passbolt-browser-extension 5.1.0 → 5.1.1

package/CHANGELOG.md

@@ -4,6 +4,18 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [5.1.1] - 2025-05-21
+
+### Added
+- PB-41365 Support options for ECC Key generation
+
+### Fixed
+- PB-41760 On some conditions, scrollbars can appear and break the design
+- PB-42561 The folder tree caret when scrolling appeared in the wrong orientation
+
+### Security
+- PB-42613 Upgrade browser extension OpenPGP.js to the latest version
+
 ## [5.1.0] - 2025-05-12
 
 ### Added
@@ -2153,7 +2165,8 @@ self registration settings option in the left-side bar
 - LU: Logged in user
 
 ## [4.12.0] - 2024-03-10
-[Unreleased]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.1.0...HEAD
+[Unreleased]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.1.1...HEAD
+[5.1.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.1.0...v5.1.1
 [5.1.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.0.1...v5.1.0
 [5.0.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.0.0...v5.0.1
 [5.0.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v4.12.0...v5.0.0

package/RELEASE_NOTES.md

@@ -1,84 +1,19 @@
-Song: https://www.youtube.com/watch?v=d9WHUTKMD8k
+Song: https://www.youtube.com/watch?v=Nbav4oWMqEY
 
-The 5.1 release adds support for encrypted resource metadata features as an opt-in feature. Early adopters can turn it on, test real-world workflows and feed back improvements, while more cautious teams, or teams with a lot of custom integrations, can wait until they are ready.
+Passbolt v5.1.1 is a security release that upgrades the OpenPGP.js library to address a recently discovered vulnerability. While the impact of this issue is minimal, OpenPGP.js is a cornerstone of the extension, so the update is essential.
 
-This is a major milestone for the product, further extending Passbolt’s security model to improve confidentiality for the contextual information surrounding credentials. This means that metadata such as names, login URLs, and similar fields are now also cryptographically protected. As is customary for high-risk security features, this implementation has been audited by security researchers from Cure53 with a public report publication coming soon.
+The release also includes fixes for several bugs reported by the community after the major v5 redesign.
 
-To ensure a smooth and cautious rollout, the feature is released in beta with v5.1 and is scheduled for stable release in v5.2. If you want to know more about how to enable it and start testing, a blog article published shortly, will provide a step-by-step guidance on how to activate the feature and a deeper dive into what’s changed.
+As always, thank you to everyone who provided bug reports and feedback, and a special thanks to the OpenPGP.js team for the timely heads-up and patch.
 
-Additionally, the password expiry feature is now enabled by default for new installations. This capability is considered a security best practice, helping organizations enforce rotation policies and mitigate risks associated with long-lived shared credentials. For existing instances, administrators can enable this feature manually from the administration workspace. To learn more, check out the blog article: [Passbolt’s New Automation of Shared Passwords Expiry](https://www.passbolt.com/blog/passbolts-new-automation-of-shared-passwords-expiry).
-
-As usual, this release also includes a few bug fixes and performance improvements, like a faster folder tree that handles 5,000+ folders for the ones that are running a tight ship.
-
-As always, thank you to our community for your feedback, contributions, and bug reports. A special thanks to the CakePHP maintainers for the fast post v5 upgrade support!
 
 ### Added
-- PB-41340 Add dedicated input to fix autofill on specific website
-- PB-41734 SPKD-1.1 Rename metadata private key getter/setter dataSignedByCurrentUser & ensure constructor pass options to its parent class to ensure validation can be disabled
-- PB-41735 SPKD-1.2 Verify the metadata public key entity fingerprint is equal to the  armored key fingerprint in FindMetadataKeysService findAll
-- PB-41737 SPKD-1.3 Verify metadata private  key data entity fingerprint with armored key fingerprint in DecryptMetadataPrivateKeysService decryptOne
-- PB-41738 SPKD-1.4 Assert metadata keys collection fingerprints public/private integrity in DecryptMetadataPrivateKeysService decryptAllFromMetadataKeysCollection
-- PB-41739 SPKD-1.5 Adapt DecryptMessageService.decrypt to return the raw OpenPGP decryption result, including signatures, without throwing an error when signature verification fails
-- PB-41740 SPKD-1.7 Implement findVerifiedSignatureForGpgKey in src/all/background_page/service/crypto/findSignatures utils to retrieve a signature for a given OpenPGP key
-- PB-41741 SPKD-1.8 Check current user signature when decrypting Metadata Private Key Data
-- PB-41742 SPKD-1.6 Implement ExternalGpgSignatureEntity to carry OpenPGP signature data
-- PB-41743 SPKD-1.9 Implement MetadataTrustedKeyEntity to carry the information relative to a trusted metadata key
-- PB-41744 SPKD-1.10 Implement TrustedMetadataKeyLocalStorage to support the persistence of the trusted metadata key
-- PB-41746 SPKD-2.1 Implement bext ConfirmMetadataKeyContentCodeService to request user to confirm trusted metadata keys changes
-- PB-41747 SPKD-2.2 Implement confirm metadata key event handler and dialog on the web application
-- PB-41748 SPKD-2.3 Implement confirm metadata key event handler and dialog on the quick application
-- PB-41749 SPKD-2.4 Implement GetMetadataTrustedKeyService get to retrieve the trusted metadata key from the local storage
-- PB-41753 SPKD-2.8 Implement VerifyOrTrustMetadataKeyService verifyTrustedOrTrustNewMetadataKey to verify that the current active metadata key is trusted or request the user to trust it
-- PB-41750 SPKD-2.5 Implement MetadataPrivateKeyApiService update to update a trusted metadata key on the API
-- PB-41751 SPKD-2.6 Implement UpdateMetadataKeyPrivateService update function to update a trusted metadata key
-- PB-41752 SPKD-2.7 Implement TrustMetadataKeyService trust to trust a new metadata key
-- PB-41847 SPKD-2.18 Add creator field to metadataKeyEntity test data
-- PB-41916 SPKD-2.19 Flush Metadata Keys Settings storage when a user is signed-out
-- PB-41918 SPKD-2.20 Adapt EncryptMessageService.encrypt so that it can sign a message with a specified date
-- PB-41919 SPKD-2.21 Adapt EncryptMetadataPrivateKeysService.encryptOne so that it can sign a message with a specified date
-- PB-41958 SPKD-2.10 Verify and trust metadata key prior to encrypt metadata
-- PB-41961 SPKD-2.21 Add in diagram TrustMetadataKeyService
-- PB-41962 SPKD-2.22 Add unit test and in the diagram for VerifyOrTrustMetadataKeyService
+- PB-41365 Support options for ECC Key generation
+
 
 ### Fixed
-- PB-35383 refresh folders list after delete parent folder and keep items inside
-- PB-39607 metadata migration should encrypt metadata with user's key when encrypting a personal resource
-- PB-40181 The session keys cache items are missing modified field
-- PB-41296 on a fresh install + first login after setup (firefox + debian) going to the user workspace crashes as roles are not defined
-- PB-41304 import password errors (UAT required & fix)
-- PB-41305 clicking on folder parent in location of a resource in the right sidebar just close the panel
-- PB-41407 account recovery in user profile can crash when clicking on review
-- PB-41638 Hide administration workspace shifter on desktop app
-- PB-41716 Permalink when paste in url and local storage is not loaded yet
-- PB-41753 safer key public distribution confirmation in quickaccess
-- PB-41776 password input with show icon can display a broken UI
-- PB-41841 user workspace displays a blank screen when accessing a user's URL directly from the browser
-- PB-41846 Other type resource dialog TOTP does not open a TOTP but a password + totp
-- PB-42030 'where to find my account kit' does no open the browser for help
-- PB-42033 design of security token in input field could be broken with some characters
-- PB-42046 set empty translations with their default string
-- PB-42105 import of resources process always uses shared metadata key instead of personal key
-- PB-42106 throw an error while decrypting resource metadata if the decrypted metadata object type is not valid
-- PB-41378 UI minor bug: multiple resource select, right sidebar cropped
-- PB-41435 Display the folder context menu above the “More” button
-- PB-41551 Show a disabled style when dragging an item over an invalid drop target
-- PB-41550 Refresh the folder tree after the folder‑hierarchy cache updates (order issue)
-- PB-41627 UI bug: Note formatting in the right sidebar
-- PB-41759 Browser extension should enforce object_type on metadata of resource creation / edition
+- PB-41760 On some conditions, scrollbars can appear and break the design
+- PB-42561 The folder tree caret when scrolling appeared in the wrong orientation
 
-### Maintenance
-- PB-38199 Update administration page Role-Based Access Control save behavior
-- PB-41346 Remove mfa settings screens from API
-- PB-41366 ECC-1.1 Update browser extension outdated OpenPGP.js to version 6
-- PB-41384 Upgrade vulnerable lib on bext 'image-size'
-- PB-41385 2.1 Display react list for folder tree
-- PB-41386 2.2 Folders updated should be refreshed in the folder tree
-- PB-41387 2.3 Navigate to a folder form route should scroll the folder tree to see the selected folder
-- PB-41388 2.4 Update the padding according to the depth of the folder
-- PB-41414 WP4-14.2 Migrate import account kit screen
-- PB-41646 UI adjustment: All tables should have a 0.8rem gap
-- PB-41648 UI adjustment: Name column size in grid should be large by default
-- PB-41647 UI adjustment: All dialog & setting primary should have a regular font weight
-- PB-41653 UI adjustment: Grid select column, padding left & right 1.6rem
-- PB-41709 Add activity diagram to verify metadata keys
-- PB-41720 Add licence on SVG in the folder svg on the styleguide
+### Security
+- PB-42613 Upgrade browser extension OpenPGP.js to the latest version

package/doc/browser-extension-class-diagram.md

@@ -529,7 +529,7 @@ classDiagram
             -string props.expires
             -string props.created
             -string props.algorithm
-            -number props.length
+            -integer props.length
             -string props.curve
             -boolean props.private
             -boolean props.revoked
@@ -541,7 +541,7 @@ classDiagram
             +get isValid() boolean
             +get created() string
             +get algorithm() string
-            +get length() number
+            +get length() integer
             +get curve() string
             +get revoked() boolean
             +get private() boolean
@@ -562,28 +562,6 @@ classDiagram
             +get created() string
         }
 
-        class GpgkeyEntity {
-            -uuid props.id
-            -uuid props.user_id
-            -string props.fingerprint
-            -string props.armored_key
-            -boolean props.deleted
-            -string props.type
-            -string props.uid
-            -integer props.bits
-            -string props.key_created
-            -string props.expires
-            -string props.created
-            -string props.modified
-            +get id() string
-            +get userId() string
-            +get armoredKey() string
-            +get fingerprint() boolean
-            +get created() string
-            +get modified() string
-            +get isDeleted() boolean
-        }
-
         class GroupsUsersCollection {
             +getById(string id) GroupUserEntity
             +getGroupUserByUserId(string userId) GroupUserEntity
@@ -931,6 +909,99 @@ classDiagram
         }
     }
 
+    namespace GpgKeyNs {
+    %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+    %% GpgKey controllers
+    %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+        class GenerateSetupKeyPairController {
+            +exec(object generateGpgKeyDto) Promise
+        }
+
+        class AccountRecoveryGenerateOrganizationKeyController {
+            +exec(generateGpgKeyPairOptionsDto object) Promise~ExternalGpgKeyPairEntity~
+        }
+
+    %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+    %% GpgKey services
+    %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+        class FindUserKeyPoliciesSettingsService {
+            +findSettingsAsGuest(userId string, authenticationToken string) Promise~UserKeyPoliciesSettingsEntity~
+        }
+
+    %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+    %% GpgKey models
+    %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+        class UserKeyPoliciesSettingsApiService {
+            +findSettingsAsGuest(userId string, authenticationToken string) Promise~object~
+        }
+
+        class UserKeyPoliciesSettingsEntity {
+            -string props.preferred_key_type
+            -string props.source
+
+            +get preferredKeyType() string
+            +get source() string|null
+
+            +createFromDefault(data: object)$ UserKeyPoliciesSettingsEntity
+        }
+
+        class GenerateGpgKeyPairOptionsEntity {
+            -string props.preferred_key_type
+            -string props.source
+            -string props.name
+            -string props.email
+            -string props.passphrase
+            -string props.type
+            -integer props.keySize
+            -string props.curve
+            -integer props.date
+
+            +toGenerateOpenpgpKeyDto() object
+            +get userId() string
+            +get name() string
+            +get email() string
+            +get type() string
+            +get passphrase() string
+            +get curve() string|null
+            +get rsaBits() integer|null
+            +get date() Date
+            +createForUserKeyGeneration(apiGpgKeyType string, generateGpgKeyPairDto object)$ GenerateGpgKeyPairOptionsEntity
+            +createForOrkKeyGeneration(generateGpgKeyPairDto object)$ GenerateGpgKeyPairOptionsEntity
+            +get ENTITY_NAME() string
+            +get DEFAULT_RSA_KEY_SIZE() integer
+            +get DEFAULT_KEY_TYPE() string
+            +get DEFAULT_ECC_KEY_CURVE() string
+            +get KEY_TYPE_RSA() string
+            +get KEY_TYPE_ECC() string
+            +get KEY_CURVE_ED25519() string
+        }
+
+        class GpgkeyEntity {
+            -uuid props.id
+            -uuid props.user_id
+            -string props.fingerprint
+            -string props.armored_key
+            -boolean props.deleted
+            -string props.type
+            -string props.uid
+            -integer props.bits
+            -string props.key_created
+            -string props.expires
+            -string props.created
+            -string props.modified
+            +get id() string
+            +get userId() string
+            +get armoredKey() string
+            +get fingerprint() boolean
+            +get created() string
+            +get modified() string
+            +get isDeleted() boolean
+        }
+    }
+
 %% Resource controllers relationships
     CreateResourceController*--CreateResourceService
 %%    CreateResourceController*--GetPassphraseService
@@ -1095,4 +1166,13 @@ classDiagram
     ShareResourceService*--ShareService
 %% Share models relationships.
     style ShareService fill:#DEE5D4
+
+%% GpgKey controllers relationships
+    GenerateSetupKeyPairController*--FindUserKeyPoliciesSettingsService
+    GenerateSetupKeyPairController*--GenerateGpgKeyPairService
+    GenerateSetupKeyPairController*--GenerateGpgKeyPairOptionsEntity
+    AccountRecoveryGenerateOrganizationKeyController*--GenerateGpgKeyPairService
+    AccountRecoveryGenerateOrganizationKeyController*--GenerateGpgKeyPairOptionsEntity
+%% GpgKey services relationships
+    FindUserKeyPoliciesSettingsService*--UserKeyPoliciesSettingsApiService
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "passbolt-browser-extension",
-  "version": "5.1.0",
+  "version": "5.1.1",
   "license": "AGPL-3.0",
   "copyright": "Copyright 2025 Passbolt SA",
   "description": "Passbolt web extension for the open source password manager for teams",
@@ -20,9 +20,9 @@
     "jssha": "~3.3.1",
     "kdbxweb": "2.1.1",
     "locutus": "~2.0.9",
-    "openpgp": "6.1",
+    "openpgp": "^6.1.1",
     "papaparse": "^5.2.0",
-    "passbolt-styleguide": "^5.1.2",
+    "passbolt-styleguide": "^5.1.3",
     "react": "17.0.2",
     "react-dom": "17.0.2",
     "secrets-passbolt": "github:passbolt/secrets.js#v2.0.1",
@@ -70,7 +70,12 @@
     "webpack-cli": "^5.1.4"
   },
   "overrides": {
-    "image-size": "^2.0.2"
+    "image-size": "^2.0.2",
+    "i18next-parser": {
+      "cheerio": {
+        "undici": "6.21.2"
+      }
+    }
   },
   "scripts": {
     "build": "npx grunt build",

package/src/all/background_page/controller/accountRecovery/accountRecoveryGenerateOrganizationKeyController.js

@@ -15,12 +15,6 @@ import GetGpgKeyCreationDateService from "../../service/crypto/getGpgKeyCreation
 import GenerateGpgKeyPairOptionsEntity from "../../model/entity/gpgkey/generate/generateGpgKeyPairOptionsEntity";
 import GenerateGpgKeyPairService from "../../service/crypto/generateGpgKeyPairService";
 
-/**
- * The account recovery organization key size.
- * @type {number}
- */
-const ACCOUNT_RECOVERY_ORGANIZATION_KEY_SIZE = 4096;
-
 /**
  * Controller related to the generation of the account recovery organization key
  */
@@ -58,14 +52,11 @@ class AccountRecoveryGenerateOrganizationKeyController {
    * @returns {Promise<ExternalGpgKeyPairEntity>}
    */
   async exec(generateGpgKeyPairOptionsDto = {}) {
-    // Enforce the key size & type.
-    const enforcedGenerateGpgKeyPairOptionsDto = {
-      type: GenerateGpgKeyPairOptionsEntity.TYPE_RSA,
-      keySize: ACCOUNT_RECOVERY_ORGANIZATION_KEY_SIZE,
+    generateGpgKeyPairOptionsDto = {
+      ...generateGpgKeyPairOptionsDto,
       date: await GetGpgKeyCreationDateService.getDate(this.apiClientOptions),
     };
-    Object.assign(generateGpgKeyPairOptionsDto, enforcedGenerateGpgKeyPairOptionsDto);
-    const generateKeyPairOptions = new GenerateGpgKeyPairOptionsEntity(generateGpgKeyPairOptionsDto);
+    const generateKeyPairOptions = GenerateGpgKeyPairOptionsEntity.createForOrkKeyGeneration(generateGpgKeyPairOptionsDto);
     return GenerateGpgKeyPairService.generateKeyPair(generateKeyPairOptions);
   }
 }

package/src/all/background_page/controller/crypto/validatePrivateGpgKeySetupController.js

@@ -15,7 +15,7 @@ import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
 import i18n from "../../sdk/i18n";
 import GetGpgKeyInfoService from "../../service/crypto/getGpgKeyInfoService";
 import GenerateGpgKeyPairOptionsEntity from "../../model/entity/gpgkey/generate/generateGpgKeyPairOptionsEntity";
-
+import {GPG_KEY_TYPE_RSA} from "passbolt-styleguide/src/shared/models/entity/gpgkey/gpgkeyEntity";
 
 class ValidatePrivateGpgKeySetupController {
   /**
@@ -75,9 +75,9 @@ class ValidatePrivateGpgKeySetupController {
       throw new Error(i18n.t("The private key should not have an expiry date."));
     }
 
-    if (keyInfo.algorithm === GenerateGpgKeyPairOptionsEntity.TYPE_RSA) {
-      if (keyInfo.length < GenerateGpgKeyPairOptionsEntity.DEFAULT_KEY_SIZE) {
-        throw new Error(i18n.t("An RSA key should have a length of {{size}} bits minimum.", {size: GenerateGpgKeyPairOptionsEntity.DEFAULT_KEY_SIZE}));
+    if (keyInfo.algorithm === GPG_KEY_TYPE_RSA) {
+      if (keyInfo.length < GenerateGpgKeyPairOptionsEntity.DEFAULT_RSA_KEY_SIZE) {
+        throw new Error(i18n.t("An RSA key should have a length of {{size}} bits minimum.", {size: GenerateGpgKeyPairOptionsEntity.DEFAULT_RSA_KEY_SIZE}));
       }
     } else {
       if (!keyInfo.curve) {

package/src/all/background_page/controller/setup/generateSetupKeyPairController.js

@@ -17,6 +17,8 @@ import GenerateGpgKeyPairService from "../../service/crypto/generateGpgKeyPairSe
 import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
 import AccountTemporarySessionStorageService from "../../service/sessionStorage/accountTemporarySessionStorageService";
 import FindAccountTemporaryService from "../../service/account/findAccountTemporaryService";
+import FindUserKeyPoliciesSettingsService
+  from "../../service/userKeyPolicies/findUserKeyPoliciesSettingsService";
 
 /**
  * @typedef {({passphrase: string})} GenerateKeyPairPassphraseDto
@@ -35,6 +37,7 @@ class GenerateSetupKeyPairController {
     this.apiClientOptions = apiClientOptions;
     // The temporary account stored in the session storage
     this.temporaryAccount = null;
+    this.findUserKeyPoliciesSettingsService = new FindUserKeyPoliciesSettingsService(apiClientOptions);
   }
 
   /**
@@ -55,12 +58,12 @@ class GenerateSetupKeyPairController {
   /**
    * Generate a key pair and associate to the account being set up.
    *
-   * @param {GenerateKeyPairPassphraseDto} passphraseDto
+   * @param {GenerateKeyPairPassphraseDto} generateGpgKeyDto
    * @returns {Promise<void>}
    */
-  async exec(passphraseDto) {
+  async exec(generateGpgKeyDto) {
     this.temporaryAccount = await FindAccountTemporaryService.exec(this.worker.port._port.name);
-    const generateGpgKeyPairOptionsEntity = await this._buildGenerateKeyPairOptionsEntity(passphraseDto.passphrase);
+    const generateGpgKeyPairOptionsEntity = await this._buildGenerateKeyPairOptionsEntity(generateGpgKeyDto.passphrase);
     const keyPair = await GenerateGpgKeyPairService.generateKeyPair(generateGpgKeyPairOptionsEntity);
     const generatedPublicKey = await OpenpgpAssertion.readKeyOrFail(keyPair.publicKey.armoredKey);
 
@@ -68,7 +71,7 @@ class GenerateSetupKeyPairController {
     this.temporaryAccount.account.userPrivateArmoredKey = keyPair.privateKey.armoredKey;
     this.temporaryAccount.account.userPublicArmoredKey = keyPair.publicKey.armoredKey;
     // The passphrase will be later use to sign in the user.
-    this.temporaryAccount.passphrase = passphraseDto.passphrase;
+    this.temporaryAccount.passphrase = generateGpgKeyDto.passphrase;
     // Update all data in the temporary account stored
     await AccountTemporarySessionStorageService.set(this.temporaryAccount);
   }
@@ -82,12 +85,18 @@ class GenerateSetupKeyPairController {
    * @private
    */
   async _buildGenerateKeyPairOptionsEntity(passphrase) {
-    return new GenerateGpgKeyPairOptionsEntity({
+    const userId = this.temporaryAccount.account.userId;
+    const authenticationToken = this.temporaryAccount.account.authenticationTokenToken;
+    const userKeyPoliciesSettings = await this.findUserKeyPoliciesSettingsService.findSettingsAsGuest(userId, authenticationToken);
+
+    const generateKeyPairOptionsDto = {
       name: `${this.temporaryAccount.account.firstName} ${this.temporaryAccount.account.lastName}`,
       email: this.temporaryAccount.account.username,
       passphrase: passphrase,
       date: await GetGpgKeyCreationDateService.getDate(this.apiClientOptions),
-    });
+    };
+
+    return GenerateGpgKeyPairOptionsEntity.createForUserKeyGeneration(userKeyPoliciesSettings, generateKeyPairOptionsDto);
   }
 }
 

package/src/all/background_page/controller/setup/generateSetupKeyPairController.test.js

@@ -23,6 +23,8 @@ import {defaultApiClientOptions} from "passbolt-styleguide/src/shared/lib/apiCli
 import AccountTemporarySessionStorageService from "../../service/sessionStorage/accountTemporarySessionStorageService";
 import {v4 as uuidv4} from "uuid";
 import AccountTemporaryEntity from "../../model/entity/account/accountTemporaryEntity";
+import UserKeyPoliciesSettingsEntity from "passbolt-styleguide/src/shared/models/entity/userKeyPolicies/UserKeyPoliciesSettingsEntity";
+import {defaultUserKeyPoliciesSettingsDto} from "passbolt-styleguide/src/shared/models/entity/userKeyPolicies/UserKeyPoliciesSettingsEntity.test.data";
 
 describe("GenerateSetupKeyPairController", () => {
   describe("GenerateSetupKeyPairController::exec", () => {
@@ -101,6 +103,44 @@ describe("GenerateSetupKeyPairController", () => {
       expect(expectedAccount.passphrase).toStrictEqual(generateKeyPairDto.passphrase);
     }, 10000);
 
+    it("Should generate an ECC gpg key pair and update the account accordingly.", async() => {
+      expect.assertions(11);
+      await MockExtension.withConfiguredAccount();
+      const generateKeyPairDto = {passphrase: "What a great passphrase!"};
+      const workerId = uuidv4();
+      const setupAccountDto = startAccountSetupDto();
+      const temporaryAccountEntity = new AccountTemporaryEntity({account: setupAccountDto, worker_id: workerId});
+      await AccountTemporarySessionStorageService.set(temporaryAccountEntity);
+      const controller = new GenerateSetupKeyPairController({port: {_port: {name: workerId}}}, null, defaultApiClientOptions());
+      jest.spyOn(controller.findUserKeyPoliciesSettingsService, "findSettingsAsGuest").mockImplementation(() => new UserKeyPoliciesSettingsEntity(defaultUserKeyPoliciesSettingsDto()));
+
+      await controller.exec(generateKeyPairDto);
+      const account = (await AccountTemporarySessionStorageService.get(workerId)).account;
+      const accountPublicKey = await OpenpgpAssertion.readKeyOrFail(account.userPublicArmoredKey);
+      const accountPrivateKey = await OpenpgpAssertion.readKeyOrFail(account.userPrivateArmoredKey);
+      const publicKeyInfo = await GetGpgKeyInfoService.getKeyInfo(accountPublicKey);
+      const privateKeyInfo = await GetGpgKeyInfoService.getKeyInfo(accountPrivateKey);
+
+      const expectedUserIds = [{
+        name: `${account.firstName} ${account.lastName}`,
+        email: account.username
+      }];
+      expect(privateKeyInfo.fingerprint).toBe(publicKeyInfo.fingerprint);
+      expect(publicKeyInfo.private).toBe(false);
+      expect(privateKeyInfo.private).toBe(true);
+      expect(publicKeyInfo.length).toBe(256);
+      expect(privateKeyInfo.length).toBe(256);
+      expect(privateKeyInfo.userIds).toStrictEqual(expectedUserIds);
+      expect(privateKeyInfo.algorithm).toStrictEqual("eddsa");
+      expect(publicKeyInfo.algorithm).toStrictEqual("eddsa");
+      expect(publicKeyInfo.curve).toStrictEqual("ed25519");
+      expect(publicKeyInfo.curve).toStrictEqual("ed25519");
+
+      const userPrivateKey = await OpenpgpAssertion.readKeyOrFail(account.userPrivateArmoredKey);
+      const decryptedPrivateKey = await DecryptPrivateKeyService.decrypt(userPrivateKey, generateKeyPairDto.passphrase);
+      expect(decryptedPrivateKey).not.toBeNull();
+    }, 10000);
+
     it("Should raise an error if no account has been found.", async() => {
       const controller = new GenerateSetupKeyPairController({port: {_port: {name: "test"}}}, null, defaultApiClientOptions());
       expect.assertions(1);