passforios/passKit/Crypto/PGPAgent.swift

//
//  PGPAgent.swift
//  passKit
//
//  Created by Yishi Lin on 2019/7/17.
//  Copyright © 2019 Bob Sun. All rights reserved.
//

public class PGPAgent {
    public static let shared = PGPAgent()

    private let keyStore: KeyStore
    private var pgpInterface: PGPInterface?
    private var latestDecryptStatus = true

    public init(keyStore: KeyStore = AppKeychain.shared) {
        self.keyStore = keyStore
    }

    init(keyStore: KeyStore, pgpInterface: PGPInterface) {
        self.keyStore = keyStore
        self.pgpInterface = pgpInterface
    }

    public func initKeys() throws {
        guard let publicKey: String = keyStore.get(for: PGPKey.PUBLIC.getKeychainKey()),
              let privateKey: String = keyStore.get(for: PGPKey.PRIVATE.getKeychainKey()) else {
            pgpInterface = nil
            throw AppError.keyImport
        }
        do {
            pgpInterface = try GopenPGPInterface(publicArmoredKey: publicKey, privateArmoredKey: privateKey)
        } catch {
            pgpInterface = try ObjectivePGPInterface(publicArmoredKey: publicKey, privateArmoredKey: privateKey)
        }
    }

    public func uninitKeys() {
        pgpInterface = nil
    }

    public func isInitialized() -> Bool {
        pgpInterface != nil
    }

    public func getKeyID() throws -> [String] {
        try checkAndInit()
        return pgpInterface?.keyID ?? []
    }

    public func getShortKeyID() throws -> [String] {
        try checkAndInit()
        return pgpInterface?.shortKeyID.sorted() ?? []
    }

    public func decrypt(encryptedData: Data, keyID: String, requestPGPKeyPassphrase: @escaping (String) -> String) throws -> Data? {
        // Init keys.
        try checkAndInit()
        guard let pgpInterface else {
            throw AppError.decryption
        }

        var keyID = keyID
        if !pgpInterface.containsPrivateKey(with: keyID) {
            if pgpInterface.keyID.count == 1 {
                keyID = pgpInterface.keyID.first!
            } else {
                throw AppError.pgpPrivateKeyNotFound(keyID: keyID)
            }
        }

        // Remember the previous status and set the current status
        let previousDecryptStatus = latestDecryptStatus
        latestDecryptStatus = false

        // Get the PGP key passphrase.
        let providePassPhraseForKey = { (selectedKeyID: String) -> String in
            if previousDecryptStatus == false {
                return requestPGPKeyPassphrase(selectedKeyID)
            }
            return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)
        }
        // Decrypt.
        guard let result = try pgpInterface.decrypt(encryptedData: encryptedData, keyIDHint: keyID, passPhraseForKey: providePassPhraseForKey) else {
            return nil
        }
        // The decryption step has succeed.
        latestDecryptStatus = true
        return result
    }

    public func encrypt(plainData: Data, keyID: String) throws -> Data {
        try checkAndInit()
        guard let pgpInterface else {
            throw AppError.encryption
        }
        var keyID = keyID
        if !pgpInterface.containsPublicKey(with: keyID) {
            if pgpInterface.keyID.count == 1 {
                keyID = pgpInterface.keyID.first!
            } else {
                throw AppError.pgpPublicKeyNotFound(keyID: keyID)
            }
        }
        return try pgpInterface.encrypt(plainData: plainData, keyID: keyID)
    }

    public func decrypt(encryptedData: Data, requestPGPKeyPassphrase: @escaping (String) -> String) throws -> Data? {
        // Remember the previous status and set the current status
        let previousDecryptStatus = latestDecryptStatus
        latestDecryptStatus = false
        // Init keys.
        try checkAndInit()
        // Get the PGP key passphrase.
        let providePassPhraseForKey = { (selectedKeyID: String) -> String in
            if previousDecryptStatus == false {
                return requestPGPKeyPassphrase(selectedKeyID)
            }
            return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)
        }
        // Decrypt.
        guard let result = try pgpInterface!.decrypt(encryptedData: encryptedData, keyIDHint: nil, passPhraseForKey: providePassPhraseForKey) else {
            return nil
        }
        // The decryption step has succeed.
        latestDecryptStatus = true
        return result
    }

    public func encrypt(plainData: Data) throws -> Data {
        try checkAndInit()
        guard let pgpInterface else {
            throw AppError.encryption
        }
        return try pgpInterface.encrypt(plainData: plainData, keyID: nil)
    }

    public var isPrepared: Bool {
        keyStore.contains(key: PGPKey.PUBLIC.getKeychainKey())
            && keyStore.contains(key: PGPKey.PRIVATE.getKeychainKey())
    }

    private func checkAndInit() throws {
        if pgpInterface == nil || !keyStore.contains(key: Globals.pgpKeyPassphrase) {
            try initKeys()
        }
    }
}
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`//`
			`// PGPAgent.swift`
			`// passKit`
			`//`
			`// Created by Yishi Lin on 2019/7/17.`
			`// Copyright © 2019 Bob Sun. All rights reserved.`
			`//`

			`public class PGPAgent {`
Enable SwiftLint rule 'redundant_type_annotation' and fix all violations 2020-07-05 22:59:03 +02:00			`public static let shared = PGPAgent()`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00
			`private let keyStore: KeyStore`
Name classes/structs consistently 2020-04-19 15:41:30 +02:00			`private var pgpInterface: PGPInterface?`
Use SwiftLint version 0.43.x 2021-03-06 15:26:42 +01:00			`private var latestDecryptStatus = true`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00
			`public init(keyStore: KeyStore = AppKeychain.shared) {`
			`self.keyStore = keyStore`
			`}`

add detailed API tests checking how calls to PGPAgent propagate to the underlying interface this is refactoring support, so that we can notice changes in how the underlying APIs are called, and make changes intentionally when needed, instead of accidentally. 2026-03-11 11:36:36 +01:00			`init(keyStore: KeyStore, pgpInterface: PGPInterface) {`
			`self.keyStore = keyStore`
			`self.pgpInterface = pgpInterface`
			`}`

Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`public func initKeys() throws {`
Use SwiftFormat version 0.49.x and enable some new rules (#527) 2021-12-28 02:57:11 +01:00			`guard let publicKey: String = keyStore.get(for: PGPKey.PUBLIC.getKeychainKey()),`
			`let privateKey: String = keyStore.get(for: PGPKey.PRIVATE.getKeychainKey()) else {`
Cleanup and fix the erase logic Explicitly uninit PGP agent during erasing all data. 2019-10-01 00:40:33 +08:00			`pgpInterface = nil`
Enable SwiftLint rule 'identifier_name' and handle all violations 2020-09-20 15:07:18 +02:00			`throw AppError.keyImport`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`
			`do {`
Name classes/structs consistently 2020-04-19 15:41:30 +02:00			`pgpInterface = try GopenPGPInterface(publicArmoredKey: publicKey, privateArmoredKey: privateKey)`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`} catch {`
Name classes/structs consistently 2020-04-19 15:41:30 +02:00			`pgpInterface = try ObjectivePGPInterface(publicArmoredKey: publicKey, privateArmoredKey: privateKey)`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`
			`}`

			`public func uninitKeys() {`
			`pgpInterface = nil`
			`}`

more tests: entity fetching + erase 2026-03-09 00:34:34 +01:00			`public func isInitialized() -> Bool {`
			`pgpInterface != nil`
			`}`

Change logic of passphrass for multikeys 2020-04-13 19:15:52 -07:00			`public func getKeyID() throws -> [String] {`
Init PGPAgent while getting keyID 2019-10-01 01:19:41 +08:00			`try checkAndInit()`
Change logic of passphrass for multikeys 2020-04-13 19:15:52 -07:00			`return pgpInterface?.keyID ?? []`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`

Change logic of passphrass for multikeys 2020-04-13 19:15:52 -07:00			`public func getShortKeyID() throws -> [String] {`
Update to gopengpg v2.0.0 2020-04-11 23:23:38 -07:00			`try checkAndInit()`
Implement fail-safe mechanism if key id is not found 2020-04-17 23:56:14 -07:00			`return pgpInterface?.shortKeyID.sorted() ?? []`
Update to gopengpg v2.0.0 2020-04-11 23:23:38 -07:00			`}`

Fix fail-safe mechanism for other decryption scenarios 2020-04-18 22:35:17 -07:00			`public func decrypt(encryptedData: Data, keyID: String, requestPGPKeyPassphrase: @escaping (String) -> String) throws -> Data? {`
Do not forget pgp passphrase on decryption error #296 2019-09-30 02:05:01 +08:00			`// Init keys.`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`try checkAndInit()`
Update SwiftLint and SwiftFormat (#613) * Update Swift version used by SwiftFormat * Update SwiftLint version * Rely on new virtual 'all' rule in SwiftLint * Enable SwiftLint rule 'direct_return' rule and fix all violations * Enable SwiftLint rule 'shorthand_optional_binding' rule and fix all violations * Enable SwiftLint rule 'blanket_disable_command' rule and fix all violations 2023-04-23 22:01:37 +02:00			`guard let pgpInterface else {`
Enable SwiftLint rule 'identifier_name' and handle all violations 2020-09-20 15:07:18 +02:00			`throw AppError.decryption`
Check existence of PGP keys before encrypt/decrypt 2020-04-14 20:20:16 -07:00			`}`

Format code with SwiftFormat automatically in every build 2020-06-28 21:25:40 +02:00			`var keyID = keyID`
Check existence of PGP keys before encrypt/decrypt 2020-04-14 20:20:16 -07:00			`if !pgpInterface.containsPrivateKey(with: keyID) {`
Fix fail-safe mechanism for other decryption scenarios 2020-04-18 22:35:17 -07:00			`if pgpInterface.keyID.count == 1 {`
			`keyID = pgpInterface.keyID.first!`
			`} else {`
Enable SwiftLint rule 'identifier_name' and handle all violations 2020-09-20 15:07:18 +02:00			`throw AppError.pgpPrivateKeyNotFound(keyID: keyID)`
Fix fail-safe mechanism for other decryption scenarios 2020-04-18 22:35:17 -07:00			`}`
Check existence of PGP keys before encrypt/decrypt 2020-04-14 20:20:16 -07:00			`}`

Implement fail-safe mechanism if key id is not found 2020-04-17 23:56:14 -07:00			`// Remember the previous status and set the current status`
Format code with SwiftFormat automatically in every build 2020-06-28 21:25:40 +02:00			`let previousDecryptStatus = latestDecryptStatus`
			`latestDecryptStatus = false`
Implement fail-safe mechanism if key id is not found 2020-04-17 23:56:14 -07:00
Do not forget pgp passphrase on decryption error #296 2019-09-30 02:05:01 +08:00			`// Get the PGP key passphrase.`
decryption: always request key passphrase based on key ID 2026-03-10 17:14:11 +01:00			`let providePassPhraseForKey = { (selectedKeyID: String) -> String in`
			`if previousDecryptStatus == false {`
			`return requestPGPKeyPassphrase(selectedKeyID)`
			`}`
			`return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)`
Do not forget pgp passphrase on decryption error #296 2019-09-30 02:05:01 +08:00			`}`
			`// Decrypt.`
decryption: GopenPGPInterface tries to identify decryption key from message metadata So the system can have multiple private keys, and the caller doesn't need to specify a specific one regardless. Ideally: If there are several matches we could also take into account which keys have already been unlocked (or passthrases saved in keychain). Right now it only grabs the first match. 2026-03-10 22:16:42 +01:00			`guard let result = try pgpInterface.decrypt(encryptedData: encryptedData, keyIDHint: keyID, passPhraseForKey: providePassPhraseForKey) else {`
Do not forget pgp passphrase on decryption error #296 2019-09-30 02:05:01 +08:00			`return nil`
			`}`
			`// The decryption step has succeed.`
Format code with SwiftFormat automatically in every build 2020-06-28 21:25:40 +02:00			`latestDecryptStatus = true`
Do not forget pgp passphrase on decryption error #296 2019-09-30 02:05:01 +08:00			`return result`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`

Partially implement multikeys support (decryption) 2020-04-13 01:30:00 -07:00			`public func encrypt(plainData: Data, keyID: String) throws -> Data {`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`try checkAndInit()`
Update SwiftLint and SwiftFormat (#613) * Update Swift version used by SwiftFormat * Update SwiftLint version * Rely on new virtual 'all' rule in SwiftLint * Enable SwiftLint rule 'direct_return' rule and fix all violations * Enable SwiftLint rule 'shorthand_optional_binding' rule and fix all violations * Enable SwiftLint rule 'blanket_disable_command' rule and fix all violations 2023-04-23 22:01:37 +02:00			`guard let pgpInterface else {`
Enable SwiftLint rule 'identifier_name' and handle all violations 2020-09-20 15:07:18 +02:00			`throw AppError.encryption`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`
No need to select key for encryption if there only one imported key 2020-04-18 23:21:50 -07:00			`var keyID = keyID`
Check existence of PGP keys before encrypt/decrypt 2020-04-14 20:20:16 -07:00			`if !pgpInterface.containsPublicKey(with: keyID) {`
No need to select key for encryption if there only one imported key 2020-04-18 23:21:50 -07:00			`if pgpInterface.keyID.count == 1 {`
			`keyID = pgpInterface.keyID.first!`
			`} else {`
Enable SwiftLint rule 'identifier_name' and handle all violations 2020-09-20 15:07:18 +02:00			`throw AppError.pgpPublicKeyNotFound(keyID: keyID)`
No need to select key for encryption if there only one imported key 2020-04-18 23:21:50 -07:00			`}`
Check existence of PGP keys before encrypt/decrypt 2020-04-14 20:20:16 -07:00			`}`
Partially implement multikeys support (decryption) 2020-04-13 01:30:00 -07:00			`return try pgpInterface.encrypt(plainData: plainData, keyID: keyID)`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`

decryption: always request key passphrase based on key ID 2026-03-10 17:14:11 +01:00			`public func decrypt(encryptedData: Data, requestPGPKeyPassphrase: @escaping (String) -> String) throws -> Data? {`
Add ignore .gpg-id switch default ON 2021-01-07 21:58:38 -08:00			`// Remember the previous status and set the current status`
Format code with SwiftFormat 2021-01-31 13:17:37 +01:00			`let previousDecryptStatus = latestDecryptStatus`
			`latestDecryptStatus = false`
Add ignore .gpg-id switch default ON 2021-01-07 21:58:38 -08:00			`// Init keys.`
			`try checkAndInit()`
			`// Get the PGP key passphrase.`
decryption: always request key passphrase based on key ID 2026-03-10 17:14:11 +01:00			`let providePassPhraseForKey = { (selectedKeyID: String) -> String in`
			`if previousDecryptStatus == false {`
			`return requestPGPKeyPassphrase(selectedKeyID)`
			`}`
			`return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)`
Add ignore .gpg-id switch default ON 2021-01-07 21:58:38 -08:00			`}`
			`// Decrypt.`
decryption: GopenPGPInterface tries to identify decryption key from message metadata So the system can have multiple private keys, and the caller doesn't need to specify a specific one regardless. Ideally: If there are several matches we could also take into account which keys have already been unlocked (or passthrases saved in keychain). Right now it only grabs the first match. 2026-03-10 22:16:42 +01:00			`guard let result = try pgpInterface!.decrypt(encryptedData: encryptedData, keyIDHint: nil, passPhraseForKey: providePassPhraseForKey) else {`
Add ignore .gpg-id switch default ON 2021-01-07 21:58:38 -08:00			`return nil`
			`}`
			`// The decryption step has succeed.`
Format code with SwiftFormat 2021-01-31 13:17:37 +01:00			`latestDecryptStatus = true`
Add ignore .gpg-id switch default ON 2021-01-07 21:58:38 -08:00			`return result`
			`}`

			`public func encrypt(plainData: Data) throws -> Data {`
			`try checkAndInit()`
Update SwiftLint and SwiftFormat (#613) * Update Swift version used by SwiftFormat * Update SwiftLint version * Rely on new virtual 'all' rule in SwiftLint * Enable SwiftLint rule 'direct_return' rule and fix all violations * Enable SwiftLint rule 'shorthand_optional_binding' rule and fix all violations * Enable SwiftLint rule 'blanket_disable_command' rule and fix all violations 2023-04-23 22:01:37 +02:00			`guard let pgpInterface else {`
Add ignore .gpg-id switch default ON 2021-01-07 21:58:38 -08:00			`throw AppError.encryption`
			`}`
			`return try pgpInterface.encrypt(plainData: plainData, keyID: nil)`
			`}`

Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`public var isPrepared: Bool {`
Use SwiftFormat version 0.49.x and enable some new rules (#527) 2021-12-28 02:57:11 +01:00			`keyStore.contains(key: PGPKey.PUBLIC.getKeychainKey())`
			`&& keyStore.contains(key: PGPKey.PRIVATE.getKeychainKey())`
Separate encryption/decryption logic for different frameworks used 2019-09-08 23:00:46 +02:00			`}`

			`private func checkAndInit() throws {`
			`if pgpInterface == nil \|\| !keyStore.contains(key: Globals.pgpKeyPassphrase) {`
			`try initKeys()`
			`}`
			`}`
			`}`