fix: invalid checksum mismatch error in signed messages with public key attached (#5950)

Author: Ioan Moldovan

extension/chrome/elements/pgp_block_modules/pgp-block-render-module.ts

@@ -49,7 +49,7 @@ export class PgpBlockViewRenderModule {
   public renderContent = (htmlContent: string, isErr: boolean, isChecksumInvalid = false) => {
     let contentWithLink = linkifyHtml(htmlContent);
     if (isChecksumInvalid) {
-      contentWithLink = `<div class="pgp-invalid-checksum">${Lang.pgpBlock.invalidCheckSum}</div>${contentWithLink}}`;
+      contentWithLink = `<div class="pgp-invalid-checksum">${Lang.pgpBlock.invalidCheckSum}</div>${contentWithLink}`;
     }
     // Temporary workaround for an issue where 'cryptup_reply' divs are not being hidden when replying to all
     // messages from the FES. The root cause is that FES currently returns the body of

extension/js/common/core/crypto/key.ts

@@ -489,48 +489,71 @@ export class KeyUtil {
     return keys.map(k => ({ id: k.id, emails: k.emails, armored: KeyUtil.armor(k), family: k.family }));
   }
 
-  public static validateChecksum = (armoredText: string): boolean => {
-    const lines = armoredText.split('\n').map(l => l.trim());
-
-    // Filter out known non-data lines
-    const dataCandidates = lines.filter(line => line.length > 0 && !line.startsWith('-----') && !line.startsWith('Version:') && !line.startsWith('Comment:'));
+  public static validateChecksum(armoredText: string): boolean {
+    // Regex to capture any PGP armor block, e.g. SIGNATURE, MESSAGE, etc.
+    // It captures: the block type in group (1), and the content in group (2)
+    const pgpBlockRegex = /-----BEGIN PGP ([A-Z ]+)-----([\s\S]*?)-----END PGP \1-----/g;
+
+    let match: RegExpExecArray | null;
+    let validFound = false;
+
+    // Iterate over all PGP blocks in the text
+    while ((match = pgpBlockRegex.exec(armoredText))) {
+      const blockContent = match[2] || ''; // the captured block text
+      const lines = blockContent.split('\n').map(l => l.trim());
+
+      // Filter out known non-base64 lines
+      const dataCandidates = lines.filter(
+        line => line.length > 0 && !line.startsWith('Version:') && !line.startsWith('Comment:') && !line.startsWith('Hash:') && !line.startsWith('-----')
+      );
+
+      // Find the checksum line (starts with '=')
+      const checksumIndex = dataCandidates.findIndex(line => line.startsWith('='));
+      if (checksumIndex === -1) {
+        continue; // No checksum line found in this block, skip
+      }
 
-    // Find checksum line
-    const checksumIndex = dataCandidates.findIndex(line => line.startsWith('='));
-    if (checksumIndex === -1) return false;
+      // Get the base64 after the '='
+      const checksumLine = dataCandidates[checksumIndex].slice(1);
+      let providedBytes: string;
+      try {
+        providedBytes = atob(checksumLine);
+      } catch {
+        continue; // Not valid base64, skip
+      }
 
-    const checksumLine = dataCandidates[checksumIndex].slice(1);
-    const dataLines = dataCandidates.slice(0, checksumIndex);
+      // Check that decoded checksum is 3 bytes for CRC24
+      if (providedBytes.length !== 3) {
+        continue;
+      }
+      const providedCRC = (providedBytes.charCodeAt(0) << 16) | (providedBytes.charCodeAt(1) << 8) | providedBytes.charCodeAt(2);
 
-    // Decode checksum
-    let providedBytes: string;
-    try {
-      providedBytes = atob(checksumLine);
-    } catch {
-      return false;
-    }
-    if (providedBytes.length !== 3) return false;
+      // Decode all lines before the checksum line
+      const dataLines = dataCandidates.slice(0, checksumIndex);
+      const decodedChunks: string[] = [];
+      for (const line of dataLines) {
+        try {
+          decodedChunks.push(atob(line));
+        } catch {
+          // skip lines that aren't valid base64
+        }
+      }
 
-    const providedCRC = (providedBytes.charCodeAt(0) << 16) | (providedBytes.charCodeAt(1) << 8) | providedBytes.charCodeAt(2);
+      if (!decodedChunks.length) {
+        continue;
+      }
 
-    // Attempt to decode all data lines (some may not be base64)
-    const decodedChunks: string[] = [];
-    for (const line of dataLines) {
-      try {
-        decodedChunks.push(atob(line));
-      } catch {
-        // Not a valid base64 line, skip it
+      // Join all decoded base64 data and calculate its CRC
+      const rawData = decodedChunks.join('');
+      // eslint-disable-next-line @typescript-eslint/no-misused-spread
+      const dataBytes = new Uint8Array([...rawData].map(c => c.charCodeAt(0)));
+      if (KeyUtil.crc24(dataBytes) === providedCRC) {
+        validFound = true;
       }
     }
 
-    if (decodedChunks.length === 0) return false;
-
-    const rawData = decodedChunks.join('');
-    // eslint-disable-next-line @typescript-eslint/no-misused-spread
-    const dataBytes = new Uint8Array([...rawData].map(c => c.charCodeAt(0)));
-
-    return KeyUtil.crc24(dataBytes) === providedCRC;
-  };
+    return validFound;
+  }
 
   private static crc24 = (dataBytes: Uint8Array): number => {
     let crc = 0xb704ce;