For v6 keys, create direct-key signature for key properties

Store key flags, features and preferences in a direct-key signature instead of user ID signatures, for V6 keys.
2025-10-14 00:59:29 +00:00 · 2022-03-02 17:16:58 +01:00 · 2022-03-02 17:16:58 +01:00 · 3ea21f6c6a
commit 3ea21f6c6a
parent 091be036f4
2 changed files with 31 additions and 14 deletions
--- a/src/key/factory.js
+++ b/src/key/factory.js
@ -188,18 +188,12 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
  const packetlist = new PacketList();
  packetlist.push(secretKeyPacket);

-  await Promise.all(options.userIDs.map(async function(userID, index) {
  function createPreferredAlgos(algos, preferredAlgo) {
    return [preferredAlgo, ...algos.filter(algo => algo !== preferredAlgo)];
  }

-    const userIDPacket = UserIDPacket.fromObject(userID);
-    const dataToSign = {};
-    dataToSign.userID = userIDPacket;
-    dataToSign.key = secretKeyPacket;
-
+  function getKeySignatureProperties() {
    const signatureProperties = {};
-    signatureProperties.signatureType = enums.signature.certGeneric;
    signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
    signatureProperties.preferredSymmetricAlgorithms = createPreferredAlgos([
      // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support)
@ -223,9 +217,6 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
      enums.compression.zip,
      enums.compression.uncompressed
    ], config.preferredCompressionAlgorithm);
-    if (index === 0) {
-      signatureProperties.isPrimaryUserID = true;
-    }
    // integrity protection always enabled
    signatureProperties.features = [0];
    signatureProperties.features[0] |= enums.features.modificationDetection;
@ -236,6 +227,32 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
      signatureProperties.keyExpirationTime = options.keyExpirationTime;
      signatureProperties.keyNeverExpires = false;
    }
+    return signatureProperties;
+  }
+
+  if (secretKeyPacket.version === 6) { // add direct key signature with key prefs
+    const dataToSign = {
+      key: secretKeyPacket
+    };
+
+    const signatureProperties = getKeySignatureProperties();
+    signatureProperties.signatureType = enums.signature.key;
+
+    const signaturePacket = await helper.createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
+    packetlist.push(signaturePacket);
+  }
+
+  await Promise.all(options.userIDs.map(async function(userID, index) {
+    const userIDPacket = UserIDPacket.fromObject(userID);
+    const dataToSign = {
+      userID: userIDPacket,
+      key: secretKeyPacket
+    };
+    const signatureProperties = secretKeyPacket.version !== 6 ? getKeySignatureProperties() : {};
+    signatureProperties.signatureType = enums.signature.certGeneric;
+    if (index === 0) {
+      signatureProperties.isPrimaryUserID = true;
+    }

    const signaturePacket = await helper.createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);

--- a/test/general/config.js
+++ b/test/general/config.js
@ -146,7 +146,7 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI
      const key2 = await openpgp.readKey({ armoredKey: privateKeyArmored2 });
      expect(key2.keyPacket.version).to.equal(6);
      expect(privateKeyArmored2.indexOf(openpgp.config.commentString) > 0).to.be.true;
-      expect(key2.users[0].selfCertifications[0].preferredHashAlgorithms[0]).to.equal(config.preferredHashAlgorithm);
+      expect(key2.directSignatures[0].preferredHashAlgorithms[0]).to.equal(config.preferredHashAlgorithm);
    } finally {
      openpgp.config.v6Keys = v6KeysVal;
      openpgp.config.preferredHashAlgorithm = preferredHashAlgorithmVal;