@protontech/openpgp 6.1.1-patch.0 → 6.1.1-patch.2

package/dist/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.0 - 2025-02-12 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 function _mergeNamespaces(n, m) {
@@ -1545,6 +1545,8 @@ var config = {
    * by v6 keys and v6 signatures, respectively.
    * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,
    * hence parsing them might be necessary in some cases.
+   * @memberof module:config
+   * @property {Boolean} enableParsingV5Entities
    */
   enableParsingV5Entities: false,
   /**
@@ -1681,10 +1683,22 @@ var config = {
    * @property {Boolean} ignoreMalformedPackets Ignore malformed packets on parsing instead of throwing an error
    */
   ignoreMalformedPackets: false,
+  /**
+   * @memberof module:config
+   * @property {Boolean} enforceGrammar whether parsed OpenPGP messages must comform to the OpenPGP grammar
+   *    defined in https://www.rfc-editor.org/rfc/rfc9580.html#name-openpgp-messages .
+   */
+  enforceGrammar: true,
+  /**
+   * @memberof module:config
+   * @property {function(string): any} pluggableGrammarErrorReporter callback meant to collect GrammarError reports even with `config.enforceGrammar` disabled.
+   */
+  pluggableGrammarErrorReporter: null,
   /**
    * Parsing of packets is normally restricted to a predefined set of packets. For example a Sym. Encrypted Integrity Protected Data Packet can only
    * contain a certain set of packets including LiteralDataPacket. With this setting we can allow additional packets, which is probably not advisable
    * as a global config setting, but can be used for specific function calls (e.g. decrypt method of Message).
+   * NB: `config.enforceGrammar` may need to be disabled as well.
    * @memberof module:config
    * @property {Array} additionalAllowedPackets Allow additional packets on parsing. Defined as array of packet classes, e.g. [PublicKeyPacket]
    */
@@ -1703,7 +1717,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.1.1-patch.0',
+  versionString: 'OpenPGP.js 6.1.1-patch.2',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -2076,6 +2090,21 @@ const util = {
     return true;
   },
 
+  /**
+   * Same as Array.findLastIndex, which is not supported on Safari 14 .
+   * @param {Array} arr
+   * @param {function(element, index, arr): boolean} findFn
+   * @return index of last element matching `findFn`, -1 if not found
+   */
+  findLastIndex: function(arr, findFn) {
+    for (let i = arr.length; i >= 0; i--) {
+      if (findFn(arr[i], i, arr)) {
+        return i;
+      }
+    }
+    return -1;
+  },
+
   /**
    * Calculates a 16bit sum of a Uint8Array by adding each character
    * codes modulus 65535
@@ -6895,11 +6924,7 @@ async function generate$a(algo) {
           seed: b64ToUint8Array(privateKey.d, true)
         };
       } catch (err) {
-        if (
-          err.name !== 'NotSupportedError' &&
-          err.name !== 'OperationError' && // Temporary (hopefully) fix for WebKit on Linux
-          err.name !== 'SyntaxError' // Temporary fix for Palemoon throwing 'SyntaxError'
-        ) {
+        if (err.name !== 'NotSupportedError' && err.name !== 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
           throw err;
         }
         const seed = getRandomBytes(getPayloadSize$1(algo));
@@ -6951,7 +6976,7 @@ async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
 
         return { RS: signature };
       } catch (err) {
-        if (err.name !== 'NotSupportedError' && err.name !== 'SyntaxError') { // Temporary fix for Palemoon throwing 'SyntaxError'
+        if (err.name !== 'NotSupportedError') {
           throw err;
         }
         const secretKey = util.concatUint8Array([privateKey, publicKey]);
@@ -6997,7 +7022,7 @@ async function verify$9(algo, hashAlgo, { RS }, m, publicKey, hashed) {
         const verified = await webCrypto.verify('Ed25519', key, RS, hashed);
         return verified;
       } catch (err) {
-        if (err.name !== 'NotSupportedError' && err.name !== 'SyntaxError') { // Temporary fix for Palemoon throwing 'SyntaxError'
+        if (err.name !== 'NotSupportedError') {
           throw err;
         }
         return verify$a(RS, hashed, publicKey);
@@ -15138,6 +15163,106 @@ OnePassSignaturePacket.prototype.hash = SignaturePacket.prototype.hash;
 OnePassSignaturePacket.prototype.toHash = SignaturePacket.prototype.toHash;
 OnePassSignaturePacket.prototype.toSign = SignaturePacket.prototype.toSign;
 
+class GrammarError extends Error {
+    constructor(...params) {
+        super(...params);
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, GrammarError);
+        }
+        this.name = 'GrammarError';
+    }
+}
+const isValidLiteralMessage = (tagList, _acceptPartial) => tagList.length === 1 && tagList[0] === enums.packet.literalData;
+const isValidCompressedMessage = (tagList, _acceptPartial) => tagList.length === 1 && tagList[0] === enums.packet.compressedData;
+const isValidEncryptedMessage = (tagList, acceptPartial) => {
+    // Encrypted Message: Encrypted Data | ESK Sequence, Encrypted Data.
+    const isValidESKSequence = (tagList, _acceptPartial) => (tagList.every(packetTag => new Set([enums.packet.publicKeyEncryptedSessionKey, enums.packet.symEncryptedSessionKey]).has(packetTag)));
+    const encryptedDataPacketIndex = tagList.findIndex(tag => new Set([enums.packet.aeadEncryptedData, enums.packet.symmetricallyEncryptedData, enums.packet.symEncryptedIntegrityProtectedData]).has(tag));
+    if (encryptedDataPacketIndex < 0) {
+        return isValidESKSequence(tagList);
+    }
+    return (encryptedDataPacketIndex === tagList.length - 1) &&
+        isValidESKSequence(tagList.slice(0, encryptedDataPacketIndex));
+};
+const isValidSignedMessage = (tagList, acceptPartial) => {
+    // Signature Packet, OpenPGP Message | One-Pass Signed Message.
+    if (tagList.findIndex(tag => tag === enums.packet.signature) === 0) {
+        return isValidOpenPGPMessage(tagList.slice(1), acceptPartial);
+    }
+    // One-Pass Signed Message:
+    //    One-Pass Signature Packet, OpenPGP Message, Corresponding Signature Packet.
+    if (tagList.findIndex(tag => tag === enums.packet.onePassSignature) === 0) {
+        const correspondingSigPacketIndex = util.findLastIndex(tagList, tag => tag === enums.packet.signature);
+        if (correspondingSigPacketIndex !== tagList.length - 1 && !acceptPartial) {
+            return false;
+        }
+        return isValidOpenPGPMessage(tagList.slice(1, correspondingSigPacketIndex < 0 ? undefined : correspondingSigPacketIndex), acceptPartial);
+    }
+    return false;
+};
+const isUnknownPacketTag = (tag) => {
+    try {
+        enums.read(enums.packet, tag);
+        return false;
+    }
+    catch (e) {
+        return true;
+    }
+};
+/**
+ * Implements grammar checks based on https://www.rfc-editor.org/rfc/rfc9580.html#section-10.3 .
+ * @param notNormalizedList - list of packet tags to validate
+ * @param acceptPartial - whether the list of tags corresponds to a partially-parsed message
+ * @returns whether the list of tags is valid
+ */
+const isValidOpenPGPMessage = (notNormalizedList /** might have unknown tags */, acceptPartial) => {
+    // Take care of packet tags that can appear anywhere in the sequence:
+    // 1. A Marker packet (Section 5.8) can appear anywhere in the sequence.
+    // 2. An implementation MUST be able to process Padding packets anywhere else in an OpenPGP stream so that future revisions of this document may specify further locations for padding.
+    // 3. An unknown non-critical packet MUST be ignored (criticality is enforced on parsing).
+    const normalizedList = notNormalizedList.filter(tag => (tag !== enums.packet.marker &&
+        tag !== enums.packet.padding &&
+        !isUnknownPacketTag(tag)));
+    return isValidLiteralMessage(normalizedList) ||
+        isValidCompressedMessage(normalizedList) ||
+        isValidEncryptedMessage(normalizedList) ||
+        isValidSignedMessage(normalizedList, acceptPartial);
+};
+/**
+ * If `delayReporting === false`, the grammar validator throws as soon as an invalid packet sequence is detected during parsing.
+ * This setting MUST NOT be used when parsing unauthenticated decrypted data, to avoid instantiating decryption oracles.
+ *  Passing `delayReporting === true` allows checking the grammar validity in an async manner, by
+ * only reporting the validity status after parsing is done (i.e. and authentication is expected to
+ * have been enstablished)
+ */
+const getMessageGrammarValidator = ({ delayReporting }) => {
+    let logged = false;
+    /**
+    * @returns `true` on successful grammar validation; if `delayReporting` is set, `null` is returned
+    *   if validation is still pending (partial parsing, waiting for authentication to be confirmed).
+    * @throws on grammar error, provided `config.enforceGrammar` is enabled.
+    */
+    return (list, isPartial, config) => {
+        if (delayReporting && isPartial)
+            return null; // delay until the full message has been parsed (i.e. authenticated)
+        if (!isValidOpenPGPMessage(list, isPartial)) {
+            const error = new GrammarError(`Data does not respect OpenPGP grammar [${list}]`);
+            if (!logged) {
+                config.pluggableGrammarErrorReporter?.(error.message);
+                util.printDebugError(error);
+                logged = true;
+            }
+            if (config.enforceGrammar) {
+                throw error;
+            }
+            else {
+                return true;
+            }
+        }
+        return true;
+    };
+};
+
 /**
  * Instantiate a new packet given its tag
  * @function newPacketFromTag
@@ -15177,9 +15302,9 @@ class PacketList extends Array {
    * @throws on parsing errors
    * @async
    */
-  static async fromBinary(bytes, allowedPackets, config$1 = config) {
+  static async fromBinary(bytes, allowedPackets, config$1 = config, grammarValidator = null) {
     const packets = new PacketList();
-    await packets.read(bytes, allowedPackets, config$1);
+    await packets.read(bytes, allowedPackets, config$1, grammarValidator);
     return packets;
   }
 
@@ -15188,15 +15313,17 @@ class PacketList extends Array {
    * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - binary data to parse
    * @param {Object} allowedPackets - mapping where keys are allowed packet tags, pointing to their Packet class
    * @param {Object} [config] - full configuration, defaults to openpgp.config
+   * @param {function(enums.packet[], boolean, Object): void} [grammarValidator]
    * @throws on parsing errors
    * @async
    */
-  async read(bytes, allowedPackets, config$1 = config) {
+  async read(bytes, allowedPackets, config$1 = config, grammarValidator = null) {
     if (config$1.additionalAllowedPackets.length) {
       allowedPackets = { ...allowedPackets, ...util.constructAllowedPackets(config$1.additionalAllowedPackets) };
     }
     this.stream = transformPair(bytes, async (readable, writable) => {
       const writer = getWriter(writable);
+      const writtenTags = [];
       try {
         while (true) {
           await writer.ready;
@@ -15214,6 +15341,12 @@ class PacketList extends Array {
               packet.fromStream = util.isStream(parsed.packet);
               await packet.read(parsed.packet, config$1);
               await writer.write(packet);
+              writtenTags.push(parsed.tag);
+              // The `writtenTags` are only sensitive if we are parsing an _unauthenticated_ decrypted stream,
+              // since they can enable an decryption oracle.
+              // It's responsibility of the caller to pass a `grammarValidator` that takes care of
+              // postponing error reporting until the data has been authenticated.
+              grammarValidator?.(writtenTags, true, config$1);
             } catch (e) {
               // If an implementation encounters a critical packet where the packet type is unknown in a packet sequence,
               // it MUST reject the whole packet sequence. On the other hand, an unknown non-critical packet MUST be ignored.
@@ -15228,7 +15361,8 @@ class PacketList extends Array {
 
               const throwUnsupportedError = !config$1.ignoreUnsupportedPackets && e instanceof UnsupportedError;
               const throwMalformedError = !config$1.ignoreMalformedPackets && !(e instanceof UnsupportedError);
-              if (throwUnsupportedError || throwMalformedError || supportsStreaming(parsed.tag)) {
+              const throwGrammarError = e instanceof GrammarError;
+              if (throwUnsupportedError || throwMalformedError || throwGrammarError || supportsStreaming(parsed.tag)) {
                 // The packets that support streaming are the ones that contain message data.
                 // Those are also the ones we want to be more strict about and throw on parse errors
                 // (since we likely cannot process the message without these packets anyway).
@@ -15236,11 +15370,16 @@ class PacketList extends Array {
               } else {
                 const unparsedPacket = new UnparseablePacket(parsed.tag, parsed.packet);
                 await writer.write(unparsedPacket);
+                writtenTags.push(parsed.tag);
+                grammarValidator?.(writtenTags, true, config$1);
               }
               util.printDebugError(e);
             }
           });
           if (done) {
+            // Here we are past the MDC check for SEIPDv1 data, hence
+            // the data is always authenticated at this point.
+            grammarValidator?.(writtenTags, false, config$1);
             await writer.ready;
             await writer.close();
             return;
@@ -15463,7 +15602,8 @@ class CompressedDataPacket {
       throw new Error(`${compressionName} decompression not supported`);
     }
 
-    this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets$5, config$1);
+    // Decompressing a Compressed Data packet MUST also yield a valid OpenPGP Message
+    this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets$5, config$1, getMessageGrammarValidator({ enforceDelay: false }));
   }
 
   /**
@@ -15753,16 +15893,23 @@ class SymEncryptedIntegrityProtectedDataPacket {
     if (isArrayStream(encrypted)) encrypted = await readToEnd(encrypted);
 
     let packetbytes;
+    let grammarValidator;
     if (this.version === 2) {
       if (this.cipherAlgorithm !== sessionKeyAlgorithm) {
         // sanity check
         throw new Error('Unexpected session key algorithm');
       }
       packetbytes = await runAEAD(this, 'decrypt', key, encrypted);
+      grammarValidator = getMessageGrammarValidator({ delayReporting: false });
     } else {
       const { blockSize } = getCipherParams(sessionKeyAlgorithm);
       const decrypted = await decrypt$1(sessionKeyAlgorithm, key, encrypted, new Uint8Array(blockSize));
 
+      // Grammar validation cannot be run before message integrity has been enstablished,
+      // to avoid leaking info about the unauthenticated message structure.
+      const releaseUnauthenticatedStream = util.isStream(encrypted) && config$1.allowUnauthenticatedStream;
+      grammarValidator = getMessageGrammarValidator({ delayReporting: releaseUnauthenticatedStream });
+
       // there must be a modification detection code packet as the
       // last packet and everything gets hashed except the hash itself
       const realHash = slice(passiveClone(decrypted), -20);
@@ -15774,17 +15921,23 @@ class SymEncryptedIntegrityProtectedDataPacket {
         if (!util.equalsUint8Array(hash, mdc)) {
           throw new Error('Modification detected.');
         }
+        // this last chunk comes at the end of the stream passed to Packetlist.read's streamTransformPair,
+        // which can thus be 'done' only after the MDC has been checked.
         return new Uint8Array();
       });
       const bytes = slice(tohash, blockSize + 2); // Remove random prefix
       packetbytes = slice(bytes, 0, -2); // Remove MDC packet
       packetbytes = concat([packetbytes, fromAsync(() => verifyHash)]);
-      if (!util.isStream(encrypted) || !config$1.allowUnauthenticatedStream) {
+      if (!releaseUnauthenticatedStream) {
         packetbytes = await readToEnd(packetbytes);
       }
     }
 
-    this.packets = await PacketList.fromBinary(packetbytes, allowedPackets$4, config$1);
+    // - Decrypting a version 1 Symmetrically Encrypted and Integrity Protected Data packet
+    // MUST yield a valid OpenPGP Message.
+    // - Decrypting a version 2 Symmetrically Encrypted and Integrity Protected Data packet
+    // MUST yield a valid Optionally Padded Message.
+    this.packets = await PacketList.fromBinary(packetbytes, allowedPackets$4, config$1, grammarValidator);
     return true;
   }
 }
@@ -15999,7 +16152,8 @@ class AEADEncryptedDataPacket {
     this.packets = await PacketList.fromBinary(
       await runAEAD(this, 'decrypt', key, clone(this.encrypted)),
       allowedPackets$3,
-      config$1
+      config$1,
+      getMessageGrammarValidator({ enforceDelay: false })
     );
   }
 
@@ -16926,6 +17080,10 @@ class SymmetricallyEncryptedDataPacket {
       encrypted.subarray(2, blockSize + 2)
     );
 
+    // Decrypting a Symmetrically Encrypted Data packet MUST yield a valid OpenPGP Message.
+    // But due to the lack of authentication over the decrypted data,
+    // we do not run any grammarValidator, to avoid enabling a decryption oracle
+    // (plus, there is probably a higher chance that these messages have an expected structure).
     this.packets = await PacketList.fromBinary(decrypted, allowedPackets$2, config$1);
   }
 
@@ -21528,7 +21686,7 @@ async function readMessage({ armoredMessage, binaryMessage, config: config$1, ..
     }
     input = data;
   }
-  const packetlist = await PacketList.fromBinary(input, allowedMessagePackets, config$1);
+  const packetlist = await PacketList.fromBinary(input, allowedMessagePackets, config$1, getMessageGrammarValidator({ delayReporting: false }));
   const message = new Message(packetlist);
   message.fromStream = streamType;
   return message;
@@ -22148,7 +22306,7 @@ async function decrypt({ message, decryptionKeys, passwords, sessionKeys, verifi
     result.signatures = signature ? await decrypted.verifyDetached(signature, verificationKeys, date, config$1) : await decrypted.verify(verificationKeys, date, config$1);
     result.data = format === 'binary' ? decrypted.getLiteralData() : decrypted.getText();
     result.filename = decrypted.getFilename();
-    linkStreams(result, message);
+    linkStreams(result, message, ...new Set([decrypted, decrypted.unwrapCompressed()]));
     if (expectSigned) {
       if (verificationKeys.length === 0) {
         throw new Error('Verification keys are required to verify message signatures');
@@ -22283,7 +22441,9 @@ async function verify({ message, verificationKeys, expectSigned = false, format
       result.signatures = await message.verify(verificationKeys, date, config$1);
     }
     result.data = format === 'binary' ? message.getLiteralData() : message.getText();
-    if (message.fromStream && !signature) linkStreams(result, message);
+    if (message.fromStream && !signature) {
+      linkStreams(result, ...new Set([message, message.unwrapCompressed()]));
+    }
     if (expectSigned) {
       if (result.signatures.length === 0) {
         throw new Error('Message is not signed');
@@ -22480,22 +22640,25 @@ async function convertStream(data) {
 }
 
 /**
- * Link result.data to the message stream for cancellation.
- * Also, forward errors in the message to result.data.
+ * Link result.data to the input message stream for cancellation.
+ * Also, forward errors in the input message and intermediate messages to result.data.
  * @param {Object} result - the data to convert
- * @param {Message} message - message object
+ * @param {Message} message - message object provided by the user
+ * @param {Message} intermediateMessages - intermediate message object with packet streams to link
  * @returns {Object}
  * @private
  */
-function linkStreams(result, message) {
-  result.data = transformPair(message.packets.stream, async (readable, writable) => {
+function linkStreams(result, inputMessage, ...intermediateMessages) {
+  result.data = transformPair(inputMessage.packets.stream, async (readable, writable) => {
     await pipe(result.data, writable, {
       preventClose: true
     });
     const writer = getWriter(writable);
     try {
-      // Forward errors in the message stream to result.data.
+      // Forward errors in the message streams to result.data.
       await readToEnd(readable, _ => _);
+      await Promise.all(intermediateMessages.map(intermediate => readToEnd(intermediate.packets.stream, _ => _)));
+      // if result.data throws, the writable will be in errored state, and `close()` fails, but its ok.
       await writer.close();
     } catch (e) {
       await writer.abort(e);
@@ -31057,4 +31220,4 @@ var index = /*#__PURE__*/_mergeNamespaces({
   __proto__: null
 }, [lib]);
 
-export { AEADEncryptedDataPacket, Argon2OutOfMemoryError, Argon2S2K, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PaddingPacket, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt, decryptKey, decryptSessionKeys, encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign, unarmor, verify };
+export { AEADEncryptedDataPacket, Argon2OutOfMemoryError, Argon2S2K, CleartextMessage, CompressedDataPacket, GrammarError, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PaddingPacket, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt, decryptKey, decryptSessionKeys, encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign, unarmor, verify };