Enforce AES with PKESK v3 using x25519 (new format)

Fail on PKESK parsing as well as session key generation and encryption

src/crypto/crypto.js

@@ -67,12 +67,15 @@ export async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, dat
       return { V, C: new ECDHSymkey(C) };
     }
     case enums.publicKey.x25519: {
+      if (!util.isAES(symmetricAlgo)) {
+        // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
+        throw new Error('X25519 keys can only encrypt AES session keys');
+      }
       const { A } = publicParams;
       const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
         keyAlgo, data, A);
       const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
       return { ephemeralPublicKey, C };
-     
     }
     default:
       return [];
@@ -119,6 +122,9 @@ export async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams,
       const { A } = publicKeyParams;
       const { k } = privateKeyParams;
       const { ephemeralPublicKey, C } = sessionKeyParams;
+      if (!util.isAES(C.algorithm)) {
+        throw new Error('AES session key expected');
+      }
       return publicKey.elliptic.ecdhX.decrypt(
         algo, ephemeralPublicKey, C.wrappedKey, A, k);
     }

src/crypto/mode/cfb.js

@@ -57,7 +57,7 @@ export async function encrypt(algo, key, plaintext, iv, config) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt(algo, key, plaintext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesEncrypt(algo, key, plaintext, iv, config);
   }
 
@@ -100,7 +100,7 @@ export async function decrypt(algo, key, ciphertext, iv) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt(algo, key, ciphertext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesDecrypt(algo, key, ciphertext, iv);
   }
 

src/message.js

@@ -345,6 +345,15 @@ export class Message {
       enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config)) :
       undefined;
 
+    await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
+      .catch(() => null) // ignore key strength requirements
+      .then(maybeKey => {
+        if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
+          throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
+        }
+      })
+    ));
+
     const sessionKeyData = crypto.generateSessionKey(algo);
     return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
   }

src/util.js

@@ -25,6 +25,7 @@
 
 import * as stream from '@openpgp/web-stream-tools';
 import { getBigInteger } from './biginteger';
+import enums from './enums';
 
 const debugMode = (() => {
   try {
@@ -605,6 +606,12 @@ const util = {
    */
   selectUint8: function(cond, a, b) {
     return (a & (256 - cond)) | (b & (255 + cond));
+  },
+  /**
+   * @param {module:enums.symmetric} cipherAlgo
+   */
+  isAES: function(cipherAlgo) {
+    return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
   }
 };
 

test/general/openpgp.js

@@ -2123,6 +2123,7 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
       });
       expect(decrypted.data).to.equal('test');
     });
+  });
 
   describe('encryptSessionKey - unit tests', function() {
     it('should output message of expected format', async function() {
@@ -4081,6 +4082,45 @@ bsZgJWVlAa5eil6J9ePX2xbo1vVAkLQdzE9+1jL+l7PRIZuVBQ==
       expect(data).to.equal('test');
     });
 
+    it('should enforce using AES session keys with x25519 keys (new format)', async function () {
+      // x25519 key (v4) with cast5 as preferred cipher
+      const privateKeyCast5 = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xUkEZK8BixuMghYwdEgHl+3ASI4VZkn048KG4DVuugT1bMe4QTtFtQCoKBOG
+JxrZh8E+7I5nK7McXP2U9gyC0+RFcD46AxSmRA46zQDCiAQQGwgAPgWCZK8B
+iwQLAwcICZCaWrTxMIPhVwMVCAoEFgACAQIZAQKbAwIeARYhBDFBS8Xnfotk
+Oun5WZpatPEwg+FXAABwwuNWCdr1WahiGrLupYaOYQO4S9y+FYTxqEV/gsOP
+TKwmNIcIJPROV2LgyxvzQo79//0CocEYojEeUhGn7BH5lwvHSQRkrwGLGbVM
+1JxFUJeQ253sHMko73uPkyyb9DvaeyWHPwgF2k9GACA9caoO8GsZI7KMnVGP
+c4EpytBwVIsr4ck3QaEV/UxvDpnCdAQYGwgAKgWCZK8BiwmQmlq08TCD4VcC
+mwwWIQQxQUvF536LZDrp+VmaWrTxMIPhVwAAXycLtMyiv0lon4qU5/rKWjrq
+MIxMchUbHvktvUqomU0pDDLMPqLFtzBbtHqODPVbLTOygJRVLeHyWTOEfmOD
+kl0L
+=SYJZ
+-----END PGP PRIVATE KEY BLOCK-----` });
+
+      await expect(openpgp.generateSessionKey({
+        encryptionKeys: privateKeyCast5,
+        config: { preferredSymmetricAlgorithm: openpgp.enums.symmetric.cast5 }
+      })).to.be.rejectedWith(/Could not generate a session key compatible with the given `encryptionKeys`/);
+
+      await expect(openpgp.encrypt({
+        message: await openpgp.createMessage({ text: plaintext }),
+        encryptionKeys: privateKeyCast5,
+        sessionKey: { data: new Uint8Array(16).fill(1), algorithm: 'cast5' }
+      })).to.be.rejectedWith(/X25519 keys can only encrypt AES session keys/);
+
+      await expect(openpgp.decryptSessionKeys({
+        message: await openpgp.readMessage({ armoredMessage: `-----BEGIN PGP MESSAGE-----
+
+wUQD66NYAXF0vfYZNWpc7s9eihtgj7EhHBeLOq2Ktw79artbhN5JMs+9aCIZ
+A7sB7uYCTVCLIMfPFwVZH+c29gpCzPxSXQ==
+=Dr02
+-----END PGP MESSAGE-----` }),
+        decryptionKeys: privateKeyCast5
+      })).to.be.rejectedWith(/AES session key expected/);
+    });
+
     describe('Sign and verify with each curve', function() {
       const curves = ['secp256k1' , 'p256', 'p384', 'p521', 'curve25519', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1'];
       curves.forEach(curve => {