diff --git a/test/general/config.js b/test/general/config.js index f43f8df22..aa9b79e99 100644 --- a/test/general/config.js +++ b/test/general/config.js @@ -62,7 +62,8 @@ module.exports = () => describe('Custom configuration', function() { const config = { showComment: true, preferredCompressionAlgorithm: openpgp.enums.compression.zip, - preferredHashAlgorithm: openpgp.enums.hash.sha512 + preferredHashAlgorithm: openpgp.enums.hash.sha512, + rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) // should not matter in this context }; const opt2 = { privateKey: origKey, userIds, config }; const { key: refKey2, privateKeyArmored: refKeyArmored2 } = await openpgp.reformatKey(opt2); @@ -171,12 +172,54 @@ module.exports = () => describe('Custom configuration', function() { const { packets: [compressed] } = await encrypted2.decrypt(null, passwords, null, encrypted2.fromStream, openpgp.config); expect(compressed.tag).to.equal(openpgp.enums.packet.compressedData); expect(compressed.algorithm).to.equal("zip"); + + const userIds = { name: 'Test User', email: 'text2@example.com' }; + const { key } = await openpgp.generateKey({ userIds }); + await expect(openpgp.encrypt({ + message, publicKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.ecdh]) } + })).to.be.eventually.rejectedWith(/ecdh keys are considered too weak/); } finally { openpgp.config.aeadProtect = aeadProtectVal; openpgp.config.preferredCompressionAlgorithm = preferredCompressionAlgorithmVal; } }); + it('openpgp.decrypt', async function() { + const plaintext = 'test'; + const message = openpgp.Message.fromText(plaintext); + const userIds = { name: 'Test User', email: 'text2@example.com' }; + const { key } = await openpgp.generateKey({ userIds, type: 'rsa', rsaBits: 2048 }); + + const armoredMessage = await openpgp.encrypt({ message, publicKeys:[key], privateKeys: [key] }); + const { data, signatures } = await openpgp.decrypt({ + message: await openpgp.readMessage({ armoredMessage }), + privateKeys: [key], + publicKeys: [key] + }); + expect(data).to.equal(plaintext); + expect(signatures[0].valid).to.be.true; + + const { data: data2, signatures: signatures2 } = await openpgp.decrypt({ + message: await openpgp.readMessage({ armoredMessage }), + privateKeys: [key], + publicKeys: [key], + config: { minRsaBits: 4096 } + }); + expect(data2).to.equal(plaintext); + expect(signatures2[0].valid).to.be.false; + expect(signatures2[0].error).to.match(/keys shorter than 4096 bits are considered too weak/); + + const { data: data3, signatures: signatures3 } = await openpgp.decrypt({ + message: await openpgp.readMessage({ armoredMessage }), + privateKeys: [key], + publicKeys: [key], + config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.rsaEncryptSign]) } + }); + expect(data3).to.equal(plaintext); + expect(signatures3[0].valid).to.be.false; + expect(signatures3[0].error).to.match(/rsaEncryptSign keys are considered too weak/); + }); + it('openpgp.sign', async function() { const userIds = { name: 'Test User', email: 'text2@example.com' }; const { privateKeyArmored } = await openpgp.generateKey({ userIds }); @@ -199,6 +242,10 @@ module.exports = () => describe('Custom configuration', function() { config: { rejectHashAlgorithms: new Set([openpgp.enums.hash.sha256, openpgp.enums.hash.sha512]) } }; await expect(openpgp.sign(opt2)).to.be.rejectedWith(/Insecure hash algorithm/); + + await expect(openpgp.sign({ + message, privateKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) } + })).to.be.eventually.rejectedWith(/eddsa keys are considered too weak/); }); it('openpgp.verify', async function() { @@ -237,6 +284,14 @@ module.exports = () => describe('Custom configuration', function() { const { signatures: [sig3] } = await openpgp.verify(opt3); await expect(sig3.error).to.match(/Insecure message hash algorithm/); + const opt4 = { + message: await openpgp.readMessage({ armoredMessage: signed }), + publicKeys: [key], + config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) } + }; + const { signatures: [sig4] } = await openpgp.verify(opt4); + await expect(sig4.valid).to.be.false; + await expect(sig4.error).to.match(/eddsa keys are considered too weak/); }); }); diff --git a/test/general/streaming.js b/test/general/streaming.js index 132317f3b..0076f1109 100644 --- a/test/general/streaming.js +++ b/test/general/streaming.js @@ -237,7 +237,8 @@ function tests() { it('Sign: Input stream should be canceled when canceling encrypted stream', async function() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); const reader = openpgp.stream.getReader(signed); expect(await reader.readBytes(1024)).to.match(/^-----BEGIN PGP MESSAGE-----\n/); @@ -312,7 +313,8 @@ function tests() { message: openpgp.Message.fromBinary(data), publicKeys: pubKey, privateKeys: privKey, - armor: false + armor: false, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(encrypted)).to.equal(expectedType); @@ -443,7 +445,8 @@ function tests() { const encrypted = await openpgp.encrypt({ message: openpgp.Message.fromBinary(data), publicKeys: pubKey, - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(encrypted)).to.equal(expectedType); @@ -480,7 +483,8 @@ function tests() { const encrypted = await openpgp.encrypt({ message: openpgp.Message.fromBinary(data), publicKeys: pubKey, - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(encrypted)).to.equal(expectedType); @@ -504,7 +508,7 @@ function tests() { dataArrived(); await expect(reader.readToEnd()).to.be.rejectedWith('Ascii armor integrity check on message failed'); expect(decrypted.signatures).to.exist.and.have.length(1); - expect(await decrypted.signatures[0].verified).to.be.null; + await expect(decrypted.signatures[0].verified).to.be.eventually.rejectedWith(/Could not find key/); } finally { openpgp.config.allowUnauthenticatedStream = allowUnauthenticatedStreamValue; } @@ -513,7 +517,8 @@ function tests() { it('Sign/verify: Detect armor checksum error', async function() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); @@ -529,7 +534,8 @@ function tests() { publicKeys: pubKey, message, streaming: expectedType, - format: 'binary' + format: 'binary', + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(verified.data)).to.equal(expectedType); const reader = openpgp.stream.getReader(verified.data); @@ -567,7 +573,8 @@ function tests() { it('Sign/verify: Input stream should be canceled when canceling verified stream', async function() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); @@ -575,7 +582,8 @@ function tests() { const verified = await openpgp.verify({ publicKeys: pubKey, message, - format: 'binary' + format: 'binary', + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(verified.data)).to.equal(expectedType); const reader = openpgp.stream.getReader(verified.data); @@ -605,7 +613,8 @@ function tests() { it("Sign: Don't pull entire input stream when we're not pulling signed stream", async function() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); @@ -619,7 +628,8 @@ function tests() { it("Sign/verify: Don't pull entire input stream when we're not pulling verified stream", async function() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), - privateKeys: privKey + privateKeys: privKey, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); const message = await openpgp.readMessage({ armoredMessage: signed }); @@ -649,7 +659,8 @@ function tests() { message: openpgp.Message.fromBinary(data), privateKeys: privKey, detached: true, - streaming: expectedType + streaming: expectedType, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); const armoredSignature = await openpgp.stream.readToEnd(signed); @@ -657,7 +668,8 @@ function tests() { const verified = await openpgp.verify({ signature, publicKeys: pubKey, - message: openpgp.Message.fromText('hello world') + message: openpgp.Message.fromText('hello world'), + config: { minRsaBits: 1024 } }); expect(verified.data).to.equal('hello world'); expect(verified.signatures).to.exist.and.have.length(1); @@ -678,14 +690,16 @@ function tests() { privateKeys: privKey, detached: true, streaming: false, - armor: false + armor: false, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.be.false; const signature = await openpgp.readMessage({ binaryMessage: signed }); const verified = await openpgp.verify({ signature, publicKeys: pubKey, - message: openpgp.Message.fromText('hello world') + message: openpgp.Message.fromText('hello world'), + config: { minRsaBits: 1024 } }); expect(verified.data).to.equal('hello world'); expect(verified.signatures).to.exist.and.have.length(1); @@ -758,7 +772,8 @@ function tests() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), privateKeys: privKey, - detached: true + detached: true, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); const reader = openpgp.stream.getReader(signed); @@ -772,7 +787,8 @@ function tests() { const signed = await openpgp.sign({ message: openpgp.Message.fromBinary(data), privateKeys: privKey, - detached: true + detached: true, + config: { minRsaBits: 1024 } }); expect(openpgp.stream.isStream(signed)).to.equal(expectedType); const reader = openpgp.stream.getReader(signed); diff --git a/test/security/subkey_trust.js b/test/security/subkey_trust.js index c0ee35e88..3293e2838 100644 --- a/test/security/subkey_trust.js +++ b/test/security/subkey_trust.js @@ -72,7 +72,8 @@ async function testSubkeyTrust() { streaming: false }); expect(verifyAttackerIsBatman.signatures[0].keyid.equals(victimPubKey.subKeys[0].getKeyId())).to.be.true; - expect(verifyAttackerIsBatman.signatures[0].valid).to.be.null; + expect(verifyAttackerIsBatman.signatures[0].valid).to.be.false; + expect(verifyAttackerIsBatman.signatures[0].error).to.match(/Could not find valid signing key packet/); } module.exports = () => it('Does not trust subkeys without Primary Key Binding Signature', testSubkeyTrust);