suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1620

Browse Source 
Add support for new Ed25519/X25519 keys, signatures and messages,
as per crypto-refresh document.
This commit is contained in:
larabr 2023-07-26 10:08:41 +02:00 committed by GitHub
commit 8d4dd349ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
31 changed files with 976 additions and 237 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package.json
View File

@ -45,7 +45,7 @@
"prebrowsertest": "npm run build-test",
"browsertest": "npm start -- -o test/unittests.html",
"test-browser": "karma start test/karma.conf.js",
"test-browserstack": "karma start test/karma.conf.js --browsers bs_safari_latest,bs_ios_15,bs_safari_13_1",
"test-browserstack": "karma start test/karma.conf.js --browsers bs_safari_latest,bs_ios_14,bs_safari_13_1",
"coverage": "nyc npm test",
"lint": "eslint .",
"docs": "jsdoc --configure .jsdocrc.js --destination docs --recurse README.md src && printf '%s' 'docs.openpgpjs.org' > docs/CNAME",

99
src/crypto/crypto.js
View File

@ -33,21 +33,23 @@ import KDFParams from '../type/kdf_params';
import enums from '../enums';
import util from '../util';
import OID from '../type/oid';
import { Curve } from './public_key/elliptic/curves';
import { CurveWithOID } from './public_key/elliptic/oid_curves';
import { UnsupportedError } from '../packet/packet';
import ECDHXSymmetricKey from '../type/ecdh_x_symkey';
/**
* Encrypts data using specified algorithm and public key parameters.
* See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
* @param {module:enums.publicKey} algo - Public key algorithm
* @param {module:enums.publicKey} keyAlgo - Public key algorithm
* @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
* @param {Object} publicParams - Algorithm-specific public key parameters
* @param {Uint8Array} data - Data to be encrypted
* @param {Uint8Array} data - Session key data to be encrypted
* @param {Uint8Array} fingerprint - Recipient fingerprint
* @returns {Promise<Object>} Encrypted session key parameters.
* @async
*/
export async function publicKeyEncrypt(algo, publicParams, data, fingerprint) {
switch (algo) {
export async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, data, fingerprint) {
switch (keyAlgo) {
case enums.publicKey.rsaEncrypt:
case enums.publicKey.rsaEncryptSign: {
const { n, e } = publicParams;
@ -64,6 +66,17 @@ export async function publicKeyEncrypt(algo, publicParams, data, fingerprint) {
oid, kdfParams, data, Q, fingerprint);
return { V, C: new ECDHSymkey(C) };
}
case enums.publicKey.x25519: {
if (!util.isAES(symmetricAlgo)) {
// see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
throw new Error('X25519 keys can only encrypt AES session keys');
}
const { A } = publicParams;
const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
keyAlgo, data, A);
const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
return { ephemeralPublicKey, C };
}
default:
return [];
}
@ -105,6 +118,16 @@ export async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams,
return publicKey.elliptic.ecdh.decrypt(
oid, kdfParams, V, C.data, Q, d, fingerprint);
}
case enums.publicKey.x25519: {
const { A } = publicKeyParams;
const { k } = privateKeyParams;
const { ephemeralPublicKey, C } = sessionKeyParams;
if (!util.isAES(C.algorithm)) {
throw new Error('AES session key expected');
}
return publicKey.elliptic.ecdhX.decrypt(
algo, ephemeralPublicKey, C.wrappedKey, A, k);
}
default:
throw new Error('Unknown public key encryption algorithm.');
}
@ -145,7 +168,8 @@ export function parsePublicKeyParams(algo, bytes) {
const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
return { read: read, publicParams: { oid, Q } };
}
case enums.publicKey.eddsa: {
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy: {
const oid = new OID(); read += oid.read(bytes);
checkSupportedCurve(oid);
let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@ -159,6 +183,11 @@ export function parsePublicKeyParams(algo, bytes) {
const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
return { read: read, publicParams: { oid, Q, kdfParams } };
}
case enums.publicKey.ed25519:
case enums.publicKey.x25519: {
const A = bytes.subarray(read, read + 32); read += A.length;
return { read, publicParams: { A } };
}
default:
throw new UnsupportedError('Unknown public key encryption algorithm.');
}
@ -190,17 +219,26 @@ export function parsePrivateKeyParams(algo, bytes, publicParams) {
}
case enums.publicKey.ecdsa:
case enums.publicKey.ecdh: {
const curve = new Curve(publicParams.oid);
const curve = new CurveWithOID(publicParams.oid);
let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
d = util.leftPad(d, curve.payloadSize);
return { read, privateParams: { d } };
}
case enums.publicKey.eddsa: {
const curve = new Curve(publicParams.oid);
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy: {
const curve = new CurveWithOID(publicParams.oid);
let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
seed = util.leftPad(seed, curve.payloadSize);
return { read, privateParams: { seed } };
}
case enums.publicKey.ed25519: {
const seed = bytes.subarray(read, read + 32); read += seed.length;
return { read, privateParams: { seed } };
}
case enums.publicKey.x25519: {
const k = bytes.subarray(read, read + 32); read += k.length;
return { read, privateParams: { k } };
}
default:
throw new UnsupportedError('Unknown public key encryption algorithm.');
}
@ -238,6 +276,16 @@ export function parseEncSessionKeyParams(algo, bytes) {
const C = new ECDHSymkey(); C.read(bytes.subarray(read));
return { V, C };
}
// Algorithm-Specific Fields for X25519 encrypted session keys:
// - 32 octets representing an ephemeral X25519 public key.
// - A one-octet size of the following fields.
// - The one-octet algorithm identifier, if it was passed (in the case of a v3 PKESK packet).
// - The encrypted session key.
case enums.publicKey.x25519: {
const ephemeralPublicKey = bytes.subarray(read, read + 32); read += ephemeralPublicKey.length;
const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
return { ephemeralPublicKey, C };
}
default:
throw new UnsupportedError('Unknown public key encryption algorithm.');
}
@ -250,9 +298,12 @@ export function parseEncSessionKeyParams(algo, bytes) {
* @returns {Uint8Array} The array containing the MPIs.
*/
export function serializeParams(algo, params) {
// Some algorithms do not rely on MPIs to store the binary params
const algosWithNativeRepresentation = new Set([enums.publicKey.ed25519, enums.publicKey.x25519]);
const orderedParams = Object.keys(params).map(name => {
const param = params[name];
return util.isUint8Array(param) ? util.uint8ArrayToMPI(param) : param.write();
if (!util.isUint8Array(param)) return param.write();
return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
});
return util.concatUint8Array(orderedParams);
}
@ -281,6 +332,7 @@ export function generateParams(algo, bits, oid) {
publicParams: { oid: new OID(oid), Q }
}));
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy:
return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
privateParams: { seed: secret },
publicParams: { oid: new OID(oid), Q }
@ -294,6 +346,16 @@ export function generateParams(algo, bits, oid) {
kdfParams: new KDFParams({ hash, cipher })
}
}));
case enums.publicKey.ed25519:
return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
privateParams: { seed },
publicParams: { A }
}));
case enums.publicKey.x25519:
return publicKey.elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
privateParams: { k },
publicParams: { A }
}));
case enums.publicKey.dsa:
case enums.publicKey.elgamal:
throw new Error('Unsupported algorithm for key generation.');
@ -339,10 +401,21 @@ export async function validateParams(algo, publicParams, privateParams) {
const { d } = privateParams;
return algoModule.validateParams(oid, Q, d);
}
case enums.publicKey.eddsa: {
const { oid, Q } = publicParams;
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy: {
const { Q, oid } = publicParams;
const { seed } = privateParams;
return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
}
case enums.publicKey.ed25519: {
const { A } = publicParams;
const { seed } = privateParams;
return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
}
case enums.publicKey.x25519: {
const { A } = publicParams;
const { k } = privateParams;
return publicKey.elliptic.ecdhX.validateParams(algo, A, k);
}
default:
throw new Error('Unknown public key algorithm.');

61
src/crypto/hkdf.js Normal file
View File

@ -0,0 +1,61 @@
/**
* @fileoverview This module implements HKDF using either the WebCrypto API or Node.js' crypto API.
* @module crypto/hkdf
* @private
*/
import enums from '../enums';
import util from '../util';
const webCrypto = util.getWebCrypto();
const nodeCrypto = util.getNodeCrypto();
const nodeSubtleCrypto = nodeCrypto && nodeCrypto.webcrypto && nodeCrypto.webcrypto.subtle;
export default async function HKDF(hashAlgo, inputKey, salt, info, outLen) {
const hash = enums.read(enums.webHash, hashAlgo);
if (!hash) throw new Error('Hash algo not supported with HKDF');
if (webCrypto || nodeSubtleCrypto) {
const crypto = webCrypto || nodeSubtleCrypto;
const importedKey = await crypto.importKey('raw', inputKey, 'HKDF', false, ['deriveBits']);
const bits = await crypto.deriveBits({ name: 'HKDF', hash, salt, info }, importedKey, outLen * 8);
return new Uint8Array(bits);
}
if (nodeCrypto) {
const hashAlgoName = enums.read(enums.hash, hashAlgo);
// Node-only HKDF implementation based on https://www.rfc-editor.org/rfc/rfc5869
const computeHMAC = (hmacKey, hmacMessage) => nodeCrypto.createHmac(hashAlgoName, hmacKey).update(hmacMessage).digest();
// Step 1: Extract
// PRK = HMAC-Hash(salt, IKM)
const pseudoRandomKey = computeHMAC(salt, inputKey);
const hashLen = pseudoRandomKey.length;
// Step 2: Expand
// HKDF-Expand(PRK, info, L) -> OKM
const n = Math.ceil(outLen / hashLen);
const outputKeyingMaterial = new Uint8Array(n * hashLen);
// HMAC input buffer updated at each iteration
const roundInput = new Uint8Array(hashLen + info.length + 1);
// T_i and last byte are updated at each iteration, but `info` remains constant
roundInput.set(info, hashLen);
for (let i = 0; i < n; i++) {
// T(0) = empty string (zero length)
// T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
roundInput[roundInput.length - 1] = i + 1;
// t = T(i+1)
const t = computeHMAC(pseudoRandomKey, i > 0 ? roundInput : roundInput.subarray(hashLen));
roundInput.set(t, 0);
outputKeyingMaterial.set(t, i * hashLen);
}
return outputKeyingMaterial.subarray(0, outLen);
}
throw new Error('No HKDF implementation available');
}

4
src/crypto/mode/cfb.js
View File

@ -57,7 +57,7 @@ export async function encrypt(algo, key, plaintext, iv, config) {
if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
return nodeEncrypt(algo, key, plaintext, iv);
}
if (algoName.substr(0, 3) === 'aes') {
if (util.isAES(algo)) {
return aesEncrypt(algo, key, plaintext, iv, config);
}
@ -100,7 +100,7 @@ export async function decrypt(algo, key, ciphertext, iv) {
if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
return nodeDecrypt(algo, key, ciphertext, iv);
}
if (algoName.substr(0, 3) === 'aes') {
if (util.isAES(algo)) {
return aesDecrypt(algo, key, ciphertext, iv);
}

22
src/crypto/public_key/elliptic/ecdh.js
View File

@ -22,7 +22,7 @@
*/
import nacl from '@openpgp/tweetnacl/nacl-fast-light';
import { Curve, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams } from './curves';
import { CurveWithOID, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams } from './oid_curves';
import * as aesKW from '../../aes_kw';
import { getRandomBytes } from '../../random';
import hash from '../../hash';
@ -86,7 +86,7 @@ async function kdf(hashAlgo, X, length, param, stripLeading = false, stripTraili
/**
* Generate ECDHE ephemeral key and secret from public key
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} Q - Recipient public key
* @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
* @async
@ -129,7 +129,7 @@ async function genPublicEphemeralKey(curve, Q) {
export async function encrypt(oid, kdfParams, data, Q, fingerprint) {
const m = pkcs5.encode(data);
const curve = new Curve(oid);
const curve = new CurveWithOID(oid);
const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
const { keySize } = getCipher(kdfParams.cipher);
@ -141,7 +141,7 @@ export async function encrypt(oid, kdfParams, data, Q, fingerprint) {
/**
* Generate ECDHE secret from private key and public part of ephemeral key
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} V - Public part of ephemeral key
* @param {Uint8Array} Q - Recipient public key
* @param {Uint8Array} d - Recipient private key
@ -189,7 +189,7 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
* @async
*/
export async function decrypt(oid, kdfParams, V, C, Q, d, fingerprint) {
const curve = new Curve(oid);
const curve = new CurveWithOID(oid);
const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
const { keySize } = getCipher(kdfParams.cipher);
@ -209,7 +209,7 @@ export async function decrypt(oid, kdfParams, V, C, Q, d, fingerprint) {
/**
* Generate ECDHE secret from private key and public part of ephemeral key using webCrypto
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} V - Public part of ephemeral key
* @param {Uint8Array} Q - Recipient public key
* @param {Uint8Array} d - Recipient private key
@ -262,7 +262,7 @@ async function webPrivateEphemeralKey(curve, V, Q, d) {
/**
* Generate ECDHE ephemeral key and secret from public key using webCrypto
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} Q - Recipient public key
* @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
* @async
@ -310,7 +310,7 @@ async function webPublicEphemeralKey(curve, Q) {
/**
* Generate ECDHE secret from private key and public part of ephemeral key using indutny/elliptic
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} V - Public part of ephemeral key
* @param {Uint8Array} d - Recipient private key
* @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@ -330,7 +330,7 @@ async function ellipticPrivateEphemeralKey(curve, V, d) {
/**
* Generate ECDHE ephemeral key and secret from public key using indutny/elliptic
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} Q - Recipient public key
* @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
* @async
@ -350,7 +350,7 @@ async function ellipticPublicEphemeralKey(curve, Q) {
/**
* Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} V - Public part of ephemeral key
* @param {Uint8Array} d - Recipient private key
* @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@ -367,7 +367,7 @@ async function nodePrivateEphemeralKey(curve, V, d) {
/**
* Generate ECDHE ephemeral key and secret from public key using nodeCrypto
*
* @param {Curve} curve - Elliptic curve object
* @param {CurveWithOID} curve - Elliptic curve object
* @param {Uint8Array} Q - Recipient public key
* @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
* @async

125
src/crypto/public_key/elliptic/ecdh_x.js Normal file
View File

@ -0,0 +1,125 @@
/**
* @fileoverview Key encryption and decryption for RFC 6637 ECDH
* @module crypto/public_key/elliptic/ecdh
* @private
*/
import nacl from '@openpgp/tweetnacl/nacl-fast-light';
import * as aesKW from '../../aes_kw';
import { getRandomBytes } from '../../random';
import enums from '../../../enums';
import util from '../../../util';
import getCipher from '../../cipher/getCipher';
import computeHKDF from '../../hkdf';
const HKDF_INFO = {
x25519: util.encodeUTF8('OpenPGP X25519')
};
/**
* Generate ECDH key for Montgomery curves
* @param {module:enums.publicKey} algo - Algorithm identifier
* @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
*/
export async function generate(algo) {
switch (algo) {
case enums.publicKey.x25519: {
// k stays in little-endian, unlike legacy ECDH over curve25519
const k = getRandomBytes(32);
k[0] &= 248;
k[31] = (k[31] & 127) | 64;
const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
return { A, k };
}
default:
throw new Error('Unsupported ECDH algorithm');
}
}
/**
* Validate ECDH parameters
* @param {module:enums.publicKey} algo - Algorithm identifier
* @param {Uint8Array} A - ECDH public point
* @param {Uint8Array} k - ECDH secret scalar
* @returns {Promise<Boolean>} Whether params are valid.
* @async
*/
export async function validateParams(algo, A, k) {
switch (algo) {
case enums.publicKey.x25519: {
/**
* Derive public point A' from private key
* and expect A == A'
*/
const { publicKey } = nacl.box.keyPair.fromSecretKey(k);
return util.equalsUint8Array(A, publicKey);
}
default:
return false;
}
}
/**
* Wrap and encrypt a session key
*
* @param {module:enums.publicKey} algo - Algorithm identifier
* @param {Uint8Array} data - session key data to be encrypted
* @param {Uint8Array} recipientA - Recipient public key (K_B)
* @returns {Promise<{
* ephemeralPublicKey: Uint8Array,
* wrappedKey: Uint8Array
* }>} ephemeral public key (K_A) and encrypted key
* @async
*/
export async function encrypt(algo, data, recipientA) {
switch (algo) {
case enums.publicKey.x25519: {
const ephemeralSecretKey = getRandomBytes(32);
const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
const hkdfInput = util.concatUint8Array([
ephemeralPublicKey,
recipientA,
sharedSecret
]);
const { keySize } = getCipher(enums.symmetric.aes128);
const encryptionKey = await computeHKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
const wrappedKey = aesKW.wrap(encryptionKey, data);
return { ephemeralPublicKey, wrappedKey };
}
default:
throw new Error('Unsupported ECDH algorithm');
}
}
/**
* Decrypt and unwrap the session key
*
* @param {module:enums.publicKey} algo - Algorithm identifier
* @param {Uint8Array} ephemeralPublicKey - (K_A)
* @param {Uint8Array} wrappedKey,
* @param {Uint8Array} A - Recipient public key (K_b), needed for KDF
* @param {Uint8Array} k - Recipient secret key (b)
* @returns {Promise<Uint8Array>} decrypted session key data
* @async
*/
export async function decrypt(algo, ephemeralPublicKey, wrappedKey, A, k) {
switch (algo) {
case enums.publicKey.x25519: {
const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
const hkdfInput = util.concatUint8Array([
ephemeralPublicKey,
A,
sharedSecret
]);
const { keySize } = getCipher(enums.symmetric.aes128);
const encryptionKey = await computeHKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
return aesKW.unwrap(encryptionKey, wrappedKey);
}
default:
throw new Error('Unsupported ECDH algorithm');
}
}

8
src/crypto/public_key/elliptic/ecdsa.js
View File

@ -25,7 +25,7 @@ import enums from '../../../enums';
import util from '../../../util';
import { getRandomBytes } from '../../random';
import hash from '../../hash';
import { Curve, webCurves, privateToJWK, rawPublicToJWK, validateStandardParams } from './curves';
import { CurveWithOID, webCurves, privateToJWK, rawPublicToJWK, validateStandardParams } from './oid_curves';
import { getIndutnyCurve, keyFromPrivate, keyFromPublic } from './indutnyKey';
const webCrypto = util.getWebCrypto();
@ -46,7 +46,7 @@ const nodeCrypto = util.getNodeCrypto();
* @async
*/
export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {
const curve = new Curve(oid);
const curve = new CurveWithOID(oid);
if (message && !util.isStream(message)) {
const keyPair = { publicKey, privateKey };
switch (curve.type) {
@ -91,7 +91,7 @@ export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed
* @async
*/
export async function verify(oid, hashAlgo, signature, message, publicKey, hashed) {
const curve = new Curve(oid);
const curve = new CurveWithOID(oid);
if (message && !util.isStream(message)) {
switch (curve.type) {
case 'web':
@ -125,7 +125,7 @@ export async function verify(oid, hashAlgo, signature, message, publicKey, hashe
* @async
*/
export async function validateParams(oid, Q, d) {
const curve = new Curve(oid);
const curve = new CurveWithOID(oid);
// Reject curves x25519 and ed25519
if (curve.keyType !== enums.publicKey.ecdsa) {
return false;

95
src/crypto/public_key/elliptic/eddsa.js
View File

@ -26,72 +26,101 @@ import nacl from '@openpgp/tweetnacl/nacl-fast-light';
import util from '../../../util';
import enums from '../../../enums';
import hash from '../../hash';
import { getRandomBytes } from '../../random';
nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest());
/**
* Generate (non-legacy) EdDSA key
* @param {module:enums.publicKey} algo - Algorithm identifier
* @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
*/
export async function generate(algo) {
switch (algo) {
case enums.publicKey.ed25519: {
const seed = getRandomBytes(32);
const { publicKey: A } = nacl.sign.keyPair.fromSeed(seed);
return { A, seed };
}
default:
throw new Error('Unsupported EdDSA algorithm');
}
}
/**
* Sign a message using the provided key
* @param {module:type/oid} oid - Elliptic curve object identifier
* @param {module:enums.publicKey} algo - Algorithm identifier
* @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
* @param {Uint8Array} message - Message to sign
* @param {Uint8Array} publicKey - Public key
* @param {Uint8Array} privateKey - Private key used to sign the message
* @param {Uint8Array} hashed - The hashed message
* @returns {Promise<{
* r: Uint8Array,
* s: Uint8Array
* RS: Uint8Array
* }>} Signature of the message
* @async
*/
export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {
export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashed) {
if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
// see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
}
const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
const signature = nacl.sign.detached(hashed, secretKey);
// EdDSA signature params are returned in little-endian format
return {
r: signature.subarray(0, 32),
s: signature.subarray(32)
};
switch (algo) {
case enums.publicKey.ed25519: {
const secretKey = util.concatUint8Array([privateKey, publicKey]);
const signature = nacl.sign.detached(hashed, secretKey);
return { RS: signature };
}
case enums.publicKey.ed448:
default:
throw new Error('Unsupported EdDSA algorithm');
}
}
/**
* Verifies if a signature is valid for a message
* @param {module:type/oid} oid - Elliptic curve object identifier
* @param {module:enums.publicKey} algo - Algorithm identifier
* @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
* @param {{r: Uint8Array,
s: Uint8Array}} signature Signature to verify the message
* @param {{ RS: Uint8Array }} signature Signature to verify the message
* @param {Uint8Array} m - Message to verify
* @param {Uint8Array} publicKey - Public key used to verify the message
* @param {Uint8Array} hashed - The hashed message
* @returns {Boolean}
* @async
*/
export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
const signature = util.concatUint8Array([r, s]);
return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
export async function verify(algo, hashAlgo, { RS }, m, publicKey, hashed) {
switch (algo) {
case enums.publicKey.ed25519: {
return nacl.sign.detached.verify(hashed, RS, publicKey);
}
case enums.publicKey.ed448:
default:
throw new Error('Unsupported EdDSA algorithm');
}
}
/**
* Validate EdDSA parameters
* @param {module:type/oid} oid - Elliptic curve object identifier
* @param {Uint8Array} Q - EdDSA public point
* @param {Uint8Array} k - EdDSA secret seed
* Validate (non-legacy) EdDSA parameters
* @param {module:enums.publicKey} algo - Algorithm identifier
* @param {Uint8Array} A - EdDSA public point
* @param {Uint8Array} seed - EdDSA secret seed
* @param {Uint8Array} oid - (legacy only) EdDSA OID
* @returns {Promise<Boolean>} Whether params are valid.
* @async
*/
export async function validateParams(oid, Q, k) {
// Check whether the given curve is supported
if (oid.getName() !== 'ed25519') {
return false;
}
export async function validateParams(algo, A, seed) {
switch (algo) {
case enums.publicKey.ed25519: {
/**
* Derive public point A' from private key
* and expect A == A'
*/
const { publicKey } = nacl.sign.keyPair.fromSeed(seed);
return util.equalsUint8Array(A, publicKey);
}
/**
* Derive public point Q' = dG from private key
* and expect Q == Q'
*/
const { publicKey } = nacl.sign.keyPair.fromSeed(k);
const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
return util.equalsUint8Array(Q, dG);
case enums.publicKey.ed448: // unsupported
default:
return false;
}
}

99
src/crypto/public_key/elliptic/eddsa_legacy.js Normal file
View File

@ -0,0 +1,99 @@
// OpenPGP.js - An OpenPGP implementation in javascript
// Copyright (C) 2018 Proton Technologies AG
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
// License as published by the Free Software Foundation; either
// version 3.0 of the License, or (at your option) any later version.
//
// This library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public
// License along with this library; if not, write to the Free Software
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
/**
* @fileoverview Implementation of legacy EdDSA following RFC4880bis-03 for OpenPGP.
* This key type has been deprecated by the crypto-refresh RFC.
* @module crypto/public_key/elliptic/eddsa_legacy
* @private
*/
import sha512 from 'hash.js/lib/hash/sha/512';
import nacl from '@openpgp/tweetnacl/nacl-fast-light';
import util from '../../../util';
import enums from '../../../enums';
import hash from '../../hash';
nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest());
/**
* Sign a message using the provided legacy EdDSA key
* @param {module:type/oid} oid - Elliptic curve object identifier
* @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
* @param {Uint8Array} message - Message to sign
* @param {Uint8Array} publicKey - Public key
* @param {Uint8Array} privateKey - Private key used to sign the message
* @param {Uint8Array} hashed - The hashed message
* @returns {Promise<{
* r: Uint8Array,
* s: Uint8Array
* }>} Signature of the message
* @async
*/
export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {
if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
// see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
}
const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
const signature = nacl.sign.detached(hashed, secretKey);
// EdDSA signature params are returned in little-endian format
return {
r: signature.subarray(0, 32),
s: signature.subarray(32)
};
}
/**
* Verifies if a legacy EdDSA signature is valid for a message
* @param {module:type/oid} oid - Elliptic curve object identifier
* @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
* @param {{r: Uint8Array,
s: Uint8Array}} signature Signature to verify the message
* @param {Uint8Array} m - Message to verify
* @param {Uint8Array} publicKey - Public key used to verify the message
* @param {Uint8Array} hashed - The hashed message
* @returns {Boolean}
* @async
*/
export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
const signature = util.concatUint8Array([r, s]);
return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
}
/**
* Validate legacy EdDSA parameters
* @param {module:type/oid} oid - Elliptic curve object identifier
* @param {Uint8Array} Q - EdDSA public point
* @param {Uint8Array} k - EdDSA secret seed
* @returns {Promise<Boolean>} Whether params are valid.
* @async
*/
export async function validateParams(oid, Q, k) {
// Check whether the given curve is supported
if (oid.getName() !== 'ed25519') {
return false;
}
/**
* Derive public point Q' = dG from private key
* and expect Q == Q'
*/
const { publicKey } = nacl.sign.keyPair.fromSeed(k);
const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
return util.equalsUint8Array(Q, dG);
}

6
src/crypto/public_key/elliptic/index.js
View File

@ -25,11 +25,13 @@
* @private
*/
import { Curve, generate, getPreferredHashAlgo } from './curves';
import { CurveWithOID, generate, getPreferredHashAlgo } from './oid_curves';
import * as ecdsa from './ecdsa';
import * as eddsaLegacy from './eddsa_legacy';
import * as eddsa from './eddsa';
import * as ecdh from './ecdh';
import * as ecdhX from './ecdh_x';
export {
Curve, ecdh, ecdsa, eddsa, generate, getPreferredHashAlgo
CurveWithOID, ecdh, ecdhX, ecdsa, eddsaLegacy, eddsa, generate, getPreferredHashAlgo
};

6
src/crypto/public_key/elliptic/curves.js → src/crypto/public_key/elliptic/oid_curves.js
View File

@ -131,7 +131,7 @@ const curves = {
}
};
class Curve {
class CurveWithOID {
constructor(oidOrName, params) {
try {
if (util.isArray(oidOrName) ||
@ -208,7 +208,7 @@ class Curve {
async function generate(curve) {
const BigInteger = await util.getBigInteger();
curve = new Curve(curve);
curve = new CurveWithOID(curve);
const keyPair = await curve.genKeyPair();
const Q = new BigInteger(keyPair.publicKey).toUint8Array();
const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
@ -293,7 +293,7 @@ async function validateStandardParams(algo, oid, Q, d) {
}
export {
Curve, curves, webCurves, nodeCurves, generate, getPreferredHashAlgo, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams
CurveWithOID, curves, webCurves, nodeCurves, generate, getPreferredHashAlgo, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams
};
//////////////////////////

32
src/crypto/signature.js
View File

@ -43,10 +43,11 @@ export function parseSignatureParams(algo, signature) {
const s = util.readMPI(signature.subarray(read));
return { r, s };
}
// Algorithm-Specific Fields for EdDSA signatures:
// Algorithm-Specific Fields for legacy EdDSA signatures:
// - MPI of an EC point r.
// - EdDSA value s, in MPI, in the little endian representation
case enums.publicKey.eddsa: {
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy: {
// When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
// https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@ -55,6 +56,12 @@ export function parseSignatureParams(algo, signature) {
s = util.leftPad(s, 32);
return { r, s };
}
// Algorithm-Specific Fields for Ed25519 signatures:
// - 64 octets of the native signature
case enums.publicKey.ed25519: {
const RS = signature.subarray(read, read + 64); read += RS.length;
return { RS };
}
default:
throw new UnsupportedError('Unknown signature algorithm.');
}
@ -90,16 +97,21 @@ export async function verify(algo, hashAlgo, signature, publicParams, data, hash
}
case enums.publicKey.ecdsa: {
const { oid, Q } = publicParams;
const curveSize = new publicKey.elliptic.Curve(oid).payloadSize;
const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
// padding needed for webcrypto
const r = util.leftPad(signature.r, curveSize);
const s = util.leftPad(signature.s, curveSize);
return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
}
case enums.publicKey.eddsa: {
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy: {
const { oid, Q } = publicParams;
// signature already padded on parsing
return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
}
case enums.publicKey.ed25519: {
const { A } = publicParams;
return publicKey.elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);
}
default:
throw new Error('Unknown signature algorithm.');
@ -146,10 +158,16 @@ export async function sign(algo, hashAlgo, publicKeyParams, privateKeyParams, da
const { d } = privateKeyParams;
return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
}
case enums.publicKey.eddsa: {
case enums.publicKey.eddsa:
case enums.publicKey.ed25519Legacy: {
const { oid, Q } = publicKeyParams;
const { seed } = privateKeyParams;
return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
}
case enums.publicKey.ed25519: {
const { A } = publicKeyParams;
const { seed } = privateKeyParams;
return publicKey.elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);
}
default:
throw new Error('Unknown signature algorithm.');

17
src/enums.js
View File

@ -90,7 +90,7 @@ export default {
gnu: 101
},
/** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
/** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}
* @enum {Integer}
* @readonly
*/
@ -109,13 +109,22 @@ export default {
ecdh: 18,
/** ECDSA (Sign only) [RFC6637] */
ecdsa: 19,
/** EdDSA (Sign only)
/** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
* [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
eddsa: 22,
ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
eddsa: 22, // to be deprecated in v6
/** Reserved for AEDH */
aedh: 23,
/** Reserved for AEDSA */
aedsa: 24
aedsa: 24,
/** X25519 (Encrypt only) */
x25519: 25,
/** X448 (Encrypt only) */
x448: 26,
/** Ed25519 (Sign only) */
ed25519: 27,
/** Ed448 (Sign only) */
ed448: 28
},
/** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}

9
src/message.js
View File

@ -345,6 +345,15 @@ export class Message {
enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config)) :
undefined;
await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
.catch(() => null) // ignore key strength requirements
.then(maybeKey => {
if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
}
})
));
const sessionKeyData = crypto.generateSessionKey(algo);
return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
}

2
src/packet/public_key.js
View File

@ -260,7 +260,7 @@ class PublicKeyPacket {
const modulo = this.publicParams.n || this.publicParams.p;
if (modulo) {
result.bits = util.uint8ArrayBitLength(modulo);
} else {
} else if (this.publicParams.oid) {
result.curve = this.publicParams.oid.getName();
}
return result;

120
src/packet/public_key_encrypted_session_key.js
View File

@ -67,13 +67,17 @@ class PublicKeyEncryptedSessionKeyPacket {
* @param {Uint8Array} bytes - Payload of a tag 1 packet
*/
read(bytes) {
this.version = bytes[0];
let i = 0;
this.version = bytes[i++];
if (this.version !== VERSION) {
throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);
}
this.publicKeyID.read(bytes.subarray(1, bytes.length));
this.publicKeyAlgorithm = bytes[9];
this.encrypted = crypto.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(10));
i += this.publicKeyID.read(bytes.subarray(i));
this.publicKeyAlgorithm = bytes[i++];
this.encrypted = crypto.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(i), this.version);
if (this.publicKeyAlgorithm === enums.publicKey.x25519) {
this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
}
}
/**
@ -99,14 +103,10 @@ class PublicKeyEncryptedSessionKeyPacket {
* @async
*/
async encrypt(key) {
const data = util.concatUint8Array([
new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
this.sessionKey,
util.writeChecksum(this.sessionKey)
]);
const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
this.encrypted = await crypto.publicKeyEncrypt(
algo, key.publicParams, data, key.getFingerprintBytes());
algo, this.sessionKeyAlgorithm, key.publicParams, encoded, key.getFingerprintBytes());
}
/**
@ -123,35 +123,85 @@ class PublicKeyEncryptedSessionKeyPacket {
throw new Error('Decryption error');
}
const randomPayload = randomSessionKey ? util.concatUint8Array([
new Uint8Array([randomSessionKey.sessionKeyAlgorithm]),
randomSessionKey.sessionKey,
util.writeChecksum(randomSessionKey.sessionKey)
]) : null;
const decoded = await crypto.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
const symmetricAlgoByte = decoded[0];
const sessionKey = decoded.subarray(1, decoded.length - 2);
const checksum = decoded.subarray(decoded.length - 2);
const computedChecksum = util.writeChecksum(sessionKey);
const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
const randomPayload = randomSessionKey ?
encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
null;
const decryptedData = await crypto.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
if (randomSessionKey) {
// We must not leak info about the validity of the decrypted checksum or cipher algo.
// The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
const isValidPayload = isValidChecksum & symmetricAlgoByte === randomSessionKey.sessionKeyAlgorithm & sessionKey.length === randomSessionKey.sessionKey.length;
this.sessionKeyAlgorithm = util.selectUint8(isValidPayload, symmetricAlgoByte, randomSessionKey.sessionKeyAlgorithm);
this.sessionKey = util.selectUint8Array(isValidPayload, sessionKey, randomSessionKey.sessionKey);
const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
} else {
const isValidPayload = isValidChecksum && enums.read(enums.symmetric, symmetricAlgoByte);
if (isValidPayload) {
this.sessionKey = sessionKey;
this.sessionKeyAlgorithm = symmetricAlgoByte;
} else {
throw new Error('Decryption error');
}
// v3 Montgomery curves have cleartext cipher algo
if (this.publicKeyAlgorithm !== enums.publicKey.x25519) {
this.sessionKeyAlgorithm = sessionKeyAlgorithm;
}
this.sessionKey = sessionKey;
}
}
export default PublicKeyEncryptedSessionKeyPacket;
function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
switch (keyAlgo) {
case enums.publicKey.rsaEncrypt:
case enums.publicKey.rsaEncryptSign:
case enums.publicKey.elgamal:
case enums.publicKey.ecdh: {
// add checksum
return util.concatUint8Array([
new Uint8Array([cipherAlgo]),
sessionKeyData,
util.writeChecksum(sessionKeyData.subarray(sessionKeyData.length % 8))
]);
}
case enums.publicKey.x25519:
return sessionKeyData;
default:
throw new Error('Unsupported public key algorithm');
}
}
function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
switch (keyAlgo) {
case enums.publicKey.rsaEncrypt:
case enums.publicKey.rsaEncryptSign:
case enums.publicKey.elgamal:
case enums.publicKey.ecdh: {
// verify checksum in constant time
const result = decryptedData.subarray(0, decryptedData.length - 2);
const checksum = decryptedData.subarray(decryptedData.length - 2);
const computedChecksum = util.writeChecksum(result.subarray(result.length % 8));
const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
const decryptedSessionKey = { sessionKeyAlgorithm: result[0], sessionKey: result.subarray(1) };
if (randomSessionKey) {
// We must not leak info about the validity of the decrypted checksum or cipher algo.
// The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
const isValidPayload = isValidChecksum &
decryptedSessionKey.sessionKeyAlgorithm === randomSessionKey.sessionKeyAlgorithm &
decryptedSessionKey.sessionKey.length === randomSessionKey.sessionKey.length;
return {
sessionKey: util.selectUint8Array(isValidPayload, decryptedSessionKey.sessionKey, randomSessionKey.sessionKey),
sessionKeyAlgorithm: util.selectUint8(
isValidPayload,
decryptedSessionKey.sessionKeyAlgorithm,
randomSessionKey.sessionKeyAlgorithm
)
};
} else {
const isValidPayload = isValidChecksum && enums.read(enums.symmetric, decryptedSessionKey.sessionKeyAlgorithm);
if (isValidPayload) {
return decryptedSessionKey;
} else {
throw new Error('Decryption error');
}
}
}
case enums.publicKey.x25519:
return {
sessionKey: decryptedData
};
default:
throw new Error('Unsupported public key algorithm');
}
}

29
src/type/ecdh_symkey.js
View File

@ -16,7 +16,7 @@
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
/**
* Encoded symmetric key for ECDH
* Encoded symmetric key for ECDH (incl. legacy x25519)
*
* @module type/ecdh_symkey
* @private
@ -26,26 +26,23 @@ import util from '../util';
class ECDHSymmetricKey {
constructor(data) {
if (typeof data === 'undefined') {
data = new Uint8Array([]);
} else if (util.isString(data)) {
data = util.stringToUint8Array(data);
} else {
data = new Uint8Array(data);
if (data) {
this.data = data;
}
this.data = data;
}
/**
* Read an ECDHSymmetricKey from an Uint8Array
* @param {Uint8Array} input - Where to read the encoded symmetric key from
* Read an ECDHSymmetricKey from an Uint8Array:
* - 1 octect for the length `l`
* - `l` octects of encoded session key data
* @param {Uint8Array} bytes
* @returns {Number} Number of read bytes.
*/
read(input) {
if (input.length >= 1) {
const length = input[0];
if (input.length >= 1 + length) {
this.data = input.subarray(1, 1 + length);
read(bytes) {
if (bytes.length >= 1) {
const length = bytes[0];
if (bytes.length >= 1 + length) {
this.data = bytes.subarray(1, 1 + length);
return 1 + this.data.length;
}
}
@ -54,7 +51,7 @@ class ECDHSymmetricKey {
/**
* Write an ECDHSymmetricKey as an Uint8Array
* @returns {Uint8Array} An array containing the value
* @returns {Uint8Array} Serialised data
*/
write() {
return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);

47
src/type/ecdh_x_symkey.js Normal file
View File

@ -0,0 +1,47 @@
/**
* Encoded symmetric key for x25519 and x448
* The payload format varies for v3 and v6 PKESK:
* the former includes an algorithm byte preceeding the encrypted session key.
*
* @module type/x25519x448_symkey
*/
import util from '../util';
class ECDHXSymmetricKey {
static fromObject({ wrappedKey, algorithm }) {
const instance = new ECDHXSymmetricKey();
instance.wrappedKey = wrappedKey;
instance.algorithm = algorithm;
return instance;
}
/**
* - 1 octect for the length `l`
* - `l` octects of encoded session key data (with optional leading algorithm byte)
* @param {Uint8Array} bytes
* @returns {Number} Number of read bytes.
*/
read(bytes) {
let read = 0;
let followLength = bytes[read++];
this.algorithm = followLength % 2 ? bytes[read++] : null; // session key size is always even
followLength -= followLength % 2;
this.wrappedKey = bytes.subarray(read, read + followLength); read += followLength;
}
/**
* Write an MontgomerySymmetricKey as an Uint8Array
* @returns {Uint8Array} Serialised data
*/
write() {
return util.concatUint8Array([
this.algorithm ?
new Uint8Array([this.wrappedKey.length + 1, this.algorithm]) :
new Uint8Array([this.wrappedKey.length]),
this.wrappedKey
]);
}
}
export default ECDHXSymmetricKey;

1
src/type/keyid.js
View File

@ -42,6 +42,7 @@ class KeyID {
*/
read(bytes) {
this.bytes = util.uint8ArrayToString(bytes.subarray(0, 8));
return this.bytes.length;
}
/**

7
src/util.js
View File

@ -25,6 +25,7 @@
import * as stream from '@openpgp/web-stream-tools';
import { getBigInteger } from './biginteger';
import enums from './enums';
const debugMode = (() => {
try {
@ -605,6 +606,12 @@ const util = {
*/
selectUint8: function(cond, a, b) {
return (a & (256 - cond)) | (b & (255 + cond));
},
/**
* @param {module:enums.symmetric} cipherAlgo
*/
isAES: function(cipherAlgo) {
return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
}
};

4
test/crypto/crypto.js
View File

@ -269,7 +269,7 @@ module.exports = () => describe('API functional testing', function() {
it('Asymmetric using RSA with eme_pkcs1 padding', function () {
const symmKey = crypto.generateSessionKey(openpgp.enums.symmetric.aes256);
return crypto.publicKeyEncrypt(algoRSA, RSAPublicParams, symmKey).then(RSAEncryptedData => {
return crypto.publicKeyEncrypt(algoRSA, openpgp.enums.symmetric.aes256, RSAPublicParams, symmKey).then(RSAEncryptedData => {
return crypto.publicKeyDecrypt(
algoRSA, RSAPublicParams, RSAPrivateParams, RSAEncryptedData
).then(data => {
@ -280,7 +280,7 @@ module.exports = () => describe('API functional testing', function() {
it('Asymmetric using Elgamal with eme_pkcs1 padding', function () {
const symmKey = crypto.generateSessionKey(openpgp.enums.symmetric.aes256);
return crypto.publicKeyEncrypt(algoElGamal, elGamalPublicParams, symmKey).then(ElgamalEncryptedData => {
return crypto.publicKeyEncrypt(algoElGamal, openpgp.enums.symmetric.aes256, elGamalPublicParams, symmKey).then(ElgamalEncryptedData => {
return crypto.publicKeyDecrypt(
algoElGamal, elGamalPublicParams, elGamalPrivateParams, ElgamalEncryptedData
).then(data => {

192
test/crypto/ecdh.js
View File

@ -8,6 +8,7 @@ const KDFParams = require('../../src/type/kdf_params');
const elliptic_curves = require('../../src/crypto/public_key/elliptic');
const util = require('../../src/util');
const elliptic_data = require('./elliptic_data');
const random = require('../../src/crypto/random');
const key_data = elliptic_data.key_data;
/* eslint-disable no-invalid-this */
@ -19,7 +20,7 @@ module.exports = () => describe('ECDH key exchange @lightweight', function () {
data = new Uint8Array(data);
}
return Promise.resolve().then(() => {
const curve = new elliptic_curves.Curve(oid);
const curve = new elliptic_curves.CurveWithOID(oid);
return elliptic_curves.ecdh.decrypt(
new OID(curve.oid),
new KDFParams({ cipher, hash }),
@ -131,111 +132,122 @@ module.exports = () => describe('ECDH key exchange @lightweight', function () {
71, 245, 86, 3, 168, 101, 74, 209, 105
]);
describe('ECDHE key generation', function () {
const ecdh = elliptic_curves.ecdh;
const ecdh = elliptic_curves.ecdh;
it('Invalid curve', async function () {
if (!openpgp.config.useIndutnyElliptic && !util.getNodeCrypto()) {
this.skip();
}
const curve = new elliptic_curves.Curve('secp256k1');
it('Invalid curve', async function () {
if (!openpgp.config.useIndutnyElliptic && !util.getNodeCrypto()) {
this.skip();
}
const curve = new elliptic_curves.CurveWithOID('secp256k1');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
expect(
ecdh.encrypt(oid, kdfParams, data, Q1, fingerprint1)
).to.be.rejectedWith(Error, /Public key is not valid for specified curve|Failed to translate Buffer to a EC_POINT|Unknown point format/);
});
it('Different keys', async function () {
const curve = new elliptic_curves.CurveWithOID('curve25519');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q1, fingerprint1);
await expect(
ecdh.decrypt(oid, kdfParams, V, C, Q2, d2, fingerprint1)
).to.be.rejectedWith(/Key Data Integrity failed/);
});
it('Invalid fingerprint', async function () {
const curve = new elliptic_curves.CurveWithOID('curve25519');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q2, fingerprint1);
await expect(
ecdh.decrypt(oid, kdfParams, V, C, Q2, d2, fingerprint2)
).to.be.rejectedWith(/Key Data Integrity failed/);
});
it('Successful exchange x25519 (legacy)', async function () {
const curve = new elliptic_curves.CurveWithOID('curve25519');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q1, fingerprint1);
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q1, d1, fingerprint1)).to.deep.equal(data);
});
it('Successful exchange x25519', async function () {
const { ecdhX } = elliptic_curves;
const data = random.getRandomBytes(32);
// Bob's keys from https://www.rfc-editor.org/rfc/rfc7748#section-6.1
const b = util.hexToUint8Array('5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb');
const K_B = util.hexToUint8Array('de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f');
const { ephemeralPublicKey, wrappedKey } = await ecdhX.encrypt(openpgp.enums.publicKey.x25519, data, K_B);
expect(await ecdhX.decrypt(openpgp.enums.publicKey.x25519, ephemeralPublicKey, wrappedKey, K_B, b)).to.deep.equal(data);
});
['p256', 'p384', 'p521'].forEach(curveName => {
it(`NIST ${curveName} - Successful exchange`, async function () {
const curve = new elliptic_curves.CurveWithOID(curveName);
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
expect(
ecdh.encrypt(oid, kdfParams, data, Q1, fingerprint1)
).to.be.rejectedWith(Error, /Public key is not valid for specified curve|Failed to translate Buffer to a EC_POINT|Unknown point format/);
const Q = key_data[curveName].pub;
const d = key_data[curveName].priv;
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q, fingerprint1);
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q, d, fingerprint1)).to.deep.equal(data);
});
it('Different keys', async function () {
const curve = new elliptic_curves.Curve('curve25519');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q1, fingerprint1);
await expect(
ecdh.decrypt(oid, kdfParams, V, C, Q2, d2, fingerprint1)
).to.be.rejectedWith(/Key Data Integrity failed/);
});
describe('Comparing decrypting with and without native crypto', () => {
let sinonSandbox;
let getWebCryptoStub;
let getNodeCryptoStub;
beforeEach(function () {
sinonSandbox = sandbox.create();
});
it('Invalid fingerprint', async function () {
const curve = new elliptic_curves.Curve('curve25519');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q2, fingerprint1);
await expect(
ecdh.decrypt(oid, kdfParams, V, C, Q2, d2, fingerprint2)
).to.be.rejectedWith(/Key Data Integrity failed/);
});
it('Successful exchange curve25519', async function () {
const curve = new elliptic_curves.Curve('curve25519');
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q1, fingerprint1);
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q1, d1, fingerprint1)).to.deep.equal(data);
afterEach(function () {
sinonSandbox.restore();
});
const disableNative = () => {
enableNative();
// stubbed functions return undefined
getWebCryptoStub = sinonSandbox.stub(util, 'getWebCrypto');
getNodeCryptoStub = sinonSandbox.stub(util, 'getNodeCrypto');
};
const enableNative = () => {
getWebCryptoStub && getWebCryptoStub.restore();
getNodeCryptoStub && getNodeCryptoStub.restore();
};
['p256', 'p384', 'p521'].forEach(curveName => {
it(`NIST ${curveName} - Successful exchange`, async function () {
const curve = new elliptic_curves.Curve(curveName);
it(`NIST ${curveName}`, async function () {
const nodeCrypto = util.getNodeCrypto();
const webCrypto = util.getWebCrypto();
if (!nodeCrypto && !webCrypto) {
this.skip();
}
const curve = new elliptic_curves.CurveWithOID(curveName);
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const Q = key_data[curveName].pub;
const d = key_data[curveName].priv;
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q, fingerprint1);
const nativeDecryptSpy = webCrypto ? sinonSandbox.spy(webCrypto, 'deriveBits') : sinonSandbox.spy(nodeCrypto, 'createECDH');
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q, d, fingerprint1)).to.deep.equal(data);
});
});
describe('Comparing decrypting with and without native crypto', () => {
let sinonSandbox;
let getWebCryptoStub;
let getNodeCryptoStub;
beforeEach(function () {
sinonSandbox = sandbox.create();
});
afterEach(function () {
sinonSandbox.restore();
});
const disableNative = () => {
enableNative();
// stubbed functions return undefined
getWebCryptoStub = sinonSandbox.stub(util, 'getWebCrypto');
getNodeCryptoStub = sinonSandbox.stub(util, 'getNodeCrypto');
};
const enableNative = () => {
getWebCryptoStub && getWebCryptoStub.restore();
getNodeCryptoStub && getNodeCryptoStub.restore();
};
['p256', 'p384', 'p521'].forEach(curveName => {
it(`NIST ${curveName}`, async function () {
const nodeCrypto = util.getNodeCrypto();
const webCrypto = util.getWebCrypto();
if (!nodeCrypto && !webCrypto) {
this.skip();
}
const curve = new elliptic_curves.Curve(curveName);
const oid = new OID(curve.oid);
const kdfParams = new KDFParams({ hash: curve.hash, cipher: curve.cipher });
const data = util.stringToUint8Array('test');
const Q = key_data[curveName].pub;
const d = key_data[curveName].priv;
const { publicKey: V, wrappedKey: C } = await ecdh.encrypt(oid, kdfParams, data, Q, fingerprint1);
const nativeDecryptSpy = webCrypto ? sinonSandbox.spy(webCrypto, 'deriveBits') : sinonSandbox.spy(nodeCrypto, 'createECDH');
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q, d, fingerprint1)).to.deep.equal(data);
disableNative();
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q, d, fingerprint1)).to.deep.equal(data);
if (curveName !== 'p521') { // safari does not implement p521 in webcrypto
expect(nativeDecryptSpy.calledOnce).to.be.true;
}
});
disableNative();
expect(await ecdh.decrypt(oid, kdfParams, V, C, Q, d, fingerprint1)).to.deep.equal(data);
if (curveName !== 'p521') { // safari does not implement p521 in webcrypto
expect(nativeDecryptSpy.calledOnce).to.be.true;
}
});
});
});

8
test/crypto/elliptic.js
View File

@ -59,10 +59,10 @@ module.exports = () => describe('Elliptic Curve Cryptography @lightweight', func
describe('Basic Operations', function () {
it('Creating curve from name or oid', function (done) {
Object.keys(openpgp.enums.curve).forEach(function(name_or_oid) {
expect(new elliptic_curves.Curve(name_or_oid)).to.exist;
expect(new elliptic_curves.CurveWithOID(name_or_oid)).to.exist;
});
Object.values(openpgp.enums.curve).forEach(function(name_or_oid) {
expect(new elliptic_curves.Curve(name_or_oid)).to.exist;
expect(new elliptic_curves.CurveWithOID(name_or_oid)).to.exist;
});
done();
});
@ -73,7 +73,7 @@ module.exports = () => describe('Elliptic Curve Cryptography @lightweight', func
const names = config.useIndutnyElliptic ? ['p256', 'p384', 'p521', 'secp256k1', 'curve25519', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1'] :
['p256', 'p384', 'p521', 'curve25519'];
return Promise.all(names.map(function (name) {
const curve = new elliptic_curves.Curve(name);
const curve = new elliptic_curves.CurveWithOID(name);
return curve.genKeyPair().then(keyPair => {
expect(keyPair).to.exist;
});
@ -243,7 +243,7 @@ module.exports = () => describe('Elliptic Curve Cryptography @lightweight', func
.to.eventually.be.true.notify(done);
});
it('Sign and verify message', function () {
const curve = new elliptic_curves.Curve('p521');
const curve = new elliptic_curves.CurveWithOID('p521');
return curve.genKeyPair().then(async keyPair => {
const keyPublic = new Uint8Array(keyPair.publicKey);
const keyPrivate = new Uint8Array(keyPair.privateKey);

47
test/crypto/hkdf.js Normal file
View File

@ -0,0 +1,47 @@
const { expect } = require('chai');
const computeHKDF = require('../../src/crypto/hkdf');
const enums = require('../../src/enums');
const util = require('../../src/util');
// WebCrypto implements HKDF natively, no need to test it
const maybeDescribe = util.getNodeCrypto() ? describe : describe;
module.exports = () => maybeDescribe('HKDF test vectors', function() {
// Vectors from https://www.rfc-editor.org/rfc/rfc5869#appendix-A
it('Test Case 1', async function() {
const inputKey = util.hexToUint8Array('0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b');
const salt = util.hexToUint8Array('000102030405060708090a0b0c');
const info = util.hexToUint8Array('f0f1f2f3f4f5f6f7f8f9');
const outLen = 42;
const actual = await computeHKDF(enums.hash.sha256, inputKey, salt, info, outLen);
const expected = util.hexToUint8Array('3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865');
expect(actual).to.deep.equal(expected);
});
it('Test Case 2', async function() {
const inputKey = util.hexToUint8Array('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f');
const salt = util.hexToUint8Array('606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf');
const info = util.hexToUint8Array('b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff');
const outLen = 82;
const actual = await computeHKDF(enums.hash.sha256, inputKey, salt, info, outLen);
const expected = util.hexToUint8Array('b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87');
expect(actual).to.deep.equal(expected);
});
it('Test Case 3', async function() {
const inputKey = util.hexToUint8Array('0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b');
const salt = new Uint8Array();
const info = new Uint8Array();
const outLen = 42;
const actual = await computeHKDF(enums.hash.sha256, inputKey, salt, info, outLen);
const expected = util.hexToUint8Array('8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8');
expect(actual).to.deep.equal(expected);
});
});

1
test/crypto/index.js
View File

@ -6,6 +6,7 @@ module.exports = () => describe('Crypto', function () {
require('./ecdh')();
require('./pkcs5')();
require('./aes_kw')();
require('./hkdf')();
require('./gcm')();
require('./eax')();
require('./ocb')();

2
test/crypto/validate.js
View File

@ -87,7 +87,7 @@ async function generatePrivateKeyObject(options) {
/* eslint-disable no-invalid-this */
module.exports = () => {
describe('EdDSA parameter validation', function() {
describe('EdDSA parameter validation (legacy format)', function() {
let eddsaKey;
before(async () => {
eddsaKey = await generatePrivateKeyObject({ curve: 'ed25519' });

30
test/general/key.js
View File

@ -3012,6 +3012,32 @@ zWBsBR8VnoOVfEE+VQk6YAi7cTSjcMjfsIez9FYtAQDKo9aCMhUohYyqvhZjn8aS
})).to.be.rejectedWith(/Cannot read KDFParams/);
});
it('Parsing V4 key using new curve25519 format', async function() {
const privateKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
xUkEZB3qzRto01j2k2pwN5ux9w70stPinAdXULLr20CRW7U7h2GSeACch0M+
qzQg8yjFQ8VBvu3uwgKH9senoHmj72lLSCLTmhFKzQR0ZXN0wogEEBsIAD4F
gmQd6s0ECwkHCAmQIf45+TuC+xMDFQgKBBYAAgECGQECmwMCHgEWIQSWEzMi
jJUHvyIbVKIh/jn5O4L7EwAAUhaHNlgudvxARdPPETUzVgjuWi+YIz8w1xIb
lHQMvIrbe2sGCQIethpWofd0x7DHuv/ciHg+EoxJ/Td6h4pWtIoKx0kEZB3q
zRm4CyA7quliq7yx08AoOqHTuuCgvpkSdEhpp3pEyejQOgBo0p6ywIiLPllY
0t+jpNspHpAGfXID6oqjpYuJw3AfVRBlwnQEGBsIACoFgmQd6s0JkCH+Ofk7
gvsTApsMFiEElhMzIoyVB78iG1SiIf45+TuC+xMAAGgQuN9G73446ykvJ/mL
sCZ7zGFId2gBd1EnG0FTC4npfOKpck0X8dngByrCxU8LDSfvjsEp/xDAiKsQ
aU71tdtNBQ==
=e7jT
-----END PGP PRIVATE KEY BLOCK-----` });
// sanity checks
await expect(privateKey.validate()).to.be.fulfilled;
const signingKey = await privateKey.getSigningKey();
expect(signingKey.keyPacket.algorithm).to.equal(openpgp.enums.publicKey.ed25519);
expect(signingKey.getAlgorithmInfo()).to.deep.equal({ algorithm: 'ed25519' });
const encryptionKey = await privateKey.getEncryptionKey();
expect(encryptionKey.keyPacket.algorithm).to.equal(openpgp.enums.publicKey.x25519);
expect(encryptionKey.getAlgorithmInfo()).to.deep.equal({ algorithm: 'x25519' });
});
it('Testing key ID and fingerprint for V4 keys', async function() {
const pubKeysV4 = await openpgp.readKeys({ armoredKeys: twoKeys });
expect(pubKeysV4).to.exist;
@ -4077,7 +4103,7 @@ XvmoLueOOShu01X/kaylMqaT8w==
await subkey.verify();
});
it('sign/verify data with the new subkey correctly using curve25519', async function() {
it('sign/verify data with the new subkey correctly using curve25519 (legacy format)', async function() {
const userID = { name: 'test', email: 'a@b.com' };
const opt = { curve: 'curve25519', userIDs: [userID], format: 'object', subkeys:[] };
const { privateKey } = await openpgp.generateKey(opt);
@ -4104,7 +4130,7 @@ XvmoLueOOShu01X/kaylMqaT8w==
expect(await signatures[0].verified).to.be.true;
});
it('encrypt/decrypt data with the new subkey correctly using curve25519', async function() {
it('encrypt/decrypt data with the new subkey correctly using curve25519 (legacy format)', async function() {
const userID = { name: 'test', email: 'a@b.com' };
const vData = 'the data to encrypted!';
const opt = { curve: 'curve25519', userIDs: [userID], format: 'object', subkeys:[] };

126
test/general/openpgp.js
View File

@ -2018,6 +2018,65 @@ aOU=
expect(await stream.readToEnd(streamedData)).to.equal(text);
});
it('supports decrypting new x25519 format', async function () {
// v4 key
const privateKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
xUkEZIbSkxsHknQrXGfb+kM2iOsOvin8yE05ff5hF8KE6k+saspAZQCy/kfFUYc2
GkpOHc42BI+MsysKzk4ofjBAfqM+bb7goQ3hzRV1c2VyIDx1c2VyQHRlc3QudGVz
dD7ChwQTGwgAPQUCZIbSkwmQQezK2iB2tIkWIQRqZza9wQZcwxpjGYNB7MraIHa0
iQIbAwIeAQIZAQILBwIVCAIWAAMnBwIAAFOeZ7jrKZsCzRfu1ffFa77074st0zRo
BTJXoXBQ1ZzLjsh+ZO6fB2odnYJtQYstv45H/3JyLVogcMnFeYmHeSP3AMdJBGSG
0pMZfpd7TiOQv7uKSK+k4HT9lKr5+dmvb7vox/8ids6unEkAF1v8fCKogIrtBWVT
nVbwnovjM3LLexpXFZSgTKRcNMgPRMJ0BBgbCAAqBQJkhtKTCZBB7MraIHa0iRYh
BGpnNr3BBlzDGmMZg0HsytogdrSJAhsMAADCYs2I9wBakIu9Hhxs4R3Jq9F8J7AH
yxsNL0GomZ+hxiE0MOZwRr10DxfVaRabF1fcf9PHSHX2SwEFXUKMIHgbMQs=
=bJqd
-----END PGP PRIVATE KEY BLOCK-----` });
const messageToDecrypt = `-----BEGIN PGP MESSAGE-----
wUQDYc6clYlCdtoZ3rAsvBDIwvoLmvM0zwViG8Ec0PgFfN5R6C4BqEZD53UZB1WM
J68hXSj1Sa235XAUYE1pZerTKhglvdI9Aeve8+L0w5RDMjmBBA50Yv/YT8liqhNi
mNwbfFbSNhZYWjFada77EKBn60j8QT/xCQzLR1clci7ieW2knw==
=NKye
-----END PGP MESSAGE-----`;
const { data } = await openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: messageToDecrypt }),
decryptionKeys: privateKey
});
expect(data).to.equal('Hello World!');
});
it('supports encrypting new x25519 format', async function () {
// v4 key
const privateKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
xUkEZIbSkxsHknQrXGfb+kM2iOsOvin8yE05ff5hF8KE6k+saspAZQCy/kfFUYc2
GkpOHc42BI+MsysKzk4ofjBAfqM+bb7goQ3hzRV1c2VyIDx1c2VyQHRlc3QudGVz
dD7ChwQTGwgAPQUCZIbSkwmQQezK2iB2tIkWIQRqZza9wQZcwxpjGYNB7MraIHa0
iQIbAwIeAQIZAQILBwIVCAIWAAMnBwIAAFOeZ7jrKZsCzRfu1ffFa77074st0zRo
BTJXoXBQ1ZzLjsh+ZO6fB2odnYJtQYstv45H/3JyLVogcMnFeYmHeSP3AMdJBGSG
0pMZfpd7TiOQv7uKSK+k4HT9lKr5+dmvb7vox/8ids6unEkAF1v8fCKogIrtBWVT
nVbwnovjM3LLexpXFZSgTKRcNMgPRMJ0BBgbCAAqBQJkhtKTCZBB7MraIHa0iRYh
BGpnNr3BBlzDGmMZg0HsytogdrSJAhsMAADCYs2I9wBakIu9Hhxs4R3Jq9F8J7AH
yxsNL0GomZ+hxiE0MOZwRr10DxfVaRabF1fcf9PHSHX2SwEFXUKMIHgbMQs=
=bJqd
-----END PGP PRIVATE KEY BLOCK-----` });
const plaintext = 'plaintext';
const signed = await openpgp.encrypt({
message: await openpgp.createMessage({ text: plaintext }),
encryptionKeys: privateKey
});
const { data } = await openpgp.decrypt({
message: await openpgp.readMessage({ armoredMessage: signed }),
decryptionKeys: privateKey
});
expect(data).to.equal(plaintext);
});
it('should support encrypting with encrypted key with unknown s2k (unparseableKeyMaterial)', async function() {
const originalDecryptedKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
@ -4023,6 +4082,45 @@ bsZgJWVlAa5eil6J9ePX2xbo1vVAkLQdzE9+1jL+l7PRIZuVBQ==
expect(data).to.equal('test');
});
it('should enforce using AES session keys with x25519 keys (new format)', async function () {
// x25519 key (v4) with cast5 as preferred cipher
const privateKeyCast5 = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
xUkEZK8BixuMghYwdEgHl+3ASI4VZkn048KG4DVuugT1bMe4QTtFtQCoKBOG
JxrZh8E+7I5nK7McXP2U9gyC0+RFcD46AxSmRA46zQDCiAQQGwgAPgWCZK8B
iwQLAwcICZCaWrTxMIPhVwMVCAoEFgACAQIZAQKbAwIeARYhBDFBS8Xnfotk
Oun5WZpatPEwg+FXAABwwuNWCdr1WahiGrLupYaOYQO4S9y+FYTxqEV/gsOP
TKwmNIcIJPROV2LgyxvzQo79//0CocEYojEeUhGn7BH5lwvHSQRkrwGLGbVM
1JxFUJeQ253sHMko73uPkyyb9DvaeyWHPwgF2k9GACA9caoO8GsZI7KMnVGP
c4EpytBwVIsr4ck3QaEV/UxvDpnCdAQYGwgAKgWCZK8BiwmQmlq08TCD4VcC
mwwWIQQxQUvF536LZDrp+VmaWrTxMIPhVwAAXycLtMyiv0lon4qU5/rKWjrq
MIxMchUbHvktvUqomU0pDDLMPqLFtzBbtHqODPVbLTOygJRVLeHyWTOEfmOD
kl0L
=SYJZ
-----END PGP PRIVATE KEY BLOCK-----` });
await expect(openpgp.generateSessionKey({
encryptionKeys: privateKeyCast5,
config: { preferredSymmetricAlgorithm: openpgp.enums.symmetric.cast5 }
})).to.be.rejectedWith(/Could not generate a session key compatible with the given `encryptionKeys`/);
await expect(openpgp.encrypt({
message: await openpgp.createMessage({ text: plaintext }),
encryptionKeys: privateKeyCast5,
sessionKey: { data: new Uint8Array(16).fill(1), algorithm: 'cast5' }
})).to.be.rejectedWith(/X25519 keys can only encrypt AES session keys/);
await expect(openpgp.decryptSessionKeys({
message: await openpgp.readMessage({ armoredMessage: `-----BEGIN PGP MESSAGE-----
wUQD66NYAXF0vfYZNWpc7s9eihtgj7EhHBeLOq2Ktw79artbhN5JMs+9aCIZ
A7sB7uYCTVCLIMfPFwVZH+c29gpCzPxSXQ==
=Dr02
-----END PGP MESSAGE-----` }),
decryptionKeys: privateKeyCast5
})).to.be.rejectedWith(/AES session key expected/);
});
describe('Sign and verify with each curve', function() {
const curves = ['secp256k1' , 'p256', 'p384', 'p521', 'curve25519', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1'];
curves.forEach(curve => {
@ -4035,6 +4133,34 @@ bsZgJWVlAa5eil6J9ePX2xbo1vVAkLQdzE9+1jL+l7PRIZuVBQ==
expect(await verified.signatures[0].verified).to.be.true;
});
});
it('sign/verify with new Ed25519 format', async function () {
// v4 key, which we do not support generating
const privateKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
xUkEZBw5PBscroGar9fsilA0q9AX979pBhTNkGQ69vQGGW7kxRxNuABB+eAw
JrQ9A3o1gUJg28ORTQd72+kFo87184qR97a6rRGFzQR0ZXN0wogEEBsIAD4F
gmQcOTwECwkHCAmQT/m+Rl22Ps8DFQgKBBYAAgECGQECmwMCHgEWIQSUlOfm
G7MWJd2909ZP+b5GXbY+zwAAVs/4pWH4l7pWcTATBavVqSATMKi4A+usp89G
J/qaHc+qmcEpIMmPNvLQ7n4F4kEXk8Zwz+OXovVWLQ+Njl5gzooF
=wYg1
-----END PGP PRIVATE KEY BLOCK-----
` });
const plaintext = 'plaintext';
const signed = await openpgp.sign({
message: await openpgp.createMessage({ text: plaintext }),
signingKeys: privateKey
});
const { signatures, data } = await openpgp.verify({
message: await openpgp.readMessage({ armoredMessage: signed }),
verificationKeys: privateKey
});
expect(data).to.equal(plaintext);
expect(signatures).to.have.length(1);
expect(await signatures[0].verified).to.be.true;
});
});
describe('Errors', function() {

2
test/general/streaming.js
View File

@ -730,7 +730,7 @@ function tests() {
expect(await verified.signatures[0].verified).to.be.true;
});
it('Detached sign small message using x25519 curve keys', async function() {
it('Detached sign small message using curve25519 keys (legacy format)', async function() {
dataArrived(); // Do not wait until data arrived.
const data = global.ReadableStream ? new global.ReadableStream({
async start(controller) {

4
test/general/x25519.js
View File

@ -11,7 +11,7 @@ const util = require('../../src/util');
const input = require('./testInputs');
module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cryptography', function () {
module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cryptography (legacy format)', function () {
const data = {
light: {
id: '1ecdf026c0245830',
@ -218,7 +218,7 @@ module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cr
describe('Ed25519 Test Vectors from RFC8032', function () {
// https://tools.ietf.org/html/rfc8032#section-7.1
function testVector(vector) {
const curve = new elliptic.Curve('ed25519');
const curve = new elliptic.CurveWithOID('ed25519');
const { publicKey } = nacl.sign.keyPair.fromSeed(util.hexToUint8Array(vector.SECRET_KEY));
expect(publicKey).to.deep.equal(util.hexToUint8Array(vector.PUBLIC_KEY));
const data = vector.MESSAGE;

6
test/karma.conf.js
View File

@ -109,12 +109,12 @@ module.exports = function(config) {
os: 'OS X',
os_version: 'Catalina'
},
bs_ios_15: {
bs_ios_14: {
base: 'BrowserStack',
device: 'iPhone 13',
device: 'iPhone 12',
real_mobile: true,
os: 'ios',
os_version: '15'
os_version: '14'
}
},