Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to OpenPGP.js v6 #190

Merged
merged 30 commits into from
Nov 7, 2024
Merged

Upgrade to OpenPGP.js v6 #190

merged 30 commits into from
Nov 7, 2024

Conversation

larabr
Copy link
Collaborator

@larabr larabr commented Nov 23, 2023
edited
Loading

Non-breaking changes:

  • added support for RFC9580 (new OpenPGP spec), including:
    • reading and generating v6 packet versions
    • processing and generating Curve448 keys, and Curve25519 in new format
    • ...

Breaking changes:

  • for downstream TS compiler, using the new "node16" or "Bundler" module resolution is required, as e.g. the noble-hashes lib uses exports only (if this is too problematic, we could temporarily add legacy entrypoints to that dependency, since we currently use a fork).
  • limited support for (legacy, non-standardized) AEAD-encrypted v4 keys as per draft4880bis
  • checkKeyCompatibility will reject v5 keys
  • enum name changes related to legacy curve25519, eddsa, and nist curves
  • ...

TODO:

  • rebase on top of TS fix for lightweight build (to be released in next openpgpjs v6 pre-release)
  • release protontech/v6 and point to it
  • test integration with web-clients, esp. TS config
  • post-canary:
    • we currently reject keys in new eddsa/xecdh format (in checkKeyStrength) (allow for v6 keys only)
    • accept sha3 in generated key prefs (v6 keys only)
    • make explicit date inputs mandatory?
  • ...

@larabr larabr force-pushed the openpgpjs-v6 branch 2 times, most recently from 1edf643 to 280d91c Compare November 28, 2023 13:30
@larabr larabr force-pushed the openpgpjs-v6 branch 3 times, most recently from 00afbcb to f876d28 Compare December 5, 2023 16:02
@larabr larabr force-pushed the openpgpjs-v6 branch 3 times, most recently from 53fde95 to c4f1cde Compare December 12, 2023 10:25
larabr
larabr commented Dec 19, 2023
View reviewed changes
lib/key/forwarding.ts Outdated Show resolved Hide resolved
@larabr larabr force-pushed the openpgpjs-v6 branch 2 times, most recently from 0571f71 to af77e43 Compare March 4, 2024 12:34
@larabr larabr force-pushed the openpgpjs-v6 branch 4 times, most recently from 7d94613 to 02e3c15 Compare March 13, 2024 14:32
@larabr larabr force-pushed the openpgpjs-v6 branch 3 times, most recently from 3445257 to eb8e9f6 Compare April 18, 2024 08:29
@larabr larabr force-pushed the openpgpjs-v6 branch 2 times, most recently from 53e68ef to 0d033a1 Compare May 17, 2024 15:33
@larabr
Upgrade to OpenPGP.js v6
cfd0370 
This commit only points to the new version, making sure the module and test compiles,
but makes no logic changes to e.g. add support to new key algos/formats.
@larabr
Drop BigInt fallback code
340a293 
OpenPGP.js v6 drops support for platforms without native BigInts
@larabr
Update ESLint and plugins, fix errors
5f892b2 
Adding support for TS v5.
@larabr
Fix/update compatibility test rejecting v6 keys
6f02480
@larabr
Test (temp, canary version only): guard against including sha3 in gen…
bc9bfb3 
…erated key prefs

OpenPGP.js v5 does not support sha3, so we should not include it in the key prefs
until the full v6 integration in the webapps and mobile.
@larabr
Align web-stream-tools version with OpenPGP.js, fix test-type-definit…
bffb3ff 
…ions

Also, rename `MaybeStream` to `MaybeWebStream` to help differentiate it from
`openpgpjs.MaybeStream`, which can also be a NodeStream.
@larabr
Do not automatically generate SEIPDv2 messages when encrypting to pub…
3ed72ad 
…lic keys (default to `config.ignoreSEIPDv2FeatureFlag: true`)

We want to avoid generating SEIPDv2 messages until support is rolled out to other platforms,
in case e.g. some users have already imported v4 keys with SEIPDv2 feature flags.

This change affects `encryptMessage` and `generateSessionKeys` when `encryptionKeys` are given
(rather than `passwords`).
@larabr
Run npm update
a4c2b7b
@larabr
8.0.0-canary.3.patch.0
ab2a71c
@larabr larabr force-pushed the openpgpjs-v6 branch 5 times, most recently from d449e8b to d4a1039 Compare October 24, 2024 17:59
@larabr
Test: expect SHA3 to be included in generated key prefs for v6
0016a46 
We still guard against inclusion for v4 keys, since not all clients support the algorithm
@larabr
checkKeyCompatibility: add v6 key support through new `v6KeysAllowe…
a2161b2 
…d` argument
@larabr larabr marked this pull request as ready for review November 6, 2024 21:33
@larabr
Set config.enableParsingV5Entities = true to log whether v5 keys ar…
d1cb40f 
…e being used at all

Through `checkKeyCompatibility` errors.
@larabr larabr force-pushed the openpgpjs-v6 branch 2 times, most recently from e595994 to 7919a1a Compare November 7, 2024 13:33
@larabr larabr force-pushed the openpgpjs-v6 branch 2 times, most recently from c22147b to 04ba4b2 Compare November 7, 2024 13:39
@larabr larabr requested a review from twiss November 7, 2024 13:41
@larabr larabr merged commit 7d12b22 into main Nov 7, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twiss twiss twiss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@larabr @twiss