ASA-2019-00529 – OpenPGP.js: Information from unhashed subpackets is trusted

OpenPGP signature subpackets contain information related to a signature (e.g. the creation timestamp). These subpackets may appear in a “hashed” and “unhashed” subpacket container. While the information in the hashed subpackets is signed, the unhashed subpackets are not cryptographically protected. OpenPGP.js however does not distinguish between these subpackets. When parsing a signature packet, the signed information is parsed first. When the unhashed packets are read, the information from the hashed packets is overwritten. An attacker could arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker could e.g. convince a victim to use an obsolete key for encryption.