authorNeal H. Walfield <neal@pep.foundation>2020-12-11 14:41:17 +0100
committerNeal H. Walfield <neal@pep.foundation>2020-12-11 14:46:30 +0100
commit35119b755db270ab43a8e1ec13577bc0f9846546 (patch)
tree2499fe86c242b8aa7e05df02f56640e11e8e920b /openpgp/src/packet/unknown.rs
parent582a079f1cccc07bd74432ceb55da09e698da2d0 (diff)
openpgp: Pass the hash algo's security reqs to Policy::signature.
- If the signer controls the data that is being signed, then the hash algorithm only needs second pre-image resistance. - This observation can be used to extend the life of hash algorithms that have been weakened, as is the case for SHA-1. - Introduces a new `enum HashAlgoSecurity`, which is now passed to `Policy::signature`. - See #595.
Diffstat (limited to 'openpgp/src/packet/unknown.rs')
-rw-r--r--openpgp/src/packet/unknown.rs30
1 files changed, 30 insertions, 0 deletions
diff --git a/openpgp/src/packet/unknown.rs b/openpgp/src/packet/unknown.rs
index 086f1b32..86758601 100644
--- a/openpgp/src/packet/unknown.rs
+++ b/openpgp/src/packet/unknown.rs
@@ -4,6 +4,7 @@ use std::cmp::Ordering;
use crate::packet::Tag;
use crate::packet;
use crate::Packet;
+use crate::policy::HashAlgoSecurity;
/// Holds an unknown packet.
///
@@ -73,6 +74,35 @@ impl Unknown {
}
}
+ /// The security requirements of the hash algorithm for
+ /// self-signatures.
+ ///
+ /// A cryptographic hash algorithm usually has [three security
+ /// properties]: pre-image resistance, second pre-image
+ /// resistance, and collision resistance. If an attacker can
+ /// influence the signed data, then the hash algorithm needs to
+ /// have both second pre-image resistance, and collision
+ /// resistance. If not, second pre-image resistance is
+ /// sufficient.
+ ///
+ /// [three security properties]: https://en.wikipedia.org/wiki/Cryptographic_hash_function#Properties
+ ///
+ /// In general, an attacker may be able to influence third-party
+ /// signatures. But direct key signatures, and binding signatures
+ /// are only over data fully determined by signer. And, an
+ /// attacker's control over self signatures over User IDs is
+ /// limited due to their structure.
+ ///
+ /// These observations can be used to extend the life of a hash
+ /// algorithm after its collision resistance has been partially
+ /// compromised, but not completely broken. For more details,
+ /// please refer to the documentation for [HashAlgoSecurity].
+ ///
+ /// [HashAlgoSecurity]: ../policy/enum.HashAlgoSecurity.html
+ pub fn hash_algo_security(&self) -> HashAlgoSecurity {
+ HashAlgoSecurity::CollisionResistance
+ }
+
/// Gets the unknown packet's tag.
pub fn tag(&self) -> Tag {
self.tag
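Review bot: The new `hash_algo_security` returns `HashAlgoSecurity::CollisionResistance` unconditionally, but nothing in the hunk says why this type takes the strictest requirement; the doc comment above it mostly explains when the weaker second pre-image case applies (direct key and binding signatures), which is not the case for this type. A why-comment on the return would make the conservative choice deliberate rather than accidental, e.g. `// The packet's contents are unknown, so they cannot be assumed to be signer-controlled; require full collision resistance.` It would also help to add a sentence to the docstring stating that an unknown packet always reports the strictest property, so the generic paragraph about self-signatures is not read as describing this implementation. As a point of style, the link target `[HashAlgoSecurity]: ../policy/enum.HashAlgoSecurity.html` could be an intra-doc link to the imported type instead of a relative path, which rustdoc checks. The enclosing `impl Unknown` begins before the hunk and its closing brace is outside it.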