Add config option to allow insecure decryption with RSA signing keys (#1148)

src/config/config.js

@@ -120,6 +120,14 @@ export default {
    * @property {Boolean} revocations_expire If true, expired revocation signatures are ignored
    */
   revocations_expire:       false,
+  /**
+   * Allow decryption using RSA keys without `encrypt` flag.
+   * This setting is potentially insecure, but it is needed to get around an old openpgpjs bug
+   * where key flags were ignored when selecting a key for encryption.
+   * @memberof module:config
+   * @property {Boolean} allow_insecure_decryption_with_signing_keys
+   */
+  allow_insecure_decryption_with_signing_keys: false,
 
   /**
    * @memberof module:config

src/key/helper.js

@@ -366,6 +366,12 @@ export function isValidDecryptionKeyPacket(signature) {
   if (!signature.verified) { // Sanity check
     throw new Error('Signature not verified');
   }
+
+  if (config.allow_insecure_decryption_with_signing_keys) {
+    // This is only relevant for RSA keys, all other signing ciphers cannot decrypt
+    return true;
+  }
+
   return !signature.keyFlags ||
     (signature.keyFlags[0] & enums.keyFlags.encrypt_communication) !== 0 ||
     (signature.keyFlags[0] & enums.keyFlags.encrypt_storage) !== 0;