Migrated code to use PGPainless 2.0.1

Author: DenBond7

FlowCrypt/src/main/java/com/flowcrypt/email/FlowCryptApplication.kt

@@ -42,6 +42,7 @@ import org.acra.data.StringFormat
 import org.acra.ktx.initAcra
 import org.acra.sender.HttpSender
 import org.pgpainless.PGPainless
+import org.pgpainless.policy.Policy
 import org.pgpainless.policy.Policy.HashAlgorithmPolicy
 import java.util.Calendar
 import java.util.concurrent.TimeUnit
@@ -84,10 +85,12 @@ class FlowCryptApplication : Application(), Configuration.Provider {
   }
 
   private fun setupPGPainless() {
-    enableDeprecatedSHA1ForPGPainlessPolicy()
-
-    //https://github.com/FlowCrypt/flowcrypt-android/issues/2111
-    PGPainless.getPolicy().enableKeyParameterValidation = true
+    PGPainless.setInstance(
+      PGPainless(algorithmPolicy = generatePGPainlessPolicy().apply {
+        //https://github.com/FlowCrypt/flowcrypt-android/issues/2111
+        PGPainless.getInstance().algorithmPolicy.enableKeyParameterValidation = true
+      })
+    )
   }
 
   private fun setupGlobalSettingsForJavaMail() {
@@ -106,21 +109,25 @@ class FlowCryptApplication : Application(), Configuration.Provider {
    * More details here https://github.com/FlowCrypt/flowcrypt-android/issues/1478 and here
    * https://github.com/pgpainless/pgpainless/issues/158
    */
-  private fun enableDeprecatedSHA1ForPGPainlessPolicy() {
-    @Suppress("KotlinConstantConditions")
-    if (BuildConfig.FLAVOR == Constants.FLAVOR_NAME_ENTERPRISE) {
-      PGPainless.getPolicy().dataSignatureHashAlgorithmPolicy =
-        HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy()
-
-      PGPainless.getPolicy().certificationSignatureHashAlgorithmPolicy =
-        HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy()
-    } else {
-      PGPainless.getPolicy().dataSignatureHashAlgorithmPolicy =
-        HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()
-
-      PGPainless.getPolicy().certificationSignatureHashAlgorithmPolicy =
-        HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()
-    }
+  @Suppress("KotlinConstantConditions")
+  private fun generatePGPainlessPolicy(): Policy {
+    val isEnterpriseBuild = BuildConfig.FLAVOR == Constants.FLAVOR_NAME_ENTERPRISE
+    return Policy.Builder(PGPainless.getInstance().algorithmPolicy)
+      .withDataSignatureHashAlgorithmPolicy(
+        if (isEnterpriseBuild) {
+          HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy()
+        } else {
+          HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()
+        }
+      )
+      .withCertificationSignatureHashAlgorithmPolicy(
+        if (isEnterpriseBuild) {
+          HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy()
+        } else {
+          HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()
+        }
+      )
+      .build()
   }
 
   private fun setupKeysStorage() {
@@ -134,6 +141,7 @@ class FlowCryptApplication : Application(), Configuration.Provider {
     }
   }
 
+  @Suppress("KotlinConstantConditions")
   private fun initACRA() {
     if (GeneralUtil.isDebugBuild()) {
       val isAcraEnabled = SharedPreferencesHelper.getBoolean(

FlowCrypt/src/main/java/com/flowcrypt/email/extensions/org/bouncycastle/openpgp/OpenPGPCertificateExt.kt

@@ -0,0 +1,18 @@
+/*
+ * © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
+ * Contributors: denbond7
+ */
+
+package com.flowcrypt.email.extensions.org.bouncycastle.openpgp
+
+import com.flowcrypt.email.security.SecurityUtils
+import org.bouncycastle.openpgp.api.OpenPGPCertificate
+import org.pgpainless.bouncycastle.extensions.encode
+import java.io.IOException
+
+/**
+ * @author Denys Bondarenko
+ */
+@Throws(IOException::class)
+fun OpenPGPCertificate.armor(hideArmorMeta: Boolean = false): String =
+  SecurityUtils.armor(hideArmorMeta) { this.encode(it) }

FlowCrypt/src/main/java/com/flowcrypt/email/extensions/org/bouncycastle/openpgp/PGPKeyRingExt.kt

@@ -39,7 +39,8 @@ import java.time.Instant
 @WorkerThread
 fun PGPKeyRing.toPgpKeyRingDetails(hideArmorMeta: Boolean = false): PgpKeyRingDetails {
   if (containsHashAlgorithmWithSHA1()) {
-    val sigHashAlgoPolicy = PGPainless.getPolicy().certificationSignatureHashAlgorithmPolicy
+    val sigHashAlgoPolicy =
+      PGPainless.getInstance().algorithmPolicy.certificationSignatureHashAlgorithmPolicy
     if (!sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1)) {
       throw PGPException("Unsupported signature(HashAlgorithm = SHA1)")
     }
@@ -50,7 +51,11 @@ fun PGPKeyRing.toPgpKeyRingDetails(hideArmorMeta: Boolean = false): PgpKeyRingDe
   val algo = Algo(
     algorithm = keyRingInfo.algorithm.name,
     algorithmId = keyRingInfo.algorithm.algorithmId,
-    bits = if (keyRingInfo.publicKey.bitStrength != -1) keyRingInfo.publicKey.bitStrength else 0,
+    bits = if (keyRingInfo.primaryKey.pgpPublicKey.bitStrength != -1) {
+      keyRingInfo.primaryKey.pgpPublicKey.bitStrength
+    } else {
+      0
+    },
     curve = runCatching { publicKey.getCurveName() }.getOrNull()
   )
 
@@ -85,11 +90,13 @@ fun PGPKeyRing.toPgpKeyRingDetails(hideArmorMeta: Boolean = false): PgpKeyRingDe
     lastModified = keyRingInfo.lastModified.time,
     expiration = keyRingInfo.primaryKeyExpirationDate?.time,
     algo = algo,
-    primaryKeyId = keyRingInfo.keyId,
+    primaryKeyId = keyRingInfo.keyIdentifier.keyId,
     possibilities = mutableSetOf<Int>().apply {
       addAll(
-        keyRingInfo.publicKeys.flatMap { keyRingInfo.getKeyFlagsOf(it.keyID) }.toSet()
-          .map { it.flag })
+        keyRingInfo.publicKeys.flatMap { openPGPComponentKey ->
+          keyRingInfo.getKeyFlagsOf(openPGPComponentKey.keyIdentifier)
+        }.toSet().map { it.flag }
+      )
     }
   )
 }

FlowCrypt/src/main/java/com/flowcrypt/email/extensions/org/pgpainless/key/info/KeyRingInfoExt.kt

@@ -1,6 +1,6 @@
 /*
  * © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
- * Contributors: DenBond7
+ * Contributors: denbond7
  */
 
 package com.flowcrypt.email.extensions.org.pgpainless.key.info
@@ -12,6 +12,7 @@ import android.graphics.drawable.LayerDrawable
 import android.view.Gravity
 import androidx.core.content.ContextCompat
 import com.flowcrypt.email.R
+import org.bouncycastle.bcpg.KeyIdentifier
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.pgpainless.algorithm.KeyFlag
 import org.pgpainless.key.info.KeyRingInfo
@@ -21,15 +22,15 @@ import org.pgpainless.key.info.KeyRingInfo
  */
 val KeyRingInfo.usableForEncryption: Boolean
   get() {
-    return !publicKey.hasRevocation()
+    return !primaryKey.pgpPublicKey.hasRevocation()
         && !isExpired
         && isUsableForEncryption
         && primaryUserId?.isNotEmpty() == true
   }
 
 val KeyRingInfo.usableForSigning: Boolean
   get() {
-    return !publicKey.hasRevocation()
+    return !primaryKey.pgpPublicKey.hasRevocation()
         && !isExpired
         && isSigningCapable
         && primaryUserId?.isNotEmpty() == true
@@ -52,20 +53,20 @@ val KeyRingInfo.isPartiallyEncrypted: Boolean
 
 val KeyRingInfo.isRevoked: Boolean
   get() {
-    return publicKey.hasRevocation()
+    return primaryKey.pgpPublicKey.hasRevocation()
   }
 
 fun KeyRingInfo.getPrimaryKey(): PGPPublicKey? {
-  return publicKeys.firstOrNull { it.isMasterKey }
+  return primaryKey.pgpPublicKey
 }
 
 fun KeyRingInfo.getPubKeysWithoutPrimary(): Collection<PGPPublicKey> {
-  val primaryKey = getPrimaryKey() ?: return publicKeys
-  return publicKeys - setOf(primaryKey)
+  val primaryKey = getPrimaryKey() ?: return publicKeys.map { it.pgpPublicKey }
+  return publicKeys.map { it.pgpPublicKey } - setOf(primaryKey)
 }
 
 fun KeyRingInfo.generateKeyCapabilitiesDrawable(context: Context, keyId: Long): Drawable? {
-  val keyFlags = getKeyFlagsOf(keyId)
+  val keyFlags = getKeyFlagsOf(KeyIdentifier(keyId))
   val drawables = listOf(
     KeyFlag.CERTIFY_OTHER to R.drawable.ic_possibility_cert,
     KeyFlag.ENCRYPT_COMMS to R.drawable.ic_possibility_encryption,
@@ -117,7 +118,7 @@ fun KeyRingInfo.getStatusIcon(): Int {
 
 fun KeyRingInfo.getStatusText(context: Context): String {
   return when {
-    publicKey.hasRevocation() -> context.getString(R.string.revoked)
+    primaryKey.pgpPublicKey.hasRevocation() -> context.getString(R.string.revoked)
     isExpired -> context.getString(R.string.expired)
     isPartiallyEncrypted -> context.getString(R.string.not_valid)
     else -> context.getString(R.string.valid)

FlowCrypt/src/main/java/com/flowcrypt/email/jetpack/viewmodel/EditPrivateKeyViewModel.kt

@@ -60,7 +60,7 @@ class EditPrivateKeyViewModel(val fingerprint: String, application: Application)
           roomDatabase.keysDao().getKeyByAccountAndFingerprint(account.email, fingerprint)
             ?: throw IllegalStateException("Private key with fingerprint = $fingerprint not found")
 
-        val pgpKeyRingDetails = modifiedPgpSecretKeyRing.toPgpKeyRingDetails()
+        val pgpKeyRingDetails = modifiedPgpSecretKeyRing.pgpSecretKeyRing.toPgpKeyRingDetails()
         val encryptedPrvKey =
           KeyStoreCryptoManager.encryptSuspend(pgpKeyRingDetails.privateKey).toByteArray()
         roomDatabase.keysDao().updateSuspend(entity.copy(privateKey = encryptedPrvKey))
@@ -88,4 +88,4 @@ class EditPrivateKeyViewModel(val fingerprint: String, application: Application)
         return@withContext Result.exception(e)
       }
     }
-}
+}

FlowCrypt/src/main/java/com/flowcrypt/email/security/KeysStorageImpl.kt

@@ -23,6 +23,7 @@ import com.flowcrypt.email.security.pgp.PgpDecryptAndOrVerify
 import com.flowcrypt.email.security.pgp.PgpKey
 import com.flowcrypt.email.util.exception.DecryptionException
 import kotlinx.coroutines.flow.Flow
+import org.bouncycastle.bcpg.KeyIdentifier
 import org.bouncycastle.openpgp.PGPException
 import org.bouncycastle.openpgp.PGPSecretKeyRing
 import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator
@@ -161,12 +162,20 @@ class KeysStorageImpl private constructor(context: Context) : KeysStorage {
   override fun getSecretKeyRingProtector(): SecretKeyRingProtector {
     val availablePGPSecretKeyRings = getPGPSecretKeyRings()
     val passphraseProvider = object : SecretKeyPassphraseProvider {
-      override fun getPassphraseFor(keyId: Long?): Passphrase? {
-        return keyId?.let { doGetPassphrase(keyId, true) }
+      override fun getPassphraseFor(keyId: Long): Passphrase? {
+        return doGetPassphrase(keyId, true)
       }
 
-      override fun hasPassphrase(keyId: Long?): Boolean {
-        return keyId != null && doGetPassphrase(keyId, false) != null
+      override fun getPassphraseFor(keyIdentifier: KeyIdentifier): Passphrase? {
+        return getPassphraseFor(keyIdentifier.keyId)
+      }
+
+      override fun hasPassphrase(keyId: Long): Boolean {
+        return doGetPassphrase(keyId, false) != null
+      }
+
+      override fun hasPassphrase(keyIdentifier: KeyIdentifier): Boolean {
+        return hasPassphrase(keyIdentifier.keyId)
       }
 
       private fun doGetPassphrase(keyId: Long, throwException: Boolean): Passphrase? {

FlowCrypt/src/main/java/com/flowcrypt/email/security/SecurityUtils.kt

@@ -1,8 +1,6 @@
 /*
  * © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
- * Contributors:
- *   DenBond7
- *   Ivan Pizhenko
+ * Contributors: denbond7
  */
 
 package com.flowcrypt.email.security
@@ -153,7 +151,12 @@ class SecurityUtils {
       if (matchingKeyRingInfoList.isEmpty()) {
         throw NoKeyAvailableException(context = context, email = senderEmail)
       }
-      return matchingKeyRingInfoList.map { PGPPublicKeyRing(it.publicKeys).armor() }
+
+      return matchingKeyRingInfoList.map { keyRingInfo ->
+        PGPPublicKeyRing(keyRingInfo.publicKeys.map { openPGPComponentKey ->
+          openPGPComponentKey.pgpPublicKey
+        }).armor()
+      }
     }
 
     /**

FlowCrypt/src/main/java/com/flowcrypt/email/security/pgp/PgpDecryptAndOrVerify.kt

@@ -1,6 +1,6 @@
 /*
  * © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
- * Contributors: DenBond7
+ * Contributors: denbond7
  */
 
 package com.flowcrypt.email.security.pgp
@@ -107,14 +107,14 @@ object PgpDecryptAndOrVerify {
     return PGPainless.decryptAndOrVerify()
       .onInputStream(srcInputStream)
       .withOptions(
-        ConsumerOptions()
+        ConsumerOptions.get()
           .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION)
           .setIgnoreMDCErrors(ignoreMdcErrors)
           .apply {
             if (secretKeys != null && protector != null) {
               addDecryptionKeys(secretKeys, protector)
             }
-            passphrase?.let { addDecryptionPassphrase(it) }
+            passphrase?.let { addMessagePassphrase(it) }
             publicKeys?.let { addVerificationCerts(it) }
           }
       )

FlowCrypt/src/main/java/com/flowcrypt/email/security/pgp/PgpEncryptAndOrSign.kt

@@ -11,6 +11,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.DocumentSignatureType
+import org.pgpainless.bouncycastle.extensions.toOpenPGPCertificate
 import org.pgpainless.encryption_signing.EncryptionOptions
 import org.pgpainless.encryption_signing.EncryptionResult
 import org.pgpainless.encryption_signing.EncryptionStream
@@ -75,7 +76,10 @@ object PgpEncryptAndOrSign {
       val prvKeysStream = ByteArrayInputStream(prvKeys.joinToString(separator = "\n").toByteArray())
       pgpSecretKeyRingCollection = prvKeysStream.use {
         ArmoredInputStream(it).use { armoredInputStream ->
-          PGPainless.readKeyRing().secretKeyRingCollection(armoredInputStream)
+          PGPSecretKeyRingCollection(
+            PGPainless.getInstance().readKey().parseKeys(armoredInputStream)
+              .map { openPGPKey -> openPGPKey.pgpSecretKeyRing }
+          )
         }
       }
     }
@@ -171,33 +175,34 @@ object PgpEncryptAndOrSign {
     fileName: String? = null,
     generateDetachedSignatures: Boolean = false,
   ): EncryptionStream {
-    val encOpt = EncryptionOptions().apply {
+    val api = PGPainless.getInstance()
+    val encOpt = EncryptionOptions.get().apply {
       passphrase?.let { addMessagePassphrase(passphrase) }
       pgpPublicKeyRingCollection?.forEach {
-        addRecipient(it)
+        addRecipient(it.toOpenPGPCertificate(api.implementation))
       }
 
       protectedPgpPublicKeyRingCollection?.forEach {
-        addHiddenRecipient(it)
+        addHiddenRecipient(it.toOpenPGPCertificate(api.implementation))
       }
     }
 
     val producerOptions: ProducerOptions =
       if (passphrase == null && pgpSecretKeyRingCollection?.any() == true) {
-        ProducerOptions.signAndEncrypt(encOpt, SigningOptions().apply {
+        ProducerOptions.signAndEncrypt(encOpt, SigningOptions.get().apply {
           pgpSecretKeyRingCollection.forEach { pgpSecretKeyRing ->
             secretKeyRingProtector?.let { protector ->
               if (generateDetachedSignatures) {
                 addDetachedSignature(
-                  protector,
-                  pgpSecretKeyRing,
-                  DocumentSignatureType.BINARY_DOCUMENT
+                  signingKeyProtector = protector,
+                  signingKey = api.toKey(pgpSecretKeyRing),
+                  signatureType = DocumentSignatureType.BINARY_DOCUMENT
                 )
               } else {
                 addInlineSignature(
-                  protector,
-                  pgpSecretKeyRing,
-                  DocumentSignatureType.BINARY_DOCUMENT
+                  signingKeyProtector = protector,
+                  signingKey = api.toKey(pgpSecretKeyRing),
+                  signatureType = DocumentSignatureType.BINARY_DOCUMENT
                 )
               }
             }
@@ -212,7 +217,7 @@ object PgpEncryptAndOrSign {
 
     fileName?.let { producerOptions.setFileName(it) }
 
-    return PGPainless.encryptAndOrSign()
+    return api.generateMessage()
       .onOutputStream(destOutputStream)
       .withOptions(producerOptions)
   }