diff --git a/src/config/config.js b/src/config/config.js index 9451063e..035243c9 100644 --- a/src/config/config.js +++ b/src/config/config.js @@ -130,6 +130,15 @@ export default { * @property {Boolean} allowInsecureDecryptionWithSigningKeys */ allowInsecureDecryptionWithSigningKeys: false, + /** + * Allow verification of message signatures with keys whose validity at the time of signing cannot be determined. + * Instead, a verification key will also be consider valid as long as it is valid at the current time. + * This setting is potentially insecure, but it is needed to verify messages signed with keys that were later reformatted, + * and have self-signature's creation date that does not match the primary key creation date. + * @memberof module:config + * @property {Boolean} allowInsecureDecryptionWithSigningKeys + */ + allowInsecureVerificationWithReformattedKeys: false, /** * @memberof module:config diff --git a/src/message.js b/src/message.js index 94ba9c1a..950c3f6c 100644 --- a/src/message.js +++ b/src/message.js @@ -734,7 +734,19 @@ async function createVerificationObject(signature, literalDataList, verification } // We pass the signature creation time to check whether the key was expired at the time of signing. // We check this after signature verification because for streamed one-pass signatures, the creation time is not available before - await primaryKey.getSigningKey(unverifiedSigningKey.getKeyID(), signaturePacket.created, undefined, config); + try { + await primaryKey.getSigningKey(unverifiedSigningKey.getKeyID(), signaturePacket.created, undefined, config); + } catch (e) { + // If a key was reformatted then the self-signatures of the signing key might be in the future compared to the message signature, + // making the key invalid at the time of signing. + // However, if the key is valid at the given `date`, we still allow using it provided the relevant `config` setting is enabled. + // Note: we do not support the edge case of a key that was reformatted and it has expired. + if (config.allowInsecureVerificationWithReformattedKeys && e.message.match(/Signature creation time is in the future/)) { + await primaryKey.getSigningKey(unverifiedSigningKey.getKeyID(), date, undefined, config); + } else { + throw e; + } + } return true; })(), signature: (async () => { diff --git a/src/openpgp.js b/src/openpgp.js index 7a6f3048..56a01c1f 100644 --- a/src/openpgp.js +++ b/src/openpgp.js @@ -88,7 +88,8 @@ export async function generateKey({ userIDs = [], passphrase = '', type = 'ecc', * @param {Object|Array} options.userIDs - User IDs as objects: `{ name: 'Jo Doe', email: 'info@jo.com' }` * @param {String} [options.passphrase=(not protected)] - The passphrase used to encrypt the reformatted private key. If omitted, the key won't be encrypted. * @param {Number} [options.keyExpirationTime=0 (never expires)] - Number of seconds from the key creation time after which the key expires - * @param {Date} [options.date] - Override the creation date of the key signatures + * @param {Date} [options.date] - Override the creation date of the key signatures. If the key was previously used to sign messages, it is recommended + * to set the same date as the key creation time to ensure that old message signatures will still be verifiable using the reformatted key. * @param {'armored'|'binary'|'object'} [options.format='armored'] - format of the output keys * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config} * @returns {Promise} The generated key object in the form: diff --git a/test/general/signature.js b/test/general/signature.js index 185bd2c0..156abaf3 100644 --- a/test/general/signature.js +++ b/test/general/signature.js @@ -839,6 +839,49 @@ ITEG9mMgp3TGS9ZzSifMZ8UGtHdp9QdBg8NEVPFzDOMGxpc/Bftav7RRRuPiAER+ await expect(sigInfo.verified).to.be.rejectedWith(/Signature is expired/); }); + it('Verification fails if signing key\'s self-sig were created after the time of signing, unless config allows it', async function() { + const armoredReformattedKey = `-----BEGIN PGP PRIVATE KEY BLOCK----- + +xVgEYWmlshYJKwYBBAHaRw8BAQdAAxpFNPiHxz9q4HBzWqveHdP/knjwlgv8 +pEQCMHDpIZIAAP9WFlwHDuVlvNb7CyoikwmG01nmdMDe9wXQRWA5vasWKA+g +zSV0ZXN0QHJlZm9ybWF0LmNvbSA8dGVzdEByZWZvcm1hdC5jb20+wowEEBYK +AB0FAmFppjQECwkHCAMVCAoEFgACAQIZAQIbAwIeAQAhCRAOZNKOg+/XQxYh +BGqP/hIaYCSJsZ4TrQ5k0o6D79dD+c8BAIXdh2hrC+l49WPN/KZF+ZzvWCWa +W5n+ozbp/sOGXvODAP4oGEj0RUDDA33b6x7fhQysBZxdrrnHxP9AXEdOTQC3 +CsddBGFppbISCisGAQQBl1UBBQEBB0Cjy8Z2K7rl6J6AK1lCfVozmyLE0Gbv +1cspce6oCF6oCwMBCAcAAP9OL5V80EaYm2ic19aM+NtTj4UNOqKqIt10AaH9 +SlcdMBDgwngEGBYIAAkFAmFppjQCGwwAIQkQDmTSjoPv10MWIQRqj/4SGmAk +ibGeE60OZNKOg+/XQx/EAQCM0UYrObp60YbOCxu07Dm6XjCVylbOcsaxCnE7 +2eMU4AD+OkgajZgbqSIdAR1ud76FW+W+3xlDi/SMFdU7D49SbQI= +=ASQu +-----END PGP PRIVATE KEY BLOCK----- + +`; + const armoredMessage = `-----BEGIN PGP MESSAGE----- + +xA0DAQoWDmTSjoPv10MByw91AGFpplFwbGFpbnRleHTCdQQBFgoABgUCYWml +sgAhCRAOZNKOg+/XQxYhBGqP/hIaYCSJsZ4TrQ5k0o6D79dDDWwBAKUnRWXj +P3HTW521iD/DngK54mYS3feQzhDokhkYjO3UAP0ZlsYShKaJvXh+JgvR5BPP +gjVcn04JVVlxqgVnMqeVBw== +=eyO7 +-----END PGP MESSAGE-----`; + // the key was reformatted and the message signature date preceeds the key self-signature creation date + const key = await openpgp.readKey({ armoredKey: armoredReformattedKey }); + const { signatures: [sigInfoRejected] } = await openpgp.verify({ + verificationKeys: key, + message: await openpgp.readMessage({ armoredMessage }) + }); + await expect(sigInfoRejected.verified).to.be.rejectedWith(/Signature creation time is in the future/); + + // since the key is valid at the current time, the message should be verifiable if the `config` allows it + const { signatures: [sigInfoValid] } = await openpgp.verify({ + verificationKeys: key, + message: await openpgp.readMessage({ armoredMessage }), + config: { allowInsecureVerificationWithReformattedKeys: true } + }); + expect(await sigInfoValid.verified).to.be.true; + }); + it('Verification fails if signing key was already expired at the time of signing (one-pass signature, streamed)', async function() { const armoredMessage = `-----BEGIN PGP MESSAGE-----