should also search on advanced WKD url + use policy file

[tomholub]

Currently, the Wkd class only searches using the direct WKD method.

To fix: add the advanced method which should be tried first, only after which the basic WKD method should be attempted.
Further, before trying any WKD lookup, should pull WKD policy file first.

The spec is at https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-10

relevant code

    // todo - could also search on `https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={user}`
    const url = `https://${recipientDomain}/.well-known/openpgpkey/hu/${hu}?l=${encodeURIComponent(user)}`;

Need to add tests for the WKD class. This can be done by adding all of these expected WKD endpoints to the mock, and testing lookup using browser unit tests.

For the mock, you will want to add one more set of endpoints here:

  const api = new LoggedApi<{ query: { [k: string]: string }, body?: unknown }, unknown>('google-mock', {
    ...mockGoogleEndpoints,
    ...mockBackendEndpoints,
    ...mockAttesterEndpoints,
    ...mockKeyManagerEndpoints,
    '/favicon.ico': async () => '',
  });

that could maybe be called mockWkdEndpoints where you add a couple of WKD paths. To create these test paths, use https://metacode.biz/openpgp/web-key-directory where you input a test email and it will give you the paths where the policy files and public keys should be.

[tomholub]

Will later assign to @rrrooommmaaa

[tomholub]

This will be useful to cover with browser unit tests also.

[tomholub]

For WKD related questions you may ask @wiktor-k who is very familiar with it (he wrote https://metacode.biz/openpgp/web-key-directory )

[rrrooommmaaa]

according to the spec,
it says The HTTP GET method MUST return the binary representation of the OpenPGP key for the given mail address. The key needs to carry a User ID packet ([RFC4880]) with that mail address.
Does it mean that I have to add additional check in Wkd.lookupEmail that received binary contains correct User ID? There is no such check as of now.

[tomholub]

Thanks for asking. Yes, I think it would be good to add that check in Wkd and test for it.

[wiktor-k]

To be honest GnuPG goes even further as to strip any User ID that does not contain the target e-mail. So if you have key with UIDs tom@flowcrypt.com and tom@gmail.com and do gpg --locate-key tom@flowcrypt.com you'll result in a partial key (but usable!) that has only tom@flowcrypt.com.

I don't think we need to do that though :)

[tomholub]

We import public keys "for a particular email" so it doesn't really matter if we strip the other ones or not before storing. Either is ok with me

[rrrooommmaaa]

@wiktor-k Can please you comment on these lines:

OpenPGP defines its User IDs, and thus the mail address, as UTF-8 strings. To help with the common pattern of using capitalized names (e.g. "Joe.Doe@example.org") for mail addresses, and under the premise that almost all MTAs treat the local-part case-insensitive and that the domain-part is required to be compared case-insensitive anyway, all upper-case ASCII characters in a User ID are mapped to lowercase. Non-ASCII characters are not changed.

I can see that wkd implementation is just using String.to_lowercase() functions and the like.
Does this imply that non-ASCII characters are converted too?

[wiktor-k]

Yes it does. It can have practical differences for some addresses like the ones using Turkish I. Do note that practically all other WKD implementations are also using a variant of UTF8 lowercase instead of ASCII one so I'd leave it like that unless a real customer complains :)