From a315c46583df87cb931639f78ff02ca45fbc6687 Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Thu, 30 May 2024 17:25:05 +0200 Subject: [PATCH] `openpgp.verify`: fix bug preventing verification of detached signature over streamed data When given a streamed `message` and a detached `signature` in input, the function would return an empty array as `data` instead of the input stream, meaning it was not possible to pull it, causing the `verified` promise to hang indefinitely. The above issue was introduced v5.0.0-2, and thus affects all v5 releases up to v5.11.1. --- src/openpgp.js | 2 +- test/general/streaming.js | 51 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) diff --git a/src/openpgp.js b/src/openpgp.js index 4d11f0a8..e109f6dd 100644 --- a/src/openpgp.js +++ b/src/openpgp.js @@ -480,7 +480,7 @@ export async function verify({ message, verificationKeys, expectSigned = false, result.signatures = await message.verify(verificationKeys, date, config); } result.data = format === 'binary' ? message.getLiteralData() : message.getText(); - if (message.fromStream) linkStreams(result, message); + if (message.fromStream && !signature) linkStreams(result, message); if (expectSigned) { if (result.signatures.length === 0) { throw new Error('Message is not signed'); diff --git a/test/general/streaming.js b/test/general/streaming.js index b604907a..de5e1bd1 100644 --- a/test/general/streaming.js +++ b/test/general/streaming.js @@ -653,6 +653,57 @@ function tests() { expect(i).to.be.lessThan(expectedType === 'web' ? 50 : 250); }); + it('Detached sign/verify: support streamed input', async function() { + dataArrived(); + const signed = await openpgp.sign({ + message: await openpgp.createMessage({ binary: stream.clone(data) }), + signingKeys: privKey, + config: { minRSABits: 1024 }, + detached: true + }); + const armoredSignature = await stream.readToEnd(signed); + + const message = await openpgp.createMessage({ binary: data }); + const verified = await openpgp.verify({ + message, + signature: await openpgp.readSignature({ armoredSignature }), + verificationKeys: pubKey, + format: 'binary', + config: { minRSABits: 1024 } + }); + expect(await stream.readToEnd(verified.data)).to.deep.equal(util.concatUint8Array(plaintext)); + expect(verified.signatures).to.exist.and.have.length(1); + expect(await verified.signatures[0].verified).to.be.true; + }); + + it('Detached verify: Input stream should be canceled when canceling verified stream', async function() { + const armoredSignature = await openpgp.sign({ + message: await openpgp.createMessage({ binary: util.concatUint8Array(plaintext) }), + signingKeys: privKey, + config: { minRSABits: 1024 }, + detached: true + }); + + const message = await openpgp.createMessage({ binary: data }); + const verified = await openpgp.verify({ + message, + signature: await openpgp.readSignature({ armoredSignature }), + verificationKeys: pubKey, + format: 'binary', + config: { minRSABits: 1024 } + }); + expect(stream.isStream(verified.data)).to.equal(expectedType); + const reader = stream.getReader(verified.data); + expect(await reader.readBytes(1024)).to.deep.equal(plaintext[0]); + dataArrived(); + reader.releaseLock(); + await stream.cancel(verified.data, new Error('canceled by test')); + expect(canceled).to.be.true; + expect(verified.signatures).to.exist.and.have.length(1); + await expect(verified.signatures[0].verified).to.be.rejectedWith('canceled'); + }); + + it('Detached sign small message', async function() { dataArrived(); // Do not wait until data arrived. const data = global.ReadableStream ? new global.ReadableStream({