No v6 ECC keys with legacy OIDs (#234)

This PR addresses a compliance issue with RFC 9580, which mandates:

"Implementations MUST NOT accept or generate version 6 key material 
using the deprecated OIDs."

Currently, the implementation allows generation of v6 keys with deprecated OIDs, 
which violates the specification. This MR resolves the issue by introducing an error during 
key generation and parsing when deprecated OIDs are detected.

Author: lubux

openpgp/internal/ecc/curve_info.go

@@ -10,6 +10,8 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
 )
 
+const Curve25519GenName = "Curve25519"
+
 type CurveInfo struct {
 	GenName string
 	Oid     *encoding.OID
@@ -43,7 +45,7 @@ var Curves = []CurveInfo{
 	},
 	{
 		// Curve25519
-		GenName: "Curve25519",
+		GenName: Curve25519GenName,
 		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
 		Curve:   NewCurve25519(),
 	},
@@ -55,7 +57,7 @@ var Curves = []CurveInfo{
 	},
 	{
 		// Ed25519
-		GenName: "Curve25519",
+		GenName: Curve25519GenName,
 		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
 		Curve:   NewEd25519(),
 	},

openpgp/key_generation.go

@@ -41,7 +41,9 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
 	}
 	primary := packet.NewSignerPrivateKey(creationTime, primaryPrivRaw)
 	if config.V6() {
-		primary.UpgradeToV6()
+		if err := primary.UpgradeToV6(); err != nil {
+			return nil, err
+		}
 	}
 
 	e := &Entity{
@@ -187,7 +189,9 @@ func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 	sub := packet.NewSignerPrivateKey(creationTime, subPrivRaw)
 	sub.IsSubkey = true
 	if config.V6() {
-		sub.UpgradeToV6()
+		if err := sub.UpgradeToV6(); err != nil {
+			return err
+		}
 	}
 
 	subkey := Subkey{
@@ -232,7 +236,9 @@ func (e *Entity) addEncryptionSubkey(config *packet.Config, creationTime time.Ti
 	sub := packet.NewDecrypterPrivateKey(creationTime, subPrivRaw)
 	sub.IsSubkey = true
 	if config.V6() {
-		sub.UpgradeToV6()
+		if err := sub.UpgradeToV6(); err != nil {
+			return err
+		}
 	}
 
 	subkey := Subkey{

openpgp/packet/public_key.go

@@ -63,9 +63,10 @@ func (pk *PublicKey) UpgradeToV5() {
 
 // UpgradeToV6 updates the version of the key to v6, and updates all necessary
 // fields.
-func (pk *PublicKey) UpgradeToV6() {
+func (pk *PublicKey) UpgradeToV6() error {
 	pk.Version = 6
 	pk.setFingerprintAndKeyId()
+	return pk.checkV6Compatibility()
 }
 
 // signingKey provides a convenient abstraction over signature verification
@@ -313,6 +314,23 @@ func (pk *PublicKey) setFingerprintAndKeyId() {
 	}
 }
 
+func (pk *PublicKey) checkV6Compatibility() error {
+	// Implementations MUST NOT accept or generate version 6 key material using the deprecated OIDs.
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoECDH:
+		curveInfo := ecc.FindByOid(pk.oid)
+		if curveInfo == nil {
+			return errors.UnsupportedError(fmt.Sprintf("unknown oid: %x", pk.oid))
+		}
+		if curveInfo.GenName == ecc.Curve25519GenName {
+			return errors.StructuralError("cannot generate v6 key with deprecated OID: Curve25519Legacy")
+		}
+	case PubKeyAlgoEdDSA:
+		return errors.StructuralError("cannot generate v6 key with deprecated algorithm: EdDSALegacy")
+	}
+	return nil
+}
+
 // parseRSA parses RSA public key material from the given Reader. See RFC 4880,
 // section 5.5.2.
 func (pk *PublicKey) parseRSA(r io.Reader) (err error) {
@@ -437,6 +455,11 @@ func (pk *PublicKey) parseECDH(r io.Reader) (err error) {
 		return errors.UnsupportedError(fmt.Sprintf("unknown oid: %x", pk.oid))
 	}
 
+	if pk.Version == 6 && curveInfo.GenName == ecc.Curve25519GenName {
+		// Implementations MUST NOT accept or generate version 6 key material using the deprecated OIDs.
+		return errors.StructuralError("cannot read v6 key with deprecated OID: Curve25519Legacy")
+	}
+
 	pk.p = new(encoding.MPI)
 	if _, err = pk.p.ReadFrom(r); err != nil {
 		return
@@ -474,6 +497,11 @@ func (pk *PublicKey) parseECDH(r io.Reader) (err error) {
 }
 
 func (pk *PublicKey) parseEdDSA(r io.Reader) (err error) {
+	if pk.Version == 6 {
+		// Implementations MUST NOT accept or generate version 6 key material using the deprecated OIDs.
+		return errors.StructuralError("cannot generate v6 key with deprecated algorithm: EdDSALegacy")
+	}
+
 	pk.oid = new(encoding.OID)
 	if _, err = pk.oid.ReadFrom(r); err != nil {
 		return

openpgp/v2/key_generation.go

@@ -83,7 +83,9 @@ func newEntity(uid *userIdData, config *packet.Config) (*Entity, error) {
 	}
 	primary := packet.NewSignerPrivateKey(creationTime, primaryPrivRaw)
 	if config.V6() {
-		primary.UpgradeToV6()
+		if err := primary.UpgradeToV6(); err != nil {
+			return nil, err
+		}
 	}
 
 	keyProperties := selectKeyProperties(creationTime, config, primary)
@@ -259,7 +261,9 @@ func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 	sub.IsSubkey = true
 	// Every subkey for a v6 primary key MUST be a v6 subkey.
 	if e.PrimaryKey.Version == 6 {
-		sub.UpgradeToV6()
+		if err := sub.UpgradeToV6(); err != nil {
+			return err
+		}
 	}
 
 	subkey := Subkey{
@@ -308,7 +312,9 @@ func (e *Entity) addEncryptionSubkey(config *packet.Config, creationTime time.Ti
 	sub.IsSubkey = true
 	// Every subkey for a v6 primary key MUST be a v6 subkey.
 	if e.PrimaryKey.Version == 6 {
-		sub.UpgradeToV6()
+		if err := sub.UpgradeToV6(); err != nil {
+			return err
+		}
 	}
 
 	subkey := Subkey{

openpgp/v2/keys_test_data.go

@@ -536,3 +536,20 @@ VppQxdtxPvAA/34snHBX7Twnip1nMt7P4e2hDiw/hwQ7oqioOvc6jMkP
 =Z8YJ
 -----END PGP PRIVATE KEY BLOCK-----
 `
+
+const LegacyECCKeyV6 = `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xVoGZtnEsRYAAAAtCSsGAQQB2kcPAQEHQJ8u3Y3xhq7vDoYgyIjhniUavG9lhqqn
+eoQLj08i1UyCAAEAnZMljJWA74axuVNrL6uhyBLGCwypSeWCXBRqKzR4yjzCswYf
+FgoAAABBBQJm2cSxAhsDAh4JCAsJCAcKDQwLBRUKCQgLAhYCIiEG6/BxiEOhwOXw
+t2eAShAq9G0keONgsN0KdQSyvNnuD3YAAAAAFEcgEheAMaYvmoAP4UKwK0hOPtFC
+wnuf7v+O9tpko93/9GQA9Am6sr0XTsa8RDRc49lm5k2WYwGx5yk2JgsFLX26RJAA
+/j0NorcLtTCV/uejDw26ZsWg2kF69ovLed4wF26iCaAHx18GZtnEsRIAAAAyCisG
+AQQBl1UBBQEBB0DavdPV3M/mAO5/IkYVdHu006uVFO3eIuZ2ffJPoe5KGQMBCAcA
+AP9V2OXFg/QewXMGMNol6S1DUbKhGuyKEK0hrmzUz224qMKZBhgWCAAAACwFAmbZ
+xLECGwwiIQbr8HGIQ6HA5fC3Z4BKECr0bSR442Cw3Qp1BLK82e4PdgAAAAoJEOvw
+cYhDocDl37EQls/BpUt572AJX8ZBqbsycgD/QfCjSRcPHelHFHkaAHMzXscDBaUS
+jiCm2KiM+33wOYYA/2Hu4xmHg7wN2prRcB4+2qkUIdEzMyFs5TYcOU7Hst0N
+=pm0Y
+-----END PGP PRIVATE KEY BLOCK-----
+`

openpgp/v2/keys_v6_test.go

@@ -224,3 +224,21 @@ func TestKeyGenerationHighSecurityLevel(t *testing.T) {
 	}
 
 }
+
+func TestKeyGenLegacyECC(t *testing.T) {
+	c := &packet.Config{
+		V6Keys:    true,
+		Algorithm: packet.PubKeyAlgoEdDSA,
+	}
+	_, err := NewEntity("V6 Key Owner", "V6 Key", "[email protected]", c)
+	if err == nil {
+		t.Fatal("should not be able to generate v6 keys with legacy OIDs")
+	}
+}
+
+func TestReadLegacyECC(t *testing.T) {
+	_, err := ReadArmoredKeyRing(strings.NewReader(LegacyECCKeyV6))
+	if err == nil {
+		t.Fatal("should not be able to read v6 legacy ECC key")
+	}
+}