Finish with tests

openpgpjs · Mar 12, 2021 · 56333d6 · 56333d6
1 parent 1c86ce4
commit 56333d6
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 19 deletions.
diff --git a/test/general/config.js b/test/general/config.js
@@ -62,7 +62,8 @@ module.exports = () => describe('Custom configuration', function() {
       const config = {
         showComment: true,
         preferredCompressionAlgorithm: openpgp.enums.compression.zip,
-        preferredHashAlgorithm: openpgp.enums.hash.sha512
+        preferredHashAlgorithm: openpgp.enums.hash.sha512,
+        rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) // should not matter in this context
       };
       const opt2 = { privateKey: origKey, userIds, config };
       const { key: refKey2, privateKeyArmored: refKeyArmored2 } = await openpgp.reformatKey(opt2);
@@ -171,12 +172,54 @@ module.exports = () => describe('Custom configuration', function() {
       const { packets: [compressed] } = await encrypted2.decrypt(null, passwords, null, encrypted2.fromStream, openpgp.config);
       expect(compressed.tag).to.equal(openpgp.enums.packet.compressedData);
       expect(compressed.algorithm).to.equal("zip");
+
+      const userIds = { name: 'Test User', email: 'text2@example.com' };
+      const { key } = await openpgp.generateKey({ userIds });
+      await expect(openpgp.encrypt({
+        message, publicKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.ecdh]) }
+      })).to.be.eventually.rejectedWith(/ecdh keys are considered too weak/);
     } finally {
       openpgp.config.aeadProtect = aeadProtectVal;
       openpgp.config.preferredCompressionAlgorithm = preferredCompressionAlgorithmVal;
     }
   });
 
+  it('openpgp.decrypt', async function() {
+    const plaintext = 'test';
+    const message = openpgp.Message.fromText(plaintext);
+    const userIds = { name: 'Test User', email: 'text2@example.com' };
+    const { key } = await openpgp.generateKey({ userIds, type: 'rsa', rsaBits: 2048 });
+
+    const armoredMessage = await openpgp.encrypt({ message, publicKeys:[key], privateKeys: [key] });
+    const { data, signatures } = await openpgp.decrypt({
+      message: await openpgp.readMessage({ armoredMessage }),
+      privateKeys: [key],
+      publicKeys: [key]
+    });
+    expect(data).to.equal(plaintext);
+    expect(signatures[0].valid).to.be.true;
+
+    const { data: data2, signatures: signatures2 } = await openpgp.decrypt({
+      message: await openpgp.readMessage({ armoredMessage }),
+      privateKeys: [key],
+      publicKeys: [key],
+      config: { minRsaBits: 4096 }
+    });
+    expect(data2).to.equal(plaintext);
+    expect(signatures2[0].valid).to.be.false;
+    expect(signatures2[0].error).to.match(/keys shorter than 4096 bits are considered too weak/);
+
+    const { data: data3, signatures: signatures3 } = await openpgp.decrypt({
+      message: await openpgp.readMessage({ armoredMessage }),
+      privateKeys: [key],
+      publicKeys: [key],
+      config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.rsaEncryptSign]) }
+    });
+    expect(data3).to.equal(plaintext);
+    expect(signatures3[0].valid).to.be.false;
+    expect(signatures3[0].error).to.match(/rsaEncryptSign keys are considered too weak/);
+  });
+
   it('openpgp.sign', async function() {
     const userIds = { name: 'Test User', email: 'text2@example.com' };
     const { privateKeyArmored } = await openpgp.generateKey({ userIds });
@@ -199,6 +242,10 @@ module.exports = () => describe('Custom configuration', function() {
       config: { rejectHashAlgorithms: new Set([openpgp.enums.hash.sha256, openpgp.enums.hash.sha512]) }
     };
     await expect(openpgp.sign(opt2)).to.be.rejectedWith(/Insecure hash algorithm/);
+
+    await expect(openpgp.sign({
+      message, privateKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) }
+    })).to.be.eventually.rejectedWith(/eddsa keys are considered too weak/);
   });
 
   it('openpgp.verify', async function() {
@@ -237,6 +284,14 @@ module.exports = () => describe('Custom configuration', function() {
     const { signatures: [sig3] } = await openpgp.verify(opt3);
     await expect(sig3.error).to.match(/Insecure message hash algorithm/);
 
+    const opt4 = {
+      message: await openpgp.readMessage({ armoredMessage: signed }),
+      publicKeys: [key],
+      config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) }
+    };
+    const { signatures: [sig4] } = await openpgp.verify(opt4);
+    await expect(sig4.valid).to.be.false;
+    await expect(sig4.error).to.match(/eddsa keys are considered too weak/);
   });
 
 });
diff --git a/test/general/streaming.js b/test/general/streaming.js
@@ -237,7 +237,8 @@ function tests() {
   it('Sign: Input stream should be canceled when canceling encrypted stream', async function() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
-      privateKeys: privKey
+      privateKeys: privKey,
+      config: { minRsaBits: 1024 }
     });
     const reader = openpgp.stream.getReader(signed);
     expect(await reader.readBytes(1024)).to.match(/^-----BEGIN PGP MESSAGE-----\n/);
@@ -312,7 +313,8 @@ function tests() {
         message: openpgp.Message.fromBinary(data),
         publicKeys: pubKey,
         privateKeys: privKey,
-        armor: false
+        armor: false,
+        config: { minRsaBits: 1024 }
       });
       expect(openpgp.stream.isStream(encrypted)).to.equal(expectedType);
 
@@ -443,7 +445,8 @@ function tests() {
       const encrypted = await openpgp.encrypt({
         message: openpgp.Message.fromBinary(data),
         publicKeys: pubKey,
-        privateKeys: privKey
+        privateKeys: privKey,
+        config: { minRsaBits: 1024 }
       });
       expect(openpgp.stream.isStream(encrypted)).to.equal(expectedType);
 
@@ -480,7 +483,8 @@ function tests() {
       const encrypted = await openpgp.encrypt({
         message: openpgp.Message.fromBinary(data),
         publicKeys: pubKey,
-        privateKeys: privKey
+        privateKeys: privKey,
+        config: { minRsaBits: 1024 }
       });
       expect(openpgp.stream.isStream(encrypted)).to.equal(expectedType);
 
@@ -504,7 +508,7 @@ function tests() {
       dataArrived();
       await expect(reader.readToEnd()).to.be.rejectedWith('Ascii armor integrity check on message failed');
       expect(decrypted.signatures).to.exist.and.have.length(1);
-      expect(await decrypted.signatures[0].verified).to.be.null;
+      await expect(decrypted.signatures[0].verified).to.be.eventually.rejectedWith(/Could not find key/);
     } finally {
       openpgp.config.allowUnauthenticatedStream = allowUnauthenticatedStreamValue;
     }
@@ -513,7 +517,8 @@ function tests() {
   it('Sign/verify: Detect armor checksum error', async function() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
-      privateKeys: privKey
+      privateKeys: privKey,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
 
@@ -529,7 +534,8 @@ function tests() {
       publicKeys: pubKey,
       message,
       streaming: expectedType,
-      format: 'binary'
+      format: 'binary',
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(verified.data)).to.equal(expectedType);
     const reader = openpgp.stream.getReader(verified.data);
@@ -567,15 +573,17 @@ function tests() {
   it('Sign/verify: Input stream should be canceled when canceling verified stream', async function() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
-      privateKeys: privKey
+      privateKeys: privKey,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
 
     const message = await openpgp.readMessage({ armoredMessage: signed });
     const verified = await openpgp.verify({
       publicKeys: pubKey,
       message,
-      format: 'binary'
+      format: 'binary',
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(verified.data)).to.equal(expectedType);
     const reader = openpgp.stream.getReader(verified.data);
@@ -605,7 +613,8 @@ function tests() {
   it("Sign: Don't pull entire input stream when we're not pulling signed stream", async function() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
-      privateKeys: privKey
+      privateKeys: privKey,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
 
@@ -619,7 +628,8 @@ function tests() {
   it("Sign/verify: Don't pull entire input stream when we're not pulling verified stream", async function() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
-      privateKeys: privKey
+      privateKeys: privKey,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
     const message = await openpgp.readMessage({ armoredMessage: signed });
@@ -649,15 +659,17 @@ function tests() {
       message: openpgp.Message.fromBinary(data),
       privateKeys: privKey,
       detached: true,
-      streaming: expectedType
+      streaming: expectedType,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
     const armoredSignature = await openpgp.stream.readToEnd(signed);
     const signature = await openpgp.readSignature({ armoredSignature });
     const verified = await openpgp.verify({
       signature,
       publicKeys: pubKey,
-      message: openpgp.Message.fromText('hello world')
+      message: openpgp.Message.fromText('hello world'),
+      config: { minRsaBits: 1024 }
     });
     expect(verified.data).to.equal('hello world');
     expect(verified.signatures).to.exist.and.have.length(1);
@@ -678,14 +690,16 @@ function tests() {
       privateKeys: privKey,
       detached: true,
       streaming: false,
-      armor: false
+      armor: false,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.be.false;
     const signature = await openpgp.readMessage({ binaryMessage: signed });
     const verified = await openpgp.verify({
       signature,
       publicKeys: pubKey,
-      message: openpgp.Message.fromText('hello world')
+      message: openpgp.Message.fromText('hello world'),
+      config: { minRsaBits: 1024 }
     });
     expect(verified.data).to.equal('hello world');
     expect(verified.signatures).to.exist.and.have.length(1);
@@ -758,7 +772,8 @@ function tests() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
       privateKeys: privKey,
-      detached: true
+      detached: true,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
     const reader = openpgp.stream.getReader(signed);
@@ -772,7 +787,8 @@ function tests() {
     const signed = await openpgp.sign({
       message: openpgp.Message.fromBinary(data),
       privateKeys: privKey,
-      detached: true
+      detached: true,
+      config: { minRsaBits: 1024 }
     });
     expect(openpgp.stream.isStream(signed)).to.equal(expectedType);
     const reader = openpgp.stream.getReader(signed);

diff --git a/test/security/subkey_trust.js b/test/security/subkey_trust.js
@@ -72,7 +72,8 @@ async function testSubkeyTrust() {
     streaming: false
   });
   expect(verifyAttackerIsBatman.signatures[0].keyid.equals(victimPubKey.subKeys[0].getKeyId())).to.be.true;
-  expect(verifyAttackerIsBatman.signatures[0].valid).to.be.null;
+  expect(verifyAttackerIsBatman.signatures[0].valid).to.be.false;
+  expect(verifyAttackerIsBatman.signatures[0].error).to.match(/Could not find valid signing key packet/);
 }
 
 module.exports = () => it('Does not trust subkeys without Primary Key Binding Signature', testSubkeyTrust);