suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,317 Commits 1 Branch 0 Tags 39 MiB
75f10955e6
Commit Graph

1357 Commits

Author SHA1 Message Date
Daniel Huigens
7225251af8 Return Uint8Array(Stream) instead of object when armor = false 2021-02-09 19:25:20 +01:00
larabr
38ec5314d4 Fix ElGamal param range and PKCS1 decoding (#1169) 
* Fix ElGamal sampling range

* Stricter PKCS1 decoding
 2021-01-20 14:09:52 +01:00
Yarmo Mackenbach
a4b56c944a
WKD: Fix "TypeError: fetch is not a function" in Node.js environment (#1181) 2020-11-17 10:03:25 +01:00
larabr
08fc7b32ca
Fix and test dummy key conversion (#1172) 
Keys converted using makeDummy() were not serialised correctly as they were
treated as unencrypted keys.
 2020-11-10 17:32:44 +01:00
Chen Longhao
929b016948
Fix documentation of the HKP keyId option (#1151) 2020-09-09 12:26:03 +02:00
larabr
2eab8a1ebc
Add config option to allow insecure decryption with RSA signing keys (#1148) 2020-08-28 16:09:56 +02:00
larabr
cc1bdcbae8
Allow decryption with revoked keys (#1135) 
However, when decrypting session keys, check that the public key
algorithm matches that of the decryption key.
 2020-08-18 15:49:27 +02:00
Wiktor Kwapisiewicz
0712e8af2d
Support non-human-readable notation values (#983) 
This change adds support for binary (non-human-readable) values in
signature notations through `rawNotations` property on signature objects.
Human-readable notations will additionally appear in `notations` object
where the value of the notation will be deserialized into a string.

Additionally the check for human-readable flag was modified to check the
existence of the flag instead of comparison with the whole value.
 2020-08-18 11:07:58 +02:00
larabr
25bf080871
Add SecretKey.prototype.makeDummy (#1131) 2020-08-03 15:52:50 +02:00
Yarmo Mackenbach
de360e200c
Handle CORS errors during WKD lookup (#1125) 
Also, throw an error instead of returning null when the server returned
an error status.
 2020-07-17 14:22:54 +02:00
Yarmo Mackenbach
5801169432
Refactor WKD lookup code (#1123) 
* Replace chained then by await

* Improve fetch fallback flow
 2020-07-15 15:12:55 +02:00
Daniel Huigens
3218f7b7f8 Don't zero-copy transfer buffers from the worker by default 2020-07-14 18:15:08 +02:00
Yarmo Mackenbach
4af9b51915
Add support for advanced WKD lookup (#1115) 2020-07-13 20:08:30 +02:00
larabr
00c5f38689
Cipher-specific key validation (#1116) 
Also, check binding signatures for decryption keys.

Also, do not always fallback on Web Crypto ECC errors.
 2020-07-13 19:57:33 +02:00
cpupower
6988fdfee1
Fix stream-encrypting+signing a message using the Worker (#1112) 
- Include fromStream property when cloning a Message
- Restore fromStream property in packetlistCloneToMessage
 2020-06-25 12:53:27 +02:00
larabr
35b0012f2f
Pass around KDF params as object (#1104) 2020-06-03 14:16:54 +02:00
Matthew Shaylor
320efc2435
Fix keyId types in JSDoc comments (#1100) 2020-05-18 12:22:31 +02:00
Roman Zechmeister
1b91d428f0
Also create issuer fingerprint subpacket for v4 keys (#1097) 
Do not limit creation of signatures with issuer fingerprint subpacket to v5 keys.
 2020-05-11 21:45:04 +02:00
Daniel Huigens
5d71ae8691 Fix normalizing \n after \r\n 
Broken in c4a7455.
 2020-04-22 19:09:50 +02:00
Ilya Chesnokov
674e0217fc
Support compressed data packets with algorithm=uncompressed (#1085) 2020-04-21 16:00:38 +02:00
Daniel Huigens
c4a7455cb5 Fix memory usage when non-streaming-en/decrypting large files 
Broken in #1071.
 2020-04-20 18:05:07 +02:00
larabr
e39216424f Drop support for \r as EOL (#1073) 2020-04-20 18:05:07 +02:00
Daniel Huigens
90ff60cbb1
Fix verification of EdDSA signatures with short MPIs (#1083) 
We would fail to verify EdDSA signatures with leading zeros, when
encoded according to the spec (without leading zeros, leading to
short MPIs). OpenPGP.js itself encodes them with leading zeros.
This is accepted by many implementations, but not valid according
to the spec. We will fix that in a future version.
 2020-04-16 17:03:49 +02:00
Daniel Huigens
b69d0d0228
Support PKCS5 padding longer than 8 bytes (#1081) 
This is allowed by the spec to hide the length of the session key:

    For example, assuming that an AES algorithm is
    used for the session key, the sender MAY use 21, 13, and 5 bytes of
    padding for AES-128, AES-192, and AES-256, respectively, to provide
    the same number of octets, 40 total, as an input to the key wrapping
    method.
 2020-04-15 19:33:04 +02:00
larabr
6119dbb08e
Support verification of text signatures on non-UTF-8 messages (#1071) 2020-03-30 12:51:07 +02:00
Makoto Sakaguchi
66d83db51b
Fix "TypeError: fetch is not a function" in Node.js environment (#1052) 2020-03-03 14:50:28 +01:00
Daniel Huigens
e986c47ed5 Remove no-op revocationCertificate option from reformatKey 2020-02-27 16:04:06 +01:00
Daniel Huigens
60822d87d9 Fix generating keys with a date in the future 
This was broken in 8c3bcd1.

(Before then, the revocation certificate was already broken when
generating a key with a date in the future.)
 2020-02-27 16:04:07 +01:00
Daniel Huigens
2131fb0978 Fix error message for legacy encrypted private keys 2020-02-25 15:07:43 +01:00
Daniel Huigens
c6ed05d2c3 Optimize crc24 calculation 2020-02-25 15:06:38 +01:00
Daniel Huigens
2ff4fbb0e8 Optimize base64 encoding and decoding 2020-02-25 15:06:38 +01:00
Daniel Huigens
15202d9d40 Don't use polyfilled Set in compat build 
All methods of sets we need are available in all browsers we support.
 2020-02-25 15:06:15 +01:00
Daniel Huigens
8c3bcd1f21 Reject signatures using insecure hash algorithms 
Also, switch from returning false to throwing errors in most verify*()
functions, as well as in `await signatures[*].verified`, in order to be
able to show more informative error messages.
 2020-02-25 15:06:15 +01:00
Daniel Huigens
92eda27e61 Binary signature on text message: sign and verify text as UTF-8 2020-02-17 12:49:20 +01:00
Daniel Huigens
84a1287e50 Fix Blowfish block size 2020-02-02 16:51:56 +01:00
Daniel Huigens
801b44f2e7 Don't use Node symmetric crypto when !config.use_native 2020-02-02 16:51:56 +01:00
Daniel Huigens
fc0052e35a Implement streaming non-AES encryption and decryption 2020-02-02 16:51:56 +01:00
Daniel Huigens
2ec8831abf Use native Node crypto for non-AES encryption and decryption 2020-02-02 16:51:56 +01:00
Daniel Huigens
e8ee70b2a8 Fix UnhandledPromiseRejectionWarnings in Node.js 
These were introduced in 9bdeaa9 by `await`ing Promises later than
they're created.
 2020-01-24 18:05:50 +01:00
Daniel Huigens
9bdeaa927a Don't keep entire decrypted message in memory while streaming 
(When config.allow_unauthenticated_stream is set or the message is
AEAD-encrypted.)

The issue was that, when hashing the data for verification, we would
only start hashing at the very end (and keep the message in memory)
because nobody was "pulling" the stream containing the hash yet, so
backpressure was keeping the data from being hashed.

Note that, of the two patches in this commit, only the onePassSig.hashed
property actually mattered, for some reason. Also, the minimum
highWaterMark of 1 should have pulled the hashed stream anyway, I think.
I'm not sure why that didn't happen.
 2020-01-24 17:58:17 +01:00
Daniel Huigens
6e13604a64 Replace 'window' with 'global' 
In order to use Web Crypto in application workers, among other things.
 2020-01-24 17:58:04 +01:00
Daniel Huigens
66acd979bf Clear worker key caches in openpgp.destroyWorker() 2020-01-24 17:57:39 +01:00
Daniel Huigens
fb666f0624 Implement openpgp.getWorker().clearKeyCache() 2020-01-24 17:57:39 +01:00
Daniel Huigens
523432334f Implement Key.prototype.clearPrivateParams 2020-01-24 17:57:39 +01:00
Daniel Huigens
26d107b856 Zero out private key parameters in clearPrivateParams 2020-01-24 17:57:39 +01:00
Daniel Huigens
889e0c4930 Allow calling clearPrivateParams on decrypted keys 
Calling it on unencrypted keys was already allowed, so this safety check
didn't do much.
 2020-01-24 17:57:39 +01:00
Daniel Huigens
6ae6012786 Terminate workers in openpgp.destroyWorker() 2020-01-24 17:57:39 +01:00
Daniel Huigens
44a90d9465
Cache key objects in Workers by armor (#1030) 
This allows us to use the cached `verified` property on self-signatures,
so that we don't have to repeatedly verify them.
 2020-01-14 18:06:09 +01:00
Daniel Huigens
fd6d7b6088
Remove support for legacy encrypted private keys (#1029) 
Both those with a 2-byte hash (instead of SHA1 or an AEAD authentication
tag) and those without an S2K specifier (i.e., using MD5 for S2K) -
support for the latter was already broken.

Vulnerabilities can arise not just from generating keys like this, but
from using them as well (if an attacker can tamper with them), hence why
we're removing support.
 2020-01-07 18:17:00 +01:00
Daniel Huigens
8f355a75da
Implement key.validate() (#1028) 
This function checks whether the private and public key parameters
of the primary key match.

This check is necessary when using your own private key to encrypt
data if the private key was stored on an untrusted medium, and
trust is derived from being able to decrypt the private key.
 2020-01-07 18:16:45 +01:00
Alexandre Perrin
0a32f4d5e7 Comment typo fixes (#1022) 2019-12-27 12:47:37 +01:00
Daniel Huigens
3d75efc1dc
Only throw on authorized revocation key when verifying self-signatures (#1017) 
This also has the effect that we only throw on them when trying to use
the key, instead of when parsing it, and that we don't throw when the
authorized revocation key is specified in a separate direct-key
signature instead of a User ID self-signature (the spec only specifies
including it in a direct-key signature, so that means that we
effectively don't reject them anymore. This is because users that
wanted to use the key, could remove this separate signature, anyway.)
 2019-12-20 17:21:35 +01:00
Tom J
e1b9156e72 Explicitly include 'uncompressed' in preferred compression algos (#1020) 2019-12-20 17:20:18 +01:00
Daniel Huigens
5a24bc7698 Fix verifying RSA signatures with leading zero in Web Crypto 2019-11-29 11:39:38 +01:00
Daniel Huigens
ad0fdcc4da Fix openpgp.config.use_native = false for RSA sign/verify 2019-11-29 11:39:38 +01:00
Ilya Chesnokov
45c2e67624 Use native Node crypto for RSA encryption (#1006) 2019-11-26 16:06:49 +01:00
Ilya Chesnokov
6e7f399eb3 Use Web Crypto & Node crypto for RSA signing and verifying (#999) 
Also, when generating RSA keys in JS, generate them with p < q, as per
the spec.

Also, when generating RSA keys using Web Crypto or Node crypto, swap the
generated p and q around, so that will satisfy p < q in most browsers
(but not old Microsoft Edge, 50% of the time) and so that we can use the
generated u coefficient (p^-1 mod q in OpenPGP, q^-1 mod p in RFC3447).

Then, when signing and verifying, swap p and q again, so that the key
hopefully satisfies Safari's requirement that p > q, and so that we can
keep using u again.
 2019-11-18 14:59:01 +01:00
Daniel Huigens
e20d727d76 Always encrypt keys using AES 
Even if they were previously encrypted using another algorithm.
 2019-11-18 14:13:48 +01:00
Daniel Huigens
5bf0f96163 Fix encrypting keys using non-AES algorithms 2019-11-18 14:13:48 +01:00
Daniel Huigens
b0914663dd Iterated S2K: always hash the full salt+password at least once 
As per the spec:

   The one exception is that if the octet count is less than
   the size of the salt plus passphrase, the full salt plus passphrase
   will be hashed even though that is greater than the octet count.
 2019-11-08 20:15:31 +01:00
Daniel Huigens
6ddfca5f14 Refactor S2K function 2019-11-08 19:45:57 +01:00
Daniel Huigens
cd2bfca519 Optimize iterated S2K 2019-11-08 19:12:58 +01:00
Daniel Huigens
a6d7c466e2 Use serialized EdDSA public key when signing instead of deriving it 2019-11-08 17:10:47 +01:00
Daniel Huigens
fd9371a2a4 Mask curve25519 keys during generation (before serializing them) 
This was broken in #922 (merged as part of #956).

This would cause GPG to be unable to parse unencrypted secret keys,
thinking they were encrypted.

rfc4880bis-08 hints at this requirement, saying:

o  MPI of an integer representing the secret key, which is a scalar
   of the public EC point.

Since scalar multiplication happens after masking the private key,
this implies that we should serialize the private key after masking,
as well.
 2019-11-07 21:34:07 +01:00
Daniel Huigens
563b397391 Don't mask curve25519 private key twice 
Also, fix handling of private keys with leading zeros for certain
curves.
 2019-10-25 17:32:43 +02:00
Daniel Huigens
a06bf91f35 Fix queued bytes calculation for AEAD concurrency 2019-10-25 16:14:59 +02:00
Ilya Chesnokov
08b7725b8c Create lightweight build that can lazily load indutny/elliptic if needed (#956) 
This PR adds four config options to configure whether and how to load
indutny/elliptic: use_indutny_elliptic, external_indutny_elliptic,
indutny_elliptic_path and indutny_elliptic_fetch_options.

Also:

- Use tweetnacl.js instead of indutny/elliptic for curve25519 key generation

- Don't initialize indutny's curve25519, improving performance when using that curve

- Verify NIST signatures using Web Crypto instead of indutny/elliptic when not streaming

- Move KeyPair.sign/verify to ecdsa.js

- Move KeyPair.derive to ecdh.js

- Move keyFromPrivate and keyFromPublic to a new indutnyKey.js file
 2019-10-25 16:07:57 +02:00
Ilya Chesnokov
528fbfb017 Switch back to using upstream email-address library (#998) 2019-10-25 13:25:03 +02:00
descampsk
810b8daab2 Fix crypto.random.getRandomBytes when loading openpgp.js inside a worker (#997) 2019-10-25 13:20:54 +02:00
Ilya Chesnokov
114184c6f2 Split up key.js (#972) 2019-10-15 18:42:14 +02:00
Daniel Huigens
3ee77f9e50 AEAD: Fix high water mark calculation based on chunk size 
Use current packet's chunk size instead of default chunk size.
 2019-10-15 18:24:14 +02:00
Daniel Huigens
192893ecf0 Fix util.Uint8Array_to_b64 to not return lone \r characters 2019-10-15 14:24:58 +02:00
Daniel Huigens
9f8a139624 Fix openpgp.revokeKey().publicKey when using the Worker 2019-10-15 14:15:41 +02:00
Ilya Chesnokov
1e37b27673 Use rsaBits=2048 in addSubkey tests when using Web Crypto (#971) 
Fix tests failing in old browsers due to too low rsaBits.

Also, always throw in addSubkey when rsaBits is too low.
 2019-09-24 13:53:12 +02:00
Daniel Huigens
fbbeaa3cd9
Rename numBits and bits to rsaBits (#970) 
Keep supporting the old names as well though in `openpgp.generateKey`
and `getAlgorithmInfo`, but not in `openpgp.key.generate` (as it is
recommended that developers use `openpgp.generateKey` instead, and
it now throws when using `numBits` instead of `rsaBits`, so there's
no risk of silent key security downgrade).

The old names are now deprecated, and might be removed in v5.
 2019-09-18 13:40:44 +02:00
Ilya Chesnokov
7f40ab0940 Implement Key.prototype.addSubkey (#963) 2019-09-16 15:53:19 +02:00
Daniel Huigens
91aa8b0d4c Only store newly created signatures as valid in the non-streaming case 
When streaming, we're not actually sure yet that signing won't fail.
 2019-09-12 14:03:29 +02:00
Daniel Huigens
aa8d37a82c
Fix verifying one-pass signatures in the compat build (#968) 
This was broken in 735d6d0.

See babel/babel#10431.
 2019-09-12 00:42:35 +02:00
Daniel Huigens
18474bdfb6 Fix decrypting newly generated key object when using the Worker 2019-09-11 18:11:16 +02:00
Daniel Huigens
a731a607ce Fix writing newly generated embedded primary key binding signatures 2019-09-11 18:11:15 +02:00
Ilya Chesnokov
5d9629d6a3 Style fixes; add spaces around all infix operators, remove new Buffer (#954) 
* Add "space-infix-ops": "error" rule

* Remove deprecated Buffer constructor

* Resolve new-cap eslint rule

* @twiss: Clarify code that selects curve and algorithm
 2019-08-30 12:27:30 +02:00
Daniel Huigens
a7cc71e35e
Throw when trying to encrypt a key that's already encrypted (#950) 2019-08-19 13:27:52 +02:00
Tom J
d27060e508 Use native Node crypto for RSA key generation (#947) 2019-08-16 13:11:04 +02:00
Daniel Huigens
a184ef6ec4 Remove support for the previous draft00 AEAD 2019-08-12 17:46:37 +02:00
Daniel Huigens
80c535eeb7 Separate config option to use V5 keys from AEAD config option 2019-08-12 17:46:37 +02:00
Daniel Huigens
9bb1710a9f Remove unused writeOldHeader function 2019-08-12 17:46:37 +02:00
Daniel Huigens
8312399f9d Update V5 key hashing for signatures to rfc4880bis-07 2019-08-12 17:46:37 +02:00
Daniel Huigens
c8729a0295 Fix serializing GNU stripped-keys 2019-08-12 17:46:37 +02:00
Daniel Huigens
735d6d088f Implement V5 signatures 2019-08-12 17:46:37 +02:00
Daniel Huigens
f629ddcb31 Fix reading and writing unencrypted V5 secret key packets 2019-08-12 17:46:37 +02:00
Ilya Chesnokov
a0e9c608ba DSA: Fix intermittent generation of invalid signatures (#938) 2019-08-07 17:42:55 +02:00
Tom J
3be779e0a1 Fix comment describing RSA coefficient u (#937) 2019-08-07 17:39:57 +02:00
Daniel Huigens
562783df01 Fix armor checksum mismatch error message with allow_unauthenticated_stream 2019-07-19 19:06:19 +02:00
Daniel Huigens
2a5ab75fca Decrypt message with multiple keys in parallel 
Don't keep the entire message in memory.

This also fixes an unhandled promise rejection when the input
stream contains an error (e.g. an armor checksum mismatch).
 2019-07-19 19:05:26 +02:00
Daniel Huigens
237db2c7f3 Fix armor checksum errors being ignored when not streaming 2019-07-19 19:05:26 +02:00
Ilya Chesnokov
29d67415e2 Accept @ in User ID names (#930) 2019-07-18 15:45:54 +02:00
Ilya Chesnokov
70cf2d60ff Implement ECDH using Node crypto (#921) 2019-07-09 20:45:28 +02:00
Ilya Chesnokov
6d626ea70c Style fixes and new style rules for eslint (#919) 2019-06-28 15:33:18 +02:00
chesnokovilya
1bd5689d75 Implement ECDH using Web Crypto for supported (NIST) curves (#914) 2019-06-27 19:21:32 +02:00
Sam
c7fb8d8fe7 Node detection: base on process instead of window (#911) 2019-06-21 15:43:56 +02:00
Daniel Huigens
5a17648922 Fix error message when reformatting a GNU stripped-key with a passphrase 2019-06-06 16:08:22 +02:00
Daniel Huigens
43441bfe0d openpgp.reformatKey: Fix key preferences for signing subkeys 2019-05-23 17:37:20 +02:00
Wiktor Kwapisiewicz
82799390de
Fix signatures with critical notations 
Previously the signature parsing function ignored critical bit on
notations.

This change checks for notations that are marked "critical" but are not
on the known notations list (controlled by config array
`openpgp.config.known_notations`) and triggers parse error if such
a notation have been encountered.

See: #897.
 2019-05-16 09:57:58 +02:00
Wiktor Kwapisiewicz
16b12d7f55
Expose all signature notations 
Previous implementation used an object to hold notations so if multiple
notations had the same key name only the last one was visible.

After this change notations are exposed as an array of key-value pairs
that can be converted to a map through `new Map(notations)`.

See #897.
 2019-05-09 12:12:22 +02:00
Daniel Huigens
ee01883a52
Merge pull request #894 from twiss/dont-throw-verification-errors-workers 
Fix one-pass signature verification when using a Worker
 2019-05-05 00:01:14 +02:00
Daniel Huigens
df8364930b Fix one-pass signature verification when using a Worker 2019-05-03 18:40:31 +02:00
Daniel Huigens
1090464a70 Throw more informative error when trying to use a key with missing params 
E.g. when trying to sign with a GPG stripped key without a valid signing
subkey.
 2019-05-03 14:29:43 +02:00
Daniel Huigens
bc756d0ed4 Make key.isDecrypted() and key.encrypt() consistent for gnu-dummy keys 2019-05-03 12:39:28 +02:00
Daniel Huigens
10e10effb6 Support GNU export-secret-subkeys extension 2019-05-03 12:39:28 +02:00
Daniel Huigens
34e6eacb2f Don't attempt to use workers if they fail to load 2019-05-02 12:08:08 +02:00
Daniel Huigens
ffa8344809 Only include tweetnacl functions we need 2019-05-02 12:08:08 +02:00
Daniel Huigens
e637e75891 Clean up ECDH API 2019-05-02 12:08:08 +02:00
Daniel Huigens
ca0322bbea Use tweetnacl's X25519 implementation 2019-05-02 12:08:08 +02:00
Daniel Huigens
be1b4df140 Use tweetnacl's Ed25519 implementation 2019-05-02 12:08:08 +02:00
Si Feng
d2c38693f5 Put comment before email when generating UIDs (#892) 2019-05-01 13:12:52 +02:00
Daniel Huigens
d5e87dc6f4
Move non-external dependencies to devDependencies (#888) 
They are not needed to use the dist file.
 2019-04-29 13:45:58 +02:00
Daniel Huigens
7fb2901ede
Fix detached signing of messages created from streams (#887) 2019-04-29 13:45:09 +02:00
Thomas Oberndörfer
038d8466fe Add date parameter to user.verifyAllCertifications and user.verify methods (#871) 
Also, in user.verifyCertificate, fix certificate.isExpired check for keys with future creation date.
 2019-03-08 17:33:36 +01:00
Daniel Huigens
a9599fea42
Work around go crypto bug in ECDH messages (#869) 2019-03-04 13:53:19 +01:00
Thomas Oberndörfer
b1be7d1202 Fix merging multiple subkey binding signatures (#868) 2019-02-28 10:34:46 -08:00
Daniel Huigens
76ce33d96b Use ES6 build of web-streams-polyfill in non-compat builds 2019-02-25 20:56:33 +01:00
Daniel Huigens
a291a803fb Fix reading indeterminate-length packets in IE11 
Broken in 5dcaf85.
 2019-02-25 04:41:58 +01:00
Daniel Huigens
cd6eadd6e0 Fix reading empty partial body part (again) 
Broken in 5dcaf85.
 2019-02-25 04:34:28 +01:00
Daniel Huigens
5dcaf85f5a Optimize reading large messages with lots of tiny partial body parts (#864) 
* Fix pako decompression

* Optimize base64-decoding

* Don't stream-parse packets when not stream-reading data
 2019-02-21 08:33:55 -08:00
Daniel Huigens
54fc1dde3d Throw error before decrypting in non-MDC packets 2019-02-12 11:49:38 +01:00
Daniel Huigens
40360b4955 Fix streaming/signed encryption with config.integrity_protect=false 2019-02-12 11:49:38 +01:00
rash0
3edc6e7501 ++ Add another Domain for HKP server (#855) 
* ++ Add another Domain for HKP server

the pgp.mit.edu domain is most of the time down and responds with time out...so i discovered this ubuntu domain for the same database...but its much faster and never falls....i think too much traffic over the bit one :(

* Update hkp.js

* Change HKP server url

* Defined the default HKP server

* Update README.md

Co-Authored-By: rash0 <40761345+rash0@users.noreply.github.com>

* ++ Add revocation certificate test

didn't know if i should use the revocation certificate in the test/key.js file or generate a new one...so i generated a test one and used it...
 2019-02-11 11:33:24 +01:00
Daniel Huigens
1dd168e7a2 Fix ECDH message encryption for some session keys 2019-02-05 13:46:59 +01:00
Daniel Huigens
d91b064e14 Optimize util.removeTrailingSpaces (#848) 
Backtracking regexes have pathological worst-case performance when
a long line contains a large amount of whitespace not followed by
a newline, since the regex engine will attempt to match the regex
at each whitespace character, read ahead to the non-whitespace non-
newline, declare no match, and try again at the next whitespace.

E.g. try running

    util.removeTrailingSpaces(new Array(1e6).join(' ') + 'a').length

which would hang V8.
 2019-01-27 00:22:47 +00:00
Sanjana Rajan
b0ac142f2e
Merge pull request #847 from twiss/dont-throw-verification-errors 
Don't throw on signature verification errors in openpgp.decrypt/verify
 2019-01-27 00:18:41 +00:00
Daniel Huigens
9e4cc1acfe Don't throw on signature verification errors in openpgp.decrypt/verify 2019-01-26 11:41:44 +01:00
wussler
6b19af0a63
new BN, fix doc 2019-01-22 16:50:06 +01:00
wussler
2975e49dd0
genPublicEphemeralKey to return Uint8Array 2019-01-22 16:24:55 +01:00
wussler
6d9160dd87
Fix mistake in documentation 2019-01-22 16:22:05 +01:00
Aron Wussler
1face482ba Naming 2019-01-21 15:35:45 +01:00
Aron Wussler
4c809a4846 Fix to returns 2019-01-21 14:57:02 +01:00
Daniel Huigens
31f72fb64d
Update src/crypto/public_key/elliptic/ecdh.js 
Co-Authored-By: wussler <aron@wussler.it>
 2019-01-18 16:40:31 +01:00
Daniel Huigens
680aa03bcd
Update src/crypto/public_key/elliptic/ecdh.js 
Co-Authored-By: wussler <aron@wussler.it>
 2019-01-18 16:40:22 +01:00
Daniel Huigens
f77ebc7605
Update src/crypto/public_key/elliptic/ecdh.js 
Co-Authored-By: wussler <aron@wussler.it>
 2019-01-18 16:40:13 +01:00
Aron Wussler
06952b4e30 Make ephemeral secret available from ECDH module 2019-01-18 16:06:57 +01:00
Daniel Huigens
77055f6dfe Don't zero-copy transfer buffers in Safari 11.1 and Chrome < 56 
See https://bugs.webkit.org/show_bug.cgi?id=184254
and https://bugs.chromium.org/p/chromium/issues/detail?id=334408.
 2019-01-15 20:16:59 +01:00
Daniel Huigens
fe69cb882d Zero-copy transfer buffers when passing streams to workers 2019-01-09 15:18:59 +01:00
Daniel Huigens
625c6ea4b3 Zero-copy transfer buffers from the worker to the main thread 2019-01-09 15:18:56 +01:00
Daniel Huigens
c73b4536be Fix error handling in worker delegation 2019-01-09 15:06:15 +01:00
Sanjana Rajan
ffeb43ef04
Merge pull request #831 from twiss/web-crypto-cfb 
Web Crypto CFB encryption, revision 2
 2019-01-03 06:56:40 -08:00
Sanjana Rajan
37bc379663
Merge pull request #828 from tomholub/patch-1 
Fix various JSDoc typos etc
 2019-01-03 06:55:42 -08:00
Sanjana Rajan
9b599c86b2
Merge pull request #827 from estelendur/double_is_readonly 
Double is readonly
 2019-01-02 15:15:22 -08:00
Daniel Huigens
31931c9b0d Simplify MDC verification 2019-01-02 15:13:00 +01:00
Daniel Huigens
3f1734ae7a Move CFB optimizations into cfb.js 
So that uses of CFB other than sym_encrypted_integrity_protected.js
can benefit from them.

Also, implement CFB resync mode in terms of normal CFB rather than
separately (and duplicated).
 2019-01-02 15:12:53 +01:00
Daniel Huigens
a891e0b4ea Web Crypto CFB encryption 2019-01-02 15:12:48 +01:00
Daniel Huigens
5c5da1d86f Fix passing streams to workers in Safari 9 
Safari 9 does not expose the MessagePort object in workers
(but does expose it on window, and also exposes MessageChannel
in workers).
 2019-01-02 14:07:36 +01:00
Tom J
cf6278ddc9
Promisify hash.digest return value in jsdoc 2018-12-30 16:52:57 +00:00
Tom J
1054ed46d8
Fix util.js jsdoc Uint8Array typos 2018-12-29 11:44:26 +00:00
Esty Thomas
08fdb351d1
Renames var to prevent "double is read-only" error 
Under some build systems, the function `double` produces an error:
```SyntaxError: "double" is read-only"```
The error goes away if the variable named `double` inside the function
named `double` is renamed. This commit renames it to `double_var` for
simplicity's sake.
 2018-12-27 12:27:42 -05:00
Sanjana Rajan
836ad2805a
Revert "Web Crypto CFB encryption" 2018-12-23 18:42:24 +01:00
Sanjana Rajan
6c02b25aa5
Merge pull request #820 from twiss/web-crypto-cfb 
Web Crypto CFB encryption
 2018-12-23 17:55:25 +01:00
Sanjana Rajan
529973f2a2
Merge branch 'master' into fix/non-primary-non-revoked-sub-user 2018-12-23 17:52:01 +01:00
Sanjana Rajan
1bee091f2a
Merge pull request #815 from twiss/userIds 
Make fromUserIds/toUserIds params plural, and accept arrays of User IDs
 2018-12-23 17:50:46 +01:00
Daniel Huigens
113c4a5f1e Add CAST5 to always-allowed algorithms 
Golang's OpenPGP implementation uses CAST5 as its fallback.
(The spec mandates TripleDES as fallback.)

Fixes #819.
 2018-12-22 00:00:47 -05:00
Daniel Huigens
95cc9cecf0 Disable Web Workers on browsers without MessageChannel support 
For compatibility with old Firefox / Pale Moon 27
 2018-12-21 23:09:41 -05:00
Daniel Huigens
2c5cb6ad9f Fix armor parsing in edge case where reader.readToEnd() returns new Uint8Array([]) 2018-12-21 17:00:45 -05:00
Daniel Huigens
cfe7ff9bb8 Simplify MDC verification 2018-12-21 13:04:23 -05:00
Daniel Huigens
9691dc9c99 Fix getExpirationTime with capabilities and an expired signing subkey 
When the latest subkey with the requested capabilities is expired,
and the primary key has the requested capabilities, return the
primary key expiry instead.

Also, change isExpired/isDataExpired to still return false at the
date returned by getExpirationTime, so that the latter returns the
last date that the key can still be used.
 2018-12-21 12:49:22 -05:00
Daniel Huigens
668264aa9a Move CFB optimizations into cfb.js 
So that uses of CFB other than sym_encrypted_integrity_protected.js
can benefit from them.

Also, implement CFB resync mode in terms of normal CFB rather than
separately (and duplicated).
 2018-12-20 17:50:01 -05:00
Daniel Huigens
3c10c582e2 Web Crypto CFB encryption 2018-12-20 12:27:23 -05:00
Daniel Huigens
804e91140a Add config values to preferred algorithms 2018-12-17 12:52:30 -05:00
Daniel Huigens
926047f0b3 Default to RFC4880bis-mandated symmetric algos 2018-12-17 12:27:09 -05:00
Daniel Huigens
06608318d4 Fix CMAC of the empty string 
This is currently never called, as EAX always adds a prefix to
the CMAC'ed message.
 2018-12-17 12:27:08 -05:00
Daniel Huigens
9b83f6fcb2 Return generic error on PKESK checksum mismatch when decrypting 2018-12-17 12:27:07 -05:00
Daniel Huigens
e727097bb0 Always look at the same literal data packet in getText() and verify() 2018-12-17 12:27:05 -05:00
Daniel Huigens
8720adcf65 Check signature public key algorithm against issuer key algorithm 2018-12-17 12:27:04 -05:00
Daniel Huigens
3b9676f2e9 Reject messages encrypted with a symmetric algo not in preferred algos 2018-12-17 12:27:03 -05:00
Daniel Huigens
19be0831b9 Add userIds parameter to signPrimaryUser and verifyPrimaryUser 2018-12-14 17:49:09 +01:00
Daniel Huigens
cb3f644708 Validate ECC public keys 2018-12-14 17:21:12 +01:00
Daniel Huigens
d74a2af4d3 Return primary key expiry based on userId param in getExpirationTime 2018-12-14 16:54:55 +01:00
Daniel Huigens
65772d86b3 Make fromUserIds/toUserIds params plural, and accept arrays of User IDs 
Each User ID object is used for the key object at the corresponding index
in the privateKeys/publicKeys arrays.
 2018-12-14 16:54:44 +01:00
Daniel Huigens
d4d94c6fb7 Remove non-AES CFB quick check 2018-12-11 14:05:26 +01:00
Kay Lukas
2dbb8582d7 Add testcases 2018-12-10 20:21:55 +01:00
Kay Lukas
3c0b22268d Prefer a non-revoked primary user 2018-12-10 17:50:21 +01:00
Daniel Huigens
c7339f6f78 Check whether signing key was non-expired at signature creation time 2018-12-10 16:34:44 +01:00
Daniel Huigens
787965981a Check whether message signatures are expired when verifying them 2018-12-10 15:20:24 +01:00
Daniel Huigens
92230d2055 Consider non-expired signatures from expired keys to still be valid 2018-12-10 15:20:11 +01:00
Daniel Huigens
ff86b00315 Fix undefined behavior when reading 3des algo 2018-12-10 14:21:52 +01:00
Kay Lukas
a49529d243 Handle end of stream in compression correctly 2018-12-07 11:47:52 +01:00
Thomas Oberndörfer
a7bae10fe8 Revise check on key revocation sub packet: throwing the exception should only be done on single keys and not discard the whole armored block with possibly multiple keys. Evaluate only self-signatures. 2018-11-30 11:45:31 +01:00
Kay Lukas
c952e833d3 Support 3des as a session key algorithm 2018-11-06 17:38:17 +01:00
Daniel Huigens
997f3e8e38 Compute signed data based on expected signature type 2018-11-05 17:13:40 +01:00
Daniel Huigens
1071cb9bca Fix cloning embedded signatures 2018-11-05 16:32:30 +01:00
Sanjana Rajan
67de70fa01
Merge pull request #798 from twiss/seek-bzip 
Remove bzip2 compression
 2018-11-05 12:58:50 +01:00
Daniel Huigens
08f48bfc2c Switch to seek-bzip 2018-11-05 12:49:53 +01:00
Daniel Huigens
9a7fe9cd45 Bump S2K iteration count parameter 2018-11-05 11:47:46 +01:00
Daniel Huigens
d314a20e0f Don't return keys with an authorized revocation key 2018-11-05 11:47:45 +01:00
Daniel Huigens
8fa3aadea2 Add and require primary key binding signatures on signing keys 
Also, fix keyFlags of signing subkeys.

Also, store Issuer Key ID and Embedded Signature in unhashed rather
than hashed subpackets.
 2018-11-05 11:47:45 +01:00
Daniel Huigens
8c97112449 Throw on critical unknown signature subpackets 2018-11-05 11:47:44 +01:00
Daniel Huigens
47138eed61 Don't trust unhashed signature subpackets 
Also, export packet.Signature.prototype.read_sub_packets.
 2018-11-05 11:47:43 +01:00
Daniel Huigens
327d3e5392 Only accept binary or text signatures when verifying messages 2018-11-05 11:47:39 +01:00
Sanjana Rajan
17f639bc8d
Merge pull request #795 from twiss/web-crypto-hashing 
Web Crypto hashing
 2018-11-05 11:38:41 +01:00
Daniel Huigens
2245df6023 Don't return streams in openpgp.revokeKey() 2018-11-05 11:15:39 +01:00
Daniel Huigens
4faa84daa0 Inline iterated S2K loop 2018-11-01 15:40:04 +01:00
Daniel Huigens
a250ee9f91 Clean up checksum calculation 2018-11-01 14:47:22 +01:00
Daniel Huigens
e8a2c45390 Only use Web Crypto for hashing beyond a treshold number of bytes 
Sending data to the Web Crypto API involves some latency.
 2018-11-01 14:47:22 +01:00
Daniel Huigens
7253df1632 Don't hash when comparing key fingerprints 2018-11-01 14:47:21 +01:00
Daniel Huigens
abce79b509 Use Web Crypto for hashing 2018-11-01 14:11:22 +01:00
Sanjana Rajan
3c45b6f18a
Merge pull request #793 from twiss/signature-errors 
Check that one-pass signatures match their corresponding signature
 2018-11-01 12:13:02 +01:00
Daniel Huigens
11fd2313a7 Fix unhandled promise rejection when decrypting non-MDC message 2018-11-01 11:46:43 +01:00
Daniel Huigens
13c29b1fc9 Fix decryption with multiple passwords 2018-11-01 11:46:27 +01:00
Daniel Huigens
d442b6bad7 Throw when signature packet does not correspond to one pass signature packet 2018-10-29 11:47:39 +01:00
Daniel Huigens
9c82bf491e Reject signatures[*].verified and signatures[*].signature on read errors 
However, don't throw "unhandled promise rejection" when not using these
properties at all, or when they reject before the user has a chance to
handle them.
 2018-10-29 11:47:36 +01:00
Daniel Huigens
c3419e5cd0 Don't return streams in openpgp.reformatKey() 2018-10-25 19:41:59 +02:00
Daniel Huigens
baaa0716b4 Fix performance issue with handling large messages 2018-10-19 15:09:33 +02:00
Daniel Huigens
6f9670cc65 Clarify comment explaining packetlist's usage of supportsStreaming 2018-10-10 18:21:02 +02:00
Daniel Huigens
bc6118980f Throw on parse errors in integrity protected encrypted packets 2018-10-05 12:40:05 +02:00
Daniel Huigens
3751731330 Don't hang when signature packet corresponding to one-pass sig is missing 2018-10-04 22:13:10 +02:00
Daniel Huigens
ac6b57781b Make isValid*KeyPacket inner functions 2018-09-22 23:03:10 +02:00
Daniel Huigens
bbcdacef8d Small documentation fixes 2018-09-22 23:03:10 +02:00
Daniel Huigens
b3af56b8a3 Ignore third-party revocation signatures 
This check was removed in ec22dab.
 2018-09-22 23:03:10 +02:00
Daniel Huigens
a1c47ecdea Indicate an error when parsing a key with an authorized revocation key 
Since we will ignore revocation signatures from authorized revocation keys,
it is dangerous to use these keys.
 2018-09-22 23:03:10 +02:00
Daniel Huigens
5cf61daa19 Check validity of signatures before using them 2018-09-22 23:03:10 +02:00
Daniel Huigens
d8840294cf Make newlines in armored objects consistent 
- Don't add an extraneous newline at the end of base64-encoded data
  if it is a multiple of 60 characters long.
- Generate \r\n instead of \n in base64-encoded data.
- Generate one newline instead of two after END PGP PUBLIC KEY BLOCK
  for consistency with the other footers.
 2018-09-13 14:32:35 +02:00
Sanjana Rajan
d43437473f bugfix - when a requested key capability is not present, return null expiration 2018-09-03 21:59:58 -07:00
Daniel Huigens
ca2f6d03b6 Slightly optimize base64 decoding 2018-09-03 18:23:38 +02:00
Daniel Huigens
dc722770d0 Don't process armored message data line per line 
This cuts down on the overhead of streaming by reducing the amount
of calls to reader.read() and writer.write().
 2018-09-03 18:23:38 +02:00
Daniel Huigens
e055d86062 Update documentation 2018-08-14 17:50:26 +02:00
Daniel Huigens
e5a3095894 Fix GCM and EAX in Edge 
Web Crypto AES-GCM in Edge seems to require non-empty ADATA and an
explicit tagLength.

AES-CTR doesn't seem to be supported at all, so this disables Web Crypto
for EAX in Edge.
 2018-08-14 17:24:41 +02:00
Daniel Huigens
4bdc5e92ab Add --compat option 
Without it, the generated build is for recent versions of
Chrome, Firefox, Safari and Edge.

With it, the generated build is for IE11+.
 2018-08-14 17:24:41 +02:00
Daniel Huigens
c705f475b7 Switch back to hash.js SHA512 
asmcrypto.js SHA512 is huge (75kB, 7kB gzipped).

This partially reverts fadcc4b5.
 2018-08-14 17:24:40 +02:00
Daniel Huigens
00a2c0c0c2 Support unicode surrogate code points 2018-08-14 17:24:40 +02:00
Daniel Huigens
a2f53b2ce2 Speed up initial builds 2018-08-14 17:24:40 +02:00
Daniel Huigens
8c7e4386af Fix stream-reading zero-length (partial) packets 2018-08-14 17:19:54 +02:00
Daniel Huigens
052fa444be Support Node streams 2018-08-14 17:19:54 +02:00
Daniel Huigens
0ddff3ae7d Rename asStream to streaming 
Also, break up `postProcess`.
 2018-08-14 17:19:51 +02:00
Daniel Huigens
b35b167e63 Add openpgp.cleartext.fromText 
For symmetry with message.fromText
 2018-08-14 16:35:41 +02:00
Daniel Huigens
52c4fa9639 Move streams library to a separate package 2018-08-14 16:35:40 +02:00
Daniel Huigens
252da44419 Don't depend on util in stream.js 2018-08-14 16:35:40 +02:00
Daniel Huigens
bb15ffc2a0 Fix streaming verify when using Worker and streams polyfill 2018-08-14 16:35:40 +02:00
Daniel Huigens
29271accef Enable Transferables in IE11 
Reverts 11ff845c.
 2018-08-14 16:35:40 +02:00
Daniel Huigens
c75e2323c0 Support IE11 for streaming 2018-08-14 16:35:39 +02:00
Daniel Huigens
721e522b17 Don't increase buffering in transformWithCancel 
Keep backpressure the same as in default TransformStream().
 2018-08-14 16:35:39 +02:00
Daniel Huigens
0b0112d1e6 En/decrypt all AEAD chunks in parallel when not returning a stream 2018-08-14 16:35:39 +02:00
Daniel Huigens
d844b8b06c Add minimum AEAD buffer size 
This enables parallelism for streaming AEAD chunked encryption.

The reason we can't do so at the very end of the pipe chain
(e.g., in `readToEnd`) is because requests for increased
buffering (i.e. `desiredSize > 1`) do not propagate backwards,
only requests for backpressure (i.e. `desiredSize <= 0`) do.
 2018-08-14 16:35:39 +02:00
Daniel Huigens
ca537e439d Comments & code style 2018-08-14 16:35:38 +02:00
Daniel Huigens
1101a05b10 Don't return streams inside unarmored generated keys and signatures 
When not requested, we convert the streams to Uint8Arrays.

This makes the generated key safe to pass to a Worker more than once.

Partially reverts 735aa1da.
 2018-08-14 16:35:36 +02:00
Daniel Huigens
d489f3369f Update to asmcrypto.js 2 2018-08-10 14:46:30 +02:00
Daniel Huigens
e66d44e42d Rename config.unsafe_stream to allow_unauthenticated_stream 2018-08-10 14:46:29 +02:00
Daniel Huigens
2b30ab9c8f Replace data with message parameter in encrypt() and sign() 
When encrypting/signing a stream, this allows you to indicate whether it's a
stream of Strings or Uint8Arrays (using message.fromText or message.fromBinary,
respectively.)

When signing text, this allows you to control whether to create a cleartext
message or a regular armored text message.

When creating a detached signature, it allows you to control whether it's "meant
for" (verifying against) a cleartext message. A cleartext message has trailing
whitespace trimmed before signing. This fixes the case of passing a detached
signature from sign() to encrypt(). Since encrypt() doesn't create a cleartext
message, the signature would be invalid if the text contained lines with
trailing whitespace.
 2018-08-10 14:46:29 +02:00
Daniel Huigens
95413cc6ed Fix signatures of messages with leading/trailing whitespace 2018-08-10 14:46:29 +02:00
Daniel Huigens
160b03451f Fix key generation in Firefox 
Previously broken by daa0188e.
 2018-08-10 14:46:29 +02:00
Daniel Huigens
9f0f00e087 Make signature.verified a Promise instead of result.signatures 
Also, fix verifying detached signatures
 2018-08-10 14:46:28 +02:00
Daniel Huigens
0db32bea39 Backpressure and cancellation in sign/verify 2018-08-10 14:46:28 +02:00
Daniel Huigens
d2ba6b3c6c Wait for data to be read before resolving signatures 2018-08-10 14:46:28 +02:00