v6.0.0-beta.3.patch.1

What's Changed

Revert to not using the WebCrypto for X25519 (reverting part of #1782): due to missing support in WebKit and Chrome (without experimental flags), and issues in Firefox v130+ (resulting in errors on decryption and key generation), for now we go back to using a JS implementation.
NB: this change only affects encryption and decryption using X25519. For signing and verification using Ed25519 we keep relying on
WebCrypto when available (namely in WebKit, Firefox, and Node).

Full Changelog: v6.0.0-beta.3.patch.0...v6.0.0-beta.3.patch.1

For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

v6.0.0-beta.3.patch.0

What's Changed

This patch fixes a minor regression in x25519 (legacy) key generation, introduced in v6.0.0.-beta.3 following the changes in #1782, as the spec requires that legacy x25519 keys should store the secret scalar already clamped.
Keys generated using v6.0.0-beta.3 are still expected to be functional, since the scalar is to be clamped before computing the ECDH shared secret.

Full Changelog: v6.0.0-beta.3...v6.0.0-beta.3.patch.0

For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

v6.0.0-beta.3

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Breaking changes:

• PrivateKey.getDecryptionKeys will now throw if no decryption key is found (#1789). Previously, an empty array was returned. As a consequence of this change, some openpgp.decrypt errors will be more specific.

Main non-breaking changes:

• Use WebCrypto for ed25519 and x25519 when available (#1782)
• Try more AEAD ciphersuites for SEIPDv2 (#1781)
• Drop asmcrypto.js for AES fallbacks in favor of noble-ciphers (#1785)

Full Changelog: v6.0.0-beta.2...v6.0.0-beta.3

v6.0.0-beta.2

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Breaking changes:

• Fix ECDH encryption when using v6 keys (#1771): messages encrypted by OpenPGP.js v6 (up to beta.1) using v6 keys of type 'ecc', are not compliant with the crypto-refresh and will fail to decrypt in libraries other than OpenPGP.js v6 (up to beta.1) and gopenpgp v3. For a message to be affected, it must have been encrypted with keys generated using the config.v6Keys option, and manually setting type: 'ecc' and curve to a NIST or Brainpool curve option. x25519/x448 keys are not affected.

• Delay checking unknown critical signature subpackets (#1766): throw when verifying signatures with unknown critical subpackets, instead of when parsing them.

• Disallow using forbidden S2K modes (#1777)

• Disable support for parsing v5 entities by default (add config.enableParsingV5Entities) (#1774 and #1779)

• Fix legacy AEAD secret key encryption of v5 keys (#1775)

Main non-breaking changes:

• Use preferred AEAD mode for secret key encryption (#1776): previously, EAX mode was always used.
• openpgp.verify: fix bug preventing verification of detached signatures over streamed data (#1762)
• Better error messages for unexpected ECDSA, EdDSALegacy, ECDH param encodings in keys and PKESK (#1756)

Full Changelog: v6.0.0-beta.1...v6.0.0-beta.2

v5.11.2

What's Changed

• openpgp.verify: fix bug preventing verification of detached signatures over streamed data (#1762)

Full Changelog: v5.11.1...v5.11.2

v6.0.0-beta.1

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Breaking changes:

• Drop support for browsers without native BigInts (e.g. Safari <14) (#1754)
• read[Private]Key: support parsing key blocks (return first parsable key); previously, parsing would fail if a block with more than one key was given in input (#1755)

Full Changelog: v6.0.0-beta.0...v6.0.0-beta.1

v6.0.0-beta.0

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Breaking changes:

• Fix wrong serialization of PKESK v6 for x25519/x448 (#1734): invalid encrypted messages are generated by the alpha releases of OpenPGP.js v6 when using encryption keys of algorithms enums.publicKey.x25519/x448 with SEIPDv2 feature flag.
  Such encryption keys could be generated by OpenPGP.js v6 (but not by older versions) via generateKey by:

  • enabling config.aeadProtect (off by default) and
  • requesting type: 'curve448'|'curve25519' (which is the default only if config.v6Keys: true).
    The affected messages will fail to parse and decrypt in OpenPGP.js v6.0.0-beta.0+ as well as in other OpenPGP libraries.

• Drop config.revocationsExpire, always honour revocation expiration (#1736): the option used to default to false, and ignore revocation expirations. We now honour those expirations, namely match the behaviour resulting from setting the option to true.

• Add back armor checksum for non-v6 artifacts (#1741): the change is needed to work around a GnuPG decoding bug affecting some messages without the checksum. It causes a breaking change, limited to openpgp.armor, which takes an additional emitChecksum argument (defaults to false).

Main non-breaking changes:

• Randomise v4 and v5 signatures via custom notation (#1737): while this notation solution is interoperable, it will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases. For this reason, the option config.nonDeterministicSignaturesViaNotation (defaulting to true) has been added to turn off the feature.

• Fix email address validity check to still allow unicode values, and further relax constraints (#1739): this follows up to a change made in v6.0.0-alpha.1; previous versions already accepted unicode values.

Full Changelog: v6.0.0-alpha.1...v6.0.0-beta.0

v6.0.0-alpha.1

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Main non-breaking changes:

• Add config.parseAEADEncryptedV4KeysAsLegacy to support decrypting AEAD-encrypted v4 keys from OpenPGP.js v5 or older (#1672)
• Skip key validation for keys encrypted with non-legacy AEAD mechanism (#1713)
• Add sha3_256 and sha3_512 to preferred algorithms in newly generated keys (#1696)
• Relax constraints for UserID email address validity, to accept domains such as @localhost (#1641)
• Use WebCrypto for AES-KW, drop AES_ECB dependency (#1724)
• Use the Compression Stream API when available (#1717)
• Import legacy ciphers (CAST5, TwoFish, BlowFish, DES) only on demand, to optimise lightweight build (#1723)
• Node: drop asn1.js dependency (#1722)

Breaking changes:

• Throw if WebCrypto API is not available (before, it was already required, but it would not cause issues with operations that did not rely on it, such as RSA encryption)
• Drop support for native Node Readable stream: require passing Node Web Streams (#1716). Utils to convert from and to Web Streams in Node are available from v17.
• Ensure primary key meets strength and algo requirements when encrypting/verifying/signing using subkeys (#1719)
• Rename NIST curves to disambiguate the names with the Brainpool curves (#1721).:
  • the identifiers enums.curve.p256, .p384, .p521 are now marked as @deprecated (to be dropped in the main release)
  • the new identifiers are, respectively: enums.curve.nistP256, .nistP384, .nistP521.
  • the corresponding values have been changed from 'p256','p384','p521' to 'nistP256', 'nistP384', 'nistP521' (these new values are expected by generateKey, for the options.curve argument).
• Remove config.deflateLevel (#1717)

Full Changelog: v6.0.0-alpha.0...v6.0.0-alpha.1

v5.11.1

What's Changed

• Patch for Node v18.19.1+, 20.11.1+ and 21.6.2+: use JS fallback code for RSA decryption on Node when PKCS#1 is not supported (see #1728).

Full Changelog: v5.11.0...v5.11.1

v6.0.0-alpha.0

What's Changed

OpenPGP.js v6 includes only minor API changes while adding full support for the OpenPGP crypto refresh.

Main non-breaking changes:

• Implement crypto refresh features (some behind flags, given the limited ecosystem support):
  • Add support for v6 keys, signatures and encrypted-session keys & more (behind feature flag openpgp.config.v6Keys)
  • Add support for AEAD-protected encrypted messages (new format, behind feature flag openpgp.config.aeadProtect)
  • Add support for Argon2 (#1597) (since WASM is used, it might require specific configurations in web apps, see note under "Breaking changes" below)
  • Add support for Ed448 & X448 (#1676)
  • Add support for generating Ed25519 & X25519 keys in new format (#1676, following up to #1620)
• Drop elliptic.js in favor of noble-curves (#1694)
• Add support for SHA3 (#1680)

Breaking changes:

• Drop support for Node 14 (EOL end of April '23)
• The library is now declared as a module, and declares exports, alongside the legacy package.json entrypoints, which should ensure backwards compatibility. Still, bundlers might be affected by the package.json changes depending on how they load the library.
• Remove embedded Web Streams ponyfill, since it's now supported in all browsers (applications can load a polyfill themselves instead, if they need to support older browser versions: see README).
• The crypto refresh has updated parts of the draft RFC4880bis as implemented by OpenPGP.js v4 and v5. Related changes in v6 are:
  • Drop config.v5Keys flag and corresponding key generation. The flag is replaced by .v6Keys, and results in a different key format.
  • Keys generated without .v5Keys flag and encrypted with config.aeadProtect = true cannot be decrypted by OpenPGP.js v6 out-of-the-box. Support for decrypting these keys will be added in the next v6 prerelease (see #1672).
  • The config.aeadProtect flag has a different effect than in v5:
    • for private keys, a new encryption mechanism is used;
    • for password-encrypted messages, a new message format is used;
    • when encrypting messages to public keys, the flag is ignored (see #1678).
• Argon2 relies on a WASM module, thus web apps might need to make changes to their CSP policy in order to use the feature. Alternatively, since the Argon2 WASM module is only loaded if needed, apps can manually reject password-encrypted messages and private keys which use Argon2 by checking e.g. SymEncryptedSessionKeyPacket.s2k?.type === 'argon2' or SecretKeyPacket|SecretSubkeyPacket.keyPacket.s2k?.type === 'argon2'.
• Refuse to use keys without key flags, but add config.allowMissingKeyFlags to bypass the check if needed (see #1677)
• Drop config.minBytesForWebCrypto, and always use WebCrypto if available, since there is no longer a performance overhead for small messages.
• Rename EdDSA-related enums following the standardisation of new key formats:
  • Drop enums.publicKey.eddsa in favour of enums.publicKey.eddsaLegacy
  • Rename string value of enums.curve.ed25519Legacy to 'ed25519Legacy' (was: 'ed25519')
  • Rename string value of enums.curve.curve25519Legacy to 'curve25519Legacy' (was: 'curve25519')
• Rename config.useIndutnyElliptic to .useEllipticFallback, to reflect the change of underlying library.
• Remove enums.symmetric.plaintext (internally unused)

Full Changelog: v5.11.0...v6.0.0-alpha.0