Reject insecure (RSA1024) primary key when verifying subkeys

[rrrooommmaaa]

• OpenPGP.js version: 5.6.0
• Both Browser or Node.js

In this setup PK RSA1024 [certifyKeys, signData], SK RSA4096 [encryptCommunication], we would expect the key to be unusable for both signing and encryption because the encryption subkey can't be securely verified with the weak primary key.
However, the library allows to encrypt with this key regardless of minRSABits setting value.
FlowCrypt/flowcrypt-browser#4905 (comment)

[larabr]

Thanks for reporting, this needs fixing indeed 👍

[twiss]

Hello 👋 To add some background, the reason it works this way is because we still wanted to allow decryption using 1024-bit keys by default (but not encryption), so we allow verifying the binding signatures - but probably we should reject them when using the key for encryption (or signing/verifying), indeed. Long-term, perhaps we could let minRSABits apply to all operations (including decryption), and just let applications pass a lower value for decryption if needed - but the risk is that some users of OpenPGP.js will just set a lower minRSABits globally.

[tomholub]

we still wanted to allow decryption using 1024-bit keys by default (but not encryption), so we allow verifying the binding signatures - but probably we should reject them when using the key for encryption (or signing/verifying), indeed.

This makes sense - still allowing decryption, but forbid for signing/verifying/encryption, which you could do without introducing additional configuration.

From there, you'll see if there is a need for introducing additional configuration, depending on use-cases that come up.