From e8ef355604bd1ff5797f64b20b50a62bb33abe45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Obernd=C3=B6rfer?= <toberndo@yarkon.de>
Date: Sat, 29 Mar 2014 16:25:28 +0100
Subject: [PATCH] OP-01-010 Invalid Armor Checksum Validation (Low)

---
 src/encoding/armor.js |  6 ++++--
 test/general/armor.js | 26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/encoding/armor.js b/src/encoding/armor.js
index 08ce0fd1..dcdc6295 100644
--- a/src/encoding/armor.js
+++ b/src/encoding/armor.js
@@ -131,7 +131,7 @@ function getCheckSum(data) {
 function verifyCheckSum(data, checksum) {
   var c = getCheckSum(data);
   var d = checksum;
-  return c[0] == d[0] && c[1] == d[1] && c[2] == d[2];
+  return c[0] == d[0] && c[1] == d[1] && c[2] == d[2] && c[3] == d[3];
 }
 /**
  * Internal function to calculate a CRC-24 checksum over a given string (data)
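Review bot: The index-by-index `==` chain in `verifyCheckSum` only inspects the first four characters of `checksum`, so a longer value with a matching prefix still verifies unless the caller truncates it first, as `dearmor` does in the next hunk. Comparing the whole strings with strict equality, `return getCheckSum(data) === checksum;`, makes the function reject wrong-length input on its own, and it cannot silently omit a position the way the old three-character chain did. This assumes `getCheckSum` always returns a four-character string, which looks likely for a base64-encoded CRC-24 but is defined outside this hunk.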
@@ -323,11 +323,13 @@ function dearmor(text) {
     checksum = sig_sum.checksum;
   }
 
+  checksum = checksum.substr(0, 4);
+
   if (!verifyCheckSum(result.data, checksum)) {
     throw new Error("Ascii armor integrity check on message failed: '" +
       checksum +
       "' should be '" +
-      getCheckSum(result) + "'");
+      getCheckSum(result.data) + "'");
   }
 
   verifyHeaders(result.headers);
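Review bot: `checksum.substr(0, 4)` truncates instead of validating, so a checksum line that carries extra characters after the first four is accepted as long as the prefix matches. If the truncation is meant to drop a trailing newline or whitespace (the splitting code is outside this hunk, so that is a guess), trimming and then requiring the exact length is stricter: `checksum = checksum.trim();` followed by `if (checksum.length !== 4) throw new Error("Ascii armor integrity check on message failed: malformed checksum");`. It is also worth confirming that `checksum` is always a string at this point, since an armor block without a checksum line would otherwise fail with a TypeError from `.substr` rather than the integrity error. `dearmor` starts and ends outside the hunk.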
diff --git a/test/general/armor.js b/test/general/armor.js
index b684d7eb..76cfdc98 100644
--- a/test/general/armor.js
+++ b/test/general/armor.js
@@ -131,6 +131,32 @@ describe("ASCII armor", function() {
     expect(msg).to.throw(Error, /Unknow ASCII armor type/);
   });
 
+  it('Armor checksum validation', function () {
+    var privKey =
+      ['-----BEGIN PGP PRIVATE KEY BLOCK-----',
+      'Version: OpenPGP.js v0.3.0',
+      'Comment: http://openpgpjs.org',
+      '',
+      'xbYEUubX7gEBANDWhzoP+Tr/IyRSv++vl5jBesQIPTYGQBdzF4YDnGEBABEB',
+      'AAH+CQMIfzdw4/PKNl5gVXdtfDFdSIN8yJT2rbeg3+SsWexXZNNdRaONWaiB',
+      'Z5cG9Q6+BoXKsEshIdcYOgwsAgRxlPpRA34Vvmg2QBk7PhdrkbK7aqENsJ1w',
+      'dIlLD6p9GmLE20yVff58/fMiUtPRgsD83SpKTAX6EM1ulpkuQQNjmrVc5qc8',
+      '7AMdF80JdW5kZWZpbmVkwj8EEAEIABMFAlLm1+4JEBD8MASZrpALAhsDAAAs',
+      'QgD8CUrwv7Hrp/INR0/UvAvzS52VztREQwQWTJMrgTNHBGjHtgRS5tfuAQEA',
+      'nys9SaSgR+l6iZc/M8hGIUmbuahE2/+mtw+/l0RO+WcAEQEAAf4JAwjr39Yi',
+      'FzjxImDN1IoYVsonA9M+BtIIJHafuQUHjyEr1paJJK5xS6KlyGgpMTXTD6y/',
+      'qxS3ZSPPzHGRrs2CmkVEiPmurn9Ed05tb0y9OnJkWtuh3z9VVq9d8zHzuENa',
+      'bUfli+P/v+dRaZ+1rSOxUFbFYbFB5XK/A9b/OPFrv+mb4KrtLxugwj8EGAEI',
+      'ABMFAlLm1+4JEBD8MASZrpALAhsMAAC3IgD8DnLGbMnpLtrX72RCkPW1ffLq',
+      '71vlXMJNXvoCeuejiRw=',
+      '=wJN@',
+      '-----END PGP PRIVATE KEY BLOCK-----'].join('\n');
+
+    var result = openpgp.key.readArmored(privKey);
+    expect(result.err).to.exist;
+    expect(result.err[0].message).to.match(/Ascii armor integrity check on message failed/);
+  });
+
 });
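Review bot: The corrupted checksum `=wJN@` uses `@`, which is not in the base64 alphabet, so the test shows that a malformed fourth character is rejected but not that a well-formed, wrong one is. Replacing `@` with a base64 character that differs from the correct one keeps the test meaningful if the checksum is ever decoded before comparison. A positive control that reads the same block with its correct checksum and expects no `err`, plus a case with characters appended after a correct checksum, would pin both sides of the check. A one-line comment above `privKey` stating that only the last checksum character was altered would help the next reader.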