Age | Commit message | Author |
|
- The Galois/Counter mode for block ciphers is a FIPS-approved AEAD
mode. It will be added to the upcoming OpenPGP standard so that
we have a FIPS-compliant subset of OpenPGP.
- Currently, this is only implemented by the Nettle backend.
|
|
- In order to deal with version 2 SEIP packets, we first need to be
explicit about the packet version in the message parser.
- Rename the token and grammar rules, pass in a version to
MessageParser::push.
|
|
|
|
- We implement the cleartext signature framework by transforming the
message on the fly to a signed message, then using our parsing
framework as usual. However, we need to tweak the behavior
slightly.
- Notably, our CSF transformation yields just one OPS packet per
encountered 'Hash' algorithm header, and it cannot know how many
signatures are in fact following. Therefore, the message will not
be well-formed according to the grammar. But, since we created the
message structure during the transformation, we know it is good,
even if it is a little out of spec.
- This patch tweaks the streaming verifier's behavior to accommodate
this.
|
|
- The former commit fixes a crash that should never have happened:
with a fallible conversion to GenericArrays, the error can be
handled at runtime.
- Unfortunately, the upstream crate does not offer a convenient
fallible conversion. Implement and use it.
|
|
- Doing the conversion before matching on the algorithm tries to
convert nonces of different sizes to an array suitable for EAX,
leading to a panic.
|
|
|
|
- Previously, we used the same session key for every encrypted
memory region, relying on the nonces being derived from a random
initialization vector.
- However, in cf2a472a34588c453f10efa0263ec51e0c860988 we changed
the nonce to be a simple counter. This leads to reuse of (key,
nonce) pairs.
- Instead of relying on the nonces having some entropy, a more
robust way to deal with this is to have distinct keys. To that
end, add a random salt to each memory region that we hash before
hashing the prekey.
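The (key, nonce) reuse this entry fixes is worth seeing concretely. The following is an added example, not Sequoia's code: the keystream generator is an HMAC-SHA256 stand-in for what a counter-mode AEAD (EAX, GCM, OCB) produces under a given key and nonce, the 16-byte counter nonce and the salt-before-prekey hash order are assumptions, and the plaintexts and key are constructed. It shows that with one shared session key, chunk 0 of two regions is encrypted under the same (key, nonce) pair, so an attacker who knows one region's plaintext recovers the other's; with a random per-region salt hashed into the key, the same attack yields noise.

```python
import hashlib
import hmac
import os


# Constructed stand-in for a counter-mode AEAD's keystream: block j is
# HMAC-SHA256(key, nonce || j). It models the (key, nonce) -> keystream
# dependency, which is all the argument needs; it is not Sequoia's cipher.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    # Over the common prefix only; that prefix is all an attacker needs.
    return bytes(x ^ y for x, y in zip(a, b))


def counter_nonce(chunk_index: int) -> bytes:
    # The simple counter nonce of the memory schedule; 16 bytes is an assumption.
    return chunk_index.to_bytes(16, "big")


# Before the fix: every region shares one session key, so chunk 0 of region A
# and chunk 0 of region B are encrypted under the same (key, nonce) pair.
def encrypt_shared_key(session_key: bytes, chunk_index: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(session_key, counter_nonce(chunk_index), len(plaintext)))


# After the fix: each region gets a random salt and its key is the hash of salt
# and prekey. Hashing salt before prekey is an assumption; the entry only says both are hashed.
def derive_region_key(prekey: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + prekey).digest()


class Region:
    def __init__(self, prekey: bytes) -> None:
        self.salt = os.urandom(32)  # kept with the region; it need not be secret
        self.key = derive_region_key(prekey, self.salt)

    def encrypt(self, chunk_index: int, plaintext: bytes) -> bytes:
        return xor(plaintext, keystream(self.key, counter_nonce(chunk_index), len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    # If c1 and c2 were made with the same keystream, c1 ^ c2 == p1 ^ p2,
    # so knowing p1 gives p2 directly (the classic two-time pad).
    return xor(xor(c1, c2), p1)


def leak_with_shared_key(session_key: bytes, p1: bytes, p2: bytes) -> bytes:
    c1 = encrypt_shared_key(session_key, 0, p1)
    c2 = encrypt_shared_key(session_key, 0, p2)
    return recover_with_known_plaintext(c1, c2, p1)


def leak_with_region_keys(prekey: bytes, p1: bytes, p2: bytes) -> bytes:
    c1 = Region(prekey).encrypt(0, p1)
    c2 = Region(prekey).encrypt(0, p2)
    return recover_with_known_plaintext(c1, c2, p1)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed, not a real key
    p1 = b"region one: known to attacker  "
    p2 = b"region two: secret session data"
    print(leak_with_shared_key(key, p1, p2))   # p2 comes out verbatim
    print(leak_with_region_keys(key, p1, p2))  # unrelated bytes
```

The salt does not need to be secret and does not need the entropy of a nonce; it only has to differ between regions, which is why hashing it into the key is more robust than hoping the nonces never collide.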
|
|
- Use a custom schedule, which is a simple counter nonce, no AAD
except for the final chunk which digests the plaintext size.
|
|
- Introduce a trait that schedules nonce and additional
authenticated data for each AEAD chunk.
- Factoring that out allows us to support different schemes, and
decouple memory encryption from the OpenPGP schedules.
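To make the schedule abstraction and the custom memory schedule described in the entry above concrete, here is an added example that is not Sequoia's code. The `Schedule` base class is an assumed shape for the trait this entry introduces (the real trait is not shown on this page); `MemoryCounterSchedule` implements the entry above (counter nonce, no AAD except on the final chunk, whose AAD is the plaintext size); the 16-byte nonce width is an assumption; and the HMAC-SHA256 tag stands in for a real AEAD tag, since what matters here is only that nonce, AAD and ciphertext are all bound. The receiver shows why the final chunk's AAD exists: it does not know the total length in advance, treats the last chunk it receives as final, and so rejects a stream whose tail was cut off.

```python
import hashlib
import hmac
import math
from abc import ABC, abstractmethod
from dataclasses import dataclass


@dataclass(frozen=True)
class ChunkParams:
    nonce: bytes
    aad: bytes


class Schedule(ABC):
    """Nonce and AAD for one AEAD chunk (assumed shape of the trait)."""

    @abstractmethod
    def params(self, index: int, final: bool, total_len: int) -> ChunkParams:
        ...


class MemoryCounterSchedule(Schedule):
    """Counter nonce; no AAD except on the final chunk, whose AAD is the plaintext size."""

    def __init__(self, nonce_len: int = 16) -> None:  # 16-byte nonce is an assumption
        self.nonce_len = nonce_len

    def params(self, index: int, final: bool, total_len: int) -> ChunkParams:
        nonce = index.to_bytes(self.nonce_len, "big")
        aad = total_len.to_bytes(8, "big") if final else b""
        return ChunkParams(nonce, aad)


@dataclass(frozen=True)
class SealedChunk:
    index: int
    body: bytes  # the chunk's ciphertext; the stand-in below only authenticates it
    tag: bytes


def _tag(key: bytes, nonce: bytes, aad: bytes, body: bytes) -> bytes:
    # HMAC-SHA256 over nonce || aad || body stands in for the AEAD tag (illustration only).
    return hmac.new(key, nonce + aad + body, hashlib.sha256).digest()


def seal_stream(key: bytes, schedule: Schedule, plaintext: bytes, chunk_size: int) -> list:
    # An empty plaintext still produces one final chunk, so its length is authenticated too.
    n = max(1, math.ceil(len(plaintext) / chunk_size))
    chunks = []
    for i in range(n):
        body = plaintext[i * chunk_size:(i + 1) * chunk_size]
        p = schedule.params(i, i == n - 1, len(plaintext))
        chunks.append(SealedChunk(i, body, _tag(key, p.nonce, p.aad, body)))
    return chunks


def open_stream(key: bytes, schedule: Schedule, chunks: list) -> bytes:
    """Verifies chunk by chunk; raises ValueError on modification, reordering or truncation.

    The nonce is derived from the chunk's position, never read from the stream, and
    the last chunk received is checked as final with the byte count seen so far."""
    if not chunks:
        raise ValueError("no chunks")
    seen = 0
    for i, ch in enumerate(chunks):
        if ch.index != i:
            raise ValueError(f"chunk {ch.index} out of order")
        seen += len(ch.body)
        p = schedule.params(i, i == len(chunks) - 1, seen)
        if not hmac.compare_digest(ch.tag, _tag(key, p.nonce, p.aad, ch.body)):
            raise ValueError(f"chunk {i} failed authentication (modified or truncated)")
    return b"".join(ch.body for ch in chunks)


def rejects(key: bytes, schedule: Schedule, chunks: list) -> bool:
    try:
        open_stream(key, schedule, chunks)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"\x42" * 32  # constructed, not a real key
    sched = MemoryCounterSchedule()
    sealed = seal_stream(key, sched, bytes(range(100)), 32)
    print(open_stream(key, sched, sealed) == bytes(range(100)))  # True
    print(rejects(key, sched, sealed[:-1]))  # True: trailing chunk dropped
    print(rejects(key, sched, [sealed[1], sealed[0]] + sealed[2:]))  # True: reordered
```

Because intermediate chunks carry no AAD in this schedule, their position is bound only through the nonce, so the receiver must compute the nonce itself from the chunk index; a decryptor that accepted a nonce transmitted with the chunk would lose reordering protection. Swapping in a different `Schedule` (for instance one that puts AAD on every chunk) changes nothing in `seal_stream` or `open_stream`, which is the decoupling the entry describes.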
|
|
- We cannot make that kind of assumption in a test.
|
|
The new scenario is more explicit in how the verification is done
rather than just checking the output is a public key block.
Also, fix a tiny markup error in another scenario (missing _ to end
italic section).
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
|
|
Fixes #811
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
|
|
The exact architecture is armv7-unknown-linux-gnueabihf.
|
|
- This is the most problematic part of the test, actually.
- Fixes #777. Again.
|
|
- Previously, the test asserted that we can create at least
SIG_BACKDATE_BY signatures, and at most 2 * SIG_BACKDATE_BY
signatures.
- The former may fail, presumably due to a corner case involving
losing the sub-second precision of SystemTime. The latter may
fail depending on CPU resources and scheduling.
- Tame the test by demonstrating that we can override a couple of
signatures. Drop the test for the maximum number of overrides.
- Fixes #777.
|
|
|
|
|
|
- `get_keys` only returned a key for the first certificate. It should
return a key for each certificate.
- Fixes #750.
|
|
|
|
|
|
- If a key is inappropriate, include an explanation in the error
message to simplify debugging.
|
|
|
|
|
|
- Better distinguish multiple certifications. Previously just the
issuers of the certification were shown and there can be more than
one issuer subpacket per certification.
- Also, when set, display the signature's creation time, its
expiration time, and the trust depth & trust amount.
|
|
- Allow the user to explicitly set the key's creation time.
- This is useful for:
- obscuring the actual creation time.
- testing.
|
|
- Previously, during parsing and serialization, OpenPGP's unsigned
32-bit timestamps were converted to Rust's SystemTime, which uses
time_t. On platforms where that is a signed 32-bit value, the time
was truncated. See #668.
- One way to fix that is to make Rust's SystemTime independent of
time_t. See https://github.com/rust-lang/rust/issues/44394.
- The other way is not to convert to SystemTime at the API
boundary. See
https://gitlab.com/sequoia-pgp/sequoia/-/issues/806.
- This fixes handling during parsing and serialization, but doesn't
address the API issue.
- Fixes #802.
|
|
- Previously, we used the cipher algorithm returned by
SKESK5::decrypt, which always returns
SymmetricAlgorithm::Unencrypted.
|
|
- Now that the chunk size is capped, just initialize the scratch
vector.
|
|
|
|
- `str::starts_with` already checks that the string is not empty.
Don't first check that the string is not empty.
|
|
- There may be a valid key, but not at the specified time. When no
key is found and a time stamp is given, add a diagnostic that
this might be the problem.
|
|
- Generalize the existing code to handle revoking both certificates
and User IDs.
|
|
|
|
- Generate `cert_stub` to optionally take a User ID. If a User ID
is specified emit that instead of the primary User ID.
|
|
|
|
Also, tidy up some older stuff a bit.
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
|
|
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
|
|
Closes #799
|
|
|