[openpgpjs] Re: Importing publicKey stores privateKey in keyring

Mon, 12 May 2014 10:57:34 -0700 

Hi,

I managed to make a simple workaround by splitting the ascii-key into 
pubic-Key-Parts and private-Key-Parts.

This code may not be the most elegant way to do that, but it works:
        var asciiPrivateKey = '';
        var asciiPublicKey = '';
        var delimiter = '-----BEGIN PGP ';

        var asciis = asciiKey.split(delimiter);
        for(var i=0;i<asciis.length;i++) {
                if(asciis[i].substring(0,3)=="PUB") {
                        asciiPublicKey = asciiPublicKey+delimiter+asciis[i];
                }
                if(asciis[i].substring(0,3)=="PRI") {
                        asciiPrivateKey = asciiPrivateKey+delimiter+asciis[i];
                }
        }
        var pwd = 
((asciiPrivateKey!='')?document.getElementById('pwd').value:'');

        var successPrivate = 
openpgp.keyring.importPrivateKey(asciiPrivateKey,pwd);
        var successPublic = openpgp.keyring.importPublicKey(asciiPublicKey);


Robert Schrenk
[email protected]

Am 12.05.2014 um 14:34 schrieb Robert Schrenk <[email protected]>:

> Hi,
> 
> I am working on a html5 offline web app using openpgpjs. I want my users to 
> be able to insert an
> ascii armored pgp-key (including public AND private key) into their keyring. 
> When looking into the localStorage itself I found out,
> that the publicKey-Object has an attribute called „armored“, which stores the 
> original ascii-code.
> 
> And here it is: it stores the ORIGINAL ascii-armored key.
> 
> So the publicKey from my Keyring stores my privateKey in armored Format. I 
> don’t think this is how
> it was meant to be. This is a potential security risk. If a user removes 
> his/her private key keeping the publicKey
> in Keyring he/she would never realize, that the privateKey still persists 
> sleeping inside the publicKey-Object.
> 
> Please have a look into that issue!
> 
> Here is my code - if I am making something wrong causing this I would 
> appreciate ideas for improvement:
> require(["openpgp","jquery-1.11.1.min"],
>         function() {
>                 openpgp.init();
>         }
> );
> 
> function setKey(asciiKey) {
>         console.log('Unarmoring Key from Ascii');
> 
>       // Importing private Key does not work, openpgp_read_privateKey has no 
> result 
>        //openpgp.keyring.importPrivateKey(asciiKey);
>         openpgp.keyring.importPublicKey(asciiKey);
>         openpgp.keyring.store();
> }
> 
> 
> Robert Schrenk
> [email protected]
>

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________

http://openpgpjs.org
Subscribe/unsubscribe: http://list.openpgpjs.org

Reply via email to