decryption: always request key passphrase based on key ID

2026-03-10 17:14:11 +01:00 · 2026-03-10 17:14:11 +01:00 · 01739e5aec
commit 01739e5aec
parent c4f81c16eb
4 changed files with 23 additions and 17 deletions
--- a/passKit/Crypto/PGPAgent.swift
+++ b/passKit/Crypto/PGPAgent.swift
@ -69,14 +69,14 @@ public class PGPAgent {
        latestDecryptStatus = false

        // Get the PGP key passphrase.
-        var passphrase = ""
-        if previousDecryptStatus == false {
-            passphrase = requestPGPKeyPassphrase(keyID)
-        } else {
-            passphrase = keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: keyID)) ?? requestPGPKeyPassphrase(keyID)
+        let providePassPhraseForKey = { (selectedKeyID: String) -> String in
+            if previousDecryptStatus == false {
+                return requestPGPKeyPassphrase(selectedKeyID)
+            }
+            return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)
        }
        // Decrypt.
-        guard let result = try pgpInterface.decrypt(encryptedData: encryptedData, keyID: keyID, passphrase: passphrase) else {
+        guard let result = try pgpInterface.decrypt(encryptedData: encryptedData, keyID: keyID, passPhraseForKey: providePassPhraseForKey) else {
            return nil
        }
        // The decryption step has succeed.
@ -100,21 +100,21 @@ public class PGPAgent {
        return try pgpInterface.encrypt(plainData: plainData, keyID: keyID)
    }

-    public func decrypt(encryptedData: Data, requestPGPKeyPassphrase: (String) -> String) throws -> Data? {
+    public func decrypt(encryptedData: Data, requestPGPKeyPassphrase: @escaping (String) -> String) throws -> Data? {
        // Remember the previous status and set the current status
        let previousDecryptStatus = latestDecryptStatus
        latestDecryptStatus = false
        // Init keys.
        try checkAndInit()
        // Get the PGP key passphrase.
-        var passphrase = ""
-        if previousDecryptStatus == false {
-            passphrase = requestPGPKeyPassphrase("")
-        } else {
-            passphrase = keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: "")) ?? requestPGPKeyPassphrase("")
+        let providePassPhraseForKey = { (selectedKeyID: String) -> String in
+            if previousDecryptStatus == false {
+                return requestPGPKeyPassphrase(selectedKeyID)
+            }
+            return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)
        }
        // Decrypt.
-        guard let result = try pgpInterface!.decrypt(encryptedData: encryptedData, keyID: nil, passphrase: passphrase) else {
+        guard let result = try pgpInterface!.decrypt(encryptedData: encryptedData, keyID: nil, passPhraseForKey: providePassPhraseForKey) else {
            return nil
        }
        // The decryption step has succeed.