We would fail to verify EdDSA signatures with leading zeros, when
encoded according to the spec (without leading zeros, leading to
short MPIs). OpenPGP.js itself encodes them with leading zeros.
This is accepted by many implementations, but not valid according
to the spec. We will fix that in a future version.
This is allowed by the spec to hide the length of the session key:
For example, assuming that an AES algorithm is
used for the session key, the sender MAY use 21, 13, and 5 bytes of
padding for AES-128, AES-192, and AES-256, respectively, to provide
the same number of octets, 40 total, as an input to the key wrapping
method.
Also, switch from returning false to throwing errors in most verify*()
functions, as well as in `await signatures[*].verified`, in order to be
able to show more informative error messages.
(When config.allow_unauthenticated_stream is set or the message is
AEAD-encrypted.)
The issue was that, when hashing the data for verification, we would
only start hashing at the very end (and keep the message in memory)
because nobody was "pulling" the stream containing the hash yet, so
backpressure was keeping the data from being hashed.
Note that, of the two patches in this commit, only the onePassSig.hashed
property actually mattered, for some reason. Also, the minimum
highWaterMark of 1 should have pulled the hashed stream anyway, I think.
I'm not sure why that didn't happen.
Both those with a 2-byte hash (instead of SHA1 or an AEAD authentication
tag) and those without an S2K specifier (i.e., using MD5 for S2K) -
support for the latter was already broken.
Vulnerabilities can arise not just from generating keys like this, but
from using them as well (if an attacker can tamper with them), hence why
we're removing support.
This function checks whether the private and public key parameters
of the primary key match.
This check is necessary when using your own private key to encrypt
data if the private key was stored on an untrusted medium, and
trust is derived from being able to decrypt the private key.
