We should review if these utils are needed in the library, otherwise move them over to the clients monorepo.

Regardless, the following refactoring should be done:

• Remove the binary string variants encodeUtf8 and decodeUtf8
• Accept/return Uint8Arrays for base64 encoding/decoding
• Remove encodeUtf8Base64 and decodeUtf8Base64 (they can just chain two functions)

decodeBase64 (or base64ToBytes/Array) should return a Uint8Array, and then utf8BytesToString should take a Uint8Array and return a string, so that utf8BytesToString ∘ base64ToBytes == decodeUtf8Base64.

And then if binary strings are needed in some cases, binaryStringToArray / arrayToBinaryString can be used.

The encoding/decoding of binaryStringToArray/arrayToBinaryString is problematic for unicode chars.

• str2ab('aéこん') gives an ArrayBuffer of
  • Int8Array(8) [97, 0, -23, 0, 83, 48, -109, 48]
  • Int16Array(4) [97, 233, 12371, 12435]
  • Int32Array(2) [15269985, 814952531]
  • Uint8Array(8) [97, 0, 233, 0, 83, 48, 147, 48]

Ref:

• https://developer.mozilla.org/en-US/docs/Web/API/TextEncoder

The exported types should be checked, similarly to what is done in OpenPGP.js (https://github.com/openpgpjs/openpgpjs/blob/master/test/typescript/definitions.ts).

Related to #111 .

See https://github.com/ProtonMail/Angular/issues/7862.

Another thing that I forgot to mention is that we increased the default number of S2K rounds, which makes things slower. Since we use bcrypt in addition to S2K for key derivation, it's probably safe to add openpgp.config.s2k_iteration_count_byte = 96 to https://github.com/ProtonMail/pmcrypto/blob/master/lib/openpgp.js for performance

If content is missing, parsing fails at this line. We should instead treat the content as empty in that case.

All the dependants on pmcrypto do not need to parse mail

And it's over 1 MB large

Hello!

By looking at the code at https://github.com/ProtonMail/pmcrypto/blob/master/lib/key/check.js#L18 I assume that if info.user.userId ends with "<[email protected]>" and email is "[email protected]", it would match as . is any character in regular expression.

I think this would trigger unwanted behaviors.

If my analyse sounds correct to you, you can assign this issue to me and I will propose a PR to escape this email variable.

It's a very large library with redundant/unclear dependencies.

const { data } = await decryptMessage({
    message: openpgp.message.read(stream),
    signature: getSignature(decryptedSignature),
    sessionKeys: keys.sessionKeys,
    publicKeys: keys.privateKey.toPublic(),
    streaming: 'web',
    format: 'binary',
});

Code like this will fail with Cannot convert undefined or null to object because of

This function is passed a Promise of signature (because of streaming decryption), so packets resolves to undefined.

This function should possibly accept and return a promise. There are three scenarios which I can think of in which it must work:

• streaming decryption + known signature (like original example)
• streaming decryption + inlined signature (promise is required in that case)
• non-streaming decryption + signature

We want to be able to display the curve type in the FE, so people can check if they are using nist curves etcetera.

So I would like to have some parameter in keyinfo that describes the curve type.

It can't request the bitsize of a key.
cf:

TypeError: this.params[0].byteLength is not a function
    at i.getBitSize (openpgp.min.js:2)
    at vendor.js:80215
    at <anonymous>

There is an issue where boundary delimiters with regex characters does not get parsed, e.g.

=-=rzmb8HM+ZkeNcG=-=

because the current parser creates a regexp of the delimiter.

In tests, the line references given on error are off, due to two separate issues:

• since webpack does not emit source map files for TS, a custom plugin should be set: codymikol/karma-webpack#109 (comment)
• even with the above fix, karma-webpack v5 has a bug that breaks the source map referencing: codymikol/karma-webpack#493. The proposed temporary solution (set splitChunks: false) does not work for us, because chunking is needed in the tests to load the mailparses and openpgp.js. Their next karma-webpack release will hopefully fix the problem.

It's bad practice to pollute the global namespace. It would be better to export this library as a ES6 module. This way we can also benefit from code reductions in the future.

Just wanted to highlight a potentially wrong comparison here:

if (!parts.length === 4) {

There is a comparison of boolean with number.

• keyCheck should be removed since it is not used in our apps, and it is strongly coupled with keyInfo. The checks it does should be re-implemented in a different function (e.g. named checkPersonalKey), taking an OpenPGPKey in input, instead of a custom object. It should check key strength requirements through the function(s) implemented in #121 , as well as binding signature validity, whether the key can encrypt etc (same checks as API).
• keyInfo should be removed, or simplified to not include key checks. It is currently used in apps to collect minimal key metadata.

Keeping a single createMessage function prevents us from supporting both streamed text and streamed binary data (see #124 (comment)).

Would it not make sense to add openpgpjs as a dependency to this package?

https://github.com/ProtonMail/pmcrypto/blob/master/lib/key/info.js#L77

To determine the expiration time of a key we usually do this in the context of both encrypting and signing by passing in "encrypt_sign". For contact public keys, because we only use them for encryption, we can pass in just "encrypt" here instead.