diff options
Diffstat (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java')
| -rw-r--r-- | OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java | 112 |
1 files changed, 88 insertions, 24 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java index 4e4e8c4e0..769a48a8e 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java @@ -206,14 +206,14 @@ public class PgpDecryptVerify { // else: ascii armored encryption! go on... } - return decryptVerify(in); + return decryptVerify(in, 0); } catch (PGPException e) { OperationLog log = new OperationLog(); - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_PGP_EXCEPTION); + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_PGP_EXCEPTION, 1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } catch (IOException e) { OperationLog log = new OperationLog(); - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_IO); + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_IO, 1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } } @@ -221,10 +221,13 @@ public class PgpDecryptVerify { /** * Decrypt and/or verifies binary or ascii armored pgp */ - private DecryptVerifyResult decryptVerify(InputStream in) throws IOException, PGPException { + private DecryptVerifyResult decryptVerify(InputStream in, int indent) throws IOException, PGPException { OperationLog log = new OperationLog(); + log.add(LogLevel.START, LogType.MSG_DC, indent); + indent += 1; + PGPObjectFactory pgpF = new PGPObjectFactory(in, new JcaKeyFingerprintCalculator()); PGPEncryptedDataList enc; Object o = pgpF.nextObject(); @@ -239,7 +242,7 @@ public class PgpDecryptVerify { } if (enc == null) { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INVALID_DATA) + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INVALID_SIGLIST, indent); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } @@ -252,35 +255,44 @@ public class PgpDecryptVerify { Iterator<?> it = enc.getEncryptedDataObjects(); boolean asymmetricPacketFound = false; boolean symmetricPacketFound = false; + boolean anyPacketFound = false; + // go through all objects and find one we can decrypt while (it.hasNext()) { Object obj = it.next(); if (obj instanceof PGPPublicKeyEncryptedData) { + anyPacketFound = true; + currentProgress += 2; updateProgress(R.string.progress_finding_key, currentProgress, 100); PGPPublicKeyEncryptedData encData = (PGPPublicKeyEncryptedData) obj; - long subKeyId = encData.getKeyID(); + log.add(LogLevel.DEBUG, LogType.MSG_DC_ASYM, indent, + PgpKeyHelper.convertKeyIdToHex(subKeyId)); + CanonicalizedSecretKeyRing secretKeyRing; try { // get actual keyring object based on master key id secretKeyRing = mProviderHelper.getCanonicalizedSecretKeyRing( - KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(encData.getKeyID()) + KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(subKeyId) ); } catch (ProviderHelper.NotFoundException e) { // continue with the next packet in the while loop + log.add(LogLevel.DEBUG, LogType.MSG_DC_ASKIP_NO_KEY, indent +1); continue; } if (secretKeyRing == null) { // continue with the next packet in the while loop + log.add(LogLevel.DEBUG, LogType.MSG_DC_ASKIP_NO_KEY, indent +1); continue; } // get subkey which has been used for this encryption packet secretEncryptionKey = secretKeyRing.getSecretKey(subKeyId); if (secretEncryptionKey == null) { - // continue with the next packet in the while loop + // should actually never happen, so no need to be more specific. + log.add(LogLevel.DEBUG, LogType.MSG_DC_ASKIP_NO_KEY, indent +1); continue; } @@ -294,6 +306,7 @@ public class PgpDecryptVerify { if (!mAllowedKeyIds.contains(masterKeyId)) { // this key is in our db, but NOT allowed! // continue with the next packet in the while loop + log.add(LogLevel.DEBUG, LogType.MSG_DC_ASKIP_NOT_ALLOWED, indent +1); continue; } } @@ -308,14 +321,15 @@ public class PgpDecryptVerify { try { // returns "" if key has no passphrase mPassphrase = mPassphraseCache.getCachedPassphrase(subKeyId); + log.add(LogLevel.DEBUG, LogType.MSG_DC_PASS_CACHED, indent +1); } catch (NoSecretKeyException e) { - // log.add(LogLevel.ERROR, LogType.MSG_DEC_ERROR_NO_KEY); + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_NO_KEY, indent +1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } - // if passphrase was not cached, return here - // indicating that a passphrase is missing! + // if passphrase was not cached, return here indicating that a passphrase is missing! if (mPassphrase == null) { + log.add(LogLevel.INFO, LogType.MSG_DC_PENDING_PASSPHRASE, indent +1); DecryptVerifyResult result = new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_ASYM_PASSPHRASE, log); result.setKeyIdPassphraseNeeded(subKeyId); @@ -324,9 +338,18 @@ public class PgpDecryptVerify { } // break out of while, only decrypt the first packet where we have a key - // TODO???: There could be more pgp objects, which are not decrypted! break; - } else if (mAllowSymmetricDecryption && obj instanceof PGPPBEEncryptedData) { + + } else if (obj instanceof PGPPBEEncryptedData) { + anyPacketFound = true; + + log.add(LogLevel.DEBUG, LogType.MSG_DC_SYM, indent); + + if (! mAllowSymmetricDecryption) { + log.add(LogLevel.WARN, LogType.MSG_DC_SYM_SKIP, indent +1); + continue; + } + /* * When mAllowSymmetricDecryption == true and we find a data packet here, * we do not search for other available asymmetric packets! @@ -338,15 +361,30 @@ public class PgpDecryptVerify { // if no passphrase is given, return here // indicating that a passphrase is missing! if (mPassphrase == null) { + log.add(LogLevel.INFO, LogType.MSG_DC_PENDING_PASSPHRASE, indent +1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_SYM_PASSPHRASE, log); } // break out of while, only decrypt the first packet - // TODO???: There could be more pgp objects, which are not decrypted! break; } } + // More data, just acknowledge and ignore. + while (it.hasNext()) { + Object obj = it.next(); + if (obj instanceof PGPPublicKeyEncryptedData) { + log.add(LogLevel.WARN, LogType.MSG_DC_TRAIL_ASYM, 0); + } else if (obj instanceof PGPPBEEncryptedData) { + log.add(LogLevel.WARN, LogType.MSG_DC_TRAIL_SYM, 0); + } else { + log.add(LogLevel.WARN, LogType.MSG_DC_TRAIL_UNKNOWN, 0); + } + } + + log.add(LogLevel.DEBUG, LogType.MSG_DC_PREP_STREAMS, indent); + + // we made sure above one of these two would be true if (symmetricPacketFound) { currentProgress += 2; updateProgress(R.string.progress_preparing_streams, currentProgress, 100); @@ -358,18 +396,20 @@ public class PgpDecryptVerify { mPassphrase.toCharArray()); clear = encryptedDataSymmetric.getDataStream(decryptorFactory); - encryptedData = encryptedDataSymmetric; + } else if (asymmetricPacketFound) { currentProgress += 2; updateProgress(R.string.progress_extracting_key, currentProgress, 100); + try { + log.add(LogLevel.WARN, LogType.MSG_DC_UNLOCKING, indent +1); if (!secretEncryptionKey.unlock(mPassphrase)) { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_BAD_PASSPHRASE); + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_BAD_PASSPHRASE, indent +1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } } catch (PgpGeneralException e) { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_EXTRACT_KEY); + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_EXTRACT_KEY, indent +1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } @@ -381,8 +421,7 @@ public class PgpDecryptVerify { = secretEncryptionKey.getDecryptorFactory(mDecryptedSessionKey); clear = encryptedDataAsymmetric.getDataStream(decryptorFactory); } catch (NfcSyncPublicKeyDataDecryptorFactoryBuilder.NfcInteractionNeeded e) { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_NFC_INTERACTION); - + log.add(LogLevel.INFO, LogType.MSG_DC_PENDING_NFC, indent +1); DecryptVerifyResult result = new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_NFC, log); result.setNfcEncryptedSessionKey(e.encryptedSessionKey); @@ -391,8 +430,10 @@ public class PgpDecryptVerify { } encryptedData = encryptedDataAsymmetric; } else { + // If we didn't find any useful data, error out // no packet has been found where we have the corresponding secret key in our db - // log.add(LogLevel.ERROR, LogType.MSG_DC_MISSING_SECRET_KEY); + log.add(LogLevel.ERROR, + anyPacketFound ? LogType.MSG_DC_ERROR_NO_KEY : LogType.MSG_DC_ERROR_NO_DATA, indent +1); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } @@ -403,7 +444,11 @@ public class PgpDecryptVerify { CanonicalizedPublicKeyRing signingRing = null; CanonicalizedPublicKey signingKey = null; + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR, indent); + indent += 1; + if (dataChunk instanceof PGPCompressedData) { + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_DECOMPRESS, indent +1); currentProgress += 2; updateProgress(R.string.progress_decompressing_data, currentProgress, 100); @@ -416,6 +461,7 @@ public class PgpDecryptVerify { PGPOnePassSignature signature = null; if (dataChunk instanceof PGPOnePassSignatureList) { + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_SIGNATURE, indent +1); currentProgress += 2; updateProgress(R.string.progress_processing_signature, currentProgress, 100); @@ -466,6 +512,8 @@ public class PgpDecryptVerify { OpenPgpMetadata metadata; if (dataChunk instanceof PGPLiteralData) { + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_DATA, indent +1); + indent += 2; currentProgress += 4; updateProgress(R.string.progress_decrypting, currentProgress, 100); @@ -506,8 +554,14 @@ public class PgpDecryptVerify { literalData.getModificationTime().getTime(), originalSize); + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_META_FILE, indent +1); + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_META_MIME, indent +1); + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_META_TIME, indent +1); + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_META_SIZE, indent +1); + // return here if we want to decrypt the metadata only if (mDecryptMetadataOnly) { + log.add(LogLevel.OK, LogType.MSG_DC_OK_META_ONLY, indent); DecryptVerifyResult result = new DecryptVerifyResult(DecryptVerifyResult.RESULT_OK, log); result.setDecryptMetadata(metadata); @@ -554,6 +608,7 @@ public class PgpDecryptVerify { if (signature != null) { updateProgress(R.string.progress_verifying_signature, 90, 100); + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_SIGNATURE_CHECK, indent); PGPSignatureList signatureList = (PGPSignatureList) plainFact.nextObject(); PGPSignature messageSignature = signatureList.get(signatureIndex); @@ -564,8 +619,15 @@ public class PgpDecryptVerify { // Verify signature and check binding signatures boolean validSignature = signature.verify(messageSignature); + if (validSignature) { + log.add(LogLevel.DEBUG, LogType.MSG_DC_CLEAR_SIGNATURE_OK, indent +1); + } else { + log.add(LogLevel.WARN, LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent +1); + } signatureResultBuilder.setValidSignature(validSignature); } + + indent -= 1; } else { // If there is no literalData, we don't have any metadata metadata = null; @@ -575,9 +637,9 @@ public class PgpDecryptVerify { updateProgress(R.string.progress_verifying_integrity, 95, 100); if (encryptedData.verify()) { - // log.add(LogLevel.INFO, LogType.MSG_DC_INTEGRITY_CHECK_OK) + log.add(LogLevel.INFO, LogType.MSG_DC_INTEGRITY_CHECK_OK, indent); } else { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INTEGRITY_CHECK) + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INTEGRITY_CHECK, indent); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } } else { @@ -588,13 +650,15 @@ public class PgpDecryptVerify { // Handle missing integrity protection like failed integrity protection! // The MDC packet can be stripped by an attacker! if (!signatureResultBuilder.isValidSignature()) { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INTEGRITY_CHECK) + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INTEGRITY_CHECK, indent); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } } updateProgress(R.string.progress_done, 100, 100); + log.add(LogLevel.OK, LogType.MSG_DC_OK, indent); + // Return a positive result, with metadata and verification info DecryptVerifyResult result = new DecryptVerifyResult(DecryptVerifyResult.RESULT_OK, log); @@ -649,7 +713,7 @@ public class PgpDecryptVerify { PGPSignatureList sigList = (PGPSignatureList) pgpFact.nextObject(); if (sigList == null) { - // log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INVALID_DATA) + log.add(LogLevel.ERROR, LogType.MSG_DC_ERROR_INVALID_SIGLIST, 0); return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log); } |