Mirroristas/openpgpjs
2
0
Fork 0
mirror of https://github.com/openpgpjs/openpgpjs.git synced 2025-06-24 15:12:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix openpgp.verify/decrypt with expectSigned: true and format: 'binary' (#1805)

Browse Source
This commit is contained in:
Daniel Huigens 2024-11-11 15:42:33 +01:00 committed by GitHub
parent 3f060660c2
commit ac1bfc0d60
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 307 additions and 282 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/openpgp.js
View File

@ -369,6 +369,7 @@ export async function decrypt({ message, decryptionKeys, passwords, sessionKeys,
result.data, result.data,
stream.fromAsync(async () => { stream.fromAsync(async () => {
await util.anyPromise(result.signatures.map(sig => sig.verified)); await util.anyPromise(result.signatures.map(sig => sig.verified));
return format === 'binary' ? new Uint8Array() : '';
}) })
]); ]);
} }
@ -500,6 +501,7 @@ export async function verify({ message, verificationKeys, expectSigned = false,
result.data, result.data,
stream.fromAsync(async () => { stream.fromAsync(async () => {
await util.anyPromise(result.signatures.map(sig => sig.verified)); await util.anyPromise(result.signatures.map(sig => sig.verified));
return format === 'binary' ? new Uint8Array() : '';
}) })
]); ]);
} }

587
test/general/openpgp.js
View File

@ -1480,170 +1480,186 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
await expect(openpgp.decrypt(decOpt)).to.be.rejectedWith('Error decrypting message: Decryption key is not decrypted.'); await expect(openpgp.decrypt(decOpt)).to.be.rejectedWith('Error decrypting message: Decryption key is not decrypted.');
}); });
it('decrypt/verify should succeed with valid signature (expectSigned=true)', async function () { ['binary', 'text'].forEach(format => {
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); describe(`decrypt/verify with expectSigned=true, format=${format}`, function() {
const privateKey = await openpgp.decryptKey({ const message =
privateKey: await openpgp.readKey({ armoredKey: priv_key }), format === 'binary' ? util.encodeUTF8(plaintext) :
passphrase plaintext;
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should succeed with valid signature (expectSigned=true)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
signingKeys: privateKey, const privateKey = await openpgp.decryptKey({
encryptionKeys: publicKey privateKey: await openpgp.readKey({ armoredKey: priv_key }),
}); passphrase
const { data, signatures } = await openpgp.decrypt({ });
message: await openpgp.readMessage({ armoredMessage: encrypted }),
decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true
});
expect(data).to.equal(plaintext);
expect(await signatures[0].verified).to.be.true;
});
it('decrypt/verify should throw on missing public keys (expectSigned=true)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const privateKey = await openpgp.decryptKey({ signingKeys: privateKey,
privateKey: await openpgp.readKey({ armoredKey: priv_key }), encryptionKeys: publicKey
passphrase });
}); const { data, signatures } = await openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: encrypted }),
decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true,
format
});
expect(data).to.deep.equal(message);
expect(await signatures[0].verified).to.be.true;
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should throw on missing public keys (expectSigned=true)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
encryptionKeys: publicKey, const privateKey = await openpgp.decryptKey({
signingKeys: privateKey privateKey: await openpgp.readKey({ armoredKey: priv_key }),
}); passphrase
await expect(openpgp.decrypt({ });
message: await openpgp.readMessage({ armoredMessage: encrypted }),
decryptionKeys: privateKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Verification keys are required/);
});
it('decrypt/verify should throw on missing signature (expectSigned=true)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const privateKey = await openpgp.decryptKey({ encryptionKeys: publicKey,
privateKey: await openpgp.readKey({ armoredKey: priv_key }), signingKeys: privateKey
passphrase });
}); await expect(openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: encrypted }),
decryptionKeys: privateKey,
expectSigned: true,
format
})).to.be.eventually.rejectedWith(/Verification keys are required/);
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should throw on missing signature (expectSigned=true)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
encryptionKeys: publicKey const privateKey = await openpgp.decryptKey({
}); privateKey: await openpgp.readKey({ armoredKey: priv_key }),
await expect(openpgp.decrypt({ passphrase
message: await openpgp.readMessage({ armoredMessage: encrypted }), });
decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
it('decrypt/verify should throw on invalid signature (expectSigned=true)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic(); encryptionKeys: publicKey
const privateKey = await openpgp.decryptKey({ });
privateKey: await openpgp.readKey({ armoredKey: priv_key }), await expect(openpgp.decrypt({
passphrase message: await openpgp.readMessage({ armoredMessage: encrypted }),
}); decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true,
format
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should throw on invalid signature (expectSigned=true)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
encryptionKeys: publicKey, const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic();
signingKeys: privateKey const privateKey = await openpgp.decryptKey({
}); privateKey: await openpgp.readKey({ armoredKey: priv_key }),
await expect(openpgp.decrypt({ passphrase
message: await openpgp.readMessage({ armoredMessage: encrypted }), });
decryptionKeys: privateKey,
verificationKeys: wrongPublicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Could not find signing key/);
});
it('decrypt/verify should succeed with valid signature (expectSigned=true, with streaming)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const privateKey = await openpgp.decryptKey({ encryptionKeys: publicKey,
privateKey: await openpgp.readKey({ armoredKey: priv_key }), signingKeys: privateKey
passphrase });
}); await expect(openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: encrypted }),
decryptionKeys: privateKey,
verificationKeys: wrongPublicKey,
expectSigned: true,
format
})).to.be.eventually.rejectedWith(/Could not find signing key/);
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should succeed with valid signature (expectSigned=true, with streaming)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
signingKeys: privateKey, const privateKey = await openpgp.decryptKey({
encryptionKeys: publicKey privateKey: await openpgp.readKey({ armoredKey: priv_key }),
}); passphrase
const { data: streamedData, signatures } = await openpgp.decrypt({ });
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true
});
const data = await stream.readToEnd(streamedData);
expect(data).to.equal(plaintext);
expect(await signatures[0].verified).to.be.true;
});
it('decrypt/verify should throw on missing public keys (expectSigned=true, with streaming)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const privateKey = await openpgp.decryptKey({ signingKeys: privateKey,
privateKey: await openpgp.readKey({ armoredKey: priv_key }), encryptionKeys: publicKey
passphrase });
}); const { data: streamedData, signatures } = await openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true,
format
});
const data = await stream.readToEnd(streamedData);
expect(data).to.deep.equal(message);
expect(await signatures[0].verified).to.be.true;
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should throw on missing public keys (expectSigned=true, with streaming)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
encryptionKeys: publicKey, const privateKey = await openpgp.decryptKey({
signingKeys: privateKey privateKey: await openpgp.readKey({ armoredKey: priv_key }),
}); passphrase
await expect(openpgp.decrypt({ });
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
decryptionKeys: privateKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Verification keys are required/);
});
it('decrypt/verify should throw on missing signature (expectSigned=true, with streaming)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const privateKey = await openpgp.decryptKey({ encryptionKeys: publicKey,
privateKey: await openpgp.readKey({ armoredKey: priv_key }), signingKeys: privateKey
passphrase });
}); await expect(openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
decryptionKeys: privateKey,
expectSigned: true,
format
})).to.be.eventually.rejectedWith(/Verification keys are required/);
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should throw on missing signature (expectSigned=true, with streaming)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
encryptionKeys: publicKey const privateKey = await openpgp.decryptKey({
}); privateKey: await openpgp.readKey({ armoredKey: priv_key }),
await expect(openpgp.decrypt({ passphrase
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }), });
decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
it('decrypt/verify should throw on invalid signature (expectSigned=true, with streaming)', async function () { const encrypted = await openpgp.encrypt({
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); message: await openpgp.createMessage({ [format]: message }),
const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic(); encryptionKeys: publicKey
const privateKey = await openpgp.decryptKey({ });
privateKey: await openpgp.readKey({ armoredKey: priv_key }), await expect(openpgp.decrypt({
passphrase message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
}); decryptionKeys: privateKey,
verificationKeys: publicKey,
expectSigned: true,
format
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
const encrypted = await openpgp.encrypt({ it('decrypt/verify should throw on invalid signature (expectSigned=true, with streaming)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
encryptionKeys: publicKey, const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic();
signingKeys: privateKey const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
});
const encrypted = await openpgp.encrypt({
message: await openpgp.createMessage({ [format]: message }),
encryptionKeys: publicKey,
signingKeys: privateKey
});
const { data: streamedData } = await openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
decryptionKeys: privateKey,
verificationKeys: wrongPublicKey,
expectSigned: true,
format
});
await expect(
stream.readToEnd(streamedData)
).to.be.eventually.rejectedWith(/Could not find signing key/);
});
}); });
const { data: streamedData } = await openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: stream.toStream(encrypted) }),
decryptionKeys: privateKey,
verificationKeys: wrongPublicKey,
expectSigned: true
});
await expect(
stream.readToEnd(streamedData)
).to.be.eventually.rejectedWith(/Could not find signing key/);
}); });
it('Supports decrypting with GnuPG dummy key', async function() { it('Supports decrypting with GnuPG dummy key', async function() {
@ -1792,151 +1808,158 @@ aOU=
openpgp.config.minRSABits = minRSABitsVal; openpgp.config.minRSABits = minRSABitsVal;
}); });
describe('message', function() { ['binary', 'text', 'cleartext'].forEach(format => {
verifyTests(false); describe(`verify ${format} message`, function() {
const createMessage = format === 'cleartext' ? openpgp.createCleartextMessage : openpgp.createMessage;
const readMessage = ({ armoredMessage }) => (
format === 'cleartext' ?
openpgp.readCleartextMessage({ cleartextMessage: armoredMessage }) :
openpgp.readMessage({ armoredMessage })
);
const message =
format === 'cleartext' ? util.removeTrailingSpaces(plaintext) :
format === 'binary' ? util.encodeUTF8(plaintext) :
plaintext;
it('verify should succeed with valid signature (expectSigned=true, with streaming)', async function () { const property = format === 'cleartext' ? 'text' : format;
const publicKey = await openpgp.readKey({ armoredKey: pub_key });
const privateKey = await openpgp.decryptKey({ it('verify should succeed with valid signature (expectSigned=true)', async function () {
privateKey: await openpgp.readKey({ armoredKey: priv_key }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
passphrase const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
});
const signed = await openpgp.sign({
message: await createMessage({ [property]: message }),
signingKeys: privateKey
});
const { data, signatures } = await openpgp.verify({
message: await readMessage({ armoredMessage: signed }),
verificationKeys: publicKey,
expectSigned: true,
format
});
expect(data).to.deep.equal(message);
expect(await signatures[0].verified).to.be.true;
}); });
const signed = await openpgp.sign({ it('verify should throw on missing signature (expectSigned=true)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const publicKey = await openpgp.readKey({ armoredKey: pub_key });
signingKeys: privateKey
});
const { data: streamedData, signatures } = await openpgp.verify({
message: await openpgp.readMessage({ armoredMessage: stream.toStream(signed) }),
verificationKeys: publicKey,
expectSigned: true
});
const data = await stream.readToEnd(streamedData);
expect(data).to.equal(plaintext);
expect(await signatures[0].verified).to.be.true;
});
it('verify should throw on missing signature (expectSigned=true, with streaming)', async function () { await expect(openpgp.verify({
message: await createMessage({ [property]: message }),
const publicKey = await openpgp.readKey({ armoredKey: pub_key }); verificationKeys: publicKey,
expectSigned: true,
await expect(openpgp.verify({ format
message: await openpgp.createMessage({ text: stream.toStream(plaintext) }), })).to.be.eventually.rejectedWith(/Message is not signed/);
verificationKeys: publicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
it('verify should throw on invalid signature (expectSigned=true, with streaming)', async function () {
const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic();
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
}); });
const signed = await openpgp.sign({ it('verify should throw on invalid signature (expectSigned=true)', async function () {
message: await openpgp.createMessage({ text: plaintext }), const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic();
signingKeys: privateKey const privateKey = await openpgp.decryptKey({
}); privateKey: await openpgp.readKey({ armoredKey: priv_key }),
const { data: streamedData } = await openpgp.verify({ passphrase
message: await openpgp.readMessage({ armoredMessage: stream.toStream(signed) }), });
verificationKeys: wrongPublicKey,
expectSigned: true
});
await expect(
stream.readToEnd(streamedData)
).to.be.eventually.rejectedWith(/Could not find signing key/);
});
it('verify should fail if the signature is re-used with a different message', async function () { const signed = await openpgp.sign({
const privateKey = await openpgp.decryptKey({ message: await createMessage({ [property]: message }),
privateKey: await openpgp.readKey({ armoredKey: priv_key }), signingKeys: privateKey
passphrase });
await expect(openpgp.verify({
message: await readMessage({ armoredMessage: signed }),
verificationKeys: wrongPublicKey,
expectSigned: true,
format
})).to.be.eventually.rejectedWith(/Could not find signing key/);
}); });
const message = await openpgp.createMessage({ text: 'a message' }); if (format !== 'cleartext') {
const armoredSignature = await openpgp.sign({ it('verify should succeed with valid signature (expectSigned=true, with streaming)', async function () {
message, const publicKey = await openpgp.readKey({ armoredKey: pub_key });
signingKeys: privateKey, const privateKey = await openpgp.decryptKey({
detached: true privateKey: await openpgp.readKey({ armoredKey: priv_key }),
}); passphrase
const { signatures } = await openpgp.verify({ });
message,
signature: await openpgp.readSignature({ armoredSignature }), const signed = await openpgp.sign({
verificationKeys: privateKey.toPublic() message: await openpgp.createMessage({ [property]: stream.toStream(message) }),
}); signingKeys: privateKey
expect(await signatures[0].verified).to.be.true; });
// pass a different message const { data: streamedData, signatures } = await openpgp.verify({
await expect(openpgp.verify({ message: await openpgp.readMessage({ armoredMessage: stream.toStream(signed) }),
message: await openpgp.createMessage({ text: 'a different message' }), verificationKeys: publicKey,
signature: await openpgp.readSignature({ armoredSignature }), expectSigned: true,
verificationKeys: privateKey.toPublic(), format
expectSigned: true });
})).to.be.rejectedWith(/digest did not match/); const data = await stream.readToEnd(streamedData);
expect(data).to.deep.equal(message);
expect(await signatures[0].verified).to.be.true;
});
it('verify should throw on missing signature (expectSigned=true, with streaming)', async function () {
const publicKey = await openpgp.readKey({ armoredKey: pub_key });
await expect(openpgp.verify({
message: await openpgp.createMessage({ [property]: stream.toStream(message) }),
verificationKeys: publicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
it('verify should throw on invalid signature (expectSigned=true, with streaming)', async function () {
const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic();
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
});
const signed = await openpgp.sign({
message: await openpgp.createMessage({ [property]: stream.toStream(message) }),
signingKeys: privateKey
});
const { data: streamedData } = await openpgp.verify({
message: await openpgp.readMessage({ armoredMessage: stream.toStream(signed) }),
verificationKeys: wrongPublicKey,
expectSigned: true
});
await expect(
stream.readToEnd(streamedData)
).to.be.eventually.rejectedWith(/Could not find signing key/);
});
it('verify should fail if the signature is re-used with a different message', async function () {
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
});
const correctMessage = await createMessage({ [property]: message });
const armoredSignature = await openpgp.sign({
message: correctMessage,
signingKeys: privateKey,
detached: true
});
const { signatures } = await openpgp.verify({
message: correctMessage,
signature: await openpgp.readSignature({ armoredSignature }),
verificationKeys: privateKey.toPublic()
});
expect(await signatures[0].verified).to.be.true;
// pass a different message
const wrongMessage =
format === 'binary' ? util.encodeUTF8('a different message') :
'a different message';
await expect(openpgp.verify({
message: await createMessage({ [property]: wrongMessage }),
signature: await openpgp.readSignature({ armoredSignature }),
verificationKeys: privateKey.toPublic(),
expectSigned: true
})).to.be.rejectedWith(/digest did not match/);
});
}
}); });
}); });
describe('cleartext message', function() {
verifyTests(true);
});
function verifyTests(useCleartext) {
const createMessage = useCleartext ? openpgp.createCleartextMessage : openpgp.createMessage;
const readMessage = ({ armoredMessage }) => (
useCleartext ?
openpgp.readCleartextMessage({ cleartextMessage: armoredMessage }) :
openpgp.readMessage({ armoredMessage })
);
const text = useCleartext ? util.removeTrailingSpaces(plaintext) : plaintext;
it('verify should succeed with valid signature (expectSigned=true)', async function () {
const publicKey = await openpgp.readKey({ armoredKey: pub_key });
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
});
const signed = await openpgp.sign({
message: await createMessage({ text }),
signingKeys: privateKey
});
const { data, signatures } = await openpgp.verify({
message: await readMessage({ armoredMessage: signed }),
verificationKeys: publicKey,
expectSigned: true
});
expect(data).to.equal(text);
expect(await signatures[0].verified).to.be.true;
});
it('verify should throw on missing signature (expectSigned=true)', async function () {
const publicKey = await openpgp.readKey({ armoredKey: pub_key });
await expect(openpgp.verify({
message: await createMessage({ text }),
verificationKeys: publicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Message is not signed/);
});
it('verify should throw on invalid signature (expectSigned=true)', async function () {
const wrongPublicKey = (await openpgp.readKey({ armoredKey: priv_key_2000_2008 })).toPublic();
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key }),
passphrase
});
const signed = await openpgp.sign({
message: await createMessage({ text }),
signingKeys: privateKey
});
await expect(openpgp.verify({
message: await readMessage({ armoredMessage: signed }),
verificationKeys: wrongPublicKey,
expectSigned: true
})).to.be.eventually.rejectedWith(/Could not find signing key/);
});
}
}); });
describe('sign - unit tests', function() { describe('sign - unit tests', function() {