As mandated by the new crypto-refresh spec.
This applies to both the new and legacy EdDSA format.
For the legacy signatures, it is not expected to be a breaking change, since the spec
already mandated the use SHA-256 (or stronger).
As specified in openpgp-crypto-refresh-09.
Instead of encoding the symmetric key algorithm in the PKESK ciphertext (requiring padding),
the symmetric key algorithm is left unencrypted.
Co-authored-by: Lukas Burkhalter <lukas.burkhalter@proton.ch>
- Use PascalCase for classes, with uppercase acronyms.
- Use camelCase for function and variables. First word/acronym is always
lowercase, otherwise acronyms are uppercase.
Also, make the packet classes' `tag` properties `static`.
- Rename `config.compression` to `config.preferredCompressionAlgorithm`
- Rename `config.encryptionCipher` to `config.preferredSymmetricAlgorithm`
- Rename `config.preferHashAlgorithm` to `config.preferredHashAlgorithm`
- Rename `config.aeadMode` to `config.preferredAeadAlgorithm`
- When encrypting to public keys, the compression/aead/symmetric algorithm is selected by:
- taking the preferred algorithm specified in config, if it is supported by all recipients
- otherwise, taking the "MUST implement" algorithm specified by rfc4880bis
- When encrypting to passphrases only (no public keys), the preferred algorithms from `config` are always used
- EdDSA signing with a hash algorithm weaker than sha256 is explicitly disallowed (https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2)
- Store private and public params separately and by name in objects,
instead of as an array
- Do not keep params in MPI form, but convert them to Uint8Arrays when
generating/parsing the key
- Modify low-level crypto functions to always accept and return
Uint8Arrays instead of BigIntegers
- Move PKCS1 padding to lower level functions
* Various FIXME tags are removed
* In curve.js:
- webCrypto/nodeCrypto fallback bug is fixed
- Curve25519 has keyType ecdsa (won't be used for signing, but technically can be)
- webGenKeyPair is simplifed
* In base64.js:
- documentation added and arguments simplified
* In ecdsa.js and eddsa.js:
- hash_algo is now at least as strong as the default curve hash
- simplified the code by moving webSign/nodeSign and webVerify/nodeVerify to live in key.js (ht @ismaelbej)
* In message.js:
- in decryptSessionKey, loops break once a key packet is decrypted
* In key.js:
- getPreferredHashAlgorithm returns the best hash algorithm
- enums are used for curve selection
