keyfork-shard: add new methods to trait to support split()

crates/keyfork-shard/src/bin/keyfork-shard-combine-openpgp.rs

@@ -32,9 +32,7 @@ fn run() -> Result<()> {
     };
 
     let openpgp = OpenPGP;
-
     let bytes = openpgp.decrypt_all_shards_to_secret(key_discovery, messages_file)?;
-
     print!("{}", smex::encode(&bytes));
 
     Ok(())

crates/keyfork-shard/src/lib.rs

@@ -31,17 +31,20 @@ pub trait Format {
     type Error: std::error::Error + 'static;
 
     /// A type encapsulating the public key recipients of shards.
-    type PublicKeyData;
+    type PublicKeyData: IntoIterator<Item = Self::PublicKey>;
+
+    /// A type encapsulating a single public key recipient.
+    type PublicKey;
 
     /// A type encapsulating the private key recipients of shards.
     type PrivateKeyData;
 
+    /// A type representing a Signer derived from the secret.
+    type SigningKey;
+
     /// A type representing the parsed, but encrypted, Shard data.
     type ShardData;
 
-    /// A type representing a Signer derived from the secret.
-    type Signer;
-
     /// Parse the public key data from a readable type.
     ///
     /// # Errors
@@ -53,6 +56,36 @@ pub trait Format {
         key_data_path: impl AsRef<Path>,
     ) -> Result<Self::PublicKeyData, Self::Error>;
 
+    /// Derive a signer
+    fn derive_signing_key(&self, seed: &[u8]) -> Self::SigningKey;
+
+    /// Format a header containing necessary metadata. Such metadata contains a version byte, a
+    /// threshold byte, a public version of the [`Format::SigningKey`], and the public keys used to
+    /// encrypt shards. The public keys must be kept _in order_ to the encrypted shards. Keyfork
+    /// will use the same key_data for both, ensuring an iteration of this method will match with
+    /// iterations in methods called later.
+    ///
+    /// # Errors
+    /// The method may return an error if encryption to any of the public keys fails.
+    fn format_encrypted_header(
+        &self,
+        signing_key: &Self::SigningKey,
+        key_data: &Self::PublicKeyData,
+        threshold: u8,
+    ) -> Result<Vec<u8>, Self::Error>;
+
+    /// Format a shard encrypted to the given public key, signing with the private key.
+    ///
+    /// # Errors
+    /// The method may return an error if the public key used to encrypt the shard is unsuitable
+    /// for encryption, or if an error occurs while encrypting.
+    fn encrypt_shard(
+        &self,
+        shard: &[u8],
+        public_key: &Self::PublicKey,
+        signing_key: &mut Self::SigningKey,
+    ) -> Result<Vec<u8>, Self::Error>;
+
     /// Parse the private key data from a readable type. The private key may not be accessible (it
     /// may be hardware only, such as a smartcard), for which this method may return None.
     ///
@@ -85,24 +118,6 @@ pub trait Format {
         shard_file: impl Write,
     ) -> Result<(), Self::Error>;
 
-    /// Derive a Signer from the secret.
-    ///
-    /// # Errors
-    /// This function may return an error if a Signer could not be properly created.
-    fn derive_signer(&self, secret: &[u8]) -> Result<Self::Signer, Self::Error>;
-
-    /// Encrypt multiple shares to public keys.
-    ///
-    /// # Errors
-    /// The method may return an error if the share could not be encrypted to a public key or if
-    /// the ShardData could not be created.
-    fn generate_shard_data(
-        &self,
-        shares: &[Share],
-        signer: &Self::Signer,
-        public_keys: Self::PublicKeyData,
-    ) -> Result<Self::ShardData, Self::Error>;
-
     /// Decrypt shares and associated metadata from a readable input. For the current version of
     /// Keyfork, the only associated metadata is a u8 representing the threshold to combine
     /// secrets.

crates/keyfork-shard/src/openpgp.rs

@@ -57,9 +57,8 @@ const SHARD_METADATA_VERSION: u8 = 1;
 const SHARD_METADATA_OFFSET: usize = 2;
 
 use super::{
-    InvalidData, SharksError, HUNK_VERSION, QRCODE_COULDNT_READ, QRCODE_ERROR, QRCODE_PROMPT,
+    Format, InvalidData, SharksError, HUNK_VERSION, QRCODE_COULDNT_READ, QRCODE_ERROR,
-    QRCODE_TIMEOUT,
+    QRCODE_PROMPT, QRCODE_TIMEOUT,
-    Format,
 };
 
 // 256 bit share is 49 bytes + some amount of hunk bytes, gives us reasonable padding
@@ -256,10 +255,11 @@ impl OpenPGP {
 
 impl Format for OpenPGP {
     type Error = Error;
+    type PublicKey = Cert;
     type PublicKeyData = Vec<Cert>;
     type PrivateKeyData = Vec<Cert>;
+    type SigningKey = Cert;
     type ShardData = Vec<EncryptedMessage>;
-    type Signer = openpgp::crypto::KeyPair;
 
     fn parse_public_key_data(
         &self,
@@ -268,6 +268,145 @@ impl Format for OpenPGP {
         Self::discover_certs(key_data_path)
     }
 
+    /// Derive an OpenPGP Shard certificate from the given seed.
+    fn derive_signing_key(&self, seed: &[u8]) -> Self::SigningKey {
+        let seed = VariableLengthSeed::new(seed);
+        // build cert to sign encrypted shares
+        let userid = UserID::from("keyfork-sss");
+        let path = DerivationPath::from_str("m/7366512'/0'").expect("valid derivation path");
+        let xprv = XPrv::new(seed)
+            .derive_path(&path)
+            .expect("valid derivation");
+        keyfork_derive_openpgp::derive(
+            xprv,
+            &[KeyFlags::empty().set_certification().set_signing()],
+            &userid,
+        )
+        .expect("valid cert creation")
+    }
+
+    fn format_encrypted_header(
+        &self,
+        signing_key: &Self::SigningKey,
+        key_data: &Self::PublicKeyData,
+        threshold: u8,
+    ) -> Result<Vec<u8>, Self::Error> {
+        let policy = StandardPolicy::new();
+        let mut pp = vec![SHARD_METADATA_VERSION, threshold];
+        // Note: Sequoia does not export private keys on a Cert, only on a TSK
+        signing_key
+            .serialize(&mut pp)
+            .expect("serialize cert into bytes");
+        for cert in key_data {
+            cert.serialize(&mut pp)
+                .expect("serialize pubkey into bytes");
+        }
+
+        // verify packet pile
+        let mut iter = openpgp::cert::CertParser::from_bytes(&pp[SHARD_METADATA_OFFSET..])
+            .expect("should have certs");
+        let first_cert = iter.next().transpose().ok().flatten().expect("first cert");
+        assert_eq!(signing_key, &first_cert);
+
+        for (packet_cert, cert) in iter.zip(key_data) {
+            assert_eq!(
+                &packet_cert.expect("parsed packet cert"),
+                cert,
+                "packet pile could not recreate cert: {}",
+                cert.fingerprint(),
+            );
+        }
+
+        let valid_certs = key_data
+            .iter()
+            .map(|c| c.with_policy(&policy, None))
+            .collect::<openpgp::Result<Vec<_>>>()
+            .map_err(Error::Sequoia)?;
+        let recipients = valid_certs.iter().flat_map(|vc| {
+            get_encryption_keys(vc).map(|key| Recipient::new(KeyID::wildcard(), key.key()))
+        });
+
+        // Process is as follows:
+        // * Any OpenPGP message
+        // * An encrypted message
+        // * A literal message
+        // * The packet pile
+        //
+        // When decrypting, OpenPGP will see:
+        // * A message, and parse it
+        // * An encrypted message, and decrypt it
+        // * A literal message, and extract it
+        // * The packet pile
+        let mut output = vec![];
+        let message = Message::new(&mut output);
+        let encrypted_message = Encryptor2::for_recipients(message, recipients)
+            .build()
+            .map_err(Error::Sequoia)?;
+        let mut literal_message = LiteralWriter::new(encrypted_message)
+            .build()
+            .map_err(Error::Sequoia)?;
+        literal_message.write_all(&pp).map_err(Error::SequoiaIo)?;
+        literal_message.finalize().map_err(Error::Sequoia)?;
+
+        Ok(output)
+    }
+
+    fn encrypt_shard(
+        &self,
+        shard: &[u8],
+        public_key: &Cert,
+        signing_key: &mut Self::SigningKey,
+    ) -> Result<Vec<u8>> {
+        let policy = StandardPolicy::new();
+        let valid_cert = public_key
+            .with_policy(&policy, None)
+            .map_err(Error::Sequoia)?;
+        let encryption_keys = get_encryption_keys(&valid_cert).collect::<Vec<_>>();
+
+        let signing_key = signing_key
+            .primary_key()
+            .parts_into_secret()
+            .map_err(Error::Sequoia)?
+            .key()
+            .clone()
+            .into_keypair()
+            .map_err(Error::Sequoia)?;
+
+        // Process is as follows:
+        // * Any OpenPGP message
+        // * An encrypted message
+        // * A signed message
+        // * A literal message
+        // * The shard itself
+        //
+        // When decrypting, OpenPGP will see:
+        // * A message, and parse it
+        // * An encrypted message, and decrypt it
+        // * A signed message, and verify it
+        // * A literal message, and extract it
+        // * The shard itself
+        let mut message_output = vec![];
+        let message = Message::new(&mut message_output);
+        let encrypted_message = Encryptor2::for_recipients(
+            message,
+            encryption_keys
+                .iter()
+                .map(|k| Recipient::new(KeyID::wildcard(), k.key())),
+        )
+        .build()
+        .map_err(Error::Sequoia)?;
+        let signed_message = Signer::new(encrypted_message, signing_key)
+            .build()
+            .map_err(Error::Sequoia)?;
+        let mut message = LiteralWriter::new(signed_message)
+            .build()
+            .map_err(Error::Sequoia)?;
+        message.write_all(shard).map_err(Error::SequoiaIo)?;
+        message.finalize().map_err(Error::Sequoia)?;
+
+        Ok(message_output)
+    }
+
     fn parse_private_key_data(
         &self,
         key_data_path: impl AsRef<Path>,
@@ -300,29 +439,6 @@ impl Format for OpenPGP {
         Ok(encrypted_messages)
     }
 
-    fn derive_signer(&self, secret: &[u8]) -> Result<Self::Signer, Self::Error> {
-        let userid = UserID::from("keyfork-sss");
-        let path = DerivationPath::from_str("m/7366512'/0'")?;
-        let seed = VariableLengthSeed::new(secret);
-        let xprv = XPrv::new(seed).derive_path(&path)?;
-        let derived_cert = keyfork_derive_openpgp::derive(
-            xprv,
-            &[KeyFlags::empty().set_certification().set_signing()],
-            &userid,
-        )?;
-
-        let signing_key = derived_cert
-            .primary_key()
-            .parts_into_secret()
-            .map_err(Error::Sequoia)?
-            .key()
-            .clone()
-            .into_keypair()
-            .map_err(Error::Sequoia)?;
-
-        Ok(signing_key)
-    }
-
     fn format_shard_file(
         &self,
         shard_data: Self::ShardData,
@@ -336,53 +452,6 @@ impl Format for OpenPGP {
         Ok(())
     }
 
-    fn generate_shard_data(
-        &self,
-        shares: &[Share],
-        signer: &Self::Signer,
-        public_keys: Self::PublicKeyData,
-    ) -> std::result::Result<Self::ShardData, Self::Error> {
-        let policy = StandardPolicy::new();
-        let mut total_recipients = vec![];
-        let mut messages = vec![];
-
-        for (share, cert) in shares.iter().zip(public_keys) {
-            total_recipients.push(cert.clone());
-            let valid_cert = cert.with_policy(&policy, None).map_err(Error::Sequoia)?;
-            let encryption_keys = get_encryption_keys(&valid_cert).collect::<Vec<_>>();
-
-            let mut message_output = vec![];
-            let message = Message::new(&mut message_output);
-            let message = Encryptor2::for_recipients(
-                message,
-                encryption_keys
-                    .iter()
-                    .map(|k| Recipient::new(KeyID::wildcard(), k.key())),
-            )
-            .build()
-            .map_err(Error::Sequoia)?;
-            let message = Signer::new(message, signer.clone())
-                .build()
-                .map_err(Error::Sequoia)?;
-            let mut message = LiteralWriter::new(message)
-                .build()
-                .map_err(Error::Sequoia)?;
-            // NOTE: This shouldn't be an alloc, but it's a minor alloc, so it's fine.
-            message
-                .write_all(&Vec::from(share))
-                .map_err(Error::SequoiaIo)?;
-            message.finalize().map_err(Error::Sequoia)?;
-
-            messages.push(message_output);
-        }
-
-        // A little bit of back and forth, we're going to parse the messages just to serialize them
-        // later.
-        let message = messages.into_iter().flatten().collect::<Vec<_>>();
-        let data = self.parse_shard_file(message.as_slice())?;
-        Ok(data)
-    }
-
     fn decrypt_all_shards(
         &self,
         private_keys: Option<Self::PrivateKeyData>,
@@ -406,11 +475,8 @@ impl Format for OpenPGP {
         // because we control the order packets are encrypted and certificates are stored.
 
         // TODO: remove alloc, convert EncryptedMessage to &EncryptedMessage
-        let mut messages: HashMap<KeyID, EncryptedMessage> = certs
+        let mut messages: HashMap<KeyID, EncryptedMessage> =
-            .iter()
+            certs.iter().map(Cert::keyid).zip(shard_data).collect();
-            .map(Cert::keyid)
-            .zip(shard_data)
-            .collect();
         let mut decrypted_messages =
             decrypt_with_keyring(&mut messages, &certs, &policy, &mut keyring)?;
 
@@ -454,17 +520,15 @@ impl Format for OpenPGP {
 
         keyring.set_root_cert(root_cert.clone());
         manager.set_root_cert(root_cert.clone());
-        let mut messages: HashMap<KeyID, EncryptedMessage> = certs
+        let mut messages: HashMap<KeyID, EncryptedMessage> =
-            .iter()
+            certs.iter().map(Cert::keyid).zip(shard_data).collect();
-            .map(Cert::keyid)
-            .zip(shard_data)
-            .collect();
 
         let decrypted_messages =
             decrypt_with_keyring(&mut messages, &certs, &policy, &mut keyring)?;
 
         if let Some(message) = decrypted_messages.into_values().next() {
-            let share = Share::try_from(message.as_slice()).map_err(|e| SharksError::Share(e.to_string()))?;
+            let share = Share::try_from(message.as_slice())
+                .map_err(|e| SharksError::Share(e.to_string()))?;
             return Ok((share, threshold));
         }
 
@@ -472,7 +536,8 @@ impl Format for OpenPGP {
             decrypt_with_manager(1, &mut messages, &certs, &policy, &mut manager)?;
 
         if let Some(message) = decrypted_messages.into_values().next() {
-            let share = Share::try_from(message.as_slice()).map_err(|e| SharksError::Share(e.to_string()))?;
+            let share = Share::try_from(message.as_slice())
+                .map_err(|e| SharksError::Share(e.to_string()))?;
             return Ok((share, threshold));
         }
 

crates/keyfork/src/cli/recover.rs

@@ -3,10 +3,7 @@ use clap::{Parser, Subcommand};
 use std::path::PathBuf;
 
 use keyfork_mnemonic_util::Mnemonic;
-use keyfork_shard::{
+use keyfork_shard::{remote_decrypt, Format};
-    openpgp::{combine, discover_certs, parse_messages},
-    remote_decrypt,
-};
 
 type Result<T, E = Box<dyn std::error::Error>> = std::result::Result<T, E>;
 
@@ -37,15 +34,10 @@ impl RecoverSubcommands {
             } => {
                 let content = std::fs::read_to_string(shard_file)?;
                 if content.contains("BEGIN PGP MESSAGE") {
-                    let certs = key_discovery
+                    let openpgp = keyfork_shard::openpgp::OpenPGP;
-                        .as_ref()
+                    // TODO: remove .clone() by making handle() consume self
-                        .map(discover_certs)
+                    let seed = openpgp
-                        .transpose()?
+                        .decrypt_all_shards_to_secret(key_discovery.clone(), content.as_bytes())?;
-                        .unwrap_or(vec![]);
-                    let mut messages = parse_messages(content.as_bytes())?;
-                    let metadata = messages.pop_front().expect("any pgp encrypted message");
-                    let mut seed = vec![];
-                    combine(certs, &metadata, messages.into(), &mut seed)?;
                     Ok(seed)
                 } else {
                     panic!("unknown format of shard file");

crates/keyfork/src/cli/shard.rs

@@ -1,5 +1,6 @@
 use super::Keyfork;
 use clap::{builder::PossibleValue, Parser, Subcommand, ValueEnum};
+use keyfork_shard::Format as _;
 use std::{
     io::{stdin, stdout, Read, Write},
     path::{Path, PathBuf},
@@ -86,25 +87,8 @@ impl ShardExec for OpenPGP {
     where
         T: AsRef<Path>,
     {
-        let certs = key_discovery
+        let openpgp = keyfork_shard::openpgp::OpenPGP;
-            .map(|kd| keyfork_shard::openpgp::discover_certs(kd.as_ref()))
+        let bytes = openpgp.decrypt_all_shards_to_secret(key_discovery, input)?;
-            .transpose()?
-            .unwrap_or(vec![]);
-
-        let mut encrypted_messages = keyfork_shard::openpgp::parse_messages(input)?;
-        let encrypted_metadata = encrypted_messages
-            .pop_front()
-            .expect("any pgp encrypted message");
-
-        let mut bytes = vec![];
-
-        keyfork_shard::openpgp::combine(
-            certs,
-            &encrypted_metadata,
-            encrypted_messages.into(),
-            &mut bytes,
-        )?;
-
         write!(output, "{}", smex::encode(&bytes))?;
 
         Ok(())
@@ -118,21 +102,8 @@ impl ShardExec for OpenPGP {
     where
         T: AsRef<Path>,
     {
-        let certs = key_discovery
+        let openpgp = keyfork_shard::openpgp::OpenPGP;
-            .map(|kd| keyfork_shard::openpgp::discover_certs(kd.as_ref()))
+        openpgp.decrypt_one_shard_for_transport(key_discovery, input)?;
-            .transpose()?
-            .unwrap_or(vec![]);
-
-        let mut encrypted_messages = keyfork_shard::openpgp::parse_messages(input)?;
-        let encrypted_metadata = encrypted_messages
-            .pop_front()
-            .expect("any pgp encrypted message");
-
-        keyfork_shard::openpgp::decrypt(
-            &certs,
-            &encrypted_metadata,
-            encrypted_messages.make_contiguous(),
-        )?;
         Ok(())
     }
 }