Move the RDE encryption to a dedicated file

Merges the encryptor creation between RyDE and Ghostryde. The new file - RydeEncryption.java - is a merge of the removed functions in Ghostryde.java and the RydePgpEncryptionOutputStream.java. This is one of a series of CLs - each merging a single "part" of the encoding. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=205246053
2025-05-14 08:27:14 +02:00 · 2018-07-19 08:34:59 -07:00 · 2018-07-19 08:34:59 -07:00 · 8a8cd9f0d2
commit 8a8cd9f0d2
parent 260a6fb23b
7 changed files with 388 additions and 271 deletions
--- a/java/google/registry/rde/Ghostryde.java
+++ b/java/google/registry/rde/Ghostryde.java
@ -18,12 +18,14 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.rde.RydeCompression.openCompressor;
 import static google.registry.rde.RydeCompression.openDecompressor;
 import static google.registry.rde.RydeEncryption.GHOSTRYDE_USE_INTEGRITY_PACKET;
 import static google.registry.rde.RydeEncryption.openDecryptor;
 import static google.registry.rde.RydeEncryption.openEncryptor;
 import static java.nio.charset.StandardCharsets.US_ASCII;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags.AES_128;
 import static org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;
 import static org.bouncycastle.openpgp.PGPLiteralData.BINARY;
 import com.google.common.collect.ImmutableList;
 import com.google.common.io.ByteStreams;
 import com.google.common.io.Closer;
 import google.registry.util.ImprovedInputStream;
@ -33,25 +35,14 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.security.NoSuchAlgorithmException;
 import java.security.ProviderException;
 import java.security.SecureRandom;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import javax.annotation.CheckReturnValue;
 import javax.annotation.Nullable;
 import javax.annotation.WillNotClose;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPLiteralData;
 import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
 import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
 import org.joda.time.DateTime;
 /**
@ -125,32 +116,6 @@ public final class Ghostryde {
  /** Size of the buffer used by the intermediate streams. */
  static final int BUFFER_SIZE = 64 * 1024;
  /**
   * Symmetric encryption cipher to use when creating ghostryde files.
   *
   * <p>We're going to use AES-128 just like {@link RydePgpEncryptionOutputStream}, although we
   * aren't forced to use this algorithm by the ICANN RFCs since this is an internal format.
   *
   * @see org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags
   */
  static final int CIPHER = AES_128;
  /**
   * Unlike {@link RydePgpEncryptionOutputStream}, we're going to enable the integrity packet
   * because it makes GnuPG happy. It's also probably necessary to prevent tampering since we
   * don't sign ghostryde files.
   */
  static final boolean USE_INTEGRITY_PACKET = true;
  /**
   * The source of random bits. You are strongly discouraged from changing this value because at
   * Google it's configured to use {@code /dev/&lbrace;,u&rbrace;random} in production and somehow
   * magically go fast and not drain entropy in the testing environment.
   *
   * @see SecureRandom#getInstance(String)
   */
  static final String RANDOM_SOURCE = "NativePRNG";
  /**
   * For backwards compatibility reasons, we wrap the data in a PGP file, which preserves the
   * original filename and modification time. However, these values are never used, so we just
@ -214,11 +179,13 @@ public final class Ghostryde {
   */
  public static ImprovedOutputStream encoder(
      OutputStream output, PGPPublicKey encryptionKey, @Nullable OutputStream lengthOutput)
-      throws IOException, PGPException {
+      throws IOException {
    // We use a Closer to handle the stream .close, to make sure it's done correctly.
    Closer closer = Closer.create();
-    OutputStream encryptionLayer = closer.register(openEncryptor(output, encryptionKey));
+    OutputStream encryptionLayer =
        closer.register(
            openEncryptor(output, GHOSTRYDE_USE_INTEGRITY_PACKET, ImmutableList.of(encryptionKey)));
    OutputStream kompressor = closer.register(openCompressor(encryptionLayer));
    OutputStream fileLayer =
        closer.register(
@ -245,7 +212,7 @@ public final class Ghostryde {
   * @param encryptionKey the encryption key to use
   */
  public static ImprovedOutputStream encoder(OutputStream output, PGPPublicKey encryptionKey)
-      throws IOException, PGPException {
+      throws IOException {
    return encoder(output, encryptionKey, null);
  }
@ -260,7 +227,8 @@ public final class Ghostryde {
    // We use a Closer to handle the stream .close, to make sure it's done correctly.
    Closer closer = Closer.create();
-    InputStream decryptionLayer = closer.register(openDecryptor(input, decryptionKey));
+    InputStream decryptionLayer =
        closer.register(openDecryptor(input, GHOSTRYDE_USE_INTEGRITY_PACKET, decryptionKey));
    InputStream decompressor = closer.register(openDecompressor(decryptionLayer));
    InputStream fileLayer = closer.register(openPgpFileInputStream(decompressor));
@ -275,43 +243,6 @@ public final class Ghostryde {
  private Ghostryde() {}
  /**
   * Opens a new encryptor (Writing Step 1/3)
   *
   * <p>This is the first step in creating a ghostryde file. After this method, you'll want to call
   * {@link #openCompressor}.
   *
   * <p>TODO(b/110465985): merge with the RyDE version.
   *
   * @param os is the upstream {@link OutputStream} to which the result is written.
   * @param publicKey is the public encryption key of the recipient.
   * @throws IOException
   * @throws PGPException
   */
  @CheckReturnValue
  private static ImprovedOutputStream openEncryptor(
      @WillNotClose OutputStream os, PGPPublicKey publicKey) throws IOException, PGPException {
    PGPEncryptedDataGenerator encryptor = new PGPEncryptedDataGenerator(
        new JcePGPDataEncryptorBuilder(CIPHER)
           .setWithIntegrityPacket(USE_INTEGRITY_PACKET)
           .setSecureRandom(getRandom())
           .setProvider(PROVIDER_NAME));
    encryptor.addMethod(new BcPublicKeyKeyEncryptionMethodGenerator(publicKey));
    return new ImprovedOutputStream(
        "GhostrydeEncryptor", encryptor.open(os, new byte[BUFFER_SIZE]));
  }
  /** Does stuff. */
  private static SecureRandom getRandom() {
    SecureRandom random;
    try {
      random = SecureRandom.getInstance(RANDOM_SOURCE);
    } catch (NoSuchAlgorithmException e) {
      throw new ProviderException(e);
    }
    return random;
  }
  /**
   * Opens an {@link OutputStream} to which the actual data should be written (Writing Step 3/3)
   *
@ -334,65 +265,6 @@ public final class Ghostryde {
            .open(os, BINARY, name, modified.toDate(), new byte[BUFFER_SIZE]));
  }
  /**
   * Opens a new decryptor (Reading Step 1/3)
   *
   * <p>This is the first step in opening a ghostryde file. After this method, you'll want to call
   * {@link #openDecompressor}.
   *
   * <p>Note: If {@link Ghostryde#USE_INTEGRITY_PACKET} is {@code true}, any ghostryde file without
   * an integrity packet will be considered invalid and an exception will be thrown.
   *
   * <p>TODO(b/110465985): merge with the RyDE version.
   *
   * @param input is an {@link InputStream} of the ghostryde file data.
   * @param privateKey is the private encryption key of the recipient (which is us!)
   * @throws IOException
   * @throws PGPException
   */
  @CheckReturnValue
  private static ImprovedInputStream openDecryptor(
      @WillNotClose InputStream input, PGPPrivateKey privateKey) throws IOException, PGPException {
    checkNotNull(privateKey, "privateKey");
    PGPEncryptedDataList ciphertextList =
        PgpUtils.readSinglePgpObject(input, PGPEncryptedDataList.class);
    // Go over all the possible decryption keys, and look for the one that has our key ID.
    Optional<PGPPublicKeyEncryptedData> cyphertext =
        PgpUtils.stream(ciphertextList, PGPPublicKeyEncryptedData.class)
            .filter(ciphertext -> ciphertext.getKeyID() == privateKey.getKeyID())
            .findAny();
    // If we can't find one with our key ID, then we can't decrypt the file!
    if (!cyphertext.isPresent()) {
      String keyIds =
          PgpUtils.stream(ciphertextList, PGPPublicKeyEncryptedData.class)
              .map(ciphertext -> Long.toHexString(ciphertext.getKeyID()))
              .collect(Collectors.joining(","));
      throw new PGPException(
          String.format(
              "Message was encrypted for keyids [%s] but ours is %x",
              keyIds, privateKey.getKeyID()));
    }
    // We want an input stream that also verifies ciphertext wasn't corrupted or tampered with when
    // the stream is closed.
    return new ImprovedInputStream(
        "GhostrydeDecryptor",
        cyphertext.get().getDataStream(new BcPublicKeyDataDecryptorFactory(privateKey))) {
      @Override
      protected void onClose() throws IOException {
        if (USE_INTEGRITY_PACKET) {
          try {
            if (!cyphertext.get().verify()) {
              throw new PGPException("ghostryde integrity check failed: possible tampering D:");
            }
          } catch (PGPException e) {
            throw new IllegalStateException(e);
          }
        }
      }
    };
  }
  /**
   * Opens a new decoder for reading the original contents (Reading Step 3/3)
   *
--- a/java/google/registry/rde/RdeStagingReducer.java
+++ b/java/google/registry/rde/RdeStagingReducer.java
@ -57,7 +57,6 @@ import java.util.Optional;
 import java.util.concurrent.Callable;
 import javax.inject.Inject;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;
@ -134,7 +133,7 @@ public final class RdeStagingReducer extends Reducer<PendingDeposit, DepositFrag
      prefix = "manual/" + key.directoryWithTrailingSlash() + prefix;
    }
    GcsFilename xmlFilename = new GcsFilename(bucket, prefix + ".xml.ghostryde");
-    // This file will containg the byte length (ASCII) of the raw unencrypted XML.
+    // This file will contain the byte length (ASCII) of the raw unencrypted XML.
    //
    // This is necessary because RdeUploadAction creates a tar file which requires that the length
    // be outputted. We don't want to have to decrypt the entire ghostryde file to determine the
@ -181,7 +180,7 @@ public final class RdeStagingReducer extends Reducer<PendingDeposit, DepositFrag
      // Output the bottom of the XML document.
      output.write(marshaller.makeFooter());
-    } catch (IOException | PGPException e) {
+    } catch (IOException e) {
      throw new RuntimeException(e);
    }
@ -196,7 +195,7 @@ public final class RdeStagingReducer extends Reducer<PendingDeposit, DepositFrag
      try (OutputStream gcsOutput = cloudStorage.openOutputStream(reportFilename);
          OutputStream ghostrydeEncoder = Ghostryde.encoder(gcsOutput, stagingKey)) {
        counter.makeReport(id, watermark, header, revision).marshal(ghostrydeEncoder, UTF_8);
-      } catch (IOException | PGPException | XmlException e) {
+      } catch (IOException | XmlException e) {
        throw new RuntimeException(e);
      }
    }
--- a/java/google/registry/rde/RydeEncoder.java
+++ b/java/google/registry/rde/RydeEncoder.java
@ -16,6 +16,8 @@ package google.registry.rde;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.rde.RydeCompression.openCompressor;
 import static google.registry.rde.RydeEncryption.RYDE_USE_INTEGRITY_PACKET;
 import static google.registry.rde.RydeEncryption.openEncryptor;
 import com.google.common.collect.ImmutableList;
 import com.google.common.io.Closer;
@ -69,7 +71,7 @@ public final class RydeEncoder extends FilterOutputStream {
    super(null);
    this.sigOutput = sigOutput;
    signer = closer.register(new RydePgpSigningOutputStream(checkNotNull(rydeOutput), signingKey));
-    encryptLayer = closer.register(new RydePgpEncryptionOutputStream(signer, receiverKeys));
+    encryptLayer = closer.register(openEncryptor(signer, RYDE_USE_INTEGRITY_PACKET, receiverKeys));
    kompressor = closer.register(openCompressor(encryptLayer));
    fileLayer =
        closer.register(new RydePgpFileOutputStream(kompressor, modified, filenamePrefix + ".tar"));
--- a/java/google/registry/rde/RydeEncryption.java
+++ b/java/google/registry/rde/RydeEncryption.java
@ -0,0 +1,203 @@
 // Copyright 2018 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.rde;
 import static com.google.common.base.Preconditions.checkArgument;
 import static org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags.AES_128;
 import static org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;
 import google.registry.util.ImprovedInputStream;
 import google.registry.util.ImprovedOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.security.NoSuchAlgorithmException;
 import java.security.ProviderException;
 import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import javax.annotation.CheckReturnValue;
 import javax.annotation.WillNotClose;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
 import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyKeyEncryptionMethodGenerator;
 /**
 * Input/Output Streams for encryption and decryption of RyDE and GhostRyDE files.
 *
 * <p>This uses 128-bit AES (Rijndael) as the symmetric encryption algorithm. This is the only key
 * strength ICANN allows. The other valid algorithms are TripleDES and CAST5 per RFC 4880. It's
 * probably for the best that we're not using AES-256 since it's been weakened over the years to
 * potentially being worse than AES-128.
 *
 * <p>The key for the symmetric algorithm is generated by a random number generator which SHOULD
 * come from {@code /dev/random} (see: {@link sun.security.provider.NativePRNG}) but Java doesn't
 * offer any guarantees that {@link SecureRandom} isn't pseudo-random.
 *
 * <p>The asymmetric algorithm is whatever one is associated with the {@link PGPPublicKey} object
 * you provide. That should be either RSA or DSA, per the ICANN escrow spec. The underlying {@link
 * PGPEncryptedDataGenerator} class uses PGP Cipher Feedback Mode to chain blocks. No integrity
 * packet is used.
 *
 * @see <a href="http://tools.ietf.org/html/rfc4880">RFC 4880 (OpenPGP Message Format)</a>
 * @see <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES (Wikipedia)</a>
 */
 final class RydeEncryption {
  private static final int BUFFER_SIZE = 64 * 1024;
  /**
   * The symmetric encryption algorithm to use. Do not change this value without checking the RFCs
   * to make sure the encryption algorithm and strength combination is allowed.
   *
   * @see org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags
   */
  private static final int CIPHER = AES_128;
  /**
   * This option adds an additional checksum to the OpenPGP message. From what I can tell, this is
   * meant to fix a bug that made a certain type of message tampering possible. GPG will actually
   * complain on the command line when decrypting a message without this feature.
   *
   * <p>However I'm reasonably certain that this is not required if you have a signature (and
   * remember to use it!) and the ICANN requirements document do not mention this. So we're going to
   * leave it out.
   */
  static final boolean RYDE_USE_INTEGRITY_PACKET = false;
  /**
   * Unlike Ryde, we're going to enable the integrity packet because it makes GnuPG happy. It's also
   * probably necessary to prevent tampering since we don't sign ghostryde files.
   */
  static final boolean GHOSTRYDE_USE_INTEGRITY_PACKET = true;
  /**
   * The source of random bits. This should not be changed at Google because it uses dev random in
   * production, and the testing environment is configured to make this go fast and not drain system
   * entropy.
   *
   * @see SecureRandom#getInstance(String)
   */
  private static final String RANDOM_SOURCE = "NativePRNG";
  /**
   * Creates an OutputStream that encrypts data for the owners of {@code receiverKeys}.
   *
   * <p>TODO(b/110465964): document where the input comes from / output goes to. Something like
   * documenting that os is the upstream OutputStream and the result goes into openCompressor.
   *
   * @param os where to write the encrypted data. Is not closed by this object.
   * @param withIntegrityPacket whether to add the integrity packet to the encrypted data. Not
   *     allowed in RyDE.
   * @param receiverKeys at least one encryption key. The message will be decryptable with any of
   *     the given keys.
   * @throws IllegalArgumentException if {@code publicKey} is invalid
   * @throws RuntimeException to rethrow {@link PGPException} and {@link IOException}
   */
  @CheckReturnValue
  static ImprovedOutputStream openEncryptor(
      @WillNotClose OutputStream os,
      boolean withIntegrityPacket,
      Collection<PGPPublicKey> receiverKeys) {
    try {
      PGPEncryptedDataGenerator encryptor =
          new PGPEncryptedDataGenerator(
              new JcePGPDataEncryptorBuilder(CIPHER)
                  .setWithIntegrityPacket(withIntegrityPacket)
                  .setSecureRandom(SecureRandom.getInstance(RANDOM_SOURCE))
                  .setProvider(PROVIDER_NAME));
      checkArgument(!receiverKeys.isEmpty(), "Must give at least one receiver key");
      receiverKeys.forEach(
          key -> encryptor.addMethod(new JcePublicKeyKeyEncryptionMethodGenerator(key)));
      return new ImprovedOutputStream("RydeEncryptor", encryptor.open(os, new byte[BUFFER_SIZE]));
    } catch (NoSuchAlgorithmException e) {
      throw new ProviderException(e);
    } catch (IOException | PGPException e) {
      throw new RuntimeException(e);
    }
  }
  /**
   * Creates an InputStream that encrypts data for the owners of {@code receiverKeys}.
   *
   * <p>TODO(b/110465964): document where the input comes from / output goes to. Something like
   * documenting that input is upstream InputStream and the result goes into openDecompressor.
   *
   * @param input from where to read the encrypted data. Is not closed by this object.
   * @param checkIntegrityPacket whether to check the integrity packet on the encrypted data. Only
   *     use if the integrety packet was created when encrypting.
   * @param privateKey the private counterpart of one of the receiverKeys used to encrypt.
   * @throws IllegalArgumentException if {@code publicKey} is invalid
   * @throws RuntimeException to rethrow {@link PGPException} and {@link IOException}
   */
  @CheckReturnValue
  static ImprovedInputStream openDecryptor(
      @WillNotClose InputStream input, boolean checkIntegrityPacket, PGPPrivateKey privateKey) {
    try {
      PGPEncryptedDataList ciphertextList =
          PgpUtils.readSinglePgpObject(input, PGPEncryptedDataList.class);
      // Go over all the possible decryption keys, and look for the one that has our key ID.
      Optional<PGPPublicKeyEncryptedData> cyphertext =
          PgpUtils.stream(ciphertextList, PGPPublicKeyEncryptedData.class)
              .filter(ciphertext -> ciphertext.getKeyID() == privateKey.getKeyID())
              .findAny();
      // If we can't find one with our key ID, then we can't decrypt the file!
      if (!cyphertext.isPresent()) {
        String keyIds =
            PgpUtils.stream(ciphertextList, PGPPublicKeyEncryptedData.class)
                .map(ciphertext -> Long.toHexString(ciphertext.getKeyID()))
                .collect(Collectors.joining(","));
        throw new PGPException(
            String.format(
                "Message was encrypted for keyids [%s] but ours is %x",
                keyIds, privateKey.getKeyID()));
      }
      InputStream dataStream =
          cyphertext.get().getDataStream(
              new JcePublicKeyDataDecryptorFactoryBuilder()
                  .setProvider(PROVIDER_NAME)
                  .build(privateKey));
      if (!checkIntegrityPacket) {
        return new ImprovedInputStream("RydeDecryptor", dataStream);
      }
      // We want an input stream that also verifies ciphertext wasn't corrupted or tampered with
      // when the stream is closed.
      return new ImprovedInputStream("RydeDecryptor", dataStream) {
        @Override
        protected void onClose() throws IOException {
          try {
            if (!cyphertext.get().verify()) {
              throw new PGPException("integrity check failed: possible tampering D:");
            }
          } catch (PGPException e) {
            throw new IllegalStateException(e);
          }
        }
      };
    } catch (PGPException e) {
      throw new RuntimeException(e);
    }
  }
  private RydeEncryption() {}
 }
--- a/java/google/registry/rde/RydePgpEncryptionOutputStream.java
+++ b/java/google/registry/rde/RydePgpEncryptionOutputStream.java
@ -1,118 +0,0 @@
 // Copyright 2017 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.rde;
 import static com.google.common.base.Preconditions.checkArgument;
 import static org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags.AES_128;
 import static org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;
 import google.registry.util.ImprovedOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.security.NoSuchAlgorithmException;
 import java.security.ProviderException;
 import java.security.SecureRandom;
 import java.util.Collection;
 import javax.annotation.WillNotClose;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyKeyEncryptionMethodGenerator;
 /**
 * OpenPGP encryption service that wraps an {@link OutputStream}.
 *
 * <p>This uses 128-bit AES (Rijndael) as the symmetric encryption algorithm. This is the only key
 * strength ICANN allows. The other valid algorithms are TripleDES and CAST5 per RFC 4880. It's
 * probably for the best that we're not using AES-256 since it's been weakened over the years to
 * potentially being worse than AES-128.
 *
 * <p>The key for the symmetric algorithm is generated by a random number generator which SHOULD
 * come from {@code /dev/random} (see: {@link sun.security.provider.NativePRNG}) but Java doesn't
 * offer any guarantees that {@link SecureRandom} isn't pseudo-random.
 *
 * <p>The asymmetric algorithm is whatever one is associated with the {@link PGPPublicKey} object
 * you provide. That should be either RSA or DSA, per the ICANN escrow spec. The underlying
 * {@link PGPEncryptedDataGenerator} class uses PGP Cipher Feedback Mode to chain blocks. No
 * integrity packet is used.
 *
 * @see <a href="http://tools.ietf.org/html/rfc4880">RFC 4880 (OpenPGP Message Format)</a>
 * @see <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES (Wikipedia)</a>
 */
 public class RydePgpEncryptionOutputStream extends ImprovedOutputStream {
  private static final int BUFFER_SIZE = 64 * 1024;
  /**
   * The symmetric encryption algorithm to use. Do not change this value without checking the
   * RFCs to make sure the encryption algorithm and strength combination is allowed.
   *
   * @see org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags
   */
  private static final int CIPHER = AES_128;
  /**
   * This option adds an additional checksum to the OpenPGP message. From what I can tell, this is
   * meant to fix a bug that made a certain type of message tampering possible. GPG will actually
   * complain on the command line when decrypting a message without this feature.
   *
   * <p>However I'm reasonably certain that this is not required if you have a signature (and
   * remember to use it!) and the ICANN requirements document do not mention this. So we're going
   * to leave it out.
   */
  private static final boolean USE_INTEGRITY_PACKET = false;
  /**
   * The source of random bits. This should not be changed at Google because it uses dev random
   * in production, and the testing environment is configured to make this go fast and not drain
   * system entropy.
   *
   * @see SecureRandom#getInstance(String)
   */
  private static final String RANDOM_SOURCE = "NativePRNG";
  /**
   * Creates a new instance that encrypts data for the owner of {@code receiverKey}.
   *
   * @param os is the upstream {@link OutputStream} which is not closed by this object
   * @throws IllegalArgumentException if {@code publicKey} is invalid
   * @throws RuntimeException to rethrow {@link PGPException} and {@link IOException}
   */
  public RydePgpEncryptionOutputStream(
      @WillNotClose OutputStream os,
      Collection<PGPPublicKey> receiverKeys) {
    super("RydePgpEncryptionOutputStream", createDelegate(os, receiverKeys));
  }
  private static OutputStream createDelegate(
      OutputStream os, Collection<PGPPublicKey> receiverKeys) {
    try {
      PGPEncryptedDataGenerator encryptor = new PGPEncryptedDataGenerator(
          new JcePGPDataEncryptorBuilder(CIPHER)
              .setWithIntegrityPacket(USE_INTEGRITY_PACKET)
              .setSecureRandom(SecureRandom.getInstance(RANDOM_SOURCE))
              .setProvider(PROVIDER_NAME));
      checkArgument(!receiverKeys.isEmpty(), "Must give at least one receiver key");
      receiverKeys.forEach(
          key -> encryptor.addMethod(new JcePublicKeyKeyEncryptionMethodGenerator(key)));
      return encryptor.open(os, new byte[BUFFER_SIZE]);
    } catch (NoSuchAlgorithmException e) {
      throw new ProviderException(e);
    } catch (IOException | PGPException e) {
      throw new RuntimeException(e);
    }
  }
 }
--- a/javatests/google/registry/rde/GhostrydeTest.java
+++ b/javatests/google/registry/rde/GhostrydeTest.java
@ -161,13 +161,15 @@ public class GhostrydeTest {
    korruption(ciphertext, ciphertext.length / 2);
    ByteArrayInputStream bsIn = new ByteArrayInputStream(ciphertext);
    RuntimeException thrown =
        assertThrows(
-        PGPException.class,
+            RuntimeException.class,
            () -> {
              try (InputStream decoder = Ghostryde.decoder(bsIn, privateKey)) {
                ByteStreams.copy(decoder, ByteStreams.nullOutputStream());
              }
            });
    assertThat(thrown).hasCauseThat().isInstanceOf(PGPException.class);
  }
  @Test
@ -219,15 +221,17 @@ public class GhostrydeTest {
    }
    ByteArrayInputStream bsIn = new ByteArrayInputStream(bsOut.toByteArray());
-    PGPException thrown =
+    RuntimeException thrown =
        assertThrows(
-            PGPException.class,
+            RuntimeException.class,
            () -> {
              try (InputStream decoder = Ghostryde.decoder(bsIn, privateKey)) {
                ByteStreams.copy(decoder, ByteStreams.nullOutputStream());
              }
            });
    assertThat(thrown).hasCauseThat().isInstanceOf(PGPException.class);
    assertThat(thrown)
        .hasCauseThat()
        .hasMessageThat()
        .contains(
            "Message was encrypted for keyids [a59c132f3589a1d5] but ours is c9598c84ec70b9fd");
--- a/javatests/google/registry/rde/RydeEncryptionTest.java
+++ b/javatests/google/registry/rde/RydeEncryptionTest.java
@ -0,0 +1,155 @@
 // Copyright 2018 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.rde;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.keyring.api.PgpHelper.KeyRequirement.ENCRYPT;
 import static google.registry.testing.JUnitBackports.assertThrows;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.common.collect.ImmutableList;
 import com.google.common.io.ByteStreams;
 import google.registry.testing.BouncyCastleProviderRule;
 import google.registry.testing.FakeKeyringModule;
 import google.registry.testing.ShardableTestCase;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.Base64;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public final class RydeEncryptionTest extends ShardableTestCase {
  @Rule public final BouncyCastleProviderRule bouncy = new BouncyCastleProviderRule();
  @Test
  public void testSuccess_oneReceiver_decryptWithCorrectKey() throws Exception {
    FakeKeyringModule keyringModule = new FakeKeyringModule();
    PGPKeyPair key = keyringModule.get("rde-unittest@registry.test", ENCRYPT);
    byte[] expected = "Testing 1, 2, 3".getBytes(UTF_8);
    ByteArrayOutputStream output = new ByteArrayOutputStream();
    try (OutputStream encryptor =
        RydeEncryption.openEncryptor(output, false, ImmutableList.of(key.getPublicKey()))) {
      encryptor.write(expected);
    }
    byte[] encryptedData = output.toByteArray();
    ByteArrayInputStream input = new ByteArrayInputStream(encryptedData);
    try (InputStream decryptor = RydeEncryption.openDecryptor(input, false, key.getPrivateKey())) {
      assertThat(ByteStreams.toByteArray(decryptor)).isEqualTo(expected);
    }
  }
  @Test
  public void testFail_oneReceiver_decryptWithWrongKey() throws Exception {
    FakeKeyringModule keyringModule = new FakeKeyringModule();
    PGPKeyPair key = keyringModule.get("rde-unittest@registry.test", ENCRYPT);
    PGPKeyPair wrongKey = keyringModule.get("rde-unittest-dsa@registry.test", ENCRYPT);
    assertThat(key.getKeyID()).isNotEqualTo(wrongKey.getKeyID());
    byte[] expected = "Testing 1, 2, 3".getBytes(UTF_8);
    ByteArrayOutputStream output = new ByteArrayOutputStream();
    try (OutputStream encryptor =
        RydeEncryption.openEncryptor(output, false, ImmutableList.of(key.getPublicKey()))) {
      encryptor.write(expected);
    }
    byte[] encryptedData = output.toByteArray();
    ByteArrayInputStream input = new ByteArrayInputStream(encryptedData);
    RuntimeException thrown =
        assertThrows(
            RuntimeException.class,
            () -> {
              RydeEncryption.openDecryptor(input, false, wrongKey.getPrivateKey()).read();
            });
    assertThat(thrown).hasCauseThat().isInstanceOf(PGPException.class);
  }
  @Test
  public void testSuccess_twoReceivers() throws Exception {
    FakeKeyringModule keyringModule = new FakeKeyringModule();
    PGPKeyPair key1 = keyringModule.get("rde-unittest@registry.test", ENCRYPT);
    PGPKeyPair key2 = keyringModule.get("rde-unittest-dsa@registry.test", ENCRYPT);
    assertThat(key1.getKeyID()).isNotEqualTo(key2.getKeyID());
    byte[] expected = "Testing 1, 2, 3".getBytes(UTF_8);
    ByteArrayOutputStream output = new ByteArrayOutputStream();
    try (OutputStream encryptor =
        RydeEncryption.openEncryptor(
            output, false, ImmutableList.of(key1.getPublicKey(), key2.getPublicKey()))) {
      encryptor.write(expected);
    }
    byte[] encryptedData = output.toByteArray();
    ByteArrayInputStream input = new ByteArrayInputStream(encryptedData);
    try (InputStream decryptor = RydeEncryption.openDecryptor(input, false, key1.getPrivateKey())) {
      assertThat(ByteStreams.toByteArray(decryptor)).isEqualTo(expected);
    }
    input.reset();
    try (InputStream decryptor = RydeEncryption.openDecryptor(input, false, key2.getPrivateKey())) {
      assertThat(ByteStreams.toByteArray(decryptor)).isEqualTo(expected);
    }
  }
  @Test
  public void testSuccess_decryptHasntChanged() throws Exception {
    FakeKeyringModule keyringModule = new FakeKeyringModule();
    PGPKeyPair key = keyringModule.get("rde-unittest@registry.test", ENCRYPT);
    byte[] expected = "Testing 1, 2, 3".getBytes(UTF_8);
    byte[] encryptedData =
        Base64.getMimeDecoder()
            .decode(
                "hQEMA6WcEy81iaHVAQf+I14Ewo1Fr6epwqtUoMSuy3qtobayZI54u/ohyMBgnpfts8B15320x4eO"
                    + "ElbaMKLJFZzOI8IsJRlX9mpSMp+qALdhOjXfM4q9wHNPKTRXqkhhblyTt7r4MTRp1w8lTA8R5hGO"
                    + "MCoxYwicK7DYrqL728FCeA2UBaQVXB6FZIIjujwNRzghvyqGDLLF6LxnR8ovB2PqT4Ho0wTmHWNy"
                    + "CZWyR5y9TBgTZWpIoNFuHQGe8egz/rTR+ixp1Ru3lxib7xuJVQyjbiGMO+lk4ffeEg4KpwEFblMx"
                    + "s17nxCrT5E30qktKjRQopvGICSrxyMGrbyUu5HdASZDj4jyqgP152KxJ18khC05Kf6zT4ouLoJHB"
                    + "XENDmLN3Onf6IwR043Lk0KISKi6z");
    ByteArrayInputStream input = new ByteArrayInputStream(encryptedData);
    try (InputStream decryptor = RydeEncryption.openDecryptor(input, false, key.getPrivateKey())) {
      assertThat(ByteStreams.toByteArray(decryptor)).isEqualTo(expected);
    }
  }
  @Test
  public void testSuccess_oneReceiver_withIntegrityPacket() throws Exception {
    FakeKeyringModule keyringModule = new FakeKeyringModule();
    PGPKeyPair key = keyringModule.get("rde-unittest@registry.test", ENCRYPT);
    byte[] expected = "Testing 1, 2, 3".getBytes(UTF_8);
    ByteArrayOutputStream output = new ByteArrayOutputStream();
    try (OutputStream encryptor =
        RydeEncryption.openEncryptor(output, true, ImmutableList.of(key.getPublicKey()))) {
      encryptor.write(expected);
    }
    byte[] encryptedData = output.toByteArray();
    ByteArrayInputStream input = new ByteArrayInputStream(encryptedData);
    try (InputStream decryptor = RydeEncryption.openDecryptor(input, true, key.getPrivateKey())) {
      assertThat(ByteStreams.toByteArray(decryptor)).isEqualTo(expected);
    }
  }
 }