From 35e95a21a3fee160feb5728e68000a4b531dcc02 Mon Sep 17 00:00:00 2001
From: Samuel Lorch <sam@soontm.de>
Date: Thu, 13 Mar 2025 17:38:03 +0100
Subject: [PATCH 1/5] go.mod Update gopenpgp to v3

---
 go.mod | 1 +
 go.sum | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/go.mod b/go.mod
index 64273dd..5c98b95 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
 require (
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
+	github.com/ProtonMail/gopenpgp/v3 v3.1.3 // indirect
 	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	golang.org/x/crypto v0.35.0 // indirect
diff --git a/go.sum b/go.sum
index 24212a3..ba1847f 100644
--- a/go.sum
+++ b/go.sum
@@ -9,6 +9,8 @@ github.com/ProtonMail/gopenpgp/v2 v2.7.5 h1:STOY3vgES59gNgoOt2w0nyHBjKViB/qSg7Nj
 github.com/ProtonMail/gopenpgp/v2 v2.7.5/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g=
 github.com/ProtonMail/gopenpgp/v2 v2.8.3 h1:1jHlELwCR00qovx2B50DkL/FjYwt/P91RnlsqeOp2Hs=
 github.com/ProtonMail/gopenpgp/v2 v2.8.3/go.mod h1:LiuOTbnJit8w9ZzOoLscj0kmdALY7hfoCVh5Qlb0bcg=
+github.com/ProtonMail/gopenpgp/v3 v3.1.3 h1:nxUd0Na4MeElx0sA1t6U8/IxmjmCv3MKnTJGhEUK+qY=
+github.com/ProtonMail/gopenpgp/v3 v3.1.3/go.mod h1:Ve9JYzwGau9DT0F9C9gsuEBU/T3Zbk0j1/+mPpWBogc=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cloudflare/circl v1.3.9 h1:QFrlgFYf2Qpi8bSpVPK1HBvWpx16v/1TZivyo7pGuBE=

From 2949cd58b112b6f6c5bb939fc1336917f70fc55f Mon Sep 17 00:00:00 2001
From: Samuel Lorch <sam@soontm.de>
Date: Thu, 13 Mar 2025 17:38:43 +0100
Subject: [PATCH 2/5] Client update to gopenpgp v3

---
 api/client.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/api/client.go b/api/client.go
index 001fce3..e51ee08 100644
--- a/api/client.go
+++ b/api/client.go
@@ -6,12 +6,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"path"
 
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/ProtonMail/gopenpgp/v3/crypto"
 	"github.com/google/go-querystring/query"
 )
 
@@ -39,6 +38,9 @@ type Client struct {
 	// You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa
 	MFACallback func(ctx context.Context, c *Client, res *APIResponse) (http.Cookie, error)
 
+	// gopengpg Handler, allow for custom settings in the future
+	pgp *crypto.PGPHandle
+
 	// Enable Debug Logging
 	Debug bool
 }
@@ -67,6 +69,8 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User
 		return nil, fmt.Errorf("Parsing Base URL: %w", err)
 	}
 
+	pgp := crypto.PGP()
+
 	// Verify that the Given Privatekey and Password are valid and work Together if we were provieded one
 	if UserPrivateKey != "" {
 		privateKeyObj, err := crypto.NewKeyFromArmored(UserPrivateKey)
@@ -93,6 +97,7 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User
 		userAgent:      UserAgent,
 		userPassword:   []byte(UserPassword),
 		userPrivateKey: UserPrivateKey,
+		pgp:            pgp,
 	}
 	return c, err
 }
@@ -150,7 +155,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, v *APIResponse) (*ht
 		resp.Body.Close()
 	}()
 
-	bodyBytes, err := ioutil.ReadAll(resp.Body)
+	bodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return resp, fmt.Errorf("Error Reading Resopnse Body: %w", err)
 	}
@@ -231,3 +236,8 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
 	}
 	return nil
 }
+
+// GetPGPHandle Gets the Gopgenpgp Handler
+func (c *Client) GetPGPHandle() *crypto.PGPHandle {
+	return c.pgp
+}

From 7e9d0e035be1c18df49fab4120e12d89775f5f19 Mon Sep 17 00:00:00 2001
From: Samuel Lorch <sam@soontm.de>
Date: Thu, 13 Mar 2025 17:39:12 +0100
Subject: [PATCH 3/5] encryption.go update to gopenpgp v3

---
 api/encryption.go | 133 +++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 121 insertions(+), 12 deletions(-)

diff --git a/api/encryption.go b/api/encryption.go
index e87537e..ee5e40c 100644
--- a/api/encryption.go
+++ b/api/encryption.go
@@ -3,33 +3,142 @@ package api
 import (
 	"fmt"
 
-	"github.com/ProtonMail/gopenpgp/v2/helper"
+	"github.com/ProtonMail/gopenpgp/v3/crypto"
 )
 
 // EncryptMessage encrypts a message using the users public key and then signes the message using the users private key
 func (c *Client) EncryptMessage(message string) (string, error) {
-	if c.userPrivateKey == "" {
-		return "", fmt.Errorf("Client has no Private Key")
-	} else if c.userPublicKey == "" {
-		return "", fmt.Errorf("Client has no Public Key")
+	key, err := c.getPrivateKey(c.userPrivateKey, c.userPassword)
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key: %w", err)
 	}
-	return helper.EncryptSignMessageArmored(c.userPublicKey, c.userPrivateKey, c.userPassword, message)
+
+	defer key.ClearPrivateParams()
+
+	encHandle, err := c.pgp.Encryption().SigningKey(key).Recipient(key).New()
+	if err != nil {
+		return "", fmt.Errorf("New Encryptor: %w", err)
+	}
+
+	defer encHandle.ClearPrivateParams()
+
+	encMessage, err := encHandle.Encrypt([]byte(message))
+	if err != nil {
+		return "", fmt.Errorf("Encrypt Message: %w", err)
+	}
+
+	encArmor, err := encMessage.Armor()
+	if err != nil {
+		return "", fmt.Errorf("Armor Message: %w", err)
+	}
+	return encArmor, nil
 }
 
 // EncryptMessageWithPublicKey encrypts a message using the provided public key and then signes the message using the users private key
 func (c *Client) EncryptMessageWithPublicKey(publickey, message string) (string, error) {
-	if c.userPrivateKey == "" {
-		return "", fmt.Errorf("Client has no Private Key")
+	key, err := c.getPrivateKey(c.userPrivateKey, c.userPassword)
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key: %w", err)
 	}
-	return helper.EncryptSignMessageArmored(publickey, c.userPrivateKey, c.userPassword, message)
+
+	defer key.ClearPrivateParams()
+
+	publicKey, err := crypto.NewKeyFromArmored(publickey)
+	if err != nil {
+		return "", fmt.Errorf("Get Public Key: %w", err)
+	}
+
+	encHandle, err := c.pgp.Encryption().SigningKey(key).Recipient(publicKey).New()
+	if err != nil {
+		return "", fmt.Errorf("New Encryptor: %w", err)
+	}
+
+	defer encHandle.ClearPrivateParams()
+
+	encMessage, err := encHandle.Encrypt([]byte(message))
+	if err != nil {
+		return "", fmt.Errorf("Encrypt Message: %w", err)
+	}
+
+	encArmor, err := encMessage.Armor()
+	if err != nil {
+		return "", fmt.Errorf("Armor Message: %w", err)
+	}
+	return encArmor, nil
 }
 
 // DecryptMessage decrypts a message using the users Private Key
 func (c *Client) DecryptMessage(message string) (string, error) {
-	if c.userPrivateKey == "" {
-		return "", fmt.Errorf("Client has no Private Key")
+	key, err := c.getPrivateKey(c.userPrivateKey, c.userPassword)
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key: %w", err)
 	}
+
+	defer key.ClearPrivateParams()
+
+	decHandle, err := c.pgp.Decryption().DecryptionKey(key).New()
+	if err != nil {
+		return "", fmt.Errorf("New Decryptor: %w", err)
+	}
+
+	defer decHandle.ClearPrivateParams()
+
+	res, err := decHandle.Decrypt([]byte(message), crypto.Armor)
+	if err != nil {
+		return "", fmt.Errorf("Decrypt Message: %w", err)
+	}
+
 	// We cant Verify the signature as we don't store other users public keys locally and don't know which user did encrypt it
 	//return helper.DecryptVerifyMessageArmored(c.userPublicKey, c.userPrivateKey, c.userPassword, message)
-	return helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, message)
+
+	return res.String(), nil
+}
+
+// TODO change []byte to string?
+func (c *Client) DecryptMessageWithPrivateKey(privateKey string, passphrase []byte, ciphertextArmored string) (string, error) {
+	key, err := c.getPrivateKey(privateKey, passphrase)
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key: %w", err)
+	}
+
+	defer key.ClearPrivateParams()
+
+	decHandle, err := c.pgp.Decryption().DecryptionKey(key).New()
+	if err != nil {
+		return "", fmt.Errorf("New Decryptor: %w", err)
+	}
+
+	defer decHandle.ClearPrivateParams()
+
+	res, err := decHandle.Decrypt([]byte(ciphertextArmored), crypto.Armor)
+	if err != nil {
+		return "", fmt.Errorf("Decrypt: %w", err)
+	}
+
+	return string(res.Bytes()), nil
+}
+
+func (c *Client) getPrivateKey(privateKey string, passphrase []byte) (*crypto.Key, error) {
+	if c.userPrivateKey == "" {
+		return nil, fmt.Errorf("Client has no Private Key")
+	}
+
+	key, err := crypto.NewKeyFromArmored(privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("Key From Armored: %w", err)
+	}
+
+	locked, err := key.IsLocked()
+	if err != nil {
+		return nil, fmt.Errorf("Is Key Locked: %w", err)
+	}
+
+	if locked {
+		unlocked, err := key.Unlock(passphrase)
+		if err != nil {
+			return nil, fmt.Errorf("Unlock Key: %w", err)
+		}
+		return unlocked, nil
+	}
+	return key, nil
 }

From 94992dbd4b95d846ae3fc220495e1c258d262c8f Mon Sep 17 00:00:00 2001
From: Samuel Lorch <sam@soontm.de>
Date: Thu, 13 Mar 2025 17:39:34 +0100
Subject: [PATCH 4/5] verify.go update to gopenpgp v3

---
 api/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/verify.go b/api/verify.go
index 89a15b8..74e35b6 100644
--- a/api/verify.go
+++ b/api/verify.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/ProtonMail/gopenpgp/v3/crypto"
 	"github.com/google/uuid"
 )
 

From 146fe6662c7ab43df67090fed7092d0aeb3ad6dc Mon Sep 17 00:00:00 2001
From: Samuel Lorch <sam@soontm.de>
Date: Thu, 13 Mar 2025 17:40:16 +0100
Subject: [PATCH 5/5] Setup update to gopenpgp v3

---
 helper/setup.go | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/helper/setup.go b/helper/setup.go
index 7fdc006..37e202c 100644
--- a/helper/setup.go
+++ b/helper/setup.go
@@ -6,9 +6,6 @@ import (
 	"strings"
 
 	"github.com/passbolt/go-passbolt/api"
-
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/ProtonMail/gopenpgp/v2/helper"
 )
 
 // ParseInviteUrl Parses a Passbolt Invite URL into a user id and token
@@ -31,21 +28,34 @@ func SetupAccount(ctx context.Context, c *api.Client, userID, token, password st
 
 	keyName := install.Profile.FirstName + " " + install.Profile.LastName + " " + install.Username
 
-	privateKey, err := helper.GenerateKey(keyName, install.Username, []byte(password), "rsa", 4096)
+	pgp := c.GetPGPHandle()
+
+	keyHandler := pgp.KeyGeneration().AddUserId(keyName, install.Username).New()
+
+	key, err := keyHandler.GenerateKey()
 	if err != nil {
 		return "", fmt.Errorf("Generating Private Key: %w", err)
 	}
 
-	key, err := crypto.NewKeyFromArmoredReader(strings.NewReader(privateKey))
-	if err != nil {
-		return "", fmt.Errorf("Reading Private Key: %w", err)
-	}
+	defer key.ClearPrivateParams()
 
 	publicKey, err := key.GetArmoredPublicKey()
 	if err != nil {
 		return "", fmt.Errorf("Get Public Key: %w", err)
 	}
 
+	lockedKey, err := pgp.LockKey(key, []byte(password))
+	if err != nil {
+		return "", fmt.Errorf("Locking Private Key: %w", err)
+	}
+
+	defer lockedKey.ClearPrivateParams()
+
+	privateKey, err := lockedKey.Armor()
+	if err != nil {
+		return "", fmt.Errorf("Get Private Key: %w", err)
+	}
+
 	request := api.SetupCompleteRequest{
 		AuthenticationToken: api.AuthenticationToken{
 			Token: token,