Updates the parsing and serialization methods to support v6 keys.
Adds the AEAD s2k type for secret key encryption but does not implement the feature
yet.

This change implements the necessary updates for parsing and serializing v6 signature
packets. Further it implements the v6 signature salt. V6 signatures require that a salt is
prepended to the signing content before creating the signature hash. In this commit, we
add this feature, which requires a change in the API for signing content.
The Sign API takes an externally created hasher object as an argument to sign.
To ensure that the salt is hashed before the conten in v6 singatures, we introduce a
PrepareSignature method that creates a hasher object with prepended salt.

This commit introduces support for direct-key signatures and ensures that version 6 keys
store their properties in it. Instead of calling PrimaryIdentity to access a keys properties,
one should now call PrimarySelfSignature to get the primary self-signature of a key.

This commit implements version 6 one-pass-signatures. Further, it updates the read/write
API to support v6 signatures with salt and fingerprints.

This change removes armor checksums and removes checks accordingly.

All these constants should have the type
SignatureType and not int.

The OpenPGP crypto refresh allows to encrypt secret keys with AEAD encryption.
In this commit, we add AEAD secret key encryption and the addtional HKDF step in
key derivation. The packet.Config contains a new field to configure the type of secret
key encryption.

…ersion

The aead secret key encrypton mode is now enabled by setting the aead config in config.

Added a test case for v6 Argon2-AEAD encrypted secret keys, which was
freshly included in the crypto refresh rfc:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/274

This commit, updates the cleartext signature api to support v6 signatures.
Cleartext messages with v6 signatures require a new header, which specifies
the used hash function in combination with the used salt. It now checks that the
salt and hash matches with the contained v6 signature.

This commit ensures that cleatext messages with v6 signatures
contain a salted hash header with the matching hash and salt.
Allows for both v4 and v6 signatures in the same message with mixed headers.

…gnatures

Ensures that a v6 key contains a valid direct-key signature for the primary key
that stores its properties. On parsing a v6 key, the newest direct-key signature
is selected and checked for validity while other signatures are stored but ignored.

This commit changes the PKESK parsing and serialization methods to the
updated encodings of x25519 and x488 ciphertexts for v3 PKESK. Instead
of encoding the symmetric key algorithm in the ciphertext with padding, the
symmetric key algorithm is now encoded unencrypted.
Further, the commit refactors the checksum handling and enforces AES with v3 PKESK
for the above algorithms.

One-pass-signature parsing now directly returns an error if an unsuported
version is parsed.

Addresses #107.

The input to the HKDF function now includes the ephemeral public key and
the recipient public key as described in the latest version of the crypto refresh.
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/278

When forming ASCII Armor, the CRC24 footer should not be generated according
to the crypto refresh. However, due to a compatibility issue with GnuPG, we
generate them for now and pospone the removal to version 2 of go-crypto.

Fixes an issue in EncryptPrivateKeys, where the hkdf was applied
to the last hkdf derived key instead of the s2k dervided key.

Adds a testcase for the following crypto refresh test vector:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/302

This commit updates PKESKv6 serialization/parsing to the newest version
of the standart, see:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/304

This commit updates the serialization/parse methods of one-pass signature packets
to the latest updated version of the crypto refresh. See:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/305

The salted hash header in cleartext messages was removed from the crypto refresh:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/313
This commit adds the following changes to cleartext messages:
- removes the salted hash header logic
- only produces ''Hash" headers if no v6 signatures are present
- ignores any parsed headers in signature verification

… hashed area in v6

… match

In the case that no signature canidate verifies successfuly, the md.SignatureError should
not point to the last candidate error in the list but rather to the last candidate error with a key match (if any).

This commit adds an EncryptionTime time field to the EncryptParams struct.
If provided in encryption, it overrides the time for key selection. It allows to
disable expiration ckecks by setting the time to zero.

Implementations MUST NOT accept or generate v6 key material using the deprecated OIDs.

…ning algorithms

…arnings

Co-authored-by: Aron Wussler <[email protected]>