Mirroristas/openpgpjs
2
0
Fork 0
mirror of https://github.com/openpgpjs/openpgpjs.git synced 2026-03-02 15:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f5b5b73f078a8222c6ebb3e95cd3bf1d47bb933f
openpgpjs/src/packet/public_key_encrypted_session_key.js
larabr 22a68878e4 Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys (#1445) 
Implement optional constant-time decryption flow to hinder Bleichenbacher-like
attacks against RSA- and ElGamal public-key encrypted session keys.

Changes:
- Add `config.constantTimePKCS1Decryption` to enable the constant-time
processing (defaults to `false`). The constant-time option is off by default
since it has measurable performance impact on message decryption, and it is
only helpful in specific application scenarios (more info below).
- Add `config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms`
(defaults to the AES algorithms). The set of supported ciphers is restricted by
default since the number of algorithms negatively affects performance.

Bleichenbacher-like attacks are of concern for applications where both of the
following conditions are met:
1. new/incoming messages are automatically decrypted (without user
interaction);
2. an attacker can determine how long it takes to decrypt each message (e.g.
due to decryption errors being logged remotely).
2022-01-19 19:05:43 +01:00

158 lines
6.3 KiB
JavaScript
Raw Blame History

// GPG4Browsers - An OpenPGP implementation in javascript
// Copyright (C) 2011 Recurity Labs GmbH
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
// License as published by the Free Software Foundation; either
// version 3.0 of the License, or (at your option) any later version.
//
// This library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public
// License along with this library; if not, write to the Free Software
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
import KeyID from '../type/keyid';
import crypto from '../crypto';
import enums from '../enums';
import util from '../util';
import { UnsupportedError } from './packet';
const VERSION = 3;
/**
* Public-Key Encrypted Session Key Packets (Tag 1)
*
* {@link https://tools.ietf.org/html/rfc4880#section-5.1|RFC4880 5.1}:
* A Public-Key Encrypted Session Key packet holds the session key
* used to encrypt a message. Zero or more Public-Key Encrypted Session Key
* packets and/or Symmetric-Key Encrypted Session Key packets may precede a
* Symmetrically Encrypted Data Packet, which holds an encrypted message. The
* message is encrypted with the session key, and the session key is itself
* encrypted and stored in the Encrypted Session Key packet(s). The
* Symmetrically Encrypted Data Packet is preceded by one Public-Key Encrypted
* Session Key packet for each OpenPGP key to which the message is encrypted.
* The recipient of the message finds a session key that is encrypted to their
* public key, decrypts the session key, and then uses the session key to
* decrypt the message.
*/
class PublicKeyEncryptedSessionKeyPacket {
static get tag() {
return enums.packet.publicKeyEncryptedSessionKey;
}
constructor() {
this.version = 3;
this.publicKeyID = new KeyID();
this.publicKeyAlgorithm = null;
this.sessionKey = null;
/**
* Algorithm to encrypt the message with
* @type {enums.symmetric}
*/
this.sessionKeyAlgorithm = null;
/** @type {Object} */
this.encrypted = {};
}
/**
* Parsing function for a publickey encrypted session key packet (tag 1).
*
* @param {Uint8Array} bytes - Payload of a tag 1 packet
*/
read(bytes) {
this.version = bytes[0];
if (this.version !== VERSION) {
throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);
}
this.publicKeyID.read(bytes.subarray(1, bytes.length));
this.publicKeyAlgorithm = bytes[9];
this.encrypted = crypto.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(10));
}
/**
* Create a binary representation of a tag 1 packet
*
* @returns {Uint8Array} The Uint8Array representation.
*/
write() {
const arr = [
new Uint8Array([this.version]),
this.publicKeyID.write(),
new Uint8Array([this.publicKeyAlgorithm]),
crypto.serializeParams(this.publicKeyAlgorithm, this.encrypted)
];
return util.concatUint8Array(arr);
}
/**
* Encrypt session key packet
* @param {PublicKeyPacket} key - Public key
* @throws {Error} if encryption failed
* @async
*/
async encrypt(key) {
const data = util.concatUint8Array([
new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
this.sessionKey,
util.writeChecksum(this.sessionKey)
]);
const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
this.encrypted = await crypto.publicKeyEncrypt(
algo, key.publicParams, data, key.getFingerprintBytes());
}
/**
* Decrypts the session key (only for public key encrypted session key packets (tag 1)
* @param {SecretKeyPacket} key - decrypted private key
* @param {Object} [randomSessionKey] - Bogus session key to use in case of sensitive decryption error, or if the decrypted session key is of a different type/size.
* This is needed for constant-time processing. Expected object of the form: { sessionKey: Uint8Array, sessionKeyAlgorithm: enums.symmetric }
* @throws {Error} if decryption failed, unless `randomSessionKey` is given
* @async
*/
async decrypt(key, randomSessionKey) {
// check that session key algo matches the secret key algo
if (this.publicKeyAlgorithm !== key.algorithm) {
throw new Error('Decryption error');
}
const randomPayload = randomSessionKey ? util.concatUint8Array([
new Uint8Array([randomSessionKey.sessionKeyAlgorithm]),
randomSessionKey.sessionKey,
util.writeChecksum(randomSessionKey.sessionKey)
]) : null;
const decoded = await crypto.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
const symmetricAlgoByte = decoded[0];
const sessionKey = decoded.subarray(1, decoded.length - 2);
const checksum = decoded.subarray(decoded.length - 2);
const computedChecksum = util.writeChecksum(sessionKey);
const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
if (randomSessionKey) {
// We must not leak info about the validity of the decrypted checksum or cipher algo.
// The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
const isValidPayload = isValidChecksum & symmetricAlgoByte === randomSessionKey.sessionKeyAlgorithm & sessionKey.length === randomSessionKey.sessionKey.length;
this.sessionKeyAlgorithm = util.selectUint8(isValidPayload, symmetricAlgoByte, randomSessionKey.sessionKeyAlgorithm);
this.sessionKey = util.selectUint8Array(isValidPayload, sessionKey, randomSessionKey.sessionKey);
} else {
const isValidPayload = isValidChecksum && enums.read(enums.symmetric, symmetricAlgoByte);
if (isValidPayload) {
this.sessionKey = sessionKey;
this.sessionKeyAlgorithm = symmetricAlgoByte;
} else {
throw new Error('Decryption error');
}
}
}
}
export default PublicKeyEncryptedSessionKeyPacket;
Reference in New Issue View Git Blame Copy Permalink