PQC: Implement draft RFC for ML-DSA with Ed25519

.github/.dependabot.yml

@@ -0,0 +1,29 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-name: "playwright"
+    versioning-strategy: increase
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    allow:
+      - dependency-name: "@noble*"
+      - dependency-name: "fflate"
+    versioning-strategy: increase
+    groups:
+      # Any packages matching the pattern @noble* where the highest resolvable
+      # version is minor or patch will be grouped together.
+      # Grouping rules apply to version updates only.
+      noble:
+        applies-to: version-updates
+        patterns:
+        - "@noble*"
+        update-types:
+        - "minor"
+        - "patch"

.github/test-suite/config.json.template

@@ -4,7 +4,8 @@
         "id": "sop-openpgpjs-branch",
         "path": "__SOP_OPENPGPJS__",
         "env": {
-          "OPENPGPJS_PATH": "__OPENPGPJS_BRANCH__"
+          "OPENPGPJS_PATH": "__OPENPGPJS_BRANCH__",
+          "OPENPGPJS_CUSTOM_PROFILES": "{\"generate-key\": { \"post-quantum\": { \"description\": \"generate post-quantum v6 keys (relying on ML-DSA + ML-KEM)\", \"options\": { \"type\": \"pqc\", \"config\": { \"v6Keys\": true } } } } }"
         }
       },
       {

.github/workflows/benchmark.yml

@@ -2,7 +2,7 @@ name: Performance Regression Test
 
 on:
   pull_request:
-    branches: [main, v6]
+    branches: [main]
 
 jobs:
   benchmark:

.github/workflows/docs.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
-    branches: [main, v6]
+    branches: [main]
 
 jobs:
   lint:

.github/workflows/sop-test-suite.yml

@@ -2,15 +2,15 @@ name: SOP interoperability test suite
 
 on:
   pull_request:
-    branches: [ main, v6 ]
+    branches: [ main ]
 
 jobs:
 
   test-suite:
     name: Run interoperability test suite
     runs-on: ubuntu-latest
     container: 
-      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.10
+      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.12
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}

.github/workflows/tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
-    branches: [main, v6]
+    branches: [main]
 
 jobs:
   build: # cache both dist and tests (non-lightweight only), based on commit hash
@@ -57,8 +57,15 @@ jobs:
 
   test-browsers-latest:
     name: Browsers (latest)
-    runs-on: ubuntu-latest
     needs: build
+    strategy:
+      fail-fast: false # if tests for one version fail, continue with the rest
+      matrix:
+        # run on all main platforms to test platform-specific code, if present
+        # (e.g. webkit's WebCrypto API implementation is different in macOS vs Linux)
+        # TODO: windows-latest fails to fetch resources from the wtr server; investigate if the problem is with path declaration or permissions
+        runner: ['ubuntu-latest', 'macos-latest']
+    runs-on: ${{ matrix.runner }}
 
     steps:
       - uses: actions/checkout@v4
@@ -79,17 +86,19 @@ jobs:
           npm pkg delete scripts.prepare
           npm ci
 
-      - name: Get Playwright version
+      - name: Get Playwright version and cache location
         id: playwright-version
         run: |
-          PLAYWRIGHT_VERSION=$(npm ls playwright | grep playwright | sed 's/.*@//')
+          PLAYWRIGHT_VERSION=$(npm ls playwright --depth=0 | grep playwright | sed 's/.*@//')
           echo "version=$PLAYWRIGHT_VERSION" >> $GITHUB_OUTPUT
+          PLAYWRIGHT_CACHE=${{ fromJSON('{"ubuntu-latest": "~/.cache/ms-playwright", "macos-latest": "~/Library/Caches/ms-playwright"}')[matrix.runner] }}
+          echo "playwright_cache=$PLAYWRIGHT_CACHE" >> $GITHUB_OUTPUT
       - name: Check for cached browsers
         id: cache-playwright-browsers
         uses: actions/cache@v4
         with:
-          path: ~/.cache/ms-playwright
-          key: playwright-browsers-${{ steps.playwright-version.outputs.version }}
+          path: ${{ steps.playwright-version.outputs.playwright_cache }}
+          key: playwright-browsers-${{ matrix.runner }}-${{ steps.playwright-version.outputs.version }}
       - name: Install browsers
         if: steps.cache-playwright-browsers.outputs.cache-hit != 'true'
         run: |
@@ -100,12 +109,12 @@ jobs:
         run: npx playwright install --with-deps webkit
 
       - name: Run browser tests
-        run: npm run test-browser
+        run: npm run test-browser:ci -- --static-logging
 
       - name: Run browser tests (lightweight) # overwrite test/lib
         run: |
           npm run build-test --lightweight
-          npm run test-browser
+          npm run test-browser:ci -- --static-logging
 
   test-browsers-compatibility:
     name: Browsers (older, on Browserstack)
@@ -119,6 +128,15 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
 
+      - name: Generate self-signed HTTPS certificates for web-test-runner server
+        uses: kofemann/[email protected]
+        with:
+          hostcert: '127.0.0.1.pem'
+          hostkey:  '127.0.0.1-key.pem'
+          cachain:  'ca-chain.pem'
+      - name: Adjust HTTPS certificates permissions
+        run: sudo chown runner:docker *.pem
+
       - name: Install dependencies
         run: npm ci --ignore-scripts
 
@@ -139,12 +157,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run browserstack tests
-        run: npm run test-browserstack
+        run: npm run test-browserstack -- --static-logging
 
       - name: Run browserstack tests (lightweight) # overwrite test/lib
         run: |
           npm run build-test --lightweight
-          npm run test-browserstack
+          npm run test-browserstack -- --static-logging
         env:
           LIGHTWEIGHT: true
 

README.md

@@ -1,7 +1,7 @@
-OpenPGP.js [![BrowserStack Status](https://automate.browserstack.com/badge.svg?badge_key=N1l2eHFOanVBMU9wYWxJM3ZnWERnc1lidkt5UkRqa3BralV3SWVhOGpGTT0tLVljSjE4Z3dzVmdiQjl6RWgxb2c3T2c9PQ==--5864052cd523f751b6b907d547ac9c4c5f88c8a3)](https://automate.browserstack.com/public-build/N1l2eHFOanVBMU9wYWxJM3ZnWERnc1lidkt5UkRqa3BralV3SWVhOGpGTT0tLVljSjE4Z3dzVmdiQjl6RWgxb2c3T2c9PQ==--5864052cd523f751b6b907d547ac9c4c5f88c8a3) [![Join the chat on Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/openpgpjs/openpgpjs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+OpenPGP.js [![Join the chat on Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/openpgpjs/openpgpjs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 ==========
 
-[OpenPGP.js](https://openpgpjs.org/) is a JavaScript implementation of the OpenPGP protocol. It implements the [crypto-refresh](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) (superseding [RFC4880](https://tools.ietf.org/html/rfc4880) and [RFC4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10)).
+[OpenPGP.js](https://openpgpjs.org/) is a JavaScript implementation of the OpenPGP protocol. It implements [RFC 9580](https://datatracker.ietf.org/doc/rfc9580/) (superseding [RFC 4880](https://tools.ietf.org/html/rfc4880) and [RFC 4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10)).
 
 **Table of Contents**
 
@@ -35,29 +35,35 @@ OpenPGP.js [![BrowserStack Status](https://automate.browserstack.com/badge.svg?b
 
 * The `dist/openpgp.min.js` (or `.mjs`) bundle works with recent versions of Chrome, Firefox, Edge and Safari 14+.
 
-* The `dist/node/openpgp.min.mjs` (or `.cjs`) bundle works in Node.js v18+: it is used by default when you `import ... from 'openpgp'` (resp. `require('openpgp')`).
-
-* Streaming support: the latest versions of Chrome, Firefox, Edge and Safari implement the
-[Streams specification](https://streams.spec.whatwg.org/), including `TransformStream`s.
-These are needed if you use the library with streamed inputs.
-In previous versions of OpenPGP.js, WebStreams were automatically polyfilled by the library,
-but from v6 this task is left up to the library user, due to the more extensive browser support, and the
-polyfilling side-effects. If you're working with [older browsers versions which do not implement e.g. TransformStreams](https://developer.mozilla.org/en-US/docs/Web/API/TransformStream), you can manually
-load [WebStream polyfill](https://github.com/MattiasBuelens/web-streams-polyfills).
-Please note that when you load the polyfills, the global `ReadableStream` property (if it exists) gets overwritten with the polyfill version.
-In some edge cases, you might need to use the native
-`ReadableStream` (for example when using it to create a `Response`
-object), in which case you should store a reference to it before loading
-the polyfills. There is also the [web-streams-adapter](https://github.com/MattiasBuelens/web-streams-adapter)
-library to convert back and forth between them.
+* The `dist/node/openpgp.min.mjs` (or `.cjs`) bundle works in Node.js v18+: it is used by default when you `import ... from 'openpgp'` (or `require('openpgp')`, respectively).
+
+* Support for the [Web Cryptography API](https://w3c.github.io/webcrypto/)'s `SubtleCrypto` is required.
+  * In browsers, `SubtleCrypto` is only available in [secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).
+  * In supported versions of Node.js, `SubtleCrypto` is always available.
+
+* Support for the [Web Streams API](https://streams.spec.whatwg.org/) is required.
+  * In browsers: the latest versions of Chrome, Firefox, Edge and Safari support Streams, including `TransformStream`s.
+    These are needed if you use the library with stream inputs.
+    In previous versions of OpenPGP.js, Web Streams were automatically polyfilled by the library,
+    but from v6 this task is left up to the library user, due to the more extensive browser support, and the
+    polyfilling side-effects. If you're working with [older browsers versions which do not implement e.g. TransformStreams](https://developer.mozilla.org/en-US/docs/Web/API/TransformStream#browser_compatibility), you can manually
+    load the [Web Streams polyfill](https://github.com/MattiasBuelens/web-streams-polyfills).
+    Please note that when you load the polyfills, the global `ReadableStream` property (if it exists) gets overwritten with the polyfill version.
+    In some edge cases, you might need to use the native
+    `ReadableStream` (for example when using it to create a `Response`
+    object), in which case you should store a reference to it before loading
+    the polyfills. There is also the [web-streams-adapter](https://github.com/MattiasBuelens/web-streams-adapter)
+    library to convert back and forth between them.
+  * In Node.js: OpenPGP.js v6 no longer supports native Node `Readable` streams in inputs, and instead expects (and outputs) [Node's Web Streams](https://nodejs.org/api/webstreams.html#class-readablestream). [Node v17+ includes utilities to convert from and to Web Streams](https://nodejs.org/api/stream.html#streamreadabletowebstreamreadable-options).
+
 
 ### Performance
 
-* Version 3.0.0 of the library introduces support for public-key cryptography using [elliptic curves](https://wiki.gnupg.org/ECC). We use native implementations on browsers and Node.js when available. Elliptic curve cryptography provides stronger security per bits of key, which allows for much faster operations. Currently the following curves are supported:
+* Version 3.0.0 of the library introduced support for public-key cryptography using [elliptic curves](https://wiki.gnupg.org/ECC). We use native implementations on browsers and Node.js when available. Compared to RSA, elliptic curve cryptography provides stronger security per bits of key, which allows for much faster operations. Currently the following curves are supported:
 
     | Curve           | Encryption | Signature | NodeCrypto | WebCrypto | Constant-Time     |
     |:---------------:|:----------:|:---------:|:----------:|:---------:|:-----------------:|
-    | curve25519      | ECDH       | N/A       | No         | Yes*      | If native**      |
+    | curve25519      | ECDH       | N/A       | No         | No        | Algorithmically  |
     | ed25519         | N/A        | EdDSA     | No         | Yes*      | If native**      |
     | nistP256        | ECDH       | ECDSA     | Yes*       | Yes*      | If native**      |
     | nistP384        | ECDH       | ECDSA     | Yes*       | Yes*      | If native**      |
@@ -67,25 +73,22 @@ library to convert back and forth between them.
     | brainpoolP512r1 | ECDH       | ECDSA     | Yes*       | No        | If native**      |
     | secp256k1       | ECDH       | ECDSA     | Yes*       | No        | If native**      |
 
-   \* when available
+   \* when available  
    \** these curves are only constant-time if the underlying native implementation is available and constant-time
 
-* If the user's browser supports [native WebCrypto](https://caniuse.com/#feat=cryptography) via the `window.crypto.subtle` API, this will be used. Under Node.js the native [crypto module](https://nodejs.org/api/crypto.html#crypto_crypto) is used.
+* The platform's [native Web Crypto API](https://w3c.github.io/webcrypto/) is used for performance. On Node.js the native [crypto module](https://nodejs.org/api/crypto.html#crypto_crypto) is also used, in cases where it offers additional functionality.
 
-* The library implements authenticated encryption (AEAD) as per the ["crypto refresh" draft standard](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) using AES-OCB, EAX, or GCM. This makes symmetric encryption faster on platforms with native implementations. However, since the specification is very recent and other OpenPGP implementations are in the process of adopting it, the feature is currently behind a flag. **Note: activating this setting can break compatibility with other OpenPGP implementations which have yet to implement the feature.** You can enable it by setting `openpgp.config.aeadProtect = true`.
-Note that this setting has a different effect from the one in OpenPGP.js v6, which implemented support for a provisional version of AEAD from [RFC4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10), which was modified in a later draft of the crypto refresh.
+* The library implements authenticated encryption (AEAD) as per [RFC 9580](https://datatracker.ietf.org/doc/rfc9580/) using AES-GCM, OCB, or EAX. This makes symmetric encryption faster on platforms with native implementations. However, since the specification is very recent and other OpenPGP implementations are in the process of adopting it, the feature is currently behind a flag. **Note: activating this setting can break compatibility with other OpenPGP implementations which have yet to implement the feature.** You can enable it by setting `openpgp.config.aeadProtect = true`.
+  Note that this setting has a different effect from the one in OpenPGP.js v5, which implemented support for a provisional version of AEAD from [RFC 4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10), which was modified in RFC 9580.
 
   You can change the AEAD mode by setting one of the following options:
 
   ```
-  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.ocb; // Default (widest ecosystem support), non-native
-  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.gcm; // Native in WebCrypto and Node.js
+  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.gcm; // Default, native in WebCrypto and Node.js
+  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.ocb; // Non-native, but supported across RFC 9580 implementations
   openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.eax; // Native in Node.js
   ```
 
-* For environments that don't provide native crypto, the library falls back to [asm.js](https://caniuse.com/#feat=asmjs) AES and AEAD implementations.
-
-
 ### Getting started
 
 #### Node.js
@@ -386,14 +389,8 @@ Where the value can be any of:
 })();
 ```
 
-For more information on using ReadableStreams, see [the MDN Documentation on the
-Streams API](https://developer.mozilla.org/en-US/docs/Web/API/Streams_API).
-
-You can also pass a [Node.js `Readable`
-stream](https://nodejs.org/api/stream.html#stream_class_stream_readable), in
-which case OpenPGP.js will return a Node.js `Readable` stream as well, which you
-can `.pipe()` to a `Writable` stream, for example.
-
+For more information on using ReadableStreams (both in browsers and Node.js), see [the MDN Documentation on the
+Streams API](https://developer.mozilla.org/en-US/docs/Web/API/Streams_API) .
 
 #### Streaming encrypt and decrypt *String* data with PGP keys
 
@@ -667,7 +664,7 @@ To create your own build of the library, just run the following command after cl
 
     npm install && npm test
 
-For debugging browser errors, you can run `npm start` and open [`http://localhost:8080/test/unittests.html`](http://localhost:8080/test/unittests.html) in a browser, or run the following command:
+For debugging browser errors, run the following command:
 
     npm run browsertest