Skip to content

chore(deps): update dependency openpgpjs/openpgpjs to v5.1.0

Botaniker (Bot) requested to merge renovate/openpgpjs-openpgpjs-5.x into deploy

This MR contains the following updates:

Package Update Change
openpgpjs/openpgpjs minor v5.0.1 -> v5.1.0

Release Notes

openpgpjs/openpgpjs

v5.1.0

Compare Source

  • Add support for constant-time decryption of PKCS#​1 v1.5-encoded session keys (#​1445)

    Implement optional constant-time decryption flow to hinder Bleichenbacher-like attacks against RSA- and ElGamal public-key encrypted session keys.

    Changes:

    • Add config.constantTimePKCS1Decryption to enable the constant-time processing (defaults to false). The constant-time option is off by default since it has measurable performance impact on message decryption, and it is only helpful in specific application scenarios (more info below).
    • Add config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms (defaults to the AES algorithms). The set of supported ciphers is restricted by default since the number of algorithms negatively affects performance.

    Bleichenbacher-like attacks are of concern for applications where both of the following conditions are met:

    1. New/incoming messages are automatically decrypted (without user interaction);
    2. An attacker can determine how long it takes to decrypt each message (e.g. due to decryption errors being logged remotely).

  • Check key requirements in PrivateKey.addSubkey() (#​1423)

    Breaking change: when generating new subkeys through key.addSubkey(), we now check config.rejectCurves and prevent adding subkeys using the corresponding curves. By default, config.rejectCurves includes the brainpool curves (brainpoolP256r1, brainpoolP384r1, brainpoolP512r1) and the Bitcoin curve (secp256k1).

    This is a follow up to #​1395, which introduced the same check to openpgp.generateKey.

  • Initial Deno support (#​1448)

  • Replace strings with integer algorithm identifiers in packet classes (#​1410)

    In several packet classes, we used to store string identifiers for public-key, aead, cipher or hash algorithms. To make the code consistent and to avoid having to convert to/from string values, we now always store integer values instead, e.g. enums.symmetric.aes128 is used instead of 'aes128'.

    This is not expected to be a breaking change for most library users. Note that the type of Key.getAlgorithmInfo() and of the session key objects returned and accepted by top-level functions remain unchanged.

    Affected classes (type changes for some properties and method's arguments):

    • PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket
    • SymEncryptedIntegrityProtectedDataPacket, AEADEncryptedDataPacket, SymmetricallyEncryptedDataPacket
    • LiteralDataPacket, CompressedDataPacket
    • PublicKeyEncryptedSessionKey, SymEncryptedSessionKeyPacket
    • SignaturePacket

    Other potentially breaking changes:

    • Removed property AEADEncryptedDataPacket.aeadAlgo, since it was redudant given .aeadAlgorithm.
    • Renamed AEADEncryptedDataPacket.cipherAlgo -> .cipherAlgorithm

  • CI: create annotations on performance regression warnings/errors (#​1441)

  • CI: use Node v16 instead of v15

  • Update documentation link (#​1455)

  • Rename master branch to main

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot. The local configuration can be found in the SI Renovate Bot repository.

Merge request reports