kbpgp
Importing an armored private key results in export_public_armored exporting private key
If a pgp private key is imported directly it works correctly, but it appears to be written to publickey areas as well. This results in the private key being exposed when trying to access the publicKey. Here is a simple proof of concept:
```js
var kbpgp = require('kbpgp');

kbpgp.KeyManager.generate_ecc({'userid' : 'test'}, function(err, km1) {
  km1.sign({}, function(err) {
    km1.export_pgp_private({}, function(err, privateArmored) {
      // Will log out private key, as expected
      console.log('privateArmored', privateArmored);
      kbpgp.KeyManager.import_from_armored_pgp({armored: privateArmored}, function(err, km2) {
        km2.sign({}, function(err) {
          km2.export_pgp_public({}, function(err, publicArmored) {
            // Also logs out private key, which should not happen
            console.log('publicArmored', publicArmored);
          });
        });
      });
    });
  });
});
```
(bump) Came to report this same bug. Passing {regen:true} to the export_pgp_public options fixes the problem.
(bump)
Just to confirm this as a bug as well.
Thanks for the report, this one got lost in the shuffle. We'll take a look.
Taking a look, I see the bug. Working on a fix.
Closed in #143. Sorry for the bug and thanks for the bug report. It will go live in 2.0.67.
@maxtaco that was fast! Thanks!
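A guard callers can put in front of anything they publish as a public key, given as an added example that is not part of the original thread or of kbpgp's code. It dearmors the export and walks the OpenPGP packet headers, rejecting any block that carries a Secret-Key or Secret-Subkey packet regardless of what the armor header says. The names `dearmor`, `packetTags` and `isSafePublicExport` are hypothetical, the sample blocks are constructed dummy packets rather than real keys, and partial body lengths are rejected rather than parsed.

```javascript
// Secret-Key (5) and Secret-Subkey (7) packet tags, RFC 4880 section 4.3.
const SECRET_TAGS = new Set([5, 7]);
// Strip armor lines, armor headers and the CRC24 line; return the packet bytes.
function dearmor(armored) {
  const lines = armored.split(/\r?\n/).map((l) => l.trim());
  const begin = lines.findIndex((l) => l.startsWith('-----BEGIN PGP '));
  const end = lines.findIndex((l) => l.startsWith('-----END PGP '));
  const blank = lines.indexOf('', begin); // armor headers end at the first blank line
  if (begin < 0 || blank < 0 || blank > end) throw new Error('not an armored PGP block');
  const b64 = lines.slice(blank + 1, end).filter((l) => !l.startsWith('='));
  return Buffer.from(b64.join(''), 'base64');
}
// Return the tag of every packet in the stream, old and new header formats.
function packetTags(buf) {
  const tags = [];
  for (let i = 0; i < buf.length; ) {
    const hdr = buf[i++];
    if (!(hdr & 0x80)) throw new Error('bad packet header');
    let len;
    if (hdr & 0x40) { // new format: tag in the low 6 bits
      tags.push(hdr & 0x3f);
      const o = buf[i++];
      if (o < 192) len = o;
      else if (o < 224) len = ((o - 192) << 8) + buf[i++] + 192;
      else if (o === 255) { len = buf.readUInt32BE(i); i += 4; }
      else throw new Error('partial body length not handled');
    } else { // old format: tag in bits 5-2, length type in bits 1-0
      tags.push((hdr >> 2) & 0x0f);
      const n = 1 << (hdr & 3); // 1, 2 or 4 length octets; 8 means "to end of data"
      if (n === 8) len = buf.length - i;
      else { len = buf.readUIntBE(i, n); i += n; }
    }
    i += len;
  }
  return tags;
}
// Fail closed: true only if the block parses and holds no secret-key packet.
function isSafePublicExport(armored) {
  try {
    const tags = packetTags(dearmor(armored));
    return tags.length > 0 && !tags.some((t) => SECRET_TAGS.has(t));
  } catch (e) { return false; }
}
// Constructed samples: dummy packets wrapped in armor, not real keys.
const pkt = (hdr, body) => Buffer.from([hdr, body.length, ...body]);
const armor = (kind, packets) => `-----BEGIN PGP ${kind} KEY BLOCK-----\n\n` +
  `${Buffer.concat(packets).toString('base64')}\n-----END PGP ${kind} KEY BLOCK-----`;
const uid = pkt(0xcd, [116, 101, 115, 116]); // tag 13, user ID "test"
const PUB = armor('PUBLIC', [pkt(0xc6, [4, 0, 0, 0]), uid]); // tag 6, Public-Key
const LEAK = armor('PUBLIC', [pkt(0xc5, [4, 0, 0, 0]), uid]); // tag 5 under a PUBLIC header
```

Run `isSafePublicExport` on the string returned by `export_pgp_public` before it leaves the process, and treat a `false` result as a hard error.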