Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add config.rejectCurves and prevent generating keys using blacklisted algos #1395

Merged
merged 4 commits into from Aug 19, 2021
Merged

Add config.rejectCurves and prevent generating keys using blacklisted algos #1395

merged 4 commits into from Aug 19, 2021

Conversation

larabr
Copy link
Collaborator

@larabr larabr commented Aug 6, 2021
edited

Breaking changes:

  • throw error on key generation if the requested public key algorithm is included in config.rejectPublicKeyAlgorithms;
  • add config.rejectCurves to blacklist a set of ECC curves, to prevent keys using those curves from being generated, or being used to encrypt/decrypt/sign/verify messages.
    By default, config.rejectCurves includes the brainpool curves (brainpoolP256r1, brainpoolP384r1, brainpoolP512r1) and the Bitcoin curve (secp256k1). This is because it's unclear whether these curves will be standardised, and we prefer to blacklist them already, rather than introduce a breaking change after release.

larabr
larabr commented Aug 6, 2021
View reviewed changes
src/openpgp.js Outdated Show resolved Hide resolved
@larabr larabr requested a review from twiss August 19, 2021 13:58
twiss
twiss reviewed Aug 19, 2021
View reviewed changes
src/config/config.js Outdated Show resolved Hide resolved
src/config/config.js Outdated Show resolved Hide resolved
src/openpgp.js Outdated Show resolved Hide resolved
@larabr larabr merged commit 3fa778a into openpgpjs:master Aug 19, 2021
@larabr larabr mentioned this pull request Oct 19, 2021
Merged
larabr added a commit that referenced this pull request Dec 1, 2021
@larabr
Check key requirements in PrivateKey.addSubkey() (#1423)
6fc005f 
Breaking change:
when generating new subkeys through `key.addSubkey()`, we now check
`config.rejectCurves` and prevent adding subkeys using the corresponding
curves.
By default, `config.rejectCurves` includes the brainpool curves
(`brainpoolP256r1`, `brainpoolP384r1`, `brainpoolP512r1`) and the Bitcoin curve
(`secp256k1`).

This is a follow up to #1395 , which introduced the same check to
`openpgp.generateKey`.
This was referenced Jun 23, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twiss twiss twiss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@larabr @twiss