OpenPGP v6 Implementation

[vanitasvitae]

This issue is to track the status of implementation support for OpenPGP v6.
The latest specification draft crypto-refresh-09 provides the following section to help guide implementers:

---

This subsection offers a concise, non-normative summary of the substantial additions to and departures from [RFC4880] and [RFC6637]. It is intended to help implementers who are augmenting an existing implementation from those standards to this standard. Cryptographic algorithms marked with an asterisk (*) are mandatory to implement.

Public Key signing algorithms:

• * Ed25519 (Section 5.5.5.9 and Section 5.2.3.4): OpenPGP v6 elliptic curve key formats #1411
• Ed448 (Section 5.5.5.10 and Section 5.2.3.5): OpenPGP v6 elliptic curve key formats #1411
• EdDSALegacy with Ed25519Legacy (Section 5.5.5.5 and Section 5.2.3.3)
• ECDSA with Brainpool curves (Section 9.2)

Public Key encryption algorithms:

• * X25519 (Section 5.5.5.7 and Section 5.1.6): OpenPGP v6 elliptic curve key formats #1411
• X448 (Section 5.5.5.8 and Section 5.1.7): OpenPGP v6 elliptic curve key formats #1411
• ECDH with Curve25519Legacy (Section 9.2)
• ECDH with Brainpool curves (Section 9.2)

AEAD Encryption:

• Version 2 SEIPD (Section 5.13.2):
  • SKESKv6+SEIPDv2: Add support for AEAD encryption via SEIPD-v2 and SKESK-v6 #1346
  • PKESKv6+SEIPDv2

AEAD modes:

• * OCB mode (Section 5.13.4): Support AEAD encryption for OpenPGP #1140, Add support for AEAD encryption via SEIPD-v2 and SKESK-v6 #1346
• EAX mode (Section 5.13.3): Support AEAD encryption for OpenPGP #1140, Add support for AEAD encryption via SEIPD-v2 and SKESK-v6 #1346
• GCM mode (Section 5.13.5): Support AEAD encryption for OpenPGP #1140, Add support for AEAD encryption via SEIPD-v2 and SKESK-v6 #1346
• Version 6 PKESK (Section 5.1.2): Backport latest changes to the PKESK v6 packet #1412
• Version 6 SKESK (Section 5.3.2): Add support for AEAD encryption via SEIPD-v2 and SKESK-v6 #1346
• Features subpacket: add flag for SEIPDv2 (Section 5.2.3.32): OpenPGP: add feature FEATURE_SEIPD_V2 #1398
• Subpacket: Preferred AEAD Ciphersuites (Section 5.2.3.15): Add support for crypto-refresh style PreferredAEADCiphersuites signat… #1410
• Secret key encryption: AEAD "S2K usage octet" (Section 3.7.2 and Section 5.5.3)

Version 6 Keys and Signatures:

• Version 6 Public keys (Section 5.5.2.3): OpenPGP v6 elliptic curve key formats #1411, Properly parse v6 secret keys and implement unlocking AEAD protected keys #1427
• Version 6 Fingerprint and Key ID (Section 5.5.4.3): V6 fingerprint calculation #1413
• Version 6 Secret keys (Section 5.5.3): OpenPGP v6 elliptic curve key formats #1411, Properly parse v6 secret keys and implement unlocking AEAD protected keys #1427
• Version 6 Signatures (Section 5.2.3): OpenPGP: Support for parsing v6 Signatures #1409
• Version 6 One-Pass Signatures (Section 5.4): OpenPGP: Support for parsing v6 Signatures #1409

Certificate (Transferable Public Key) Structure:

• Preferences subpackets in Direct-Key Signatures (Section 5.2.3.10)
• Self-verifying revocation certificate (Section 10.1.2)
• User ID is explicitly optional (Section 10.1.1): Create PGPKeyRingGenerator constructor for key rings without user-id #1055
• S2K: Argon2 (Section 3.7.1.4): Implement Argon2 S2K mechanism #1132
• Subpacket: Intended Recipient Fingerprint (Section 5.2.3.36)
• Digest algorithms: SHA3-256 and SHA3-512 (Section 9.5): Add missing SHA3 digests to BcImplProvider.createDigest() #1219
• Packet: Padding (Section 5.14): Add support for AEAD encryption via SEIPD-v2 and SKESK-v6 #1346
• Message structure: Packet Criticality (Section 4.3.1): Implement OpenPGP Packet Criticality #1422

Deprecations:

Public Key Algorithms:

• Avoid RSA weak keys (Section 12.4)
• Avoid DSA (Section 12.5)
• Avoid ElGamal (Section 12.6, Section 5.1.4)
• For Version 6 Keys: Avoid EdDSA25519Legacy, Curve25519Legacy (Section 9.2)

Digest Algorithms:

• Avoid MD5, SHA1, RIPEMD160 (Section 9.5)

Symmetric Key Algorithms:

• Avoid IDEA, TripleDES, CAST5 (Section 9.3)

S2K Specifier:

• Avoid Simple S2K (Section 3.7.1.1)

Secret Key protections (a.k.a. S2K Usage):

• Avoid MalleableCFB (Section 3.7.2.1)

Packet Types:

• Avoid Symmetrically-Encrypted Data (Section 5.7, Section 13.7): OpenPGP: Switch on integrity protection by default #1406

Literal Data packet metadata:

• Avoid Filename and Date fields (Section 5.9)
• Avoid Special _CONSOLE "filename" (Section 5.9.1)

Packet Versions:

• Avoid Version 3 Public Keys (Section 5.5.2.1)
• Avoid Version 3 Signatures (Section 5.2)

Signature Types:

• Avoid Reserved Signature Type 0xFF (Section 5.2.1.16, Section 5.2.4.1)

Signature Subpackets:

• For Version 6 Signatures: Avoid Issuer Key ID (Section 5.2.3.12)
• Avoid Revocation Key (Section 5.2.3.23)

ASCII Armor:

• Ignore, do not emit CRC (Section 6.1): ArmoredInputStream: Make CRC calculation optional #1423
• Do not emit "Version" armor header (Section 6.2.2.1): ArmoredOutputStream: Do not include a Version: header by default #1424

Cleartext Signature Framework:

• Ignore, avoid emitting unnecessary Hash: headers (Section 6.2.2.3)

[vanitasvitae]

While #1411 added very some support for parsing v6 public keys, as well as parser support for Ed448/Ed25519, X448/X25519 key packets, it did not yet add support for actually generating v6 keys. Also, support for advanced parsing of v6 public keys, as well as basic parsing of v6 secret key packets is still not implemented.

Especially the new S2K AEAD mode is missing. I'm working on another patch.