Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implement crypto-refresh-10 #455

Open
wants to merge 291 commits into
base: master
Choose a base branch
from
Open

implement crypto-refresh-10 #455

wants to merge 291 commits into from

Conversation

dkg
Copy link
Contributor

@dkg dkg commented Jul 22, 2023

This series tries to implement the new parts from draft-ietf-openpgp-crypto-refresh-10. It is based on #451, which restructures some of the internal mechanisms of PGPy to make these changes end up simpler.

I've tried to continue to keep the reasonable type signatures already present in #451, and to at least not introduce regressions in the type safety of the codebase. There are also some additional tests to try to ensure that things are at least internally consistent.

dkg added 30 commits June 16, 2023 17:45
@dkg
sopgpy: drop sop armor's --allow-nested option (deprecated in the spec)
112f8f5
@dkg
sopgpy: fix decrypt warnings when symmetric decryption fails
40aa017
@dkg
sopgpy: clean up _maybe_armor type definitions
6da28fc
@dkg
sopgpy: clean up tz-naive objects if pgpy emits them (it shouldn't)
a727188
@dkg
sopgpy: create wrapper that permits a closure to do operations with a…
28fc92f 
… locked secret key
@dkg
sopgpy: add sop sign --micalg-out
6678af8
@dkg
sopgpy: announce backend distinctly from version of sopgpy
6210476
@dkg
sopgpy: add sop generate-key --with-key-password
faf8f4e
@dkg
sopgpy: add --with-key-password to decrypt, sign, and encrypt (when s…
14d94b7 
…igning)
@dkg
sopgpy: add inline-{detach,sign,verify}
323b48f
@dkg
sopgpy: bump to version 0.3.0 (depends on sop 0.4.0)
b7c3192
@dkg
sopgpy generate-key: improve key password
114321b 
See discussion at
https://gitlab.com/sequoia-pgp/sequoia-sop/-/issues/17
@dkg
sopgpy: move to PGPy 0.6.0 (sigsubj changes)
8272870 
sigsubj objects have an "issues" bitfield, which follows
the "Anna Karenina principle" instead of "verified"
boolean.
@dkg
sopgpy: move to PGPy 0.6.0 (from_blob() behavior changes)
34a35b8 
as of 0.6.0, from_blob() methods will return non-functioning objects
rather than raising an error directly.
@dkg
sopgpy: change license to match PGPy license. I am the sole author so…
be04b27 
… far.
@dkg
sopgpy: use the PGPy version directly, rather than a distinct sopgpy …
70601fc 
…version
@dkg
sopgpy version --extended: add version info about cryptography module…
a2a0621 
… and OpenSSL
@dkg
intentionally distribute sopgpy as part of the module
02bd731
@dkg
sopgpy: drop trailing whitespace
4127e47
@dkg
sopgpy: return ArgumentParser for argparse-manpage
c3090f9
@dkg
sopgpy: lowercase name to match the command-line name
8d071c8
@dkg
use keyword-based arguments when creating SOPSigResult
d21c5de
@dkg
OPSv3: get the "nested" flag right
773f39b 
"nested" semantically probably is meant to mean "another OPS packet follows".
But the byte on the wire is defined as 0 means another OPS packet follows.

Furthermore, the flags are set in the wrong way: before this commit, the
code produced a series of OPS packets where the first packet had a different
value for the flag than all subsequent ones.  What we want is where all the
flags *except* the last OPS packet (corresponding to the *first* Sig packet)
are 0.

See https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/84
@dkg
Add PGPSignatures object, representing bundled detached signatures
e0c2ba8 
a PGPMessage object can contain more than one signature.  Detached signatures should
also be able to handle having more than one signature.

https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-09.html#name-detached-signatures says:

> These detached signatures are simply one or more Signature packets
> stored separately from the data for which they are a signature.

A PGPSignatures object makes the most sense to represent such a thing.

Closes: SecurityInnovation#197
@dkg
sopgpy: clean up type annotations
f087339
@dkg
sopgpy: use sop 0.5.1 (support profiles)
37a741b
@dkg
sopgpy generate-key: Add "rfc4880" profile, for 3072-bit RSA keys
cbe16c5
@dkg
PEP-8 whitespace cleanup
0aa4d68
@dkg
Add PubKeyAlgorithm.Unknown
a01c66c
@dkg
Handle signatures that use an unknown public key algorithm
d38c069
dkg added 25 commits August 23, 2023 18:26
@dkg
define AEADCiphersuiteList in a way that it is both inspectable and s…
e781a6d 
…erializable
@dkg
Define PreferredAEADCiphersuites subpacket
231b2ea
@dkg
allow aead_ciphersuites preferences when certifying
05fd07f
@dkg
Make an AEAD object that can encrypt and decrypt
c2aca31
@dkg
implement SEIPDv2
19901a5
@dkg
String2Key: add AEAD mode (we will re-use the "iv" field for nonce)
747e0cb
@dkg
enable AEAD protection of secret key material (reading not yet suppor…
a4dcb9f 
…ted)
@dkg
implement version 6 of SKESK
1a49ef6
@dkg
implement padding packet
e96068d
@dkg
Handle v6 fingerprints
a11a537
@dkg
add v6 PKESK
8191571
@dkg
add v6 keys, v6 signatures
400ede1 
- serializing v6 keys is subtly different than v4 keys
- v6 certs (or later) don't need a UID any longer
- v6 signature salt length varies by hash algorithm
@dkg
Implement Ed25519 and Ed448 as top-level pubkey algorithm ids
9462547
@dkg
Add X25519 and X448
b8e72f8 
Note that for PKESKv3, they store their symmetric key in the clear,
outside of the ciphertext.  this allows us to avoid padding
shenanigans on the cleartext.
@dkg
enable decryption of secret keys with AEAD
5d35c41
@dkg
sopgpy: generate-key profile for crypto-refresh
0316e15
@dkg
Avoid emitting CRC during ASCII armor of new elements
bb71ac1 
See also the "Optional checksum" part of draft-ietf-openpgp-crypto-refresh-10)
@dkg
When protecting a v6 key, protect it using AEAD with OCB by default.
7deb51c
@dkg
PGPKey.encrypt: select SEIPDv1 or SEIPDv2 according to Features flag
4493171
@dkg
PGPMessage.encrypt: passing aead_mode parameter will use SEIPDv2 with…
03f315a 
… Argon2

(we also allow passing an explicit salt, which normally should not be used
but is useful for generating deterministic test vectors)
@dkg
sopgpy: encrypt: add a profile that distinguishes password-based encr…
93fcc25 
…yption
@dkg
Add encrypt/decrypt and sign/verify roundtrips
070de1f 
This uses cached key generation, and ensures that we cover versions 4
and 6 of keys, as well as all the pubkey algorithms, and different
possible feature sets (SEIPDv1 and SEIPDv2).
@dkg
sopgpy: ensure alignment between {P,S}KESK and SEIPD packets
b55fdd2 
make this work even in the face of multiple passwords and keys
@dkg
sopgpy encrypt: add profile "rfc4880" which only uses SEIPDv1
d2813ae
@dkg
Avoid copy on raw pubkey objects
50efe13 
These pubkey objects are immutable, as noted in
pyca/cryptography#9403, so it should be safe to just
assign.
@dkg dkg force-pushed the dkg/crypto-refresh branch 2 times, most recently from 567f1d5 to 5b05f47 Compare August 24, 2023 13:40
@dkg
AEAD: handle EAX, using Cryptodome if it is available
c030e7a
@dkg
Allow creation and use of v4 keys without a User ID (with warning)
eb631c1 
draft-ietf-openpgp-crypto-refresh-10 makes it clear that even v4
OpenPGP certificates MAY not have a user ID.

Keep a warning in place though, to encourage interoperability with
legacy v4 implementations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@dkg