OpenPGP interoperability test suite

These are the results of running the OpenPGP interoperability test suite version 0.1.0 (5f33e85) on 2021-05-10T16:27.

This test suite has been very successful in identifying problems in many OpenPGP implementations. If you want to see your implementation included in these results, please implement the Stateless OpenPGP Command Line Interface and open an issue in our tracker. Note: The implementation doesn't have to be complete to be useful.

Test Results

Asymmetric Encryption

Encrypt-Decrypt roundtrip with key 'Alice'

Encrypt-Decrypt roundtrip using the 'Alice' key from draft-bre-openpgp-samples-00.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Encrypt-Decrypt roundtrip with key 'Bob'

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Recipient IDs

Tests variations of recipient ids.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Encryption subkey's KeyID
Base case
Wildcard KeyID
Interoperability concern
Certificate KeyID
Fictitious KeyID

Symmetric Encryption

Symmetric Encryption Algorithm support

This tests support for the different symmetric encryption algorithms using Sequoia to generate the artifacts.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
IDEA
TripleDES
CAST5
Blowfish
AES128
AES-128 is a MUST according to RFC4880bis8.
AES192
AES should be supported
AES256
AES should be supported
Twofish
Camellia128
Camellia192
Camellia256
Unencrypted
Unencrypted cipher must not be used

Encrypt-Decrypt roundtrip with key 'Bob', IDEA

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [IDEA].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Algorithm should be avoided.
dkg/1.2.0
Algorithm should be avoided.
GopenPGP/v2.1.1
Algorithm should be avoided.
OpenPGP.js/v4.10.10
Algorithm should be avoided.
PGPainlessCLI/0.2.0-alpha10
Algorithm should be avoided.
RNP/0.0.0+git20210301.ffcfb63
Algorithm should be avoided.
SOPGPy/0.1.0/0.5.3
Algorithm should be avoided.
GPGME/2.3.0
Algorithm should be avoided.
GPGME/2.2.27
Algorithm should be avoided.
GPGME/1.4.23
Algorithm should be avoided.

Encrypt-Decrypt roundtrip with key 'Bob', TripleDES

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [TripleDES].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23

Encrypt-Decrypt roundtrip with key 'Bob', CAST5

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [CAST5].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Algorithm should be avoided.
dkg/1.2.0
Algorithm should be avoided.
GopenPGP/v2.1.1
Algorithm should be avoided.
OpenPGP.js/v4.10.10
Algorithm should be avoided.
PGPainlessCLI/0.2.0-alpha10
Algorithm should be avoided.
RNP/0.0.0+git20210301.ffcfb63
Algorithm should be avoided.
SOPGPy/0.1.0/0.5.3
Algorithm should be avoided.
GPGME/2.3.0
Algorithm should be avoided.
GPGME/2.2.27
Algorithm should be avoided.
GPGME/1.4.23
Algorithm should be avoided.

Encrypt-Decrypt roundtrip with key 'Bob', Blowfish

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [Blowfish].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Encrypt-Decrypt roundtrip with key 'Bob', AES128

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [AES128].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
AES-128 is a MUST according to RFC4880bis8.
dkg/1.2.0
AES-128 is a MUST according to RFC4880bis8.
GopenPGP/v2.1.1
AES-128 is a MUST according to RFC4880bis8.
OpenPGP.js/v4.10.10
AES-128 is a MUST according to RFC4880bis8.
PGPainlessCLI/0.2.0-alpha10
AES-128 is a MUST according to RFC4880bis8.
RNP/0.0.0+git20210301.ffcfb63
AES-128 is a MUST according to RFC4880bis8.
SOPGPy/0.1.0/0.5.3
AES-128 is a MUST according to RFC4880bis8.
GPGME/2.3.0
AES-128 is a MUST according to RFC4880bis8.
GPGME/2.2.27
AES-128 is a MUST according to RFC4880bis8.
GPGME/1.4.23
AES-128 is a MUST according to RFC4880bis8.

Encrypt-Decrypt roundtrip with key 'Bob', AES192

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [AES192].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
AES should be supported
dkg/1.2.0
AES should be supported
GopenPGP/v2.1.1
AES should be supported
OpenPGP.js/v4.10.10
AES should be supported
PGPainlessCLI/0.2.0-alpha10
AES should be supported
RNP/0.0.0+git20210301.ffcfb63
AES should be supported
SOPGPy/0.1.0/0.5.3
AES should be supported
GPGME/2.3.0
AES should be supported
GPGME/2.2.27
AES should be supported
GPGME/1.4.23
AES should be supported

Encrypt-Decrypt roundtrip with key 'Bob', AES256

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [AES256].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
AES should be supported
dkg/1.2.0
AES should be supported
GopenPGP/v2.1.1
AES should be supported
OpenPGP.js/v4.10.10
AES should be supported
PGPainlessCLI/0.2.0-alpha10
AES should be supported
RNP/0.0.0+git20210301.ffcfb63
AES should be supported
SOPGPy/0.1.0/0.5.3
AES should be supported
GPGME/2.3.0
AES should be supported
GPGME/2.2.27
AES should be supported
GPGME/1.4.23
AES should be supported

Encrypt-Decrypt roundtrip with key 'Bob', Twofish

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [Twofish].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Encrypt-Decrypt roundtrip with key 'Bob', Camellia128

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [Camellia128].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Encrypt-Decrypt roundtrip with key 'Bob', Camellia192

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [Camellia192].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Encrypt-Decrypt roundtrip with key 'Bob', Camellia256

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [Camellia256].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Encrypt-Decrypt roundtrip with key 'Bob', EAX

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [AES256], AEAD algorithm preference [EAX].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
EAX is a MUST according to RFC4880bis8.
dkg/1.2.0
EAX is a MUST according to RFC4880bis8.
GopenPGP/v2.1.1
EAX is a MUST according to RFC4880bis8.
OpenPGP.js/v4.10.10
EAX is a MUST according to RFC4880bis8.
PGPainlessCLI/0.2.0-alpha10
EAX is a MUST according to RFC4880bis8.
RNP/0.0.0+git20210301.ffcfb63
EAX is a MUST according to RFC4880bis8.
SOPGPy/0.1.0/0.5.3
EAX is a MUST according to RFC4880bis8.
GPGME/2.3.0
EAX is a MUST according to RFC4880bis8.
GPGME/2.2.27
EAX is a MUST according to RFC4880bis8.
GPGME/1.4.23
EAX is a MUST according to RFC4880bis8.

Encrypt-Decrypt roundtrip with key 'Bob', OCB

Encrypt-Decrypt roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the symmetric algorithm preference [AES256], AEAD algorithm preference [OCB].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

SEIP packet support

This tests support for the Symmetrically Encrypted Integrity Protected Data Packet (Tag 18) and verifies that modifications to the ciphertext are detected. To avoid creating a decryption oracle, implementations must respond with a uniform error message to tampering.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
SEIP is a MUST according to RFC4880.
Missing MDC
Missing MDC must abort processing.
Downgrade to SED
Security concern: Downgrade must be prevented.
Tampered ciphertext
Security concern: Tampering must be prevented.
Tampered MDC
Security concern: Tampering must be prevented.
Truncated MDC
Security concern: Tampering must be prevented.
MDC with bad CTB
Security concern: Tampering must be prevented.
MDC with bad length
Security concern: Tampering must be prevented.

Detached Signatures

Detached Sign-Verify roundtrip with key 'Alice'

Detached Sign-Verify roundtrip using the 'Alice' key from draft-bre-openpgp-samples-00.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Detached Sign-Verify roundtrip with key 'Bob'

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Detached signature with Subpackets

Tests how implementations constrain the validity of signatures depending on the given subpackets.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
Interoperability concern.
Base case, unhashed issuer fingerprint
Interoperability concern.
Base case, hashed issuer
Interoperability concern.
No issuer fingerprint
Interoperability concern.
No issuer fingerprint, hashed issuer
Interoperability concern.
No issuer
Issuer fingerprint ought to be enough.
No issuer, unhashed issuer fingerprint
Issuer fingerprint ought to be enough.
No issuer, no issuer fingerprint
Issuer, fake issuer
Interoperability concern.
Fake issuer, issuer
Interoperability concern.
Issuer, fake issuer, V6 issuer FP
Interoperability concern.
Fake issuer, issuer, V6 issuer FP
Interoperability concern.
Unhashed creation time
Creation time must be hashed.
No creation time
Creation time must exist.
Creation time given twice
Uniqueness of subpackets is not required.
Future creation time
Creation time is in the future.
Future creation time given twice
Creation time is in the future.
Future creation time, backdated
Creation time is in the future.
Unknown subpacket
Interoperability concern.
Critical unknown subpacket
Critical unknown subpacket invalidates signature.
Unknown subpacket, unhashed
Interoperability concern.
Critical unknown subpacket, unhashed
Unknown notation
Interoperability concern.
Critical unknown notation
Critical unknown notation invalidates signature.
Unknown notation, unhashed
Interoperability concern.
Critical unknown notation, unhashed

Detached signatures: Linebreak normalization

Tests how implementations normalize line breaks when verifying text signatures. Section 5.2.1 of RFC4880 says: The signature is calculated over the text data with its line endings converted to <CR><LF>.

This test creates two signatures, a binary and a text signature, over the message one\r\ntwo\r\nthree, and checks whether variants of the message with different line endings can be verified using these signatures.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
"one\r\ntwo\r\nthree"
Base case (b)
"one\r\ntwo\r\nthree"
Base case (t)
"one\ntwo\nthree"
Binary signature must not be valid (b)
"one\ntwo\nthree"
Line endings must be normalized (t)
"one\ntwo\r\nthree"
Binary signature must not be valid (b)
"one\ntwo\r\nthree"
Line endings must be normalized (t)
"one\r\ntwo\nthree"
Binary signature must not be valid (b)
"one\r\ntwo\nthree"
Line endings must be normalized (t)
"one\rtwo\rthree"
Binary signature must not be valid (b)
"one\rtwo\rthree"
"one\n\rtwo\n\rthree"
Binary signature must not be valid (b)
"one\n\rtwo\n\rthree"
"one\u{1e}two\u{1e}three"
Binary signature must not be valid (b)
"one\u{1e}two\u{1e}three"
"one\u{b}two\u{b}three"
Binary signature must not be valid (b)
"one\u{b}two\u{b}three"
"one\u{c}two\u{c}three"
Binary signature must not be valid (b)
"one\u{c}two\u{c}three"
"one\u{85}two\u{85}three"
Binary signature must not be valid (b)
"one\u{85}two\u{85}three"
"one\u{2028}two\u{2028}three"
Binary signature must not be valid (b)
"one\u{2028}two\u{2028}three"
"one\u{2029}two\u{2029}three"
Binary signature must not be valid (b)
"one\u{2029}two\u{2029}three"
"one \ntwo\nthree"
Binary signature must not be valid (b)
"one \ntwo\nthree"
Erroneous normalization (e.g. trailing whitespace) (t)
"one\ntwo \nthree"
Binary signature must not be valid (b)
"one\ntwo \nthree"
Erroneous normalization (e.g. trailing whitespace) (t)
"one\ntwo\nthree "
Binary signature must not be valid (b)
"one\ntwo\nthree "
Erroneous normalization (e.g. trailing whitespace) (t)
"one\ntwo\nthree\n"
Binary signature must not be valid (b)
"one\ntwo\nthree\n"
Erroneous normalization (e.g. trailing whitespace) (t)
"\none\ntwo\nthree"
Binary signature must not be valid (b)
"\none\ntwo\nthree"
Erroneous normalization (e.g. trailing whitespace) (t)
"one\t\ntwo\nthree"
Binary signature must not be valid (b)
"one\t\ntwo\nthree"
Erroneous normalization (e.g. trailing whitespace) (t)
"one\u{a0}\ntwo\nthree"
Binary signature must not be valid (b)
"one\u{a0}\ntwo\nthree"
Erroneous normalization (e.g. trailing whitespace) (t)
"one\u{1680}\ntwo\nthree"
Binary signature must not be valid (b)
"one\u{1680}\ntwo\nthree"
Erroneous normalization (e.g. trailing whitespace) (t)
"one\u{2000}\ntwo\nthree"
Binary signature must not be valid (b)
"one\u{2000}\ntwo\nthree"
Erroneous normalization (e.g. trailing whitespace) (t)

Detached signatures with unknown packets

This tests whether detached signatures with unknown versions of Signature packets are still verified. This is important for the evolution of the message format.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
SIG4 SIG4
Base case
SIG4 SIG23
Unknown versions should be ignored
SIG23 SIG4
Unknown versions should be ignored

Hash Algorithms

Detached Sign-Verify roundtrip with key 'Bob', MD5

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [MD5].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Hash should not be used anymore.
dkg/1.2.0
Hash should not be used anymore.
GopenPGP/v2.1.1
Hash should not be used anymore.
OpenPGP.js/v4.10.10
Hash should not be used anymore.
PGPainlessCLI/0.2.0-alpha10
Hash should not be used anymore.
RNP/0.0.0+git20210301.ffcfb63
Hash should not be used anymore.
SOPGPy/0.1.0/0.5.3
Hash should not be used anymore.
GPGME/2.3.0
Hash should not be used anymore.
GPGME/2.2.27
Hash should not be used anymore.
GPGME/1.4.23
Hash should not be used anymore.

Detached Sign-Verify roundtrip with key 'Bob', SHA1

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [SHA1].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Hash should not be used anymore.
dkg/1.2.0
Hash should not be used anymore.
GopenPGP/v2.1.1
Hash should not be used anymore.
OpenPGP.js/v4.10.10
Hash should not be used anymore.
PGPainlessCLI/0.2.0-alpha10
Hash should not be used anymore.
RNP/0.0.0+git20210301.ffcfb63
Hash should not be used anymore.
SOPGPy/0.1.0/0.5.3
Hash should not be used anymore.
GPGME/2.3.0
Hash should not be used anymore.
GPGME/2.2.27
Hash should not be used anymore.
GPGME/1.4.23
Hash should not be used anymore.

Detached Sign-Verify roundtrip with key 'Bob', RipeMD

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [RipeMD].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Hash should not be used anymore.
dkg/1.2.0
Hash should not be used anymore.
GopenPGP/v2.1.1
Hash should not be used anymore.
OpenPGP.js/v4.10.10
Hash should not be used anymore.
PGPainlessCLI/0.2.0-alpha10
Hash should not be used anymore.
RNP/0.0.0+git20210301.ffcfb63
Hash should not be used anymore.
SOPGPy/0.1.0/0.5.3
Hash should not be used anymore.
GPGME/2.3.0
Hash should not be used anymore.
GPGME/2.2.27
Hash should not be used anymore.
GPGME/1.4.23
Hash should not be used anymore.

Detached Sign-Verify roundtrip with key 'Bob', SHA256

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [SHA256].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
MUST be implemented according to RFC4880bis8.
dkg/1.2.0
MUST be implemented according to RFC4880bis8.
GopenPGP/v2.1.1
MUST be implemented according to RFC4880bis8.
OpenPGP.js/v4.10.10
MUST be implemented according to RFC4880bis8.
PGPainlessCLI/0.2.0-alpha10
MUST be implemented according to RFC4880bis8.
RNP/0.0.0+git20210301.ffcfb63
MUST be implemented according to RFC4880bis8.
SOPGPy/0.1.0/0.5.3
MUST be implemented according to RFC4880bis8.
GPGME/2.3.0
MUST be implemented according to RFC4880bis8.
GPGME/2.2.27
MUST be implemented according to RFC4880bis8.
GPGME/1.4.23
MUST be implemented according to RFC4880bis8.

Detached Sign-Verify roundtrip with key 'Bob', SHA384

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [SHA384].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Should be supported.
dkg/1.2.0
Should be supported.
GopenPGP/v2.1.1
Should be supported.
OpenPGP.js/v4.10.10
Should be supported.
PGPainlessCLI/0.2.0-alpha10
Should be supported.
RNP/0.0.0+git20210301.ffcfb63
Should be supported.
SOPGPy/0.1.0/0.5.3
Should be supported.
GPGME/2.3.0
Should be supported.
GPGME/2.2.27
Should be supported.
GPGME/1.4.23
Should be supported.

Detached Sign-Verify roundtrip with key 'Bob', SHA512

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [SHA512].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Should be supported.
dkg/1.2.0
Should be supported.
GopenPGP/v2.1.1
Should be supported.
OpenPGP.js/v4.10.10
Should be supported.
PGPainlessCLI/0.2.0-alpha10
Should be supported.
RNP/0.0.0+git20210301.ffcfb63
Should be supported.
SOPGPy/0.1.0/0.5.3
Should be supported.
GPGME/2.3.0
Should be supported.
GPGME/2.2.27
Should be supported.
GPGME/1.4.23
Should be supported.

Detached Sign-Verify roundtrip with key 'Bob', SHA224

Detached Sign-Verify roundtrip using the 'Bob' key from draft-bre-openpgp-samples-00, modified with the hash algorithm preference [SHA224].

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Signature over the shattered collision

This tests whether detached signatures using SHA-1 over the collision from the paper "The first collision for full SHA-1" are considered valid.

The first test establishes a baseline. It is a SHA-1 signature over the text Hello World :)

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Baseline
Data signatures using SHA-1 should be considered invalid
SIG-1 over PDF-1
Attack must be mitigated
SIG-1 over PDF-2
Attack must be mitigated
SIG-2 over PDF-1
Attack must be mitigated
SIG-2 over PDF-2
Attack must be mitigated

Compression Algorithms

Compression Algorithm support

This tests support for the different compression algorithms using Sequoia to generate the artifacts.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Uncompressed
Uncompressed MUST be supported.
ZIP
SHOULD be able to decompress ZIP.
ZLIB
Zlib SHOULD be supported.
BZip2

Key Generation

Default key generation, encrypt-decrypt roundtrip

This models key generation, distribution, and encrypted message exchange. The test generates a default key with the producer P, extracts the certificate from the key, uses the certificate to encrypt a message with the consumer C, and finally uses P to decrypt the message.
Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Default key generation, encrypt-decrypt roundtrip, 2 UIDs

This models key generation, distribution, and encrypted message exchange. The test generates a default key with the producer P, extracts the certificate from the key, uses the certificate to encrypt a message with the consumer C, and finally uses P to decrypt the message.
Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Default key generation, encrypt-decrypt roundtrip, no UIDs

This models key generation, distribution, and encrypted message exchange. Generates a default key with the producer P, then extracts the certificate from the key and uses it to encrypt a message using the consumer C, and finally P to decrypt the message.
Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Sequoia/1.1.0
Interoperability concern.
dkg/1.2.0
Interoperability concern.
GopenPGP/v2.1.1
Interoperability concern.
OpenPGP.js/v4.10.10
Interoperability concern.
PGPainlessCLI/0.2.0-alpha10
Interoperability concern.
RNP/0.0.0+git20210301.ffcfb63
Interoperability concern.
SOPGPy/0.1.0/0.5.3
Interoperability concern.
GPGME/2.3.0
Interoperability concern.
GPGME/2.2.27
Interoperability concern.
GPGME/1.4.23
Interoperability concern.

Certificates

Interpretation of encryption keyflags

OpenPGP has two kinds of key usage flags that cover encryption: 0x04 (this key may be used to encrypt communications) and 0x08 (this key may be used to encrypt storage). This tests how implementations interpret these flags. This test uses two encryption subkeys, A (7C2F AA4D F93C 37B2) and B (DA08 007F 39B3 0088).
Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
A 0x04
A 0x08
A 0x0c, B 0x0c
B 0x0c, A 0x0c
A 0x04, B 0x08
A 0x08, B 0x04
B 0x04, A 0x08
B 0x08, A 0x04

Interpretation of primary key flags

This tests various ways of specifying the primary key's flags. Key flags can be provided using direct key signatures, as well as binding signatures on userids.

Notation: p[flags-on-direct-key-sig] u[flags-on-uid-binding] s[flags-on-binding], where CSEA refer to certification, signing, encryption, and authentication capabilities, and 0 refers to an explicit empty set (the subpacket is present, but empty). The key is then used to do an encrypt-decrypt roundtrip.

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
p uC sE (basecase)
pC uC sE
pC u sE
pC uS sE
pC u0 sE
p uS sE
p u sE
p u

Primary key binding signatures

A subkey binding signature indicating signing capabilities must carry an embedded primary key signature from the subkey over the primary key. This tests whether implementations pay attention to that signature.

The signature is over the string Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
Base case
Hashed backsig
Embedded signature may be hashed
No backsig
Missing primary key binding signature
MD5 backsig
SHA1 backsig
Old backsig
Expired backsig
Expired primary key binding signature
Fake backsig
Signed using the primary key

Key Flags Composition

Explores how key flag sets are looked up and composed. Key flags are stored in key flags subpackets on subkey binding signatures and direct key signatures. Furthermore, there could be more than one such subpacket on a signature. This test explores whether key flags subpackets on direct key signatures are honored, and if multiple subpackets are given, what their precedence relation is, how they are composed (e.g. whether a union or intersection is computed, or whether the first or last subpacket wins), and whether a default value is used if the subpacket is not present (e.g., GnuPG appears to default to CSEA).

The notation used in the rows is as follows. First, a letter identifies a certificate component: p for primary key, u for userid, and s for subkey. Each component is followed by any number of key flag sets, enclosed in square brackets. The letters CSEA refer to certification, signing, encryption, and authentication capabilities. For example, p u[C] s[S] denotes a certificate with the primary key capable of certification, and the sole subkey capable of signing. This is the base case. A test like p u[C] s[][S] explores how an empty flag set followed by one denoting signing capabilities is handled.

The signature is over the string Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
p u[C] s[S]
Base case
p u[C] s[E]
Base case, encryption subkey
p u[C] s[][S]
p u[C] s[S][]
p[CS] u[C] s
[S]ubpackets on the direct-key signature apply to the entire key
p[CE] u[C] s
Encryption subkey
p[C][CS] u[C] s
p[CS][C] u[C] s
p[] u[C] s[]
p[] u[C] s[S]
p[S] u[C] s[]
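
To see which rows of this table can tell composition strategies apart, the following added example (not part of the test suite; the four strategies and all function names are assumptions made for illustration) parses the row notation and evaluates each component under union, intersection, first-wins and last-wins.

```python
import re

# Candidate composition strategies named in the test description.
STRATEGIES = ("union", "intersection", "first", "last")

TOKEN_RE = re.compile(r"([pus])((?:\[[CSEA]*\])*)")
SET_RE = re.compile(r"\[([CSEA]*)\]")

# Row labels copied from the table above.
ROWS = [
    "p u[C] s[S]", "p u[C] s[E]", "p u[C] s[][S]", "p u[C] s[S][]",
    "p[CS] u[C] s", "p[CE] u[C] s", "p[C][CS] u[C] s", "p[CS][C] u[C] s",
    "p[] u[C] s[]", "p[] u[C] s[S]", "p[S] u[C] s[]",
]


def parse_row(row):
    """Parse a label such as 'p[C][CS] u[C] s' into
    {component: [one flag set per key flags subpacket, in order]}."""
    components = {}
    for token in row.split():
        match = TOKEN_RE.fullmatch(token)
        if match is None:
            raise ValueError(f"unrecognised component: {token!r}")
        components[match.group(1)] = [
            frozenset(flags) for flags in SET_RE.findall(match.group(2))
        ]
    return components


def compose(flag_sets, strategy, default=None):
    """Combine the flag sets found on one signature.

    `default` is returned when no key flags subpacket is present at all;
    None models 'no flags known', frozenset('CSEA') models an
    implementation that assumes every capability."""
    if not flag_sets:
        return default
    if strategy == "union":
        return frozenset().union(*flag_sets)
    if strategy == "intersection":
        return frozenset.intersection(*flag_sets)
    if strategy == "first":
        return flag_sets[0]
    if strategy == "last":
        return flag_sets[-1]
    raise ValueError(f"unknown strategy: {strategy}")


def show(flags):
    """Render a flag set in the table's notation; 'absent' = no subpacket."""
    if flags is None:
        return "absent"
    return "[" + "".join(c for c in "CSEA" if c in flags) + "]"


def effective(row, component, default=None):
    """Effective flags of one component under every strategy."""
    flag_sets = parse_row(row)[component]
    return {s: show(compose(flag_sets, s, default)) for s in STRATEGIES}


def discriminating(row):
    """Components of a row for which the strategies do not all agree.
    An empty result means the row cannot distinguish the strategies."""
    result = {}
    for component in parse_row(row):
        outcomes = effective(row, component)
        if len(set(outcomes.values())) > 1:
            result[component] = outcomes
    return result


if __name__ == "__main__":
    for row in ROWS:
        print(f"{row:18} {discriminating(row) or 'all strategies agree'}")
```

Only the rows that carry more than one subpacket on a component separate the strategies; the rows with a missing subpacket probe the default instead.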

Perturbed certificates

Explores how robust the certificate canonicalization is to perturbations and permutations. While these certificates may not strictly adhere to the structure outlined in Section 12.1 of RFC4880, handling them gracefully improves the user experience.

Notation: P = Primary key, U = UserID, UB = UserID Binding, S = Subkey, SB = Subkey Binding, M = Marker, U* = unbound UserID, S* = unbound Subkey, B = Bad signature, O = Odd signature, S23 = Subkey version 23, SB23 = Subkey Binding version 23, X = Xtremely unknown packet type.

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
P U UB S SB
Base case
P U UB U UB S SB
Duplicated UserID
P U U UB S SB
Duplicated UserID
P U UB U S SB
Duplicated UserID
P U UB UB S SB
Duplicated UserID binding
P U UB S SB S SB
Duplicated subkey
P U UB S S SB
Duplicated subkey
P U UB S SB S
Duplicated subkey
P U UB S SB SB
Duplicated subkey binding
P U UB S
Subkey not bound
P U S SB
P S SB
P U UB U* S SB
Unbound UserID should be ignored
P U UB S SB S*
Unbound subkey should be ignored
P M U UB S SB
Marker packet MUST be ignored
P U M UB S SB
Marker packet MUST be ignored
P U UB S M SB
Marker packet MUST be ignored
P U S UB SB
P UB SB U S
P U UB S SB B
Bad signature should be ignored
P U UB S SB O
Bad signature should be ignored
P U UB S SB SB23
Unknown signature version should be ignored
P U UB S SB S23 B
Unknown key version should be ignored
P U UB S SB X B
Unknown components should be ignored

Certificate expiration

Explores how certificate expiration time is computed. Certificate expiration is implemented by expiring the primary key. Key expiration time subpackets can be stored on direct key signatures and binding signatures of the primary user id.

The test modifies the 'Bob' certificate so that it expires, then tries to encrypt and decrypt a message with it. Notation: P X U Y [U' Z], where P is the primary key, U the primary UserID, and U' a secondary UserID, with X representing key expiration time subpackets on a direct key signature, Y on the primary userid binding signature, and Z on the secondary userid binding signature. For the expiration, f means expiration in the future, p means expiration in the past, 0 is the value 0, which means it should not expire, and - means there is no subpacket.

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
P _ U _
Base case
P _ U f
Base case
P _ U 0
Base case
P f U _
Base case
P 0 U _
Base case
P _ U _ U' f
Base case
P _ U p
Expired
P p U _
Expired
P p U f
P f U p
P p U 0
P 0 U p
P _ U _ U' p
Non-primary userid shouldn't expire cert
P _ U p U' f
Non-primary userid shouldn't override expiry
P p U _ U' f
Non-primary userid shouldn't override expiry

Detached primary key

Explores how detached primary keys are handled by the implementations. There seem to be at least two ways to do that, and neither fully complies with RFC4880.

The first way is to encode the detached key using a secret key packet and a stub encrypted secret key part. This method is used by GnuPG.

The second way is to simply use a public key packet.

The test creates an OpenPGP key with a signing-capable subkey, detaches the primary key, and tries to create a signature with the resulting key structure. The signature is over the string Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
SecKey SecSubkey
Base case
SecKey[0xfe stub] SecSubkey
SecKey[0xff stub] SecSubkey
PubKey SecSubkey

Binding signature subpackets

Explores how subpackets on binding signatures are handled.

The test creates variations of OpenPGP certs with a signing-capable subkey, and tries to verify a signature with it. The certificate has a signing-capable subkey, and the subkey's binding signature (SKB) as well as the embedded primary key binding signature (PKB) are modified. The signature is over the string Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
Base case.
SKB: Issuer FP only
Interoperability concern.
SKB: Issuer, V6 issuer FP
Interoperability concern.
SKB: Issuer, fake issuer
Interoperability concern.
SKB: Fake issuer, issuer
Interoperability concern.
SKB: Fake issuer
SKB: No issuer at all
SKB: Unknown subpacket
Interoperability concern.
SKB: Critical unknown subpacket
Critical unknown subpacket invalidates signature.
SKB: Unknown subpacket, unhashed
Interoperability concern.
SKB: Critical unknown subpacket, unhashed
SKB: Unknown notation
Interoperability concern.
SKB: Critical unknown notation
Critical unknown notation invalidates signature.
SKB: Unknown notation, unhashed
Interoperability concern.
SKB: Critical unknown notation, unhashed
SKB: Backsig, fake backsig
Interoperability concern.
SKB: Fake backsig, backsig
Interoperability concern.
PKB: Issuer FP only
Interoperability concern.
PKB: Issuer, V6 issuer FP
Interoperability concern.
PKB: Issuer, fake issuer
Interoperability concern.
PKB: Fake issuer, issuer
Interoperability concern.
PKB: Fake issuer
PKB: No issuer at all
PKB: Unknown subpacket
Interoperability concern.
PKB: Critical unknown subpacket
Critical unknown subpacket invalidates signature.
PKB: Unknown subpacket, unhashed
Interoperability concern.
PKB: Critical unknown subpacket, unhashed
PKB: Unknown notation
Interoperability concern.
PKB: Critical unknown notation
Critical unknown notation invalidates signature.
PKB: Unknown notation, unhashed
Interoperability concern.
PKB: Critical unknown notation, unhashed
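
The two "Critical unknown ... invalidates signature" expectations above come down to one check over the hashed subpacket area. The following added example, which is not code from the test suite or from any listed implementation, parses the RFC 4880 subpacket encoding and applies that check; the sample subpackets are constructed, and the set of known types and the notation name are assumptions.

```python
import struct

# Subpacket types this example verifier understands (an assumption of the
# example): the types defined in RFC 4880 plus 33 (issuer fingerprint).
KNOWN_TYPES = frozenset({2, 3, 4, 5, 6, 7, 9, 11, 12, 16, 20, 21, 22, 23, 24,
                         25, 26, 27, 28, 29, 30, 31, 32, 33})
NOTATION_DATA = 20


def encode_subpacket(sp_type, body, critical=False):
    """Build one subpacket; used here only to construct sample input."""
    length = len(body) + 1                      # length covers the type octet
    if length < 192:
        header = bytes([length])
    elif length <= 16319:
        n = length - 192
        header = bytes([192 + (n >> 8), n & 0xFF])
    else:
        header = b"\xff" + struct.pack(">I", length)
    return header + bytes([sp_type | (0x80 if critical else 0)]) + body


def parse_subpackets(area):
    """Split a subpacket area into (type, critical, body) tuples."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                          # one-octet length
            length, i = first, i + 1
        elif first < 255:                        # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated two-octet length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                    # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated five-octet length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("subpacket overruns the area")
        tag = area[i]
        out.append((tag & 0x7F, bool(tag & 0x80), area[i + 1:i + length]))
        i += length
    return out


def notation_body(name, value):
    """Notation data body: 4 flag octets, two 16-bit lengths, name, value."""
    n, v = name.encode(), value.encode()
    return b"\x80\x00\x00\x00" + struct.pack(">HH", len(n), len(v)) + n + v


def notation_name(body):
    if len(body) < 8:
        raise ValueError("notation subpacket too short")
    name_len, value_len = struct.unpack(">HH", body[4:8])
    if 8 + name_len + value_len != len(body):
        raise ValueError("notation lengths do not match the body")
    return body[8:8 + name_len].decode("utf-8", "replace")


def check_hashed_area(area, known_notations=frozenset()):
    """Return (ok, reason). Only critical subpackets can invalidate."""
    try:
        for sp_type, critical, body in parse_subpackets(area):
            if not critical:
                continue      # unknown non-critical subpackets are ignored
            if sp_type not in KNOWN_TYPES:
                return False, f"critical unknown subpacket type {sp_type}"
            if sp_type == NOTATION_DATA:
                name = notation_name(body)
                if name not in known_notations:
                    return False, f"critical unknown notation {name!r}"
    except ValueError as err:
        return False, f"malformed subpacket area: {err}"
    return True, "ok"


# Constructed sample input (not taken from the test suite's artifacts).
SAMPLE_CTIME = encode_subpacket(2, struct.pack(">I", 1620000000))
SAMPLE_NOTATION_NAME = "unknown@tests.example"
SAMPLE_NOTATION = notation_body(SAMPLE_NOTATION_NAME, "value")

if __name__ == "__main__":
    for label, extra in [
        ("unknown subpacket", encode_subpacket(100, b"\x00")),
        ("critical unknown subpacket", encode_subpacket(100, b"\x00", True)),
        ("unknown notation", encode_subpacket(20, SAMPLE_NOTATION)),
        ("critical unknown notation", encode_subpacket(20, SAMPLE_NOTATION, True)),
    ]:
        print(f"{label:28} {check_hashed_area(SAMPLE_CTIME + extra)}")
```

The check covers the hashed area only; the table above states no expectation for critical unknown subpackets in the unhashed area, so the example leaves that case open.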

I'm My Own Grandpa

Explores a certificate corner case where a certificate includes its primary key as subkey. This is an oddball; supporting it is not necessary.

A certificate is constructed by taking Bob's subkey and using it as primary key as well as subkey. The test encrypts a short message, and tries to decrypt it using Bob's key.

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
I'm My Own Grandpa

Temporary validity

This test uses a certificate with a signing-capable primary key that is evolving over time. The certificate is constructed so that it is valid for a month, then not valid for a month, then valid for a month again.

We then verify signatures made in these periods to probe whether implementations consider the certificate valid at this point in time.

There are three variants of this test. In the first variant A, we use expiring userid binding signatures. In the second variant B, the userid is bound for the whole time, but we temporarily revoke it using expiring revocation signatures. The third variant C is similar, but we temporarily revoke the certificate.

The signature is over the string Hello World :).

Timeline:
        v                                       A                 B, C
        |                              |                 |                    |
    t0 -| Creation of first signature  |                 |                    |
        |                              |                 |                    |
    t1 -| Certificate creation         |                 |                    |
        |                              |                 |                    |
 t1-t2 -| Creation of second signature |                 |                    |
        |                              |                 |                    |
    t2 -| Validity ends temporarily    | Binding expires | Revocation         |
        |                              |                 |                    |
 t2-t3 -| Creation of third signature  |                 |                    |
        |                              |                 |                    |
    t3 -| Validity restored            | New binding     | Revocation expires |
        |                              |                 |                    |
t3-now -| Creation of fourth signature |                 |                    |
        |                              |                 |                    |
   now -|                              |                 |                    |
        v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Cert A, sig t0
Signature predates key creation time
Cert A, sig t1-t2
Cert is valid
Cert A, sig t2-t3
Cert is not valid
Cert A, sig t2-now
Cert is valid again
Cert B, sig t0
Signature predates key creation time
Cert B, sig t1-t2
Cert is valid
Cert B, sig t2-t3
Primary key is not signing-capable
Cert B, sig t2-now
Cert is valid again
Cert C, sig t0
Signature predates key creation time
Cert C, sig t1-t2
Cert is valid
Cert C, sig t2-t3
Cert is revoked
Cert C, sig t2-now
Cert is valid again

Mock PQ subkey

Explores how robust the certificate canonicalization is to huge encryption subkeys that cannot be MPI encoded. While these keys are not functional, we can check whether they can coexist with classical keys so that we can have an upgrade path.

The test verifies a signature with a certificate containing a mock key using an unsupported algorithm or curve. The signature is made using the primary key over the message Hello World :). The mock subkey is not involved in any way, besides being present in the certificate.

The test explores two dimensions. On the one hand is the algorithm choice, on the other the parameter representation. The algorithms are:

  • Unknown asymmetric algorithm
  • ECDSA with an unknown curve
  • EdDSA with an unknown curve
  • ECDH with an unknown curve

The algorithm-specific data for each of these unknowable subkeys vary between:

  • a series of well-formed MPIs
  • reasonable-sized data (not in MPI format)
  • huge data (unrepresentable as MPI)

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Bob's cert
Base case.
Unknown algo, MPI encoding
Interoperability concern.
Unknown algo, opaque encoding, small
Interoperability concern.
Unknown algo, opaque encoding, big
Interoperability concern.
ECDSA, unknown curve, MPI encoding
Interoperability concern.
ECDSA, unknown curve, opaque encoding, small
Interoperability concern.
ECDSA, unknown curve, opaque encoding, big
Interoperability concern.
EdDSA, unknown curve, MPI encoding
Interoperability concern.
EdDSA, unknown curve, opaque encoding, small
Interoperability concern.
EdDSA, unknown curve, opaque encoding, big
Interoperability concern.
ECDH, unknown curve, MPI encoding
Interoperability concern.
ECDH, unknown curve, opaque encoding, small
Interoperability concern.
ECDH, unknown curve, opaque encoding, big
Interoperability concern.

Revocations

Key revocation test: primary key signs and is not revoked (base case)

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized.

In this particular test, the primary key is not revoked. The signed message is Hello, World.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Key is valid at this time.
t2-t3
Key is valid at this time.
t3-now
Key is valid at this time.

Key revocation test: subkey signs, primary key is not revoked (base case)

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized.

In this particular test, the primary key is not revoked. The signed message is Hello, World. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Subkey is not bound at this time.
t2-t3
Key is valid at this time.
t3-now
Key is valid at this time.

Key revocation test: primary key signs and is revoked; revoked: no subpacket

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: no subpacket. The signed message is Hello, World.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Hard revocations invalidate key at all times.
t2-t3
Hard revocations invalidate key at all times.
t3-now
Hard revocations invalidate key at all times.
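
The expectations in these revocation tests can be reproduced with a small time-based model. This added example is not the test suite's code; the numeric timestamps are constructed, and the soft reasons (superseded, retired, from RFC 4880) go beyond the hard cases tabulated in this part of the page.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Reasons treated as hard on this page: no reason subpacket (None),
# "unspecified" and "compromised". Soft reasons are the RFC 4880
# "key superseded" and "key retired" codes.
HARD_REASONS = {None, "unspecified", "compromised"}
SOFT_REASONS = {"superseded", "retired"}

# Constructed timestamps following the page's timeline.
T1, SUBKEY_CREATED, SUBKEY_BOUND, T2, T3 = 10, 12, 16, 20, 30
SIG_TIMES = {"t0": 0, "t1-t2": 14, "t2-t3": 25, "t3-now": 35}


@dataclass(frozen=True)
class Revocation:
    time: int
    reason: Optional[str]      # None models a revocation without a reason


@dataclass(frozen=True)
class Key:
    created: int
    bound: int                             # first binding / self-signature
    revocation: Optional[Revocation] = None
    rebound: Optional[int] = None          # later signature re-legitimizing


def key_status(key, t):
    """Status of one key for a signature claiming creation time t."""
    if t < key.created:
        return "predates key creation"
    rev = key.revocation
    if rev is not None and rev.reason in HARD_REASONS:
        return "hard revoked"              # applies at all times
    if t < key.bound:
        return "not bound"
    if rev is not None:
        if rev.reason not in SOFT_REASONS:
            raise ValueError(f"unknown revocation reason: {rev.reason!r}")
        # A soft revocation holds from its creation until a newer
        # self-signature or binding signature supersedes it.
        if rev.time <= t and (key.rebound is None or t < key.rebound):
            return "soft revoked"
    return "valid"


def verdict(primary, signing_subkey, t):
    """The primary key must be valid; so must the subkey if it signed."""
    status = key_status(primary, t)
    if status == "valid" and signing_subkey is not None:
        status = key_status(signing_subkey, t)
    return status


def outcomes(signer, revoked_key=None, reason=None):
    """Evaluate the four signatures of one test.

    signer: "primary" or "subkey"; revoked_key: None, "primary" or
    "subkey"; reason: revocation reason, None meaning 'no subpacket'."""
    primary = Key(created=T1, bound=T1)
    subkey = Key(created=SUBKEY_CREATED, bound=SUBKEY_BOUND)
    revoked = dict(revocation=Revocation(T2, reason), rebound=T3)
    if revoked_key == "primary":
        primary = replace(primary, **revoked)
    elif revoked_key == "subkey":
        subkey = replace(subkey, **revoked)
    elif revoked_key is not None:
        raise ValueError(f"unknown key: {revoked_key!r}")
    signing_subkey = subkey if signer == "subkey" else None
    return {label: verdict(primary, signing_subkey, t)
            for label, t in SIG_TIMES.items()}


if __name__ == "__main__":
    cases = [("primary", None, None), ("subkey", None, None),
             ("primary", "primary", None), ("subkey", "subkey", "compromised"),
             ("primary", "primary", "superseded")]
    for signer, revoked_key, reason in cases:
        print(signer, revoked_key, reason, outcomes(signer, revoked_key, reason))
```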

Key revocation test: subkey signs, primary key is revoked; revoked: no subpacket

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: no subpacket. The signed message is Hello, World. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Hard revocations invalidate key at all times.
t2-t3
Hard revocations invalidate key at all times.
t3-now
Hard revocations invalidate key at all times.

Key revocation test: subkey signs, subkey is revoked; revoked: no subpacket

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the subkey is revoked: no subpacket. The signed message is Hello, World. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Hard revocations invalidate key at all times.
t2-t3
Hard revocations invalidate key at all times.
t3-now
Hard revocations invalidate key at all times.

Key revocation test: primary key signs and is revoked; revoked: unspecified

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: unspecified. The signed message is Hello, World.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Hard revocations invalidate key at all times.
t2-t3
Hard revocations invalidate key at all times.
t3-now
Hard revocations invalidate key at all times.

Key revocation test: subkey signs, primary key is revoked; revoked: unspecified

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: unspecified. The signed message is Hello, World. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Hard revocations invalidate key at all times.
t2-t3
Hard revocations invalidate key at all times.
t3-now
Hard revocations invalidate key at all times.

Key revocation test: subkey signs, subkey is revoked; revoked: unspecified

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the subkey is revoked: unspecified. The signed message is Hello, World. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
t0
Signature predates primary key.
t1-t2
Hard revocations invalidate key at all times.
t2-t3
Hard revocations invalidate key at all times.
t3-now
Hard revocations invalidate key at all times.

Key revocation test: primary key signs and is revoked; revoked: compromised

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: compromised. The signed message is Hello, World.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: subkey signs, primary key is revoked; revoked: compromised

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: compromised. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: subkey signs, subkey is revoked; revoked: compromised

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the subkey is revoked: compromised. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: primary key signs and is revoked; revoked: private

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: private. The signed message is 'Hello, World'.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: subkey signs, primary key is revoked; revoked: private

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: private. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: subkey signs, subkey is revoked; revoked: private

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the subkey is revoked: private. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: primary key signs and is revoked; revoked: unknown

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: unknown. The signed message is 'Hello, World'.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: subkey signs, primary key is revoked; revoked: unknown

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the primary key is revoked: unknown. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: subkey signs, subkey is revoked; revoked: unknown

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a hard revocation, so all signatures must be considered invalid.

In this particular test, the subkey is revoked: unknown. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Hard revocations invalidate key at all times.
t2-t3                Hard revocations invalidate key at all times.
t3-now               Hard revocations invalidate key at all times.

Key revocation test: primary key signs and is revoked; revoked: superseded

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the primary key is revoked: superseded. The signed message is 'Hello, World'.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Key is valid at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: subkey signs, primary key is revoked; revoked: superseded

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the primary key is revoked: superseded. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Subkey is not bound at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: subkey signs, subkey is revoked; revoked: superseded

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the subkey is revoked: superseded. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Subkey is not bound at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: primary key signs and is revoked; revoked: key retired

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the primary key is revoked: key retired. The signed message is 'Hello, World'.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Key is valid at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: subkey signs, primary key is revoked; revoked: key retired

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the primary key is revoked: key retired. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Subkey is not bound at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: subkey signs, subkey is revoked; revoked: key retired

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the subkey is revoked: key retired. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Subkey is not bound at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: primary key signs and is revoked; revoked: uid retired

This test uses a certificate with a signing-capable primary key that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the primary key is revoked: uid retired. The signed message is 'Hello, World'.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of primary key
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - primary key is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Key is valid at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: subkey signs, primary key is revoked; revoked: uid retired

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the primary key is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the primary key is revoked: uid retired. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Subkey is not bound at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.

Key revocation test: subkey signs, subkey is revoked; revoked: uid retired

This test uses a certificate with a signing-capable subkey that is evolving over time. Later on, the subkey is revoked and then re-legitimized using a new signature. We then ask implementations to verify a signature at different points in time. Hard revocations of the key invalidate the signature at any point in time, whereas in the case of soft revocations, the keys can be re-legitimized. This is a soft revocation, so the key may be re-legitimized, after which signatures should be considered valid again.

In this particular test, the subkey is revoked: uid retired. The signed message is 'Hello, World'. As an extra subtlety, we bind the subkey *after* the t1-t2 signature. Therefore, the t1-t2 signature must be considered invalid.

Timeline:   v
            |
        t0 -| - Creation time of first signature
            |
        t1 -| - Primary key creation
            |
            | - Subkey creation
            |
     t1-t2 -| - Creation time of second signature
            |
            | - Subkey is bound
            |
        t2 -| - Revocation of subkey
            |
     t2-t3 -| - Creation time of third signature
            |
        t3 -| - subkey is re-legitimized
            |
    t3-now -| - Creation time of fourth signature
            |
       now -|
            v

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
t0                   Signature predates primary key.
t1-t2                Subkey is not bound at this time.
t2-t3                Key is revoked at this time.
t3-now               Key is valid at this time.
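
The expectations of the key revocation tests above can be reproduced by a small decision procedure. The following Python model is an added example, not code from the test suite or from any tested implementation; the timestamps and the names Timeline, evaluate and expectation_rows are assumptions made for this sketch, and a real verifier derives these facts from the certificate's binding and revocation signatures.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Revocation reasons exactly as labelled in the test headings on this page.
HARD_REASONS = frozenset({"compromised", "private", "unknown"})
SOFT_REASONS = frozenset({"superseded", "key retired", "uid retired"})


@dataclass(frozen=True)
class Timeline:
    """Constructed timestamps (arbitrary units) for the events in the timeline."""
    key_created: int = 100        # t1: primary key creation
    subkey_bound: int = 180       # subkey binding, after the t1-t2 signature
    revoked_at: int = 200         # t2: revocation
    relegitimized_at: int = 300   # t3: a new signature re-legitimizes the key


# Creation times of the four signatures being verified (constructed values).
SIGNATURES = (("t0", 50), ("t1-t2", 150), ("t2-t3", 250), ("t3-now", 350))


def evaluate(reason: str, signer_is_subkey: bool, sig_time: int,
             tl: Timeline = Timeline()) -> Tuple[bool, str]:
    """Return (valid, comment) for a signature created at sig_time.

    The order of the checks matters: a hard revocation is reported before the
    "subkey not bound" condition, matching the expectation tables on this page.
    The tables are identical whether the primary key or the signing subkey is
    the revoked one, so the model keeps a single revocation window.
    """
    if reason not in HARD_REASONS and reason not in SOFT_REASONS:
        raise ValueError("unrecognised revocation label: %r" % reason)
    if sig_time < tl.key_created:
        return False, "Signature predates primary key."
    if reason in HARD_REASONS:
        # Hard revocation: no signature is acceptable, not even one made
        # before t2 or after the re-legitimizing signature at t3.
        return False, "Hard revocations invalidate key at all times."
    if signer_is_subkey and sig_time < tl.subkey_bound:
        return False, "Subkey is not bound at this time."
    if tl.revoked_at <= sig_time < tl.relegitimized_at:
        # Soft revocation: only the window between t2 and t3 is affected.
        return False, "Key is revoked at this time."
    return True, "Key is valid at this time."


def expectation_rows(reason: str, signer_is_subkey: bool,
                     tl: Timeline = Timeline()) -> List[Tuple[str, bool, str]]:
    """Build the (artifact, valid, comment) rows for one revocation test."""
    return [(label,) + evaluate(reason, signer_is_subkey, when, tl)
            for label, when in SIGNATURES]


if __name__ == "__main__":
    for reason in sorted(HARD_REASONS | SOFT_REASONS):
        for is_subkey in (False, True):
            signer = "subkey" if is_subkey else "primary key"
            print("revoked: %s, %s signs" % (reason, signer))
            for label, valid, comment in expectation_rows(reason, is_subkey):
                print("  %-7s %-5s %s" % (label, valid, comment))
```

An implementation that applies the soft-revocation window to a hard revocation would accept the t1-t2 and t3-now signatures of a key marked compromised, which is exactly what the hard-revocation rows are designed to catch.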

Message structure

Unusual Message Structure

This test generates valid messages with an unusual structure.

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
encrypt ∘ compress ∘ sign
encrypt ∘ sign ∘ compress
compress ∘ encrypt ∘ sign
compress ∘ sign ∘ encrypt
sign ∘ encrypt ∘ compress
sign ∘ compress ∘ encrypt
encrypt ∘ encrypt ∘ sign
encrypt ∘ sign ∘ encrypt
sign ∘ encrypt ∘ sign
encrypt ∘ compress ∘ compress
encrypt ∘ encrypt ∘ sign
encrypt ∘ sign ∘ sign
encrypt ∘ sign ∘ sign ∘ sign

Maximum recursion depth

This test encrypts messages, with the plaintext being compressed N times to evaluate the maximum recursion depth of implementations.

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
Depth 1              Maximum recursion depth too small
Depth 2              Maximum recursion depth too small
Depth 4              Maximum recursion depth too small
Depth 8
Depth 16
Depth 32             Maximum recursion depth too large
Depth 64             Maximum recursion depth too large

Marker Packet

Tests whether the Marker Packet is correctly ignored.

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact              Expectation / Comment
Marker + Detached signature    Marker packets MUST be ignored.
Marker + Encrypted Message     Marker packets MUST be ignored.
Marker + Certificate           Marker packets MUST be ignored.

Trust Packet

Tests whether the Trust Packet is ignored. According to Section 5.10 of RFC4880, [trust packets] SHOULD be ignored on any input other than local keyring files.

Additional artifacts:

Consumer: Sequoia/1.1.0, dkg/1.2.0, GopenPGP/v2.1.1, OpenPGP.js/v4.10.10, PGPainlessCLI/0.2.0-alpha10, RNP/0.0.0+git20210301.ffcfb63, SOPGPy/0.1.0/0.5.3, GPGME/2.3.0, GPGME/2.2.27, GPGME/1.4.23

Producer Artifact    Expectation / Comment
Trust + Detached signature
Trust + Encrypted Message
Trust + Certificate

Messages with unknown packets

This tests whether encrypted messages with unknown versions of PKESK and SKESK packets are still decrypted. This is important for the evolution of the message format.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
SEIP is a MUST according to RFC4880.
PKESK3 PKESK23 SEIP
Unknown versions should be ignored
PKESK23 PKESK3 SEIP
Unknown versions should be ignored
PKESK3 SKESK23 SEIP
Unknown versions should be ignored
SKESK23 PKESK3 SEIP
Unknown versions should be ignored
PKESK3 SKESK4+S2K23 SEIP
Unknown versions should be ignored
SKESK4+S2K23 PKESK3 SEIP
Unknown versions should be ignored
PKESK3 SEIP [OPS3 Literal Sig4]
Signed, encrypted message.
PKESK3 SEIP [OPS23 Literal Sig23]
Unknown versions should be ignored

ASCII Armor

Concatenated ASCII Armor Keyring

Explores whether concatenated ASCII Armor blocks are recognized as a keyring. This is not mandated by OpenPGP, but some implementations may choose to support this.

The signature is from Bob over the string Hello World :).

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
[Bob]
Base case
[Bob] [Alice]
[Alice] [Bob]
Text [Bob] Text [Alice] Text
Text [Alice] Text [Bob] Text

Mangled ASCII Armored Key

ASCII Armor is supposed to protect OpenPGP data in transit, but unfortunately it can be a source of brittleness if the Armor parser isn't sufficiently robust.

This test mangles Bob's ASCII Armored key, and tries to decrypt the text Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Not mangled
Base case
\r\n line endings
Interoperability concern
Blank line with space
Interoperability concern
Blank line with ' \t\r'
Interoperability concern
Blank line with ' \t\r\v\f'
Interoperability concern
Unknown header key
Interoperability concern
Very long header key
Interoperability concern
No checksum
Interoperability concern
No newlines in body
Spurious spaces in body
Leading space
Leading space, ends trimmed
Trailing space
Double spaced
Newlines replaced by spaces
Quoted with '> '
Quoted with '> ', ends trimmed
Quoted with '] } >>> '
Missing '-' in header
Unicode hyphens '‐'
No hyphens
Quoted-printable '=' -> '=3D'
Dash-escaped frames
Missing header
Missing blank line
Missing footer
Bare base64 body
Bad checksum

Mangled ASCII Armor

ASCII Armor is supposed to protect OpenPGP data in transit, but unfortunately it can be a source of brittleness if the Armor parser isn't sufficiently robust.

This test mangles Bob's ASCII Armored certificate, and tries to encrypt the text Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Not mangled
Base case
\r\n line endings
Interoperability concern
Blank line with space
Interoperability concern
Blank line with ' \t\r'
Interoperability concern
Blank line with ' \t\r\v\f'
Interoperability concern
Unknown header key
Interoperability concern
Very long header key
Interoperability concern
No checksum
Interoperability concern
No newlines in body
Spurious spaces in body
Leading space
Leading space, ends trimmed
Trailing space
Double spaced
Newlines replaced by spaces
Quoted with '> '
Quoted with '> ', ends trimmed
Quoted with '] } >>> '
Missing '-' in header
Unicode hyphens '‐'
No hyphens
Quoted-printable '=' -> '=3D'
Dash-escaped frames
Missing header
Missing blank line
Missing footer
Bare base64 body
Bad checksum

Mangled ASCII Armored Ciphertexts

ASCII Armor is supposed to protect OpenPGP data in transit, but unfortunately it can be a source of brittleness if the Armor parser isn't sufficiently robust.

This test mangles the ASCII Armored ciphertext decrypting to the text Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Not mangled
Base case
\r\n line endings
Interoperability concern
Blank line with space
Interoperability concern
Blank line with ' \t\r'
Interoperability concern
Blank line with ' \t\r\v\f'
Interoperability concern
Unknown header key
Interoperability concern
Very long header key
Interoperability concern
No checksum
Interoperability concern
No newlines in body
Spurious spaces in body
Leading space
Leading space, ends trimmed
Trailing space
Double spaced
Newlines replaced by spaces
Quoted with '> '
Quoted with '> ', ends trimmed
Quoted with '] } >>> '
Missing '-' in header
Unicode hyphens '‐'
No hyphens
Quoted-printable '=' -> '=3D'
Dash-escaped frames
Missing header
Missing blank line
Missing footer
Bare base64 body
Bad checksum

Mangled ASCII Armored Signatures

ASCII Armor is supposed to protect OpenPGP data in transit, but unfortunately it can be a source of brittleness if the Armor parser isn't sufficiently robust.

This test mangles the ASCII Armored signature over the text Hello World :).

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Not mangled
Base case
\r\n line endings
Interoperability concern
Blank line with space
Interoperability concern
Blank line with ' \t\r'
Interoperability concern
Blank line with ' \t\r\v\f'
Interoperability concern
Unknown header key
Interoperability concern
Very long header key
Interoperability concern
No checksum
Interoperability concern
No newlines in body
Spurious spaces in body
Leading space
Leading space, ends trimmed
Trailing space
Double spaced
Newlines replaced by spaces
Quoted with '> '
Quoted with '> ', ends trimmed
Quoted with '] } >>> '
Missing '-' in header
Unicode hyphens '‐'
No hyphens
Quoted-printable '=' -> '=3D'
Dash-escaped frames
Missing header
Missing blank line
Missing footer
Bare base64 body
Bad checksum
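
The four mangled-armor tests above all feed an armor reader input that differs from the canonical form. The following is an added example, not code from the test suite or from any tested implementation: a tolerant reader that accepts the manglings marked "Interoperability concern" (line endings, whitespace-only blank lines, unknown header keys, no checksum) and still rejects a bad checksum. The function names and the sample payload are assumptions made for illustration.

```python
import base64
import re

def crc24(data):
    """CRC-24 as defined in RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data, label="PGP MESSAGE"):
    """Produce canonical armor: 64-column body plus '=' checksum line."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", "", *body, check,
                      f"-----END {label}-----", ""])

def dearmor(text):
    """Tolerant reader; raises ValueError on missing frames or a bad checksum."""
    lines = [ln.strip(" \t\r\v\f") for ln in text.split("\n")]
    try:
        start = next(i for i, ln in enumerate(lines)
                     if re.fullmatch(r"-----BEGIN PGP [A-Z ]+-----", ln))
        end = next(i for i in range(start + 1, len(lines))
                   if lines[i].startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("missing armor header or footer") from None
    i = start + 1
    while i < end and ": " in lines[i]:       # skip header keys, known or unknown
        i += 1
    body = [ln for ln in lines[i:end] if ln]  # whitespace-only lines count as blank
    checksum = None
    if body and len(body[-1]) == 5 and body[-1].startswith("="):
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    data = base64.b64decode("".join(body), validate=True)
    if checksum is not None and checksum != crc24(data):  # absent checksum tolerated
        raise ValueError("bad checksum")
    return data

PAYLOAD = bytes(range(99))   # constructed sample bytes, not a real key or message
GOOD = armor(PAYLOAD)
```
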

Elliptic Curve Cryptography

EdDSA signature encodings

OpenPGP mandates that leading zeros are stripped when encoding MPIs. This test checks whether leading zeros in S and a 0x40-prefixed R are accepted.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
MPI encoding
MPI encoding must be supported.
S 0-padded
R 0x40-prefixed
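
The three encodings in this test differ only in how the 32-octet values R and S are wrapped as MPIs. The following is an added example, not code from the test suite: it reads one MPI, labels its form, and recovers the fixed-width native value by left-padding. The function names, the width of 32 octets (Ed25519) and the sample values are assumptions; whether a non-canonical form is then accepted is a policy decision the code leaves to the caller.

```python
def encode_mpi(octets):
    """Canonical MPI: two-octet bit count, then the value without leading zeros."""
    n = int.from_bytes(octets, "big")
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def read_mpi(buf, pos=0):
    """Return (value octets exactly as sent, position after the MPI)."""
    if len(buf) - pos < 2:
        raise ValueError("truncated MPI header")
    size = (int.from_bytes(buf[pos:pos + 2], "big") + 7) // 8
    end = pos + 2 + size
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return buf[pos + 2:end], end

def classify(buf, pos=0, width=32):
    """Label one signature MPI and recover the fixed-width native value."""
    bits = int.from_bytes(buf[pos:pos + 2], "big")
    octets, end = read_mpi(buf, pos)
    if len(octets) == width + 1 and octets[0] == 0x40:
        return "0x40-prefixed", octets[1:], end
    if len(octets) > width:
        raise ValueError("value wider than expected")
    same = int.from_bytes(octets, "big").bit_length() == bits
    # Stripped leading zeros must be restored before the value is used.
    return ("canonical" if same else "0-padded"), octets.rjust(width, b"\x00"), end

# Constructed sample values (not a real signature).
R = bytes(range(0x80, 0xA0))            # 32 octets, top bit set
S = b"\x00\x00" + bytes(range(1, 31))   # 32 octets, two leading zero octets

CANONICAL_SIG = encode_mpi(R) + encode_mpi(S)
S_PADDED = (256).to_bytes(2, "big") + S
R_PREFIXED = (263).to_bytes(2, "big") + b"\x40" + R

if __name__ == "__main__":
    form_r, r, nxt = classify(CANONICAL_SIG)
    form_s, s, _ = classify(CANONICAL_SIG, nxt)
    print(form_r, form_s, r == R, s == S)
```
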

Packet parser

Packet boundaries

Tests whether packet boundaries are properly enforced by creating a compressed data packet where the compressed data extends beyond the compressed data packet's boundaries.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
Base case
+1 byte
Compressed data extends beyond packet
+4 bytes
Compressed data extends beyond packet
+22 bytes
Compressed data extends beyond packet
+23 bytes
Compressed data extends beyond packet
+100 bytes
Compressed data extends beyond packet
+8300 bytes
Compressed data extends beyond packet

Packet excess consumption

Tests whether excess bytes in a packet are correctly consumed. The compressed data packet presents the unique opportunity to test whether the packet parser actually consumes (i.e. advances the read cursor) all the bytes specified in a packet header, even though they are not consumed by the underlying decompression algorithm.

The plaintext message is the string Hello World :), padded by the specified number of bytes using excess data in the compression stream.

Additional artifacts:

Consumer
Sequoia/1.1.0
dkg/1.2.0
GopenPGP/v2.1.1
OpenPGP.js/v4.10.10
PGPainlessCLI/0.2.0-alpha10
RNP/0.0.0+git20210301.ffcfb63
SOPGPy/0.1.0/0.5.3
GPGME/2.3.0
GPGME/2.2.27
GPGME/1.4.23
Expectation
Comment
Producer Artifact
Base case
Base case
+1 byte
Excess data must be discarded
+10 bytes
Excess data must be discarded
+100 bytes
Excess data must be discarded
+1_000 bytes
Excess data must be discarded
+10_000 bytes
Excess data must be discarded
+100_000 bytes
Excess data must be discarded
+1_000_000 bytes
Excess data must be discarded
+10_000_000 bytes
Excess data must be discarded
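
The "Packet boundaries" and "Packet excess consumption" tests above check two sides of one rule: the packet header alone decides where a packet ends. The following is an added example, not code from the test suite or from any tested implementation; the function names, the new-format five-octet framing, the ZIP algorithm, the sample messages and the nesting cap of 16 are assumptions made for illustration.

```python
import zlib

def new_packet(tag, body):
    """Frame body as a new-format packet with a five-octet length."""
    return bytes([0xC0 | tag, 0xFF]) + len(body).to_bytes(4, "big") + body

def read_packet(buf, pos):
    """Return (tag, body, next_pos); next_pos is derived from the header only."""
    if len(buf) - pos < 6 or buf[pos] & 0xC0 != 0xC0 or buf[pos + 1] != 0xFF:
        raise ValueError("sketch reads only new-format, five-octet-length packets")
    end = pos + 6 + int.from_bytes(buf[pos + 2:pos + 6], "big")
    if end > len(buf):
        raise ValueError("packet length exceeds input")
    return buf[pos] & 0x3F, buf[pos + 6:end], end

def inflate_body(body):
    """Decompress a Compressed Data body (algorithm 1 = ZIP, raw DEFLATE)."""
    if body[:1] != b"\x01":
        raise ValueError("only ZIP (algorithm 1) is handled here")
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(body[1:])    # the decompressor sees this packet's bytes only
    if not d.eof:                   # the stream wants bytes past the packet boundary
        raise ValueError("compressed data extends beyond packet")
    return out                      # d.unused_data (the excess) is discarded

def parse(buf, depth=0, max_depth=16):   # max_depth: assumed cap, not from the page
    if depth > max_depth:
        raise ValueError("maximum recursion depth exceeded")
    pos, seen = 0, []
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)   # cursor advances by header length
        if tag == 8:
            seen += parse(inflate_body(body), depth + 1, max_depth)
        else:
            seen.append((tag, body))
    return seen

# Constructed sample: Literal Data packet (tag 11) holding "Hello World :)".
LITERAL = b"b\x00" + bytes(4) + b"Hello World :)"
_c = zlib.compressobj(wbits=-15)
STREAM = _c.compress(new_packet(11, LITERAL)) + _c.flush()
MARKER = new_packet(10, b"PGP")

# Excess consumption: 100 padding bytes inside the packet, then a Marker packet.
EXCESS = new_packet(8, b"\x01" + STREAM + bytes(100)) + MARKER
# Packet boundary: the header claims 4 bytes fewer than the stream needs.
OVERRUN = new_packet(8, b"\x01" + STREAM[:-4]) + STREAM[-4:] + MARKER

if __name__ == "__main__":
    print(parse(EXCESS))
```
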