Bump openpgp from 5.0.1 to 5.1.0

[dependabot]

Bumps openpgp from 5.0.1 to 5.1.0.

Release notes

Sourced from openpgp's releases.

v5.1.0

• Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys (#1445)

  Implement optional constant-time decryption flow to hinder Bleichenbacher-like attacks against RSA- and ElGamal public-key encrypted session keys.

  Changes:

  • Add config.constantTimePKCS1Decryption to enable the constant-time processing (defaults to false). The constant-time option is off by default since it has measurable performance impact on message decryption, and it is only helpful in specific application scenarios (more info below).
  • Add config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms (defaults to the AES algorithms). The set of supported ciphers is restricted by default since the number of algorithms negatively affects performance.

  Bleichenbacher-like attacks are of concern for applications where both of the following conditions are met:

  1. New/incoming messages are automatically decrypted (without user interaction);
  2. An attacker can determine how long it takes to decrypt each message (e.g. due to decryption errors being logged remotely).

• Check key requirements in PrivateKey.addSubkey() (#1423)

  Breaking change: when generating new subkeys through key.addSubkey(), we now check config.rejectCurves and prevent adding subkeys using the corresponding curves. By default, config.rejectCurves includes the brainpool curves (brainpoolP256r1, brainpoolP384r1, brainpoolP512r1) and the Bitcoin curve (secp256k1).

  This is a follow up to #1395, which introduced the same check to openpgp.generateKey.

• Initial Deno support (#1448)

• Replace strings with integer algorithm identifiers in packet classes (#1410)

  In several packet classes, we used to store string identifiers for public-key, aead, cipher or hash algorithms. To make the code consistent and to avoid having to convert to/from string values, we now always store integer values instead, e.g. enums.symmetric.aes128 is used instead of 'aes128'.

  This is not expected to be a breaking change for most library users. Note that the type of Key.getAlgorithmInfo() and of the session key objects returned and accepted by top-level functions remain unchanged.

  Affected classes (type changes for some properties and method's arguments):

  • PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket
  • SymEncryptedIntegrityProtectedDataPacket, AEADEncryptedDataPacket, SymmetricallyEncryptedDataPacket
  • LiteralDataPacket, CompressedDataPacket
  • PublicKeyEncryptedSessionKey, SymEncryptedSessionKeyPacket
  • SignaturePacket

  Other potentially breaking changes:

  • Removed property AEADEncryptedDataPacket.aeadAlgo, since it was redudant given .aeadAlgorithm.
  • Renamed AEADEncryptedDataPacket.cipherAlgo -> .cipherAlgorithm

• CI: create annotations on performance regression warnings/errors (#1441)

• CI: use Node v16 instead of v15

• Update documentation link (#1455)

• Rename master branch to main

Commits

• bd13edf 5.1.0
• 22a6887 Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys ...
• a6c8491 Update documentation link (#1455)
• ce5174d Initial Deno support (#1448)
• d6139da CI: use Node v16 instead of v15
• 6fc005f Check key requirements in PrivateKey.addSubkey() (#1423)
• 2894b35 Create CNAME
• 9e547bf Rename master branch to main
• 6da1c53 Replace strings with integer algorithm identifiers in packet classes (#1410)
• 03fa68d CI: create annotations on performance regression warnings/errors (#1441)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Codecov Report

Merging #120 (1dac7f1) into master (2d28688) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #120   +/-   ##
=======================================
  Coverage   81.30%   81.30%           
=======================================
  Files           3        3           
  Lines         107      107           
  Branches       23       23           
=======================================
  Hits           87       87           
  Misses         11       11           
  Partials        9        9           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2d28688...1dac7f1. Read the comment docs.