From 5b283550b7552a3f4ac613aa6bd096f33ad89acd Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Thu, 28 Sep 2023 19:21:24 +0200 Subject: [PATCH 1/7] Add `enums.publicKey.eddsaLegacy` Set to replace `enums.publicKey.eddsa`, which can still be used everywhere, but it will be dropped in v6. Deprecation notices have been added to ease transition. --- openpgp.d.ts | 2 ++ src/crypto/crypto.js | 12 ++++-------- src/crypto/public_key/elliptic/oid_curves.js | 2 +- src/crypto/signature.js | 9 +++------ src/enums.js | 7 +++++-- src/key/helper.js | 8 ++++---- test/general/config.js | 6 +++--- 7 files changed, 22 insertions(+), 24 deletions(-) diff --git a/openpgp.d.ts b/openpgp.d.ts index b2c4c4ee..9c8e2c98 100644 --- a/openpgp.d.ts +++ b/openpgp.d.ts @@ -820,7 +820,9 @@ export namespace enums { dsa = 17, ecdh = 18, ecdsa = 19, + /** @deprecated use `eddsaLegacy` instead */ eddsa = 22, + eddsaLegacy = 22, aedh = 23, aedsa = 24, } diff --git a/src/crypto/crypto.js b/src/crypto/crypto.js index d04a9765..35bf0bb0 100644 --- a/src/crypto/crypto.js +++ b/src/crypto/crypto.js @@ -168,8 +168,7 @@ export function parsePublicKeyParams(algo, bytes) { const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2; return { read: read, publicParams: { oid, Q } }; } - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: { + case enums.publicKey.eddsaLegacy: { const oid = new OID(); read += oid.read(bytes); checkSupportedCurve(oid); let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2; @@ -224,8 +223,7 @@ export function parsePrivateKeyParams(algo, bytes, publicParams) { d = util.leftPad(d, curve.payloadSize); return { read, privateParams: { d } }; } - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: { + case enums.publicKey.eddsaLegacy: { const curve = new CurveWithOID(publicParams.oid); let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2; seed = util.leftPad(seed, curve.payloadSize); @@ -331,8 +329,7 @@ export function generateParams(algo, bits, oid) { privateParams: { d: secret }, publicParams: { oid: new OID(oid), Q } })); - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: + case enums.publicKey.eddsaLegacy: return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({ privateParams: { seed: secret }, publicParams: { oid: new OID(oid), Q } @@ -401,8 +398,7 @@ export async function validateParams(algo, publicParams, privateParams) { const { d } = privateParams; return algoModule.validateParams(oid, Q, d); } - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: { + case enums.publicKey.eddsaLegacy: { const { Q, oid } = publicParams; const { seed } = privateParams; return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed); diff --git a/src/crypto/public_key/elliptic/oid_curves.js b/src/crypto/public_key/elliptic/oid_curves.js index af04896f..e8d563ef 100644 --- a/src/crypto/public_key/elliptic/oid_curves.js +++ b/src/crypto/public_key/elliptic/oid_curves.js @@ -92,7 +92,7 @@ const curves = { }, ed25519: { oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01], - keyType: enums.publicKey.eddsa, + keyType: enums.publicKey.eddsaLegacy, hash: enums.hash.sha512, node: false, // nodeCurves.ed25519 TODO payloadSize: 32 diff --git a/src/crypto/signature.js b/src/crypto/signature.js index fcef95ae..b4d2aed3 100644 --- a/src/crypto/signature.js +++ b/src/crypto/signature.js @@ -46,8 +46,7 @@ export function parseSignatureParams(algo, signature) { // Algorithm-Specific Fields for legacy EdDSA signatures: // - MPI of an EC point r. // - EdDSA value s, in MPI, in the little endian representation - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: { + case enums.publicKey.eddsaLegacy: { // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values: // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9 let r = util.readMPI(signature.subarray(read)); read += r.length + 2; @@ -103,8 +102,7 @@ export async function verify(algo, hashAlgo, signature, publicParams, data, hash const s = util.leftPad(signature.s, curveSize); return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed); } - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: { + case enums.publicKey.eddsaLegacy: { const { oid, Q } = publicParams; // signature already padded on parsing return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed); @@ -158,8 +156,7 @@ export async function sign(algo, hashAlgo, publicKeyParams, privateKeyParams, da const { d } = privateKeyParams; return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed); } - case enums.publicKey.eddsa: - case enums.publicKey.ed25519Legacy: { + case enums.publicKey.eddsaLegacy: { const { oid, Q } = publicKeyParams; const { seed } = privateKeyParams; return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed); diff --git a/src/enums.js b/src/enums.js index 1ac86d53..ad7ec96d 100644 --- a/src/enums.js +++ b/src/enums.js @@ -111,8 +111,11 @@ export default { ecdsa: 19, /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below) * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */ - ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility - eddsa: 22, // to be deprecated in v6 + eddsaLegacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility + /** @deprecated use `eddsaLegacy` instead */ + ed25519Legacy: 22, + /** @deprecated use `eddsaLegacy` instead */ + eddsa: 22, /** Reserved for AEDH */ aedh: 23, /** Reserved for AEDSA */ diff --git a/src/key/helper.js b/src/key/helper.js index bb89a537..5eb7f442 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -137,7 +137,7 @@ export async function getPreferredHashAlgo(key, keyPacket, date = new Date(), us switch (keyPacket.algorithm) { case enums.publicKey.ecdh: case enums.publicKey.ecdsa: - case enums.publicKey.eddsa: + case enums.publicKey.eddsaLegacy: prefAlgo = crypto.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid); } } @@ -348,7 +348,7 @@ export function sanitizeKeyOptions(options, subkeyDefaults = {}) { options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519; } if (options.sign) { - options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsa : enums.publicKey.ecdsa; + options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa; } else { options.algorithm = enums.publicKey.ecdh; } @@ -377,7 +377,7 @@ export function isValidEncryptionKeyPacket(keyPacket, signature) { return keyAlgo !== enums.publicKey.dsa && keyAlgo !== enums.publicKey.rsaSign && keyAlgo !== enums.publicKey.ecdsa && - keyAlgo !== enums.publicKey.eddsa && + keyAlgo !== enums.publicKey.eddsaLegacy && keyAlgo !== enums.publicKey.ed25519 && (!signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 || @@ -417,7 +417,7 @@ export function checkKeyRequirements(keyPacket, config) { } break; case enums.publicKey.ecdsa: - case enums.publicKey.eddsa: + case enums.publicKey.eddsaLegacy: case enums.publicKey.ecdh: if (config.rejectCurves.has(algoInfo.curve)) { throw new Error(`Support for ${algoInfo.algorithm} keys using curve ${algoInfo.curve} is disabled.`); diff --git a/test/general/config.js b/test/general/config.js index f36f7cc6..47f3dcb8 100644 --- a/test/general/config.js +++ b/test/general/config.js @@ -178,7 +178,7 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI showComment: true, preferredCompressionAlgorithm: openpgp.enums.compression.zip, preferredHashAlgorithm: openpgp.enums.hash.sha512, - rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) // should not matter in this context + rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsaLegacy]) // should not matter in this context }; const opt2 = { privateKey: origKey, userIDs, config }; const { privateKey: refKeyArmored2 } = await openpgp.reformatKey(opt2); @@ -366,7 +366,7 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI await expect(openpgp.sign(opt2)).to.be.rejectedWith(/Insecure hash algorithm/); await expect(openpgp.sign({ - message, signingKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) } + message, signingKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsaLegacy]) } })).to.be.eventually.rejectedWith(/eddsa keys are considered too weak/); await expect(openpgp.sign({ message, signingKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.ed25519]) } @@ -411,7 +411,7 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI const opt4 = { message: await openpgp.readMessage({ armoredMessage: signed }), verificationKeys: [key], - config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) } + config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsaLegacy]) } }; const { signatures: [sig4] } = await openpgp.verify(opt4); await expect(sig4.verified).to.be.rejectedWith(/eddsa keys are considered too weak/); From 01b02d6092ce74dc3a63ad6bb2b20f46cb44da50 Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Thu, 28 Sep 2023 19:58:35 +0200 Subject: [PATCH 2/7] Always select SHA-256 or longer hash for Ed25519 signatures (new format) Due to a bug, a shorter hash could be selected, and signing would throw as a result. This change fixes the issue by automatically picking SHA-256, if needed. The same was already done for legacy EdDSA signatures. --- src/crypto/crypto.js | 17 +++++++++++++++++ src/key/helper.js | 18 +++++------------- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/src/crypto/crypto.js b/src/crypto/crypto.js index 35bf0bb0..088d0b15 100644 --- a/src/crypto/crypto.js +++ b/src/crypto/crypto.js @@ -468,3 +468,20 @@ function checkSupportedCurve(oid) { throw new UnsupportedError('Unknown curve OID'); } } + +/** + * Get preferred hash algo for a given elliptic algo + * @param {module:enums.publicKey} algo - alrogithm identifier + * @param {module:type/oid} [oid] - curve OID if needed by algo + */ +export function getPreferredCurveHashAlgo(algo, oid) { + switch (algo) { + case enums.publicKey.ecdsa: + case enums.publicKey.eddsaLegacy: + return publicKey.elliptic.getPreferredHashAlgo(oid); + case enums.publicKey.ed25519: + return enums.hash.sha256; + default: + throw new Error('Unknown elliptic signing algo'); + } +} diff --git a/src/key/helper.js b/src/key/helper.js index 5eb7f442..35a01e10 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -5,8 +5,6 @@ */ import { - PublicKeyPacket, - PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, SignaturePacket @@ -129,17 +127,11 @@ export async function getPreferredHashAlgo(key, keyPacket, date = new Date(), us prefAlgo : hashAlgo; } } - switch (Object.getPrototypeOf(keyPacket)) { - case SecretKeyPacket.prototype: - case PublicKeyPacket.prototype: - case SecretSubkeyPacket.prototype: - case PublicSubkeyPacket.prototype: - switch (keyPacket.algorithm) { - case enums.publicKey.ecdh: - case enums.publicKey.ecdsa: - case enums.publicKey.eddsaLegacy: - prefAlgo = crypto.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid); - } + switch (keyPacket.algorithm) { + case enums.publicKey.ecdsa: + case enums.publicKey.eddsaLegacy: + case enums.publicKey.ed25519: + prefAlgo = crypto.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid); } return crypto.hash.getHashByteLength(hashAlgo) <= crypto.hash.getHashByteLength(prefAlgo) ? prefAlgo : hashAlgo; From 1fd9d2f0c5571a82a03713a84d5a73f4f7f812a6 Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Fri, 29 Sep 2023 12:58:51 +0200 Subject: [PATCH 3/7] Fix binding signature generation using shorter hash than expected for some ECDSA subkeys The required hash size was determined based on the subkey algo rather than the primary key. As a result, if the subkey being certified required a shorter hash size than the ECDSA primary key, the issued signature would include a shorter digest than expected. This issue is not expected to have practical security impact, and it only affected keys with ECDSA subkeys with smaller key sizes than their ECDSA primary key (e.g. NIST p521 primary key and NIST p256 subkey). --- src/key/helper.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/key/helper.js b/src/key/helper.js index 35a01e10..00ae8554 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -89,7 +89,7 @@ export async function createBindingSignature(subkey, primaryKey, options, config const subkeySignaturePacket = new SignaturePacket(); subkeySignaturePacket.signatureType = enums.signature.subkeyBinding; subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm; - subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, subkey, undefined, undefined, config); + subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, primaryKey, undefined, undefined, config); if (options.sign) { subkeySignaturePacket.keyFlags = [enums.keyFlags.signData]; subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, { From b6fbab044350bcba999b0e8eaca74c327f7518f6 Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Fri, 29 Sep 2023 13:00:44 +0200 Subject: [PATCH 4/7] Internally use `createSignaturePacket` helper whenever possible --- src/key/factory.js | 34 +++++++++++++++++----------------- src/key/helper.js | 17 +++++++---------- 2 files changed, 24 insertions(+), 27 deletions(-) diff --git a/src/key/factory.js b/src/key/factory.js index b2477960..44d7462f 100644 --- a/src/key/factory.js +++ b/src/key/factory.js @@ -197,50 +197,50 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf const dataToSign = {}; dataToSign.userID = userIDPacket; dataToSign.key = secretKeyPacket; - const signaturePacket = new SignaturePacket(); - signaturePacket.signatureType = enums.signature.certGeneric; - signaturePacket.publicKeyAlgorithm = secretKeyPacket.algorithm; - signaturePacket.hashAlgorithm = await helper.getPreferredHashAlgo(null, secretKeyPacket, undefined, undefined, config); - signaturePacket.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData]; - signaturePacket.preferredSymmetricAlgorithms = createPreferredAlgos([ + + const signatureProperties = {}; + signatureProperties.signatureType = enums.signature.certGeneric; + signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData]; + signatureProperties.preferredSymmetricAlgorithms = createPreferredAlgos([ // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support) enums.symmetric.aes256, enums.symmetric.aes128, enums.symmetric.aes192 ], config.preferredSymmetricAlgorithm); if (config.aeadProtect) { - signaturePacket.preferredAEADAlgorithms = createPreferredAlgos([ + signatureProperties.preferredAEADAlgorithms = createPreferredAlgos([ enums.aead.eax, enums.aead.ocb ], config.preferredAEADAlgorithm); } - signaturePacket.preferredHashAlgorithms = createPreferredAlgos([ + signatureProperties.preferredHashAlgorithms = createPreferredAlgos([ // prefer fast asm.js implementations (SHA-256) enums.hash.sha256, enums.hash.sha512 ], config.preferredHashAlgorithm); - signaturePacket.preferredCompressionAlgorithms = createPreferredAlgos([ + signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([ enums.compression.zlib, enums.compression.zip, enums.compression.uncompressed ], config.preferredCompressionAlgorithm); if (index === 0) { - signaturePacket.isPrimaryUserID = true; + signatureProperties.isPrimaryUserID = true; } // integrity protection always enabled - signaturePacket.features = [0]; - signaturePacket.features[0] |= enums.features.modificationDetection; + signatureProperties.features = [0]; + signatureProperties.features[0] |= enums.features.modificationDetection; if (config.aeadProtect) { - signaturePacket.features[0] |= enums.features.aead; + signatureProperties.features[0] |= enums.features.aead; } if (config.v5Keys) { - signaturePacket.features[0] |= enums.features.v5Keys; + signatureProperties.features[0] |= enums.features.v5Keys; } if (options.keyExpirationTime > 0) { - signaturePacket.keyExpirationTime = options.keyExpirationTime; - signaturePacket.keyNeverExpires = false; + signatureProperties.keyExpirationTime = options.keyExpirationTime; + signatureProperties.keyNeverExpires = false; } - await signaturePacket.sign(secretKeyPacket, dataToSign, options.date); + + const signaturePacket = await helper.createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config); return { userIDPacket, signaturePacket }; })).then(list => { diff --git a/src/key/helper.js b/src/key/helper.js index 00ae8554..77507151 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -86,23 +86,20 @@ export async function createBindingSignature(subkey, primaryKey, options, config const dataToSign = {}; dataToSign.key = primaryKey; dataToSign.bind = subkey; - const subkeySignaturePacket = new SignaturePacket(); - subkeySignaturePacket.signatureType = enums.signature.subkeyBinding; - subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm; - subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, primaryKey, undefined, undefined, config); + const signatureProperties = { signatureType: enums.signature.subkeyBinding }; if (options.sign) { - subkeySignaturePacket.keyFlags = [enums.keyFlags.signData]; - subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, { + signatureProperties.keyFlags = [enums.keyFlags.signData]; + signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, { signatureType: enums.signature.keyBinding }, options.date, undefined, undefined, undefined, config); } else { - subkeySignaturePacket.keyFlags = [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage]; + signatureProperties.keyFlags = [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage]; } if (options.keyExpirationTime > 0) { - subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime; - subkeySignaturePacket.keyNeverExpires = false; + signatureProperties.keyExpirationTime = options.keyExpirationTime; + signatureProperties.keyNeverExpires = false; } - await subkeySignaturePacket.sign(primaryKey, dataToSign, options.date); + const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config); return subkeySignaturePacket; } From c0f57dffb25d0e974320d05276c8bb0faaf55981 Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Fri, 29 Sep 2023 16:13:31 +0200 Subject: [PATCH 5/7] Do not clamp generated private key in X25519 (new format) This was required by legacy ECDH over curve25519, but not for the new format. Relevant spec: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-curve25519legacy-ecdh-secre --- src/crypto/public_key/elliptic/ecdh_x.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/crypto/public_key/elliptic/ecdh_x.js b/src/crypto/public_key/elliptic/ecdh_x.js index 136dc1c4..3b66c0c0 100644 --- a/src/crypto/public_key/elliptic/ecdh_x.js +++ b/src/crypto/public_key/elliptic/ecdh_x.js @@ -27,8 +27,6 @@ export async function generate(algo) { case enums.publicKey.x25519: { // k stays in little-endian, unlike legacy ECDH over curve25519 const k = getRandomBytes(32); - k[0] &= 248; - k[31] = (k[31] & 127) | 64; const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k); return { A, k }; } From a12ca976a0da6d95e7a4b11e89356f11fe51d486 Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Tue, 3 Oct 2023 18:07:49 +0200 Subject: [PATCH 6/7] Reject signatures with hash digest shorter than 256-bit for ed25519 As mandated by the new crypto-refresh spec. This applies to both the new and legacy EdDSA format. For the legacy signatures, it is not expected to be a breaking change, since the spec already mandated the use SHA-256 (or stronger). --- src/crypto/crypto.js | 2 +- src/crypto/public_key/elliptic/eddsa.js | 17 ++++++++++++++--- src/crypto/public_key/elliptic/eddsa_legacy.js | 5 ++++- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/src/crypto/crypto.js b/src/crypto/crypto.js index 088d0b15..0cb86be1 100644 --- a/src/crypto/crypto.js +++ b/src/crypto/crypto.js @@ -480,7 +480,7 @@ export function getPreferredCurveHashAlgo(algo, oid) { case enums.publicKey.eddsaLegacy: return publicKey.elliptic.getPreferredHashAlgo(oid); case enums.publicKey.ed25519: - return enums.hash.sha256; + return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo); default: throw new Error('Unknown elliptic signing algo'); } diff --git a/src/crypto/public_key/elliptic/eddsa.js b/src/crypto/public_key/elliptic/eddsa.js index 82ec956d..e38cbb96 100644 --- a/src/crypto/public_key/elliptic/eddsa.js +++ b/src/crypto/public_key/elliptic/eddsa.js @@ -61,9 +61,8 @@ export async function generate(algo) { * @async */ export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashed) { - if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) { - // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2 - throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.'); + if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo(algo))) { + throw new Error('Hash algorithm too weak for EdDSA.'); } switch (algo) { case enums.publicKey.ed25519: { @@ -90,6 +89,9 @@ export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashe * @async */ export async function verify(algo, hashAlgo, { RS }, m, publicKey, hashed) { + if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo(algo))) { + throw new Error('Hash algorithm too weak for EdDSA.'); + } switch (algo) { case enums.publicKey.ed25519: { return nacl.sign.detached.verify(hashed, RS, publicKey); @@ -124,3 +126,12 @@ export async function validateParams(algo, A, seed) { return false; } } + +export function getPreferredHashAlgo(algo) { + switch (algo) { + case enums.publicKey.ed25519: + return enums.hash.sha256; + default: + throw new Error('Unknown EdDSA algo'); + } +} diff --git a/src/crypto/public_key/elliptic/eddsa_legacy.js b/src/crypto/public_key/elliptic/eddsa_legacy.js index 7c348de1..63929ea7 100644 --- a/src/crypto/public_key/elliptic/eddsa_legacy.js +++ b/src/crypto/public_key/elliptic/eddsa_legacy.js @@ -47,7 +47,7 @@ nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest()); export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) { if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) { // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2 - throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.'); + throw new Error('Hash algorithm too weak for EdDSA.'); } const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]); const signature = nacl.sign.detached(hashed, secretKey); @@ -71,6 +71,9 @@ export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed * @async */ export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) { + if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) { + throw new Error('Hash algorithm too weak for EdDSA.'); + } const signature = util.concatUint8Array([r, s]); return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1)); } From 99ba76c6959aa2c85a534817d4433a255922a4bb Mon Sep 17 00:00:00 2001 From: larabr <7375870+larabr@users.noreply.github.com> Date: Tue, 3 Oct 2023 18:47:39 +0200 Subject: [PATCH 7/7] Add `enums.curve.ed25519Legacy` and `.x25519Legacy` Set to replace `enums.curve.ed25519` (resp. `.curve25519`), which can still be used everywhere, but it will be dropped in v6. Deprecation notices have been added to ease transition. --- openpgp.d.ts | 4 ++++ src/enums.js | 8 ++++++-- src/key/helper.js | 6 +++--- test/general/config.js | 8 ++++---- test/general/key.js | 2 +- 5 files changed, 18 insertions(+), 10 deletions(-) diff --git a/openpgp.d.ts b/openpgp.d.ts index 9c8e2c98..df44c530 100644 --- a/openpgp.d.ts +++ b/openpgp.d.ts @@ -831,8 +831,12 @@ export namespace enums { p256 = 'p256', p384 = 'p384', p521 = 'p521', + /** @deprecated use `ed25519Legacy` instead */ ed25519 = 'ed25519', + ed25519Legacy = 'ed25519', + /** @deprecated use `x25519Legacy` instead */ curve25519 = 'curve25519', + x25519Legacy = 'curve25519', secp256k1 = 'secp256k1', brainpoolP256r1 = 'brainpoolP256r1', brainpoolP384r1 = 'brainpoolP384r1', diff --git a/src/enums.js b/src/enums.js index ad7ec96d..c6df0a9b 100644 --- a/src/enums.js +++ b/src/enums.js @@ -43,17 +43,21 @@ export default { '2b8104000a': 'secp256k1', '2B8104000A': 'secp256k1', - /** Ed25519 */ + /** Ed25519 - deprecated by crypto-refresh (replaced by standaone Ed25519 algo) */ + 'ed25519Legacy': 'ed25519', 'ED25519': 'ed25519', + /** @deprecated use `ed25519Legacy` instead */ 'ed25519': 'ed25519', 'Ed25519': 'ed25519', '1.3.6.1.4.1.11591.15.1': 'ed25519', '2b06010401da470f01': 'ed25519', '2B06010401DA470F01': 'ed25519', - /** Curve25519 */ + /** Curve25519 - deprecated by crypto-refresh (replaced by standaone X25519 algo) */ + 'x25519Legacy': 'curve25519', 'X25519': 'curve25519', 'cv25519': 'curve25519', + /** @deprecated use `x25519Legacy` instead */ 'curve25519': 'curve25519', 'Curve25519': 'curve25519', '1.3.6.1.4.1.3029.1.5.1': 'curve25519', diff --git a/src/key/helper.js b/src/key/helper.js index 77507151..a075cd48 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -333,11 +333,11 @@ export function sanitizeKeyOptions(options, subkeyDefaults = {}) { } catch (e) { throw new Error('Unknown curve'); } - if (options.curve === enums.curve.ed25519 || options.curve === enums.curve.curve25519) { - options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519; + if (options.curve === enums.curve.ed25519Legacy || options.curve === enums.curve.x25519Legacy) { + options.curve = options.sign ? enums.curve.ed25519Legacy : enums.curve.x25519Legacy; } if (options.sign) { - options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa; + options.algorithm = options.curve === enums.curve.ed25519Legacy ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa; } else { options.algorithm = enums.publicKey.ecdh; } diff --git a/test/general/config.js b/test/general/config.js index 47f3dcb8..cff7ecc0 100644 --- a/test/general/config.js +++ b/test/general/config.js @@ -296,11 +296,11 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI })).to.be.eventually.rejectedWith(/ecdh keys are considered too weak/); await expect(openpgp.encrypt({ - message, encryptionKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.curve25519]) } + message, encryptionKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.x25519Legacy]) } })).to.be.eventually.rejectedWith(/Support for ecdh keys using curve curve25519 is disabled/); const echdEncrypted = await openpgp.encrypt({ - message, encryptionKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.ed25519]) } + message, encryptionKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.ed25519Legacy]) } }); expect(echdEncrypted).to.match(/---BEGIN PGP MESSAGE---/); } finally { @@ -369,7 +369,7 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI message, signingKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsaLegacy]) } })).to.be.eventually.rejectedWith(/eddsa keys are considered too weak/); await expect(openpgp.sign({ - message, signingKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.ed25519]) } + message, signingKeys: [key], config: { rejectCurves: new Set([openpgp.enums.curve.ed25519Legacy]) } })).to.be.eventually.rejectedWith(/Support for eddsa keys using curve ed25519 is disabled/); }); @@ -419,7 +419,7 @@ n9/quqtmyOtYOA6gXNCw0Fal3iANKBmsPmYI const opt5 = { message: await openpgp.readMessage({ armoredMessage: signed }), verificationKeys: [key], - config: { rejectCurves: new Set([openpgp.enums.curve.ed25519]) } + config: { rejectCurves: new Set([openpgp.enums.curve.ed25519Legacy]) } }; const { signatures: [sig5] } = await openpgp.verify(opt5); await expect(sig5.verified).to.be.eventually.rejectedWith(/Support for eddsa keys using curve ed25519 is disabled/); diff --git a/test/general/key.js b/test/general/key.js index 2b416def..e2bab875 100644 --- a/test/general/key.js +++ b/test/general/key.js @@ -4070,7 +4070,7 @@ XvmoLueOOShu01X/kaylMqaT8w== const subkey = newPrivateKey.subkeys[total]; expect(subkey).to.exist; expect(subkey.getAlgorithmInfo().algorithm).to.be.equal('ecdh'); - expect(subkey.getAlgorithmInfo().curve).to.be.equal(openpgp.enums.curve.curve25519); + expect(subkey.getAlgorithmInfo().curve).to.be.equal(openpgp.enums.curve.x25519Legacy); await subkey.verify(); });