Age | Commit message (Collapse) | Author |
|
|
|
- Previously, there were two issues:
- There is an implicit policy that constraints the symmetric
algorithm to AES. RFC6637 doesn't forbid other ciphers, so
arguably this should be made explicit and moved to the standard
policy. Only using AES seems to be a sane default choice and will
not impede interoperability in practice (notably, GnuPG constrains
to AES as well).
- We constrain hashes only based on their output length, and are
hence willing to use dubious combinations like (AES128, MD5).
- Constrain the parameters in StandardPolicy::key. Mention this in
the documentation.
- Fixes #839.
|
|
- Fixes #769.
|
|
|
|
- openpgp: Make broken relative links absolute:
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+packet),\1crate::packet,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+cert),\1crate::cert,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+parse),\1crate::parse,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+policy),\1crate::policy,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+serialize),\1crate::serialize,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+armor),\1crate::armor,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+types),\1crate::types,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!] *(\[`PacketPile`\]):).*$,\1 crate::PacketPile,' {} +
- openpgp: Link to PacketParser and Policy structs, not the modules.
- ffi: Make links to sequoia_openpgp and sequoia_net absolute
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+sequoia_openpgp),\1sequoia_openpgp,' {} +
- find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+sequoia_net),\1sequoia_net,' {} +
|
|
- Apply cargo intraconv.
|
|
|
|
- This is a low-level interface. We will provide nicer abstractions
in a followup.
- See #335.
|
|
- https://rust-lang.github.io/rust-clippy/master/index.html#iter_nth_zero
|
|
- Constants have by default a `'static` lifetime
- https://rust-lang.github.io/rust-clippy/master/index.html#redundant_static_lifetimes
|
|
- https://rust-lang.github.io/rust-clippy/master/index.html#match_like_matches_macro
|
|
- https://rust-lang.github.io/rust-clippy/master/index.html#or_fun_call
|
|
- SystemTime +/- Duration may over-/underflow.
|
|
- Currently, the openpgp crate doesn't process third-party
certifications.
- As such, there are no contexts in the openpgp crate where ignoring
a trust signature subpacket or regular expression subpacket would
lead to an incorrect result.
- Similarly, if an application doesn't process third-party
certifications, it also won't incorrectly handle the trust
signature and regular expression subpackets.
- If an application does process third-party certifications, and
doesn't handle trust signatures or regular expressions, then it
should explicitly opt-out.
- As such, change the StandardPolicy to accept the Trust Signature
subpacket and the Regular Expression subpacket.
|
|
|
|
- January 1st is a holiday in much of the world.
- When we disable an algorithm, things will almost certainly break
somewhere.
- Reduce the chance that things break when people are on vacation by
using February 1st as the cutoff day instead of January 1st.
|
|
- A `Policy` now knows whether the use of a hash requires collision
resistance or only second pre-image resistance.
- Extend `StandardPolicy`'s hash policy API to allow a user to
express a more nuanced policy that takes this information into
account.
- See #595.
|
|
- The standard policy currently has two policies related to hash
algorithms: when a hash algorithm should be rejected for normal
signatures, and when a hash algorithm should be rejected for
revocation sigantures.
- If we distinguish two security contexts, then we'll have four
policies (the cross product).
- If the currently state is not already unmanageable, then this
certainly is.
- Simplify this by using a single scalar to represent how long a
revocation certificate using a broken hash should continue to be
accepted.
- This is probably sufficiently expressive in practice as this is a
largely inexact science. And, if a more nuanced policy is
required, it is always possible to wrap `StandardPolicy`.
|
|
- Fixes #473.
|
|
|
|
|
|
- If the signer controls the data that is being signed, then the
hash algorithm only needs second pre-image resistance.
- This observation can be used to extend the life of hash algorithms
that have been weakened, as is the case for SHA-1.
- Introduces a new `enum HashAlgoSecurity`, which is now passed to
`Policy::signature`.
- See #595.
|
|
- All types that are `Send` and `Sync` are checked now.
- Fixes #627.
|
|
|
|
- This ensures that all types with Policies (`Valid*`) are `Send` and `Sync`.
|
|
- Use generics and the anonmymous lifetime in `assert_send_and_sync!`.
- See 627.
|
|
- See #627.
|
|
- Make `generate_key` polymorphic over `AsRef<KeyFlags>`.
- Since `set_key_flags` requires ownership of the key flags, it should
take ownership rather than borrowing and cloning the them.
See https://rust-lang.github.io/api-guidelines/flexibility.html#caller-decides-where-to-copy-and-place-data-c-caller-control .
- See #616.
|
|
`key` parameter.
- Make sign_direct_key take Key of key::PublicParts.
- Simplify calling sign_direct_key by using Into.
- Allow passing None to sign_subkey_binding.
- Allow passing None to sign_userid_binding.
- Allow using None as key parameter.
- Improve docs mentioning new default for `pk`.
- `pk` set to `Option::None` will now default to signer's public key.
- Fixes #565.
|
|
- Fixes #563
- With an MSRV >= 1.40.0, we can use #[non_exhaustive], as mentioned
in #406.
- This is also a clippy lint:
https://rust-lang.github.io/rust-clippy/master/index.html#manual_non_exhaustive
|
|
|
|
- This will allow us to mark subpackets as authenticated by the
verification operation.
|
|
- This is closer to collection types such as HashMap, and
distinguishes the function from Cert::merge that merges two
certificates.
- See #572.
|
|
|
|
- See #525.
|
|
- This also drops the implementation of PartialOrd since we did not
use it in the key selection after all.
- Fixes #525.
|
|
- When using the `SignatureBuilder`, the signature creation time and
issuer subpackets will be correctly set by default.
- Don't do it explicitly.
|
|
- Returning rich errors from this function may compromise secret key
material due to Bleichenbacher-style attacks. Change the API to
prevent this.
- Hat tip to Hanno Böck.
- Fixes #507.
|
|
- Returning rich errors from this function may compromise secret key
material due to Bleichenbacher-style attacks. Change the API to
prevent this.
- Hat tip to Hanno Böck.
- See #507.
|
|
- Fix unmatched references.
|
|
- See #498.
|
|
- See #498.
|
|
- See #498.
|
|
- Implement IntoIter and Deref to &'a [MessageLayer<'a>], drop the
custom iteration structs.
|
|
- Change `Cert::merge_packets` to take an `IntoIterator` instead of
a vector.
- This change simplifies the most common case of passing in a single
packet, and doesn't make the second most common case of passing in
a vector of packets any more complicated.
|
|
- Rename `Cert::revoke_in_place` to `Cert::revoke`.
- Return the revocation certificate; don't merge it.
- Fixes #485.
|
|
- Rename `Cert::revoked`, `ValidCert::revoked`,
`ValidAmalgamation::revoked`, and `ComponentBundle::revoked` to
revocation_status to more accurately match what it does.
- Don't rename `ValidComponentAmalgamationIter::revoked` or
`ValidKeyAmalgamationIter::revoked`. They don't return the
revocation status; they check whether the key is revoked.
|
|
- Fixes #495.
|
|
- Rename all calls to `Builder` with `SignatureBuilder`.
- Fixes #481.
|
|
To be consistent; we don't use plural forms for modules anywhere else
and Rust always uses singular forms.
|