From fd9371a2a4bd1e4b5e54671fa92c7c826694fc36 Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Thu, 7 Nov 2019 20:58:32 +0100
Subject: [PATCH] Mask curve25519 keys during generation (before serializing them) This was broken in #922 (merged as part of #956). This would cause GPG to be unable to parse unencrypted secret keys, thinking they were encrypted. rfc4880bis-08 hints at this requirement, saying: o MPI of an integer representing the secret key, which is a scalar of the public EC point. Since scalar multiplication happens after masking the private key, this implies that we should serialize the private key after masking, as well.
---
 src/crypto/public_key/elliptic/curves.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/crypto/public_key/elliptic/curves.js b/src/crypto/public_key/elliptic/curves.js
index b241bf30..d3058f4a 100644
--- a/src/crypto/public_key/elliptic/curves.js
+++ b/src/crypto/public_key/elliptic/curves.js
@@ -191,6 +191,8 @@ Curve.prototype.genKeyPair = async function () {
 return nodeGenKeyPair(this.name);
 case 'curve25519': {
 const privateKey = await random.getRandomBytes(32);
+ privateKey[0] = (privateKey[0] & 127) | 64;
+ privateKey[31] &= 248;
 const secretKey = privateKey.slice().reverse();
 keyPair = nacl.box.keyPair.fromSecretKey(secretKey);
 const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
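Review bot: The two added masking lines in the `curve25519` case have no comment, and their constants are the X25519 clamping applied in reversed byte order: `privateKey` is big-endian here and only becomes the little-endian `secretKey` after `.slice().reverse()`, so a reader checking against RFC 7748 will expect the masks on the opposite ends. I would add `// Clamp per RFC 7748 on the big-endian form (byte 0 is most significant) so the serialized scalar equals the one used in scalar multiplication` above them. The diffstat shows only curves.js changing, so a test asserting that the private key bytes `d` of a freshly generated curve25519 key satisfy `(d[0] & 0xc0) === 0x40` and `(d[31] & 7) === 0` would keep this from regressing again. Keys generated while the bug was present presumably remain stored unmasked; whether the parsing path should normalise them is not visible in this hunk. The body of genKeyPair starts and ends outside the hunk.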