decryption: always request key passphrase based on key ID

2026-03-10 17:14:11 +01:00 · 2026-03-10 17:14:11 +01:00 · 01739e5aec
commit 01739e5aec
parent c4f81c16eb
4 changed files with 23 additions and 17 deletions
--- a/passKit/Crypto/GopenPGPInterface.swift
+++ b/passKit/Crypto/GopenPGPInterface.swift
@ -70,7 +70,7 @@ struct GopenPGPInterface: PGPInterface {
        privateKeys.keys.contains { key in key.hasSuffix(keyID.lowercased()) }
    }

-    func decrypt(encryptedData: Data, keyID: String?, passphrase: String) throws -> Data? {
+    func decrypt(encryptedData: Data, keyID: String?, passPhraseForKey: @escaping (String) -> String) throws -> Data? {
        let key: CryptoKey? = {
            if let keyID {
                return privateKeys.first(where: { key, _ in key.hasSuffix(keyID.lowercased()) })?.value
@ -87,6 +87,7 @@ struct GopenPGPInterface: PGPInterface {
            try privateKey.isLocked(&isLocked)
            var unlockedKey: CryptoKey!
            if isLocked.boolValue {
+                let passphrase = passPhraseForKey(privateKey.getFingerprint())
                unlockedKey = try privateKey.unlock(passphrase.data(using: .utf8))
            } else {
                unlockedKey = privateKey
--- a/passKit/Crypto/ObjectivePGPInterface.swift
+++ b/passKit/Crypto/ObjectivePGPInterface.swift
@ -24,8 +24,13 @@ struct ObjectivePGPInterface: PGPInterface {
        }
    }

-    func decrypt(encryptedData: Data, keyID _: String?, passphrase: String) throws -> Data? {
-        try ObjectivePGP.decrypt(encryptedData, andVerifySignature: false, using: keyring.keys) { _ in passphrase }
+    func decrypt(encryptedData: Data, keyID _: String?, passPhraseForKey: @escaping (String) -> String) throws -> Data? {
+        try ObjectivePGP.decrypt(encryptedData, andVerifySignature: false, using: keyring.keys) { selectedKey in
+            guard let selectedKey else {
+                return nil
+            }
+            return passPhraseForKey(selectedKey.keyID.longIdentifier)
+        }
    }

    func encrypt(plainData: Data, keyID _: String?) throws -> Data {
--- a/passKit/Crypto/PGPAgent.swift
+++ b/passKit/Crypto/PGPAgent.swift
@ -69,14 +69,14 @@ public class PGPAgent {
        latestDecryptStatus = false

        // Get the PGP key passphrase.
-        var passphrase = ""
-        if previousDecryptStatus == false {
-            passphrase = requestPGPKeyPassphrase(keyID)
-        } else {
-            passphrase = keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: keyID)) ?? requestPGPKeyPassphrase(keyID)
+        let providePassPhraseForKey = { (selectedKeyID: String) -> String in
+            if previousDecryptStatus == false {
+                return requestPGPKeyPassphrase(selectedKeyID)
+            }
+            return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)
        }
        // Decrypt.
-        guard let result = try pgpInterface.decrypt(encryptedData: encryptedData, keyID: keyID, passphrase: passphrase) else {
+        guard let result = try pgpInterface.decrypt(encryptedData: encryptedData, keyID: keyID, passPhraseForKey: providePassPhraseForKey) else {
            return nil
        }
        // The decryption step has succeed.
@ -100,21 +100,21 @@ public class PGPAgent {
        return try pgpInterface.encrypt(plainData: plainData, keyID: keyID)
    }

-    public func decrypt(encryptedData: Data, requestPGPKeyPassphrase: (String) -> String) throws -> Data? {
+    public func decrypt(encryptedData: Data, requestPGPKeyPassphrase: @escaping (String) -> String) throws -> Data? {
        // Remember the previous status and set the current status
        let previousDecryptStatus = latestDecryptStatus
        latestDecryptStatus = false
        // Init keys.
        try checkAndInit()
        // Get the PGP key passphrase.
-        var passphrase = ""
-        if previousDecryptStatus == false {
-            passphrase = requestPGPKeyPassphrase("")
-        } else {
-            passphrase = keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: "")) ?? requestPGPKeyPassphrase("")
+        let providePassPhraseForKey = { (selectedKeyID: String) -> String in
+            if previousDecryptStatus == false {
+                return requestPGPKeyPassphrase(selectedKeyID)
+            }
+            return self.keyStore.get(for: AppKeychain.getPGPKeyPassphraseKey(keyID: selectedKeyID)) ?? requestPGPKeyPassphrase(selectedKeyID)
        }
        // Decrypt.
-        guard let result = try pgpInterface!.decrypt(encryptedData: encryptedData, keyID: nil, passphrase: passphrase) else {
+        guard let result = try pgpInterface!.decrypt(encryptedData: encryptedData, keyID: nil, passPhraseForKey: providePassPhraseForKey) else {
            return nil
        }
        // The decryption step has succeed.
--- a/passKit/Crypto/PGPInterface.swift
+++ b/passKit/Crypto/PGPInterface.swift
@ -7,7 +7,7 @@
 //

 protocol PGPInterface {
-    func decrypt(encryptedData: Data, keyID: String?, passphrase: String) throws -> Data?
+    func decrypt(encryptedData: Data, keyID: String?, passPhraseForKey: @escaping (String) -> String) throws -> Data?

    func encrypt(plainData: Data, keyID: String?) throws -> Data