suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check key requirements in PrivateKey.addSubkey() (#1423)

Browse Source 
Breaking change:
when generating new subkeys through `key.addSubkey()`, we now check
`config.rejectCurves` and prevent adding subkeys using the corresponding
curves.
By default, `config.rejectCurves` includes the brainpool curves
(`brainpoolP256r1`, `brainpoolP384r1`, `brainpoolP512r1`) and the Bitcoin curve
(`secp256k1`).

This is a follow up to #1395 , which introduced the same check to
`openpgp.generateKey`.
This commit is contained in:
larabr 2021-12-01 17:04:02 +01:00 committed by GitHub
parent 2894b35d66
commit 6fc005f19c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/key/private_key.js
View File

@ -230,6 +230,7 @@ class PrivateKey extends PublicKey {
defaultOptions.curve = defaultOptions.curve || 'curve25519';
options = helper.sanitizeKeyOptions(options, defaultOptions);
const keyPacket = await helper.generateSecretSubkey(options);
helper.checkKeyRequirements(keyPacket, config);
const bindingSignature = await helper.createBindingSignature(keyPacket, secretKeyPacket, options, config);
const packetList = this.toPacketList();
packetList.push(keyPacket, bindingSignature);

24
test/general/key.js
View File

@ -3629,6 +3629,30 @@ VYGdb3eNlV8CfoEC
expect(newKey.subkeys[total].getAlgorithmInfo().bits).to.equal(Math.max(key.getAlgorithmInfo().bits, openpgp.config.minRSABits));
});
it('should throw when trying to add a new default subkey to an ecc key that uses a blacklisted curve (brainpool)', async function() {
const armoredBrainpoolKey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
xXgEYW7c5RMJKyQDAwIIAQEHAgMEhb5YqML5gwfkorwV49zIfNJYqNiog+IL
RDSKaIbGMzNnzLeNgwxKe1/kKJMFxy0crCRegNbV9ZC0uF7UO3t/0gAA/3MH
gGJRuuMIHv5S5brj0AankEMSsY8w8T134O/NGm+eEXvNDnRlc3QgPGFAYi5j
b20+wowEEBMIAB0FAmFu3OUECwkHCAMVCAoEFgACAQIZAQIbAwIeAQAhCRCh
WWHcIlm4OxYhBCHAUhC7Zo79nXseR6FZYdwiWbg7KMoA/iMNJ+NX0fkc3ohL
4ZTxg5syNJwV2lleynzFOLpJ0a9RAP9b1Nt/eObuezUT/uic62ap8c8nycpN
OJbyn4p7uIjc1w==
=64W/
-----END PGP PRIVATE KEY BLOCK-----`;
const key = await openpgp.readKey({ armoredKey: armoredBrainpoolKey });
expect(key.subkeys).to.have.length(0);
await expect(key.addSubkey()).to.be.rejectedWith(/Support for ecdh keys using curve brainpoolP256r1 is disabled/);
expect(key.subkeys).to.have.length(0);
// explicitly allow brainpool curve
const config = { rejectCurves: new Set() };
const newKey = await key.addSubkey({ config });
expect(newKey.subkeys[0].getAlgorithmInfo().algorithm).to.equal('ecdh');
expect(newKey.subkeys[0].getAlgorithmInfo().curve).to.equal('brainpoolP256r1');
});
it('should throw when trying to encrypt a subkey separately from key', async function() {
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key_rsa }),