Merge pull request #196

Fix forwarding helpers: accept `date` option and use serverTime instead of local time by default
ProtonMail · Mar 12, 2024 · bc24425 · bc24425
2 parents 80e765a + b2bff02
commit bc24425
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 20 deletions.
diff --git a/lib/key/forwarding.ts b/lib/key/forwarding.ts
@@ -2,6 +2,7 @@ import BigIntegerInterface from '@openpgp/noble-hashes/esm/biginteger/interface'
 import NativeBigInteger from '@openpgp/noble-hashes/esm/biginteger/native.interface';
 import { KDFParams, PrivateKey, UserID, SecretSubkeyPacket, SecretKeyPacket, MaybeArray, Subkey, config as defaultConfig, SubkeyOptions, enums } from '../openpgp';
 import { generateKey, reformatKey } from './utils';
+import { serverTime } from '../serverTime';
 
 let initializedBigInteger = false;
 const getBigInteger = async () => {
@@ -36,11 +37,11 @@ export async function computeProxyParameter(
     return proxyParameter;
 }
 
-async function getEncryptionKeysForForwarding(forwarderKey: PrivateKey) {
+async function getEncryptionKeysForForwarding(forwarderKey: PrivateKey, date: Date) {
     const curveName = 'curve25519';
     const forwarderEncryptionKeys = await forwarderKey.getDecryptionKeys(
         undefined,
-        undefined,
+        date,
         undefined,
         { ...defaultConfig, allowInsecureDecryptionWithSigningKeys: false }
     ) as any as (PrivateKey | Subkey)[]; // TODO wrong TS defintion for `getDecryptionKeys`
@@ -62,13 +63,13 @@ async function getEncryptionKeysForForwarding(forwarderKey: PrivateKey) {
 /**
  * Whether the given key can be used as input to `generateForwardingMaterial` to setup forwarding.
  */
-export async function doesKeySupportForwarding(forwarderKey: PrivateKey): Promise<boolean> {
+export async function doesKeySupportForwarding(forwarderKey: PrivateKey, date: Date = serverTime()): Promise<boolean> {
     if (!forwarderKey.isDecrypted()) {
         return false;
     }
 
     try {
-        const keys = await getEncryptionKeysForForwarding(forwarderKey);
+        const keys = await getEncryptionKeysForForwarding(forwarderKey, date);
         return keys.length > 0;
     } catch {
         return false;
@@ -79,8 +80,8 @@ export async function doesKeySupportForwarding(forwarderKey: PrivateKey): Promis
  * Whether all the encryption-capable (sub)keys are setup as forwarding keys.
  * This function also supports encrypted private keys.
  */
-export const isForwardingKey = (keyToCheck: PrivateKey) => (
-    getEncryptionKeysForForwarding(keyToCheck)
+export const isForwardingKey = (keyToCheck: PrivateKey, date: Date = serverTime()) => (
+    getEncryptionKeysForForwarding(keyToCheck, date)
         // @ts-ignore missing `bindingSignatures` definition
         .then((keys) => keys.every((key) => key.bindingSignatures[0].keyFlags & enums.keyFlags.forwardedCommunication))
         .catch(() => false)
@@ -97,19 +98,21 @@ export const isForwardingKey = (keyToCheck: PrivateKey) => (
  */
 export async function generateForwardingMaterial(
     forwarderKey: PrivateKey,
-    userIDsForForwardeeKey: MaybeArray<UserID>
+    userIDsForForwardeeKey: MaybeArray<UserID>,
+    date: Date = serverTime()
 ) {
     if (!forwarderKey.isDecrypted()) {
         throw new Error('Forwarder key must be decrypted');
     }
 
     const curveName = 'curve25519';
-    const forwarderEncryptionKeys = await getEncryptionKeysForForwarding(forwarderKey);
+    const forwarderEncryptionKeys = await getEncryptionKeysForForwarding(forwarderKey, date);
     const { privateKey: forwardeeKeyToSetup } = await generateKey({ // TODO handle v6 keys
         type: 'ecc',
         userIDs: userIDsForForwardeeKey,
         subkeys: new Array<SubkeyOptions>(forwarderEncryptionKeys.length).fill({ curve: curveName, forwarding: true }),
-        format: 'object'
+        format: 'object',
+        date
     });
 
     // Setup forwardee encryption subkeys and generated corresponding proxy params

diff --git a/test/key/forwarding.spec.ts b/test/key/forwarding.spec.ts
@@ -3,7 +3,7 @@ import { ec as EllipticCurve } from 'elliptic';
 import BN from 'bn.js';
 
 import { decryptKey, enums, KeyID, PacketList } from '../../lib/openpgp';
-import { generateKey, generateForwardingMaterial, doesKeySupportForwarding, encryptMessage, decryptMessage, readMessage, readKey, readPrivateKey } from '../../lib';
+import { generateKey, generateForwardingMaterial, doesKeySupportForwarding, encryptMessage, decryptMessage, readMessage, readKey, readPrivateKey, serverTime } from '../../lib';
 import { computeProxyParameter, isForwardingKey } from '../../lib/key/forwarding';
 import { hexStringToArray, concatArrays, arrayToHexString } from '../../lib/utils';
 
@@ -98,7 +98,7 @@ yGZuVVMAK/ypFfebDf4D/rlEw3cysv213m8aoK8nAUO8xQX3XQq3Sg+EGm0BNV8E
         const charlieKey = await readKey({ armoredKey: forwardeeKey.armor() }); // ensure key is correctly serialized and parsed
 
         // Check subkey differences
-        const bobSubkey = await bobKey.getEncryptionKey();
+        const bobSubkey = await bobKey.getEncryptionKey(undefined, serverTime());
         const charlieSubkey = charlieKey.subkeys[0];
 
         expect(charlieSubkey.bindingSignatures[0].keyFlags![0]).to.equal(enums.keyFlags.forwardedCommunication);

diff --git a/test/key/utils.spec.ts b/test/key/utils.spec.ts
@@ -10,7 +10,8 @@ import {
     getMatchingKey,
     generateSessionKeyForAlgorithm,
     generateSessionKey,
-    getSHA256Fingerprints
+    getSHA256Fingerprints,
+    serverTime
 } from '../../lib';
 
 describe('key utils', () => {
@@ -39,7 +40,7 @@ describe('key utils', () => {
             userIDs: [{ name: 'name', email: '[email protected]' }],
             format: 'object'
         });
-        const now = new Date();
+        const now = serverTime();
         expect(Math.abs(+privateKey.getCreationTime() - +now) < 24 * 3600).to.be.true;
     });
 
@@ -48,7 +49,7 @@ describe('key utils', () => {
             userIDs: [{ name: 'name', email: '[email protected]' }],
             format: 'object'
         });
-        const { selfCertification } = await privateKey.getPrimaryUser();
+        const { selfCertification } = await privateKey.getPrimaryUser(serverTime());
         expect(selfCertification.preferredSymmetricAlgorithms).to.include(enums.symmetric.aes256);
         expect(selfCertification.preferredHashAlgorithms).to.include(enums.hash.sha256);
         expect(selfCertification.preferredCompressionAlgorithms).to.include(enums.compression.zlib);
@@ -70,7 +71,7 @@ describe('key utils', () => {
     });
 
     it('isExpiredKey - it can correctly detect an expired key', async () => {
-        const now = new Date();
+        const now = serverTime();
         // key expires in one second
         const { privateKey: expiringKey } = await generateKey({
             userIDs: [{ name: 'name', email: '[email protected]' }],
@@ -93,7 +94,7 @@ describe('key utils', () => {
 
     it('isRevokedKey - it can correctly detect a revoked key', async () => {
         const past = new Date(0);
-        const now = new Date();
+        const now = serverTime();
 
         const { privateKey: key, revocationCertificate } = await generateKey({
             userIDs: [{ name: 'name', email: '[email protected]' }],

diff --git a/test/message/context.spec.ts b/test/message/context.spec.ts
@@ -1,5 +1,5 @@
 import { expect } from 'chai';
-import { verifyMessage, signMessage, generateKey, readSignature, readMessage, decryptMessage, encryptMessage, readKey, ContextError } from '../../lib';
+import { verifyMessage, signMessage, generateKey, readSignature, readMessage, decryptMessage, encryptMessage, readKey, ContextError, serverTime } from '../../lib';
 import { VERIFICATION_STATUS } from '../../lib/constants';
 
 // verification without passing context should fail
@@ -233,7 +233,7 @@ describe('context', () => {
     });
 
     it('does not verify a message without context based on cutoff date (`expectFrom`)', async () => {
-        const now = new Date();
+        const now = serverTime();
         const nextHour = new Date(+now + (3600 * 1000));
         const { privateKey, publicKey } = await generateKey({
             userIDs: [{ name: 'name', email: '[email protected]' }],

diff --git a/test/setup.ts b/test/setup.ts
@@ -1,7 +1,12 @@
 import { use as chaiUse } from 'chai';
 import * as chaiAsPromised from 'chai-as-promised';
 
-import { init } from '../lib';
+import { init, updateServerTime } from '../lib';
 
 chaiUse(chaiAsPromised);
-before(init);
+before(() => {
+    // set server time in the future to spot functions that use local time unexpectedly
+    const HOUR = 3600 * 1000;
+    updateServerTime(new Date(Date.now() + HOUR));
+    init();
+});