OP-01-010 Invalid Armor Checksum Validation (Low)

2014-03-29 16:25:28 +01:00 · 2014-03-29 16:25:28 +01:00 · e8ef355604
commit e8ef355604
parent 5eca11ca5b
2 changed files with 30 additions and 2 deletions
--- a/src/encoding/armor.js
+++ b/src/encoding/armor.js
@ -131,7 +131,7 @@ function getCheckSum(data) {
 function verifyCheckSum(data, checksum) {
  var c = getCheckSum(data);
  var d = checksum;
-  return c[0] == d[0] && c[1] == d[1] && c[2] == d[2];
+  return c[0] == d[0] && c[1] == d[1] && c[2] == d[2] && c[3] == d[3];
 }
 /**
 * Internal function to calculate a CRC-24 checksum over a given string (data)
@ -323,11 +323,13 @@ function dearmor(text) {
    checksum = sig_sum.checksum;
  }

+  checksum = checksum.substr(0, 4);
+
  if (!verifyCheckSum(result.data, checksum)) {
    throw new Error("Ascii armor integrity check on message failed: '" +
      checksum +
      "' should be '" +
-      getCheckSum(result) + "'");
+      getCheckSum(result.data) + "'");
  }

  verifyHeaders(result.headers);
--- a/test/general/armor.js
+++ b/test/general/armor.js
@ -131,6 +131,32 @@ describe("ASCII armor", function() {
    expect(msg).to.throw(Error, /Unknow ASCII armor type/);
  });

+  it('Armor checksum validation', function () {
+    var privKey =
+      ['-----BEGIN PGP PRIVATE KEY BLOCK-----',
+      'Version: OpenPGP.js v0.3.0',
+      'Comment: http://openpgpjs.org',
+      '',
+      'xbYEUubX7gEBANDWhzoP+Tr/IyRSv++vl5jBesQIPTYGQBdzF4YDnGEBABEB',
+      'AAH+CQMIfzdw4/PKNl5gVXdtfDFdSIN8yJT2rbeg3+SsWexXZNNdRaONWaiB',
+      'Z5cG9Q6+BoXKsEshIdcYOgwsAgRxlPpRA34Vvmg2QBk7PhdrkbK7aqENsJ1w',
+      'dIlLD6p9GmLE20yVff58/fMiUtPRgsD83SpKTAX6EM1ulpkuQQNjmrVc5qc8',
+      '7AMdF80JdW5kZWZpbmVkwj8EEAEIABMFAlLm1+4JEBD8MASZrpALAhsDAAAs',
+      'QgD8CUrwv7Hrp/INR0/UvAvzS52VztREQwQWTJMrgTNHBGjHtgRS5tfuAQEA',
+      'nys9SaSgR+l6iZc/M8hGIUmbuahE2/+mtw+/l0RO+WcAEQEAAf4JAwjr39Yi',
+      'FzjxImDN1IoYVsonA9M+BtIIJHafuQUHjyEr1paJJK5xS6KlyGgpMTXTD6y/',
+      'qxS3ZSPPzHGRrs2CmkVEiPmurn9Ed05tb0y9OnJkWtuh3z9VVq9d8zHzuENa',
+      'bUfli+P/v+dRaZ+1rSOxUFbFYbFB5XK/A9b/OPFrv+mb4KrtLxugwj8EGAEI',
+      'ABMFAlLm1+4JEBD8MASZrpALAhsMAAC3IgD8DnLGbMnpLtrX72RCkPW1ffLq',
+      '71vlXMJNXvoCeuejiRw=',
+      '=wJN@',
+      '-----END PGP PRIVATE KEY BLOCK-----'].join('\n');
+
+    var result = openpgp.key.readArmored(privKey);
+    expect(result.err).to.exist;
+    expect(result.err[0].message).to.match(/Ascii armor integrity check on message failed/);
+  });
+
 });