From 4364eaef96b5ec89cbf8e73994eab08d8a45fcad Mon Sep 17 00:00:00 2001 From: larabr Date: Fri, 19 Apr 2024 16:10:03 +0200 Subject: [PATCH] Temporarily add `config.ignoreSEIPDv2FeatureFlag` for compatibility (#15) SEIPDv2 is a more secure and faster choice, but it is not necessarily compatible with other libs and our mobile apps. Co-authored-by: Daniel Huigens --- openpgp.d.ts | 1 + src/config/config.js | 8 ++++++++ src/key/helper.js | 2 +- test/general/openpgp.js | 11 +++++++++++ 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/openpgp.d.ts b/openpgp.d.ts index a8225a40f..707bc7e4f 100644 --- a/openpgp.d.ts +++ b/openpgp.d.ts @@ -326,6 +326,7 @@ interface Config { showVersion: boolean; showComment: boolean; aeadProtect: boolean; + ignoreSEIPDv2FeatureFlag: boolean; allowUnauthenticatedMessages: boolean; allowUnauthenticatedStream: boolean; allowForwardedMessages: boolean; diff --git a/src/config/config.js b/src/config/config.js index 286d6a0d5..82947d734 100644 --- a/src/config/config.js +++ b/src/config/config.js @@ -50,6 +50,14 @@ export default { * @property {Boolean} aeadProtect */ aeadProtect: false, + /** + * Whether to disable encrypton using SEIPDv2 even if the encryption keys include the SEIPDv2 feature flag. + * If true, SEIPDv1 (i.e. no AEAD) packets are always used instead. + * SEIPDv2 is a more secure and faster choice, but it is not necessarily compatible with other libs and our mobile apps. + * @memberof module:config + * @property {Boolean} ignoreSEIPDv2FeatureFlag + */ + ignoreSEIPDv2FeatureFlag: false, /** * When reading OpenPGP v4 private keys (e.g. those generated in OpenPGP.js when not setting `config.v5Keys = true`) * which were encrypted by OpenPGP.js v5 (or older) using `config.aeadProtect = true`, diff --git a/src/key/helper.js b/src/key/helper.js index d5c184d5a..704ccc194 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -173,7 +173,7 @@ export async function getPreferredCompressionAlgo(keys = [], date = new Date(), export async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [], config = defaultConfig) { const selfSigs = await Promise.all(keys.map((key, i) => key.getPrimarySelfSignature(date, userIDs[i], config))); const withAEAD = keys.length ? - selfSigs.every(selfSig => selfSig.features && (selfSig.features[0] & enums.features.seipdv2)) : + !config.ignoreSEIPDv2FeatureFlag && selfSigs.every(selfSig => selfSig.features && (selfSig.features[0] & enums.features.seipdv2)) : config.aeadProtect; if (withAEAD) { diff --git a/test/general/openpgp.js b/test/general/openpgp.js index d6d1df92c..8d2a91127 100644 --- a/test/general/openpgp.js +++ b/test/general/openpgp.js @@ -2309,6 +2309,17 @@ k0mXubZvyl4GBg== expect(seipd).to.be.instanceOf(openpgp.SymEncryptedIntegrityProtectedDataPacket); expect(seipd.version).to.equal(2); expect(seipd.aeadAlgorithm).to.equal(openpgp.enums.aead.ocb); + + const encryptedWithoutAEAD = await openpgp.encrypt({ + message: await openpgp.createMessage({ text: 'test' }), + encryptionKeys: [v4PrivateKeyWithOCBPref, v6PrivateKeyWithOCBPref], + format: 'object', + config: { ignoreSEIPDv2FeatureFlag: true } + }); + + const seipdV1 = encryptedWithoutAEAD.packets[2]; + expect(seipdV1).to.be.instanceOf(openpgp.SymEncryptedIntegrityProtectedDataPacket); + expect(seipdV1.version).to.equal(1); }); it('should support encrypting to a key without features (missing SEIPDv1 feature)', async function () {