Merge pull request #45 from passbolt/gopenpgp-v3

Gopenpgp v3

api/auth.go

@@ -7,9 +7,6 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
-
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/ProtonMail/gopenpgp/v2/helper"
 )
 
 // Login is used for login
@@ -33,15 +30,7 @@ func (c *Client) CheckSession(ctx context.Context) bool {
 func (c *Client) Login(ctx context.Context) error {
 	c.csrfToken = http.Cookie{}
 
-	if c.userPrivateKey == "" {
-		return fmt.Errorf("Client has no Private Key")
-	}
-
-	privateKeyObj, err := crypto.NewKeyFromArmored(c.userPrivateKey)
-	if err != nil {
-		return fmt.Errorf("Parsing User Private Key: %w", err)
-	}
-	data := Login{&GPGAuth{KeyID: privateKeyObj.GetFingerprint()}}
+	data := Login{&GPGAuth{KeyID: c.userPrivateKey.GetFingerprint()}}
 
 	res, _, err := c.DoCustomRequestAndReturnRawResponse(ctx, "POST", "/auth/login.json", "v2", data, nil)
 	if err != nil && !strings.Contains(err.Error(), "Error API JSON Response Status: Message: The authentication failed.") {
@@ -62,7 +51,7 @@ func (c *Client) Login(ctx context.Context) error {
 	}
 	encAuthToken = strings.ReplaceAll(encAuthToken, "\\ ", " ")
 
-	authToken, err := helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, encAuthToken)
+	authToken, err := c.DecryptMessage(encAuthToken)
 	if err != nil {
 		return fmt.Errorf("Decrypting User Auth Token: %w", err)
 	}
@@ -104,29 +93,13 @@ func (c *Client) Login(ctx context.Context) error {
 		return fmt.Errorf("Getting CSRF Token: %w", err)
 	}
 
-	// Get Users Own Public Key from Server
+	// Get Users ID from Server
 	var user User
 	err = json.Unmarshal(apiMsg.Body, &user)
 	if err != nil {
 		return fmt.Errorf("Parsing User 'Me' JSON from API Request: %w", err)
 	}
 
-	// Validate that this Publickey that the Server gave us actually Matches our Privatekey
-	randomString := randStringBytesRmndr(50)
-	armor, err := helper.EncryptMessageArmored(user.GPGKey.ArmoredKey, randomString)
-	if err != nil {
-		return fmt.Errorf("Encryping PublicKey Validation Message: %w", err)
-	}
-	decrypted, err := helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, armor)
-	if err != nil {
-		return fmt.Errorf("Decrypting PublicKey Validation Message (you might be getting Hacked): %w", err)
-	}
-	if decrypted != randomString {
-		return fmt.Errorf("Decrypted PublicKey Validation Message does not Match Original (you might be getting Hacked): %w", err)
-	}
-
-	// Insert PublicKey into Client after checking it to Prevent ignored errors leading to proceeding with a potentially Malicious PublicKey
-	c.userPublicKey = user.GPGKey.ArmoredKey
 	c.userID = user.ID
 
 	// after Login, fetch MetadataTypeSettings to finish the Client Setup

api/client.go

@@ -6,12 +6,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"path"
 
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/ProtonMail/gopenpgp/v3/crypto"
 	"github.com/google/go-querystring/query"
 )
 
@@ -25,10 +24,10 @@ type Client struct {
 	csrfToken    http.Cookie
 	mfaToken     http.Cookie
 
-	// for some reason []byte is used for Passwords in gopenpgp instead of string like they do for keys...
-	userPassword   []byte
-	userPrivateKey string
-	userPublicKey  string
+	// userPublicKey has been removed since it can be gotten from the private userPrivateKey
+
+	// be sure to make a copy since using ClearPrivateParams on a handler also wipes the key...
+	userPrivateKey *crypto.Key
 	userID         string
 
 	// Server Settings Determining which Resource Types we can use
@@ -39,6 +38,9 @@ type Client struct {
 	// You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa
 	MFACallback func(ctx context.Context, c *Client, res *APIResponse) (http.Cookie, error)
 
+	// gopengpg Handler, allow for custom settings in the future
+	pgp *crypto.PGPHandle
+
 	// Enable Debug Logging
 	Debug bool
 }
@@ -67,23 +69,15 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User
 		return nil, fmt.Errorf("Parsing Base URL: %w", err)
 	}
 
-	// Verify that the Given Privatekey and Password are valid and work Together if we were provieded one
-	if UserPrivateKey != "" {
-		privateKeyObj, err := crypto.NewKeyFromArmored(UserPrivateKey)
-		if err != nil {
-			return nil, fmt.Errorf("Unable to Create Key From UserPrivateKey string: %w", err)
-		}
-		unlockedKeyObj, err := privateKeyObj.Unlock([]byte(UserPassword))
-		if err != nil {
-			return nil, fmt.Errorf("Unable to Unlock UserPrivateKey using UserPassword: %w", err)
-		}
-		privateKeyRing, err := crypto.NewKeyRing(unlockedKeyObj)
-		if err != nil {
-			return nil, fmt.Errorf("Unable to Create a new Key Ring using the unlocked UserPrivateKey: %w", err)
-		}
+	pgp := crypto.PGP()
 
-		// Cleanup Secrets
-		privateKeyRing.ClearPrivateParams()
+	var unlockedKey *crypto.Key = nil
+	if UserPrivateKey != "" {
+		key, err := GetPrivateKeyFromArmor(UserPrivateKey, []byte(UserPassword))
+		if err != nil {
+			return nil, fmt.Errorf("Get Private Key: %w", err)
+		}
+		unlockedKey = key
 	}
 
 	// Create Client Object
@@ -91,8 +85,8 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User
 		httpClient:     httpClient,
 		baseURL:        u,
 		userAgent:      UserAgent,
-		userPassword:   []byte(UserPassword),
-		userPrivateKey: UserPrivateKey,
+		userPrivateKey: unlockedKey,
+		pgp:            pgp,
 	}
 	return c, err
 }
@@ -150,7 +144,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, v *APIResponse) (*ht
 		resp.Body.Close()
 	}()
 
-	bodyBytes, err := ioutil.ReadAll(resp.Body)
+	bodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return resp, fmt.Errorf("Error Reading Resopnse Body: %w", err)
 	}
@@ -202,11 +196,11 @@ func (c *Client) GetPublicKey(ctx context.Context) (string, string, error) {
 	}
 
 	// Lets get the actual Fingerprint instead of trusting the Server
-	privateKeyObj, err := crypto.NewKeyFromArmored(c.userPrivateKey)
+	serverKey, err := crypto.NewKeyFromArmored(body.Keydata)
 	if err != nil {
 		return "", "", fmt.Errorf("Parsing Server Key: %w", err)
 	}
-	return body.Keydata, privateKeyObj.GetFingerprint(), nil
+	return body.Keydata, serverKey.GetFingerprint(), nil
 }
 
 // setMetadataTypeSettings Gets and configures the Client to use the Types the Server wants us to use
@@ -231,3 +225,8 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
 	}
 	return nil
 }
+
+// GetPGPHandle Gets the Gopgenpgp Handler
+func (c *Client) GetPGPHandle() *crypto.PGPHandle {
+	return c.pgp
+}

api/encryption.go

@@ -3,33 +3,133 @@ package api
 import (
 	"fmt"
 
-	"github.com/ProtonMail/gopenpgp/v2/helper"
+	"github.com/ProtonMail/gopenpgp/v3/crypto"
 )
 
 // EncryptMessage encrypts a message using the users public key and then signes the message using the users private key
 func (c *Client) EncryptMessage(message string) (string, error) {
-	if c.userPrivateKey == "" {
-		return "", fmt.Errorf("Client has no Private Key")
-	} else if c.userPublicKey == "" {
-		return "", fmt.Errorf("Client has no Public Key")
+	key, err := c.userPrivateKey.Copy()
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key Copy: %w", err)
 	}
-	return helper.EncryptSignMessageArmored(c.userPublicKey, c.userPrivateKey, c.userPassword, message)
+
+	encHandle, err := c.pgp.Encryption().SigningKey(key).Recipient(c.userPrivateKey).New()
+	if err != nil {
+		return "", fmt.Errorf("New Encryptor: %w", err)
+	}
+
+	defer encHandle.ClearPrivateParams()
+
+	encMessage, err := encHandle.Encrypt([]byte(message))
+	if err != nil {
+		return "", fmt.Errorf("Encrypt Message: %w", err)
+	}
+
+	encArmor, err := encMessage.Armor()
+	if err != nil {
+		return "", fmt.Errorf("Armor Message: %w", err)
+	}
+	return encArmor, nil
 }
 
 // EncryptMessageWithPublicKey encrypts a message using the provided public key and then signes the message using the users private key
 func (c *Client) EncryptMessageWithPublicKey(publickey, message string) (string, error) {
-	if c.userPrivateKey == "" {
-		return "", fmt.Errorf("Client has no Private Key")
+	publicKey, err := crypto.NewKeyFromArmored(publickey)
+	if err != nil {
+		return "", fmt.Errorf("Get Public Key: %w", err)
 	}
-	return helper.EncryptSignMessageArmored(publickey, c.userPrivateKey, c.userPassword, message)
+
+	key, err := c.userPrivateKey.Copy()
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key Copy: %w", err)
+	}
+
+	encHandle, err := c.pgp.Encryption().SigningKey(key).Recipient(publicKey).New()
+	if err != nil {
+		return "", fmt.Errorf("New Encryptor: %w", err)
+	}
+
+	defer encHandle.ClearPrivateParams()
+
+	encMessage, err := encHandle.Encrypt([]byte(message))
+	if err != nil {
+		return "", fmt.Errorf("Encrypt Message: %w", err)
+	}
+
+	encArmor, err := encMessage.Armor()
+	if err != nil {
+		return "", fmt.Errorf("Armor Message: %w", err)
+	}
+	return encArmor, nil
 }
 
 // DecryptMessage decrypts a message using the users Private Key
-func (c *Client) DecryptMessage(message string) (string, error) {
-	if c.userPrivateKey == "" {
-		return "", fmt.Errorf("Client has no Private Key")
+func (c *Client) DecryptMessage(armoredCiphertext string) (string, error) {
+	key, err := c.userPrivateKey.Copy()
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key Copy: %w", err)
 	}
-	// We cant Verify the signature as we don't store other users public keys locally and don't know which user did encrypt it
-	//return helper.DecryptVerifyMessageArmored(c.userPublicKey, c.userPrivateKey, c.userPassword, message)
-	return helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, message)
+
+	message, _, err := c.DecryptMessageWithPrivateKeyAndReturnSessionKey(key, armoredCiphertext)
+	return message, err
+}
+
+// DecryptMessageWithPrivateKey Decrypts a Message using the Provided Private Key
+// Returns the Session key so that it can be saved in a cache
+func (c *Client) DecryptMessageWithPrivateKeyAndReturnSessionKey(privateKey *crypto.Key, armoredCiphertext string) (string, *crypto.SessionKey, error) {
+
+	decHandle, err := c.pgp.Decryption().
+		DecryptionKey(privateKey).
+		RetrieveSessionKey().
+		New()
+	if err != nil {
+		return "", nil, fmt.Errorf("New Decryptor: %w", err)
+	}
+
+	defer decHandle.ClearPrivateParams()
+
+	res, err := decHandle.Decrypt([]byte(armoredCiphertext), crypto.Armor)
+	if err != nil {
+		return "", nil, fmt.Errorf("Decrypt: %w", err)
+	}
+
+	return res.String(), res.SessionKey(), nil
+}
+
+func GetPrivateKeyFromArmor(privateKey string, passphrase []byte) (*crypto.Key, error) {
+	key, err := crypto.NewKeyFromArmored(privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("Key From Armored: %w", err)
+	}
+
+	locked, err := key.IsLocked()
+	if err != nil {
+		return nil, fmt.Errorf("Is Key Locked: %w", err)
+	}
+
+	if locked {
+		unlocked, err := key.Unlock(passphrase)
+		if err != nil {
+			return nil, fmt.Errorf("Unlock Key: %w", err)
+		}
+		return unlocked, nil
+	}
+	return key, nil
+}
+
+// DecryptMessageWithSessionKey Decrypts a Message using the Provided Session Key
+func (c *Client) DecryptMessageWithSessionKey(sessionKey *crypto.SessionKey, ciphertextArmored string) (string, error) {
+	decHandle, err := c.pgp.Decryption().SessionKey(sessionKey).New()
+	if err != nil {
+		return "", fmt.Errorf("New Decryptor: %w", err)
+	}
+
+	defer decHandle.ClearPrivateParams()
+
+	res, err := decHandle.Decrypt([]byte(ciphertextArmored), crypto.Armor)
+	if err != nil {
+		return "", fmt.Errorf("Decrypt: %w", err)
+	}
+
+	return res.String(), nil
 }

api/verify.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"github.com/google/uuid"
 )
 
@@ -44,15 +43,10 @@ func (c *Client) SetupServerVerification(ctx context.Context) (string, string, e
 
 // VerifyServer verifys that the Server is still the same one as during the Setup, Only works before login
 func (c *Client) VerifyServer(ctx context.Context, token, encToken string) error {
-	privateKeyObj, err := crypto.NewKeyFromArmored(c.userPrivateKey)
-	if err != nil {
-		return fmt.Errorf("Parsing User Private Key: %w", err)
-	}
-
 	data := GPGVerifyContainer{
 		Req: GPGVerify{
 			Token: encToken,
-			KeyID: privateKeyObj.GetFingerprint(),
+			KeyID: c.userPrivateKey.GetFingerprint(),
 		},
 	}
 	raw, _, err := c.DoCustomRequestAndReturnRawResponse(ctx, "POST", "/auth/verify.json", "v2", data, nil)

go.mod

@@ -3,7 +3,7 @@ module github.com/passbolt/go-passbolt
 go 1.23.0
 
 require (
-	github.com/ProtonMail/gopenpgp/v2 v2.8.3
+	github.com/ProtonMail/gopenpgp/v3 v3.1.3
 	github.com/google/go-querystring v1.1.0
 	github.com/google/uuid v1.6.0
 	github.com/santhosh-tekuri/jsonschema v1.2.4
@@ -11,10 +11,8 @@ require (
 
 require (
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
-	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
 	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	golang.org/x/crypto v0.35.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
 )

go.sum

@@ -1,24 +1,11 @@
-github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
-github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
-github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=
 github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
-github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
-github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
-github.com/ProtonMail/gopenpgp/v2 v2.7.5 h1:STOY3vgES59gNgoOt2w0nyHBjKViB/qSg7NjbQWPJkA=
-github.com/ProtonMail/gopenpgp/v2 v2.7.5/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g=
-github.com/ProtonMail/gopenpgp/v2 v2.8.3 h1:1jHlELwCR00qovx2B50DkL/FjYwt/P91RnlsqeOp2Hs=
-github.com/ProtonMail/gopenpgp/v2 v2.8.3/go.mod h1:LiuOTbnJit8w9ZzOoLscj0kmdALY7hfoCVh5Qlb0bcg=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cloudflare/circl v1.3.9 h1:QFrlgFYf2Qpi8bSpVPK1HBvWpx16v/1TZivyo7pGuBE=
-github.com/cloudflare/circl v1.3.9/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
+github.com/ProtonMail/gopenpgp/v3 v3.1.3 h1:nxUd0Na4MeElx0sA1t6U8/IxmjmCv3MKnTJGhEUK+qY=
+github.com/ProtonMail/gopenpgp/v3 v3.1.3/go.mod h1:Ve9JYzwGau9DT0F9C9gsuEBU/T3Zbk0j1/+mPpWBogc=
 github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
 github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
@@ -31,63 +18,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
 github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
 golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
 golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

helper/setup.go

@@ -6,9 +6,6 @@ import (
 	"strings"
 
 	"github.com/passbolt/go-passbolt/api"
-
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/ProtonMail/gopenpgp/v2/helper"
 )
 
 // ParseInviteUrl Parses a Passbolt Invite URL into a user id and token
@@ -31,21 +28,34 @@ func SetupAccount(ctx context.Context, c *api.Client, userID, token, password st
 
 	keyName := install.Profile.FirstName + " " + install.Profile.LastName + " " + install.Username
 
-	privateKey, err := helper.GenerateKey(keyName, install.Username, []byte(password), "rsa", 4096)
+	pgp := c.GetPGPHandle()
+
+	keyHandler := pgp.KeyGeneration().AddUserId(keyName, install.Username).New()
+
+	key, err := keyHandler.GenerateKey()
 	if err != nil {
 		return "", fmt.Errorf("Generating Private Key: %w", err)
 	}
 
-	key, err := crypto.NewKeyFromArmoredReader(strings.NewReader(privateKey))
-	if err != nil {
-		return "", fmt.Errorf("Reading Private Key: %w", err)
-	}
+	defer key.ClearPrivateParams()
 
 	publicKey, err := key.GetArmoredPublicKey()
 	if err != nil {
 		return "", fmt.Errorf("Get Public Key: %w", err)
 	}
 
+	lockedKey, err := pgp.LockKey(key, []byte(password))
+	if err != nil {
+		return "", fmt.Errorf("Locking Private Key: %w", err)
+	}
+
+	defer lockedKey.ClearPrivateParams()
+
+	privateKey, err := lockedKey.Armor()
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key: %w", err)
+	}
+
 	request := api.SetupCompleteRequest{
 		AuthenticationToken: api.AuthenticationToken{
 			Token: token,