diff --git a/openpgp.d.ts b/openpgp.d.ts index 6ca41a56..a6e498a5 100644 --- a/openpgp.d.ts +++ b/openpgp.d.ts @@ -532,6 +532,7 @@ export interface RawNotation { name: string; value: Uint8Array; humanReadable: boolean; + critical: boolean; } export class TrustPacket extends BasePacket { @@ -604,7 +605,7 @@ interface EncryptOptions { signingUserIDs?: MaybeArray; /** (optional) array of user IDs to encrypt for, e.g. { name:'Robert Receiver', email:'robert@openpgp.org' } */ encryptionUserIDs?: MaybeArray; - /** (optional) array of notations to add to the signatures, e.g. { name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true } */ + /** (optional) array of notations to add to the signatures, e.g. { name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false } */ signatureNotations?: MaybeArray; config?: PartialConfig; } diff --git a/src/cleartext.js b/src/cleartext.js index 10b65db6..bb6cd3ef 100644 --- a/src/cleartext.js +++ b/src/cleartext.js @@ -64,7 +64,7 @@ export class CleartextMessage { * @param {Array} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i] * @param {Date} [date] - The creation time of the signature that should be created * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }] - * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }] + * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }] * @param {Object} [config] - Full configuration, defaults to openpgp.config * @returns {Promise} New cleartext message with signed content. * @async diff --git a/src/key/helper.js b/src/key/helper.js index 282dff26..ba8555b8 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -192,7 +192,7 @@ export async function getPreferredAlgo(type, keys = [], date = new Date(), userI * @param {Object} [signatureProperties] - Properties to write on the signature packet before signing * @param {Date} [date] - Override the creationtime of the signature * @param {Object} [userID] - User ID - * @param {Array} [notations] - Notation Data to add to the signature, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }] + * @param {Array} [notations] - Notation Data to add to the signature, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }] * @param {Object} [detached] - Whether to create a detached signature packet * @param {Object} config - full configuration * @returns {Promise} Signature packet. diff --git a/src/message.js b/src/message.js index 4a65d5aa..ba5b86f2 100644 --- a/src/message.js +++ b/src/message.js @@ -476,7 +476,7 @@ export class Message { * @param {Array} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i] * @param {Date} [date] - Override the creation time of the signature * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }] - * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }] + * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }] * @param {Object} [config] - Full configuration, defaults to openpgp.config * @returns {Promise} New message with signed content. * @async @@ -564,7 +564,7 @@ export class Message { * @param {Array} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i] * @param {Date} [date] - Override the creation time of the signature * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }] - * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }] + * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }] * @param {Object} [config] - Full configuration, defaults to openpgp.config * @returns {Promise} New detached signature of message content. * @async @@ -707,7 +707,7 @@ export class Message { * @param {Array} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i] * @param {Date} [date] - Override the creationtime of the signature * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }] - * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }] + * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }] * @param {Boolean} [detached] - Whether to create detached signature packets * @param {Object} [config] - Full configuration, defaults to openpgp.config * @returns {Promise} List of signature packets. diff --git a/src/openpgp.js b/src/openpgp.js index ba20164d..3d22bafc 100644 --- a/src/openpgp.js +++ b/src/openpgp.js @@ -256,7 +256,7 @@ export async function encryptKey({ privateKey, passphrase, config, ...rest }) { * @param {Date} [options.date=current date] - Override the creation date of the message signature * @param {Object|Object[]} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]` * @param {Object|Object[]} [options.encryptionUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `encryptionKeys`, e.g. `[{ name: 'Robert Receiver', email: 'robert@openpgp.org' }]` - * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }]` + * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]` * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config} * @returns {Promise|MaybeStream>} Encrypted message (string if `armor` was true, the default; Uint8Array if `armor` was false). * @async @@ -388,7 +388,7 @@ export async function decrypt({ message, decryptionKeys, passwords, sessionKeys, * @param {KeyID|KeyID[]} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i] * @param {Date} [options.date=current date] - Override the creation date of the signature * @param {Object|Object[]} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]` - * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true }]` + * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]` * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config} * @returns {Promise>} Signed message (string if `armor` was true, the default; Uint8Array if `armor` was false). * @async diff --git a/src/packet/signature.js b/src/packet/signature.js index 960f035c..8bd0347a 100644 --- a/src/packet/signature.js +++ b/src/packet/signature.js @@ -226,41 +226,41 @@ class SignaturePacket { if (this.created === null) { throw new Error('Missing signature creation time'); } - arr.push(writeSubPacket(sub.signatureCreationTime, util.writeDate(this.created))); + arr.push(writeSubPacket(sub.signatureCreationTime, true, util.writeDate(this.created))); if (this.signatureExpirationTime !== null) { - arr.push(writeSubPacket(sub.signatureExpirationTime, util.writeNumber(this.signatureExpirationTime, 4))); + arr.push(writeSubPacket(sub.signatureExpirationTime, true, util.writeNumber(this.signatureExpirationTime, 4))); } if (this.exportable !== null) { - arr.push(writeSubPacket(sub.exportableCertification, new Uint8Array([this.exportable ? 1 : 0]))); + arr.push(writeSubPacket(sub.exportableCertification, true, new Uint8Array([this.exportable ? 1 : 0]))); } if (this.trustLevel !== null) { bytes = new Uint8Array([this.trustLevel, this.trustAmount]); - arr.push(writeSubPacket(sub.trustSignature, bytes)); + arr.push(writeSubPacket(sub.trustSignature, true, bytes)); } if (this.regularExpression !== null) { - arr.push(writeSubPacket(sub.regularExpression, this.regularExpression)); + arr.push(writeSubPacket(sub.regularExpression, true, this.regularExpression)); } if (this.revocable !== null) { - arr.push(writeSubPacket(sub.revocable, new Uint8Array([this.revocable ? 1 : 0]))); + arr.push(writeSubPacket(sub.revocable, true, new Uint8Array([this.revocable ? 1 : 0]))); } if (this.keyExpirationTime !== null) { - arr.push(writeSubPacket(sub.keyExpirationTime, util.writeNumber(this.keyExpirationTime, 4))); + arr.push(writeSubPacket(sub.keyExpirationTime, true, util.writeNumber(this.keyExpirationTime, 4))); } if (this.preferredSymmetricAlgorithms !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredSymmetricAlgorithms)); - arr.push(writeSubPacket(sub.preferredSymmetricAlgorithms, bytes)); + arr.push(writeSubPacket(sub.preferredSymmetricAlgorithms, false, bytes)); } if (this.revocationKeyClass !== null) { bytes = new Uint8Array([this.revocationKeyClass, this.revocationKeyAlgorithm]); bytes = util.concat([bytes, this.revocationKeyFingerprint]); - arr.push(writeSubPacket(sub.revocationKey, bytes)); + arr.push(writeSubPacket(sub.revocationKey, false, bytes)); } if (!this.issuerKeyID.isNull() && this.issuerKeyVersion !== 5) { // If the version of [the] key is greater than 4, this subpacket // MUST NOT be included in the signature. - arr.push(writeSubPacket(sub.issuer, this.issuerKeyID.write())); + arr.push(writeSubPacket(sub.issuer, true, this.issuerKeyID.write())); } - this.rawNotations.forEach(({ name, value, humanReadable }) => { + this.rawNotations.forEach(({ name, value, humanReadable, critical }) => { bytes = [new Uint8Array([humanReadable ? 0x80 : 0, 0, 0, 0])]; const encodedName = util.encodeUTF8(name); // 2 octets of name length @@ -270,61 +270,61 @@ class SignaturePacket { bytes.push(encodedName); bytes.push(value); bytes = util.concat(bytes); - arr.push(writeSubPacket(sub.notationData, bytes)); + arr.push(writeSubPacket(sub.notationData, critical, bytes)); }); if (this.preferredHashAlgorithms !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredHashAlgorithms)); - arr.push(writeSubPacket(sub.preferredHashAlgorithms, bytes)); + arr.push(writeSubPacket(sub.preferredHashAlgorithms, false, bytes)); } if (this.preferredCompressionAlgorithms !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredCompressionAlgorithms)); - arr.push(writeSubPacket(sub.preferredCompressionAlgorithms, bytes)); + arr.push(writeSubPacket(sub.preferredCompressionAlgorithms, false, bytes)); } if (this.keyServerPreferences !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.keyServerPreferences)); - arr.push(writeSubPacket(sub.keyServerPreferences, bytes)); + arr.push(writeSubPacket(sub.keyServerPreferences, false, bytes)); } if (this.preferredKeyServer !== null) { - arr.push(writeSubPacket(sub.preferredKeyServer, util.encodeUTF8(this.preferredKeyServer))); + arr.push(writeSubPacket(sub.preferredKeyServer, false, util.encodeUTF8(this.preferredKeyServer))); } if (this.isPrimaryUserID !== null) { - arr.push(writeSubPacket(sub.primaryUserID, new Uint8Array([this.isPrimaryUserID ? 1 : 0]))); + arr.push(writeSubPacket(sub.primaryUserID, false, new Uint8Array([this.isPrimaryUserID ? 1 : 0]))); } if (this.policyURI !== null) { - arr.push(writeSubPacket(sub.policyURI, util.encodeUTF8(this.policyURI))); + arr.push(writeSubPacket(sub.policyURI, false, util.encodeUTF8(this.policyURI))); } if (this.keyFlags !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.keyFlags)); - arr.push(writeSubPacket(sub.keyFlags, bytes)); + arr.push(writeSubPacket(sub.keyFlags, true, bytes)); } if (this.signersUserID !== null) { - arr.push(writeSubPacket(sub.signersUserID, util.encodeUTF8(this.signersUserID))); + arr.push(writeSubPacket(sub.signersUserID, false, util.encodeUTF8(this.signersUserID))); } if (this.reasonForRevocationFlag !== null) { bytes = util.stringToUint8Array(String.fromCharCode(this.reasonForRevocationFlag) + this.reasonForRevocationString); - arr.push(writeSubPacket(sub.reasonForRevocation, bytes)); + arr.push(writeSubPacket(sub.reasonForRevocation, true, bytes)); } if (this.features !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.features)); - arr.push(writeSubPacket(sub.features, bytes)); + arr.push(writeSubPacket(sub.features, false, bytes)); } if (this.signatureTargetPublicKeyAlgorithm !== null) { bytes = [new Uint8Array([this.signatureTargetPublicKeyAlgorithm, this.signatureTargetHashAlgorithm])]; bytes.push(util.stringToUint8Array(this.signatureTargetHash)); bytes = util.concat(bytes); - arr.push(writeSubPacket(sub.signatureTarget, bytes)); + arr.push(writeSubPacket(sub.signatureTarget, true, bytes)); } if (this.embeddedSignature !== null) { - arr.push(writeSubPacket(sub.embeddedSignature, this.embeddedSignature.write())); + arr.push(writeSubPacket(sub.embeddedSignature, true, this.embeddedSignature.write())); } if (this.issuerFingerprint !== null) { bytes = [new Uint8Array([this.issuerKeyVersion]), this.issuerFingerprint]; bytes = util.concat(bytes); - arr.push(writeSubPacket(sub.issuerFingerprint, bytes)); + arr.push(writeSubPacket(sub.issuerFingerprint, this.version === 5, bytes)); } if (this.preferredAEADAlgorithms !== null) { bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredAEADAlgorithms)); - arr.push(writeSubPacket(sub.preferredAEADAlgorithms, bytes)); + arr.push(writeSubPacket(sub.preferredAEADAlgorithms, false, bytes)); } const result = util.concat(arr); @@ -753,18 +753,19 @@ class SignaturePacket { export default SignaturePacket; /** - * Creates a string representation of a sub signature packet + * Creates a Uint8Array representation of a sub signature packet * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.1|RFC4880 5.2.3.1} * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.2|RFC4880 5.2.3.2} * @param {Integer} type - Subpacket signature type. + * @param {Boolean} critical - Whether the subpacket should be critical. * @param {String} data - Data to be included - * @returns {String} A string-representation of a sub signature packet. + * @returns {Uint8Array} The signature subpacket. * @private */ -function writeSubPacket(type, data) { +function writeSubPacket(type, critical, data) { const arr = []; arr.push(writeSimpleLength(data.length + 1)); - arr.push(new Uint8Array([type])); + arr.push(new Uint8Array([(critical ? 0x80 : 0) | type])); arr.push(data); return util.concat(arr); } diff --git a/test/general/signature.js b/test/general/signature.js index 8c712049..bdf8ffe8 100644 --- a/test/general/signature.js +++ b/test/general/signature.js @@ -1153,27 +1153,41 @@ eSvSZutLuKKbidSYMLhWROPlwKc2GU2ws6PrLZAyCAel/lU= { name: 'test@example.com', value: new TextEncoder().encode('test'), - humanReadable: true + humanReadable: true, + critical: true }, { name: 'séparation-de-domaine@proton.ch', value: new Uint8Array([0, 1, 2, 3]), - humanReadable: false + humanReadable: false, + critical: false } ], config }); + expect(openpgp.decrypt({ + message: await openpgp.readMessage({ armoredMessage: message_with_notation }), + decryptionKeys: privKey, + verificationKeys: privKey, + expectSigned: true, + config + })).to.be.rejectedWith('Unknown critical notation: test@example.com'); const { signatures: [sig] } = await openpgp.decrypt({ message: await openpgp.readMessage({ armoredMessage: message_with_notation }), decryptionKeys: privKey, - verificationKeys: privKey + verificationKeys: privKey, + config: { + knownNotations: ['test@example.com'], + ...config + } }); + expect(await sig.verified).to.be.true; const { packets: [{ rawNotations: notations }] } = await sig.signature; expect(notations).to.have.length(2); expect(notations[0].name).to.equal('test@example.com'); expect(notations[0].value).to.deep.equal(new Uint8Array([116, 101, 115, 116])); expect(notations[0].humanReadable).to.be.true; - expect(notations[0].critical).to.be.false; + expect(notations[0].critical).to.be.true; expect(notations[1].name).to.equal('séparation-de-domaine@proton.ch'); expect(notations[1].value).to.deep.equal(new Uint8Array([0, 1, 2, 3])); expect(notations[1].humanReadable).to.be.false; diff --git a/test/typescript/definitions.ts b/test/typescript/definitions.ts index 59f7664e..f955bdbb 100644 --- a/test/typescript/definitions.ts +++ b/test/typescript/definitions.ts @@ -138,7 +138,8 @@ import { const textSignedWithNotations: string = await sign({ signingKeys: privateKeys, message: textMessage, signatureNotations: [{ name: 'test@example.org', value: new TextEncoder().encode('test'), - humanReadable: true + humanReadable: true, + critical: false }] }); expect(textSignedWithNotations).to.include('-----BEGIN PGP MESSAGE-----');