From 76241e90ad440bedaf40f148ba0584e06064096a Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 6 May 2015 13:08:03 -0400 Subject: Adding NFC Key to Card operation, accessible from Edit Key activity. --- .../keychain/operations/NfcKeyToCardOperation.java | 77 +++++++ .../operations/results/NfcKeyToCardResult.java | 30 +++ .../keychain/pgp/CanonicalizedSecretKey.java | 24 ++ .../keychain/remote/OpenPgpService.java | 1 + .../keychain/service/KeychainIntentService.java | 20 ++ .../service/input/RequiredInputParcel.java | 7 +- .../keychain/ui/CreateKeyActivity.java | 63 +++-- .../keychain/ui/CreateKeyFinalFragment.java | 22 +- .../keychain/ui/EditKeyFragment.java | 81 ++++++- .../keychain/ui/NfcOperationActivity.java | 51 ++++- .../keychain/ui/adapter/SubkeysAdapter.java | 15 ++ .../keychain/ui/base/BaseNfcActivity.java | 253 ++++++++++++++++++++- .../keychain/ui/base/CryptoOperationFragment.java | 1 + .../ui/dialog/EditSubkeyDialogFragment.java | 4 + 14 files changed, 615 insertions(+), 34 deletions(-) create mode 100644 OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java create mode 100644 OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java new file mode 100644 index 000000000..95937a233 --- /dev/null +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2015 Joey Castillo + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +package org.sufficientlysecure.keychain.operations; + +import android.content.Context; + +import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult; +import org.sufficientlysecure.keychain.operations.results.OperationResult; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing; +import org.sufficientlysecure.keychain.pgp.Progressable; +import org.sufficientlysecure.keychain.provider.ProviderHelper; +import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; + +public class NfcKeyToCardOperation extends BaseOperation { + public NfcKeyToCardOperation(Context context, ProviderHelper providerHelper, Progressable progressable) { + super(context, providerHelper, progressable); + } + + public NfcKeyToCardResult execute(long subKeyId) { + OperationResult.OperationLog log = new OperationResult.OperationLog(); + int indent = 0; + long masterKeyId; + + try { + // fetch the indicated master key id + masterKeyId = mProviderHelper.getMasterKeyId(subKeyId); + CanonicalizedSecretKeyRing keyRing = + mProviderHelper.getCanonicalizedSecretKeyRing(masterKeyId); + + log.add(OperationResult.LogType.MSG_KC_SECRET, indent); + + // fetch the specific subkey + CanonicalizedSecretKey subKey = keyRing.getSecretKey(subKeyId); + + switch (subKey.getSecretKeyType()) { + case DIVERT_TO_CARD: + case GNU_DUMMY: { + throw new AssertionError( + "Cannot export GNU_DUMMY/DIVERT_TO_CARD key to a smart card!" + + " This is a programming error!"); + } + + case PIN: + case PATTERN: + case PASSPHRASE: { + log.add(OperationResult.LogType.MSG_PSE_PENDING_NFC, indent); + return new NfcKeyToCardResult(log, RequiredInputParcel + .createNfcKeyToCardOperation(masterKeyId, subKeyId)); + } + + default: { + throw new AssertionError("Unhandled SecretKeyType! (should not happen)"); + } + + } + } catch (ProviderHelper.NotFoundException e) { + log.add(OperationResult.LogType.MSG_PSE_ERROR_UNLOCK, indent); + return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); + } + } +} diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java new file mode 100644 index 000000000..c4bd3986c --- /dev/null +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2015 Joey Castillo + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +package org.sufficientlysecure.keychain.operations.results; + +import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; + +public class NfcKeyToCardResult extends InputPendingResult { + public NfcKeyToCardResult(int result, OperationLog log) { + super(result, log); + } + + public NfcKeyToCardResult(OperationLog log, RequiredInputParcel requiredInput) { + super(log, requiredInput); + } +} diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java index 39d0a2f1d..fd023576b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java @@ -33,6 +33,7 @@ import org.spongycastle.openpgp.operator.PBESecretKeyDecryptor; import org.spongycastle.openpgp.operator.PGPContentSignerBuilder; import org.spongycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.spongycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; +import org.spongycastle.openpgp.operator.jcajce.JcaPGPKeyConverter; import org.spongycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder; import org.spongycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder; import org.spongycastle.openpgp.operator.jcajce.NfcSyncPGPContentSignerBuilder; @@ -45,6 +46,8 @@ import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Passphrase; import java.nio.ByteBuffer; +import java.security.PrivateKey; +import java.security.interfaces.RSAPrivateCrtKey; import java.util.ArrayList; import java.util.Date; import java.util.HashMap; @@ -281,6 +284,27 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey { } } + // For use only in card export; returns the secret key in Chinese Remainder Theorem format. + public RSAPrivateCrtKey getCrtSecretKey() throws PgpGeneralException { + if (mPrivateKeyState == PRIVATE_KEY_STATE_LOCKED) { + throw new PgpGeneralException("Cannot get secret key attributes while key is locked."); + } + + if (mPrivateKeyState == PRIVATE_KEY_STATE_DIVERT_TO_CARD) { + throw new PgpGeneralException("Cannot get secret key attributes of divert-to-card key."); + } + + JcaPGPKeyConverter keyConverter = new JcaPGPKeyConverter(); + PrivateKey retVal; + try { + retVal = keyConverter.getPrivateKey(mPrivateKey); + } catch (PGPException e) { + throw new PgpGeneralException("Error converting private key!", e); + } + + return (RSAPrivateCrtKey)retVal; + } + public byte[] getIv() { return mSecretKey.getIV(); } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java index 4a8bf9332..1e2a72c3c 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java @@ -167,6 +167,7 @@ public class OpenPgpService extends RemoteService { Intent data, RequiredInputParcel requiredInput) { switch (requiredInput.mType) { + case NFC_KEYTOCARD: case NFC_DECRYPT: case NFC_SIGN: { // build PendingIntent for YubiKey NFC operations diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java index e0509ac9b..0fad22e4a 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java @@ -40,6 +40,7 @@ import org.sufficientlysecure.keychain.operations.CertifyOperation; import org.sufficientlysecure.keychain.operations.DeleteOperation; import org.sufficientlysecure.keychain.operations.EditKeyOperation; import org.sufficientlysecure.keychain.operations.ImportExportOperation; +import org.sufficientlysecure.keychain.operations.NfcKeyToCardOperation; import org.sufficientlysecure.keychain.operations.PromoteKeyOperation; import org.sufficientlysecure.keychain.operations.SignEncryptOperation; import org.sufficientlysecure.keychain.operations.results.CertifyResult; @@ -48,6 +49,7 @@ import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult; import org.sufficientlysecure.keychain.operations.results.DeleteResult; import org.sufficientlysecure.keychain.operations.results.ExportResult; import org.sufficientlysecure.keychain.operations.results.ImportKeyResult; +import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog; import org.sufficientlysecure.keychain.operations.results.PromoteKeyResult; @@ -111,6 +113,8 @@ public class KeychainIntentService extends IntentService implements Progressable public static final String ACTION_IMPORT_KEYRING = Constants.INTENT_PREFIX + "IMPORT_KEYRING"; public static final String ACTION_EXPORT_KEYRING = Constants.INTENT_PREFIX + "EXPORT_KEYRING"; + public static final String ACTION_NFC_KEYTOCARD = Constants.INTENT_PREFIX + "NFC_KEYTOCARD"; + public static final String ACTION_UPLOAD_KEYRING = Constants.INTENT_PREFIX + "UPLOAD_KEYRING"; public static final String ACTION_CERTIFY_KEYRING = Constants.INTENT_PREFIX + "SIGN_KEYRING"; @@ -176,6 +180,9 @@ public class KeychainIntentService extends IntentService implements Progressable public static final String EXPORT_ALL = "export_all"; public static final String EXPORT_KEY_RING_MASTER_KEY_ID = "export_key_ring_id"; + // NFC export key to card + public static final String NFC_KEYTOCARD_SUBKEY_ID = "nfc_keytocard_subkey_id"; + // upload key public static final String UPLOAD_KEY_SERVER = "upload_key_server"; @@ -532,6 +539,19 @@ public class KeychainIntentService extends IntentService implements Progressable break; } + case ACTION_NFC_KEYTOCARD: { + // Input + long subKeyId = data.getLong(NFC_KEYTOCARD_SUBKEY_ID); + + // Operation + NfcKeyToCardOperation exportOp = new NfcKeyToCardOperation(this, providerHelper, this); + NfcKeyToCardResult result = exportOp.execute(subKeyId); + + // Result + sendMessageToHandler(MessageStatus.OKAY, result); + + break; + } case ACTION_SIGN_ENCRYPT: { // Input diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java index 535c1e735..50fb35e90 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java @@ -13,7 +13,7 @@ import org.sufficientlysecure.keychain.Constants.key; public class RequiredInputParcel implements Parcelable { public enum RequiredInputType { - PASSPHRASE, PASSPHRASE_SYMMETRIC, NFC_SIGN, NFC_DECRYPT + PASSPHRASE, PASSPHRASE_SYMMETRIC, NFC_SIGN, NFC_DECRYPT, NFC_KEYTOCARD } public Date mSignatureTime; @@ -87,6 +87,11 @@ public class RequiredInputParcel implements Parcelable { new byte[][] { inputHash }, null, null, null, subKeyId); } + public static RequiredInputParcel createNfcKeyToCardOperation(long masterKeyId, long subKeyId) { + return new RequiredInputParcel(RequiredInputType.NFC_KEYTOCARD, null, null, null, + masterKeyId, subKeyId); + } + public static RequiredInputParcel createRequiredSignPassphrase( long masterKeyId, long subKeyId, Date signatureTime) { return new RequiredInputParcel(RequiredInputType.PASSPHRASE, diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java index e0b728bd4..45451bf38 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java @@ -17,6 +17,8 @@ package org.sufficientlysecure.keychain.ui; +import android.app.AlertDialog; +import android.content.DialogInterface; import android.content.Intent; import android.os.Bundle; import android.support.v4.app.Fragment; @@ -41,6 +43,7 @@ public class CreateKeyActivity extends BaseNfcActivity { public static final String EXTRA_FIRST_TIME = "first_time"; public static final String EXTRA_ADDITIONAL_EMAILS = "additional_emails"; public static final String EXTRA_PASSPHRASE = "passphrase"; + public static final String EXTRA_USE_SMART_CARD_SETTINGS = "use_smart_card_settings"; public static final String EXTRA_NFC_USER_ID = "nfc_user_id"; public static final String EXTRA_NFC_AID = "nfc_aid"; @@ -53,6 +56,7 @@ public class CreateKeyActivity extends BaseNfcActivity { ArrayList mAdditionalEmails; Passphrase mPassphrase; boolean mFirstTime; + boolean mUseSmartCardSettings; Fragment mCurrentFragment; @@ -68,6 +72,7 @@ public class CreateKeyActivity extends BaseNfcActivity { mAdditionalEmails = savedInstanceState.getStringArrayList(EXTRA_ADDITIONAL_EMAILS); mPassphrase = savedInstanceState.getParcelable(EXTRA_PASSPHRASE); mFirstTime = savedInstanceState.getBoolean(EXTRA_FIRST_TIME); + mUseSmartCardSettings = savedInstanceState.getBoolean(EXTRA_USE_SMART_CARD_SETTINGS); mCurrentFragment = getSupportFragmentManager().findFragmentByTag(FRAGMENT_TAG); } else { @@ -77,6 +82,7 @@ public class CreateKeyActivity extends BaseNfcActivity { mName = intent.getStringExtra(EXTRA_NAME); mEmail = intent.getStringExtra(EXTRA_EMAIL); mFirstTime = intent.getBooleanExtra(EXTRA_FIRST_TIME, false); + mUseSmartCardSettings = intent.getBooleanExtra(EXTRA_USE_SMART_CARD_SETTINGS, false); if (intent.hasExtra(EXTRA_NFC_FINGERPRINTS)) { byte[] nfcFingerprints = intent.getByteArrayExtra(EXTRA_NFC_FINGERPRINTS); @@ -116,23 +122,45 @@ public class CreateKeyActivity extends BaseNfcActivity { byte[] nfcAid = nfcGetAid(); String userId = nfcGetUserId(); - try { - long masterKeyId = KeyFormattingUtils.getKeyIdFromFingerprint(scannedFingerprints); - CachedPublicKeyRing ring = new ProviderHelper(this).getCachedPublicKeyRing(masterKeyId); - ring.getMasterKeyId(); - - Intent intent = new Intent(this, ViewKeyActivity.class); - intent.setData(KeyRings.buildGenericKeyRingUri(masterKeyId)); - intent.putExtra(ViewKeyActivity.EXTRA_NFC_AID, nfcAid); - intent.putExtra(ViewKeyActivity.EXTRA_NFC_USER_ID, userId); - intent.putExtra(ViewKeyActivity.EXTRA_NFC_FINGERPRINTS, scannedFingerprints); - startActivity(intent); - finish(); - - } catch (PgpKeyNotFoundException e) { - Fragment frag = CreateKeyYubiKeyImportFragment.createInstance( - scannedFingerprints, nfcAid, userId); - loadFragment(frag, FragAction.TO_RIGHT); + // If all fingerprint bytes are 0, the card contains no keys. + boolean cardContainsKeys = false; + for (byte b : scannedFingerprints) { + if (b != 0) { + cardContainsKeys = true; + break; + } + } + + if (cardContainsKeys) { + try { + long masterKeyId = KeyFormattingUtils.getKeyIdFromFingerprint(scannedFingerprints); + CachedPublicKeyRing ring = new ProviderHelper(this).getCachedPublicKeyRing(masterKeyId); + ring.getMasterKeyId(); + + Intent intent = new Intent(this, ViewKeyActivity.class); + intent.setData(KeyRings.buildGenericKeyRingUri(masterKeyId)); + intent.putExtra(ViewKeyActivity.EXTRA_NFC_AID, nfcAid); + intent.putExtra(ViewKeyActivity.EXTRA_NFC_USER_ID, userId); + intent.putExtra(ViewKeyActivity.EXTRA_NFC_FINGERPRINTS, scannedFingerprints); + startActivity(intent); + finish(); + + } catch (PgpKeyNotFoundException e) { + Fragment frag = CreateKeyYubiKeyImportFragment.createInstance( + scannedFingerprints, nfcAid, userId); + loadFragment(frag, FragAction.TO_RIGHT); + } + } else { + AlertDialog.Builder builder = new AlertDialog.Builder(this); + builder.setTitle("Blank Smart Card / Yubikey Detected") + .setMessage("Would you like to generate a smart card compatible key?") + .setPositiveButton(android.R.string.yes, new DialogInterface.OnClickListener() { + @Override + public void onClick(DialogInterface dialog, int button) { + CreateKeyActivity.this.mUseSmartCardSettings = true; + } + }) + .setNegativeButton(android.R.string.no, null).show(); } } @@ -146,6 +174,7 @@ public class CreateKeyActivity extends BaseNfcActivity { outState.putStringArrayList(EXTRA_ADDITIONAL_EMAILS, mAdditionalEmails); outState.putParcelable(EXTRA_PASSPHRASE, mPassphrase); outState.putBoolean(EXTRA_FIRST_TIME, mFirstTime); + outState.putBoolean(EXTRA_USE_SMART_CARD_SETTINGS, mUseSmartCardSettings); } @Override diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java index b0a13c897..84962915b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java @@ -163,12 +163,22 @@ public class CreateKeyFinalFragment extends Fragment { if (mSaveKeyringParcel == null) { mSaveKeyringParcel = new SaveKeyringParcel(); - mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( - Algorithm.RSA, 4096, null, KeyFlags.CERTIFY_OTHER, 0L)); - mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( - Algorithm.RSA, 4096, null, KeyFlags.SIGN_DATA, 0L)); - mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( - Algorithm.RSA, 4096, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L)); + if (mCreateKeyActivity.mUseSmartCardSettings) { + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 2048, null, KeyFlags.SIGN_DATA | KeyFlags.CERTIFY_OTHER, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 2048, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 2048, null, KeyFlags.AUTHENTICATION, 0L)); + mEditText.setText(R.string.create_key_custom); + } else { + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 4096, null, KeyFlags.CERTIFY_OTHER, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 4096, null, KeyFlags.SIGN_DATA, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 4096, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L)); + } String userId = KeyRing.createUserId( new KeyRing.UserId(mCreateKeyActivity.mName, mCreateKeyActivity.mEmail, null) ); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java index 390efddce..aef770174 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java @@ -36,12 +36,14 @@ import android.view.ViewGroup; import android.widget.AdapterView; import android.widget.ListView; +import org.spongycastle.bcpg.PublicKeyAlgorithmTags; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.compatibility.DialogFragmentWorkaround; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.SingletonResult; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; import org.sufficientlysecure.keychain.pgp.KeyRing; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; @@ -65,6 +67,8 @@ import org.sufficientlysecure.keychain.ui.util.Notify; import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Passphrase; +import java.nio.ByteBuffer; + public class EditKeyFragment extends CryptoOperationFragment implements LoaderManager.LoaderCallbacks { @@ -415,7 +419,7 @@ public class EditKeyFragment extends CryptoOperationFragment implements mSaveKeyringParcel.mRevokeSubKeys.add(keyId); } break; - case EditSubkeyDialogFragment.MESSAGE_STRIP: + case EditSubkeyDialogFragment.MESSAGE_STRIP: { SubkeyChange change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { mSaveKeyringParcel.mChangeSubKeys.add(new SubkeyChange(keyId, true, null)); @@ -424,6 +428,69 @@ public class EditKeyFragment extends CryptoOperationFragment implements // toggle change.mDummyStrip = !change.mDummyStrip; break; + } + case EditSubkeyDialogFragment.MESSAGE_KEYTOCARD: { + // Three checks to verify that this is a smart card compatible key: + + // 1. Key algorithm must be RSA + int algorithm = mSubkeysAdapter.getAlgorithm(position); + if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && + algorithm != PublicKeyAlgorithmTags.RSA_SIGN && + algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { + Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_algo, + Notify.Style.ERROR).show(); + return; + } + + // 2. Key size must be 2048 + if (mSubkeysAdapter.getKeySize(position) != 2048) { + Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_size, + Notify.Style.ERROR).show(); + return; + } + + // 3. Secret key parts must be available + CanonicalizedSecretKey.SecretKeyType type = + mSubkeysAdapter.getSecretKeyType(position); + if (type == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || + type == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { + Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_stripped, + Notify.Style.ERROR).show(); + return; + } + + SubkeyChange change; + change = mSaveKeyringParcel.getSubkeyChange(keyId); + if (change == null) { + mSaveKeyringParcel.mChangeSubKeys.add( + new SubkeyChange(keyId, false, new byte[0]) + ); + } + final Bundle data = new Bundle(); + data.putLong(KeychainIntentService.NFC_KEYTOCARD_SUBKEY_ID, keyId); + Intent intent = new Intent(EditKeyFragment.this.getActivity(), + KeychainIntentService.class); + intent.setAction(KeychainIntentService.ACTION_NFC_KEYTOCARD); + intent.putExtra(KeychainIntentService.EXTRA_DATA, data); + + ServiceProgressHandler serviceHandler = new ServiceProgressHandler( + getActivity(), + getString(R.string.progress_exporting), + ProgressDialog.STYLE_HORIZONTAL, + ProgressDialogFragment.ServiceType.KEYCHAIN_INTENT) { + public void handleMessage(Message message) { + super.handleMessage(message); + EditKeyFragment.this.handlePendingMessage(message); + } + }; + // Create a new Messenger for the communication back + Messenger messenger = new Messenger(serviceHandler); + intent.putExtra(KeychainIntentService.EXTRA_MESSENGER, messenger); + serviceHandler.showProgressDialog(getActivity()); + + getActivity().startService(intent); + break; + } } getLoaderManager().getLoader(LOADER_ID_SUBKEYS).forceLoad(); } @@ -593,6 +660,18 @@ public class EditKeyFragment extends CryptoOperationFragment implements Intent intent = new Intent(getActivity(), KeychainIntentService.class); intent.setAction(KeychainIntentService.ACTION_EDIT_KEYRING); + for (SubkeyChange change : mSaveKeyringParcel.mChangeSubKeys) { + if(change.mDummyDivert != null) { + // Convert long key ID to byte buffer + byte[] subKeyId = new byte[8]; + ByteBuffer buf = ByteBuffer.wrap(subKeyId); + buf.putLong(change.mKeyId).rewind(); + + byte[] cardSerial = cryptoInput.getCryptoData().get(buf); + change.mDummyDivert = cardSerial; + } + } + // fill values for this action Bundle data = new Bundle(); data.putParcelable(KeychainIntentService.EXTRA_CRYPTO_INPUT, cryptoInput); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java index aa66053fa..1a618329d 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java @@ -10,8 +10,13 @@ import android.content.Intent; import android.os.Bundle; import android.view.WindowManager; +import org.spongycastle.util.Arrays; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing; +import org.sufficientlysecure.keychain.provider.KeychainContract; +import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.remote.CryptoInputParcelCacheService; import org.sufficientlysecure.keychain.service.PassphraseCacheService; import org.sufficientlysecure.keychain.service.input.CryptoInputParcel; @@ -21,6 +26,7 @@ import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Preferences; import java.io.IOException; +import java.nio.ByteBuffer; /** * This class provides a communication interface to OpenPGP applications on ISO SmartCard compliant @@ -53,8 +59,11 @@ public class NfcOperationActivity extends BaseNfcActivity { mRequiredInput = data.getParcelable(EXTRA_REQUIRED_INPUT); mServiceIntent = data.getParcelable(EXTRA_SERVICE_INTENT); - // obtain passphrase for this subkey - obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); + if (mRequiredInput.mType == RequiredInputParcel.RequiredInputType.NFC_KEYTOCARD) { + obtainKeyExportPassphrase(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); + } else { + obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); + } } @Override @@ -85,6 +94,44 @@ public class NfcOperationActivity extends BaseNfcActivity { } break; } + case NFC_KEYTOCARD: { + ProviderHelper providerHelper = new ProviderHelper(this); + CanonicalizedSecretKeyRing secretKeyRing; + try { + secretKeyRing = providerHelper.getCanonicalizedSecretKeyRing( + KeychainContract.KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(mRequiredInput.getSubKeyId()) + ); + } catch (ProviderHelper.NotFoundException e) { + throw new IOException("Couldn't find subkey for key to card operation."); + } + CanonicalizedSecretKey key = secretKeyRing.getSecretKey(mRequiredInput.getSubKeyId()); + + long keyGenerationTimestampMillis = key.getCreationTime().getTime(); + long keyGenerationTimestamp = keyGenerationTimestampMillis / 1000; + byte[] timestampBytes = ByteBuffer.allocate(4).putInt((int) keyGenerationTimestamp).array(); + byte[] cardSerialNumber = Arrays.copyOf(nfcGetAid(), 16); + + if (key.canSign() || key.canCertify()) { + nfcPutKey(0xB6, key); + nfcPutData(0xCE, timestampBytes); + nfcPutData(0xC7, key.getFingerprint()); + } else if (key.canEncrypt()) { + nfcPutKey(0xB8, key); + nfcPutData(0xCF, timestampBytes); + nfcPutData(0xC8, key.getFingerprint()); + } else if (key.canAuthenticate()) { + nfcPutKey(0xA4, key); + nfcPutData(0xD0, timestampBytes); + nfcPutData(0xC9, key.getFingerprint()); + } else { + throw new IOException("Inappropriate key flags for smart card key."); + } + + byte[] subKeyId = new byte[8]; + ByteBuffer buf = ByteBuffer.wrap(subKeyId); + buf.putLong(mRequiredInput.getSubKeyId()); + inputParcel.addCryptoData(subKeyId, cardSerialNumber); + } } if (mServiceIntent != null) { diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java index 096dea51f..db0a930ed 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java @@ -116,6 +116,21 @@ public class SubkeysAdapter extends CursorAdapter { } } + public int getAlgorithm(int position) { + mCursor.moveToPosition(position); + return mCursor.getInt(INDEX_ALGORITHM); + } + + public int getKeySize(int position) { + mCursor.moveToPosition(position); + return mCursor.getInt(INDEX_KEY_SIZE); + } + + public SecretKeyType getSecretKeyType(int position) { + mCursor.moveToPosition(position); + return SecretKeyType.fromNum(mCursor.getInt(INDEX_HAS_SECRET)); + } + @Override public Cursor swapCursor(Cursor newCursor) { hasAnySecret = false; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java index 1d09b281f..4506fe3c1 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java @@ -19,7 +19,9 @@ package org.sufficientlysecure.keychain.ui.base; import java.io.IOException; +import java.math.BigInteger; import java.nio.ByteBuffer; +import java.security.interfaces.RSAPrivateCrtKey; import android.app.Activity; import android.app.PendingIntent; @@ -32,9 +34,12 @@ import android.os.Bundle; import android.widget.Toast; import org.spongycastle.bcpg.HashAlgorithmTags; +import org.spongycastle.util.Arrays; import org.spongycastle.util.encoders.Hex; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; +import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings; @@ -54,12 +59,16 @@ import org.sufficientlysecure.keychain.util.Preferences; public abstract class BaseNfcActivity extends BaseActivity { - public static final int REQUEST_CODE_PASSPHRASE = 1; + public static final int REQUEST_CODE_PIN = 1; + public static final int REQUEST_CODE_PASSPHRASE = 2; protected Passphrase mPin; + protected Passphrase mAdminPin; + protected Passphrase mPassphrase; // For key export protected boolean mPw1ValidForMultipleSignatures; protected boolean mPw1ValidatedForSignature; protected boolean mPw1ValidatedForDecrypt; // Mode 82 does other things; consider renaming? + protected boolean mPw3Validated; private NfcAdapter mNfcAdapter; private IsoDep mIsoDep; @@ -127,6 +136,15 @@ public abstract class BaseNfcActivity extends BaseActivity { enableNfcForegroundDispatch(); } + protected void obtainKeyExportPassphrase(RequiredInputParcel requiredInput) { + + Intent intent = new Intent(this, PassphraseDialogActivity.class); + intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT, + RequiredInputParcel.createRequiredPassphrase(requiredInput)); + startActivityForResult(intent, REQUEST_CODE_PASSPHRASE); + + } + protected void obtainYubiKeyPin(RequiredInputParcel requiredInput) { Preferences prefs = Preferences.getPreferences(this); @@ -138,7 +156,7 @@ public abstract class BaseNfcActivity extends BaseActivity { Intent intent = new Intent(this, PassphraseDialogActivity.class); intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT, RequiredInputParcel.createRequiredPassphrase(requiredInput)); - startActivityForResult(intent, REQUEST_CODE_PASSPHRASE); + startActivityForResult(intent, REQUEST_CODE_PIN); } @@ -149,7 +167,7 @@ public abstract class BaseNfcActivity extends BaseActivity { @Override protected void onActivityResult(int requestCode, int resultCode, Intent data) { switch (requestCode) { - case REQUEST_CODE_PASSPHRASE: + case REQUEST_CODE_PIN: { if (resultCode != Activity.RESULT_OK) { setResult(resultCode); finish(); @@ -158,6 +176,18 @@ public abstract class BaseNfcActivity extends BaseActivity { CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT); mPin = input.getPassphrase(); break; + } + + case REQUEST_CODE_PASSPHRASE: { + if (resultCode != Activity.RESULT_OK) { + setResult(resultCode); + finish(); + return; + } + CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT); + mPassphrase = input.getPassphrase(); + break; + } default: super.onActivityResult(requestCode, resultCode, data); @@ -208,6 +238,10 @@ public abstract class BaseNfcActivity extends BaseActivity { mPw1ValidForMultipleSignatures = (pwStatusBytes[0] == 1); mPw1ValidatedForSignature = false; mPw1ValidatedForDecrypt = false; + mPw3Validated = false; + + // TODO: Handle non-default Admin PIN + mAdminPin = new Passphrase("12345678"); onNfcPerform(); @@ -460,13 +494,21 @@ public abstract class BaseNfcActivity extends BaseActivity { return Hex.decode(decryptedSessionKey); } - /** Verifies the user's PW1 with the appropriate mode. + /** Verifies the user's PW1 or PW3 with the appropriate mode. * - * @param mode This is 0x81 for signing, 0x82 for everything else + * @param mode For PW1, this is 0x81 for signing, 0x82 for everything else. + * For PW3 (Admin PIN), mode is 0x83. */ public void nfcVerifyPIN(int mode) throws IOException { - if (mPin != null) { - byte[] pin = new String(mPin.getCharArray()).getBytes(); + if (mPin != null || mode == 0x83) { + byte[] pin; + + if (mode == 0x83) { + pin = new String(mAdminPin.getCharArray()).getBytes(); + } else { + pin = new String(mPin.getCharArray()).getBytes(); + } + // SW1/2 0x9000 is the generic "ok" response, which we expect most of the time. // See specification, page 51 String accepted = "9000"; @@ -488,10 +530,207 @@ public abstract class BaseNfcActivity extends BaseActivity { mPw1ValidatedForSignature = true; } else if (mode == 0x82) { mPw1ValidatedForDecrypt = true; + } else if (mode == 0x83) { + mPw3Validated = true; } } } + /** Modifies the user's PW1 or PW3. Before sending, the new PIN will be validated for + * conformance to the card's requirements for key length. + * + * @param pw For PW1, this is 0x81. For PW3 (Admin PIN), mode is 0x83. + * @param newPinString The new PW1 or PW3. + */ + public void nfcModifyPIN(int pw, String newPinString) throws IOException { + final int MAX_PW1_LENGTH_INDEX = 1; + final int MAX_PW3_LENGTH_INDEX = 3; + + byte[] pwStatusBytes = nfcGetPwStatusBytes(); + byte[] newPin = newPinString.getBytes(); + + if (pw == 0x81) { + if (newPin.length < 6 || newPin.length > pwStatusBytes[MAX_PW1_LENGTH_INDEX]) { + throw new IOException("Invalid PIN length"); + } + } else if (pw == 0x83) { + if (newPin.length < 8 || newPin.length > pwStatusBytes[MAX_PW3_LENGTH_INDEX]) { + throw new IOException("Invalid PIN length"); + } + } else { + throw new IOException("Invalid PW index for modify PIN operation"); + } + + byte[] pin; + + if (pw == 0x83) { + pin = new String(mAdminPin.getCharArray()).getBytes(); + } else { + pin = new String(mPin.getCharArray()).getBytes(); + } + + // Command APDU for CHANGE REFERENCE DATA command (page 32) + String changeReferenceDataApdu = "00" // CLA + + "24" // INS + + "00" // P1 + + String.format("%02x", pw) // P2 + + String.format("%02x", pin.length + newPin.length) // Lc + + getHex(pin) + + getHex(newPin); + if (!nfcCommunicate(changeReferenceDataApdu).equals("9000")) { // Change reference data + handlePinError(); + throw new IOException("Failed to change PIN"); + } + } + + /** + * Stores a data object on the card. Automatically validates the proper PIN for the operation. + * Supported for all data objects < 255 bytes in length. Only the cardholder certificate + * (0x7F21) can exceed this length. + * + * @param dataObject The data object to be stored. + * @param data The data to store in the object + */ + public void nfcPutData(int dataObject, byte[] data) throws IOException { + if (data.length > 254) { + throw new IOException("Cannot PUT DATA with length > 254"); + } + if (dataObject == 0x0101 || dataObject == 0x0103) { + if (!mPw1ValidatedForDecrypt) { + nfcVerifyPIN(0x82); // (Verify PW1 for non-signing operations) + } + } else if (!mPw3Validated) { + nfcVerifyPIN(0x83); // (Verify PW3) + } + + String putDataApdu = "00" // CLA + + "DA" // INS + + String.format("%02x", (dataObject & 0xFF00) >> 8) // P1 + + String.format("%02x", dataObject & 0xFF) // P2 + + String.format("%02x", data.length) // Lc + + getHex(data); + + String response = nfcCommunicate(putDataApdu); + if (!response.equals("9000")) { + throw new IOException("Failed to put data for tag " + + String.format("%02x", (dataObject & 0xFF00) >> 8) + + String.format("%02x", dataObject & 0xFF) + + ": " + response); + } + } + + /** + * Puts a key on the card in the given slot. + * + * @param slot The slot on the card where the key should be stored: + * 0xB6: Signature Key + * 0xB8: Decipherment Key + * 0xA4: Authentication Key + */ + public void nfcPutKey(int slot, CanonicalizedSecretKey secretKey) + throws IOException { + if (slot != 0xB6 && slot != 0xB8 && slot != 0xA4) { + throw new IOException("Invalid key slot"); + } + + RSAPrivateCrtKey crtSecretKey = null; + try { + secretKey.unlock(mPassphrase); + crtSecretKey = secretKey.getCrtSecretKey(); + } catch (PgpGeneralException e) { + throw new IOException(e.getMessage()); + } + + // Shouldn't happen; the UI should block the user from getting an incompatible key this far. + if (crtSecretKey.getModulus().bitLength() > 2048) { + throw new IOException("Key too large to export to smart card."); + } + + // Should happen only rarely; all GnuPG keys since 2006 use public exponent 65537. + if (!crtSecretKey.getPublicExponent().equals(new BigInteger("65537"))) { + throw new IOException("Invalid public exponent for smart card key."); + } + + if (!mPw3Validated) { + nfcVerifyPIN(0x83); // (Verify PW1 with mode 83) + } + + byte[] header= Hex.decode( + "4D82" + "03A2" // Extended header list 4D82, length of 930 bytes. (page 23) + + String.format("%02x", slot) + "00" // CRT to indicate targeted key, no length + + "7F48" + "15" // Private key template 0x7F48, length 21 (decimal, 0x15 hex) + + "9103" // Public modulus, length 3 + + "928180" // Prime P, length 128 + + "938180" // Prime Q, length 128 + + "948180" // Coefficient (1/q mod p), length 128 + + "958180" // Prime exponent P (d mod (p - 1)), length 128 + + "968180" // Prime exponent Q (d mod (1 - 1)), length 128 + + "97820100" // Modulus, length 256, last item in private key template + + "5F48" + "820383");// DO 5F48; 899 bytes of concatenated key data will follow + byte[] dataToSend = new byte[934]; + byte[] currentKeyObject; + int offset = 0; + + System.arraycopy(header, 0, dataToSend, offset, header.length); + offset += header.length; + currentKeyObject = crtSecretKey.getPublicExponent().toByteArray(); + System.arraycopy(currentKeyObject, 0, dataToSend, offset, 3); + offset += 3; + // NOTE: For a 2048-bit key, these lengths are fixed. However, bigint includes a leading 0 + // in the array to represent sign, so we take care to set the offset to 1 if necessary. + currentKeyObject = crtSecretKey.getPrimeP().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getPrimeQ().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getCrtCoefficient().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getPrimeExponentP().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getPrimeExponentQ().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getModulus().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 256, dataToSend, offset, 256); + + String putKeyCommand = "10DB3FFF"; + String lastPutKeyCommand = "00DB3FFF"; + + // Now we're ready to communicate with the card. + offset = 0; + String response; + while(offset < dataToSend.length) { + int dataRemaining = dataToSend.length - offset; + if (dataRemaining > 254) { + response = nfcCommunicate( + putKeyCommand + "FE" + Hex.toHexString(dataToSend, offset, 254) + ); + offset += 254; + } else { + int length = dataToSend.length - offset; + response = nfcCommunicate( + lastPutKeyCommand + String.format("%02x", length) + + Hex.toHexString(dataToSend, offset, length)); + offset += length; + } + + if (!response.endsWith("9000")) { + throw new IOException("Key export to card failed"); + } + } + + // Clear array with secret data before we return. + Arrays.fill(dataToSend, (byte) 0); + } + /** * Prints a message to the screen * diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java index 232a39f86..3b92f7208 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java @@ -43,6 +43,7 @@ public abstract class CryptoOperationFragment extends Fragment { private void initiateInputActivity(RequiredInputParcel requiredInput) { switch (requiredInput.mType) { + case NFC_KEYTOCARD: case NFC_DECRYPT: case NFC_SIGN: { Intent intent = new Intent(getActivity(), NfcOperationActivity.class); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java index 9568312f5..eafa129f0 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java @@ -35,6 +35,7 @@ public class EditSubkeyDialogFragment extends DialogFragment { public static final int MESSAGE_CHANGE_EXPIRY = 1; public static final int MESSAGE_REVOKE = 2; public static final int MESSAGE_STRIP = 3; + public static final int MESSAGE_KEYTOCARD = 4; private Messenger mMessenger; @@ -76,6 +77,9 @@ public class EditSubkeyDialogFragment extends DialogFragment { case 2: sendMessageToHandler(MESSAGE_STRIP, null); break; + case 3: + sendMessageToHandler(MESSAGE_KEYTOCARD, null); + break; default: break; } -- cgit v1.2.3 From a0107afd3efefb152b5691b04c6343a4382fcd6a Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Tue, 12 May 2015 17:31:14 -0400 Subject: Moved checks from fragment to operation, impoved logging. --- .../keychain/operations/NfcKeyToCardOperation.java | 52 ++++++++++++++-------- .../operations/results/NfcKeyToCardResult.java | 21 +++++++++ .../operations/results/OperationResult.java | 5 +++ .../keychain/ui/EditKeyFragment.java | 41 ++++------------- 4 files changed, 69 insertions(+), 50 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java index 95937a233..36f31e20e 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java @@ -19,6 +19,7 @@ package org.sufficientlysecure.keychain.operations; import android.content.Context; +import org.spongycastle.bcpg.PublicKeyAlgorithmTags; import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; @@ -26,6 +27,7 @@ import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing; import org.sufficientlysecure.keychain.pgp.Progressable; import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; +import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils; public class NfcKeyToCardOperation extends BaseOperation { public NfcKeyToCardOperation(Context context, ProviderHelper providerHelper, Progressable progressable) { @@ -43,32 +45,46 @@ public class NfcKeyToCardOperation extends BaseOperation { CanonicalizedSecretKeyRing keyRing = mProviderHelper.getCanonicalizedSecretKeyRing(masterKeyId); - log.add(OperationResult.LogType.MSG_KC_SECRET, indent); + log.add(OperationResult.LogType.MSG_KC_SECRET, indent, + KeyFormattingUtils.convertKeyIdToHex(masterKeyId)); // fetch the specific subkey CanonicalizedSecretKey subKey = keyRing.getSecretKey(subKeyId); - switch (subKey.getSecretKeyType()) { - case DIVERT_TO_CARD: - case GNU_DUMMY: { - throw new AssertionError( - "Cannot export GNU_DUMMY/DIVERT_TO_CARD key to a smart card!" - + " This is a programming error!"); - } + // Key algorithm must be RSA + int algorithm = subKey.getAlgorithm(); + if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && + algorithm != PublicKeyAlgorithmTags.RSA_SIGN && + algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { + log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_ALGO, indent + 1); + return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); + } - case PIN: - case PATTERN: - case PASSPHRASE: { - log.add(OperationResult.LogType.MSG_PSE_PENDING_NFC, indent); - return new NfcKeyToCardResult(log, RequiredInputParcel - .createNfcKeyToCardOperation(masterKeyId, subKeyId)); - } + // Key size must be 2048 + int keySize = subKey.getBitStrength(); + if (keySize != 2048) { + log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_SIZE, indent + 1); + return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); + } - default: { - throw new AssertionError("Unhandled SecretKeyType! (should not happen)"); - } + // Secret key parts must be available + CanonicalizedSecretKey.SecretKeyType type = subKey.getSecretKeyType(); + if (type == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || + type == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { + log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_STRIPPED, indent + 1); + return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); + } + if (type == CanonicalizedSecretKey.SecretKeyType.PIN || + type == CanonicalizedSecretKey.SecretKeyType.PATTERN || + type == CanonicalizedSecretKey.SecretKeyType.PASSPHRASE || + type == CanonicalizedSecretKey.SecretKeyType.PASSPHRASE_EMPTY) { + log.add(OperationResult.LogType.MSG_PSE_PENDING_NFC, indent); + return new NfcKeyToCardResult(log, RequiredInputParcel + .createNfcKeyToCardOperation(masterKeyId, subKeyId)); } + + throw new AssertionError("Unhandled SecretKeyType! (should not happen)"); } catch (ProviderHelper.NotFoundException e) { log.add(OperationResult.LogType.MSG_PSE_ERROR_UNLOCK, indent); return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java index c4bd3986c..93899bbbe 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java @@ -17,6 +17,8 @@ package org.sufficientlysecure.keychain.operations.results; +import android.os.Parcel; + import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; public class NfcKeyToCardResult extends InputPendingResult { @@ -27,4 +29,23 @@ public class NfcKeyToCardResult extends InputPendingResult { public NfcKeyToCardResult(OperationLog log, RequiredInputParcel requiredInput) { super(log, requiredInput); } + + public NfcKeyToCardResult(Parcel source) { + super(source); + } + + @Override + public void writeToParcel(Parcel dest, int flags) { + super.writeToParcel(dest, flags); + } + + public static Creator CREATOR = new Creator() { + public NfcKeyToCardResult createFromParcel(final Parcel source) { + return new NfcKeyToCardResult(source); + } + + public NfcKeyToCardResult[] newArray(final int size) { + return new NfcKeyToCardResult[size]; + } + }; } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index 094afd4a5..4c40b0e5b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -736,6 +736,11 @@ public abstract class OperationResult implements Parcelable { MSG_EXPORT_LOG_EXPORT_ERROR_FOPEN(LogLevel.ERROR,R.string.msg_export_log_error_fopen), MSG_EXPORT_LOG_EXPORT_ERROR_WRITING(LogLevel.ERROR,R.string.msg_export_log_error_writing), MSG_EXPORT_LOG_EXPORT_SUCCESS (LogLevel.OK, R.string.msg_export_log_success), + + // NFC keytocard + MSG_K2C_ERROR_BAD_ALGO(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_algo), + MSG_K2C_ERROR_BAD_SIZE(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_size), + MSG_K2C_ERROR_BAD_STRIPPED(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_stripped), ; public final int mMsgId; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java index aef770174..3b342bec0 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java @@ -36,14 +36,12 @@ import android.view.ViewGroup; import android.widget.AdapterView; import android.widget.ListView; -import org.spongycastle.bcpg.PublicKeyAlgorithmTags; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.compatibility.DialogFragmentWorkaround; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.SingletonResult; -import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; import org.sufficientlysecure.keychain.pgp.KeyRing; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; @@ -430,35 +428,6 @@ public class EditKeyFragment extends CryptoOperationFragment implements break; } case EditSubkeyDialogFragment.MESSAGE_KEYTOCARD: { - // Three checks to verify that this is a smart card compatible key: - - // 1. Key algorithm must be RSA - int algorithm = mSubkeysAdapter.getAlgorithm(position); - if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && - algorithm != PublicKeyAlgorithmTags.RSA_SIGN && - algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { - Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_algo, - Notify.Style.ERROR).show(); - return; - } - - // 2. Key size must be 2048 - if (mSubkeysAdapter.getKeySize(position) != 2048) { - Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_size, - Notify.Style.ERROR).show(); - return; - } - - // 3. Secret key parts must be available - CanonicalizedSecretKey.SecretKeyType type = - mSubkeysAdapter.getSecretKeyType(position); - if (type == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || - type == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { - Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_stripped, - Notify.Style.ERROR).show(); - return; - } - SubkeyChange change; change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { @@ -480,7 +449,15 @@ public class EditKeyFragment extends CryptoOperationFragment implements ProgressDialogFragment.ServiceType.KEYCHAIN_INTENT) { public void handleMessage(Message message) { super.handleMessage(message); - EditKeyFragment.this.handlePendingMessage(message); + if (EditKeyFragment.this.handlePendingMessage(message)) { + return; + } + Bundle data = message.getData(); + OperationResult result = data.getParcelable(OperationResult.EXTRA_RESULT); + if (result.getResult() == OperationResult.RESULT_ERROR) { + result.createNotify(getActivity()).show(); + } + } }; // Create a new Messenger for the communication back -- cgit v1.2.3 From d21fb7733697a8f947604dbd1d6c608f5b2a21d5 Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 13 May 2015 05:33:28 -0400 Subject: Moving keytocard process into PgpKeyOperation. --- .../keychain/operations/EditKeyOperation.java | 2 +- .../keychain/operations/NfcKeyToCardOperation.java | 93 ------------------ .../operations/results/NfcKeyToCardResult.java | 51 ---------- .../operations/results/OperationResult.java | 3 + .../keychain/pgp/PgpKeyOperation.java | 105 ++++++++++++++++++--- .../keychain/service/KeychainIntentService.java | 20 ---- .../keychain/service/SaveKeyringParcel.java | 3 +- .../service/input/RequiredInputParcel.java | 50 ++++++++-- .../keychain/ui/EditKeyFragment.java | 77 +++++++-------- .../keychain/ui/NfcOperationActivity.java | 72 ++++++++------ .../keychain/ui/adapter/SubkeysAdapter.java | 24 +++-- .../keychain/ui/base/BaseNfcActivity.java | 26 +---- 12 files changed, 236 insertions(+), 290 deletions(-) delete mode 100644 OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java delete mode 100644 OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java index 4072d91c5..152585040 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java @@ -83,7 +83,7 @@ public class EditKeyOperation extends BaseOperation { CanonicalizedSecretKeyRing secRing = mProviderHelper.getCanonicalizedSecretKeyRing(saveParcel.mMasterKeyId); - modifyResult = keyOperations.modifySecretKeyRing(secRing, cryptoInput, saveParcel); + modifyResult = keyOperations.modifySecretKeyRing(secRing, cryptoInput, saveParcel, log); if (modifyResult.isPending()) { return modifyResult; } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java deleted file mode 100644 index 36f31e20e..000000000 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright (C) 2015 Joey Castillo - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -package org.sufficientlysecure.keychain.operations; - -import android.content.Context; - -import org.spongycastle.bcpg.PublicKeyAlgorithmTags; -import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult; -import org.sufficientlysecure.keychain.operations.results.OperationResult; -import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; -import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing; -import org.sufficientlysecure.keychain.pgp.Progressable; -import org.sufficientlysecure.keychain.provider.ProviderHelper; -import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; -import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils; - -public class NfcKeyToCardOperation extends BaseOperation { - public NfcKeyToCardOperation(Context context, ProviderHelper providerHelper, Progressable progressable) { - super(context, providerHelper, progressable); - } - - public NfcKeyToCardResult execute(long subKeyId) { - OperationResult.OperationLog log = new OperationResult.OperationLog(); - int indent = 0; - long masterKeyId; - - try { - // fetch the indicated master key id - masterKeyId = mProviderHelper.getMasterKeyId(subKeyId); - CanonicalizedSecretKeyRing keyRing = - mProviderHelper.getCanonicalizedSecretKeyRing(masterKeyId); - - log.add(OperationResult.LogType.MSG_KC_SECRET, indent, - KeyFormattingUtils.convertKeyIdToHex(masterKeyId)); - - // fetch the specific subkey - CanonicalizedSecretKey subKey = keyRing.getSecretKey(subKeyId); - - // Key algorithm must be RSA - int algorithm = subKey.getAlgorithm(); - if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && - algorithm != PublicKeyAlgorithmTags.RSA_SIGN && - algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { - log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_ALGO, indent + 1); - return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); - } - - // Key size must be 2048 - int keySize = subKey.getBitStrength(); - if (keySize != 2048) { - log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_SIZE, indent + 1); - return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); - } - - // Secret key parts must be available - CanonicalizedSecretKey.SecretKeyType type = subKey.getSecretKeyType(); - if (type == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || - type == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { - log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_STRIPPED, indent + 1); - return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); - } - - if (type == CanonicalizedSecretKey.SecretKeyType.PIN || - type == CanonicalizedSecretKey.SecretKeyType.PATTERN || - type == CanonicalizedSecretKey.SecretKeyType.PASSPHRASE || - type == CanonicalizedSecretKey.SecretKeyType.PASSPHRASE_EMPTY) { - log.add(OperationResult.LogType.MSG_PSE_PENDING_NFC, indent); - return new NfcKeyToCardResult(log, RequiredInputParcel - .createNfcKeyToCardOperation(masterKeyId, subKeyId)); - } - - throw new AssertionError("Unhandled SecretKeyType! (should not happen)"); - } catch (ProviderHelper.NotFoundException e) { - log.add(OperationResult.LogType.MSG_PSE_ERROR_UNLOCK, indent); - return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log); - } - } -} diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java deleted file mode 100644 index 93899bbbe..000000000 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java +++ /dev/null @@ -1,51 +0,0 @@ -/* - * Copyright (C) 2015 Joey Castillo - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -package org.sufficientlysecure.keychain.operations.results; - -import android.os.Parcel; - -import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; - -public class NfcKeyToCardResult extends InputPendingResult { - public NfcKeyToCardResult(int result, OperationLog log) { - super(result, log); - } - - public NfcKeyToCardResult(OperationLog log, RequiredInputParcel requiredInput) { - super(log, requiredInput); - } - - public NfcKeyToCardResult(Parcel source) { - super(source); - } - - @Override - public void writeToParcel(Parcel dest, int flags) { - super.writeToParcel(dest, flags); - } - - public static Creator CREATOR = new Creator() { - public NfcKeyToCardResult createFromParcel(final Parcel source) { - return new NfcKeyToCardResult(source); - } - - public NfcKeyToCardResult[] newArray(final int size) { - return new NfcKeyToCardResult[size]; - } - }; -} diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index 4c40b0e5b..065ca710c 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -494,6 +494,7 @@ public abstract class OperationResult implements Parcelable { MSG_MF_ERROR_REVOKED_PRIMARY (LogLevel.ERROR, R.string.msg_mf_error_revoked_primary), MSG_MF_ERROR_SIG (LogLevel.ERROR, R.string.msg_mf_error_sig), MSG_MF_ERROR_SUBKEY_MISSING(LogLevel.ERROR, R.string.msg_mf_error_subkey_missing), + MSG_MF_ERROR_CONFLICTING_NFC_COMMANDS(LogLevel.ERROR, R.string.msg_mf_error_conflicting_nfc_commands), MSG_MF_MASTER (LogLevel.DEBUG, R.string.msg_mf_master), MSG_MF_NOTATION_PIN (LogLevel.DEBUG, R.string.msg_mf_notation_pin), MSG_MF_NOTATION_EMPTY (LogLevel.DEBUG, R.string.msg_mf_notation_empty), @@ -511,6 +512,8 @@ public abstract class OperationResult implements Parcelable { MSG_MF_SUBKEY_NEW (LogLevel.INFO, R.string.msg_mf_subkey_new), MSG_MF_SUBKEY_REVOKE (LogLevel.INFO, R.string.msg_mf_subkey_revoke), MSG_MF_SUBKEY_STRIP (LogLevel.INFO, R.string.msg_mf_subkey_strip), + MSG_MF_KEYTOCARD_START (LogLevel.INFO, R.string.msg_mf_keytocard_start), + MSG_MF_KEYTOCARD_FINISH (LogLevel.OK, R.string.msg_mf_keytocard_finish), MSG_MF_SUCCESS (LogLevel.OK, R.string.msg_mf_success), MSG_MF_UID_ADD (LogLevel.INFO, R.string.msg_mf_uid_add), MSG_MF_UID_PRIMARY (LogLevel.INFO, R.string.msg_mf_uid_primary), diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java index 89db378a9..93c479d5e 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java @@ -18,6 +18,7 @@ package org.sufficientlysecure.keychain.pgp; +import org.spongycastle.bcpg.PublicKeyAlgorithmTags; import org.spongycastle.bcpg.S2K; import org.spongycastle.bcpg.sig.Features; import org.spongycastle.bcpg.sig.KeyFlags; @@ -45,8 +46,10 @@ import org.spongycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder; import org.spongycastle.openpgp.operator.jcajce.JcePBESecretKeyEncryptorBuilder; import org.spongycastle.openpgp.operator.jcajce.NfcSyncPGPContentSignerBuilder; import org.spongycastle.openpgp.operator.jcajce.NfcSyncPGPContentSignerBuilder.NfcInteractionNeeded; +import org.spongycastle.util.encoders.Hex; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.operations.results.EditKeyResult; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog; @@ -59,6 +62,7 @@ import org.sufficientlysecure.keychain.service.SaveKeyringParcel.SubkeyAdd; import org.sufficientlysecure.keychain.service.input.CryptoInputParcel; import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; import org.sufficientlysecure.keychain.service.input.RequiredInputParcel.NfcSignOperationsBuilder; +import org.sufficientlysecure.keychain.service.input.RequiredInputParcel.NfcKeyToCardOperationsBuilder; import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils; import org.sufficientlysecure.keychain.util.IterableIterator; import org.sufficientlysecure.keychain.util.Log; @@ -68,6 +72,7 @@ import org.sufficientlysecure.keychain.util.ProgressScaler; import java.io.IOException; import java.math.BigInteger; +import java.nio.ByteBuffer; import java.security.InvalidAlgorithmParameterException; import java.security.KeyPairGenerator; import java.security.NoSuchAlgorithmException; @@ -355,11 +360,17 @@ public class PgpKeyOperation { * namely stripping of subkeys and changing the protection mode of dummy keys. * */ + public PgpEditKeyResult modifySecretKeyRing(CanonicalizedSecretKeyRing wsKR, + CryptoInputParcel cryptoInput, + SaveKeyringParcel saveParcel) { + return modifySecretKeyRing(wsKR, cryptoInput, saveParcel, new OperationLog()); + } + public PgpEditKeyResult modifySecretKeyRing(CanonicalizedSecretKeyRing wsKR, CryptoInputParcel cryptoInput, - SaveKeyringParcel saveParcel) { + SaveKeyringParcel saveParcel, + OperationLog log) { - OperationLog log = new OperationLog(); int indent = 0; /* @@ -400,6 +411,21 @@ public class PgpKeyOperation { return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); } + for(SaveKeyringParcel.SubkeyChange change : saveParcel.mChangeSubKeys) { + if (change.mDummyDivert != null && change.mDummyDivert.length == 0) { + // If this is a keytocard operation, see if it was completed: look for a hash + // matching the given subkey ID in cryptoData. + byte[] subKeyId = new byte[8]; + ByteBuffer buf = ByteBuffer.wrap(subKeyId); + buf.putLong(change.mKeyId).rewind(); + + byte[] serialNumber = cryptoInput.getCryptoData().get(buf); + if (serialNumber != null) { + change.mDummyDivert = serialNumber; + } + } + } + if (isDummy(masterSecretKey) || saveParcel.isRestrictedOnly()) { log.add(LogType.MSG_MF_RESTRICTED_MODE, indent); return internalRestricted(sKR, saveParcel, log); @@ -435,6 +461,8 @@ public class PgpKeyOperation { NfcSignOperationsBuilder nfcSignOps = new NfcSignOperationsBuilder( cryptoInput.getSignatureTime(), masterSecretKey.getKeyID(), masterSecretKey.getKeyID()); + NfcKeyToCardOperationsBuilder nfcKeyToCardOps = new NfcKeyToCardOperationsBuilder( + masterSecretKey.getKeyID()); progress(R.string.progress_modify, 0); @@ -743,22 +771,37 @@ public class PgpKeyOperation { return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); } - if (change.mDummyStrip || change.mDummyDivert != null) { + if (change.mDummyStrip) { // IT'S DANGEROUS~ // no really, it is. this operation irrevocably removes the private key data from the key - if (change.mDummyStrip) { - sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey()); - } else { - // the serial number must be 16 bytes in length - if (change.mDummyDivert.length != 16) { - log.add(LogType.MSG_MF_ERROR_DIVERT_SERIAL, - indent + 1, KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); - return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); + sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey()); + sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); + } else if (change.mDummyDivert != null) { + if (change.mDummyDivert.length == 0) { + // If serial number is 0 length, we're moving the key to a card. + if (checkSmartCardCompatibility(sKey, log, indent + 1)) { + log.add(LogType.MSG_MF_KEYTOCARD_START, indent + 1, + KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); + nfcKeyToCardOps.addSubkey(change.mKeyId); + } else { + return new PgpEditKeyResult(EditKeyResult.RESULT_ERROR, log, null); } + } else if (change.mDummyDivert.length == 16) { + // If serial number is 16 bytes long, we're associating the key with a card. + log.add(LogType.MSG_MF_KEYTOCARD_FINISH, indent + 1, + KeyFormattingUtils.convertKeyIdToHex(change.mKeyId), + Hex.toHexString(change.mDummyDivert, 8, 6)); + sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey(), change.mDummyDivert); + sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); + } else { + log.add(LogType.MSG_MF_ERROR_DIVERT_SERIAL, + indent + 1, KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); + return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); } - sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); } + + // This doesn't concern us any further if (!change.mRecertify && (change.mExpiry == null && change.mFlags == null)) { continue; @@ -980,11 +1023,21 @@ public class PgpKeyOperation { progress(R.string.progress_done, 100); + if (!nfcSignOps.isEmpty() && !nfcKeyToCardOps.isEmpty()) { + log.add(LogType.MSG_MF_ERROR_CONFLICTING_NFC_COMMANDS, indent+1); + return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); + } + if (!nfcSignOps.isEmpty()) { log.add(LogType.MSG_MF_REQUIRE_DIVERT, indent); return new PgpEditKeyResult(log, nfcSignOps.build()); } + if (!nfcKeyToCardOps.isEmpty()) { + log.add(LogType.MSG_MF_REQUIRE_DIVERT, indent); + return new PgpEditKeyResult(log, nfcKeyToCardOps.build()); + } + log.add(LogType.MSG_MF_SUCCESS, indent); return new PgpEditKeyResult(OperationResult.RESULT_OK, log, new UncachedKeyRing(sKR)); @@ -1042,6 +1095,9 @@ public class PgpKeyOperation { indent + 1, KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); } + log.add(LogType.MSG_MF_KEYTOCARD_FINISH, indent + 1, + KeyFormattingUtils.convertKeyIdToHex(change.mKeyId), + Hex.toHexString(change.mDummyDivert, 8, 6)); sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey(), change.mDummyDivert); } sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); @@ -1481,4 +1537,29 @@ public class PgpKeyOperation { && s2k.getProtectionMode() == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD; } + private static boolean checkSmartCardCompatibility(PGPSecretKey key, OperationLog log, int indent) { + PGPPublicKey publicKey = key.getPublicKey(); + int algorithm = publicKey.getAlgorithm(); + if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && + algorithm != PublicKeyAlgorithmTags.RSA_SIGN && + algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { + log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_ALGO, indent + 1); + return true; + } + + // Key size must be 2048 + int keySize = publicKey.getBitStrength(); + if (keySize != 2048) { + log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_SIZE, indent + 1); + return false; + } + + // Secret key parts must be available + if (isDivertToCard(key) || isDummy(key)) { + log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_STRIPPED, indent + 1); + return false; + } + + return true; + } } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java index 0fad22e4a..e0509ac9b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java @@ -40,7 +40,6 @@ import org.sufficientlysecure.keychain.operations.CertifyOperation; import org.sufficientlysecure.keychain.operations.DeleteOperation; import org.sufficientlysecure.keychain.operations.EditKeyOperation; import org.sufficientlysecure.keychain.operations.ImportExportOperation; -import org.sufficientlysecure.keychain.operations.NfcKeyToCardOperation; import org.sufficientlysecure.keychain.operations.PromoteKeyOperation; import org.sufficientlysecure.keychain.operations.SignEncryptOperation; import org.sufficientlysecure.keychain.operations.results.CertifyResult; @@ -49,7 +48,6 @@ import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult; import org.sufficientlysecure.keychain.operations.results.DeleteResult; import org.sufficientlysecure.keychain.operations.results.ExportResult; import org.sufficientlysecure.keychain.operations.results.ImportKeyResult; -import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog; import org.sufficientlysecure.keychain.operations.results.PromoteKeyResult; @@ -113,8 +111,6 @@ public class KeychainIntentService extends IntentService implements Progressable public static final String ACTION_IMPORT_KEYRING = Constants.INTENT_PREFIX + "IMPORT_KEYRING"; public static final String ACTION_EXPORT_KEYRING = Constants.INTENT_PREFIX + "EXPORT_KEYRING"; - public static final String ACTION_NFC_KEYTOCARD = Constants.INTENT_PREFIX + "NFC_KEYTOCARD"; - public static final String ACTION_UPLOAD_KEYRING = Constants.INTENT_PREFIX + "UPLOAD_KEYRING"; public static final String ACTION_CERTIFY_KEYRING = Constants.INTENT_PREFIX + "SIGN_KEYRING"; @@ -180,9 +176,6 @@ public class KeychainIntentService extends IntentService implements Progressable public static final String EXPORT_ALL = "export_all"; public static final String EXPORT_KEY_RING_MASTER_KEY_ID = "export_key_ring_id"; - // NFC export key to card - public static final String NFC_KEYTOCARD_SUBKEY_ID = "nfc_keytocard_subkey_id"; - // upload key public static final String UPLOAD_KEY_SERVER = "upload_key_server"; @@ -539,19 +532,6 @@ public class KeychainIntentService extends IntentService implements Progressable break; } - case ACTION_NFC_KEYTOCARD: { - // Input - long subKeyId = data.getLong(NFC_KEYTOCARD_SUBKEY_ID); - - // Operation - NfcKeyToCardOperation exportOp = new NfcKeyToCardOperation(this, providerHelper, this); - NfcKeyToCardResult result = exportOp.execute(subKeyId); - - // Result - sendMessageToHandler(MessageStatus.OKAY, result); - - break; - } case ACTION_SIGN_ENCRYPT: { // Input diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java index 2e0524141..6064c28fb 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java @@ -95,7 +95,8 @@ public class SaveKeyringParcel implements Parcelable { } for (SubkeyChange change : mChangeSubKeys) { - if (change.mRecertify || change.mFlags != null || change.mExpiry != null) { + if (change.mRecertify || change.mFlags != null || change.mExpiry != null || + (change.mDummyDivert != null && change.mDummyDivert.length == 0)) { return false; } } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java index 50fb35e90..727f1638c 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java @@ -1,5 +1,6 @@ package org.sufficientlysecure.keychain.service.input; +import java.nio.ByteBuffer; import java.util.ArrayList; import java.util.Collections; import java.util.Date; @@ -7,8 +8,6 @@ import java.util.Date; import android.os.Parcel; import android.os.Parcelable; -import org.sufficientlysecure.keychain.Constants.key; - public class RequiredInputParcel implements Parcelable { @@ -87,11 +86,6 @@ public class RequiredInputParcel implements Parcelable { new byte[][] { inputHash }, null, null, null, subKeyId); } - public static RequiredInputParcel createNfcKeyToCardOperation(long masterKeyId, long subKeyId) { - return new RequiredInputParcel(RequiredInputType.NFC_KEYTOCARD, null, null, null, - masterKeyId, subKeyId); - } - public static RequiredInputParcel createRequiredSignPassphrase( long masterKeyId, long subKeyId, Date signatureTime) { return new RequiredInputParcel(RequiredInputType.PASSPHRASE, @@ -216,4 +210,46 @@ public class RequiredInputParcel implements Parcelable { } + public static class NfcKeyToCardOperationsBuilder { + ArrayList mSubkeysToExport = new ArrayList<>(); + Long mMasterKeyId; + + public NfcKeyToCardOperationsBuilder(Long masterKeyId) { + mMasterKeyId = masterKeyId; + } + + public RequiredInputParcel build() { + byte[][] inputHashes = new byte[mSubkeysToExport.size()][]; + mSubkeysToExport.toArray(inputHashes); + ByteBuffer buf = ByteBuffer.wrap(mSubkeysToExport.get(0)); + + // We need to pass in a subkey here... + return new RequiredInputParcel(RequiredInputType.NFC_KEYTOCARD, + inputHashes, null, null, mMasterKeyId, buf.getLong()); + } + + public void addSubkey(long subkeyId) { + byte[] subKeyId = new byte[8]; + ByteBuffer buf = ByteBuffer.wrap(subKeyId); + buf.putLong(subkeyId).rewind(); + mSubkeysToExport.add(subKeyId); + } + + public void addAll(RequiredInputParcel input) { + if (!mMasterKeyId.equals(input.mMasterKeyId)) { + throw new AssertionError("Master keys must match, this is a programming error!"); + } + if (input.mType != RequiredInputType.NFC_KEYTOCARD) { + throw new AssertionError("Operation types must match, this is a programming error!"); + } + + Collections.addAll(mSubkeysToExport, input.mInputHashes); + } + + public boolean isEmpty() { + return mSubkeysToExport.isEmpty(); + } + + } + } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java index 3b342bec0..bc2fbff76 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java @@ -35,6 +35,7 @@ import android.view.View.OnClickListener; import android.view.ViewGroup; import android.widget.AdapterView; import android.widget.ListView; +import android.widget.Toast; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; @@ -42,6 +43,7 @@ import org.sufficientlysecure.keychain.compatibility.DialogFragmentWorkaround; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.SingletonResult; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; import org.sufficientlysecure.keychain.pgp.KeyRing; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; @@ -418,6 +420,13 @@ public class EditKeyFragment extends CryptoOperationFragment implements } break; case EditSubkeyDialogFragment.MESSAGE_STRIP: { + CanonicalizedSecretKey.SecretKeyType secretKeyType = + mSubkeysAdapter.getSecretKeyType(position); + if (secretKeyType == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { + // Key is already stripped; this is a no-op. + break; + } + SubkeyChange change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { mSaveKeyringParcel.mChangeSubKeys.add(new SubkeyChange(keyId, true, null)); @@ -425,47 +434,39 @@ public class EditKeyFragment extends CryptoOperationFragment implements } // toggle change.mDummyStrip = !change.mDummyStrip; + if (change.mDummyStrip && change.mDummyDivert != null) { + // User had chosen to divert key, but now wants to strip it instead. + change.mDummyDivert = null; + } break; } case EditSubkeyDialogFragment.MESSAGE_KEYTOCARD: { + CanonicalizedSecretKey.SecretKeyType secretKeyType = + mSubkeysAdapter.getSecretKeyType(position); + if (secretKeyType == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || + secretKeyType == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { + Toast.makeText(EditKeyFragment.this.getActivity(), + R.string.edit_key_error_bad_nfc_stripped, Toast.LENGTH_SHORT) + .show(); + break; + } + SubkeyChange change; change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { mSaveKeyringParcel.mChangeSubKeys.add( - new SubkeyChange(keyId, false, new byte[0]) + new SubkeyChange(keyId, false, null) ); + change = mSaveKeyringParcel.getSubkeyChange(keyId); + } + // toggle + if (change.mDummyDivert == null) { + change.mDummyDivert = new byte[0]; + // If user had chosen to strip key, we cancel that action now. + change.mDummyStrip = false; + } else { + change.mDummyDivert = null; } - final Bundle data = new Bundle(); - data.putLong(KeychainIntentService.NFC_KEYTOCARD_SUBKEY_ID, keyId); - Intent intent = new Intent(EditKeyFragment.this.getActivity(), - KeychainIntentService.class); - intent.setAction(KeychainIntentService.ACTION_NFC_KEYTOCARD); - intent.putExtra(KeychainIntentService.EXTRA_DATA, data); - - ServiceProgressHandler serviceHandler = new ServiceProgressHandler( - getActivity(), - getString(R.string.progress_exporting), - ProgressDialog.STYLE_HORIZONTAL, - ProgressDialogFragment.ServiceType.KEYCHAIN_INTENT) { - public void handleMessage(Message message) { - super.handleMessage(message); - if (EditKeyFragment.this.handlePendingMessage(message)) { - return; - } - Bundle data = message.getData(); - OperationResult result = data.getParcelable(OperationResult.EXTRA_RESULT); - if (result.getResult() == OperationResult.RESULT_ERROR) { - result.createNotify(getActivity()).show(); - } - - } - }; - // Create a new Messenger for the communication back - Messenger messenger = new Messenger(serviceHandler); - intent.putExtra(KeychainIntentService.EXTRA_MESSENGER, messenger); - serviceHandler.showProgressDialog(getActivity()); - - getActivity().startService(intent); break; } } @@ -637,18 +638,6 @@ public class EditKeyFragment extends CryptoOperationFragment implements Intent intent = new Intent(getActivity(), KeychainIntentService.class); intent.setAction(KeychainIntentService.ACTION_EDIT_KEYRING); - for (SubkeyChange change : mSaveKeyringParcel.mChangeSubKeys) { - if(change.mDummyDivert != null) { - // Convert long key ID to byte buffer - byte[] subKeyId = new byte[8]; - ByteBuffer buf = ByteBuffer.wrap(subKeyId); - buf.putLong(change.mKeyId).rewind(); - - byte[] cardSerial = cryptoInput.getCryptoData().get(buf); - change.mDummyDivert = cardSerial; - } - } - // fill values for this action Bundle data = new Bundle(); data.putParcelable(KeychainIntentService.EXTRA_CRYPTO_INPUT, cryptoInput); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java index 1a618329d..bed846dd3 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java @@ -23,6 +23,7 @@ import org.sufficientlysecure.keychain.service.input.CryptoInputParcel; import org.sufficientlysecure.keychain.service.input.RequiredInputParcel; import org.sufficientlysecure.keychain.ui.base.BaseNfcActivity; import org.sufficientlysecure.keychain.util.Log; +import org.sufficientlysecure.keychain.util.Passphrase; import org.sufficientlysecure.keychain.util.Preferences; import java.io.IOException; @@ -59,9 +60,7 @@ public class NfcOperationActivity extends BaseNfcActivity { mRequiredInput = data.getParcelable(EXTRA_REQUIRED_INPUT); mServiceIntent = data.getParcelable(EXTRA_SERVICE_INTENT); - if (mRequiredInput.mType == RequiredInputParcel.RequiredInputType.NFC_KEYTOCARD) { - obtainKeyExportPassphrase(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); - } else { + if (mRequiredInput.mType != RequiredInputParcel.RequiredInputType.NFC_KEYTOCARD) { obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); } } @@ -99,38 +98,51 @@ public class NfcOperationActivity extends BaseNfcActivity { CanonicalizedSecretKeyRing secretKeyRing; try { secretKeyRing = providerHelper.getCanonicalizedSecretKeyRing( - KeychainContract.KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(mRequiredInput.getSubKeyId()) + KeychainContract.KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(mRequiredInput.getMasterKeyId()) ); } catch (ProviderHelper.NotFoundException e) { throw new IOException("Couldn't find subkey for key to card operation."); } - CanonicalizedSecretKey key = secretKeyRing.getSecretKey(mRequiredInput.getSubKeyId()); - - long keyGenerationTimestampMillis = key.getCreationTime().getTime(); - long keyGenerationTimestamp = keyGenerationTimestampMillis / 1000; - byte[] timestampBytes = ByteBuffer.allocate(4).putInt((int) keyGenerationTimestamp).array(); - byte[] cardSerialNumber = Arrays.copyOf(nfcGetAid(), 16); - - if (key.canSign() || key.canCertify()) { - nfcPutKey(0xB6, key); - nfcPutData(0xCE, timestampBytes); - nfcPutData(0xC7, key.getFingerprint()); - } else if (key.canEncrypt()) { - nfcPutKey(0xB8, key); - nfcPutData(0xCF, timestampBytes); - nfcPutData(0xC8, key.getFingerprint()); - } else if (key.canAuthenticate()) { - nfcPutKey(0xA4, key); - nfcPutData(0xD0, timestampBytes); - nfcPutData(0xC9, key.getFingerprint()); - } else { - throw new IOException("Inappropriate key flags for smart card key."); - } - byte[] subKeyId = new byte[8]; - ByteBuffer buf = ByteBuffer.wrap(subKeyId); - buf.putLong(mRequiredInput.getSubKeyId()); - inputParcel.addCryptoData(subKeyId, cardSerialNumber); + // Note: we're abusing mInputHashes to hold the subkey IDs we need to export. + for (int i = 0; i < mRequiredInput.mInputHashes.length; i++) { + byte[] subkeyBytes = mRequiredInput.mInputHashes[i]; + ByteBuffer buf = ByteBuffer.wrap(subkeyBytes); + long subkeyId = buf.getLong(); + + CanonicalizedSecretKey key = secretKeyRing.getSecretKey(subkeyId); + + long keyGenerationTimestampMillis = key.getCreationTime().getTime(); + long keyGenerationTimestamp = keyGenerationTimestampMillis / 1000; + byte[] timestampBytes = ByteBuffer.allocate(4).putInt((int) keyGenerationTimestamp).array(); + byte[] cardSerialNumber = Arrays.copyOf(nfcGetAid(), 16); + + Passphrase passphrase; + try { + passphrase = PassphraseCacheService.getCachedPassphrase(this, + mRequiredInput.getMasterKeyId(), mRequiredInput.getSubKeyId()); + } catch (PassphraseCacheService.KeyNotFoundException e) { + throw new IOException("Unable to get cached passphrase!"); + } + + if (key.canSign() || key.canCertify()) { + nfcPutKey(0xB6, key, passphrase); + nfcPutData(0xCE, timestampBytes); + nfcPutData(0xC7, key.getFingerprint()); + } else if (key.canEncrypt()) { + nfcPutKey(0xB8, key, passphrase); + nfcPutData(0xCF, timestampBytes); + nfcPutData(0xC8, key.getFingerprint()); + } else if (key.canAuthenticate()) { + nfcPutKey(0xA4, key, passphrase); + nfcPutData(0xD0, timestampBytes); + nfcPutData(0xC9, key.getFingerprint()); + } else { + throw new IOException("Inappropriate key flags for smart card key."); + } + + inputParcel.addCryptoData(subkeyBytes, cardSerialNumber); + } } } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java index db0a930ed..dfa5a39fb 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java @@ -179,13 +179,23 @@ public class SubkeysAdapter extends CursorAdapter { ? mSaveKeyringParcel.getSubkeyChange(keyId) : null; - if (change != null && change.mDummyStrip) { - algorithmStr.append(", "); - final SpannableString boldStripped = new SpannableString( - context.getString(R.string.key_stripped) - ); - boldStripped.setSpan(new StyleSpan(Typeface.BOLD), 0, boldStripped.length(), Spannable.SPAN_EXCLUSIVE_EXCLUSIVE); - algorithmStr.append(boldStripped); + if (change != null && (change.mDummyStrip || change.mDummyDivert != null)) { + if (change.mDummyStrip) { + algorithmStr.append(", "); + final SpannableString boldStripped = new SpannableString( + context.getString(R.string.key_stripped) + ); + boldStripped.setSpan(new StyleSpan(Typeface.BOLD), 0, boldStripped.length(), Spannable.SPAN_EXCLUSIVE_EXCLUSIVE); + algorithmStr.append(boldStripped); + } + if (change.mDummyDivert != null) { + algorithmStr.append(", "); + final SpannableString boldDivert = new SpannableString( + context.getString(R.string.key_divert) + ); + boldDivert.setSpan(new StyleSpan(Typeface.BOLD), 0, boldDivert.length(), Spannable.SPAN_EXCLUSIVE_EXCLUSIVE); + algorithmStr.append(boldDivert); + } } else { switch (SecretKeyType.fromNum(cursor.getInt(INDEX_HAS_SECRET))) { case GNU_DUMMY: diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java index 4506fe3c1..686c86b3a 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java @@ -60,11 +60,9 @@ import org.sufficientlysecure.keychain.util.Preferences; public abstract class BaseNfcActivity extends BaseActivity { public static final int REQUEST_CODE_PIN = 1; - public static final int REQUEST_CODE_PASSPHRASE = 2; protected Passphrase mPin; protected Passphrase mAdminPin; - protected Passphrase mPassphrase; // For key export protected boolean mPw1ValidForMultipleSignatures; protected boolean mPw1ValidatedForSignature; protected boolean mPw1ValidatedForDecrypt; // Mode 82 does other things; consider renaming? @@ -136,15 +134,6 @@ public abstract class BaseNfcActivity extends BaseActivity { enableNfcForegroundDispatch(); } - protected void obtainKeyExportPassphrase(RequiredInputParcel requiredInput) { - - Intent intent = new Intent(this, PassphraseDialogActivity.class); - intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT, - RequiredInputParcel.createRequiredPassphrase(requiredInput)); - startActivityForResult(intent, REQUEST_CODE_PASSPHRASE); - - } - protected void obtainYubiKeyPin(RequiredInputParcel requiredInput) { Preferences prefs = Preferences.getPreferences(this); @@ -178,17 +167,6 @@ public abstract class BaseNfcActivity extends BaseActivity { break; } - case REQUEST_CODE_PASSPHRASE: { - if (resultCode != Activity.RESULT_OK) { - setResult(resultCode); - finish(); - return; - } - CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT); - mPassphrase = input.getPassphrase(); - break; - } - default: super.onActivityResult(requestCode, resultCode, data); } @@ -627,7 +605,7 @@ public abstract class BaseNfcActivity extends BaseActivity { * 0xB8: Decipherment Key * 0xA4: Authentication Key */ - public void nfcPutKey(int slot, CanonicalizedSecretKey secretKey) + public void nfcPutKey(int slot, CanonicalizedSecretKey secretKey, Passphrase passphrase) throws IOException { if (slot != 0xB6 && slot != 0xB8 && slot != 0xA4) { throw new IOException("Invalid key slot"); @@ -635,7 +613,7 @@ public abstract class BaseNfcActivity extends BaseActivity { RSAPrivateCrtKey crtSecretKey = null; try { - secretKey.unlock(mPassphrase); + secretKey.unlock(passphrase); crtSecretKey = secretKey.getCrtSecretKey(); } catch (PgpGeneralException e) { throw new IOException(e.getMessage()); -- cgit v1.2.3 From 28b9068ae03b6c17b247a1d2fdf9b20d8a11a274 Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 13 May 2015 06:01:42 -0400 Subject: Adding keytocard flag to SubkeyChange: UI sets this flag to initiate keytocard; operation unsets it and fills in dummyDivert to finish it. --- .../keychain/pgp/PgpKeyOperation.java | 36 +++++++++++----------- .../keychain/service/SaveKeyringParcel.java | 19 ++++++++++-- .../keychain/ui/EditKeyFragment.java | 18 +++++------ .../keychain/ui/adapter/SubkeysAdapter.java | 4 +-- 4 files changed, 45 insertions(+), 32 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java index 93c479d5e..b6e978f48 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java @@ -412,7 +412,7 @@ public class PgpKeyOperation { } for(SaveKeyringParcel.SubkeyChange change : saveParcel.mChangeSubKeys) { - if (change.mDummyDivert != null && change.mDummyDivert.length == 0) { + if (change.mMoveKeyToCard) { // If this is a keytocard operation, see if it was completed: look for a hash // matching the given subkey ID in cryptoData. byte[] subKeyId = new byte[8]; @@ -421,6 +421,7 @@ public class PgpKeyOperation { byte[] serialNumber = cryptoInput.getCryptoData().get(buf); if (serialNumber != null) { + change.mMoveKeyToCard = false; change.mDummyDivert = serialNumber; } } @@ -776,28 +777,27 @@ public class PgpKeyOperation { // no really, it is. this operation irrevocably removes the private key data from the key sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey()); sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); - } else if (change.mDummyDivert != null) { - if (change.mDummyDivert.length == 0) { - // If serial number is 0 length, we're moving the key to a card. - if (checkSmartCardCompatibility(sKey, log, indent + 1)) { - log.add(LogType.MSG_MF_KEYTOCARD_START, indent + 1, - KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); - nfcKeyToCardOps.addSubkey(change.mKeyId); - } else { - return new PgpEditKeyResult(EditKeyResult.RESULT_ERROR, log, null); - } - } else if (change.mDummyDivert.length == 16) { - // If serial number is 16 bytes long, we're associating the key with a card. - log.add(LogType.MSG_MF_KEYTOCARD_FINISH, indent + 1, - KeyFormattingUtils.convertKeyIdToHex(change.mKeyId), - Hex.toHexString(change.mDummyDivert, 8, 6)); - sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey(), change.mDummyDivert); - sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); + } else if (change.mMoveKeyToCard) { + if (checkSmartCardCompatibility(sKey, log, indent + 1)) { + log.add(LogType.MSG_MF_KEYTOCARD_START, indent + 1, + KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); + nfcKeyToCardOps.addSubkey(change.mKeyId); } else { + // Appropriate log message already set by checkSmartCardCompatibility + return new PgpEditKeyResult(EditKeyResult.RESULT_ERROR, log, null); + } + } else if (change.mDummyDivert != null) { + // NOTE: Does this code get executed? Or always handled in internalRestricted? + if (change.mDummyDivert.length != 16) { log.add(LogType.MSG_MF_ERROR_DIVERT_SERIAL, indent + 1, KeyFormattingUtils.convertKeyIdToHex(change.mKeyId)); return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); } + log.add(LogType.MSG_MF_KEYTOCARD_FINISH, indent + 1, + KeyFormattingUtils.convertKeyIdToHex(change.mKeyId), + Hex.toHexString(change.mDummyDivert, 8, 6)); + sKey = PGPSecretKey.constructGnuDummyKey(sKey.getPublicKey(), change.mDummyDivert); + sKR = PGPSecretKeyRing.insertSecretKey(sKR, sKey); } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java index 6064c28fb..dd6697f21 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java @@ -95,8 +95,8 @@ public class SaveKeyringParcel implements Parcelable { } for (SubkeyChange change : mChangeSubKeys) { - if (change.mRecertify || change.mFlags != null || change.mExpiry != null || - (change.mDummyDivert != null && change.mDummyDivert.length == 0)) { + if (change.mRecertify || change.mFlags != null || change.mExpiry != null + || change.mMoveKeyToCard) { return false; } } @@ -143,6 +143,8 @@ public class SaveKeyringParcel implements Parcelable { public boolean mRecertify; // if this flag is true, the subkey should be changed to a stripped key public boolean mDummyStrip; + // if this flag is true, the subkey should be moved to a card + public boolean mMoveKeyToCard; // if this is non-null, the subkey will be changed to a divert-to-card // key for the given serial number public byte[] mDummyDivert; @@ -174,12 +176,25 @@ public class SaveKeyringParcel implements Parcelable { mDummyDivert = dummyDivert; } + public SubkeyChange(long keyId, boolean dummyStrip, boolean moveKeyToCard) { + this(keyId, null, null); + + // these flags are mutually exclusive! + if (dummyStrip && moveKeyToCard) { + throw new AssertionError( + "cannot set strip and keytocard flags at the same time - this is a bug!"); + } + mDummyStrip = dummyStrip; + mMoveKeyToCard = moveKeyToCard; + } + @Override public String toString() { String out = "mKeyId: " + mKeyId + ", "; out += "mFlags: " + mFlags + ", "; out += "mExpiry: " + mExpiry + ", "; out += "mDummyStrip: " + mDummyStrip + ", "; + out += "mMoveKeyToCard: " + mMoveKeyToCard + ", "; out += "mDummyDivert: [" + (mDummyDivert == null ? 0 : mDummyDivert.length) + " bytes]"; return out; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java index bc2fbff76..acc0c32b8 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java @@ -429,14 +429,14 @@ public class EditKeyFragment extends CryptoOperationFragment implements SubkeyChange change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { - mSaveKeyringParcel.mChangeSubKeys.add(new SubkeyChange(keyId, true, null)); + mSaveKeyringParcel.mChangeSubKeys.add(new SubkeyChange(keyId, true, false)); break; } // toggle change.mDummyStrip = !change.mDummyStrip; - if (change.mDummyStrip && change.mDummyDivert != null) { + if (change.mDummyStrip && change.mMoveKeyToCard) { // User had chosen to divert key, but now wants to strip it instead. - change.mDummyDivert = null; + change.mMoveKeyToCard = false; } break; } @@ -455,17 +455,15 @@ public class EditKeyFragment extends CryptoOperationFragment implements change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { mSaveKeyringParcel.mChangeSubKeys.add( - new SubkeyChange(keyId, false, null) + new SubkeyChange(keyId, false, true) ); - change = mSaveKeyringParcel.getSubkeyChange(keyId); + break; } // toggle - if (change.mDummyDivert == null) { - change.mDummyDivert = new byte[0]; - // If user had chosen to strip key, we cancel that action now. + change.mMoveKeyToCard = !change.mMoveKeyToCard; + if (change.mMoveKeyToCard && change.mDummyStrip) { + // User had chosen to strip key, but now wants to divert it. change.mDummyStrip = false; - } else { - change.mDummyDivert = null; } break; } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java index dfa5a39fb..87539ea05 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java @@ -179,7 +179,7 @@ public class SubkeysAdapter extends CursorAdapter { ? mSaveKeyringParcel.getSubkeyChange(keyId) : null; - if (change != null && (change.mDummyStrip || change.mDummyDivert != null)) { + if (change != null && (change.mDummyStrip || change.mMoveKeyToCard)) { if (change.mDummyStrip) { algorithmStr.append(", "); final SpannableString boldStripped = new SpannableString( @@ -188,7 +188,7 @@ public class SubkeysAdapter extends CursorAdapter { boldStripped.setSpan(new StyleSpan(Typeface.BOLD), 0, boldStripped.length(), Spannable.SPAN_EXCLUSIVE_EXCLUSIVE); algorithmStr.append(boldStripped); } - if (change.mDummyDivert != null) { + if (change.mMoveKeyToCard) { algorithmStr.append(", "); final SpannableString boldDivert = new SpannableString( context.getString(R.string.key_divert) -- cgit v1.2.3 From de2006a61f71ada64763112706b61bf51ae5f6e4 Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 13 May 2015 13:10:38 -0400 Subject: Bugfixes and changes based on feedback --- .../keychain/operations/EditKeyOperation.java | 2 +- .../operations/results/OperationResult.java | 8 ++--- .../keychain/pgp/PgpKeyOperation.java | 30 +++++++++---------- .../keychain/ui/EditKeyFragment.java | 34 ++++++++++++++-------- .../keychain/ui/NfcOperationActivity.java | 1 - 5 files changed, 39 insertions(+), 36 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java index 152585040..e8e888c7a 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/EditKeyOperation.java @@ -83,7 +83,7 @@ public class EditKeyOperation extends BaseOperation { CanonicalizedSecretKeyRing secRing = mProviderHelper.getCanonicalizedSecretKeyRing(saveParcel.mMasterKeyId); - modifyResult = keyOperations.modifySecretKeyRing(secRing, cryptoInput, saveParcel, log); + modifyResult = keyOperations.modifySecretKeyRing(secRing, cryptoInput, saveParcel, log, 2); if (modifyResult.isPending()) { return modifyResult; } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index 065ca710c..f14589774 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -495,6 +495,9 @@ public abstract class OperationResult implements Parcelable { MSG_MF_ERROR_SIG (LogLevel.ERROR, R.string.msg_mf_error_sig), MSG_MF_ERROR_SUBKEY_MISSING(LogLevel.ERROR, R.string.msg_mf_error_subkey_missing), MSG_MF_ERROR_CONFLICTING_NFC_COMMANDS(LogLevel.ERROR, R.string.msg_mf_error_conflicting_nfc_commands), + MSG_MF_ERROR_BAD_NFC_ALGO(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_algo), + MSG_MF_ERROR_BAD_NFC_SIZE(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_size), + MSG_MF_ERROR_BAD_NFC_STRIPPED(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_stripped), MSG_MF_MASTER (LogLevel.DEBUG, R.string.msg_mf_master), MSG_MF_NOTATION_PIN (LogLevel.DEBUG, R.string.msg_mf_notation_pin), MSG_MF_NOTATION_EMPTY (LogLevel.DEBUG, R.string.msg_mf_notation_empty), @@ -739,11 +742,6 @@ public abstract class OperationResult implements Parcelable { MSG_EXPORT_LOG_EXPORT_ERROR_FOPEN(LogLevel.ERROR,R.string.msg_export_log_error_fopen), MSG_EXPORT_LOG_EXPORT_ERROR_WRITING(LogLevel.ERROR,R.string.msg_export_log_error_writing), MSG_EXPORT_LOG_EXPORT_SUCCESS (LogLevel.OK, R.string.msg_export_log_success), - - // NFC keytocard - MSG_K2C_ERROR_BAD_ALGO(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_algo), - MSG_K2C_ERROR_BAD_SIZE(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_size), - MSG_K2C_ERROR_BAD_STRIPPED(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_stripped), ; public final int mMsgId; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java index b6e978f48..566ffd44b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java @@ -329,7 +329,7 @@ public class PgpKeyOperation { subProgressPush(50, 100); CryptoInputParcel cryptoInput = new CryptoInputParcel(new Date(), new Passphrase("")); - return internal(sKR, masterSecretKey, add.mFlags, add.mExpiry, cryptoInput, saveParcel, log); + return internal(sKR, masterSecretKey, add.mFlags, add.mExpiry, cryptoInput, saveParcel, log, indent); } catch (PGPException e) { log.add(LogType.MSG_CR_ERROR_INTERNAL_PGP, indent); @@ -363,15 +363,14 @@ public class PgpKeyOperation { public PgpEditKeyResult modifySecretKeyRing(CanonicalizedSecretKeyRing wsKR, CryptoInputParcel cryptoInput, SaveKeyringParcel saveParcel) { - return modifySecretKeyRing(wsKR, cryptoInput, saveParcel, new OperationLog()); + return modifySecretKeyRing(wsKR, cryptoInput, saveParcel, new OperationLog(), 0); } public PgpEditKeyResult modifySecretKeyRing(CanonicalizedSecretKeyRing wsKR, CryptoInputParcel cryptoInput, SaveKeyringParcel saveParcel, - OperationLog log) { - - int indent = 0; + OperationLog log, + int indent) { /* * 1. Unlock private key @@ -429,7 +428,7 @@ public class PgpKeyOperation { if (isDummy(masterSecretKey) || saveParcel.isRestrictedOnly()) { log.add(LogType.MSG_MF_RESTRICTED_MODE, indent); - return internalRestricted(sKR, saveParcel, log); + return internalRestricted(sKR, saveParcel, log, indent + 1); } // Do we require a passphrase? If so, pass it along @@ -447,7 +446,7 @@ public class PgpKeyOperation { Date expiryTime = wsKR.getPublicKey().getExpiryTime(); long masterKeyExpiry = expiryTime != null ? expiryTime.getTime() / 1000 : 0L; - return internal(sKR, masterSecretKey, masterKeyFlags, masterKeyExpiry, cryptoInput, saveParcel, log); + return internal(sKR, masterSecretKey, masterKeyFlags, masterKeyExpiry, cryptoInput, saveParcel, log, indent); } @@ -455,9 +454,8 @@ public class PgpKeyOperation { int masterKeyFlags, long masterKeyExpiry, CryptoInputParcel cryptoInput, SaveKeyringParcel saveParcel, - OperationLog log) { - - int indent = 1; + OperationLog log, + int indent) { NfcSignOperationsBuilder nfcSignOps = new NfcSignOperationsBuilder( cryptoInput.getSignatureTime(), masterSecretKey.getKeyID(), @@ -1048,9 +1046,7 @@ public class PgpKeyOperation { * otherwise. */ private PgpEditKeyResult internalRestricted(PGPSecretKeyRing sKR, SaveKeyringParcel saveParcel, - OperationLog log) { - - int indent = 1; + OperationLog log, int indent) { progress(R.string.progress_modify, 0); @@ -1543,20 +1539,20 @@ public class PgpKeyOperation { if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && algorithm != PublicKeyAlgorithmTags.RSA_SIGN && algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { - log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_ALGO, indent + 1); - return true; + log.add(LogType.MSG_MF_ERROR_BAD_NFC_ALGO, indent + 1); + return false; } // Key size must be 2048 int keySize = publicKey.getBitStrength(); if (keySize != 2048) { - log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_SIZE, indent + 1); + log.add(LogType.MSG_MF_ERROR_BAD_NFC_SIZE, indent + 1); return false; } // Secret key parts must be available if (isDivertToCard(key) || isDummy(key)) { - log.add(OperationResult.LogType.MSG_K2C_ERROR_BAD_STRIPPED, indent + 1); + log.add(LogType.MSG_MF_ERROR_BAD_NFC_STRIPPED, indent + 1); return false; } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java index acc0c32b8..1f7a0eb0d 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java @@ -35,7 +35,6 @@ import android.view.View.OnClickListener; import android.view.ViewGroup; import android.widget.AdapterView; import android.widget.ListView; -import android.widget.Toast; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; @@ -43,7 +42,7 @@ import org.sufficientlysecure.keychain.compatibility.DialogFragmentWorkaround; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.SingletonResult; -import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey.SecretKeyType; import org.sufficientlysecure.keychain.pgp.KeyRing; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; @@ -420,9 +419,8 @@ public class EditKeyFragment extends CryptoOperationFragment implements } break; case EditSubkeyDialogFragment.MESSAGE_STRIP: { - CanonicalizedSecretKey.SecretKeyType secretKeyType = - mSubkeysAdapter.getSecretKeyType(position); - if (secretKeyType == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { + SecretKeyType secretKeyType = mSubkeysAdapter.getSecretKeyType(position); + if (secretKeyType == SecretKeyType.GNU_DUMMY) { // Key is already stripped; this is a no-op. break; } @@ -441,15 +439,27 @@ public class EditKeyFragment extends CryptoOperationFragment implements break; } case EditSubkeyDialogFragment.MESSAGE_KEYTOCARD: { - CanonicalizedSecretKey.SecretKeyType secretKeyType = - mSubkeysAdapter.getSecretKeyType(position); - if (secretKeyType == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || - secretKeyType == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { - Toast.makeText(EditKeyFragment.this.getActivity(), - R.string.edit_key_error_bad_nfc_stripped, Toast.LENGTH_SHORT) - .show(); + Activity activity = EditKeyFragment.this.getActivity(); + SecretKeyType secretKeyType = mSubkeysAdapter.getSecretKeyType(position); + if (secretKeyType == SecretKeyType.DIVERT_TO_CARD || + secretKeyType == SecretKeyType.GNU_DUMMY) { + Notify.create(activity, R.string.edit_key_error_bad_nfc_stripped, Notify.Style.ERROR) + .show((ViewGroup) activity.findViewById(R.id.import_snackbar)); break; } + int algorithm = mSubkeysAdapter.getAlgorithm(position); + // these are the PGP constants for RSA_GENERAL, RSA_ENCRYPT and RSA_SIGN + if (algorithm != 1 && algorithm != 2 && algorithm != 3) { + Notify.create(activity, R.string.edit_key_error_bad_nfc_algo, Notify.Style.ERROR) + .show((ViewGroup) activity.findViewById(R.id.import_snackbar)); + break; + } + if (mSubkeysAdapter.getKeySize(position) != 2048) { + Notify.create(activity, R.string.edit_key_error_bad_nfc_size, Notify.Style.ERROR) + .show((ViewGroup) activity.findViewById(R.id.import_snackbar)); + break; + } + SubkeyChange change; change = mSaveKeyringParcel.getSubkeyChange(keyId); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java index bed846dd3..3d7058ae5 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java @@ -104,7 +104,6 @@ public class NfcOperationActivity extends BaseNfcActivity { throw new IOException("Couldn't find subkey for key to card operation."); } - // Note: we're abusing mInputHashes to hold the subkey IDs we need to export. for (int i = 0; i < mRequiredInput.mInputHashes.length; i++) { byte[] subkeyBytes = mRequiredInput.mInputHashes[i]; ByteBuffer buf = ByteBuffer.wrap(subkeyBytes); -- cgit v1.2.3 From bc48ce4210a01fb37146d210c10fb98abc15aa17 Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 13 May 2015 14:29:51 -0400 Subject: Add check for exporting two keys to same smart card slot. --- .../operations/results/OperationResult.java | 2 ++ .../keychain/pgp/PgpKeyOperation.java | 36 ++++++++++++++++++++++ 2 files changed, 38 insertions(+) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index f14589774..7f36aeb08 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -495,6 +495,8 @@ public abstract class OperationResult implements Parcelable { MSG_MF_ERROR_SIG (LogLevel.ERROR, R.string.msg_mf_error_sig), MSG_MF_ERROR_SUBKEY_MISSING(LogLevel.ERROR, R.string.msg_mf_error_subkey_missing), MSG_MF_ERROR_CONFLICTING_NFC_COMMANDS(LogLevel.ERROR, R.string.msg_mf_error_conflicting_nfc_commands), + MSG_MF_ERROR_DUPLICATE_KEYTOCARD_FOR_SLOT(LogLevel.ERROR, R.string.msg_mf_error_duplicate_keytocard_for_slot), + MSG_MF_ERROR_INVALID_FLAGS_FOR_KEYTOCARD(LogLevel.ERROR, R.string.msg_mf_error_invalid_flags_for_keytocard), MSG_MF_ERROR_BAD_NFC_ALGO(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_algo), MSG_MF_ERROR_BAD_NFC_SIZE(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_size), MSG_MF_ERROR_BAD_NFC_STRIPPED(LogLevel.ERROR, R.string.edit_key_error_bad_nfc_stripped), diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java index 566ffd44b..62809ca6b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java @@ -410,6 +410,10 @@ public class PgpKeyOperation { return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); } + // Ensure we don't have multiple keys for the same slot. + boolean hasSign = false; + boolean hasEncrypt = false; + boolean hasAuth = false; for(SaveKeyringParcel.SubkeyChange change : saveParcel.mChangeSubKeys) { if (change.mMoveKeyToCard) { // If this is a keytocard operation, see if it was completed: look for a hash @@ -424,6 +428,38 @@ public class PgpKeyOperation { change.mDummyDivert = serialNumber; } } + + if (change.mMoveKeyToCard) { + // Pending keytocard operation. Need to make sure that we don't have multiple + // subkeys pending for the same slot. + CanonicalizedSecretKey wsK = wsKR.getSecretKey(change.mKeyId); + + if ((wsK.canSign() || wsK.canCertify())) { + if (hasSign) { + log.add(LogType.MSG_MF_ERROR_DUPLICATE_KEYTOCARD_FOR_SLOT, indent + 1); + return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); + } else { + hasSign = true; + } + } else if ((wsK.canEncrypt())) { + if (hasEncrypt) { + log.add(LogType.MSG_MF_ERROR_DUPLICATE_KEYTOCARD_FOR_SLOT, indent + 1); + return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); + } else { + hasEncrypt = true; + } + } else if ((wsK.canAuthenticate())) { + if (hasAuth) { + log.add(LogType.MSG_MF_ERROR_DUPLICATE_KEYTOCARD_FOR_SLOT, indent + 1); + return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); + } else { + hasAuth = true; + } + } else { + log.add(LogType.MSG_MF_ERROR_INVALID_FLAGS_FOR_KEYTOCARD, indent + 1); + return new PgpEditKeyResult(PgpEditKeyResult.RESULT_ERROR, log, null); + } + } } if (isDummy(masterSecretKey) || saveParcel.isRestrictedOnly()) { -- cgit v1.2.3 From aa75534e5b622baf39717de7d3a7a4fd4020adf7 Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 13 May 2015 17:04:01 -0400 Subject: Moving blank smart card messages to strings.xml --- .../java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java index 45451bf38..68a809b69 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java @@ -152,8 +152,8 @@ public class CreateKeyActivity extends BaseNfcActivity { } } else { AlertDialog.Builder builder = new AlertDialog.Builder(this); - builder.setTitle("Blank Smart Card / Yubikey Detected") - .setMessage("Would you like to generate a smart card compatible key?") + builder.setTitle(R.string.first_time_blank_smartcard_title) + .setMessage(R.string.first_time_blank_smartcard_message) .setPositiveButton(android.R.string.yes, new DialogInterface.OnClickListener() { @Override public void onClick(DialogInterface dialog, int button) { -- cgit v1.2.3 From 2d3f745c36280fcd0e5c73820cc3e72f41feae2d Mon Sep 17 00:00:00 2001 From: Joey Castillo Date: Wed, 13 May 2015 17:17:10 -0400 Subject: Removing unused SubkeyChange constructor. --- .../keychain/service/SaveKeyringParcel.java | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java index dd6697f21..e2c4dc542 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java @@ -164,18 +164,6 @@ public class SaveKeyringParcel implements Parcelable { mExpiry = expiry; } - public SubkeyChange(long keyId, boolean dummyStrip, byte[] dummyDivert) { - this(keyId, null, null); - - // these flags are mutually exclusive! - if (dummyStrip && dummyDivert != null) { - throw new AssertionError( - "cannot set strip and divert flags at the same time - this is a bug!"); - } - mDummyStrip = dummyStrip; - mDummyDivert = dummyDivert; - } - public SubkeyChange(long keyId, boolean dummyStrip, boolean moveKeyToCard) { this(keyId, null, null); -- cgit v1.2.3