
implement crypto-refresh-10 #455

Open

wants to merge 291 commits into base: master

Conversation

dkg (Contributor)
@dkg dkg commented Jul 22, 2023

This series tries to implement the new parts from draft-ietf-openpgp-crypto-refresh-10. It is based on #451, which restructures some of the internal mechanisms of PGPy to make these changes end up simpler.

I've tried to continue to keep the reasonable type signatures already present in #451, and to at least not introduce regressions in the type safety of the codebase. There are also some additional tests to try to ensure that things are at least internally consistent.

dkg added 30 commits June 16, 2023 17:45
sigsubj objects have an "issues" bitfield, which follows
the "Anna Karenina principle" instead of a "verified"
boolean.

As of 0.6.0, from_blob() methods will return non-functioning objects
rather than raising an error directly.

"nested" semantically probably is meant to mean "another OPS packet follows".
But the byte on the wire is defined so that 0 means another OPS packet follows.

Furthermore, the flags are set in the wrong way: before this commit, the
code produced a series of OPS packets where the first packet had a different
value for the flag than all subsequent ones.  What we want is where all the
flags *except* the last OPS packet (corresponding to the *first* Sig packet)
are 0.

See https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/84

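The OPS "nested" flag rule described in the commit message above, as an added worked example in Python. This is not PGPy's code and not part of this PR: the v3 One-Pass Signature layout and the meaning of the flag are taken from RFC 4880 section 5.4, while the signer tuples, key IDs and algorithm numbers are constructed for illustration only.

```python
# Added example (not PGPy's code): build and validate a chain of OpenPGP v3
# One-Pass Signature (OPS) packets so that the "nested" flag is set as RFC 4880
# section 5.4 requires: 0 means "another OPS packet follows", and only the last
# OPS in the chain carries 1.  Key IDs and algorithm numbers below are constructed.

OPS_TAG = 4            # packet tag of a One-Pass Signature packet
OPS_VERSION = 3        # v3 OPS: version, sig type, hash alg, pk alg, 8-octet key ID, nested
OPS_V3_BODY_LEN = 13   # 1 + 1 + 1 + 1 + 8 + 1 octets


def encode_ops_v3(sig_type, hash_alg, pk_alg, key_id, nested):
    """Serialize one v3 OPS packet behind a new-format (RFC 4880 s4.2.2) header."""
    if len(key_id) != 8:
        raise ValueError("a v3 OPS packet carries an 8-octet key ID")
    if nested not in (0, 1):
        raise ValueError("nested must be 0 or 1")
    body = bytes([OPS_VERSION, sig_type, hash_alg, pk_alg]) + key_id + bytes([nested])
    # 13-octet body: a one-octet length field is enough (new-format lengths < 192)
    return bytes([0xC0 | OPS_TAG, len(body)]) + body


def ops_chain(signers):
    """Emit one OPS packet per signer, in the order the signatures will be made.
    Signature packets follow the signed data in *reverse* order, so the last OPS
    (nested=1) describes the first Signature packet and every earlier OPS says
    'another OPS follows' (nested=0)."""
    out = bytearray()
    last = len(signers) - 1
    for i, (sig_type, hash_alg, pk_alg, key_id) in enumerate(signers):
        out += encode_ops_v3(sig_type, hash_alg, pk_alg, key_id, 1 if i == last else 0)
    return bytes(out)


def parse_ops_chain(data):
    """Parse consecutive v3 OPS packets from the front of a message; stops after
    the packet whose nested flag is 1, since the signed data follows it."""
    packets = []
    pos = 0
    while pos < len(data):
        if data[pos] != (0xC0 | OPS_TAG):
            raise ValueError("expected an OPS packet at offset %d" % pos)
        length = data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if length != OPS_V3_BODY_LEN or len(body) != length or body[0] != OPS_VERSION:
            raise ValueError("malformed or non-v3 OPS packet at offset %d" % pos)
        packets.append({
            "sig_type": body[1], "hash_alg": body[2], "pk_alg": body[3],
            "key_id": body[4:12], "nested": body[12],
        })
        pos += 2 + length
        if body[12] == 1:
            break
    return packets


def nested_flags_ok(flags):
    """The rule the commit describes: every OPS but the last has nested == 0,
    and the last one has nested == 1.  Rejects the 'first packet differs from
    all subsequent ones' shape as well as an empty chain."""
    return bool(flags) and all(f == 0 for f in flags[:-1]) and flags[-1] == 1


# Constructed signers: (sig type 0x00 = binary document, hash alg, pk alg, key ID).
# Hash alg 8 = SHA2-256, 10 = SHA2-512; pk alg 1 = RSA, 22 = EdDSA (legacy), 19 = ECDSA.
EXAMPLE_SIGNERS = [
    (0x00, 8, 1, bytes.fromhex("0102030405060708")),
    (0x00, 10, 22, bytes.fromhex("1112131415161718")),
    (0x00, 8, 19, bytes.fromhex("2122232425262728")),
]


def example_flags():
    """Round-trip the constructed chain and return its nested flags in order."""
    return [p["nested"] for p in parse_ops_chain(ops_chain(EXAMPLE_SIGNERS))]
```

For three signers the chain serializes to three 15-octet packets with nested flags 0, 0, 1; a checker like `nested_flags_ok` run over a parsed chain is a cheap interoperability guard, since a flag pattern such as 1, 0, 0 would make a verifier believe the signed data starts after the first packet.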
a PGPMessage object can contain more than one signature.  Detached signatures should
also be able to handle having more than one signature.

https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-09.html#name-detached-signatures says:

> These detached signatures are simply one or more Signature packets
> stored separately from the data for which they are a signature.

A PGPSignatures object makes the most sense to represent such a thing.

Closes: SecurityInnovation#197
dkg added 25 commits August 23, 2023 18:26
- serializing v6 keys is subtly different than v4 keys
- v6 certs (or later) don't need a UID any longer
- v6 signature salt length varies by hash algorithm

Note that for PKESKv3, they store their symmetric key in the clear,
outside of the ciphertext.  This allows us to avoid padding
shenanigans on the cleartext.
See also the "Optional checksum" part of draft-ietf-openpgp-crypto-refresh-10.

… Argon2

(we also allow passing an explicit salt, which normally should not be used
but is useful for generating deterministic test vectors)

This uses cached key generation, and ensures that we cover versions 4
and 6 of keys, as well as all the pubkey algorithms, and different
possible feature sets (SEIPDv1 and SEIPDv2).

Make this work even in the face of multiple passwords and keys.

These pubkey objects are immutable, as noted in
pyca/cryptography#9403, so it should be safe to just
assign.

@dkg dkg force-pushed the dkg/crypto-refresh branch 2 times, most recently from 567f1d5 to 5b05f47 on August 24, 2023 13:40

draft-ietf-openpgp-crypto-refresh-10 makes it clear that even v4
OpenPGP certificates MAY not have a user ID.

Keep a warning in place though, to encourage interoperability with
legacy v4 implementations.