Comments (5)

CJSmith-0141 commented on June 12, 2024

Hello @bpholt, sorry for the delay. I was able to build this branch, publishLocal, and switch my project to use the snapshot version.

I have a unit test that is set up to fail in the case where this feature is implemented, and it failed. Which means the feature works!

test("FUTURE FEATURE: decrypt does not work with gpg encrypted message, anonymous recipient") {
    val input = "foobarfoobarfoobar\n"
    val encryptedInput = ??? //omitted for brevity

    (for {
      resultString <- PgpService.decryptString[IO](unitTestOnlyPrivateKeyString, encryptedInput)
    } yield resultString).unsafeRunSync() match {
        case Right(s) =>
          fail(
            s"Decryption with anonymous recipient worked, unexpectedly.\n" +
              s"Result String: ${s}\n" +
              s"input: ${input}"
          )
        case Left(e) =>
          assert(
            e.getMessage.contains(
              "Cannot decrypt message with the passed keyring because it requires key 0"
            )
          )
    }
  }

and the result:

[info] - FUTURE FEATURE: decrypt does not work with gpg encrypted message, anonymous recipient *** FAILED ***
[info]   Decryption with anonymous recipient worked, unexpectedly.
[info]   Result String: foobarfoobarfoobar
[info]
[info]   input: foobarfoobarfoobar (PgpServiceSpec.scala:560)

Thank you for implementing this!

from fs2-pgp.

bpholt commented on June 12, 2024

I think I was able to reproduce this with the private key that's part of the test suite of this library.

$ export GNUPGHOME="$(mktemp -d)/.gnupg"
$ mkdir -m 0700 -p "${GNUPGHOME}"
$ pbpaste | gpg --import
gpg: invalid armor header: lQVYBGDozbkBDACt63OSGFh4pVHSpVcPZXot2ZcHepkPXSJOFE+PnLOAvcMK8O9s\n
gpg: /var/folders/zl/t99c6ptn4p78vg6l6f24xwjc0000gq/T/tmp.b1L1ozoY/.gnupg/trustdb.gpg: trustdb created
gpg: key 52AFF6B5A43D6EBB: public key "key 1 <[email protected]>" imported
gpg: key 52AFF6B5A43D6EBB: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ echo "Hello World" | gpg --encrypt --armor --hidden-recipient "key 1 <[email protected]>"
gpg: 54E4844CFE7C68E1: There is no assurance this key belongs to the named user

sub  rsa3072/54E4844CFE7C68E1 2021-07-09 key 1 <[email protected]>
 Primary key fingerprint: 7EEE F61D E397 A6B1 350B  6F93 52AF F6B5 A43D 6EBB
      Subkey fingerprint: C4BD 9D01 85E9 B333 4D8D  D55D 54E4 844C FE7C 68E1

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
-----BEGIN PGP MESSAGE-----
[...]
=kHjl
-----END PGP MESSAGE-----

Then I added a test to CryptoAlgSpec:

test("CryptoAlg should decrypt a fixed value encrypted with our test key") {
  val crypto = resource()

  val message =
    """-----BEGIN PGP MESSAGE-----
      |
      |hQGMAwAAAAAAAAAAAQv/QQ8RnRGF6jaPTUpuBoPollIBvPIzqokTGzuTaVD4bKsg
      |GGt4ooPpcTkxn0MRLs3rNJfZjaULSkWtUxc4NsSbqmrl8g3smnwJWk/UIR097zlC
      |s30/o3WlmSodAGbEuP5Y+mbAErwGbCs1e7cn1LqQO3BrSZ3m7djif9fiWRdb3AZ4
      |YPX5dmmOZLZoNQO5zLNu3iolrTXyimQLcS7VoFQ+Nbj9hOS+vDzcg6Kycaky7U+M
      |arfyyaqWan8hVygDthMT+n3Au0l7lBzN99aZmC13OP2fhuBBXvrGF+njFS+RkEOs
      |LToMlpFVYWlEFSnYlIQjsxKBzMKThNudKM7r4Kc1yw88DQ9C/rWZxmMxTyLAA4C7
      |QZKdO+zYfzSCYq3bO+YdN8vUGZPS63YN8Pp6qWvIXOZ3oecxmidqjGsItLpxJ0KK
      |zJ0IWVsQj1Zc/2zSojw8edcMh86PFbQsC4aPpMK54KiU4YKXcUnaDeQ48BGv27Po
      |Qx9PqZi+1ROo+anCVWrn0kcB/+g0TzSpG+nwMI4gxNTTAuybzEscK2ifkA76Df45
      |cSypFoj4OIRtTZ8iSGhfgt0fCn1qUrEs7Vw+iNYSqpl9/ue3u1icCQ==
      |=kHjl
      |-----END PGP MESSAGE-----
      |""".stripMargin

  for {
    key <- PGPKeyAlg[IO].readSecretKeyCollection(TestKey())
    text <- Stream
      .emit(message)
      .through(text.utf8.encode)
      .through(crypto.decrypt(key))
      .through(text.utf8.decode)
      .compile
      .lastOrError
  } yield {
    assertEquals(text, "Hello World")
  }
}

which fails with

com.dwolla.security.crypto.KeyRingMissingKeyException: Cannot decrypt message with the passed keyring because it requires key 0, but the ring does not contain that key

If I change it to use PGPKeyAlg[IO].readPrivateKey(TestKey()) instead of readSecretKeyCollection, it still fails, but with

com.dwolla.security.crypto.KeyMismatchException: Cannot decrypt message with key 0 because it requires key 5958252092039458491

Does that seem like a correct reproduction, @CJSmith-0141?

CJSmith-0141 commented on June 12, 2024

Yes, exactly. Reading through RFC 4880, it's not clear to me if this is compliant with OpenPGP or is a GPG extension.

EDIT: What I mean by saying that is if you tag this "will-not-do" I would totally understand.

bpholt commented on June 12, 2024

@CJSmith-0141 could you try the code in the hidden-recipients branch (what's in #77) and let me know if it works for you? If so, we should be able to merge it and cut a new release.

bpholt commented on June 12, 2024

Excellent! I'll get the PR merged and cut a release!
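
Added example (not part of the thread and not fs2-pgp code): a small Python parser for the header of the first packet in the armored message posted above. It shows that gpg --hidden-recipient writes an all-zero key ID into the Public-Key Encrypted Session Key packet, which is the "key 0" in the exception; RFC 4880 section 5.1 allows a key ID of zero as a "wild card" or "speculative" key ID. The function names are hypothetical, only the first armored line from the thread is embedded, and the decimal key ID in KeyMismatchException is assumed to be a 64-bit key ID printed as a signed long.

```python
import base64

# First armored line of the message posted in the thread; its 48 bytes cover the packet header.
FIRST_ARMOR_LINE = "hQGMAwAAAAAAAAAAAQv/QQ8RnRGF6jaPTUpuBoPollIBvPIzqokTGzuTaVD4bKsg"


def parse_pkesk_header(data: bytes) -> dict:
    """Parse the header of a leading PKESK packet (tag 1, RFC 4880 section 5.1)."""
    if len(data) < 6 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if data[0] & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            length, pos = first, 2
        elif first < 224:
            length, pos = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, pos = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a PKESK")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not supported here")
        size = (1, 2, 4)[length_type]
        length, pos = int.from_bytes(data[1:1 + size], "big"), 1 + size
    if tag != 1:
        raise ValueError(f"expected PKESK (tag 1), got tag {tag}")
    if len(data) < pos + 10:
        raise ValueError("truncated PKESK body")
    key_id = data[pos + 1:pos + 9]
    return {
        "body_length": length,
        "version": data[pos],
        "key_id": key_id.hex().upper(),
        "hidden_recipient": key_id == bytes(8),  # all-zero wildcard key ID
        "pk_algorithm": data[pos + 9],  # 1 = RSA
    }


def header_from_armor_line(line: str) -> dict:
    """Decode one line of armor body and parse the packet header it starts with."""
    return parse_pkesk_header(base64.b64decode(line))


def key_id_from_long(value: int) -> str:
    """Render a key ID printed as a signed 64-bit decimal in the hex form gpg shows."""
    return f"{value & 0xFFFFFFFFFFFFFFFF:016X}"
```

For the message in the thread, header_from_armor_line(FIRST_ARMOR_LINE) reports version 3, key ID 0000000000000000 and public-key algorithm 1 (RSA). key_id_from_long(5958252092039458491) gives 52AFF6B5A43D6EBB, the primary key ID gpg printed on import.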
