This change makes it possible to easily expose types from internal .ts files.
This is achieved by adding a TS compilation step which generates .d.ts files from
.ts ones.
Additionally, a copying step is needed for existing .d.ts files, which are not
automatically moved to the outDir by tsc.
The dist types will still only include those exported by the index files.
Other tried approaches (to e.g. avoid the manual copying step) that were not viable:
- generating a single .d.ts bundle is not supported by tsc, and other tools/plugins
are either deprecated or (in the case of `rollup-plugin-dts`) failed to process our
source code due to unsupported JS syntax
- relying on the `rollup-typescript` plugin to emit declarations felt overly messy
to configure and potentially unreliable as it generated declarations for .js files as well
- renaming existing .d.ts to .ts (alongside .js ones) is not an option since it results
in an empty output for the corresponding modules on Rollup compilation, as the .js
source files are ignored.
And add lint TS rule to enforce declaring `Uint8Array<ArrayBuffer>`.
This change is to limit the need to downcast Uint8Array in output
when using them with e.g. WebCrypto and Blobs,
following an incompatible interface change between ArrayBuffer
and ArrayBufferLike (enforced in TS v5.9).
The Babel plugin `@babel/plugin-transform-regenerator` used in the web-app Jest tests
(as part of @babel/preset-env) introduces a bug when transforming this specific minified
lightweight build.
The issue is that the mangled `ArrayStream` class name (`n` in the specific case) gets wrongly
reused and shadowed by a local variable in the `readPacket` function.
As a workaround for the problem, and to not have to amend the babel config for each monorepo workspace,
we disable mangling the specific class name.
SEIPDv2 is a more secure and faster choice, but it is
not necessarily compatible with other libs and our mobile apps.
Co-authored-by: Daniel Huigens <d.huigens@protonmail.com>
These subkeys must not have the standard encryption flags (EtEr) set,
as they are not supposed to be used for direct messages.
Also:
- preserve 'forwarded communication' key flag when reformatting
- fix bug allowing to decrypt forwarded messages by setting
`config.allowInsecureDecryptionWithSigningKeys` instead of
`config.allowForwardedMessages`
- add TS definition for `config.allowForwardedMessages`
To enable stored messages to be protected using symmetric key encryption and validated
using message authentication codes, this set of changes adds support for storing
symmetric key material as Secret Key Packets, symmetric key encrypted session keys as
Public Key Encrypted Session Key Packets, and MAC tags as Signature Packets.
Co-authored-by: Konstantinos Andrikopoulos <kandrikopoulos@proton.ch>
Co-authored-by: Daniel Huigens <d.huigens@protonmail.com>
Regression introduced in https://github.com/openpgpjs/openpgpjs/pull/1826
(v6.2.0).
Due to internal fflate lib changes, part of the compressed data ended up being discarded,
leading to a corrupted compressed payload for the encrypted/signed message,
which cannot be decompressed.
Compression is disabled by default in openpgpjs.
Hence, the issue affects only users who enabled zlib compression via e.g.
`config.preferredCompressionAlgorithm = openpgp.enums.compression.zlib`
and encrypted or signed data larger than 65KB.
Since all major browsers have shipped support for the curve
in WebCrypto, we only load the JS fallback if needed.
Also, add native/non-native ECDH test for Curve25519Legacy.
(The more modern X25519/X448 algo implementations cannot be
tested that way since they include an HKDF step for which
we assume native support and do not implement a fallback.)
For Ed25519/Ed25519Legacy, native validation code does a sign-verify check over random data.
This is faster than re-deriving the public point using tweetnacl.
If the native implementation is not available, we fall back to re-deriving
the public point only.
For X25519/Curve25519Legacy, both the native and fallback flows do an ecdh exchange;
in the fallback case, this results in slower performance compared to the existing check,
but encryption subkeys are hardly ever validated directly (only in case of gnu-dummy keys),
and this solution keeps the code simpler.
Separately, all validation tests have been updated to use valid params from a different
key, rather than corrupted parameters.
Add workarounds for WebCrypto X25519 bugs on WebKit Linux
At least some of the errors were found to also affect Epiphany,
not just the playwright build, unlike previously reported (4762d2c).
Refactor & simplify the handling of the packet stream and errors in
packet parsing & grammar validation.
This PR also makes the following observable changes:
- Packet parsing errors in not-yet-authenticated streams (i.e. SEIPDv1
with `allowUnauthenticatedStream: true`) get delayed until the
decrypted data stream is authenticated (i.e. the MDC has been
validated)
- Non-critical unknown packets get turned into `UnparseablePacket`
objects on the packet stream instead of being ignored
- The grammar validation internals are changed to a state machine where
each input packet is only checked once, for efficiency (before, the
entire partial packet sequence was checked for every packet)
Co-authored-by: larabr <larabr+github@protonmail.com>
It enforces a message structure as defined in
https://www.rfc-editor.org/rfc/rfc9580.html#section-10.3
(but slightly more permissive with Padding packets allowed in all cases).
Since we are unclear on whether this change might
impact handling of some messages in the wild, generated by
odd use-cases or non-conformant implementations, we
also add the option to disable the grammar check via
`config.enforceGrammar`.
GrammarErrors are only sensitive in the context of
unauthenticated decrypted streams.
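
Added example (not OpenPGP.js code, and not part of the commit messages above): a single-pass state machine that checks a top-level packet sequence against the RFC 9580 section 10.3 message grammar, inspecting each packet once as the refactoring above describes. Packet tags are represented as plain strings and the class and function names are hypothetical; Padding is accepted anywhere, matching the permissive behaviour stated above, and Marker packets are not modelled.

```javascript
// Added illustration: packet tags are plain strings, names are hypothetical.
const ESK = new Set(['PKESK', 'SKESK']);
const ENCRYPTED = new Set(['SED', 'SEIPD']);
const PLAIN_BODY = new Set(['Literal', 'Compressed']);

class GrammarError extends Error {}

class MessageGrammarValidator {
  constructor() {
    this.state = 'prefix';   // 'prefix' -> ('esk' ->) 'trailer'
    this.pendingOnePass = 0; // One-Pass Signature packets still awaiting a Signature
  }

  // Check one packet against the current state only; earlier packets are never rescanned.
  push(tag) {
    if (tag === 'Padding') return; // permissive: Padding allowed in all positions
    switch (this.state) {
      case 'prefix': // leading Signature / One-Pass Signature packets, then the body
        if (tag === 'Signature') return;
        if (tag === 'OnePassSignature') { this.pendingOnePass++; return; }
        if (ESK.has(tag)) { this.state = 'esk'; return; }
        if (ENCRYPTED.has(tag) || PLAIN_BODY.has(tag)) { this.state = 'trailer'; return; }
        break;
      case 'esk': // ESK sequence must end in exactly one encrypted data packet
        if (ESK.has(tag)) return;
        if (ENCRYPTED.has(tag)) { this.state = 'trailer'; return; }
        break;
      case 'trailer': // only Signatures closing an open One-Pass Signature may follow
        if (tag === 'Signature' && this.pendingOnePass > 0) { this.pendingOnePass--; return; }
        break;
    }
    throw new GrammarError(`Unexpected ${tag} packet in state "${this.state}"`);
  }

  // Call when the packet stream ends: a body must have been seen and every
  // One-Pass Signature must have been closed by a trailing Signature.
  end() {
    if (this.state !== 'trailer' || this.pendingOnePass !== 0) {
      throw new GrammarError('Incomplete message packet sequence');
    }
  }
}

// Contents of a Compressed or decrypted packet form a nested message and
// would be validated by a fresh validator instance.
function isValidMessage(tags) {
  const validator = new MessageGrammarValidator();
  try { tags.forEach(tag => validator.push(tag)); validator.end(); return true; }
  catch (e) { if (e instanceof GrammarError) return false; throw e; }
}
```
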