feat: Add symmetric keys to v2

openpgp/forwarding.go

@@ -134,10 +134,10 @@ func (e *Entity) NewForwardingEntity(
 		instance.ForwardeeFingerprint = forwardeeSubKey.PublicKey.Fingerprint
 
 		// 0x04 - This key may be used to encrypt communications.
-		forwardeeSubKey.Sig.FlagEncryptCommunications = true
+		forwardeeSubKey.Sig.FlagEncryptCommunications = false
 
 		// 0x08 - This key may be used to encrypt storage.
-		forwardeeSubKey.Sig.FlagEncryptStorage = true
+		forwardeeSubKey.Sig.FlagEncryptStorage = false
 
 		// 0x10 - The private component of this key may have been split by a secret-sharing mechanism.
 		forwardeeSubKey.Sig.FlagSplitKey = true

openpgp/packet/encrypted_key.go

@@ -223,7 +223,7 @@ func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
 
 	var key []byte
 	switch priv.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal, PubKeyAlgoECDH:
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal, PubKeyAlgoECDH, ExperimentalPubKeyAlgoAEAD:
 		keyOffset := 0
 		if e.Version < 6 {
 			e.CipherFunc = CipherFunction(b[0])

openpgp/v2/forwarding.go

@@ -131,10 +131,10 @@ func (e *Entity) NewForwardingEntity(
 		instance.ForwardeeFingerprint = forwardeeSubKey.PublicKey.Fingerprint
 
 		// 0x04 - This key may be used to encrypt communications.
-		forwardeeSubKeySelfSig.FlagEncryptCommunications = true
+		forwardeeSubKeySelfSig.FlagEncryptCommunications = false
 
 		// 0x08 - This key may be used to encrypt storage.
-		forwardeeSubKeySelfSig.FlagEncryptStorage = true
+		forwardeeSubKeySelfSig.FlagEncryptStorage = false
 
 		// 0x10 - The private component of this key may have been split by a secret-sharing mechanism.
 		forwardeeSubKeySelfSig.FlagSplitKey = true

openpgp/v2/key_generation.go

@@ -22,6 +22,7 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
+	"github.com/ProtonMail/go-crypto/openpgp/symmetric"
 	"github.com/ProtonMail/go-crypto/openpgp/x25519"
 	"github.com/ProtonMail/go-crypto/openpgp/x448"
 )
@@ -387,6 +388,9 @@ func newSigner(config *packet.Config) (signer interface{}, err error) {
 			return nil, err
 		}
 		return priv, nil
+	case packet.ExperimentalPubKeyAlgoHMAC:
+		hash := algorithm.HashById[hashToHashId(config.Hash())]
+		return symmetric.HMACGenerateKey(config.Random(), hash)
 	default:
 		return nil, errors.InvalidArgumentError("unsupported public key algorithm")
 	}
@@ -429,6 +433,9 @@ func newDecrypter(config *packet.Config) (decrypter interface{}, err error) {
 		return x25519.GenerateKey(config.Random())
 	case packet.PubKeyAlgoEd448, packet.PubKeyAlgoX448: // When passing Ed448, we generate an x448 subkey
 		return x448.GenerateKey(config.Random())
+	case packet.ExperimentalPubKeyAlgoAEAD:
+		cipher := algorithm.CipherFunction(config.Cipher())
+		return symmetric.AEADGenerateKey(config.Random(), cipher)
 	default:
 		return nil, errors.InvalidArgumentError("unsupported public key algorithm")
 	}

openpgp/v2/keys.go

@@ -61,7 +61,7 @@ func (e *Entity) PrimaryIdentity(date time.Time, config *packet.Config) (*packet
 	var primaryIdentityCandidatesSelfSigs []*packet.Signature
 	for _, identity := range e.Identities {
 		selfSig, err := identity.Verify(date, config) // identity must be valid at date
-		if err == nil {                       // verification is successful
+		if err == nil {                               // verification is successful
 			primaryIdentityCandidates = append(primaryIdentityCandidates, identity)
 			primaryIdentityCandidatesSelfSigs = append(primaryIdentityCandidatesSelfSigs, selfSig)
 		}
@@ -608,6 +608,10 @@ func (e *Entity) serializePrivate(w io.Writer, config *packet.Config, reSign boo
 // Serialize writes the public part of the given Entity to w, including
 // signatures from other entities. No private key material will be output.
 func (e *Entity) Serialize(w io.Writer) error {
+	if e.PrimaryKey.PubKeyAlgo == packet.ExperimentalPubKeyAlgoHMAC ||
+		e.PrimaryKey.PubKeyAlgo == packet.ExperimentalPubKeyAlgoAEAD {
+		return errors.InvalidArgumentError("Can't serialize symmetric primary key")
+	}
 	if err := e.PrimaryKey.Serialize(w); err != nil {
 		return err
 	}
@@ -628,6 +632,16 @@ func (e *Entity) Serialize(w io.Writer) error {
 		}
 	}
 	for _, subkey := range e.Subkeys {
+		// The types of keys below are only useful as private keys. Thus, the
+		// public key packets contain no meaningful information and do not need
+		// to be serialized.
+		// Prevent public key export for forwarding keys, see forwarding section 4.1.
+		subKeySelfSig, err := subkey.LatestValidBindingSignature(time.Time{})
+		if subkey.PublicKey.PubKeyAlgo == packet.ExperimentalPubKeyAlgoHMAC ||
+			subkey.PublicKey.PubKeyAlgo == packet.ExperimentalPubKeyAlgoAEAD ||
+			(err == nil && subKeySelfSig.FlagForward) {
+			continue
+		}
 		if err := subkey.Serialize(w, false); err != nil {
 			return err
 		}
@@ -784,5 +798,5 @@ func isValidCertificationKey(signature *packet.Signature, algo packet.PublicKeyA
 func isValidEncryptionKey(signature *packet.Signature, algo packet.PublicKeyAlgorithm) bool {
 	return algo.CanEncrypt() &&
 		signature.FlagsValid &&
-		(signature.FlagEncryptCommunications || signature.FlagEncryptStorage)
+		(signature.FlagEncryptCommunications || signature.FlagForward || signature.FlagEncryptStorage)
 }

openpgp/v2/keys_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/ProtonMail/go-crypto/openpgp/s2k"
+	"github.com/ProtonMail/go-crypto/openpgp/symmetric"
 )
 
 var hashes = []crypto.Hash{
@@ -2022,3 +2023,222 @@ NciH07RTRuMS/aRhRg4OB8PQROmTnZ+iZS0=
 		t.Fatal(err)
 	}
 }
+
+func TestAddHMACSubkey(t *testing.T) {
+	c := &packet.Config{
+		RSABits:   512,
+		Algorithm: packet.ExperimentalPubKeyAlgoHMAC,
+	}
+
+	entity, err := NewEntity("Golang Gopher", "Test Key", "[email protected]", &packet.Config{RSABits: 1024})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = entity.AddSigningSubkey(c)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	buf := bytes.NewBuffer(nil)
+	w, _ := armor.Encode(buf, "PGP PRIVATE KEY BLOCK", nil)
+	if err := entity.SerializePrivate(w, nil); err != nil {
+		t.Errorf("failed to serialize entity: %s", err)
+	}
+	w.Close()
+
+	key, err := ReadArmoredKeyRing(buf)
+	if err != nil {
+		t.Error("could not read keyring", err)
+	}
+
+	generatedPrivateKey := entity.Subkeys[1].PrivateKey.PrivateKey.(*symmetric.HMACPrivateKey)
+	parsedPrivateKey := key[0].Subkeys[1].PrivateKey.PrivateKey.(*symmetric.HMACPrivateKey)
+
+	generatedPublicKey := entity.Subkeys[1].PublicKey.PublicKey.(*symmetric.HMACPublicKey)
+	parsedPublicKey := key[0].Subkeys[1].PublicKey.PublicKey.(*symmetric.HMACPublicKey)
+
+	if !bytes.Equal(parsedPrivateKey.Key, generatedPrivateKey.Key) {
+		t.Error("parsed wrong key")
+	}
+	if !bytes.Equal(parsedPublicKey.Key, generatedPrivateKey.Key) {
+		t.Error("parsed wrong key in public part")
+	}
+	if !bytes.Equal(generatedPublicKey.Key, generatedPrivateKey.Key) {
+		t.Error("generated Public and Private Key differ")
+	}
+
+	if !bytes.Equal(parsedPrivateKey.HashSeed[:], generatedPrivateKey.HashSeed[:]) {
+		t.Error("parsed wrong hash seed")
+	}
+
+	if parsedPrivateKey.PublicKey.Hash != generatedPrivateKey.PublicKey.Hash {
+		t.Error("parsed wrong cipher id")
+	}
+	if !bytes.Equal(parsedPrivateKey.PublicKey.BindingHash[:], generatedPrivateKey.PublicKey.BindingHash[:]) {
+		t.Error("parsed wrong binding hash")
+	}
+}
+
+func TestSerializeSymmetricSubkeyError(t *testing.T) {
+	entity, err := NewEntity("Golang Gopher", "Test Key", "[email protected]", &packet.Config{RSABits: 1024})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	buf := bytes.NewBuffer(nil)
+	w, _ := armor.Encode(buf, "PGP PRIVATE KEY BLOCK", nil)
+
+	entity.PrimaryKey.PubKeyAlgo = 100
+	err = entity.Serialize(w)
+	if err == nil {
+		t.Fatal(err)
+	}
+
+	entity.PrimaryKey.PubKeyAlgo = 101
+	err = entity.Serialize(w)
+	if err == nil {
+		t.Fatal(err)
+	}
+}
+
+func TestAddAEADSubkey(t *testing.T) {
+	c := &packet.Config{
+		RSABits:   512,
+		Algorithm: packet.ExperimentalPubKeyAlgoAEAD,
+	}
+	entity, err := NewEntity("Golang Gopher", "Test Key", "[email protected]", &packet.Config{RSABits: 1024})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = entity.AddEncryptionSubkey(c)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	generatedPrivateKey := entity.Subkeys[1].PrivateKey.PrivateKey.(*symmetric.AEADPrivateKey)
+
+	buf := bytes.NewBuffer(nil)
+	w, _ := armor.Encode(buf, "PGP PRIVATE KEY BLOCK", nil)
+	if err := entity.SerializePrivate(w, nil); err != nil {
+		t.Errorf("failed to serialize entity: %s", err)
+	}
+	w.Close()
+
+	key, err := ReadArmoredKeyRing(buf)
+	if err != nil {
+		t.Error("could not read keyring", err)
+	}
+
+	parsedPrivateKey := key[0].Subkeys[1].PrivateKey.PrivateKey.(*symmetric.AEADPrivateKey)
+
+	generatedPublicKey := entity.Subkeys[1].PublicKey.PublicKey.(*symmetric.AEADPublicKey)
+	parsedPublicKey := key[0].Subkeys[1].PublicKey.PublicKey.(*symmetric.AEADPublicKey)
+
+	if !bytes.Equal(parsedPrivateKey.Key, generatedPrivateKey.Key) {
+		t.Error("parsed wrong key")
+	}
+	if !bytes.Equal(parsedPublicKey.Key, generatedPrivateKey.Key) {
+		t.Error("parsed wrong key in public part")
+	}
+	if !bytes.Equal(generatedPublicKey.Key, generatedPrivateKey.Key) {
+		t.Error("generated Public and Private Key differ")
+	}
+
+	if !bytes.Equal(parsedPrivateKey.HashSeed[:], generatedPrivateKey.HashSeed[:]) {
+		t.Error("parsed wrong hash seed")
+	}
+
+	if parsedPrivateKey.PublicKey.Cipher.Id() != generatedPrivateKey.PublicKey.Cipher.Id() {
+		t.Error("parsed wrong cipher id")
+	}
+	if !bytes.Equal(parsedPrivateKey.PublicKey.BindingHash[:], generatedPrivateKey.PublicKey.BindingHash[:]) {
+		t.Error("parsed wrong binding hash")
+	}
+}
+
+func TestNoSymmetricKeySerialized(t *testing.T) {
+	aeadConfig := &packet.Config{
+		RSABits:       512,
+		DefaultHash:   crypto.SHA512,
+		Algorithm:     packet.ExperimentalPubKeyAlgoAEAD,
+		DefaultCipher: packet.CipherAES256,
+	}
+	hmacConfig := &packet.Config{
+		RSABits:       512,
+		DefaultHash:   crypto.SHA512,
+		Algorithm:     packet.ExperimentalPubKeyAlgoHMAC,
+		DefaultCipher: packet.CipherAES256,
+	}
+	entity, err := NewEntity("Golang Gopher", "Test Key", "[email protected]", &packet.Config{RSABits: 1024})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = entity.AddEncryptionSubkey(aeadConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = entity.AddSigningSubkey(hmacConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	w := bytes.NewBuffer(nil)
+	entity.Serialize(w)
+
+	firstSymKey := entity.Subkeys[1].PrivateKey.PrivateKey.(*symmetric.AEADPrivateKey).Key
+	i := bytes.Index(w.Bytes(), firstSymKey)
+
+	secondSymKey := entity.Subkeys[2].PrivateKey.PrivateKey.(*symmetric.HMACPrivateKey).Key
+	k := bytes.Index(w.Bytes(), secondSymKey)
+
+	if (i > 0) || (k > 0) {
+		t.Error("Private key was serialized with public")
+	}
+
+	firstBindingHash := entity.Subkeys[1].PublicKey.PublicKey.(*symmetric.AEADPublicKey).BindingHash
+	i = bytes.Index(w.Bytes(), firstBindingHash[:])
+
+	secondBindingHash := entity.Subkeys[2].PublicKey.PublicKey.(*symmetric.HMACPublicKey).BindingHash
+	k = bytes.Index(w.Bytes(), secondBindingHash[:])
+	if (i > 0) || (k > 0) {
+		t.Errorf("Symmetric public key metadata exported %d %d", i, k)
+	}
+
+}
+
+func TestSymmetricKeys(t *testing.T) {
+	data := `-----BEGIN PGP PRIVATE KEY BLOCK-----
+	
+xWoEYs7w5mUIcFvlmkuricX26x138uvHGlwIaxWIbRnx1+ggPcveTcwA4zSZ
+n6XcD0Q5aLe6dTEBwCyfUecZ/nA0W8Pl9xBHfjIjQuxcUBnIqxZ061RZPjef
+D/XIQga1ftLDelhylQwL7R3TzQ1TeW1tZXRyaWMgS2V5wmkEEGUIAB0FAmLO
+8OYECwkHCAMVCAoEFgACAQIZAQIbAwIeAQAhCRCRTKq2ObiQKxYhBMHTTXXF
+ULQ2M2bYNJFMqrY5uJArIawgJ+5RSsN8VNuZTKJbG88TIedU05wwKjW3wqvT
+X6Z7yfbHagRizvDmZAluL/kJo6hZ1kFENpQkWD/Kfv1vAG3nbxhsVEzBQ6a1
+OAD24BaKJz6gWgj4lASUNK5OuXnLc3J79Bt1iRGkSbiPzRs/bplB4TwbILeC
+ZLeDy9kngZDosgsIk5sBgGEqS9y5HiHCVQQYZQgACQUCYs7w5gIbDAAhCRCR
+TKq2ObiQKxYhBMHTTXXFULQ2M2bYNJFMqrY5uJArENkgL0Bc+OI/1na0XWqB
+TxGVotQ4A/0u0VbOMEUfnrI8Fms=
+=RdCW
+-----END PGP PRIVATE KEY BLOCK-----
+`
+	keys, err := ReadArmoredKeyRing(strings.NewReader(data))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(keys) != 1 {
+		t.Errorf("Expected 1 symmetric key, got %d", len(keys))
+	}
+	if keys[0].PrivateKey.PubKeyAlgo != packet.ExperimentalPubKeyAlgoHMAC {
+		t.Errorf("Expected HMAC primary key")
+	}
+	if len(keys[0].Subkeys) != 1 {
+		t.Errorf("Expected 1 symmetric subkey, got %d", len(keys[0].Subkeys))
+	}
+	if keys[0].Subkeys[0].PrivateKey.PubKeyAlgo != packet.ExperimentalPubKeyAlgoAEAD {
+		t.Errorf("Expected AEAD subkey")
+	}
+}

openpgp/v2/read.go

@@ -138,7 +138,7 @@ ParsePackets:
 			switch p.Algo {
 			case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly,
 				packet.PubKeyAlgoElGamal, packet.PubKeyAlgoECDH,
-				packet.PubKeyAlgoX25519, packet.PubKeyAlgoX448:
+				packet.PubKeyAlgoX25519, packet.PubKeyAlgoX448, packet.ExperimentalPubKeyAlgoAEAD:
 				break
 			default:
 				continue

openpgp/v2/read_test.go

@@ -1002,3 +1002,10 @@ func testMalformedMessage(t *testing.T, keyring EntityList, message string) {
 		return
 	}
 }
+
+func TestReadKeyRingWithSymmetricSubkey(t *testing.T) {
+	_, err := ReadArmoredKeyRing(strings.NewReader(keyWithAEADSubkey))
+	if err != nil {
+		t.Error("could not read keyring", err)
+	}
+}

openpgp/v2/read_write_test_data.go

@@ -740,3 +740,21 @@ NVniEke6hM3CNBXYPAMhQBMWhCulcoz+0lxi8L34rMN+Dsbma96psdUrn7uLaB91
 xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=
 =miES
 -----END PGP PRIVATE KEY BLOCK-----`
+
+// A key that contains a persistent AEAD subkey
+const keyWithAEADSubkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xVgEYs/4KxYJKwYBBAHaRw8BAQdA7tIsntXluwloh/H62PJMqasjP00M86fv
+/Pof9A968q8AAQDYcgkPKUdWAxsDjDHJfouPS4q5Me3ks+umlo5RJdwLZw4k
+zQ1TeW1tZXRyaWMgS2V5wowEEBYKAB0FAmLP+CsECwkHCAMVCAoEFgACAQIZ
+AQIbAwIeAQAhCRDkNhFDvaU8vxYhBDJNoyEFquVOCf99d+Q2EUO9pTy/5XQA
+/1F2YPouv0ydBDJU3EOS/4bmPt7yqvzciWzeKVEOkzYuAP9OsP7q/5ccqOPX
+mmRUKwd82/cNjdzdnWZ8Tq89XMwMAMdqBGLP+CtkCfFyZxOMF0BWLwAE8pLy
+RVj2n2K7k6VvrhyuTqDkFDUFALiSLrEfnmTKlsPYS3/YzsODF354ccR63q73
+3lmCrvFRyaf6AHvVrBYPbJR+VhuTjZTwZKvPPKv0zVdSqi5JDEQiocJ4BBgW
+CAAJBQJiz/grAhsMACEJEOQ2EUO9pTy/FiEEMk2jIQWq5U4J/3135DYRQ72l
+PL+fEQEA7RaRbfa+AtiRN7a4GuqVEDZi3qtQZ2/Qcb27/LkAD0sA/3r9drYv
+jyu46h1fdHHyo0HS2MiShZDZ8u60JnDltloD
+=8TxH
+-----END PGP PRIVATE KEY BLOCK-----
+`