This release fixes more security issues. Please upgrade to the latest version as soon as possible.

Security fixes

  • Validate ECC public keys, to prevent an attack extracting private keys
  • Remove non-AES CFB quick check, to prevent side-channel timing attacks
  • Reject messages encrypted with a symmetric algorithm not in preferred algorithms
  • Check signature public key algorithm against issuer key algorithm
  • Always look at the same literal data packet in getText() and verify()
  • Return generic error on PKESK checksum mismatch when decrypting

Other changes

  • Fix undefined behavior when reading 3DES-encrypted packet
  • Consider non-expired signatures from expired keys to still be valid
  • Check that signing key was not expired at signature creation time
  • Check that message signatures are not expired when verifying them
  • Fix revocation example in README: use revocationCertificate instead of revocationSignature
  • Fix CMAC of the empty string
  • Add config values to preferred algorithms
  • Fall back to RFC4880bis-mandated symmetric algorithms (AES128 and EAX) instead of config value

Example of behavior changes for preferred algorithms

As an example, previously, if you set openpgp.config.symmetric = openpgp.enums.twofish, OpenPGP.js would:

  1. When generating a key, not add Twofish to the preferred algorithms
  2. When encrypting to that generated key, not use Twofish (since it wasn't in the preferred algorithms)
  3. When encrypting to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms, fall back to Twofish

Then, if you were to decrypt that last message using GPG, it would warn that the message was encrypted with an algorithm that's not in the preferred algorithms. This could happen even with the default config value of AES256, since RFC4880 mandates falling back to 3DES, not AES256. (RFC4880bis mandates falling back to AES128.)

Since this version, if you set openpgp.config.symmetric = openpgp.enums.twofish, OpenPGP.js will instead:

  1. When generating a key, add Twofish to the preferred algorithms
  2. When encrypting to that generated key, use Twofish (since it is in the preferred algorithms)
  3. When encrypting to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms, fall back to AES128 (since that's the algorithm mandated by RFC4880bis)

Example of backwards-incompatible behavior

In some edge cases, some of the above changes are not backwards-compatible. For example, if you use OpenPGP.js < 4.3.0 and:

  1. Set openpgp.config.symmetric to any value other than openpgp.enums.aes256, openpgp.enums.aes128 or openpgp.enums.tripledes, and
  2. Encrypt messages to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms

And then try to decrypt those messages using OpenPGP.js >= 4.3.0, you will get an error. (GPG warns in this situation but still decrypts the messages.)
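To make the two behaviour changes above concrete, here is a small model of the algorithm selection the notes describe, covering both the preferred-algorithms example and the backwards-incompatible case. This is an added illustration, not OpenPGP.js code: algorithm names are plain strings rather than openpgp.enums values, the baseline preference list of a generated key, the set of supported algorithms, the "config value wins when it is a common preference" ordering rule and the always-accepted set used by the decrypt check are all assumptions chosen so that the scenarios in the notes come out as stated.

```javascript
// Added example, not OpenPGP.js source: a model of symmetric-algorithm
// selection before ("old", < 4.3.0) and after ("new", >= 4.3.0) this release.
// Algorithm names are strings here; the library uses openpgp.enums.* values.
const ALG = { aes256: 'aes256', aes128: 'aes128', tripledes: 'tripledes', twofish: 'twofish', idea: 'idea' };

// Assumption: baseline preference list of a freshly generated key (constructed).
const BASELINE_PREFS = [ALG.aes256, ALG.aes128, ALG.tripledes];

// Assumption: algorithms the modelled implementation can encrypt with.
const SUPPORTED = [ALG.aes256, ALG.aes128, ALG.tripledes, ALG.twofish];

// Key generation: >= 4.3.0 adds config.symmetric to the key's preferences,
// earlier versions did not (the position at the front is an assumption).
function generateKeyPrefs(version, configSymmetric) {
  if (version === 'new' && !BASELINE_PREFS.includes(configSymmetric)) {
    return [configSymmetric, ...BASELINE_PREFS];
  }
  return [...BASELINE_PREFS];
}

// Encrypt side: take the algorithms common to every recipient's preferences
// that we support; use the config value if it is among them (assumed rule),
// else the first common one, else the version-specific fallback.
function chooseSymmetric(version, configSymmetric, recipientPrefs) {
  const common = recipientPrefs[0].filter(
    (a) => SUPPORTED.includes(a) && recipientPrefs.every((p) => p.includes(a))
  );
  if (common.includes(configSymmetric)) return configSymmetric;
  if (common.length > 0) return common[0];
  // Fallback: old versions used the config value; >= 4.3.0 uses AES128,
  // the algorithm mandated by RFC4880bis.
  return version === 'new' ? ALG.aes128 : configSymmetric;
}

// Decrypt side: >= 4.3.0 rejects a message whose symmetric algorithm is not
// in the key's preferred algorithms. Assumption: AES256, AES128 and 3DES
// (the three the notes single out) are always accepted.
function decryptAccepts(version, keyPrefs, algorithm) {
  if (version === 'old') return true;
  return keyPrefs.includes(algorithm) || BASELINE_PREFS.includes(algorithm);
}

// Runs the scenarios from the release notes with config.symmetric = twofish
// and returns the outcomes so they can be inspected or asserted on.
function runScenarios() {
  const cfg = ALG.twofish;
  const oldKey = generateKeyPrefs('old', cfg);
  const newKey = generateKeyPrefs('new', cfg);
  // Constructed recipient whose only preference is an algorithm we do not support.
  const unsupportedKey = [ALG.idea];
  const oldFallback = chooseSymmetric('old', cfg, [unsupportedKey]);
  return {
    oldKeyHasTwofish: oldKey.includes(cfg),                        // false
    newKeyHasTwofish: newKey.includes(cfg),                        // true
    oldEncryptToOwnKey: chooseSymmetric('old', cfg, [oldKey]),     // 'aes256'
    newEncryptToOwnKey: chooseSymmetric('new', cfg, [newKey]),     // 'twofish'
    oldFallback,                                                   // 'twofish'
    newFallback: chooseSymmetric('new', cfg, [unsupportedKey]),    // 'aes128'
    // The backwards-incompatible case: a message the old version produced
    // with the fallback is refused by the new decrypt check.
    newDecryptsOldFallback: decryptAccepts('new', unsupportedKey, oldFallback), // false
    oldDecryptsOldFallback: decryptAccepts('old', unsupportedKey, oldFallback), // true
    newDecryptsNewFallback: decryptAccepts('new', unsupportedKey, ALG.aes128),  // true
  };
}

console.log(runScenarios());
```

The last two fields are the edge case from this section: an old client that fell back to its configured Twofish produced a message that a 4.3.0+ client, with the same recipient key, now refuses. Anyone with such archived messages needs to decrypt them with the older version or re-encrypt them before upgrading.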

Dec 7, 2018
Release new version

@twiss twiss released this Nov 6, 2018 · 27 commits to master since this release

When verifying signatures, compute data to verify based on expected signature type rather than the type of the signature to be verified. (#799)

@twiss twiss released this Nov 5, 2018 · 34 commits to master since this release

This release fixes a number of security issues. Please upgrade to the latest version as soon as possible.

  • Fix Message Signature Bypass: Only accept text or binary signatures when verifying data
  • Don't trust information in unhashed subpackets
  • Respect "critical" flag in unrecognized signature subpackets
  • Strengthen default S2K algorithm configuration
  • Add and verify Primary Key Binding Signatures
  • Reject keys with a Designated Revoker, as third-party key revocation is not supported by OpenPGP.js

Other changes:

  • Remove bzip2 compression support (decompression is still supported) (#798)
  • Use Web Crypto for SHA hashing (#795)
  • Fix decryption with multiple passwords (#792)
  • Fix unhandled promise rejection when decrypting non-MDC message (#794)
  • Check that one-pass signatures match their corresponding signature (#793)
  • Don't return streams in openpgp.reformatKey() and openpgp.revokeKey()
  • Fix key lookup example in README.md (#790)

@sanjanarajan sanjanarajan released this Oct 20, 2018 · 60 commits to master since this release

  • Fixes #787, which caused performance issues for large messages
  • Multiple documentation updates
  • Parsing an invalid integrity protected packet will now throw an error

@sanjanarajan sanjanarajan released this Oct 5, 2018 · 74 commits to master since this release

Fixes #776 - checks whether one-pass signature packets correspond to signature packets and errors if not

@sanjanarajan sanjanarajan released this Sep 25, 2018 · 77 commits to master since this release

Bug fixes:

  • Fixed #762 by always considering the last valid signature rather than just the last signature
  • Fixed #765 by disregarding non-self revocation signatures and by returning an error when parsing a key with an authorized revocation key subpacket (not supported by the library)
  • Fixed #752 by adding some documentation to avoid confusion about text vs. binary formats

API changes:

  • Key.prototype.getRevocationCertificate is now async
  • SubKey.prototype.getExpirationTime is now async and takes primaryKey, [date] as parameters instead of just [date]
  • When parsing a key with an authorized revocation key subpacket, we now return an error in the (await openpgp.key.read/readArmored(key)).err array, but also still return the key in the .keys array. This is because we ignore valid third-party revocation signatures made by authorized keys, so the key might not be safe to use in some cases.

@sanjanarajan sanjanarajan released this Sep 17, 2018 · 86 commits to master since this release

  • Fixes #771: publish compat builds with npm
  • Fixes #768: various issues with armoring
  • Allows slower platforms/browsers to be successfully tested with Saucelabs by grouping tests into separate test groups (they would previously time out after 5 minutes)

@sanjanarajan sanjanarajan released this Sep 4, 2018 · 93 commits to master since this release

  • Updates to saucelabs browsers/versions
  • Performance optimizations for decrypting armored messages
  • Improved handling for the case when a capability for a key is passed into getExpirationTime that the key does not have
  • Armor parsing is slightly stricter: leading spaces before -----END PGP ...----- now cause an error to be thrown
Sep 4, 2018
Release new version