Implement V5 keys and signatures (#58)

Add support for parsing and generating V5 keys, but still generate V4 keys by
default, and add a Config.V5Keys option to generate V5 keys.

Also, add support for the Issuer Fingerprint subpacket, and generate it for
all signatures (both V4 and V5).

Author: zugzwang

openpgp/ecdh/ecdh.go

@@ -126,7 +126,8 @@ func buildKey(pub *PublicKey, zb []byte, curveOID, fingerprint []byte, stripLead
 	if _, err := param.Write([]byte("Anonymous Sender    ")); err != nil {
 		return nil, err
 	}
-	if _, err := param.Write(fingerprint); err != nil {
+	// For v5 keys, the 20 leftmost octets of the fingerprint are used.
+	if _, err := param.Write(fingerprint[:20]); err != nil {
 		return nil, err
 	}
 	if param.Len() - len(curveOID) != 45 {

openpgp/integration_tests/end_to_end_test.go

@@ -153,15 +153,16 @@ func encDecTest(t *testing.T, from testVector, testVectors []testVector) {
 			pkTo := readArmoredPk(t, to.PublicKey)
 			skTo := readArmoredSk(t, to.PrivateKey, to.Password)
 			message := randMessage()
+			hints := randFileHints()
 
 			// Encrypt message
-			signed := skFrom[0]
-			errDec := signed.PrivateKey.Decrypt([]byte(from.Password))
+			signer := skFrom[0]
+			errDec := signer.PrivateKey.Decrypt([]byte(from.Password))
 			if errDec != nil {
 				t.Error(errDec)
 			}
 			buf := new(bytes.Buffer)
-			w, err := openpgp.Encrypt(buf, pkTo[:1], signed, nil, from.config)
+			w, err := openpgp.Encrypt(buf, pkTo[:1], signer, hints, from.config)
 			if err != nil {
 				t.Fatalf("Error in Encrypt: %s", err)
 			}
@@ -199,7 +200,7 @@ func encDecTest(t *testing.T, from testVector, testVectors []testVector) {
 			if !md.IsEncrypted {
 				t.Fatal("The message should be encrypted")
 			}
-			signKey, _ := signed.SigningKey(time.Now())
+			signKey, _ := signer.SigningKey(time.Now())
 			expectedKeyID := signKey.PublicKey.KeyId
 			if md.SignedByKeyId != expectedKeyID {
 				t.Fatalf(
@@ -227,7 +228,7 @@ func encDecTest(t *testing.T, from testVector, testVectors []testVector) {
 			}
 
 			if md.SignatureError != nil {
-				t.Errorf("Signature error: %s", md.SignatureError)
+				t.Fatalf("Signature error: %s", md.SignatureError)
 			}
 			if md.Signature == nil {
 				t.Error("Signature missing")
@@ -245,8 +246,7 @@ func signVerifyTest(
 	skFrom, pkFrom openpgp.EntityList,
 	binary bool,
 ) {
-	signed := skFrom[0]
-	if err := signed.PrivateKey.Decrypt([]byte(from.Password)); err != nil {
+	if err := skFrom[0].PrivateKey.Decrypt([]byte(from.Password)); err != nil {
 		t.Error(err)
 	}
 
@@ -268,9 +268,9 @@ func signVerifyTest(
 	buf := new(bytes.Buffer)
 	var errSign error
 	if binary {
-		errSign = openpgp.ArmoredDetachSign(buf, signed, message, nil)
+		errSign = openpgp.ArmoredDetachSign(buf, skFrom[0], message, nil)
 	} else {
-		errSign = openpgp.ArmoredDetachSignText(buf, signed, message, nil)
+		errSign = openpgp.ArmoredDetachSignText(buf, skFrom[0], message, nil)
 	}
 	if errSign != nil {
 		t.Error(errSign)
@@ -306,7 +306,7 @@ func signVerifyTest(
 		if otherSigner == nil {
 			t.Fatalf("signer is nil")
 		}
-		if otherSigner.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {
+		if otherSigner.PrimaryKey.KeyId != skFrom[0].PrimaryKey.KeyId {
 			t.Errorf(
 				"wrong signer got:%x want:%x", otherSigner.PrimaryKey.KeyId, 0)
 		}
@@ -322,17 +322,21 @@ func signVerifyTest(
 		t.Error(errSeek)
 	}
 
-	signer, err := openpgp.CheckArmoredDetachedSignature(
+	otherSigner, err = openpgp.CheckArmoredDetachedSignature(
 		pkFrom, message, signatureReader, nil)
 
 	if err != nil {
 		t.Fatalf("signature error: %s", err)
 	}
-	if signer == nil {
+	if otherSigner == nil {
 		t.Fatalf("signer is nil")
 	}
-	if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {
-		t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0)
+	if otherSigner.PrimaryKey.KeyId != skFrom[0].PrimaryKey.KeyId {
+		t.Errorf(
+			"wrong signer got:%x want:%x",
+			skFrom[0].PrimaryKey.KeyId,
+			skFrom[0].PrimaryKey.KeyId,
+		)
 	}
 }
 

openpgp/integration_tests/utils_test.go

@@ -1,18 +1,18 @@
 package integrationtests
 
 import (
-	"time"
 	"bytes"
 	"crypto"
 	"crypto/rand"
+	mathrand "math/rand"
+	"strings"
+	"time"
+
 	"golang.org/x/crypto/openpgp"
 	"golang.org/x/crypto/openpgp/armor"
 	"golang.org/x/crypto/openpgp/packet"
-	mathrand "math/rand"
-	"strings"
 )
 
-
 // This function produces random test vectors: generates keys according to the
 // given settings, associates a random message for each key. It returns the
 // test vectors.
@@ -24,9 +24,13 @@ func generateFreshTestVectors() (vectors []testVector, err error) {
 		name, email, comment, password, message := randEntityData()
 
 		// Only for verbose display
-		pkAlgoNames := map[packet.PublicKeyAlgorithm]string {
-			packet.PubKeyAlgoRSA: "rsa_fresh",
-			packet.PubKeyAlgoEdDSA: "ed25519_fresh",
+		v := "v4"
+		if config.V5Keys {
+			v = "v5"
+		}
+		pkAlgoNames := map[packet.PublicKeyAlgorithm]string{
+			packet.PubKeyAlgoRSA:   "rsa_" + v,
+			packet.PubKeyAlgoEdDSA: "ed25519_" + v,
 		}
 
 		newVector := testVector{
@@ -69,7 +73,6 @@ func generateFreshTestVectors() (vectors []testVector, err error) {
 		privateKey, _ := armorWithType(serialized, "PGP PRIVATE KEY BLOCK")
 		newVector.PrivateKey = privateKey
 		newVector.PublicKey, _ = publicKey(privateKey)
-
 		vectors = append(vectors, newVector)
 	}
 	return vectors, err
@@ -114,7 +117,7 @@ func publicKey(privateKey string) (string, error) {
 	return outString, nil
 }
 
-var runes = []rune("abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKMNOPQRSTUVWXYZ.:;?/!@#$%^&*{}[]_'\"-+~()<>")
+var runes = []rune("abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKMNOPQRSTUVWXYZ.@-_:;?/!#$%^&*{}[]'\"+~()<>")
 
 func randName() string {
 	firstName := make([]rune, 8)
@@ -132,6 +135,20 @@ func randName() string {
 	return string(firstName) + " " + string(lastName)
 }
 
+func randFileHints() *openpgp.FileHints {
+	fileNameRunes := runes[:66]
+	fileName := make([]rune, 1+mathrand.Intn(255))
+	for i := range fileName {
+		fileName[i] = fileNameRunes[mathrand.Intn(len(fileNameRunes))]
+	}
+
+	return &openpgp.FileHints{
+		IsBinary: mathrand.Intn(2) == 0,
+		FileName: string(fileName),
+		ModTime: time.Now(),
+	}
+}
+
 func randEmail() string {
 	address := make([]rune, 20)
 	addressRunes := runes[:38]
@@ -206,20 +223,20 @@ func randConfig() *packet.Config {
 	}
 	ciph := ciphers[mathrand.Intn(len(ciphers))]
 
-	compAlgos := []packet.CompressionAlgo {
+	compAlgos := []packet.CompressionAlgo{
 		packet.CompressionNone,
 		packet.CompressionZIP,
 		packet.CompressionZLIB,
 	}
 	compAlgo := compAlgos[mathrand.Intn(len(compAlgos))]
 
-	pkAlgos := []packet.PublicKeyAlgorithm {
+	pkAlgos := []packet.PublicKeyAlgorithm{
 		packet.PubKeyAlgoRSA,
 		packet.PubKeyAlgoEdDSA,
 	}
 	pkAlgo := pkAlgos[mathrand.Intn(len(pkAlgos))]
 
-	aeadModes := []packet.AEADMode {
+	aeadModes := []packet.AEADMode{
 		packet.AEADModeEAX,
 		packet.AEADModeOCB,
 		packet.AEADModeExperimentalGCM,
@@ -242,18 +259,24 @@ func randConfig() *packet.Config {
 		}
 	}
 
-	level := mathrand.Intn(11)-1
+	level := mathrand.Intn(11) - 1
 	compConf := &packet.CompressionConfig{level}
 
+	var v5 bool
+	if mathrand.Int()%2 == 0 {
+		v5 = true
+	}
+
 	return &packet.Config{
-		Rand: rand.Reader,
-		DefaultHash: hash,
-		DefaultCipher: ciph,
+		V5Keys:                 v5,
+		Rand:                   rand.Reader,
+		DefaultHash:            hash,
+		DefaultCipher:          ciph,
 		DefaultCompressionAlgo: compAlgo,
-		CompressionConfig: compConf,
-		S2KCount: 1024 + mathrand.Intn(65010689),
-		RSABits: rsaBits,
-		Algorithm: pkAlgo,
-		AEADConfig: &aeadConf,
+		CompressionConfig:      compConf,
+		S2KCount:               1024 + mathrand.Intn(65010689),
+		RSABits:                rsaBits,
+		Algorithm:              pkAlgo,
+		AEADConfig:             &aeadConf,
 	}
 }

openpgp/key_generation.go

@@ -34,20 +34,26 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
 		return nil, err
 	}
 	primary := packet.NewSignerPrivateKey(creationTime, primaryPrivRaw)
+	if config != nil && config.V5Keys {
+		primary.UpgradeToV5()
+	}
 
 	isPrimaryId := true
 	selfSignature := &packet.Signature{
-		SigType:      packet.SigTypePositiveCert,
-		PubKeyAlgo:   primary.PublicKey.PubKeyAlgo,
-		Hash:         config.Hash(),
-		CreationTime: creationTime,
-		IssuerKeyId:  &primary.PublicKey.KeyId,
-		IsPrimaryId:  &isPrimaryId,
-		FlagsValid:   true,
-		FlagSign:     true,
-		FlagCertify:  true,
-		MDC:          true, // true by default, see 5.8 vs. 5.14
-		AEAD:         config.AEAD() != nil,
+		Version:           primary.PublicKey.Version,
+		SigType:           packet.SigTypePositiveCert,
+		PubKeyAlgo:        primary.PublicKey.PubKeyAlgo,
+		Hash:              config.Hash(),
+		CreationTime:      creationTime,
+		IssuerKeyId:       &primary.PublicKey.KeyId,
+		IssuerFingerprint: primary.PublicKey.Fingerprint,
+		IsPrimaryId:       &isPrimaryId,
+		FlagsValid:        true,
+		FlagSign:          true,
+		FlagCertify:       true,
+		MDC:               true, // true by default, see 5.8 vs. 5.14
+		AEAD:              config.AEAD() != nil,
+		V5Keys:            config != nil && config.V5Keys,
 	}
 
 	// Set the PreferredHash for the SelfSignature from the packet.Config.
@@ -83,11 +89,15 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
 	sub := packet.NewDecrypterPrivateKey(creationTime, subPrivRaw)
 	sub.IsSubkey = true
 	sub.PublicKey.IsSubkey = true
+	if config != nil && config.V5Keys {
+		sub.UpgradeToV5()
+	}
 
 	subKey := Subkey{
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
 		Sig: &packet.Signature{
+			Version:                   primary.PublicKey.Version,
 			CreationTime:              creationTime,
 			SigType:                   packet.SigTypeSubkeyBinding,
 			PubKeyAlgo:                primary.PublicKey.PubKeyAlgo,
@@ -136,6 +146,7 @@ func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
 		Sig: &packet.Signature{
+			Version:         e.PrimaryKey.Version,
 			CreationTime:    creationTime,
 			KeyLifetimeSecs: &keyLifetimeSecs,
 			SigType:         packet.SigTypeSubkeyBinding,
@@ -145,6 +156,7 @@ func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 			FlagSign:        true,
 			IssuerKeyId:     &e.PrimaryKey.KeyId,
 			EmbeddedSignature: &packet.Signature{
+				Version:      e.PrimaryKey.Version,
 				CreationTime: creationTime,
 				SigType:      packet.SigTypePrimaryKeyBinding,
 				PubKeyAlgo:   sub.PublicKey.PubKeyAlgo,
@@ -153,6 +165,9 @@ func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 			},
 		},
 	}
+	if config != nil && config.V5Keys {
+		subkey.PublicKey.UpgradeToV5()
+	}
 
 	err = subkey.Sig.EmbeddedSignature.CrossSignKey(subkey.PublicKey, e.PrimaryKey, subkey.PrivateKey, config)
 	if err != nil {
@@ -185,6 +200,7 @@ func (e *Entity) AddEncryptionSubkey(config *packet.Config) error {
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
 		Sig: &packet.Signature{
+			Version:                   e.PrimaryKey.Version,
 			CreationTime:              creationTime,
 			KeyLifetimeSecs:           &keyLifetimeSecs,
 			SigType:                   packet.SigTypeSubkeyBinding,
@@ -196,6 +212,9 @@ func (e *Entity) AddEncryptionSubkey(config *packet.Config) error {
 			IssuerKeyId:               &e.PrimaryKey.KeyId,
 		},
 	}
+	if config != nil && config.V5Keys {
+		subkey.PublicKey.UpgradeToV5()
+	}
 
 	subkey.PublicKey.IsSubkey = true
 	subkey.PrivateKey.IsSubkey = true

openpgp/keys.go

@@ -420,7 +420,7 @@ func addUserID(e *Entity, packets *packet.Reader, pkt *packet.UserId) error {
 			break
 		}
 
-		if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
+		if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.CheckKeyIdOrFingerprint(e.PrimaryKey) {
 			if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
 				return errors.StructuralError("user ID self-signature invalid: " + err.Error())
 			}
@@ -468,7 +468,6 @@ func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *p
 		case packet.SigTypeSubkeyRevocation:
 			subKey.Sig = sig
 		case packet.SigTypeSubkeyBinding:
-
 			if shouldReplaceSubkeySig(subKey.Sig, sig) {
 				subKey.Sig = sig
 			}
@@ -620,6 +619,7 @@ func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Co
 	}
 
 	sig := &packet.Signature{
+		Version:      signer.PrivateKey.Version,
 		SigType:      packet.SigTypeGenericCert,
 		PubKeyAlgo:   signer.PrivateKey.PubKeyAlgo,
 		Hash:         config.Hash(),
@@ -639,6 +639,7 @@ func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Co
 func (e *Entity) RevokeKey(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error {
 	reasonCode := uint8(reason)
 	revSig := &packet.Signature{
+		Version:              e.PrimaryKey.Version,
 		CreationTime:         config.Now(),
 		SigType:              packet.SigTypeKeyRevocation,
 		PubKeyAlgo:           packet.PubKeyAlgoRSA,
@@ -665,6 +666,7 @@ func (e *Entity) RevokeSubkey(sk *Subkey, reason packet.ReasonForRevocation, rea
 
 	reasonCode := uint8(reason)
 	revSig := &packet.Signature{
+		Version:              e.PrimaryKey.Version,
 		CreationTime:         config.Now(),
 		SigType:              packet.SigTypeSubkeyRevocation,
 		PubKeyAlgo:           packet.PubKeyAlgoRSA,

openpgp/keys_test.go

@@ -965,7 +965,7 @@ func TestRevokeSubkeyWithInvalidSignature(t *testing.T) {
 	}
 
 	sk := entity.Subkeys[0]
-	sk.Sig = &packet.Signature{}
+	sk.Sig = &packet.Signature{Version: 4}
 
 	err = entity.RevokeSubkey(&sk, packet.NoReason, "Key revocation", nil)
 	if err == nil {