This eslint version brings breaking changes related to the eslint config.
eslint-airbnb-config has yet to release a compatible version with the
new format, and it generally looks unmaintained, hence we drop the dependency
in favor of the built-in recommended configs.
Every submodule under the 'crypto' directory was exported-imported
even if a handful of functions where actually needed.
We now only export entire modules behind default exports if it makes
sense for readability and if the different submodules would be
imported together anyway (e.g. `cipherMode` exports are all needed
by the SEIPD class).
We've also dropped exports that are not used outside of the crypto modules,
e.g. pkcs5 helpers.
We now throw on unexpected leading byte.
This change is primarily intended to help with debugging, in case of malformed params.
In fact, in case of wrong point size, the operations would already fail anyway,
just in lower-level functions.
Remove BN.js fallback, and only keep native BigInteger interface
(for algorithmic constant-time functions).
Also, add support for TS modules, to move some over from the forked
noble repos.
asn1.js is a fairly large lib and was simply needed to handle DER encodings in
some NodeCrypto operations.
This change replaces the dependency by moving to:
- JWT encoding for RSA (support added in Node v15)
- a much lighter dependency (eckey-utils) for ECDSA, where JWT cannot be used
for now, as Node has yet to add decoding support for Brainpool curves.
The change also allows us to drop BN.js as a direct dependency, optimising the
BigInteger-related chunking in the lightweight build.
This is a breaking change, as NIST curves identifiers and values in
`enums.curves` have been renamed:
- the identifiers `enums.curve.p256`, `.p384`, `.p521` are now marked as
`@deprecated`
- the new identifiers are, respectively: `enums.curve.nistP256`, `.nistP384`,
`.nistP521`.
- the corresponding values have been changed from `'p256'`,`'p384'`,`'p521'` to
`'nistP256'`, `'nistP384'`, `'nistP521'`.
Affected high-level API functions:
- in `generateKey`, the `options.curve` argument will expect the updated string
values
- `Key.getAlgorithmInfo()` will return the updated `curve` values
This primarily affects the lightweight build, which will not include these
(fairly large) libs in the main bundle file. This allows fetching their code only if required:
- Noble-curves is only needed for curves other than curve25519.
- Noble-hashes is needed for streamed hashing and e.g. SHA3 on web.
- BN.js is used by the above libs, and it's also separately needed for platforms
without native BigInt support.
At some point we used to generate invalid ECDSA sigs with the js (non-native) elliptic lib,
if the signature digest had leading zeros: https://github.com/openpgpjs/openpgpjs/pull/948 .
Brainpool curves are the most likely to have been affected by the bug, since they do not
have WebCrypto support (unlike NIST curves).
This commit reintroduces support on web to verify such invalid signatures
(support for this was previously built-in in the indutny-elliptic library).
It also expands the fix to work in Node.
Unlike elliptic, noble-curves targets algorithmic constant time, and
it relies on the native BigInts when available, resulting in a smaller bundle
and improved performance.
Also, expand testing of fallback elliptic implementation.
Mocha v10 requires the lib to be esm compliant.
ESM mandates the use of file extensions in imports, so to minimize the
changes (for now), we rely on the flag `experimental-specifier-resolution=node`
and on `ts-node` (needed only for Node 20).
Breaking changes:
downstream bundlers might be affected by the package.json changes depending on
how they load the library.
NB: legacy package.json entrypoints are still available.
The changes do not affect the public API:
`RandomBuffer` was used internally for secure randomness generation before
`crypto.getRandomValues` was made available to WebWorkers, requiring
generating randomness in the main thread.
As a result of the change, the internal `getRandomBytes()` and some functions
that use it are no longer async.
- Make fingerprint and key ID computation async, and rely on Web Crypto
for hashing if available
- Always set fingerprint and keyID on key parsing / generation
- Introduce `*KeyPacket.computeFingerprint()` and
`*KeyPacket.computeFingerprintAndKeyID()`
- Change `getKeyID` and `getFingerprint*` functions to return the
pre-computed key ID and fingerprint, respectively
- Make `PublicKeyPacket.read` async
- Use PascalCase for classes, with uppercase acronyms.
- Use camelCase for function and variables. First word/acronym is always
lowercase, otherwise acronyms are uppercase.
Also, make the packet classes' `tag` properties `static`.
- Store private and public params separately and by name in objects,
instead of as an array
- Do not keep params in MPI form, but convert them to Uint8Arrays when
generating/parsing the key
- Modify low-level crypto functions to always accept and return
Uint8Arrays instead of BigIntegers
- Move PKCS1 padding to lower level functions
In the lightweight build, lazily load bn.js only when necessary.
Also, use Uint8Arrays instead of strings in PKCS1 padding functions, and
check that the leading zero is present when decoding EME-PKCS1 padding.
Use `key.keyPacket.validate` instead of `crypto.publicKey.validateParams`, see
https://github.com/openpgpjs/openpgpjs/pull/1116#discussion_r447781386.
Also, `key.decrypt` now only throws on error, no other value is returned.
Also, fix typo (rebase error) that caused tests to fail in Safari for p521.
Also, when generating RSA keys in JS, generate them with p < q, as per
the spec.
Also, when generating RSA keys using Web Crypto or Node crypto, swap the
generated p and q around, so that will satisfy p < q in most browsers
(but not old Microsoft Edge, 50% of the time) and so that we can use the
generated u coefficient (p^-1 mod q in OpenPGP, q^-1 mod p in RFC3447).
Then, when signing and verifying, swap p and q again, so that the key
hopefully satisfies Safari's requirement that p > q, and so that we can
keep using u again.
This PR adds four config options to configure whether and how to load
indutny/elliptic: use_indutny_elliptic, external_indutny_elliptic,
indutny_elliptic_path and indutny_elliptic_fetch_options.
Also:
- Use tweetnacl.js instead of indutny/elliptic for curve25519 key generation
- Don't initialize indutny's curve25519, improving performance when using that curve
- Verify NIST signatures using Web Crypto instead of indutny/elliptic when not streaming
- Move KeyPair.sign/verify to ecdsa.js
- Move KeyPair.derive to ecdh.js
- Move keyFromPrivate and keyFromPublic to a new indutnyKey.js file
* Various FIXME tags are removed
* In curve.js:
- webCrypto/nodeCrypto fallback bug is fixed
- Curve25519 has keyType ecdsa (won't be used for signing, but technically can be)
- webGenKeyPair is simplifed
* In base64.js:
- documentation added and arguments simplified
* In ecdsa.js and eddsa.js:
- hash_algo is now at least as strong as the default curve hash
- simplified the code by moving webSign/nodeSign and webVerify/nodeVerify to live in key.js (ht @ismaelbej)
* In message.js:
- in decryptSessionKey, loops break once a key packet is decrypted
* In key.js:
- getPreferredHashAlgorithm returns the best hash algorithm
- enums are used for curve selection
