mirror of
https://github.com/openpgpjs/openpgpjs.git
synced 2025-03-30 15:08:32 +00:00
Rename internal functions, filter key algos on decryption
This commit is contained in:
larabr
parent
690346a854
commit
917faa56f5
@ -357,7 +357,7 @@ export function sanitizeKeyOptions(options, subkeyDefaults = {}) {
|
||||
return options;
|
||||
}
|
||||
|
||||
export function isValidSigningKeyPacket(keyPacket, signature, config) {
|
||||
export function validateSigningKeyPacket(keyPacket, signature, config) {
|
||||
switch (keyPacket.algorithm) {
|
||||
case enums.publicKey.rsaEncryptSign:
|
||||
case enums.publicKey.rsaSign:
|
||||
@ -365,18 +365,41 @@ export function isValidSigningKeyPacket(keyPacket, signature, config) {
|
||||
case enums.publicKey.ecdsa:
|
||||
case enums.publicKey.eddsaLegacy:
|
||||
case enums.publicKey.ed25519:
|
||||
case enums.publicKey.ed448: {
|
||||
case enums.publicKey.ed448:
|
||||
if (!signature.keyFlags && !config.allowMissingKeyFlags) {
|
||||
throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
|
||||
}
|
||||
|
||||
return !signature.keyFlags ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.signData) !== 0;
|
||||
}
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export function isValidEncryptionKeyPacket(keyPacket, signature, config) {
|
||||
export function validateEncryptionKeyPacket(keyPacket, signature, config) {
|
||||
switch (keyPacket.algorithm) {
|
||||
case enums.publicKey.rsaEncryptSign:
|
||||
case enums.publicKey.rsaEncrypt:
|
||||
case enums.publicKey.elgamal:
|
||||
case enums.publicKey.ecdh:
|
||||
case enums.publicKey.x25519:
|
||||
case enums.publicKey.x448:
|
||||
if (!signature.keyFlags && !config.allowMissingKeyFlags) {
|
||||
throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
|
||||
}
|
||||
return !signature.keyFlags ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export function validateDecryptionKeyPacket(keyPacket, signature, config) {
|
||||
if (!signature.keyFlags && !config.allowMissingKeyFlags) {
|
||||
throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
|
||||
}
|
||||
|
||||
switch (keyPacket.algorithm) {
|
||||
case enums.publicKey.rsaEncryptSign:
|
||||
case enums.publicKey.rsaEncrypt:
|
||||
@ -384,33 +407,21 @@ export function isValidEncryptionKeyPacket(keyPacket, signature, config) {
|
||||
case enums.publicKey.ecdh:
|
||||
case enums.publicKey.x25519:
|
||||
case enums.publicKey.x448: {
|
||||
if (!signature.keyFlags && !config.allowMissingKeyFlags) {
|
||||
throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
|
||||
const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0;
|
||||
if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) {
|
||||
// This is only relevant for RSA keys, all other signing algorithms cannot decrypt
|
||||
return true;
|
||||
}
|
||||
|
||||
return !signature.keyFlags ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;
|
||||
}
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export function isValidDecryptionKeyPacket(signature, config) {
|
||||
if (!signature.keyFlags && !config.allowMissingKeyFlags) {
|
||||
throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
|
||||
}
|
||||
|
||||
const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0;
|
||||
if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) {
|
||||
// This is only relevant for RSA keys, all other signing algorithms cannot decrypt
|
||||
return true;
|
||||
}
|
||||
|
||||
return !signature.keyFlags ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
|
||||
(signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check key against blacklisted algorithms and minimum strength requirements.
|
||||
* @param {SecretKeyPacket|PublicKeyPacket|
|
||||
|
||||
@ -269,7 +269,7 @@ class Key {
|
||||
const bindingSignature = await helper.getLatestValidSignature(
|
||||
subkey.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config
|
||||
);
|
||||
if (!helper.isValidSigningKeyPacket(subkey.keyPacket, bindingSignature, config)) {
|
||||
if (!helper.validateSigningKeyPacket(subkey.keyPacket, bindingSignature, config)) {
|
||||
continue;
|
||||
}
|
||||
if (!bindingSignature.embeddedSignature) {
|
||||
@ -290,7 +290,7 @@ class Key {
|
||||
try {
|
||||
const selfCertification = await this.getPrimarySelfSignature(date, userID, config);
|
||||
if ((!keyID || primaryKey.getKeyID().equals(keyID)) &&
|
||||
helper.isValidSigningKeyPacket(primaryKey, selfCertification, config)) {
|
||||
helper.validateSigningKeyPacket(primaryKey, selfCertification, config)) {
|
||||
helper.checkKeyRequirements(primaryKey, config);
|
||||
return this;
|
||||
}
|
||||
@ -322,7 +322,7 @@ class Key {
|
||||
await subkey.verify(date, config);
|
||||
const dataToVerify = { key: primaryKey, bind: subkey.keyPacket };
|
||||
const bindingSignature = await helper.getLatestValidSignature(subkey.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
|
||||
if (helper.isValidEncryptionKeyPacket(subkey.keyPacket, bindingSignature, config)) {
|
||||
if (helper.validateEncryptionKeyPacket(subkey.keyPacket, bindingSignature, config)) {
|
||||
helper.checkKeyRequirements(subkey.keyPacket, config);
|
||||
return subkey;
|
||||
}
|
||||
@ -336,7 +336,7 @@ class Key {
|
||||
// if no valid subkey for encryption, evaluate primary key
|
||||
const selfCertification = await this.getPrimarySelfSignature(date, userID, config);
|
||||
if ((!keyID || primaryKey.getKeyID().equals(keyID)) &&
|
||||
helper.isValidEncryptionKeyPacket(primaryKey, selfCertification, config)) {
|
||||
helper.validateEncryptionKeyPacket(primaryKey, selfCertification, config)) {
|
||||
helper.checkKeyRequirements(primaryKey, config);
|
||||
return this;
|
||||
}
|
||||
|
||||
@ -85,7 +85,7 @@ class PrivateKey extends PublicKey {
|
||||
try {
|
||||
const dataToVerify = { key: primaryKey, bind: this.subkeys[i].keyPacket };
|
||||
const bindingSignature = await helper.getLatestValidSignature(this.subkeys[i].bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
|
||||
if (helper.isValidDecryptionKeyPacket(bindingSignature, config)) {
|
||||
if (helper.validateDecryptionKeyPacket(this.subkeys[i].keyPacket, bindingSignature, config)) {
|
||||
keys.push(this.subkeys[i]);
|
||||
}
|
||||
} catch (e) {}
|
||||
@ -95,7 +95,7 @@ class PrivateKey extends PublicKey {
|
||||
// evaluate primary key
|
||||
const selfCertification = await this.getPrimarySelfSignature(date, userID, config);
|
||||
if ((!keyID || primaryKey.getKeyID().equals(keyID, true)) &&
|
||||
helper.isValidDecryptionKeyPacket(selfCertification, config)) {
|
||||
helper.validateDecryptionKeyPacket(primaryKey, selfCertification, config)) {
|
||||
keys.push(this);
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user