From 3c5283705389a690e1631dbe771aef4b31702109 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Tue, 23 Nov 2021 12:33:33 +0100
Subject: [PATCH] Check private key token signatures

---
 protonmail/auth.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/protonmail/auth.go b/protonmail/auth.go
index d8c9a38..bb4a969 100644
--- a/protonmail/auth.go
+++ b/protonmail/auth.go
@@ -1,6 +1,7 @@
 package protonmail

 import (
+ "bytes"
 "encoding/base64"
 "fmt"
 "io/ioutil"
@@ -273,8 +274,14 @@ func decryptPrivateKeyToken(key *PrivateKey, userKeyRing openpgp.EntityList) ([]
 return nil, err
 }

- // TODO: check key.Signature
- return ioutil.ReadAll(md.UnverifiedBody)
+ b, err := ioutil.ReadAll(md.UnverifiedBody)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO: check signer?
+ _, err = openpgp.CheckArmoredDetachedSignature(userKeyRing, bytes.NewReader(b), strings.NewReader(key.Signature), nil)
+ return b, err
 }

 func unlockPrivateKey(key *PrivateKey, userKeyRing openpgp.EntityList, keySalt []byte, passphraseBytes []byte) (*openpgp.Entity, error) {
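Review bot: In the second hunk, the closing `return b, err` of decryptPrivateKeyToken still hands the decrypted token back to the caller when the detached-signature check fails, so a caller that mishandles the error would go on to use an unauthenticated token. The function should fail closed: `if _, err := openpgp.CheckArmoredDetachedSignature(userKeyRing, bytes.NewReader(b), strings.NewReader(key.Signature), nil); err != nil { return nil, fmt.Errorf("verifying private key token signature: %w", err) }` followed by `return b, nil`. The signer entity is discarded, so any key in userKeyRing is accepted as the signer; the `// TODO: check signer?` comment would be more useful if it named which key is expected to have signed the token. The call uses `strings.NewReader` while the first hunk adds only `"bytes"`, so it is worth confirming that `strings` is already imported further down the import block, which is not visible here. The function's opening lines are outside the hunk.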