FlowCrypt recently received a security report stating that a malformed (bad) private key is not blocked when the private key is imported or retrieved, e.g. when retrieving the key from the backup in the inbox or when importing a private key file.
Sample bad private key:
corrupted-rsa-key.asc.txt
Steps to reproduce:
- The easiest way to reproduce it is by importing the private key file from the app.
error message from gpg:

For reference to how this issue gets fixed on the browser extension, please see FlowCrypt/flowcrypt-browser#4271.
Impact:
As stated from the original email:
In particular, given that encrypting the private key only encrypts (and authenticates) the private key parameters, but not the public key parameters, an attacker could overwrite the public key. This can lead to various vulnerabilities, and we realized some of these vulnerabilities might be applicable to FlowCrypt.
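The quoted paragraph describes the root of the problem: in an OpenPGP secret key packet only the secret parameters are passphrase-protected, so the cleartext public parameters can be swapped without the decryption step noticing. The defensive check is to verify, at import/retrieval time, that the two halves of the key still agree before the key is stored or used. The following is an added example (not FlowCrypt or OpenPGP.js code); it uses textbook-sized RSA parameters constructed here for illustration, and the function and field names are assumptions.

```python
"""Consistency check between the public and secret halves of an RSA key.

Added example (not FlowCrypt code). The public parameters (n, e) are stored
in the clear; the secret parameters (d, p, q) are the only ones protected by
the passphrase. A key whose public half was overwritten therefore decrypts
without error but is internally inconsistent, which this check detects.
"""
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def rsa_params_consistent(n, e, d, p, q):
    """Return True only if (n, e) and (d, p, q) describe the same RSA key."""
    if p < 2 or q < 2 or p == q:
        return False
    # The cleartext modulus must be the product of the protected primes.
    if n != p * q:
        return False
    lam = lcm(p - 1, q - 1)
    # e must be a valid public exponent and d its inverse modulo lambda(n).
    # Keys generated with phi(n) instead of lambda(n) also pass this test.
    if gcd(e, lam) != 1 or (e * d) % lam != 1:
        return False
    # Final sanity check: a fixed value must survive an encrypt/decrypt round trip.
    m = 42 % n
    return pow(pow(m, e, n), d, n) == m


def accept_imported_key(key):
    """Gate for key import/retrieval (hypothetical helper).

    `key` is a dict with 'public': (n, e) and 'secret': (d, p, q), as they
    would look after the secret half has been decrypted with the passphrase.
    Raises ValueError rather than silently storing an inconsistent key.
    """
    n, e = key["public"]
    d, p, q = key["secret"]
    if not rsa_params_consistent(n, e, d, p, q):
        raise ValueError("private key rejected: public and secret parameters disagree")
    return key


# Constructed sample: p=61, q=53, n=3233, e=17, d=2753 (textbook RSA values).
GOOD_KEY = {"public": (3233, 17), "secret": (2753, 61, 53)}

# Constructed corrupted copy: secret half untouched, cleartext modulus replaced
# by a different number (47 * 71), as an overwritten public key would look.
CORRUPTED_KEY = {"public": (3337, 17), "secret": (2753, 61, 53)}

if __name__ == "__main__":
    accept_imported_key(GOOD_KEY)
    print("good key accepted")
    try:
        accept_imported_key(CORRUPTED_KEY)
    except ValueError as exc:
        print(exc)
```

The same relations are what a library-level key validation performs after unlocking a secret key; the important design point is that the check runs on the decrypted secret parameters against the cleartext public ones, and that a failure blocks the import rather than only logging it.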