@protontech/openpgp 6.1.1-patch.0 → 6.1.1-patch.2

package/dist/openpgp.js

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.0 - 2025-02-12 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 var openpgp = (function (exports) {
   'use strict';
 
@@ -1548,6 +1548,8 @@ var openpgp = (function (exports) {
      * by v6 keys and v6 signatures, respectively.
      * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,
      * hence parsing them might be necessary in some cases.
+     * @memberof module:config
+     * @property {Boolean} enableParsingV5Entities
      */
     enableParsingV5Entities: false,
     /**
@@ -1684,10 +1686,22 @@ var openpgp = (function (exports) {
      * @property {Boolean} ignoreMalformedPackets Ignore malformed packets on parsing instead of throwing an error
      */
     ignoreMalformedPackets: false,
+    /**
+     * @memberof module:config
+     * @property {Boolean} enforceGrammar whether parsed OpenPGP messages must comform to the OpenPGP grammar
+     *    defined in https://www.rfc-editor.org/rfc/rfc9580.html#name-openpgp-messages .
+     */
+    enforceGrammar: true,
+    /**
+     * @memberof module:config
+     * @property {function(string): any} pluggableGrammarErrorReporter callback meant to collect GrammarError reports even with `config.enforceGrammar` disabled.
+     */
+    pluggableGrammarErrorReporter: null,
     /**
      * Parsing of packets is normally restricted to a predefined set of packets. For example a Sym. Encrypted Integrity Protected Data Packet can only
      * contain a certain set of packets including LiteralDataPacket. With this setting we can allow additional packets, which is probably not advisable
      * as a global config setting, but can be used for specific function calls (e.g. decrypt method of Message).
+     * NB: `config.enforceGrammar` may need to be disabled as well.
      * @memberof module:config
      * @property {Array} additionalAllowedPackets Allow additional packets on parsing. Defined as array of packet classes, e.g. [PublicKeyPacket]
      */
@@ -1706,7 +1720,7 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {String} versionString A version string to be included in armored messages
      */
-    versionString: 'OpenPGP.js 6.1.1-patch.0',
+    versionString: 'OpenPGP.js 6.1.1-patch.2',
     /**
      * @memberof module:config
      * @property {String} commentString A comment string to be included in armored messages
@@ -2079,6 +2093,21 @@ var openpgp = (function (exports) {
       return true;
     },
 
+    /**
+     * Same as Array.findLastIndex, which is not supported on Safari 14 .
+     * @param {Array} arr
+     * @param {function(element, index, arr): boolean} findFn
+     * @return index of last element matching `findFn`, -1 if not found
+     */
+    findLastIndex: function(arr, findFn) {
+      for (let i = arr.length; i >= 0; i--) {
+        if (findFn(arr[i], i, arr)) {
+          return i;
+        }
+      }
+      return -1;
+    },
+
     /**
      * Calculates a 16bit sum of a Uint8Array by adding each character
      * codes modulus 65535
@@ -6898,11 +6927,7 @@ var openpgp = (function (exports) {
             seed: b64ToUint8Array(privateKey.d, true)
           };
         } catch (err) {
-          if (
-            err.name !== 'NotSupportedError' &&
-            err.name !== 'OperationError' && // Temporary (hopefully) fix for WebKit on Linux
-            err.name !== 'SyntaxError' // Temporary fix for Palemoon throwing 'SyntaxError'
-          ) {
+          if (err.name !== 'NotSupportedError' && err.name !== 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
             throw err;
           }
           const seed = getRandomBytes(getPayloadSize$1(algo));
@@ -6954,7 +6979,7 @@ var openpgp = (function (exports) {
 
           return { RS: signature };
         } catch (err) {
-          if (err.name !== 'NotSupportedError' && err.name !== 'SyntaxError') { // Temporary fix for Palemoon throwing 'SyntaxError'
+          if (err.name !== 'NotSupportedError') {
             throw err;
           }
           const secretKey = util.concatUint8Array([privateKey, publicKey]);
@@ -7000,7 +7025,7 @@ var openpgp = (function (exports) {
           const verified = await webCrypto.verify('Ed25519', key, RS, hashed);
           return verified;
         } catch (err) {
-          if (err.name !== 'NotSupportedError' && err.name !== 'SyntaxError') { // Temporary fix for Palemoon throwing 'SyntaxError'
+          if (err.name !== 'NotSupportedError') {
             throw err;
           }
           return verify$a(RS, hashed, publicKey);
@@ -15141,6 +15166,106 @@ var openpgp = (function (exports) {
   OnePassSignaturePacket.prototype.toHash = SignaturePacket.prototype.toHash;
   OnePassSignaturePacket.prototype.toSign = SignaturePacket.prototype.toSign;
 
+  class GrammarError extends Error {
+      constructor(...params) {
+          super(...params);
+          if (Error.captureStackTrace) {
+              Error.captureStackTrace(this, GrammarError);
+          }
+          this.name = 'GrammarError';
+      }
+  }
+  const isValidLiteralMessage = (tagList, _acceptPartial) => tagList.length === 1 && tagList[0] === enums.packet.literalData;
+  const isValidCompressedMessage = (tagList, _acceptPartial) => tagList.length === 1 && tagList[0] === enums.packet.compressedData;
+  const isValidEncryptedMessage = (tagList, acceptPartial) => {
+      // Encrypted Message: Encrypted Data | ESK Sequence, Encrypted Data.
+      const isValidESKSequence = (tagList, _acceptPartial) => (tagList.every(packetTag => new Set([enums.packet.publicKeyEncryptedSessionKey, enums.packet.symEncryptedSessionKey]).has(packetTag)));
+      const encryptedDataPacketIndex = tagList.findIndex(tag => new Set([enums.packet.aeadEncryptedData, enums.packet.symmetricallyEncryptedData, enums.packet.symEncryptedIntegrityProtectedData]).has(tag));
+      if (encryptedDataPacketIndex < 0) {
+          return isValidESKSequence(tagList);
+      }
+      return (encryptedDataPacketIndex === tagList.length - 1) &&
+          isValidESKSequence(tagList.slice(0, encryptedDataPacketIndex));
+  };
+  const isValidSignedMessage = (tagList, acceptPartial) => {
+      // Signature Packet, OpenPGP Message | One-Pass Signed Message.
+      if (tagList.findIndex(tag => tag === enums.packet.signature) === 0) {
+          return isValidOpenPGPMessage(tagList.slice(1), acceptPartial);
+      }
+      // One-Pass Signed Message:
+      //    One-Pass Signature Packet, OpenPGP Message, Corresponding Signature Packet.
+      if (tagList.findIndex(tag => tag === enums.packet.onePassSignature) === 0) {
+          const correspondingSigPacketIndex = util.findLastIndex(tagList, tag => tag === enums.packet.signature);
+          if (correspondingSigPacketIndex !== tagList.length - 1 && !acceptPartial) {
+              return false;
+          }
+          return isValidOpenPGPMessage(tagList.slice(1, correspondingSigPacketIndex < 0 ? undefined : correspondingSigPacketIndex), acceptPartial);
+      }
+      return false;
+  };
+  const isUnknownPacketTag = (tag) => {
+      try {
+          enums.read(enums.packet, tag);
+          return false;
+      }
+      catch (e) {
+          return true;
+      }
+  };
+  /**
+   * Implements grammar checks based on https://www.rfc-editor.org/rfc/rfc9580.html#section-10.3 .
+   * @param notNormalizedList - list of packet tags to validate
+   * @param acceptPartial - whether the list of tags corresponds to a partially-parsed message
+   * @returns whether the list of tags is valid
+   */
+  const isValidOpenPGPMessage = (notNormalizedList /** might have unknown tags */, acceptPartial) => {
+      // Take care of packet tags that can appear anywhere in the sequence:
+      // 1. A Marker packet (Section 5.8) can appear anywhere in the sequence.
+      // 2. An implementation MUST be able to process Padding packets anywhere else in an OpenPGP stream so that future revisions of this document may specify further locations for padding.
+      // 3. An unknown non-critical packet MUST be ignored (criticality is enforced on parsing).
+      const normalizedList = notNormalizedList.filter(tag => (tag !== enums.packet.marker &&
+          tag !== enums.packet.padding &&
+          !isUnknownPacketTag(tag)));
+      return isValidLiteralMessage(normalizedList) ||
+          isValidCompressedMessage(normalizedList) ||
+          isValidEncryptedMessage(normalizedList) ||
+          isValidSignedMessage(normalizedList, acceptPartial);
+  };
+  /**
+   * If `delayReporting === false`, the grammar validator throws as soon as an invalid packet sequence is detected during parsing.
+   * This setting MUST NOT be used when parsing unauthenticated decrypted data, to avoid instantiating decryption oracles.
+   *  Passing `delayReporting === true` allows checking the grammar validity in an async manner, by
+   * only reporting the validity status after parsing is done (i.e. and authentication is expected to
+   * have been enstablished)
+   */
+  const getMessageGrammarValidator = ({ delayReporting }) => {
+      let logged = false;
+      /**
+      * @returns `true` on successful grammar validation; if `delayReporting` is set, `null` is returned
+      *   if validation is still pending (partial parsing, waiting for authentication to be confirmed).
+      * @throws on grammar error, provided `config.enforceGrammar` is enabled.
+      */
+      return (list, isPartial, config) => {
+          if (delayReporting && isPartial)
+              return null; // delay until the full message has been parsed (i.e. authenticated)
+          if (!isValidOpenPGPMessage(list, isPartial)) {
+              const error = new GrammarError(`Data does not respect OpenPGP grammar [${list}]`);
+              if (!logged) {
+                  config.pluggableGrammarErrorReporter?.(error.message);
+                  util.printDebugError(error);
+                  logged = true;
+              }
+              if (config.enforceGrammar) {
+                  throw error;
+              }
+              else {
+                  return true;
+              }
+          }
+          return true;
+      };
+  };
+
   /**
    * Instantiate a new packet given its tag
    * @function newPacketFromTag
@@ -15180,9 +15305,9 @@ var openpgp = (function (exports) {
      * @throws on parsing errors
      * @async
      */
-    static async fromBinary(bytes, allowedPackets, config$1 = config) {
+    static async fromBinary(bytes, allowedPackets, config$1 = config, grammarValidator = null) {
       const packets = new PacketList();
-      await packets.read(bytes, allowedPackets, config$1);
+      await packets.read(bytes, allowedPackets, config$1, grammarValidator);
       return packets;
     }
 
@@ -15191,15 +15316,17 @@ var openpgp = (function (exports) {
      * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - binary data to parse
      * @param {Object} allowedPackets - mapping where keys are allowed packet tags, pointing to their Packet class
      * @param {Object} [config] - full configuration, defaults to openpgp.config
+     * @param {function(enums.packet[], boolean, Object): void} [grammarValidator]
      * @throws on parsing errors
      * @async
      */
-    async read(bytes, allowedPackets, config$1 = config) {
+    async read(bytes, allowedPackets, config$1 = config, grammarValidator = null) {
       if (config$1.additionalAllowedPackets.length) {
         allowedPackets = { ...allowedPackets, ...util.constructAllowedPackets(config$1.additionalAllowedPackets) };
       }
       this.stream = transformPair(bytes, async (readable, writable) => {
         const writer = getWriter(writable);
+        const writtenTags = [];
         try {
           while (true) {
             await writer.ready;
@@ -15217,6 +15344,12 @@ var openpgp = (function (exports) {
                 packet.fromStream = util.isStream(parsed.packet);
                 await packet.read(parsed.packet, config$1);
                 await writer.write(packet);
+                writtenTags.push(parsed.tag);
+                // The `writtenTags` are only sensitive if we are parsing an _unauthenticated_ decrypted stream,
+                // since they can enable an decryption oracle.
+                // It's responsibility of the caller to pass a `grammarValidator` that takes care of
+                // postponing error reporting until the data has been authenticated.
+                grammarValidator?.(writtenTags, true, config$1);
               } catch (e) {
                 // If an implementation encounters a critical packet where the packet type is unknown in a packet sequence,
                 // it MUST reject the whole packet sequence. On the other hand, an unknown non-critical packet MUST be ignored.
@@ -15231,7 +15364,8 @@ var openpgp = (function (exports) {
 
                 const throwUnsupportedError = !config$1.ignoreUnsupportedPackets && e instanceof UnsupportedError;
                 const throwMalformedError = !config$1.ignoreMalformedPackets && !(e instanceof UnsupportedError);
-                if (throwUnsupportedError || throwMalformedError || supportsStreaming(parsed.tag)) {
+                const throwGrammarError = e instanceof GrammarError;
+                if (throwUnsupportedError || throwMalformedError || throwGrammarError || supportsStreaming(parsed.tag)) {
                   // The packets that support streaming are the ones that contain message data.
                   // Those are also the ones we want to be more strict about and throw on parse errors
                   // (since we likely cannot process the message without these packets anyway).
@@ -15239,11 +15373,16 @@ var openpgp = (function (exports) {
                 } else {
                   const unparsedPacket = new UnparseablePacket(parsed.tag, parsed.packet);
                   await writer.write(unparsedPacket);
+                  writtenTags.push(parsed.tag);
+                  grammarValidator?.(writtenTags, true, config$1);
                 }
                 util.printDebugError(e);
               }
             });
             if (done) {
+              // Here we are past the MDC check for SEIPDv1 data, hence
+              // the data is always authenticated at this point.
+              grammarValidator?.(writtenTags, false, config$1);
               await writer.ready;
               await writer.close();
               return;
@@ -15466,7 +15605,8 @@ var openpgp = (function (exports) {
         throw new Error(`${compressionName} decompression not supported`);
       }
 
-      this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets$5, config$1);
+      // Decompressing a Compressed Data packet MUST also yield a valid OpenPGP Message
+      this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets$5, config$1, getMessageGrammarValidator({ enforceDelay: false }));
     }
 
     /**
@@ -15756,16 +15896,23 @@ var openpgp = (function (exports) {
       if (isArrayStream(encrypted)) encrypted = await readToEnd(encrypted);
 
       let packetbytes;
+      let grammarValidator;
       if (this.version === 2) {
         if (this.cipherAlgorithm !== sessionKeyAlgorithm) {
           // sanity check
           throw new Error('Unexpected session key algorithm');
         }
         packetbytes = await runAEAD(this, 'decrypt', key, encrypted);
+        grammarValidator = getMessageGrammarValidator({ delayReporting: false });
       } else {
         const { blockSize } = getCipherParams(sessionKeyAlgorithm);
         const decrypted = await decrypt$1(sessionKeyAlgorithm, key, encrypted, new Uint8Array(blockSize));
 
+        // Grammar validation cannot be run before message integrity has been enstablished,
+        // to avoid leaking info about the unauthenticated message structure.
+        const releaseUnauthenticatedStream = util.isStream(encrypted) && config$1.allowUnauthenticatedStream;
+        grammarValidator = getMessageGrammarValidator({ delayReporting: releaseUnauthenticatedStream });
+
         // there must be a modification detection code packet as the
         // last packet and everything gets hashed except the hash itself
         const realHash = slice(passiveClone(decrypted), -20);
@@ -15777,17 +15924,23 @@ var openpgp = (function (exports) {
           if (!util.equalsUint8Array(hash, mdc)) {
             throw new Error('Modification detected.');
           }
+          // this last chunk comes at the end of the stream passed to Packetlist.read's streamTransformPair,
+          // which can thus be 'done' only after the MDC has been checked.
           return new Uint8Array();
         });
         const bytes = slice(tohash, blockSize + 2); // Remove random prefix
         packetbytes = slice(bytes, 0, -2); // Remove MDC packet
         packetbytes = concat([packetbytes, fromAsync(() => verifyHash)]);
-        if (!util.isStream(encrypted) || !config$1.allowUnauthenticatedStream) {
+        if (!releaseUnauthenticatedStream) {
           packetbytes = await readToEnd(packetbytes);
         }
       }
 
-      this.packets = await PacketList.fromBinary(packetbytes, allowedPackets$4, config$1);
+      // - Decrypting a version 1 Symmetrically Encrypted and Integrity Protected Data packet
+      // MUST yield a valid OpenPGP Message.
+      // - Decrypting a version 2 Symmetrically Encrypted and Integrity Protected Data packet
+      // MUST yield a valid Optionally Padded Message.
+      this.packets = await PacketList.fromBinary(packetbytes, allowedPackets$4, config$1, grammarValidator);
       return true;
     }
   }
@@ -16002,7 +16155,8 @@ var openpgp = (function (exports) {
       this.packets = await PacketList.fromBinary(
         await runAEAD(this, 'decrypt', key, clone(this.encrypted)),
         allowedPackets$3,
-        config$1
+        config$1,
+        getMessageGrammarValidator({ enforceDelay: false })
       );
     }
 
@@ -16929,6 +17083,10 @@ var openpgp = (function (exports) {
         encrypted.subarray(2, blockSize + 2)
       );
 
+      // Decrypting a Symmetrically Encrypted Data packet MUST yield a valid OpenPGP Message.
+      // But due to the lack of authentication over the decrypted data,
+      // we do not run any grammarValidator, to avoid enabling a decryption oracle
+      // (plus, there is probably a higher chance that these messages have an expected structure).
       this.packets = await PacketList.fromBinary(decrypted, allowedPackets$2, config$1);
     }
 
@@ -21531,7 +21689,7 @@ var openpgp = (function (exports) {
       }
       input = data;
     }
-    const packetlist = await PacketList.fromBinary(input, allowedMessagePackets, config$1);
+    const packetlist = await PacketList.fromBinary(input, allowedMessagePackets, config$1, getMessageGrammarValidator({ delayReporting: false }));
     const message = new Message(packetlist);
     message.fromStream = streamType;
     return message;
@@ -22151,7 +22309,7 @@ var openpgp = (function (exports) {
       result.signatures = signature ? await decrypted.verifyDetached(signature, verificationKeys, date, config$1) : await decrypted.verify(verificationKeys, date, config$1);
       result.data = format === 'binary' ? decrypted.getLiteralData() : decrypted.getText();
       result.filename = decrypted.getFilename();
-      linkStreams(result, message);
+      linkStreams(result, message, ...new Set([decrypted, decrypted.unwrapCompressed()]));
       if (expectSigned) {
         if (verificationKeys.length === 0) {
           throw new Error('Verification keys are required to verify message signatures');
@@ -22286,7 +22444,9 @@ var openpgp = (function (exports) {
         result.signatures = await message.verify(verificationKeys, date, config$1);
       }
       result.data = format === 'binary' ? message.getLiteralData() : message.getText();
-      if (message.fromStream && !signature) linkStreams(result, message);
+      if (message.fromStream && !signature) {
+        linkStreams(result, ...new Set([message, message.unwrapCompressed()]));
+      }
       if (expectSigned) {
         if (result.signatures.length === 0) {
           throw new Error('Message is not signed');
@@ -22483,22 +22643,25 @@ var openpgp = (function (exports) {
   }
 
   /**
-   * Link result.data to the message stream for cancellation.
-   * Also, forward errors in the message to result.data.
+   * Link result.data to the input message stream for cancellation.
+   * Also, forward errors in the input message and intermediate messages to result.data.
    * @param {Object} result - the data to convert
-   * @param {Message} message - message object
+   * @param {Message} message - message object provided by the user
+   * @param {Message} intermediateMessages - intermediate message object with packet streams to link
    * @returns {Object}
    * @private
    */
-  function linkStreams(result, message) {
-    result.data = transformPair(message.packets.stream, async (readable, writable) => {
+  function linkStreams(result, inputMessage, ...intermediateMessages) {
+    result.data = transformPair(inputMessage.packets.stream, async (readable, writable) => {
       await pipe(result.data, writable, {
         preventClose: true
       });
       const writer = getWriter(writable);
       try {
-        // Forward errors in the message stream to result.data.
+        // Forward errors in the message streams to result.data.
         await readToEnd(readable, _ => _);
+        await Promise.all(intermediateMessages.map(intermediate => readToEnd(intermediate.packets.stream, _ => _)));
+        // if result.data throws, the writable will be in errored state, and `close()` fails, but its ok.
         await writer.close();
       } catch (e) {
         await writer.abort(e);
@@ -31065,6 +31228,7 @@ var openpgp = (function (exports) {
   exports.Argon2S2K = Argon2S2K;
   exports.CleartextMessage = CleartextMessage;
   exports.CompressedDataPacket = CompressedDataPacket;
+  exports.GrammarError = GrammarError;
   exports.KDFParams = KDFParams;
   exports.LiteralDataPacket = LiteralDataPacket;
   exports.MarkerPacket = MarkerPacket;