suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove primaryKey argument from User methods, rename User.sign to User.certify (#1329)

Browse Source 
- Add `User.mainKey` field to store a reference to the corresponding `Key`,
allowing to simplify calling some `User` methods.
- Rename `User.sign` to `User.certify`, since it's used for third-party
certifications and not as a counterpart of `User.verify`, which deals with
self-signatures.
- Change `Key.update` behaviour to store a copy of newly added users and
subkeys. Pointing to the same instance could give issues as the lists of
certifications and signatures could be altered by both the source key and the
updated one.

Breaking changes in `User` methods:
- `User.constructor(userPacket)` -> `constructor(userPacket, mainKey)`
- `User.sign(primaryKey, signingKeys, date, config)` -> `.certify(signingKeys,
date, config)`
- `User.verify(primaryKey, date = new Date(), config)` -> `.verify(date = new
Date(), config)`
- `User.verifyCertificate(primaryKey, certificate, verificationKeys, date = new
Date(), config)` -> `.verifyCertificate(certificate, verificationKeys, date =
new Date(), config)`
- `User.verifyAllCertifications(primaryKey, verificationKeys, date = new
Date(), config)` -> `.verifyAllCertifications(verificationKeys, date = new
Date(), config)`
- `User.isRevoked(primaryKey, certificate, keyPacket, date = new Date(),
config)` -> `.isRevoked(certificate, keyPacket, date = new Date(), config)`
- `User.update(sourceUser, primaryKey, date, config)` -> `.update(sourceUser,
date, config)`
This commit is contained in:
larabr 2021-06-15 17:42:00 +02:00 committed by GitHub
parent e785df4c8f
commit 1166de205c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 142 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/key/helper.js
View File

@ -247,7 +247,7 @@ export async function mergeSignatures(source, dest, attr, date = new Date(), che
* @param {PublicSubkeyPacket|
* SecretSubkeyPacket|
* PublicKeyPacket|
* SecretKeyPacket} key, optional The key packet to check the signature
* SecretKeyPacket} key, optional The key packet to verify the signature, instead of the primary key
* @param {Date} date - Use the given date instead of the current time
* @param {Object} config - Full configuration
* @returns {Promise<Boolean>} True if the signature revokes the data.

62
src/key/key.js
View File

@ -70,7 +70,7 @@ class Key {
break;
case enums.packet.userID:
case enums.packet.userAttribute:
user = new User(packet);
user = new User(packet, this);
this.users.push(user);
break;
case enums.packet.publicSubkey:
@ -440,7 +440,7 @@ class Key {
throw exception || new Error('Could not find primary user');
}
await Promise.all(users.map(async function (a) {
return a.user.revoked || a.user.isRevoked(primaryKey, a.selfCertification, null, date, config);
return a.user.revoked || a.user.isRevoked(a.selfCertification, null, date, config);
}));
// sort by primary user flag and signature creation time
const primaryUser = users.sort(function(a, b) {
@ -449,7 +449,7 @@ class Key {
return B.revoked - A.revoked || A.isPrimaryUserID - B.isPrimaryUserID || A.created - B.created;
}).pop();
const { user, selfCertification: cert } = primaryUser;
if (cert.revoked || await user.isRevoked(primaryKey, cert, null, date, config)) {
if (cert.revoked || await user.isRevoked(cert, null, date, config)) {
throw new Error('Primary user is revoked');
}
return primaryUser;
@ -507,10 +507,12 @@ class Key {
));
if (usersToUpdate.length > 0) {
await Promise.all(
usersToUpdate.map(userToUpdate => userToUpdate.update(srcUser, updatedKey.keyPacket, date, config))
usersToUpdate.map(userToUpdate => userToUpdate.update(srcUser, date, config))
);
} else {
updatedKey.users.push(srcUser);
const newUser = srcUser.clone();
newUser.mainKey = updatedKey;
updatedKey.users.push(newUser);
}
}));
// update subkeys
@ -524,7 +526,9 @@ class Key {
subkeysToUpdate.map(subkeyToUpdate => subkeyToUpdate.update(srcSubkey, date, config))
);
} else {
updatedKey.subkeys.push(srcSubkey);
const newSubkey = srcSubkey.clone();
newSubkey.mainKey = updatedKey;
updatedKey.subkeys.push(newSubkey);
}
}));
@ -588,7 +592,7 @@ class Key {
*/
async signPrimaryUser(privateKeys, date, userID, config = defaultConfig) {
const { index, user } = await this.getPrimaryUser(date, userID, config);
const userSign = await user.sign(this.keyPacket, privateKeys, date, config);
const userSign = await user.certify(privateKeys, date, config);
const key = this.clone();
key.users[index] = userSign;
return key;
@ -603,10 +607,9 @@ class Key {
* @async
*/
async signAllUsers(privateKeys, date = new Date(), config = defaultConfig) {
const that = this;
const key = this.clone();
key.users = await Promise.all(this.users.map(function(user) {
return user.sign(that.keyPacket, privateKeys, date, config);
return user.certify(privateKeys, date, config);
}));
return key;
}
@ -615,21 +618,23 @@ class Key {
* Verifies primary user of key
* - if no arguments are given, verifies the self certificates;
* - otherwise, verifies all certificates signed with given keys.
* @param {Array<Key>} keys - array of keys to verify certificate signatures
* @param {Array<PublicKey>} [verificationKeys] - array of keys to verify certificate signatures, instead of the primary key
* @param {Date} [date] - Use the given date for verification instead of the current time
* @param {Object} [userID] - User ID to get instead of the primary user, if it exists
* @param {Object} [config] - Full configuration, defaults to openpgp.config
* @returns {Promise<Array<{
* keyID: module:type/keyid~KeyID,
* valid: Boolean
* }>>} List of signer's keyID and validity of signature
* valid: Boolean|null
* }>>} List of signer's keyID and validity of signature.
* Signature validity is null if the verification keys do not correspond to the certificate.
* @async
*/
async verifyPrimaryUser(keys, date = new Date(), userID, config = defaultConfig) {
async verifyPrimaryUser(verificationKeys, date = new Date(), userID, config = defaultConfig) {
const primaryKey = this.keyPacket;
const { user } = await this.getPrimaryUser(date, userID, config);
const results = keys ? await user.verifyAllCertifications(primaryKey, keys, date, config) :
[{ keyID: primaryKey.getKeyID(), valid: await user.verify(primaryKey, date, config).catch(() => false) }];
const results = verificationKeys ?
await user.verifyAllCertifications(verificationKeys, date, config) :
[{ keyID: primaryKey.getKeyID(), valid: await user.verify(date, config).catch(() => false) }];
return results;
}
@ -637,29 +642,32 @@ class Key {
* Verifies all users of key
* - if no arguments are given, verifies the self certificates;
* - otherwise, verifies all certificates signed with given keys.
* @param {Array<Key>} keys - array of keys to verify certificate signatures
* @param {Array<PublicKey>} [verificationKeys] - array of keys to verify certificate signatures
* @param {Date} [date] - Use the given date for verification instead of the current time
* @param {Object} [config] - Full configuration, defaults to openpgp.config
* @returns {Promise<Array<{
* userID: String,
* keyID: module:type/keyid~KeyID,
* valid: Boolean
* }>>} List of userID, signer's keyID and validity of signature
* valid: Boolean|null
* }>>} List of userID, signer's keyID and validity of signature.
* Signature validity is null if the verification keys do not correspond to the certificate.
* @async
*/
async verifyAllUsers(keys, date = new Date(), config = defaultConfig) {
const results = [];
async verifyAllUsers(verificationKeys, date = new Date(), config = defaultConfig) {
const primaryKey = this.keyPacket;
await Promise.all(this.users.map(async function(user) {
const signatures = keys ? await user.verifyAllCertifications(primaryKey, keys, date, config) :
[{ keyID: primaryKey.getKeyID(), valid: await user.verify(primaryKey, date, config).catch(() => false) }];
signatures.forEach(signature => {
results.push({
const results = [];
await Promise.all(this.users.map(async user => {
const signatures = verificationKeys ?
await user.verifyAllCertifications(verificationKeys, date, config) :
[{ keyID: primaryKey.getKeyID(), valid: await user.verify(date, config).catch(() => false) }];
results.push(...signatures.map(
signature => ({
userID: user.userID.userID,
keyID: signature.keyID,
valid: signature.valid
});
});
}))
);
}));
return results;
}

11
src/key/subkey.js
View File

@ -41,6 +41,17 @@ class Subkey {
return packetlist;
}
/**
* Shallow clone
* @return {Subkey}
*/
clone() {
const subkey = new Subkey(this.keyPacket, this.mainKey);
subkey.bindingSignatures = [...this.bindingSignatures];
subkey.revocationSignatures = [...this.revocationSignatures];
return subkey;
}
/**
* Checks if a binding signature of a subkey is revoked
* @param {SignaturePacket} signature - The binding signature to verify

136
src/key/user.js
View File

@ -10,14 +10,17 @@ import { mergeSignatures, isDataRevoked, createSignaturePacket } from './helper'
/**
* Class that represents an user ID or attribute packet and the relevant signatures.
* @param {UserIDPacket|UserAttributePacket} userPacket - packet containing the user info
* @param {Key} mainKey - reference to main Key object containing the primary key and subkeys that the user is associated with
*/
class User {
constructor(userPacket) {
constructor(userPacket, mainKey) {
this.userID = userPacket.constructor.tag === enums.packet.userID ? userPacket : null;
this.userAttribute = userPacket.constructor.tag === enums.packet.userAttribute ? userPacket : null;
this.selfCertifications = [];
this.otherCertifications = [];
this.revocationSignatures = [];
this.mainKey = mainKey;
}
/**
@ -34,28 +37,39 @@ class User {
}
/**
* Signs user
* @param {SecretKeyPacket|
* PublicKeyPacket} primaryKey The primary key packet
* @param {Array<Key>} privateKeys - Decrypted private keys for signing
* @param {Date} date - Date to overwrite creation date of the signature
* Shallow clone
* @returns {User}
*/
clone() {
const user = new User(this.userID || this.userAttribute, this.mainKey);
user.selfCertifications = [...this.selfCertifications];
user.otherCertifications = [...this.otherCertifications];
user.revocationSignatures = [...this.revocationSignatures];
return user;
}
/**
* Generate third-party certifications over this user and its primary key
* @param {Array<PrivateKey>} signingKeys - Decrypted private keys for signing
* @param {Date} [date] - Date to use as creation date of the certificate, instead of the current time
* @param {Object} config - Full configuration
* @returns {Promise<Key>} New user with new certificate signatures.
* @returns {Promise<User>} New user with new certifications.
* @async
*/
async sign(primaryKey, privateKeys, date, config) {
async certify(signingKeys, date, config) {
const primaryKey = this.mainKey.keyPacket;
const dataToSign = {
userID: this.userID,
userAttribute: this.userAttribute,
key: primaryKey
};
const user = new User(dataToSign.userID || dataToSign.userAttribute);
user.otherCertifications = await Promise.all(privateKeys.map(async function(privateKey) {
const user = new User(dataToSign.userID || dataToSign.userAttribute, this.mainKey);
user.otherCertifications = await Promise.all(signingKeys.map(async function(privateKey) {
if (privateKey.isPublic()) {
throw new Error('Need private key for signing');
}
if (privateKey.hasSameFingerprintAs(primaryKey)) {
throw new Error('Not implemented for self signing');
throw new Error("The user's own key can only be used for self-certifications");
}
const signingKey = await privateKey.getSigningKey(undefined, date, undefined, config);
return createSignaturePacket(dataToSign, privateKey, signingKey.keyPacket, {
@ -64,59 +78,57 @@ class User {
keyFlags: [enums.keyFlags.certifyKeys | enums.keyFlags.signData]
}, date, undefined, undefined, config);
}));
await user.update(this, primaryKey, date, config);
await user.update(this, date, config);
return user;
}
/**
* Checks if a given certificate of the user is revoked
* @param {SecretKeyPacket|
* PublicKeyPacket} primaryKey The primary key packet
* @param {SignaturePacket} certificate - The certificate to verify
* @param {PublicSubkeyPacket|
* SecretSubkeyPacket|
* PublicKeyPacket|
* SecretKeyPacket} key, optional The key to verify the signature
* @param {Date} date - Use the given date instead of the current time
* SecretKeyPacket} [keyPacket] The key packet to verify the signature, instead of the primary key
* @param {Date} [date] - Use the given date for verification instead of the current time
* @param {Object} config - Full configuration
* @returns {Promise<Boolean>} True if the certificate is revoked.
* @async
*/
async isRevoked(primaryKey, certificate, key, date = new Date(), config) {
return isDataRevoked(
primaryKey, enums.signature.certRevocation, {
key: primaryKey,
userID: this.userID,
userAttribute: this.userAttribute
}, this.revocationSignatures, certificate, key, date, config
);
async isRevoked(certificate, keyPacket, date = new Date(), config) {
const primaryKey = this.mainKey.keyPacket;
return isDataRevoked(primaryKey, enums.signature.certRevocation, {
key: primaryKey,
userID: this.userID,
userAttribute: this.userAttribute
}, this.revocationSignatures, certificate, keyPacket, date, config);
}
/**
* Verifies the user certificate. Throws if the user certificate is invalid.
* @param {SecretKeyPacket|
* PublicKeyPacket} primaryKey The primary key packet
* Verifies the user certificate.
* @param {SignaturePacket} certificate - A certificate of this user
* @param {Array<Key>} keys - Array of keys to verify certificate signatures
* @param {Date} date - Use the given date instead of the current time
* @param {Array<PublicKey>} verificationKeys - Array of keys to verify certificate signatures
* @param {Date} [date] - Use the given date instead of the current time
* @param {Object} config - Full configuration
* @returns {Promise<true|null>} Status of the certificate.
* @returns {Promise<true|null>} true if the certificate could be verified, or null if the verification keys do not correspond to the certificate
* @throws if the user certificate is invalid.
* @async
*/
async verifyCertificate(primaryKey, certificate, keys, date = new Date(), config) {
async verifyCertificate(certificate, verificationKeys, date = new Date(), config) {
const that = this;
const keyID = certificate.issuerKeyID;
const primaryKey = this.mainKey.keyPacket;
const dataToVerify = {
userID: this.userID,
userAttribute: this.userAttribute,
key: primaryKey
};
const results = await Promise.all(keys.map(async function(key) {
if (!key.getKeyIDs().some(id => id.equals(keyID))) {
return null;
}
const signingKey = await key.getSigningKey(keyID, certificate.created, undefined, config);
if (certificate.revoked || await that.isRevoked(primaryKey, certificate, signingKey.keyPacket, date, config)) {
const { issuerKeyID } = certificate;
const issuerKeys = verificationKeys.filter(key => key.getKeys(issuerKeyID).length > 0);
if (issuerKeys.length === 0) {
return null;
}
await Promise.all(issuerKeys.map(async key => {
const signingKey = await key.getSigningKey(issuerKeyID, certificate.created, undefined, config);
if (certificate.revoked || await that.isRevoked(certificate, signingKey.keyPacket, date, config)) {
throw new Error('User certificate is revoked');
}
try {
@ -124,51 +136,46 @@ class User {
} catch (e) {
throw util.wrapError('User certificate is invalid', e);
}
return true;
}));
return results.find(result => result !== null) || null;
return true;
}
/**
* Verifies all user certificates
* @param {SecretKeyPacket|
* PublicKeyPacket} primaryKey The primary key packet
* @param {Array<Key>} keys - Array of keys to verify certificate signatures
* @param {Date} date - Use the given date instead of the current time
* @param {Array<PublicKey>} verificationKeys - Array of keys to verify certificate signatures
* @param {Date} [date] - Use the given date instead of the current time
* @param {Object} config - Full configuration
* @returns {Promise<Array<{
* keyID: module:type/keyid~KeyID,
* valid: Boolean
* }>>} List of signer's keyID and validity of signature
* valid: Boolean | null
* }>>} List of signer's keyID and validity of signature.
* Signature validity is null if the verification keys do not correspond to the certificate.
* @async
*/
async verifyAllCertifications(primaryKey, keys, date = new Date(), config) {
async verifyAllCertifications(verificationKeys, date = new Date(), config) {
const that = this;
const certifications = this.selfCertifications.concat(this.otherCertifications);
return Promise.all(certifications.map(async function(certification) {
return {
keyID: certification.issuerKeyID,
valid: await that.verifyCertificate(primaryKey, certification, keys, date, config).catch(() => false)
};
}));
return Promise.all(certifications.map(async certification => ({
keyID: certification.issuerKeyID,
valid: await that.verifyCertificate(certification, verificationKeys, date, config).catch(() => false)
})));
}
/**
* Verify User. Checks for existence of self signatures, revocation signatures
* and validity of self signature.
* @param {SecretKeyPacket|
* PublicKeyPacket} primaryKey The primary key packet
* @param {Date} date - Use the given date instead of the current time
* @param {Object} config - Full configuration
* @returns {Promise<true>} Status of user.
* @throws {Error} if there are no valid self signatures.
* @async
*/
async verify(primaryKey, date = new Date(), config) {
async verify(date = new Date(), config) {
if (!this.selfCertifications.length) {
throw new Error('No self-certifications');
throw new Error('No self-certifications found');
}
const that = this;
const primaryKey = this.mainKey.keyPacket;
const dataToVerify = {
userID: this.userID,
userAttribute: this.userAttribute,
@ -179,7 +186,7 @@ class User {
for (let i = this.selfCertifications.length - 1; i >= 0; i--) {
try {
const selfCertification = this.selfCertifications[i];
if (selfCertification.revoked || await that.isRevoked(primaryKey, selfCertification, undefined, date, config)) {
if (selfCertification.revoked || await that.isRevoked(selfCertification, undefined, date, config)) {
throw new Error('Self-certification is revoked');
}
try {
@ -197,22 +204,21 @@ class User {
/**
* Update user with new components from specified user
* @param {User} user - Source user to merge
* @param {SecretKeyPacket|
* SecretSubkeyPacket} primaryKey primary key used for validation
* @param {User} sourceUser - Source user to merge
* @param {Date} date - Date to verify the validity of signatures
* @param {Object} config - Full configuration
* @returns {Promise<undefined>}
* @async
*/
async update(user, primaryKey, date, config) {
async update(sourceUser, date, config) {
const primaryKey = this.mainKey.keyPacket;
const dataToVerify = {
userID: this.userID,
userAttribute: this.userAttribute,
key: primaryKey
};
// self signatures
await mergeSignatures(user, this, 'selfCertifications', date, async function(srcSelfSig) {
await mergeSignatures(sourceUser, this, 'selfCertifications', date, async function(srcSelfSig) {
try {
await srcSelfSig.verify(primaryKey, enums.signature.certGeneric, dataToVerify, date, false, config);
return true;
@ -221,9 +227,9 @@ class User {
}
});
// other signatures
await mergeSignatures(user, this, 'otherCertifications', date);
await mergeSignatures(sourceUser, this, 'otherCertifications', date);
// revocation signatures
await mergeSignatures(user, this, 'revocationSignatures', date, function(srcRevSig) {
await mergeSignatures(sourceUser, this, 'revocationSignatures', date, function(srcRevSig) {
return isDataRevoked(primaryKey, enums.signature.certRevocation, dataToVerify, [srcRevSig], undefined, undefined, date, config);
});
}

29
test/general/key.js
View File

@ -2840,7 +2840,7 @@ module.exports = () => describe('Key', function() {
expect(signatures[1].valid).to.be.false;
const { user } = await pubKey.getPrimaryUser();
await expect(user.verifyCertificate(pubKey.keyPacket, user.otherCertifications[0], [certifyingKey], undefined, openpgp.config)).to.be.rejectedWith('User certificate is revoked');
await expect(user.verifyCertificate(user.otherCertifications[0], [certifyingKey], undefined, openpgp.config)).to.be.rejectedWith('User certificate is revoked');
} finally {
openpgp.config.rejectPublicKeyAlgorithms = rejectPublicKeyAlgorithms;
}
@ -2854,10 +2854,10 @@ module.exports = () => describe('Key', function() {
it('Verify certificate of key with future creation date', async function() {
const pubKey = await openpgp.readKey({ armoredKey: key_created_2030 });
const user = pubKey.users[0];
await user.verifyCertificate(pubKey.keyPacket, user.selfCertifications[0], [pubKey], pubKey.keyPacket.created, openpgp.config);
const verifyAllResult = await user.verifyAllCertifications(pubKey.keyPacket, [pubKey], pubKey.keyPacket.created);
await user.verifyCertificate(user.selfCertifications[0], [pubKey], pubKey.keyPacket.created, openpgp.config);
const verifyAllResult = await user.verifyAllCertifications([pubKey], pubKey.keyPacket.created, openpgp.config);
expect(verifyAllResult[0].valid).to.be.true;
await user.verify(pubKey.keyPacket, pubKey.keyPacket.created);
await user.verify(pubKey.keyPacket.created, openpgp.config);
});
it('Evaluate key flags to find valid encryption key packet', async function() {
@ -3118,10 +3118,16 @@ module.exports = () => describe('Key', function() {
const dest = await openpgp.readKey({ armoredKey: pub_sig_test });
expect(source.users[1]).to.exist;
dest.users.pop();
return dest.update(source).then(updated => {
expect(updated.users[1]).to.exist;
expect(updated.users[1].userID).to.equal(source.users[1].userID);
});
const updated = await dest.update(source);
expect(updated.users[1]).to.exist;
expect(updated.users[1].userID).to.equal(source.users[1].userID);
expect(updated.users[1].selfCertifications.length).to.equal(source.users[1].selfCertifications.length);
// check that the added users stores certifications separately
updated.users[1].selfCertifications.pop();
expect(updated.users[1].selfCertifications.length).to.not.equal(source.users[1].selfCertifications.length);
// merge self-signatures
const updatedAgain = await updated.update(source);
expect(updatedAgain.users[1].selfCertifications.length).to.equal(source.users[1].selfCertifications.length);
});
it('update() - merge user - other and certification revocation signatures', async function() {
@ -3151,6 +3157,13 @@ module.exports = () => describe('Key', function() {
).to.equal(
source.subkeys[1].getKeyID().toHex()
);
expect(updated.subkeys[1].bindingSignatures.length).to.equal(source.subkeys[1].bindingSignatures.length);
// check that the added subkey stores binding signatures separately
updated.subkeys[1].bindingSignatures.pop();
expect(updated.subkeys[1].bindingSignatures.length).to.not.equal(source.subkeys[1].bindingSignatures.length);
// merge binding signature
const updatedAgain = await updated.update(source);
expect(updatedAgain.subkeys[1].bindingSignatures.length).to.equal(source.subkeys[1].bindingSignatures.length);
});
it('update() - merge subkey - revocation signature', async function() {

2
test/general/signature.js
View File

@ -1623,7 +1623,7 @@ iTuGu4fEU1UligAXSrZmCdE=
const key = await openpgp.readKey({ armoredKey: armoredKeyWithPhoto });
await Promise.all(key.users.map(async user => {
await user.verify(key.keyPacket);
await user.verify(undefined, openpgp.config);
}));
});

8
test/general/x25519.js
View File

@ -407,9 +407,7 @@ function omnibus() {
await certificate.verify(
primaryKey, openpgp.enums.signature.certGeneric, { userID: user.userID, key: primaryKey }
);
await user.verifyCertificate(
primaryKey, certificate, [hi.toPublic()], undefined, openpgp.config
);
await user.verifyCertificate(certificate, [hi.toPublic()], undefined, openpgp.config);
const options = {
userIDs: { name: "Bye", email: "bye@good.bye" },
@ -428,9 +426,7 @@ function omnibus() {
await certificate.verify(
bye.keyPacket, openpgp.enums.signature.certGeneric, { userID: user.userID, key: bye.keyPacket }
);
await user.verifyCertificate(
bye.keyPacket, user.selfCertifications[0], [bye.toPublic()], undefined, openpgp.config
);
await user.verifyCertificate(user.selfCertifications[0], [bye.toPublic()], undefined, openpgp.config);
return Promise.all([
// Hi trusts Bye!