crypto-refresh: minor fixes and updates for X25519/Ed25519 (new format) #1687

Merged
merged 7 commits into from Oct 10, 2023


larabr
Collaborator

@larabr larabr commented Sep 29, 2023

See commit messages.

TODO:

  • reject signatures with weak hashes? (waiting for spec decision)

@larabr larabr changed the title crypto-refresh: minor changes to X25519/Ed25519 (new format) crypto-refresh: minor fixes and updates for X25519/Ed25519 (new format) Sep 29, 2023
Set to replace `enums.publicKey.eddsa`, which can still be used everywhere,
but it will be dropped in v6.
Deprecation notices have been added to ease transition.
Due to a bug, a shorter hash could be selected, and signing would throw as a result.
This change fixes the issue by automatically picking SHA-256, if needed.
The same was already done for legacy EdDSA signatures.
… some ECDSA subkeys

The required hash size was determined based on the subkey algo rather than the primary key.
As a result, if the subkey being certified required a shorter hash size than the ECDSA primary key,
the issued signature would include a shorter digest than expected.

This issue is not expected to have practical security impact, and
it only affected keys with ECDSA subkeys with smaller key sizes than their ECDSA primary key
(e.g. NIST p521 primary key and NIST p256 subkey).
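The two hash-selection problems described in the commit messages above (the Ed25519 case where too short a digest was picked and signing threw, and the ECDSA case where the subkey rather than the certifying primary key decided the digest) can be modelled as follows. This is an added example, not openpgp.js code; the curve-to-minimum-digest table is an illustrative reading of RFC 6637's curve/digest pairing, and the key-packet shape and function names are assumptions.

```javascript
// Added example (not openpgp.js code): the digest for a subkey-binding signature
// must be chosen from the *signing* (primary) key, not from the subkey being certified.
// Curve and hash names are illustrative strings; key packets are plain objects here.
const MIN_HASH_FOR_CURVE = {
  // Illustrative minimums following RFC 6637's curve/digest pairing (assumption).
  p256: 'sha256',
  p384: 'sha384',
  p521: 'sha512',
  ed25519: 'sha256',          // crypto-refresh format
  ed25519Legacy: 'sha256'     // legacy EdDSA format
};

const HASH_BITS = { sha256: 256, sha384: 384, sha512: 512 };

// Lowest acceptable digest for a key: ECDSA/EdDSA keys are bound by their curve.
function minHashForKey(keyPacket) {
  const h = MIN_HASH_FOR_CURVE[keyPacket.curve];
  if (!h) throw new Error(`unknown curve ${keyPacket.curve}`);
  return h;
}

// Pick the digest: honour the preference list where it meets the key's minimum,
// otherwise fall back to the minimum itself instead of failing at signing time.
function selectHash(keyPacket, preferredHashes) {
  const min = minHashForKey(keyPacket);
  const ok = preferredHashes.find(h => HASH_BITS[h] >= HASH_BITS[min]);
  return ok || min;
}

// Defective variant: the subkey being certified decides the digest, so a p256
// subkey bound by a p521 primary key gets a digest shorter than the issuer requires.
function bindingHashBuggy(primaryKey, subkey, prefs) {
  return selectHash(subkey, prefs);
}

// Corrected variant: the primary key issues the binding signature, so it decides.
function bindingHashFixed(primaryKey, subkey, prefs) {
  return selectHash(primaryKey, prefs);
}

// Verifier-side check: is the digest on a signature at least as strong as the
// issuing key's curve demands?
function digestStrongEnough(issuerKey, hashUsed) {
  return HASH_BITS[hashUsed] >= HASH_BITS[minHashForKey(issuerKey)];
}
```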
@larabr larabr requested a review from twiss October 3, 2023 16:52
@larabr larabr force-pushed the eddsa-rename-legacy branch 2 times, most recently from 022d8c9 to 5367f43 Compare October 4, 2023 08:36
As mandated by the new crypto-refresh spec.
This applies to both the new and legacy EdDSA format.
For the legacy signatures, it is not expected to be a breaking change, since the spec
already mandated the use of SHA-256 (or stronger).
Set to replace `enums.curve.ed25519` (resp. `.curve25519`), which can still be used everywhere,
but it will be dropped in v6.
Deprecation notices have been added to ease transition.
@larabr larabr merged commit ed482a1 into openpgpjs:main Oct 10, 2023
12 checks passed
2 participants