Age | Commit message (Collapse) | Author |
|
- See https://openpgp-wg.gitlab.io/rfc4880bis/#name-argon2
|
|
- We don't always actually need it, so it is nice to defer creating
it until we do.
|
|
- Add S2K::parse_common that optionally takes an S2K octet count
parameter. We'll use that for v5 packet parsing where we know the
size of the S2K object we're parsing.
|
|
- Add `SignatureBuilder::effective_signature_creation_time` to
return the signature creation time that would be used were a
signature generated now.
|
|
- When using a `SignatureBuilder`, sometimes the default time should
not be now, but some specific reference time.
- Expose `SignatureBuilder::set_reference_time`, an interface to set
a `SignatureBuilder`'s reference time.
|
|
This makes the `sq wkd generate --skip` work with keyrings that
contain mixed certificates, some of which do not have the domain
in User IDs.
|
|
- When `sq inspect` displays a certification, also display the hash
algorithm, and whether the certification is valid according to the
current policy.
- Recall: The standard policy rejects certifications that use SHA-1,
but GnuPG doesn't. This makes it easier for users to understand
why some certifications are ignored.
|
|
- We cannot assert that an algorithm is supported in tests.
|
|
- Enables the test unconditionally, but avoids the panic if an
algorithm is not supported. This is a workaround until we have
reworked the compressed data handling.
- See https://gitlab.com/sequoia-pgp/sequoia/-/issues/830.
- This addresses the same problem as !1235 but in a more general
way.
|
|
The word "no" was missing, making the requirement be the opposite of
what was intended.
Sponsored-by: pep.foundation
|
|
- I now see "Expiration time: 2038-01-19 03:14:07 UTC" in the
output, the exact timestamp that is given to --expires. However,
I don't think it is a good idea to check for second-accurate times
here, because that is OpenPGP's time resolution and there may be
rounding issues.
|
|
- Previously, we implicitly set the certification flag when we
created subkeys. However, certification is about certifying other
keys and (key, userid)-bindings, it has nothing to do with the
primary key's ability to bind components together.
- By default, the primary key is marked as certification-capable,
but the user should be able to override this, including removing
the certification-capability.
|
|
- Add context to ValidKeyAmalgamation::alive that explains why
a (sub)key is not alive.
|
|
- assert_cli has been deprecated for a long time, assert_cmd is the
successor.
- a4cfd15805a543a327d2242f9c0f2b653a11ee55 introduced assert_cmd to
sq, in addition to assert_cli. It does not make sense to use two
different crates for cli testing.
- Closes #640.
|
|
- Fixes #824.
|
|
- State default features in terms of sq's features.
|
|
- Closes #763
|
|
- Remove the compression feature, it is now redundant with
compression-bzip2 as both add the bzip2 feature to buffered-reader
and sequoia-openpgp, but compression-bzip2 is more explicit.
|
|
- Supporting v5 fingerprints is important so that we can process
signature subpackets containing them, even if we don't yet support
any v5 formats. Consider being part of a group of recipients
where one of the recipients has a v5 key: then, the intended
recipient fingerprint subpacket contains a v5 fingerprint for that
v5 recipient. See also #820.
|
|
- Previously, Sequoia refused to decrypt ESK-less SKESK4 using
S2K::Simple. This behavior was introduced very early on in
2a66a5aa. In the commit message, Kai wrote:
    Also fixed a bug where ESK-less SKESK with simple S2K were
    accepted despite the RFC forbidding it.
Which is an odd conclusion because the last paragraph of Section
5.3 is right next to the paragraph talking about having an ESK.
- In any case, I think this advice actually applies to both
variants. In both cases, CFB is used with an all zero IV, and then
a high-entropy session key (if ESK is present) or a high-entropy
first block (if we're using the SK to encrypt with a SEIPD
packet). If session-key reuse is a problem despite the plaintext
starting with a high-entropy string, then it is a problem in
either case.
- I see that as advice for producers; I don't see any harm in
consuming and decrypting such an artifact.
- Fixes #796.
|
|
- Previously, stream::Signer did not properly bracket OPS/Sig
packets when using more than one signer, i.e. OPS_a OPS_b Literal
Sig_a Sig_b instead of OPS_a OPS_b Literal Sig_b Sig_a.
- This is a regression introduced in
5bef3bde45f71126cdca3e8ad30b1047287c843a.
- Fixes #816.
|
|
- Add missing NEWS entry, drop documentation comments from trait
implementation.
- Fixes de8fab8d1b74fa87d3c20d7a2b9e49aea929e6ea.
|
|
- We implement the cleartext signature framework by transforming the
message on the fly to a signed message, then using our parsing
framework as usual. However, we need to tweak the behavior
slightly.
- Notably, our CSF transformation yields just one OPS packet per
encountered 'Hash' algorithm header, and it cannot know how many
signatures are in fact following. Therefore, the message will not
be well-formed according to the grammar. But, since we created the
message structure during the transformation, we know it is good,
even if it is a little out of spec.
- This patch tweaks the streaming verifier's behavior to accommodate
this.
|
|
- The former commit fixes a crash that should never have happened:
with a fallible conversion to GenericArrays, the error can be
handled at runtime.
- Unfortunately, the upstream crate does not offer a convenient
fallible conversion. Implement and use it.
|
|
- Doing the conversion before matching on the algorithm tries to
convert nonces of different sizes to an array suitable for EAX,
leading to a panic.
|
|
- Previously, we used the same session key for every encrypted
memory region, relying on the nonces being derived from a random
initialization vector.
- However, in cf2a472a34588c453f10efa0263ec51e0c860988 we changed
the nonce to be a simple counter. This leads to reuse of (key,
nonce) pairs.
- Instead of relying on the nonces having some entropy, a more
robust way to deal with this is to have distinct keys. To that
end, add a random salt to each memory region that we hash before
hashing the prekey.
|
|
- Use a custom schedule, which is a simple counter nonce, no AAD
except for the final chunk which digests the plaintext size.
|
|
- Introduce a trait that schedules nonce and additional
authenticated data for each AEAD chunk.
- Factoring that out allows us to support different schemes, and
decouple memory encryption from the OpenPGP schedules.
|
|
- We cannot make that kind of assumption in a test.
|
|
The new scenario is more explicit in how the verification is done
rather than just checking the output is a public key block.
Also, fix a tiny markup error in another scenario (missing _ to end
italic section).
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Fixes #811
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|