Fix issues with keys that have a creation date that is in the future.

2019-03-07 11:53:27 +01:00 · 2019-03-07 11:53:27 +01:00 · 9159bd5a47
parent 1fcf791560
commit 9159bd5a47
5 changed files with 19 additions and 15 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "mailvelope-keyserver",
-  "version": "2.0.0",
+  "version": "3.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
@ -1619,9 +1619,8 @@
      "integrity": "sha1-Kv3oTQPlC5qO3EROMGEKcCle37Q="
    },
    "openpgp": {
-      "version": "4.4.9",
-      "resolved": "https://registry.npmjs.org/openpgp/-/openpgp-4.4.9.tgz",
-      "integrity": "sha512-GpPRBJ/bmRtVIzM4XyZFNWueo4X7NmbeFz6/PyjolPLj2/n2XgKDaNSgR3KTjjuAoJJrbjLFAeARa+4G0mz6Ig==",
+      "version": "github:mailvelope/openpgpjs#a9d95ef7f0b640149f0a6d5d53b06389dc82d803",
+      "from": "github:mailvelope/openpgpjs#fix_user_verify_dist",
      "requires": {
        "@mattiasbuelens/web-streams-polyfill": "^0.3.1",
        "address-rfc2822": "^2.0.3",
--- a/package.json
+++ b/package.json
@ -29,7 +29,7 @@
    "koa-static": "5.0.0",
    "mongodb": "3.1.13",
    "nodemailer": "5.1.1",
-    "openpgp": "4.4.9",
+    "openpgp": "github:mailvelope/openpgpjs#fix_user_verify_dist",
    "winston": "3.2.1",
    "winston-papertrail": "1.0.5"
  },
--- a/src/app/middleware.js
+++ b/src/app/middleware.js
@ -39,7 +39,7 @@ exports.setHTTPResponseHeaders = async function(ctx, next) {
    ctx.set('Public-Key-Pins', `pin-sha256="${config.server.httpsKeyPin}"; pin-sha256="${config.server.httpsKeyPinBackup}"; max-age=16070400`);
  }
  // CSP
-  ctx.set('Content-Security-Policy', "default-src 'self'; object-src 'none'; script-src 'self' code.jquery.com; style-src 'self' stackpath.bootstrapcdn.com; font-src 'self' stackpath.bootstrapcdn.com");
+  ctx.set('Content-Security-Policy', "default-src 'self'; object-src 'none'; script-src 'self' code.jquery.com; style-src 'self' stackpath.bootstrapcdn.com 'unsafe-inline'; font-src 'self' stackpath.bootstrapcdn.com");
  // Prevent rendering website in foreign iframe (Clickjacking)
  ctx.set('X-Frame-Options', 'DENY');
  // CORS
--- a/src/email/email.js
+++ b/src/email/email.js
@ -82,13 +82,17 @@ class Email {
   * @return {string}                    the encrypted PGP message block
   */
  async _pgpEncrypt(plaintext, publicKeyArmored) {
-    const {keys, err} = await openpgp.key.readArmored(publicKeyArmored);
+    const {keys : [key], err} = await openpgp.key.readArmored(publicKeyArmored);
    if (err) {
      log.error('email', 'Reading armored key failed.', err, publicKeyArmored);
    }
+    const now = new Date();
+    // set message creation date if key has been created with future creation date
+    const msgCreationDate = key.primaryKey.created > now ? key.primaryKey.created : now;
    const ciphertext = await openpgp.encrypt({
      message: openpgp.message.fromText(plaintext),
-      publicKeys: keys,
+      publicKeys: key,
+      date: msgCreationDate
    });
    return ciphertext.data;
  }
--- a/src/service/pgp.js
+++ b/src/service/pgp.js
@ -54,10 +54,9 @@ class PGP {
    // verify primary key
    const key = r.keys[0];
    const primaryKey = key.primaryKey;
-    if (primaryKey.created > new Date()) {
-      log.error('pgp', 'Key creation date is in the future', primaryKey.created);
-    }
-    if (await key.verifyPrimaryKey() !== openpgp.enums.keyStatus.valid) {
+    const now = new Date();
+    const verifyDate = primaryKey.created > now ? primaryKey.created : now;
+    if (await key.verifyPrimaryKey(verifyDate) !== openpgp.enums.keyStatus.valid) {
      util.throw(400, 'Invalid PGP key: primary key verification failed');
    }

@ -69,7 +68,7 @@ class PGP {
    }

    // check for at least one valid user id
-    const userIds = await this.parseUserIds(key.users, primaryKey);
+    const userIds = await this.parseUserIds(key.users, primaryKey, verifyDate);
    if (!userIds.length) {
      util.throw(400, 'Invalid PGP key: invalid user IDs');
    }
@ -119,16 +118,18 @@ class PGP {
  /**
   * Parse an array of user ids and verify signatures
   * @param  {Array} users   A list of openpgp.js user objects
+   * @param {Object} primaryKey The primary key packet of the key
+   * @param {Date} verifyDate Verify user IDs at this point in time
   * @return {Array}         An array of user id objects
   */
-  async parseUserIds(users, primaryKey) {
+  async parseUserIds(users, primaryKey, verifyDate = new Date()) {
    if (!users || !users.length) {
      util.throw(400, 'Invalid PGP key: no user ID found');
    }
    // at least one user id must be valid, revoked or expired
    const result = [];
    for (const user of users) {
-      const userStatus = await user.verify(primaryKey);
+      const userStatus = await user.verify(primaryKey, verifyDate);
      if (userStatus !== openpgp.enums.keyStatus.invalid && user.userId && user.userId.userid) {
        const uid = addressparser(user.userId.userid)[0];
        if (util.isEmail(uid.address)) {