpty());
+
+        PGPSecretKey encryptionSubkey = keyIt.next();
+        isFalse("Unexpected additional subkey", keyIt.hasNext());
+        isEquals("Subkey MUST be X448",
+                PublicKeyAlgorithmTags.X448, encryptionSubkey.getPublicKey().getAlgorithm());
+        isEquals("Subkey creation time mismatch",
+                creationTime, encryptionSubkey.getPublicKey().getCreationTime());
+        PGPSignature encryptionBinding = encryptionSubkey.getPublicKey().getKeySignatures().next();
+        PGPSignatureSubpacketVector encBindHashPkts = encryptionBinding.getHashedSubPackets();
+        isEquals("Encryption subkey key flags mismatch",
+                KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, encBindHashPkts.getKeyFlags());
+        isTrue("Unexpected embedded primary key binding signature in encryption subkey binding",
+                encBindHashPkts.getEmbeddedSignatures().isEmpty());
+
+        BcPBESecretKeyDecryptorBuilder keyDecryptorBuilder = new BcPBESecretKeyDecryptorBuilder(
+                new BcPGPDigestCalculatorProvider());
+
+        isNotNull("Could not decrypt primary key using correct passphrase",
+                primaryKey.extractPrivateKey(keyDecryptorBuilder.build("primary-key-passphrase".toCharArray())));
+        isNotNull("Could not decrypt signing subkey using correct passphrase",
+                signingSubkey.extractPrivateKey(keyDecryptorBuilder.build("signing-key-passphrase".toCharArray())));
+        isNotNull("Could not decrypt encryption subkey using correct passphrase",
+                encryptionSubkey.extractPrivateKey(keyDecryptorBuilder.build("encryption-key-passphrase".toCharArray())));
     }
 
     private abstract static class APIProvider