This documents the implementation status of various standards in Sequoia as of 2024-10-02 . Sequoia has not been audited yet, due to a lack of funding.
Please also see the OpenPGP Interoperability Test Suite for an automated assessment of Sequoia’s and other implementations’ capabilities and how compatible they are.
This document does not describe the status of high-level features like smartcard support. See the individual projects on Gitlab or on GitHub for those details.
OpenPGP
RFC4880bis-06 | RFC4880 | Content | Status | Notes |
---|---|---|---|---|
2 | 2 | General functions | ✓ | |
2.1 | 2.1 | Confidentiality via Encryption | ✓ | |
2.2 | 2.2 | Authentication via Digital Signature | ✓ | |
2.3 | 2.3 | Compression | ✓ | See below for supported algorithms. |
2.4 | 2.4 | Conversion to Radix-64 | ✓ | |
2.5 | 2.5 | Signature-Only Applications | ✓ | |
3.2 | 3.2 | Multiprecision Integers | ✓ | |
3.3 | 3.3 | Key IDs | ✓ | |
3.6 | 3.6 | Keyrings | ✓ | |
3.7.1 | 3.7.1 | String-to-Key (S2K) Specifier Types | ✓ | |
3.7.2 | 3.7.2 | String-to-Key Usage | ✓ | |
4.2.1 | 4.2.1 | Old Format Packet Lengths | ✓ | |
4.2.2 | 4.2.2 | New Format Packet Lengths | ✓ | |
4.3 | 4.3 | Packet Tags | ✓ | |
5.1 | 5.1 | Public-Key Encrypted Session Key Packets (Tag 1) | ✓ | |
5.2.1 | 5.2.1 | Signature Types | ✓ | |
5.2.2 | 5.2.2 | Version 3 Signature Packet Format | ✓ | Since sequoia-openpgp 1.11.0. |
5.2.3 | 5.2.3 | Version 4 Signature Packet Format | ✓ | |
5.2.3 | Version 5 Signature Packet Format | ✗ | ||
5.2.3.1 | 5.2.3.1 | Signature Subpacket Specification | ✓ | |
5.2.3.4 | 5.2.3.4 | Signature Creation Time | ✓ | |
5.2.3.5 | 5.2.3.5 | Issuer | ✓ | |
5.2.3.6 | 5.2.3.6 | Key Expiration Time | ✓ | |
5.2.3.7 | 5.2.3.7 | Preferred Symmetric Algorithms | ✓ | |
5.2.3.8 | Preferred AEAD Algorithms | ✓ | ||
5.2.3.9 | 5.2.3.8 | Preferred Hash Algorithms | ✓ | |
5.2.3.10 | 5.2.3.9 | Preferred Compression Algorithms | ✓ | |
5.2.3.11 | 5.2.3.10 | Signature Expiration Time | ✓ | |
5.2.3.12 | 5.2.3.11 | Exportable Certification | ✓ | |
5.2.3.13 | 5.2.3.12 | Revocable | ✓ | |
5.2.3.14 | 5.2.3.13 | Trust Signature | ✓ | |
5.2.3.15 | 5.2.3.14 | Regular Expression | ✓ | |
5.2.3.16 | 5.2.3.15 | Revocation Key | ✓ | |
5.2.3.17 | 5.2.3.16 | Notation Data | ✓ | |
5.2.3.17.1 | The ‘charset’ Notation | |||
5.2.3.17.2 | The ‘manu’ Notation | |||
5.2.3.17.3 | The ‘make’ Notation | |||
5.2.3.17.4 | The ‘model’ Notation | |||
5.2.3.17.5 | The ‘prodid’ Notation | |||
5.2.3.17.6 | The ‘pvers’ Notation | |||
5.2.3.17.7 | The ’lot’ Notation | |||
5.2.3.17.8 | The ‘qty’ Notation | |||
5.2.3.17.9 | The ’loc’ and ‘dest’ Notations | |||
5.2.3.17.10 | The ‘hash’ Notation | |||
5.2.3.18 | 5.2.3.17 | Key Server Preferences | ✓ | |
5.2.3.19 | 5.2.3.18 | Preferred Key Server | ✓ | |
5.2.3.20 | 5.2.3.19 | Primary User ID | ✓ | |
5.2.3.21 | 5.2.3.20 | Policy URI | ✓ | |
5.2.3.22 | 5.2.3.21 | Key Flags | ✓ | |
5.2.3.23 | 5.2.3.22 | Signer’s User ID | ✓ | |
5.2.3.24 | 5.2.3.23 | Reason for Revocation | ✓ | |
5.2.3.25 | 5.2.3.24 | Features | ✓ | |
5.2.3.26 | 5.2.3.25 | Signature Target | ✓ | |
5.2.3.27 | 5.2.3.26 | Embedded Signature | ✓ | |
5.2.3.28 | Issuer Fingerprint | ✓ | ||
Intended Recipient | ✓ | Proposed. | ||
5.2.4 | 5.2.4 | Computing Signatures | ✓ | |
5.3 | 5.3 | Symmetric-Key Encrypted Session Key Packets (Tag 3) V4 | ✓ | |
5.3 | Symmetric-Key Encrypted Session Key Packets (Tag 3) V5 | ✓ | ||
5.4 | 5.4 | One-Pass Signature Packets (Tag 4) | ✓ | |
5.5.2 | 5.5.2 | Public-Key Packet Format V2 | ✗ | Obsolete. |
5.5.2 | 5.5.2 | Public-Key Packet Format V3 | ✗ | Obsolete. |
5.5.2 | 5.5.2 | Public-Key Packet Format V4 | ✓ | |
5.5.2 | Public-Key Packet Format V5 | ✗ | ||
5.5.3 | 5.5.3 | Secret-Key Packet Format V2 | ✗ | Obsolete. |
5.5.3 | 5.5.3 | Secret-Key Packet Format V3 | ✗ | Obsolete. |
5.5.3 | 5.5.3 | Secret-Key Packet Format V4 | ✓ | |
5.5.3 | Secret-Key Packet Format V5 | ✗ | ||
5.6.1 | Algorithm-Specific Part for RSA Keys | ✓ | ||
5.6.2 | Algorithm-Specific Part for DSA Keys | ✓ | ||
5.6.3 | Algorithm-Specific Part for Elgamal Keys | ✓ | ||
5.6.4 | Algorithm-Specific Part for ECDSA Keys | ✓ | ||
5.6.5 | Algorithm-Specific Part for EdDSA Keys | ✓ | ||
5.6.6 | Algorithm-Specific Part for ECDH Keys | ✓ | ||
5.7 | 5.6 | Compressed Data Packet (Tag 8) | ✓ | |
5.8 | 5.7 | Symmetrically Encrypted Data Packet (Tag 9) | ✗ | Insecure. |
5.9 | 5.8 | Marker Packet (Obsolete Literal Packet) (Tag 10) | ✓ | |
5.10 | 5.9 | Literal Data Packet (Tag 11) | ✓ | |
5.11 | 5.10 | Trust Packet (Tag 12) | ✓ | Implementation defined. |
5.12 | 5.11 | User ID Packet (Tag 13) | ✓ | |
5.13 | 5.12 | User Attribute Packet (Tag 17) | ✓ | |
5.13.1 | 5.12.1 | The Image Attribute Subpacket | ✓ | |
5.13.2 | User ID Attribute Subpacket | ✗ | ||
5.14 | 5.13 | Sym. Encrypted Integrity Protected Data Packet (Tag 18) | ✓ | |
5.15 | 5.14 | Modification Detection Code Packet (Tag 19) | ✓ | |
5.16 | AEAD Encrypted Data Packet (Tag 20) | ✓ | ||
5.16.1 | EAX Mode | ✓ | ||
5.16.2 | OCB Mode | ✗ | ||
6.2 | 6.2 | Forming ASCII Armor | ✓ | |
7 | 7 | Cleartext Signature Framework | ✓ | |
8 | 8 | Regular Expressions | ✓ | |
9.1 | 9.1 | Public-Key Algorithms | ✓ | See below for supported algorithms. |
9.2 | ECC Curve OID | ✓ | See below for supported algorithms. | |
9.3 | 9.2 | Symmetric-Key Algorithms | ✓ | See below for supported algorithms. |
9.4 | 9.3 | Compression Algorithms | ✓ | See below for supported algorithms. |
9.5 | 9.4 | Hash Algorithms | ✓ | See below for supported algorithms. |
9.6 | AEAD Algorithms | ✓ | See below for supported algorithms. | |
11 | 11 | Packet Composition | ✓ | |
11.1 | 11.1 | Transferable Public Keys | ✓ | We use a formal grammar. |
11.2 | 11.2 | Transferable Secret Keys | ✓ | We use a formal grammar. |
11.3 | 11.3 | OpenPGP Messages | ✓ | We use a formal grammar. |
11.4 | 11.4 | Detached Signatures | ✓ | |
12.1 | 12.1 | Key Structures V3 | ✗ | Obsolete. |
12.1 | 12.1 | Key Structures V4 | ✓ | |
12.2 | 12.2 | Key IDs and Fingerprints V3 | ✗ | Obsolete. |
12.2 | 12.2 | Key IDs and Fingerprints V4 | ✓ | |
12.2 | Key IDs and Fingerprints V5 | ✗ | ||
13 | Elliptic Curve Cryptography | ✓ | ||
13.1 | Supported ECC Curves | ∂ | See below for supported algorithms. | |
13.2 | ECDSA and ECDH Conversion Primitives | ✓ | ||
13.3 | EdDSA Point Format | ✓ | ||
13.4 | Key Derivation Function | ✓ | ||
13.5 | EC DH Algorithm (ECDH) | ✓ |
Algorithms
We gracefully handle unknown algorithms during parsing and serialization even if we do not support them. This is important for roundtripping OpenPGP packets.
What algorithms are supported by Sequoia depends on the cryptographic backend selected at compile time. Currently, the following backends are available:
- Nettle: Using the Nettle cryptographic library
- OpenSSL: Using the OpenSSL cryptographic library
- Botan: Using the Botan cryptographic library
- CNG: Using Windows’ Cryptography API: Next Generation (only available on Windows)
- RustCrypto: Using cryptographic algorithms implemented in pure Rust
Public-Key Algorithms
ID | Algorithm | Nettle | OpenSSL | Botan | CNG | RustCrypto | Notes |
---|---|---|---|---|---|---|---|
1 | RSA (Encrypt or Sign) | ✓ | ✓ | ✓ | ✓ | ✓ | |
2 | RSA Encrypt-Only | ✓ | ✓ | ✓ | ✓ | ✓ | |
3 | RSA Sign-Only | ✓ | ✓ | ✓ | ✓ | ✓ | |
16 | Elgamal (Encrypt-Only) | ✗ | ✗ | ✓ | ✗ | ✗ | |
17 | DSA (Digital Signature Algorithm) | ✓ | ✓ | ✓ | ✓ | ✗ | |
18 | ECDH public key algorithm | ✓ | ✓ | ✓ | ✓ | ✓ | See below for the supported curves. |
19 | ECDSA public key algorithm | ✓ | ✓ | ✓ | ✓ | ✓ | See below for the supported curves. |
20 | Reserved (formerly Elgamal Encrypt or Sign) | ✗ | ✗ | ✗ | ✗ | ✗ | Insecure. |
21 | Reserved for Diffie-Hellman (X9.42, as defined for IETF-S/MIME) | ✗ | ✗ | ✗ | ✗ | ✗ | |
22 | EdDSA | ✓ | ✓ | ✓ | ✓ | ✓ | See below for the supported curves. |
23 | Reserved for AEDH | ✗ | ✗ | ✗ | ✗ | ✗ | |
24 | Reserved for AEDSA | ✗ | ✗ | ✗ | ✗ | ✗ |
ECDH
Curve name | Nettle | OpenSSL | Botan | CNG | RustCrypto | Notes |
---|---|---|---|---|---|---|
NIST P-256 | ✓ | ✓ | ✓ | ✓ | ✓ | |
NIST P-384 | ✓ | ✓ | ✓ | ✓ | ✗ | |
NIST P-521 | ✓ | ✓ | ✓ | ✓ | ✗ | |
brainpoolP256r1 | ✗ | ✓ | ✓ | ✗ | ✗ | |
brainpoolP384r1 | ✗ | ✓ | ✓ | ✗ | ✗ | Missing from enum Curve
✗
|
brainpoolP512r1 | ✗ | ✓ | ✓ | ✗ | ✗ | |
Curve25519 | ✓ | ✓ | ✓ | ✓ | ✓ |
ECDSA
Curve name | Nettle | OpenSSL | Botan | CNG | RustCrypto | Notes |
---|---|---|---|---|---|---|
NIST P-256 | ✓ | ✓ | ✓ | ✓ | ✓ | |
NIST P-384 | ✓ | ✓ | ✓ | ✓ | ✗ | |
NIST P-521 | ✓ | ✓ | ✓ | ✓ | ✗ | |
brainpoolP256r1 | ✗ | ✓ | ✓ | ✗ | ✗ | |
brainpoolP384r1 | ✗ | ✓ | ✓ | ✗ | ✗ | Missing from enum Curve
✗
|
brainpoolP512r1 | ✗ | ✓ | ✓ | ✗ | ✗ |
EdDSA
Curve name | Nettle | OpenSSL | Botan | CNG | RustCrypto | Notes |
---|---|---|---|---|---|---|
Ed25519 | ✓ | ✓ | ✓ | ✓ | ✓ | Implemented via ed25519-dalek when the CNG backend is selected. |
Symmetric-Key Algorithms
ID | Algorithm | Nettle | OpenSSL | Botan | CNG | RustCrypto | Notes |
---|---|---|---|---|---|---|---|
1 | IDEA | ✗ | ✗ | ✓ | ✗ | ✓ | |
2 | TripleDES (DES-EDE) | ✓ | ✓ | ✓ | ✓ | ✓ | |
3 | CAST5 (128 bit key) | ✓ | ✗ | ✓ | ✗ | ✓ | |
4 | Blowfish (128 bit key, 16 rounds) | ✓ | ✗ | ✓ | ✗ | ✓ | |
7 | AES with 128-bit key | ✓ | ✓ | ✓ | ✓ | ✓ | |
8 | AES with 192-bit key | ✓ | ✓ | ✓ | ✓ | ✓ | |
9 | AES with 256-bit key | ✓ | ✓ | ✓ | ✓ | ✓ | |
10 | Twofish with 256-bit key | ✓ | ✗ | ✓ | ✗ | ✓ | |
11 | Camellia with 128-bit key | ✓ | ✓ | ✓ | ✗ | ✗ | |
12 | Camellia with 192-bit key | ✓ | ✓ | ✓ | ✗ | ✗ | |
13 | Camellia with 256-bit key | ✓ | ✓ | ✓ | ✗ | ✗ |
Note: OpenSSL’s supported algorithms reflect the ones available in the system’s library. If system’s OpenSSL supports all algorithms in this table all of them will be exposed and available. Twofish is never available since OpenSSL does not support it.
Hash Algorithms
ID | Algorithm | Nettle | OpenSSL | Botan | CNG | RustCrypto | Notes |
---|---|---|---|---|---|---|---|
1 | MD5 | ✓ | ✓ | ✓ | ✓ | ✓ | See below. |
2 | SHA1 | ✓ | ✓ | ✓ | ✓ | ✓ | Replaced by SHA1CD. See below. |
3 | RIPEMD160 | ✓ | ✓ | ✓ | ✗ | ✓ | See below. |
8 | SHA2-256 | ✓ | ✓ | ✓ | ✓ | ✓ | |
9 | SHA2-384 | ✓ | ✓ | ✓ | ✓ | ✓ | |
10 | SHA2-512 | ✓ | ✓ | ✓ | ✓ | ✓ | |
11 | SHA2-224 | ✓ | ✓ | ✓ | ✗ | ✓ |
Weak algorithms are disallowed by default for contemporary messages by the StandardPolicy. Furthermore, Sequoia uses a modified version of SHA1 that mitigates known (and likely unknown attacks) on SHA1 called SHA1CD.
Compression Algorithms
Support for compression algorithms is independent of the selected cryptographic backend.
ID | Algorithm | Status | Notes |
---|---|---|---|
0 | Uncompressed | ✓ | |
1 | ZIP | ✓ | |
2 | ZLIB | ✓ | |
3 | BZip2 | ✓ |
Related Functionality
Streaming Operation
Safe processing of OpenPGP data requires streaming operation, which we support on all levels.
Public Key Store
Basic prototype exists. Supports refreshing keys in the background.
Key Server
Aspect | Status | Notes |
---|---|---|
HKP(S) get | ✓ | |
HKP(S) send | ✓ |
Web Key Directory
Aspect | Status | Notes |
---|---|---|
Querying (direct) | ✓ | |
Querying (advanced) | ✓ | |
Creating (direct) | ✓ | |
Creating (advanced) | ✓ |
Autocrypt
Aspect | Status | Notes |
---|---|---|
header parsing | ✓ | |
keygen V1 | ✓ | |
keygen V1.1 | ✓ | |
peer state | ✗ | |
header inject | ✗ | |
recommend | ✗ | |
encrypt | ✗ | |
setup message | ✓ | |
setup process | ✗ | |
gossip | ∂ | Parsing is supported. |
uid decorative | ✓ |