forked from toolshed/abra
chore: make deps, go mod vendor
This commit is contained in:
170
vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
generated
vendored
170
vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
generated
vendored
@ -14,6 +14,34 @@ import (
|
||||
"github.com/ProtonMail/go-crypto/openpgp/s2k"
|
||||
)
|
||||
|
||||
var (
|
||||
defaultRejectPublicKeyAlgorithms = map[PublicKeyAlgorithm]bool{
|
||||
PubKeyAlgoElGamal: true,
|
||||
PubKeyAlgoDSA: true,
|
||||
}
|
||||
defaultRejectHashAlgorithms = map[crypto.Hash]bool{
|
||||
crypto.MD5: true,
|
||||
crypto.RIPEMD160: true,
|
||||
}
|
||||
defaultRejectMessageHashAlgorithms = map[crypto.Hash]bool{
|
||||
crypto.SHA1: true,
|
||||
crypto.MD5: true,
|
||||
crypto.RIPEMD160: true,
|
||||
}
|
||||
defaultRejectCurves = map[Curve]bool{
|
||||
CurveSecP256k1: true,
|
||||
}
|
||||
)
|
||||
|
||||
// A global feature flag to indicate v5 support.
|
||||
// Can be set via a build tag, e.g.: `go build -tags v5 ./...`
|
||||
// If the build tag is missing config_v5.go will set it to true.
|
||||
//
|
||||
// Disables parsing of v5 keys and v5 signatures.
|
||||
// These are non-standard entities, which in the crypto-refresh have been superseded
|
||||
// by v6 keys, v6 signatures and SEIPDv2 encrypted data, respectively.
|
||||
var V5Disabled = false
|
||||
|
||||
// Config collects a number of parameters along with sensible defaults.
|
||||
// A nil *Config is valid and results in all default values.
|
||||
type Config struct {
|
||||
@ -73,9 +101,16 @@ type Config struct {
|
||||
// **Note: using this option may break compatibility with other OpenPGP
|
||||
// implementations, as well as future versions of this library.**
|
||||
AEADConfig *AEADConfig
|
||||
// V5Keys configures version 5 key generation. If false, this package still
|
||||
// supports version 5 keys, but produces version 4 keys.
|
||||
V5Keys bool
|
||||
// V6Keys configures version 6 key generation. If false, this package still
|
||||
// supports version 6 keys, but produces version 4 keys.
|
||||
V6Keys bool
|
||||
// Minimum RSA key size allowed for key generation and message signing, verification and encryption.
|
||||
MinRSABits uint16
|
||||
// Reject insecure algorithms, only works with v2 api
|
||||
RejectPublicKeyAlgorithms map[PublicKeyAlgorithm]bool
|
||||
RejectHashAlgorithms map[crypto.Hash]bool
|
||||
RejectMessageHashAlgorithms map[crypto.Hash]bool
|
||||
RejectCurves map[Curve]bool
|
||||
// "The validity period of the key. This is the number of seconds after
|
||||
// the key creation time that the key expires. If this is not present
|
||||
// or has a value of zero, the key never expires. This is found only on
|
||||
@ -104,12 +139,40 @@ type Config struct {
|
||||
// might be no other way than to tolerate the missing MDC. Setting this flag, allows this
|
||||
// mode of operation. It should be considered a measure of last resort.
|
||||
InsecureAllowUnauthenticatedMessages bool
|
||||
// InsecureAllowDecryptionWithSigningKeys allows decryption with keys marked as signing keys in the v2 API.
|
||||
// This setting is potentially insecure, but it is needed as some libraries
|
||||
// ignored key flags when selecting a key for encryption.
|
||||
// Not relevant for the v1 API, as all keys were allowed in decryption.
|
||||
InsecureAllowDecryptionWithSigningKeys bool
|
||||
// KnownNotations is a map of Notation Data names to bools, which controls
|
||||
// the notation names that are allowed to be present in critical Notation Data
|
||||
// signature subpackets.
|
||||
KnownNotations map[string]bool
|
||||
// SignatureNotations is a list of Notations to be added to any signatures.
|
||||
SignatureNotations []*Notation
|
||||
// CheckIntendedRecipients controls, whether the OpenPGP Intended Recipient Fingerprint feature
|
||||
// should be enabled for encryption and decryption.
|
||||
// (See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-intended-recipient-fingerpr).
|
||||
// When the flag is set, encryption produces Intended Recipient Fingerprint signature sub-packets and decryption
|
||||
// checks whether the key it was encrypted to is one of the included fingerprints in the signature.
|
||||
// If the flag is disabled, no Intended Recipient Fingerprint sub-packets are created or checked.
|
||||
// The default behavior, when the config or flag is nil, is to enable the feature.
|
||||
CheckIntendedRecipients *bool
|
||||
// CacheSessionKey controls if decryption should return the session key used for decryption.
|
||||
// If the flag is set, the session key is cached in the message details struct.
|
||||
CacheSessionKey bool
|
||||
// CheckPacketSequence is a flag that controls if the pgp message reader should strictly check
|
||||
// that the packet sequence conforms with the grammar mandated by rfc4880.
|
||||
// The default behavior, when the config or flag is nil, is to check the packet sequence.
|
||||
CheckPacketSequence *bool
|
||||
// NonDeterministicSignaturesViaNotation is a flag to enable randomization of signatures.
|
||||
// If true, a salt notation is used to randomize signatures generated by v4 and v5 keys
|
||||
// (v6 signatures are always non-deterministic, by design).
|
||||
// This protects EdDSA signatures from potentially leaking the secret key in case of faults (i.e. bitflips) which, in principle, could occur
|
||||
// during the signing computation. It is added to signatures of any algo for simplicity, and as it may also serve as protection in case of
|
||||
// weaknesses in the hash algo, potentially hindering e.g. some chosen-prefix attacks.
|
||||
// The default behavior, when the config or flag is nil, is to enable the feature.
|
||||
NonDeterministicSignaturesViaNotation *bool
|
||||
}
|
||||
|
||||
func (c *Config) Random() io.Reader {
|
||||
@ -197,7 +260,7 @@ func (c *Config) S2K() *s2k.Config {
|
||||
return nil
|
||||
}
|
||||
// for backwards compatibility
|
||||
if c != nil && c.S2KCount > 0 && c.S2KConfig == nil {
|
||||
if c.S2KCount > 0 && c.S2KConfig == nil {
|
||||
return &s2k.Config{
|
||||
S2KCount: c.S2KCount,
|
||||
}
|
||||
@ -233,6 +296,13 @@ func (c *Config) AllowUnauthenticatedMessages() bool {
|
||||
return c.InsecureAllowUnauthenticatedMessages
|
||||
}
|
||||
|
||||
func (c *Config) AllowDecryptionWithSigningKeys() bool {
|
||||
if c == nil {
|
||||
return false
|
||||
}
|
||||
return c.InsecureAllowDecryptionWithSigningKeys
|
||||
}
|
||||
|
||||
func (c *Config) KnownNotation(notationName string) bool {
|
||||
if c == nil {
|
||||
return false
|
||||
@ -246,3 +316,95 @@ func (c *Config) Notations() []*Notation {
|
||||
}
|
||||
return c.SignatureNotations
|
||||
}
|
||||
|
||||
func (c *Config) V6() bool {
|
||||
if c == nil {
|
||||
return false
|
||||
}
|
||||
return c.V6Keys
|
||||
}
|
||||
|
||||
func (c *Config) IntendedRecipients() bool {
|
||||
if c == nil || c.CheckIntendedRecipients == nil {
|
||||
return true
|
||||
}
|
||||
return *c.CheckIntendedRecipients
|
||||
}
|
||||
|
||||
func (c *Config) RetrieveSessionKey() bool {
|
||||
if c == nil {
|
||||
return false
|
||||
}
|
||||
return c.CacheSessionKey
|
||||
}
|
||||
|
||||
func (c *Config) MinimumRSABits() uint16 {
|
||||
if c == nil || c.MinRSABits == 0 {
|
||||
return 2047
|
||||
}
|
||||
return c.MinRSABits
|
||||
}
|
||||
|
||||
func (c *Config) RejectPublicKeyAlgorithm(alg PublicKeyAlgorithm) bool {
|
||||
var rejectedAlgorithms map[PublicKeyAlgorithm]bool
|
||||
if c == nil || c.RejectPublicKeyAlgorithms == nil {
|
||||
// Default
|
||||
rejectedAlgorithms = defaultRejectPublicKeyAlgorithms
|
||||
} else {
|
||||
rejectedAlgorithms = c.RejectPublicKeyAlgorithms
|
||||
}
|
||||
return rejectedAlgorithms[alg]
|
||||
}
|
||||
|
||||
func (c *Config) RejectHashAlgorithm(hash crypto.Hash) bool {
|
||||
var rejectedAlgorithms map[crypto.Hash]bool
|
||||
if c == nil || c.RejectHashAlgorithms == nil {
|
||||
// Default
|
||||
rejectedAlgorithms = defaultRejectHashAlgorithms
|
||||
} else {
|
||||
rejectedAlgorithms = c.RejectHashAlgorithms
|
||||
}
|
||||
return rejectedAlgorithms[hash]
|
||||
}
|
||||
|
||||
func (c *Config) RejectMessageHashAlgorithm(hash crypto.Hash) bool {
|
||||
var rejectedAlgorithms map[crypto.Hash]bool
|
||||
if c == nil || c.RejectMessageHashAlgorithms == nil {
|
||||
// Default
|
||||
rejectedAlgorithms = defaultRejectMessageHashAlgorithms
|
||||
} else {
|
||||
rejectedAlgorithms = c.RejectMessageHashAlgorithms
|
||||
}
|
||||
return rejectedAlgorithms[hash]
|
||||
}
|
||||
|
||||
func (c *Config) RejectCurve(curve Curve) bool {
|
||||
var rejectedCurve map[Curve]bool
|
||||
if c == nil || c.RejectCurves == nil {
|
||||
// Default
|
||||
rejectedCurve = defaultRejectCurves
|
||||
} else {
|
||||
rejectedCurve = c.RejectCurves
|
||||
}
|
||||
return rejectedCurve[curve]
|
||||
}
|
||||
|
||||
func (c *Config) StrictPacketSequence() bool {
|
||||
if c == nil || c.CheckPacketSequence == nil {
|
||||
return true
|
||||
}
|
||||
return *c.CheckPacketSequence
|
||||
}
|
||||
|
||||
func (c *Config) RandomizeSignaturesViaNotation() bool {
|
||||
if c == nil || c.NonDeterministicSignaturesViaNotation == nil {
|
||||
return true
|
||||
}
|
||||
return *c.NonDeterministicSignaturesViaNotation
|
||||
}
|
||||
|
||||
// BoolPointer is a helper function to set a boolean pointer in the Config.
|
||||
// e.g., config.CheckPacketSequence = BoolPointer(true)
|
||||
func BoolPointer(value bool) *bool {
|
||||
return &value
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user