Age | Commit message | Author
- When looking for the relevant binding signature, search on the
unverified signatures and verify them on demand.
- When looking for revocation signatures, use the iterator.
- In the original implementation of `Cert::canonicalize`, all
self-signatures were verified. This has turned out to be very
expensive. Instead, we should only verify the signatures we are
actually interested in.
- To preserve the semantics, every self-signature we hand out from
the `Cert` API must have been verified first. However, we can do
that lazily. And, when we reason over the cert (i.e. we are
looking for the right self-signature), we can search the
signatures without triggering the verification, and only verify
the one we are really interested in.
- Previously, when the third-party key is not
available (i.e. always), we only hashed the signature and did not
check whether the signature has the right type. This has the
potential (1 in 2^16 chance) of not recognizing that a signature
is misplaced (also happens when using Cert::insert_packets).
- Fix this by also checking the signature type when using the hash
heuristic.
- See also #1107.
- Previously, attestation key signatures were put into the
self_signatures bin. Then, in canonicalize they would fail to
verify as binding signature, and be put into the bad bin. Later,
when re-trying the bad signatures, we'd find the correct place for
it again.
- Instead, sort them into the attestations bin, and correctly verify
the attestations on the first try in Cert::canonicalize.
- Previously, all signature verification methods took a mutable self
reference in order to persist authentication results. Now that we
use interior mutability for that, signature verification doesn't
have to take a mutable reference any longer, enabling more
optimizations down the road.
- Notably, Signature4::set_computed_digest now takes an immutable
self. Use OnceLock to make this safe and ergonomic.
- Currently, the reference time is not set, hence evaluated to the
current time on demand. If `now` is at the end of a whole
second (OpenPGP's time resolution), it may be that we are off by
one second. Explicitly set the reference time to avoid this.
- See #998.
- See #638.
- Instead of splitting them again. Filing them into the correct
bucket is a bit faster, and avoids having to make parser::split_sigs
pub(crate).
- Unknown::hash_algo_security returns CollisionResistance, and that
is what we use for UnknownBundles elsewhere in the grammar. We
should hold all UnknownBundles to the higher bar of requiring
CollisionResistance.
- This is a variant of Key::take_secret that doesn't change the type
and only requires a mutable reference.
- Like other crates, allow the user to select what crypto backend to
use by disabling the default features for the `sequoia-openpgp`
dependency.
- License the guide under the CC-BY-SA-4.0.
- Fixes #1101.
- Mention the bug bounty program in the security vulnerabilities
guide.
- Link to the security vulnerabilities guide from the main readme.
- When we discover issuer information not yet recorded in the
signature, we insert this information when we get the chance.
However, previously this failed to set the authenticated flag
because it was cleared in SubpacketArea::add. Fix that.
- Add a test to ensure that the `impl BufferedReader<C> for &mut T`
also works with cookies.
- Except for clap (which doesn't build using our MSRV), and anyhow,
because of a severe performance regression on Windows:
https://github.com/dtolnay/anyhow/issues/347
- Previously, we rejected v3 signatures after 2007 by default.
However, Panu Matilainen observed:
  GnuPG appears to have only switched to v4 by default in version
  1.4.8, released on 2007-12-20. Before that was in the hands of
  users would've been many more months, and in the case of
  enterprise distro users, years. For example, RHEL 5 (initially
  released in early 2007) had 1.4.5 still at its end-of-life in
  2017 (and extended life end at 2020) so users on that would've
  still been merrily (and probably unknowingly) producing v3
  signatures at 2017.
- RHEL 5 support ended 2020-11-30. Cryptographically, there is
nothing wrong with them. Reject v3 signatures only after
2021-02-01.
- Fixes #948.
- Fixes #664.
- Previously, only the supported-algorithms example was executed.
- Fixes f9e15b3974b71aed87871999014b901a5aee03a8 by also applying
the change to the low-level cert parser.
- Fixes #1084.
- For historical reasons, if the S2K usage octet is not a known S2K
mechanism, the octet denotes a symmetric algorithm used to
encrypt the key material with. In this case, the symmetric key is
the MD5 sum over the password. See section 5.5.3. Secret-Key
Packet Formats of RFC4880. While this is obviously not a great
choice, it is no worse than `S2K::Simple { hash: MD5 }`, since
it is equivalent to that.
- Model this by adding a new S2K variant.
- Notably, this fixes handling of packets with unknown S2K
mechanisms. Under the model of RFC4880, which we implement, any
unknown S2K mechanism is an implicit S2K, where the usage octet
denotes an unsupported symmetric algorithm. Using this will fail,
but we now can parse and serialize it correctly, and with them the
secret key packets they come in.
- Fixes #1095.
- There is no `Curve::Private`.