path: root/openpgp-ffi/src
Age | Commit message | Author
2019-12-09 | openpgp: Return result from Cert::alive, remove Cert::expired. | Justus Winter
- See #371.
2019-12-09 | openpgp: Return Result from Signature::key_alive. | Justus Winter
- See #371.
2019-12-09 | openpgp: Return Result from Signature::signature_alive. | Justus Winter
- See #371.
2019-12-09 | openpgp: New errors Expired and NotYetLive. | Justus Winter
2019-12-05 | openpgp: Make crypto::{Signer,Decryptor} non-polymorphic. | Justus Winter
- These are low-level cryptographic traits that are not concerned with the role of a key.
- Fixes #382.
2019-12-04 | openpgp: Refine CertBuilder::add_encryption_subkey. | Justus Winter
2019-12-04 | openpgp: Rename KeyFlag's accessors. | Justus Winter
- Fixes #359.
2019-12-04 | openpgp: Rename KeyIter filters. | Justus Winter
- See #359.
2019-11-28 | Call TPKs Certificates, update identifiers, documentation. | Justus Winter
- Fixes #387.
2019-11-27 | openpgp: Fix issuer handling in the streaming verifier. | Justus Winter
- To that end, make VerificationHelper::get_public_keys take KeyHandles for all the issuers.
2019-11-27 | openpgp: Make variants of VerificationResult struct-like, add infos. | Justus Winter
2019-11-26 | openpgp: Implement From<Fingerprint> for KeyID. | Justus Winter
- Remove Fingerprint::to_keyid, use From instead.
2019-11-25 | OpenPGP User ID convention is "de facto" not "de factor" | Daniel Kahn Gillmor
I'm not even sure if we even need to use "de facto" when we're also saying "convention", but I'm just doing a targeted fix here. The fact that this one string was copied around in a dozen places makes me a bit sad. If there are other changes to make in this boilerplate text, they'll also have to be made in a dozen places. I don't know enough about how sequoia is designed to be able to suggest a plausible boilerplate reduction strategy though.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-11-25 | openpgp: Specialize key iterator to return Key<SecretParts, _>. | Justus Winter
- Once KeyIter::secret or KeyIter::unencrypted_secret is called, change the iterator type to iterate over &Key<SecretParts, _>.
- Fixes #384.
2019-11-25 | openpgp: Rename openpgp::constants to openpgp::types. | Justus Winter
- Fixes #381.
2019-11-22 | openpgp: Make conversions into Key<SecretParts, _> fallible. | Justus Winter
- Fixes #380.
2019-11-21 | openpgp: When parsing User IDs, recognize URIs. | Neal H. Walfield
- Restore the functionality removed in 8693a005 when replacing the RFC 2822 mailbox parser.
2019-11-21 | openpgp: Replace time crate with std::time. | Justus Winter
- In sq and sqv, use chrono to interface with the user.
- Fixes #341.
2019-11-20 | openpgp: Use the builder pattern for stream::Encryptor. | Justus Winter
- Fixes #375.
2019-11-19 | openpgp: Use the builder pattern for stream::LiteralWriter. | Justus Winter
- See #375.
2019-11-19 | openpgp: Use the builder pattern for stream::Signer. | Justus Winter
- See #375.
2019-11-19 | openpgp: Be tolerant when deciding whether a signature is alive. | Neal H. Walfield
- Consider the following scenario: computer A's clock says 9:00.00 and signs and sends a message to computer B. Computer B's clock says 8:59.59, it receives the message and tries to verify it. From Computer B's perspective, the signature is not valid, because it was generated in the future.
- This situation occurred, because the two clocks were not completely synchronized. Unfortunately, a few seconds of clock skew are not unusual, particularly when dealing with VMs.
- Since it is almost always better to consider such messages as valid, be tolerant when deciding whether a signature is alive.
2019-11-15 | openpgp: Add tpk::builder::CipherSuite::RSA4k. | Leonhard Markert
2019-11-10 | openpgp: Distinguish bad signatures from those that are not alive. | Neal H. Walfield
- Return a different `VerificationResult` for signatures that are not alive (BadSignature) from signatures that are actually bad (BadCheck).
2019-11-06 | openpgp: Replace RFC 2822 parser with a de facto parser | Neal H. Walfield
- RFC 4880 says that "by convention, [a User ID Packet] includes an RFC 2822 [RFC2822] mail name-addr." This is not the actual convention, and attempting to parse User IDs using an RFC 2822 parser means that many common User IDs cannot be parsed.
- Disparities between the actual convention and the stated convention include:
  - Neither users nor the software they use to create keys correctly quotes User IDs:
    - 'Nachname, Vorname <name@example.org>' is not valid, because it contains an unquoted comma. It should be 'Nachname\, Vorname <name@example.org>' or '"Nachname, Vorname" <name@example.org>'. (The same goes for dots, single quotes, etc.)
    - 'user@example.org <user@example.org>' is not valid, because it contains an unquoted at symbol.
  - 'Bj=?utf-8?q?=C3=B6?=rn <bjoern@example.net>' is encoded using RFC 2047, which is what RFC 2822 mandates when using non-ASCII characters, but no OpenPGP software would decode this User ID. In practice, everyone just uses UTF-8 (in this case: 'Björn <bjoern@example.net>').
  - There are many examples of User IDs containing raw email addresses ('user@example.org'). But, these are not "name-addr"s. At best, they are RFC 2822 "mailbox"es.
  - Some User IDs only contain a name (e.g., "Frank PGP").
  - RFC 2822 also includes a lot of complexity that no one uses or needs. For instance, CFWS (comments and folding whitespace) can be placed everywhere, and the rules for parsing them are complex.
- Instead of continuing to bend the RFC 2822 parser to our will, we instead accept reality.
- This patch replaces the RFC 2822 parser with a significantly simpler parser, which is based on actual convention (i.e., User IDs in the wild).
- This parser is based on dkg's mail to the OpenPGP working group mailing list.
  Message-ID: <87woe7zx7o.fsf@fifthhorseman.net>
  https://mailarchive.ietf.org/arch/msg/openpgp/wNo27-0STfGR9JZSlC7s6OYOJkI
- This initial version has one notable regression with respect to the RFC 2822 parser: it doesn't handle User IDs holding URIs.
2019-10-28 | openpgp-ffi: Fix returning pgp_tag_t. | Justus Winter
- Force pgp_tag_t to have a defined size, and return integers of that size from the ffi glue.
- This problem did only manifest itself when compiling with opt-level=1.
2019-10-27 | Fix more spelling errors caught by codespell | Daniel Kahn Gillmor
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-27 | linting: Clear up bare trait object warnings | Daniel Silverstone
Newer Rust compilers require `dyn` marking trait objects.
Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-09-27 | openpgp: Replace use of TPK::revoke with TPKRevocationBuilder. | Neal H. Walfield
- TPK::revoke is now redundant. Remove it.
2019-09-18 | openpgp: Change TPK::primary to return the key and not the binding | Neal H. Walfield
- The primary key is not a binding; it is a single component. Thus, returning a ComponentBinding is misleading.
- Add methods to the TPK structure to return the direct signatures, certifications, self revocations, and other revocations.
2019-09-18 | openpgp: Combine Signature4::signature_alive and its _at variant. | Neal H. Walfield
- Combine Signature4::signature_alive and Signature4::signature_alive_at.
- Use an Into<Option<time::Tm>> to distinguish the two previous cases: the current time (None), and a specific time (a time::Tm).
2019-09-18 | openpgp: Combine Signature4::signature_expired and its _at variant. | Neal H. Walfield
- Combine Signature4::signature_expired and Signature4::signature_expired_at.
- Use an Into<Option<time::Tm>> to distinguish the two previous cases: the current time (None), and a specific time (a time::Tm).
2019-09-18 | openpgp: Combine TPK::alive and its _at variant. | Neal H. Walfield
- Combine TPK::alive and TPK::alive_at.
- Use an Into<Option<time::Tm>> to distinguish the two previous cases: the current time (None), and a specific time (a time::Tm).
2019-09-18 | openpgp: Combine Signature4::key_alive and its _at variant. | Neal H. Walfield
- Combine Signature4::key_alive and Signature4::key_alive_at.
- Use an Into<Option<time::Tm>> to distinguish the two previous cases: the current time (None), and a specific time (a time::Tm).
2019-09-18 | openpgp: Combine TPK::expired and its _at variant. | Neal H. Walfield
- Combine TPK::expired and TPK::expired_at.
- Use an Into<Option<time::Tm>> to distinguish the two previous cases: the current time (None), and a specific time (a time::Tm).
2019-09-18 | openpgp: Combine Signature4::key_expired and its _at variant. | Neal H. Walfield
- Combine Signature4::key_expired and Signature4::key_expired_at.
- Use an Into<Option<time::Tm>> to distinguish the two previous cases: the current time (None), and a specific time (a time::Tm).
2019-09-17 | openpgp: Rename TPK::revocation_status to TPK::revoked. | Neal H. Walfield
- Combine TPK::revocation_status and TPK::revocation_status_at; only keep the version with the optional time parameter.
- Rename TPK::revocation_status to TPK::revoked to match KeyBinding::revoked, UserIDBinding::revoked, and UserAttributeBinding::revoked.
- Do the same for the C API.
2019-09-17 | openpgp: Add a timestamp arg to ComponentBinding::binding_signature | Neal H. Walfield
- Change ComponentBinding::binding_signature to take an optional timestamp and return the self signature that is active at that time.
2019-09-10 | openpgp: Make password argument polymorphic. | Justus Winter
2019-09-10 | openpgp: Make 'LiteralWriter::new's arguments optional. | Justus Winter
2019-09-06 | openpgp: Rework streaming encryptor. | Justus Winter
- Instead of giving a set of TPKs to the encryptor, hand in a set of recipients, which are (keyid, key)-tuples, conveniently created from key queries over TPKs. This simplifies the encryptor, and makes the key selection explicit.
- Drop the EncryptionMode type.
- As a nice side effect, we can now generate encrypted messages with wildcard recipient addresses.
2019-09-06 | openpgp: New filters for encryption-capable keys. | Justus Winter
2019-08-27 | openpgp: Limit size of non-data packets. | Justus Winter
- This introduces a configurable limit for non-data (i.e. non-container) packets. This prevents a trivial DoS on our parser, which previously assumed that all non-data packets can be buffered.
- Fixes #242.
2019-08-23 | openpgp: Use marker types to denote a Key's type. | Neal H. Walfield
- In addition to providing some added protection, this allows us to implement 'From<Key<_, _>> for Packet'.
2019-08-23 | openpgp: Use a KeyBinding to store the primary key binding in a TPK | Neal H. Walfield
2019-08-20 | openpgp: Make choice of AEAD algorithm explicit. | Justus Winter
- Automatically using AEAD if all recipients claim support is a policy decision, which we'd rather avoid in the openpgp crate.
- Fixes #293.
2019-08-20 | openpgp-ffi: Fix pointer signedness. | Justus Winter
2019-08-20 | openpgp-ffi: Typos. | Justus Winter
2019-07-15 | Prepare for Rust 2018. | Justus Winter
- This is the result of running `cargo fix --edition`, with some manual adjustments.
- The vast majority of changes merely qualify module paths with 'crate::'.
- Two instances of adding an anonymous pattern to a trait's function.
- `async` is a keyword in Rust 2018, and hence it needs to be escaped (e.g. in the case of the net::r#async module).
- The manual adjustments were needed due to various shortcomings of the analysis employed by `cargo fix`, e.g. unexpanded macros, procedural macros, lalrpop grammars.
2019-07-02 | openpgp: Simplify SessionKey::new. | Justus Winter