Add config.rejectPublicKeyAlgorithms #1264

Merged
merged 13 commits into from Mar 25, 2021
Collaborator

@larabr larabr commented Mar 10, 2021

Changes:

  • add config.rejectPublicKeyAlgorithms to disallow using the given algos to verify, sign or encrypt new messages or third-party certifications
  • consider config.minRsaBits when signing, verifying and encrypting messages and third-party certifications, not just on key generation
  • when verifying a message, if the verification key is not found (i.e. not provided or too weak), the corresponding signature will have signature.valid=false (used to be signature.valid=null). signature.error will detail whether the key is missing/too weak/other.

Generating and verifying key certification signatures is still permitted in all cases.
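The behaviour described in this pull request, modelled as an added example that is not part of the PR or of OpenPGP.js: it uses Node's built-in `crypto` with raw RSA signatures rather than OpenPGP packets. The function names, key IDs and sample policy are assumptions; only `rejectPublicKeyAlgorithms`, `minRsaBits`, `valid` and `error` come from the description.

```javascript
// Added illustration, not OpenPGP.js source: models the policy from the PR text
// with Node's built-in crypto. Only rejectPublicKeyAlgorithms, minRsaBits,
// valid and error are names from the PR; everything else is hypothetical.
const crypto = require('crypto');

const config = {
  rejectPublicKeyAlgorithms: new Set(['dsa']), // constructed sample policy
  minRsaBits: 2048
};

// Returns null when the key passes policy, otherwise the reason it is rejected.
function keyPolicyError(publicKey, cfg) {
  const algo = publicKey.asymmetricKeyType;
  if (cfg.rejectPublicKeyAlgorithms.has(algo)) return `${algo} keys are rejected by policy`;
  if (algo === 'rsa' && publicKey.asymmetricKeyDetails.modulusLength < cfg.minRsaBits) {
    return `RSA keys shorter than ${cfg.minRsaBits} bits are too weak`;
  }
  return null;
}

// keyring: Map of keyID -> public KeyObject. The result always carries a boolean
// `valid`; a missing or too-weak key gives valid=false plus an explanatory error.
function verifyWithPolicy(data, sig, keyring, cfg = config) {
  const publicKey = keyring.get(sig.keyID);
  if (!publicKey) return { valid: false, error: 'verification key not found' };
  const reason = keyPolicyError(publicKey, cfg);
  if (reason) return { valid: false, error: reason };
  const ok = crypto.verify('sha256', data, publicKey, sig.bytes);
  return { valid: ok, error: ok ? null : 'signature does not match' };
}

// Constructed sample: the same message signed by a 2048-bit and a 1024-bit RSA key.
function demo() {
  const data = Buffer.from('release notes v1');
  const keyring = new Map();
  const sigs = {};
  for (const [keyID, bits] of [['strong', 2048], ['weak', 1024]]) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: bits });
    keyring.set(keyID, publicKey);
    sigs[keyID] = { keyID, bytes: crypto.sign('sha256', data, privateKey) };
  }
  sigs.unknown = { keyID: 'unknown', bytes: sigs.strong.bytes }; // key not in keyring
  return { data, keyring, sigs };
}
```

The signature from the 1024-bit key is cryptographically correct, yet the caller sees `valid: false` with the reason in `error`, so code that only checks `valid` cannot accept it by accident.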

@tomholub
Contributor

Excellent!

Member

@twiss twiss left a comment

👍 Thanks, looks good! Small nitpicks below 😊

@larabr larabr force-pushed the algo-blacklist branch 3 times, most recently from 292d04f to 2f04938 Compare March 15, 2021 12:56
@larabr larabr mentioned this pull request Mar 19, 2021
@twiss twiss merged commit 8a57246 into openpgpjs:master Mar 25, 2021
@larabr larabr deleted the algo-blacklist branch June 10, 2021 09:28