diff --git a/src/key/helper.js b/src/key/helper.js index f2f48e38..d440cab2 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -357,7 +357,7 @@ export function sanitizeKeyOptions(options, subkeyDefaults = {}) { return options; } -export function isValidSigningKeyPacket(keyPacket, signature, config) { +export function validateSigningKeyPacket(keyPacket, signature, config) { switch (keyPacket.algorithm) { case enums.publicKey.rsaEncryptSign: case enums.publicKey.rsaSign: @@ -365,18 +365,41 @@ export function isValidSigningKeyPacket(keyPacket, signature, config) { case enums.publicKey.ecdsa: case enums.publicKey.eddsaLegacy: case enums.publicKey.ed25519: - case enums.publicKey.ed448: { + case enums.publicKey.ed448: if (!signature.keyFlags && !config.allowMissingKeyFlags) { throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`'); } - return !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0; - } + default: + return false; } } -export function isValidEncryptionKeyPacket(keyPacket, signature, config) { +export function validateEncryptionKeyPacket(keyPacket, signature, config) { + switch (keyPacket.algorithm) { + case enums.publicKey.rsaEncryptSign: + case enums.publicKey.rsaEncrypt: + case enums.publicKey.elgamal: + case enums.publicKey.ecdh: + case enums.publicKey.x25519: + case enums.publicKey.x448: + if (!signature.keyFlags && !config.allowMissingKeyFlags) { + throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`'); + } + return !signature.keyFlags || + (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 || + (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0; + default: + return false; + } +} + +export function validateDecryptionKeyPacket(keyPacket, signature, config) { + if (!signature.keyFlags && !config.allowMissingKeyFlags) { + throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`'); + } + switch (keyPacket.algorithm) { case enums.publicKey.rsaEncryptSign: case enums.publicKey.rsaEncrypt: @@ -384,33 +407,21 @@ export function isValidEncryptionKeyPacket(keyPacket, signature, config) { case enums.publicKey.ecdh: case enums.publicKey.x25519: case enums.publicKey.x448: { - if (!signature.keyFlags && !config.allowMissingKeyFlags) { - throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`'); + const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0; + if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) { + // This is only relevant for RSA keys, all other signing algorithms cannot decrypt + return true; } return !signature.keyFlags || - (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 || - (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0; + (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 || + (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0; } + default: + return false; } } -export function isValidDecryptionKeyPacket(signature, config) { - if (!signature.keyFlags && !config.allowMissingKeyFlags) { - throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`'); - } - - const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0; - if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) { - // This is only relevant for RSA keys, all other signing algorithms cannot decrypt - return true; - } - - return !signature.keyFlags || - (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 || - (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0; -} - /** * Check key against blacklisted algorithms and minimum strength requirements. * @param {SecretKeyPacket|PublicKeyPacket| diff --git a/src/key/key.js b/src/key/key.js index 0349ae96..43154a88 100644 --- a/src/key/key.js +++ b/src/key/key.js @@ -269,7 +269,7 @@ class Key { const bindingSignature = await helper.getLatestValidSignature( subkey.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config ); - if (!helper.isValidSigningKeyPacket(subkey.keyPacket, bindingSignature, config)) { + if (!helper.validateSigningKeyPacket(subkey.keyPacket, bindingSignature, config)) { continue; } if (!bindingSignature.embeddedSignature) { @@ -290,7 +290,7 @@ class Key { try { const selfCertification = await this.getPrimarySelfSignature(date, userID, config); if ((!keyID || primaryKey.getKeyID().equals(keyID)) && - helper.isValidSigningKeyPacket(primaryKey, selfCertification, config)) { + helper.validateSigningKeyPacket(primaryKey, selfCertification, config)) { helper.checkKeyRequirements(primaryKey, config); return this; } @@ -322,7 +322,7 @@ class Key { await subkey.verify(date, config); const dataToVerify = { key: primaryKey, bind: subkey.keyPacket }; const bindingSignature = await helper.getLatestValidSignature(subkey.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config); - if (helper.isValidEncryptionKeyPacket(subkey.keyPacket, bindingSignature, config)) { + if (helper.validateEncryptionKeyPacket(subkey.keyPacket, bindingSignature, config)) { helper.checkKeyRequirements(subkey.keyPacket, config); return subkey; } @@ -336,7 +336,7 @@ class Key { // if no valid subkey for encryption, evaluate primary key const selfCertification = await this.getPrimarySelfSignature(date, userID, config); if ((!keyID || primaryKey.getKeyID().equals(keyID)) && - helper.isValidEncryptionKeyPacket(primaryKey, selfCertification, config)) { + helper.validateEncryptionKeyPacket(primaryKey, selfCertification, config)) { helper.checkKeyRequirements(primaryKey, config); return this; } diff --git a/src/key/private_key.js b/src/key/private_key.js index 9fe89ca9..3c6fe474 100644 --- a/src/key/private_key.js +++ b/src/key/private_key.js @@ -85,7 +85,7 @@ class PrivateKey extends PublicKey { try { const dataToVerify = { key: primaryKey, bind: this.subkeys[i].keyPacket }; const bindingSignature = await helper.getLatestValidSignature(this.subkeys[i].bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config); - if (helper.isValidDecryptionKeyPacket(bindingSignature, config)) { + if (helper.validateDecryptionKeyPacket(this.subkeys[i].keyPacket, bindingSignature, config)) { keys.push(this.subkeys[i]); } } catch (e) {} @@ -95,7 +95,7 @@ class PrivateKey extends PublicKey { // evaluate primary key const selfCertification = await this.getPrimarySelfSignature(date, userID, config); if ((!keyID || primaryKey.getKeyID().equals(keyID, true)) && - helper.isValidDecryptionKeyPacket(selfCertification, config)) { + helper.validateDecryptionKeyPacket(primaryKey, selfCertification, config)) { keys.push(this); }