Issue 1100 decrypt atts with kotlin (#1225)

* Added an ability to decrypt attachments with PGPainless. Removed 3Mb restriction for encrypted attachments. Refactored code.| #1100

* Added PgpDecrypt.| #1100

* Added handling some errors.| #1100

* Modified PgpDecrypt.decrypt() to return OpenPgpMetadata as result.| #1100

* Fixed wrongly added code.| #1100

* Improved streams usage in AttachmentDownloadManagerService.| #1100

* Reverted back changes in PgpMsg.| #1100

* Added PgpDecryptTest(not completed).| #1100

* Improved TemporaryFolder.createFileWithGivenSize to use really random data.| #1100

* Added PgpDecryptTest.testDecryptionErrorWrongPassphrase().| #1100

* Modified tests.| #1100

* Added using a regex pattern to detect encrypted attachments.| #1100

* Removed unused resources.| #1100

* Fixed "EOF" issue.| #1100

* Refactored code.| #1100

* Fixed PgpMsgTest after refactoring.| #1100

Author: DenBond7

FlowCrypt/src/main/java/com/flowcrypt/email/Constants.kt

@@ -75,11 +75,6 @@ class Constants {
      */
     const val MAX_PUB_KEY_SIZE = 1024 * 256
 
-    /**
-     * The max size off an attachment which can be decrypted via the app.
-     */
-    const val MAX_ATTACHMENT_SIZE_WHICH_CAN_BE_DECRYPTED = 1024 * 1024 * 3
-
     const val PGP_CACHE_DIR = "PGP"
     const val FORWARDED_ATTACHMENTS_CACHE_DIR = "forwarded"
     const val ATTACHMENTS_CACHE_DIR = "attachments"

FlowCrypt/src/main/java/com/flowcrypt/email/security/KeysStorageImpl.kt

@@ -17,8 +17,11 @@ import com.flowcrypt.email.database.entity.KeyEntity
 import com.flowcrypt.email.extensions.org.pgpainless.key.longId
 import com.flowcrypt.email.model.KeysStorage
 import com.flowcrypt.email.node.Node
+import com.flowcrypt.email.security.pgp.PgpDecrypt
 import com.flowcrypt.email.security.pgp.PgpKey
+import com.flowcrypt.email.util.exception.DecryptionException
 import org.bouncycastle.bcpg.ArmoredInputStream
+import org.bouncycastle.openpgp.PGPException
 import org.pgpainless.PGPainless
 import org.pgpainless.key.OpenPgpV4Fingerprint
 import org.pgpainless.key.protection.KeyRingProtectionSettings
@@ -42,31 +45,37 @@ class KeysStorageImpl private constructor(context: Context) : KeysStorage {
   private var keys = mutableListOf<KeyEntity>()
   private var nodeKeyDetailsList = mutableListOf<NodeKeyDetails>()
 
-  private val pureActiveAccountLiveData: LiveData<AccountEntity?> = Transformations.switchMap(nodeLiveData) {
-    roomDatabase.accountDao().getActiveAccountLD()
-  }
+  private val pureActiveAccountLiveData: LiveData<AccountEntity?> =
+    Transformations.switchMap(nodeLiveData) {
+      roomDatabase.accountDao().getActiveAccountLD()
+    }
 
-  private val encryptedKeysLiveData: LiveData<List<KeyEntity>> = Transformations.switchMap(pureActiveAccountLiveData) {
-    roomDatabase.keysDao().getAllKeysByAccountLD(it?.email ?: "")
-  }
+  private val encryptedKeysLiveData: LiveData<List<KeyEntity>> =
+    Transformations.switchMap(pureActiveAccountLiveData) {
+      roomDatabase.keysDao().getAllKeysByAccountLD(it?.email ?: "")
+    }
 
   private val keysLiveData = encryptedKeysLiveData.switchMap { list ->
     liveData {
       emit(list.map {
         it.copy(
-            privateKey = KeyStoreCryptoManager.decryptSuspend(it.privateKeyAsString).toByteArray(),
-            passphrase = KeyStoreCryptoManager.decryptSuspend(it.passphrase))
+          privateKey = KeyStoreCryptoManager.decryptSuspend(it.privateKeyAsString).toByteArray(),
+          passphrase = KeyStoreCryptoManager.decryptSuspend(it.passphrase)
+        )
       })
     }
   }
 
-  val nodeKeyDetailsLiveData: LiveData<List<NodeKeyDetails>> = Transformations.switchMap(keysLiveData) {
-    liveData {
-      emit(PgpKey.parseKeys(
-          it.joinToString(separator = "\n") { keyEntity -> keyEntity.privateKeyAsString })
-          .toNodeKeyDetailsList())
+  val nodeKeyDetailsLiveData: LiveData<List<NodeKeyDetails>> =
+    Transformations.switchMap(keysLiveData) {
+      liveData {
+        emit(
+          PgpKey.parseKeys(
+            it.joinToString(separator = "\n") { keyEntity -> keyEntity.privateKeyAsString })
+            .toNodeKeyDetailsList()
+        )
+      }
     }
-  }
 
   init {
     keysLiveData.observeForever {
@@ -135,8 +144,11 @@ class KeysStorageImpl private constructor(context: Context) : KeysStorage {
             val key = getPgpPrivateKey(openPgpV4Fingerprint.longId)
             if (key != null) {
               val passphrase: Passphrase
-              if (key.passphrase.isNullOrEmpty()) {
-                passphrase = Passphrase.emptyPassphrase()
+              if (key.passphrase == null) {
+                throw DecryptionException(
+                  decryptionErrorType = PgpDecrypt.DecryptionErrorType.NEED_PASSPHRASE,
+                  e = PGPException("flowcrypt: need passphrase")
+                )
               } else {
                 passphrase = Passphrase.fromPassword(key.passphrase)
               }
@@ -161,20 +173,24 @@ class KeysStorageImpl private constructor(context: Context) : KeysStorage {
    */
   suspend fun getLatestAllPgpPrivateKeys(): List<KeyEntity> {
     val account = pureActiveAccountLiveData.value
-        ?: roomDatabase.accountDao().getActiveAccountSuspend()
+      ?: roomDatabase.accountDao().getActiveAccountSuspend()
     account?.let { accountEntity ->
       val cachedKeysLongIds = keys.map { it.longId }.toSet()
-      val latestEncryptedKeys = roomDatabase.keysDao().getAllKeysByAccountSuspend(accountEntity.email)
-      val latestKeysLongIds = roomDatabase.keysDao().getAllKeysByAccountSuspend(accountEntity.email).map { it.longId }.toSet()
+      val latestEncryptedKeys =
+        roomDatabase.keysDao().getAllKeysByAccountSuspend(accountEntity.email)
+      val latestKeysLongIds =
+        roomDatabase.keysDao().getAllKeysByAccountSuspend(accountEntity.email).map { it.longId }
+          .toSet()
 
       if (cachedKeysLongIds == latestKeysLongIds) {
         return keys
       }
 
       return latestEncryptedKeys.map {
         it.copy(
-            privateKey = KeyStoreCryptoManager.decryptSuspend(it.privateKeyAsString).toByteArray(),
-            passphrase = KeyStoreCryptoManager.decryptSuspend(it.passphrase))
+          privateKey = KeyStoreCryptoManager.decryptSuspend(it.privateKeyAsString).toByteArray(),
+          passphrase = KeyStoreCryptoManager.decryptSuspend(it.passphrase)
+        )
       }
     }
 

FlowCrypt/src/main/java/com/flowcrypt/email/security/pgp/PgpDecrypt.kt

@@ -0,0 +1,100 @@
+/*
+ * © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
+ * Contributors: DenBond7
+ */
+
+package com.flowcrypt.email.security.pgp
+
+import com.flowcrypt.email.util.exception.DecryptionException
+import org.bouncycastle.openpgp.PGPDataValidationException
+import org.bouncycastle.openpgp.PGPException
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection
+import org.pgpainless.PGPainless
+import org.pgpainless.decryption_verification.OpenPgpMetadata
+import org.pgpainless.exception.MessageNotIntegrityProtectedException
+import org.pgpainless.exception.ModificationDetectionException
+import org.pgpainless.key.protection.SecretKeyRingProtector
+import java.io.InputStream
+import java.io.OutputStream
+
+/**
+ * @author Denis Bondarenko
+ *         Date: 5/11/21
+ *         Time: 2:10 PM
+ *         E-mail: DenBond7@gmail.com
+ */
+object PgpDecrypt {
+  val DETECT_SEPARATE_ENCRYPTED_ATTACHMENTS_PATTERN =
+    "(?i)(\\.pgp$)|(\\.gpg$)|(\\.[a-zA-Z0-9]{3,4}\\.asc$)".toRegex()
+
+  fun decrypt(
+    srcInputStream: InputStream,
+    destOutputStream: OutputStream,
+    pgpSecretKeyRingCollection: PGPSecretKeyRingCollection,
+    protector: SecretKeyRingProtector
+  ): OpenPgpMetadata {
+    srcInputStream.use { srcStream ->
+      destOutputStream.use { outStream ->
+        try {
+          val decryptionStream = PGPainless.decryptAndOrVerify()
+            .onInputStream(srcStream)
+            .decryptWith(protector, pgpSecretKeyRingCollection)
+            .doNotVerify()
+            .build()
+
+          decryptionStream.use { it.copyTo(outStream) }
+          return decryptionStream.result
+        } catch (e: Exception) {
+          throw processDecryptionException(e)
+        }
+      }
+    }
+  }
+
+  private fun processDecryptionException(e: Exception): Exception {
+    return when (e) {
+      is PGPException -> {
+        when {
+          e.message == "checksum mismatch at 0 of 20" -> {
+            DecryptionException(DecryptionErrorType.WRONG_PASSPHRASE, e)
+          }
+
+          e.message?.contains("exception decrypting session info") == true
+              || e.message?.contains("encoded length out of range") == true
+              || e.message?.contains("Exception recovering session info") == true
+              || e.message?.contains("No suitable decryption key") == true -> {
+            DecryptionException(DecryptionErrorType.KEY_MISMATCH, e)
+          }
+
+          else -> DecryptionException(DecryptionErrorType.OTHER, e)
+        }
+      }
+
+      is MessageNotIntegrityProtectedException -> {
+        DecryptionException(DecryptionErrorType.NO_MDC, e)
+      }
+
+      is ModificationDetectionException -> {
+        DecryptionException(DecryptionErrorType.BAD_MDC, e)
+      }
+
+      is PGPDataValidationException -> {
+        DecryptionException(DecryptionErrorType.KEY_MISMATCH, e)
+      }
+
+      is DecryptionException -> e
+
+      else -> DecryptionException(DecryptionErrorType.OTHER, e)
+    }
+  }
+
+  enum class DecryptionErrorType {
+    KEY_MISMATCH,
+    WRONG_PASSPHRASE,
+    NO_MDC,
+    BAD_MDC,
+    NEED_PASSPHRASE,
+    FORMAT,
+    OTHER
+  }
+}

FlowCrypt/src/main/java/com/flowcrypt/email/security/pgp/PgpMsg.kt

@@ -82,18 +82,8 @@ object PgpMsg {
 
   private val maxTagNumber = 20
 
-  enum class DecryptionErrorType {
-    KEY_MISMATCH,
-    WRONG_PASSPHRASE,
-    NO_MDC,
-    BAD_MDC,
-    NEED_PASSPHRASE,
-    FORMAT,
-    OTHER
-  }
-
   data class DecryptionError(
-    val type: DecryptionErrorType,
+    val type: PgpDecrypt.DecryptionErrorType,
     val message: String,
     val cause: Throwable? = null
   )
@@ -119,7 +109,7 @@ object PgpMsg {
   ) {
     companion object {
       fun withError(
-        type: DecryptionErrorType,
+        type: PgpDecrypt.DecryptionErrorType,
         message: String,
         cause: Throwable? = null
       ): DecryptionResult {
@@ -147,7 +137,10 @@ object PgpMsg {
     pgpPublicKeyRingCollection: PGPPublicKeyRingCollection? // for verification
   ): DecryptionResult {
     if (data.isEmpty()) {
-      return DecryptionResult.withError(DecryptionErrorType.FORMAT, "Can't decrypt empty message")
+      return DecryptionResult.withError(
+        type = PgpDecrypt.DecryptionErrorType.FORMAT,
+        message = "Can't decrypt empty message"
+      )
     }
 
     val chunk = data.copyOfRange(0, data.size.coerceAtMost(50)).toString(StandardCharsets.US_ASCII)
@@ -162,13 +155,13 @@ object PgpMsg {
           ex is PGPException && ex.message != null && ex.message == "Cleartext format error"
         ) {
           DecryptionResult.withError(
-            type = DecryptionErrorType.FORMAT,
+            type = PgpDecrypt.DecryptionErrorType.FORMAT,
             message = ex.message!!,
             cause = ex.cause
           )
         } else {
           DecryptionResult.withError(
-            type = DecryptionErrorType.OTHER,
+            type = PgpDecrypt.DecryptionErrorType.OTHER,
             message = "Decode cleartext error",
             cause = ex
           )
@@ -192,12 +185,12 @@ object PgpMsg {
     } catch (ex: PGPException) {
       if (ex.message == "flowcrypt: need passphrase") {
         return DecryptionResult.withError(
-          type = DecryptionErrorType.NEED_PASSPHRASE,
+          type = PgpDecrypt.DecryptionErrorType.NEED_PASSPHRASE,
           message = "Need passphrase"
         )
       }
       return DecryptionResult.withError(
-        type = DecryptionErrorType.WRONG_PASSPHRASE,
+        type = PgpDecrypt.DecryptionErrorType.WRONG_PASSPHRASE,
         message = "Wrong passphrase",
         cause = ex
       )
@@ -222,20 +215,20 @@ object PgpMsg {
       return DecryptionResult.withDecrypted(output, streamResult.fileInfo?.fileName)
     } catch (ex: MessageNotIntegrityProtectedException) {
       return DecryptionResult.withError(
-        type = DecryptionErrorType.NO_MDC,
+        type = PgpDecrypt.DecryptionErrorType.NO_MDC,
         message = "Security threat! Message is missing integrity checks (MDC)." +
             " The sender should update their outdated software.",
         cause = ex
       )
     } catch (ex: ModificationDetectionException) {
       return DecryptionResult.withError(
-        type = DecryptionErrorType.BAD_MDC,
+        type = PgpDecrypt.DecryptionErrorType.BAD_MDC,
         message = "Security threat! Integrity check failed.",
         cause = ex
       )
     } catch (ex: PGPDataValidationException) {
       return DecryptionResult.withError(
-        type = DecryptionErrorType.KEY_MISMATCH,
+        type = PgpDecrypt.DecryptionErrorType.KEY_MISMATCH,
         message = "There is no matching key",
         cause = ex
       )
@@ -247,7 +240,7 @@ object PgpMsg {
         || ex.message?.contains("No suitable decryption key") == true
       ) {
         return DecryptionResult.withError(
-          type = DecryptionErrorType.KEY_MISMATCH,
+          type = PgpDecrypt.DecryptionErrorType.KEY_MISMATCH,
           message = "There is no suitable decryption key",
           cause = ex
         )
@@ -258,7 +251,7 @@ object PgpMsg {
       exception = ex
     }
     return DecryptionResult.withError(
-      type = DecryptionErrorType.OTHER,
+      type = PgpDecrypt.DecryptionErrorType.OTHER,
       message = "Decryption failed",
       cause = exception
     )