[v6] crypto-refresh: add support for Ed448/X448

[larabr]

This addition is backwards compatible. We offer no way to generate v4 keys in the new format, since existing implementations might not support them.

TODO:

• update kdf to include public key
• merge after crypto-refresh: add support for new Ed25519/X25519 keys, signatures and messages #1620
• fork Ed448 library to support BigInteger fallback (needed for Safari < 14, which does not support native bigint)
• enforce using AES (https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276)
• change base branch (to be merged into v6?) -- only if we cannot avoid breaking changes due to e.g. ESM support
• merge after [v6] Update packet versions to the latest crypto refresh #1630
• add v6 keys and PKESK tests
• add key generation (in generateKey) done in [v6] crypto-refresh: support generating Curve448 and Curve25519 keys (new format) #1676
• point to released @openpgp/noble-curves
• reject weak hashes on signature verification (need to update the tests too, since the keys use sha256)
• add Node Crypto support (TODO in separate PR, as it's not a priority nor a breaking change)

[paulmillr]

What is your policy with regards to browser versions? I notice you support Safari 13. The browser is used by 0.38%+0.77% of users globally, as per caniuse.

v13 was last updated with 13.1.2 on July 15, 2020 - around 3 years ago. Safari 13 has following vulnerabilities:

• Fixed in Safari 14: CVE-2020-9993, CVE-2020-9987 (address bar spoofing), CVE-2020-9948, CVE-2020-9947, CVE-2020-9950, CVE-2020-9951 (RCE), CVE-2020-9952 (XSS), CVE-2020-9983 (RCE)
• Fixed in Safari 14.0.1: CVE-2020-9945 (address bar spoofing), CVE-2020-27918 (RCE)
• Fixed in Safari 14.0.2: CVE-2020-15969 (RCE)
• Fixed in Safari 14.0.3: CVE-2021-1788 (RCE), CVE-2021-1789 (RCE), CVE-2021-1799 (access restricted ports), CVE-2021-1844 (RCE)
• Fixed in Safari 14.1: CVE-2021-1825 (XSS), CVE-2021-30661 (RCE), CVE-2020-7463 (corrupt kernel memory), actively exploited CVE-2021-30665 (RCE), CVE-2021-30663 (RCE)
• Fixed in Safari 14.1.1: CVE-2021-30749 / CVE-2021-30734 (RCE), CVE-2021-30744 (XSS), CVE-2021-30720 (port access), CVE-2021-30682 (sensitive information leak), CVE-2021-21779 (RCE), CVE-2021-30689 (XSS), CVE-2021-30663 (RCE), CVE-2021-23841 / CVE-2021-30698 (DoS)
• Fixed in Safari 14.1.2: CVE-2021-30758 (RCE), CVE-2021-30795 (RCE), CVE-2021-30797 (RCE)
• Fixed in Safari 15: CVE-2021-30836 (revealing RAM content), CVE-2021-30861 (bypass Gatekeeper), CVE-2021-30818 (RCE), CVE-2021-30823 (bypass HSTS), CVE-2021-30809 (RCE), CVE-2021-30846 (RCE), CVE-2021-30848 (RCE), CVE-2021-30849 (RCE), CVE-2021-30851 (RCE), CVE-2021-30930 (IP leak)
• Fixed in Safari 15.1: CVE-2021-31008 (RCE), CVE-2021-30887 (bypass CSP), CVE-2021-30888 (leak via redirect), CVE-2021-30889 (RCE), CVE-2021-30890 (XSS)
• Fixed in Safari 15.2: CVE-2021-30934 (RCE), CVE-2021-30936 / CVE-2021-30951 (RCE), CVE-2021-30952 (RCE), CVE-2021-30984 (RCE), CVE-2021-30953 (RCE), CVE-2021-30954 (RCE)
• Fixed in Safari 15.3: CVE-2022-22590 (RCE), CVE-2022-22592 (CSP bypass), CVE-2022-22589 (RCE), CVE-2022-22594 (leaking info), actively exploited CVE-2022-22620 (RCE)
• Fixed in Safari 15.4: CVE-2022-22654 (address bar spoofing), CVE-2022-22610 (RCE), CVE-2022-22624 / CVE-2022-22628 (RCE), CVE-2022-22629 (RCE), CVE-2022-22637 (XSS)
• Fixed in Safari 15.5: CVE-2022-26700 (RCE), CVE-2022-26709 / CVE-2022-26717 (RCE), CVE-2022-26716 / CVE-2022-26719 (RCE)
• Fixed in Safari 15.6: CVE-2022-32784 (data leak), CVE-2022-32885 (RCE), CVE-2022-32861 (IP leak), CVE-2022-32863 (RCE), CVE-2022-32792 (RCE), CVE-2022-2294 (RCE)
• Fixed in Safari 15.6.1: actively exploited CVE-2022-32893 (RCE)
• A bunch of Safari 16 RCEs, including actively exploited CVE-2022-42856, CVE-2023-28205

Also, the bn.js shim has likely not been audited and fuzzed properly.

[larabr]

Hey @paulmillr , we've confirmed with internal stats that around 1% of our end users are on Safari 13 (desktop or mobile), and that's too large a chunk for us to drop support, considering that BigInt cannot be polyfilled. Hopefully the usage goes down enough in the next year and we can require BigInt in OpenPGP.js v7.

As for bn.js, it's a library that OpenPGP.js has used for a while, both directly and as part of elliptic.js, and while this is certainly no guarantee of security, we are positive about its stability. Unlike previous versions of OpenPGP.js, once we switch to noble-curves, bn.js will only be used as fallback for legacy browsers and the Brainpool curves. Plus, thanks to the design of the BigInteger interface, if we find a better fallback library it'll be easy to switch out bn.js for that.

[paulmillr]

Understood. Thanks for clarification.