Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent adding subkeys that use blacklisted curves #1423

Merged
merged 1 commit into from Dec 1, 2021
Merged

Prevent adding subkeys that use blacklisted curves #1423

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions src/key/private_key.js
View file
Open in desktop
Expand Up @@ -230,6 +230,7 @@ class PrivateKey extends PublicKey {
defaultOptions.curve = defaultOptions.curve || 'curve25519';
options = helper.sanitizeKeyOptions(options, defaultOptions);
const keyPacket = await helper.generateSecretSubkey(options);
helper.checkKeyRequirements(keyPacket, config);
const bindingSignature = await helper.createBindingSignature(keyPacket, secretKeyPacket, options, config);
const packetList = this.toPacketList();
packetList.push(keyPacket, bindingSignature);
Expand Down
24 changes: 24 additions & 0 deletions test/general/key.js
View file
Open in desktop
Expand Up @@ -3629,6 +3629,30 @@ VYGdb3eNlV8CfoEC
expect(newKey.subkeys[total].getAlgorithmInfo().bits).to.equal(Math.max(key.getAlgorithmInfo().bits, openpgp.config.minRSABits));
});

it('should throw when trying to add a new default subkey to an ecc key that uses a blacklisted curve (brainpool)', async function() {
const armoredBrainpoolKey = `-----BEGIN PGP PRIVATE KEY BLOCK-----

xXgEYW7c5RMJKyQDAwIIAQEHAgMEhb5YqML5gwfkorwV49zIfNJYqNiog+IL
RDSKaIbGMzNnzLeNgwxKe1/kKJMFxy0crCRegNbV9ZC0uF7UO3t/0gAA/3MH
gGJRuuMIHv5S5brj0AankEMSsY8w8T134O/NGm+eEXvNDnRlc3QgPGFAYi5j
b20+wowEEBMIAB0FAmFu3OUECwkHCAMVCAoEFgACAQIZAQIbAwIeAQAhCRCh
WWHcIlm4OxYhBCHAUhC7Zo79nXseR6FZYdwiWbg7KMoA/iMNJ+NX0fkc3ohL
4ZTxg5syNJwV2lleynzFOLpJ0a9RAP9b1Nt/eObuezUT/uic62ap8c8nycpN
OJbyn4p7uIjc1w==
=64W/
-----END PGP PRIVATE KEY BLOCK-----`;
const key = await openpgp.readKey({ armoredKey: armoredBrainpoolKey });
expect(key.subkeys).to.have.length(0);
await expect(key.addSubkey()).to.be.rejectedWith(/Support for ecdh keys using curve brainpoolP256r1 is disabled/);
expect(key.subkeys).to.have.length(0);

// explicitly allow brainpool curve
const config = { rejectCurves: new Set() };
const newKey = await key.addSubkey({ config });
expect(newKey.subkeys[0].getAlgorithmInfo().algorithm).to.equal('ecdh');
expect(newKey.subkeys[0].getAlgorithmInfo().curve).to.equal('brainpoolP256r1');
});

it('should throw when trying to encrypt a subkey separately from key', async function() {
const privateKey = await openpgp.decryptKey({
privateKey: await openpgp.readKey({ armoredKey: priv_key_rsa }),
Expand Down