Add SecretKey.prototype.makeDummy (#1131)

openpgpjs · Aug 3, 2020 · 25bf080 · 25bf080
1 parent e29de76
commit 25bf080
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/src/key/key.js b/src/key/key.js
@@ -457,7 +457,7 @@ Key.prototype.validate = async function() {
   }
 
   let signingKeyPacket;
-  if (!this.keyPacket.isDummy()) {
+  if (!this.primaryKey.isDummy()) {
     signingKeyPacket = this.primaryKey;
   } else {
     /**

diff --git a/src/packet/secret_key.js b/src/packet/secret_key.js
@@ -267,6 +267,26 @@ SecretKey.prototype.isDummy = function() {
   return !!(this.s2k && this.s2k.type === 'gnu-dummy');
 };
 
+/**
+ * Remove private key material, converting the key to a dummy one
+ * The resulting key cannot be used for signing/decrypting but can still verify signatures
+ */
+SecretKey.prototype.makeDummy = function () {
+  if (this.isDummy()) {
+    return;
+  }
+  if (!this.isDecrypted()) {
+    // this is technically not needed, but makes the conversion simpler
+    throw new Error("Key is not decrypted");
+  }
+  this.clearPrivateParams();
+  this.isEncrypted = false;
+  this.s2k = new type_s2k();
+  this.s2k.algorithm = 0;
+  this.s2k.c = 0;
+  this.s2k.type = 'gnu-dummy';
+};
+
 /**
  * Encrypt the payload. By default, we use aes256 and iterated, salted string
  * to key specifier. If the key is in a decrypted state (isEncrypted === false)

diff --git a/test/general/key.js b/test/general/key.js
@@ -2748,6 +2748,25 @@ describe('Key', function() {
     await expect(key.validate()).to.be.rejectedWith('Key is invalid');
   });
 
+  it('makeDummy() - the converted key is valid but can no longer sign', async function() {
+    const { keys: [key] } = await openpgp.key.readArmored(priv_key_rsa);
+    await key.decrypt('hello world');
+    expect(key.primaryKey.isDummy()).to.be.false;
+    key.primaryKey.makeDummy();
+    expect(key.primaryKey.isDummy()).to.be.true;
+    await key.validate();
+    await expect(openpgp.reformatKey({ privateKey: key, userIds: 'test2 <b@a.com>' })).to.be.rejectedWith(/Missing private key parameters/);
+  });
+
+  it('makeDummy() - subkeys of the converted key can still sign', async function() {
+    const { keys: [key] } = await openpgp.key.readArmored(priv_key_rsa);
+    await key.decrypt('hello world');
+    expect(key.primaryKey.isDummy()).to.be.false;
+    key.primaryKey.makeDummy();
+    expect(key.primaryKey.isDummy()).to.be.true;
+    await expect(openpgp.sign({ message: openpgp.message.fromText('test'), privateKeys: [key] })).to.be.fulfilled;
+  });
+
   it('clearPrivateParams() - check that private key can no longer be used', async function() {
     const { keys: [key] } = await openpgp.key.readArmored(priv_key_rsa);
     await key.decrypt('hello world');