feat: Improve API for encryption with a session key

lubux · lubux · commit 63f920c85f41 · 2025-04-10T16:10:00.000+02:00
With RFC 9580, clients can encrypt data using AEAD with SEIPDv2 packets.
However, SEIPDv2 packets are only compatible with PKESK v6 and
SKESK v6 packets when the session key is encrypted using an OpenPGP certificate.

This commit improves the API to reduce the risk of encrypting data with SEIPDv2
while using a session key encrypted in a packet version below v6.
Specifically, the session key now includes an indicator of whether it is intended for AEAD use or not
and affects the produced packets.
diff --git a/crypto/crypto.go b/crypto/crypto.go
@@ -73,7 +73,9 @@ func (p *PGPHandle) LockKey(key *Key, passphrase []byte) (*Key, error) {
 }
 
 // GenerateSessionKey generates a random session key for the profile.
+// Use GenerateSessionKey on the encryption handle, if the PGP encryption keys are known.
+// This function only considers the profile to determine the session key type.
 func (p *PGPHandle) GenerateSessionKey() (*SessionKey, error) {
 	config := p.profile.EncryptionConfig()
-	return generateSessionKey(config)
+	return generateSessionKey(config, nil, nil)
 }
diff --git a/crypto/decryption_core.go b/crypto/decryption_core.go
@@ -191,7 +191,7 @@ Loop:
 				}
 			}
 			var dc packet.CipherFunction
-			if !sessionKey.v6 {
+			if sessionKey.hasAlgorithm() {
 				dc, err = sessionKey.GetCipherFunc()
 				if err != nil {
 					return nil, errors.Wrap(err, "gopenpgp: unable to decrypt with session key")
diff --git a/crypto/encryption.go b/crypto/encryption.go
@@ -23,6 +23,9 @@ type PGPEncryption interface {
 	// EncryptSessionKey encrypts a session key with the encryption handle.
 	// To encrypt a session key, the handle must contain either recipients or a password.
 	EncryptSessionKey(sessionKey *SessionKey) ([]byte, error)
+	// GenerateSessionKey generates a random session key for the given encryption handle
+	// considering the algorithm preferences of the recipient keys.
+	GenerateSessionKey() (*SessionKey, error)
 	// ClearPrivateParams clears all private key material contained in EncryptionHandle from memory.
 	ClearPrivateParams()
 }
diff --git a/crypto/encryption_core.go b/crypto/encryption_core.go
@@ -216,7 +216,7 @@ func (eh *encryptionHandle) encryptStreamWithSessionKeyHelper(
 		return nil, nil, err
 	}
 
-	if !eh.SessionKey.v6 {
+	if eh.SessionKey.hasAlgorithm() {
 		config.DefaultCipher, err = eh.SessionKey.GetCipherFunc()
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "gopenpgp: unable to encrypt with session key")
@@ -226,7 +226,7 @@ func (eh *encryptionHandle) encryptStreamWithSessionKeyHelper(
 	encryptWriter, err = packet.SerializeSymmetricallyEncrypted(
 		dataPacketWriter,
 		config.Cipher(),
-		config.AEAD() != nil,
+		eh.SessionKey.v6,
 		packet.CipherSuite{Cipher: config.Cipher(), Mode: config.AEAD().Mode()},
 		eh.SessionKey.Key,
 		config,
@@ -349,7 +349,7 @@ func (eh *encryptionHandle) encryptSignDetachedStreamToRecipients(
 	configInput.Time = NewConstantClock(eh.clock().Unix())
 	// Generate a session key for encryption.
 	if eh.SessionKey == nil {
-		eh.SessionKey, err = generateSessionKey(configInput)
+		eh.SessionKey, err = eh.GenerateSessionKey()
 		if err != nil {
 			return nil, err
 		}
diff --git a/crypto/encryption_handle.go b/crypto/encryption_handle.go
@@ -131,6 +131,14 @@ func (eh *encryptionHandle) EncryptSessionKey(sessionKey *SessionKey) ([]byte, e
 	return nil, errors.New("gopenpgp: no password or recipients in encryption handle")
 }
 
+// GenerateSessionKey generates a random session key for the given encryption handle
+// considering the algorithm preferences of the recipient keys.
+func (eh *encryptionHandle) GenerateSessionKey() (*SessionKey, error) {
+	config := eh.profile.EncryptionConfig()
+	config.Time = NewConstantClock(eh.clock().Unix())
+	return generateSessionKey(config, eh.Recipients, eh.HiddenRecipients)
+}
+
 // --- Helper methods on encryption handle
 
 func (eh *encryptionHandle) validate() error {
diff --git a/crypto/encryption_session.go b/crypto/encryption_session.go
@@ -128,6 +128,9 @@ func encryptSessionKeyToWriter(
 		}
 		pubKeys = append(pubKeys, encryptionKey.PublicKey)
 	}
+	if sk.v6 {
+		aeadSupport = true
+	}
 	if len(pubKeys) == 0 {
 		return errors.New("gopenpgp: cannot set key: no public key available")
 	}
@@ -201,10 +204,11 @@ func encryptSessionKeyWithPasswordToWriter(password []byte, sk *SessionKey, outp
 		cf = config.Cipher()
 	} else {
 		cf, err = sk.GetCipherFunc()
+		if err != nil {
+			return errors.Wrap(err, "gopenpgp: unable to encrypt session key with password")
+		}
 	}
-	if err != nil {
-		return errors.Wrap(err, "gopenpgp: unable to encrypt session key with password")
-	}
+	useAead := sk.v6
 
 	if len(password) == 0 {
 		return errors.New("gopenpgp: password can't be empty")
@@ -215,7 +219,7 @@ func encryptSessionKeyWithPasswordToWriter(password []byte, sk *SessionKey, outp
 	}
 	config.DefaultCipher = cf
 
-	err = packet.SerializeSymmetricKeyEncryptedReuseKey(outputWriter, sk.Key, password, config)
+	err = packet.SerializeSymmetricKeyEncryptedAEADReuseKey(outputWriter, sk.Key, password, useAead, config)
 	if err != nil {
 		return errors.Wrap(err, "gopenpgp: unable to encrypt session key with password")
 	}
diff --git a/crypto/sessionkey.go b/crypto/sessionkey.go
@@ -19,7 +19,8 @@ type SessionKey struct {
 	// Algo defines the symmetric encryption algorithm used with this key.
 	// Only present if the key was not parsed from a v6 packet.
 	Algo string
-	// v6 is a flag to indicate that the session key was parsed from a v6 PKESK or SKESK packet
+	// v6 is a flag to indicate that the session key is capable
+	// to be used in v6 PKESK or SKESK, and SEIPDv2 packets
 	v6 bool
 }
 
@@ -66,8 +67,8 @@ func (cr checkReader) Read(buf []byte) (int, error) {
 // with this SessionKey.
 // Not supported in go-mobile clients use sk.GetCipherFuncInt instead.
 func (sk *SessionKey) GetCipherFunc() (packet.CipherFunction, error) {
-	if sk.v6 {
-		return 0, errors.New("gopenpgp: no cipher function available for a v6 session key")
+	if !sk.hasAlgorithm() {
+		return 0, errors.New("gopenpgp: no cipher function available for the session key")
 	}
 	cf, ok := symKeyAlgos[sk.Algo]
 	if !ok {
@@ -89,6 +90,11 @@ func (sk *SessionKey) GetBase64Key() string {
 	return base64.StdEncoding.EncodeToString(sk.Key)
 }
 
+// IsV6 indicates if the session key can be used with SEIPDv2, PKESKv6/SKESKv6.
+func (sk *SessionKey) IsV6() bool {
+	return sk.v6
+}
+
 // RandomToken generates a random token with the specified key size.
 func RandomToken(size int) ([]byte, error) {
 	config := &packet.Config{DefaultCipher: packet.CipherAES256}
@@ -118,13 +124,61 @@ func GenerateSessionKeyAlgo(algo string) (sk *SessionKey, err error) {
 	return sk, nil
 }
 
-// GenerateSessionKey generates a random key for the default cipher.
-func generateSessionKey(config *packet.Config) (*SessionKey, error) {
-	cf, ok := algosToSymKey[config.DefaultCipher]
+// GenerateSessionKey generates a random key.
+// Considers the cipher and aead preferences in recipients and hiddenRecipients for
+// session key generation.
+func generateSessionKey(config *packet.Config, recipients *KeyRing, hiddenRecipients *KeyRing) (*SessionKey, error) {
+	candidateCiphers := []uint8{
+		uint8(packet.CipherAES256),
+		uint8(packet.CipherAES128),
+	}
+
+	currentTime := config.Now()
+	aeadSupport := config.AEADConfig != nil
+	for _, e := range append(recipients.getEntities(), hiddenRecipients.getEntities()...) {
+		primarySelfSignature, _ := e.PrimarySelfSignature(currentTime, config)
+		if primarySelfSignature == nil {
+			continue
+		}
+
+		if !primarySelfSignature.SEIPDv2 {
+			aeadSupport = false
+		}
+
+		candidateCiphers = intersectPreferences(candidateCiphers, primarySelfSignature.PreferredSymmetric)
+	}
+
+	if len(candidateCiphers) == 0 {
+		candidateCiphers = []uint8{uint8(packet.CipherAES128)}
+	}
+	cipher := packet.CipherFunction(candidateCiphers[0])
+
+	// If the cipher specified by config is a candidate, we'll use that.
+	configuredCipher := config.Cipher()
+	for _, c := range candidateCiphers {
+		cipherFunc := packet.CipherFunction(c)
+		if cipherFunc == configuredCipher {
+			cipher = cipherFunc
+			break
+		}
+	}
+
+	algo, ok := algosToSymKey[cipher]
 	if !ok {
 		return nil, errors.New("gopenpgp: unsupported cipher function")
 	}
-	return GenerateSessionKeyAlgo(cf)
+
+	r, err := RandomToken(cipher.KeySize())
+	if err != nil {
+		return nil, err
+	}
+
+	sk := &SessionKey{
+		Key:  r,
+		Algo: algo,
+		v6:   aeadSupport,
+	}
+	return sk, nil
 }
 
 // NewSessionKeyFromToken creates a SessionKey struct with the given token and algorithm.
@@ -136,6 +190,16 @@ func NewSessionKeyFromToken(token []byte, algo string) *SessionKey {
 	}
 }
 
+// NewSessionKeyFromTokenWithAead creates a SessionKey struct with the given token and algorithm,
+// If aead is set to true, the key is used with v6 PKESK or SKESK, and SEIPDv2 packets.
+func NewSessionKeyFromTokenWithAead(token []byte, algo string, aead bool) *SessionKey {
+	return &SessionKey{
+		Key:  clone(token),
+		Algo: algo,
+		v6:   aead,
+	}
+}
+
 func newSessionKeyFromEncrypted(ek *packet.EncryptedKey) (*SessionKey, error) {
 	var algo string
 	for k, v := range symKeyAlgos {
@@ -178,6 +242,10 @@ func (sk *SessionKey) checkSize() error {
 	return nil
 }
 
+func (sk *SessionKey) hasAlgorithm() bool {
+	return sk.Algo != ""
+}
+
 func getAlgo(cipher packet.CipherFunction) string {
 	algo := ""
 	for k, v := range symKeyAlgos {
@@ -188,3 +256,17 @@ func getAlgo(cipher packet.CipherFunction) string {
 	}
 	return algo
 }
+
+func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) {
+	var currentIndex int
+	for _, valueFirst := range a {
+		for _, valueSecond := range b {
+			if valueFirst == valueSecond {
+				a[currentIndex] = valueFirst
+				currentIndex++
+				break
+			}
+		}
+	}
+	return a[:currentIndex]
+}
diff --git a/crypto/sessionkey_test.go b/crypto/sessionkey_test.go
@@ -1,12 +1,15 @@
 package crypto
 
 import (
+	"bytes"
 	"encoding/base64"
 	"encoding/hex"
 	"os"
 	"testing"
 
+	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/ProtonMail/gopenpgp/v3/constants"
+	"github.com/ProtonMail/gopenpgp/v3/profile"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -373,3 +376,101 @@ func TestAsymmetricKeyPacketDecryptionFailure(t *testing.T) {
 	_, err = decryptor.DecryptSessionKey(keyPacket)
 	assert.Error(t, err, "gopenpgp: unable to decrypt session key")
 }
+
+func TestSessionKeyAeadHandling(t *testing.T) {
+	pgp := PGPWithProfile(profile.Default())
+	profileAead := profile.Default()
+	profileAead.AeadEncryption = &packet.AEADConfig{}
+	pgpAead := PGPWithProfile(profileAead)
+
+	keyDefault, err := pgp.KeyGeneration().AddUserId("nodeKey", "nodeKey").New().GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	keyAEAD, err := pgpAead.KeyGeneration().AddUserId("nodeKey", "nodeKey").New().GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	encHandle, _ := pgpAead.Encryption().Recipient(keyDefault).New()
+	encHandleAead, _ := pgpAead.Encryption().Recipient(keyAEAD).New()
+
+	sessionKey, err := encHandle.GenerateSessionKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sessionKeyAead, err := encHandleAead.GenerateSessionKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if sessionKey.IsV6() {
+		t.Error("Expected session key to be non-v6 compatible")
+	}
+	if !sessionKeyAead.IsV6() {
+		t.Error("Expected session key to be v6 compatible")
+	}
+
+	pkeskv3, err := encHandle.EncryptSessionKey(sessionKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pkeskv6, err := encHandle.EncryptSessionKey(sessionKeyAead)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	checkPKESK(t, pkeskv3, 3)
+	checkPKESK(t, pkeskv6, 6)
+
+	encHandle, _ = pgpAead.Encryption().SessionKey(sessionKey).New()
+	encHandleAead, _ = pgpAead.Encryption().SessionKey(sessionKeyAead).New()
+
+	seipdv1, err := encHandle.Encrypt([]byte("hello"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	seipdv2, err := encHandleAead.Encrypt([]byte("hello"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	checkSEIPD(t, seipdv1.DataPacket, 1)
+	checkSEIPD(t, seipdv2.DataPacket, 2)
+}
+
+func checkPKESK(t *testing.T, data []byte, version int) {
+	packets := packet.NewReader(bytes.NewReader(data))
+	p, err := packets.Next()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pk, ok := p.(*packet.EncryptedKey)
+	if !ok {
+		t.Fatal("Expected PKESK packet")
+	}
+
+	if pk.Version != version {
+		t.Errorf("Expected PKESK version %d, got %d", version, pk.Version)
+	}
+}
+
+func checkSEIPD(t *testing.T, data []byte, version int) {
+	packets := packet.NewReader(bytes.NewReader(data))
+	p, err := packets.Next()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pk, ok := p.(*packet.SymmetricallyEncrypted)
+	if !ok {
+		t.Fatal("Expected SEIPD packet")
+	}
+
+	if pk.Version != version {
+		t.Errorf("Expected SEIPD version %d, got %d", version, pk.Version)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,9 @@ func (p PGPHandle) LockKey(key Key, passphrase []byte) (*Key, error) {`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`// GenerateSessionKey generates a random session key for the profile.`
	`76`	`+// Use GenerateSessionKey on the encryption handle, if the PGP encryption keys are known.`
	`77`	`+// This function only considers the profile to determine the session key type.`
`76`	`78`	`func (p PGPHandle) GenerateSessionKey() (SessionKey, error) {`
`77`	`79`	`config := p.profile.EncryptionConfig()`
`78`		`- return generateSessionKey(config)`
	`80`	`+ return generateSessionKey(config, nil, nil)`
`79`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -191,7 +191,7 @@ Loop:`
`191`	`191`	`}`
`192`	`192`	`}`
`193`	`193`	`var dc packet.CipherFunction`
`194`		`- if !sessionKey.v6 {`
	`194`	`+ if sessionKey.hasAlgorithm() {`
`195`	`195`	`dc, err = sessionKey.GetCipherFunc()`
`196`	`196`	`if err != nil {`
`197`	`197`	`return nil, errors.Wrap(err, "gopenpgp: unable to decrypt with session key")`
Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,9 @@ func encryptSessionKeyToWriter(`
`128`	`128`	`}`
`129`	`129`	`pubKeys = append(pubKeys, encryptionKey.PublicKey)`
`130`	`130`	`}`
	`131`	`+ if sk.v6 {`
	`132`	`+ aeadSupport = true`
	`133`	`+ }`
`131`	`134`	`if len(pubKeys) == 0 {`
`132`	`135`	`return errors.New("gopenpgp: cannot set key: no public key available")`
`133`	`136`	`}`
`@@ -201,10 +204,11 @@ func encryptSessionKeyWithPasswordToWriter(password []byte, sk *SessionKey, outp`
`201`	`204`	`cf = config.Cipher()`
`202`	`205`	`} else {`
`203`	`206`	`cf, err = sk.GetCipherFunc()`
	`207`	`+ if err != nil {`
	`208`	`+ return errors.Wrap(err, "gopenpgp: unable to encrypt session key with password")`
	`209`	`+ }`
`204`	`210`	`}`
`205`		`- if err != nil {`
`206`		`- return errors.Wrap(err, "gopenpgp: unable to encrypt session key with password")`
`207`		`- }`
	`211`	`+ useAead := sk.v6`
`208`	`212`
`209`	`213`	`if len(password) == 0 {`
`210`	`214`	`return errors.New("gopenpgp: password can't be empty")`
`@@ -215,7 +219,7 @@ func encryptSessionKeyWithPasswordToWriter(password []byte, sk *SessionKey, outp`
`215`	`219`	`}`
`216`	`220`	`config.DefaultCipher = cf`
`217`	`221`
`218`		`- err = packet.SerializeSymmetricKeyEncryptedReuseKey(outputWriter, sk.Key, password, config)`
	`222`	`+ err = packet.SerializeSymmetricKeyEncryptedAEADReuseKey(outputWriter, sk.Key, password, useAead, config)`
`219`	`223`	`if err != nil {`
`220`	`224`	`return errors.Wrap(err, "gopenpgp: unable to encrypt session key with password")`
`221`	`225`	`}`