tag: use new filippo.io/hpke API

Author: FiloSottile

go.mod

@@ -4,15 +4,13 @@ go 1.24.0
 
 require (
 	filippo.io/edwards25519 v1.1.0
-	filippo.io/hpke v0.2.0
+	filippo.io/hpke v0.3.2
 	filippo.io/nistec v0.0.3
-	golang.org/x/crypto v0.41.0
-	golang.org/x/sys v0.35.0
-	golang.org/x/term v0.34.0
+	golang.org/x/crypto v0.44.0
+	golang.org/x/sys v0.38.0
+	golang.org/x/term v0.37.0
 )
 
-require filippo.io/bigmod v0.1.0 // indirect
-
 // Test dependencies.
 require (
 	c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805

go.sum

@@ -1,20 +1,18 @@
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
-filippo.io/bigmod v0.1.0 h1:UNzDk7y9ADKST+axd9skUpBQeW7fG2KrTZyOE4uGQy8=
-filippo.io/bigmod v0.1.0/go.mod h1:OjOXDNlClLblvXdwgFFOQFJEocLhhtai8vGLy0JCZlI=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-filippo.io/hpke v0.2.0 h1:CyMUXx5gHxxCciek5DtzCXDGy2+kOag0GFxXSH0nD0I=
-filippo.io/hpke v0.2.0/go.mod h1:Kn5Q71LEUiHIGCCdOm3JXhj2taQWEnAJUKFnO8OzSKs=
+filippo.io/hpke v0.3.2 h1:qKabTApzDPuylJ36fxpck0DBlgzG1dk5fIENbyoE/FY=
+filippo.io/hpke v0.3.2/go.mod h1:EmAN849/P3qdeK+PCMkDpDm83vRHM5cDipBJ8xbQLVY=
 filippo.io/nistec v0.0.3 h1:h336Je2jRDZdBCLy2fLDUd9E2unG32JLwcJi0JQE9Cw=
 filippo.io/nistec v0.0.3/go.mod h1:84fxC9mi+MhC2AERXI4LSa8cmSVOzrFikg6hZ4IfCyw=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
 golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=

tag/tag.go

@@ -2,6 +2,14 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// Package tag implements tagged P-256 or hybrid P-256 + ML-KEM-768 recipients,
+// which can be used with identities stored on hardware keys, usually supported
+// by dedicated plugins.
+//
+// The tag reduces privacy, by allowing an observer to correlate files with a
+// recipient (but not files amongst them without knowledge of the recipient),
+// but this is also a desirable property for hardware keys that require user
+// interaction for each decryption operation.
 package tag
 
 import (
@@ -18,12 +26,9 @@ import (
 	"filippo.io/nistec"
 )
 
+// Recipient is a tagged P-256 or hybrid P-256 + ML-KEM-768 recipient.
 type Recipient struct {
-	kem hpke.KEMSender
-
-	mlkem        *mlkem.EncapsulationKey768
-	compressed   [compressedPointSize]byte
-	uncompressed [uncompressedPointSize]byte
+	kem hpke.PublicKey
 }
 
 var _ age.Recipient = &Recipient{}
@@ -54,9 +59,8 @@ func ParseRecipient(s string) (*Recipient, error) {
 }
 
 const compressedPointSize = 1 + 32
-const uncompressedPointSize = 1 + 32 + 32
 
-// NewRecipient returns a new [Recipient] from a raw public key.
+// NewRecipient returns a new P-256 [Recipient] from a raw public key.
 func NewRecipient(publicKey []byte) (*Recipient, error) {
 	if len(publicKey) != compressedPointSize {
 		return nil, fmt.Errorf("invalid tag recipient public key size %d", len(publicKey))
@@ -65,58 +69,30 @@ func NewRecipient(publicKey []byte) (*Recipient, error) {
 	if err != nil {
 		return nil, fmt.Errorf("invalid tag recipient public key: %v", err)
 	}
-	k, err := ecdh.P256().NewPublicKey(p.Bytes())
+	k, err := hpke.DHKEM(ecdh.P256()).NewPublicKey(p.Bytes())
 	if err != nil {
 		return nil, fmt.Errorf("invalid tag recipient public key: %v", err)
 	}
-	kem, err := hpke.DHKEMSender(k)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create DHKEM sender: %v", err)
-	}
-	r := &Recipient{kem: kem}
-	copy(r.compressed[:], publicKey)
-	copy(r.uncompressed[:], p.Bytes())
-	return r, nil
+	return &Recipient{k}, nil
 }
 
-// NewHybridRecipient returns a new [Recipient] from raw concatenated public keys.
+// NewHybridRecipient returns a new hybrid P-256 + ML-KEM-768 [Recipient] from
+// raw concatenated public keys.
 func NewHybridRecipient(publicKey []byte) (*Recipient, error) {
-	if len(publicKey) != compressedPointSize+mlkem.EncapsulationKeySize768 {
-		return nil, fmt.Errorf("invalid tagpq recipient public key size %d", len(publicKey))
-	}
-	p, err := nistec.NewP256Point().SetBytes(publicKey)
-	if err != nil {
-		return nil, fmt.Errorf("invalid tagpq recipient DH public key: %v", err)
-	}
-	k, err := ecdh.P256().NewPublicKey(p.Bytes())
+	k, err := hpke.MLKEM768P256().NewPublicKey(publicKey)
 	if err != nil {
-		return nil, fmt.Errorf("invalid tagpq recipient DH public key: %v", err)
+		return nil, fmt.Errorf("invalid tagpq recipient public key: %v", err)
 	}
-	pq, err := mlkem.NewEncapsulationKey768(publicKey[compressedPointSize:])
-	if err != nil {
-		return nil, fmt.Errorf("invalid tagpq recipient PQ public key: %v", err)
-	}
-	kem, err := hpke.QSFSender(k, pq)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create DHKEM sender: %v", err)
-	}
-	r := &Recipient{kem: kem, mlkem: pq}
-	copy(r.compressed[:], publicKey[:compressedPointSize])
-	copy(r.uncompressed[:], p.Bytes())
-	return r, nil
+	return &Recipient{k}, nil
 }
 
-var p256TagLabel = []byte("age-encryption.org/p256tag")
-var p256MLKEM768TagLabel = []byte("age-encryption.org/p256mlkem768tag")
-
 func (r *Recipient) Wrap(fileKey []byte) ([]*age.Stanza, error) {
-	label, arg := p256TagLabel, "p256tag"
-	if r.mlkem != nil {
-		label, arg = p256MLKEM768TagLabel, "p256mlkem768tag"
+	label, arg := "age-encryption.org/p256tag", "p256tag"
+	if r.kem.KEM().ID() == hpke.MLKEM768P256().ID() {
+		label, arg = "age-encryption.org/mlkem768p256tag", "p256mlkem768tag"
 	}
 
-	enc, s, err := hpke.NewSender(r.kem,
-		hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), label)
+	enc, s, err := hpke.NewSender(r.kem, hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), []byte(label))
 	if err != nil {
 		return nil, fmt.Errorf("failed to set up HPKE sender: %v", err)
 	}
@@ -125,8 +101,13 @@ func (r *Recipient) Wrap(fileKey []byte) ([]*age.Stanza, error) {
 		return nil, fmt.Errorf("failed to encrypt file key: %v", err)
 	}
 
-	tag, err := hkdf.Extract(sha256.New,
-		append(enc[:uncompressedPointSize], r.uncompressed[:]...), label)
+	tagEnc, tagRecipient := enc, r.kem.Bytes()
+	if r.kem.KEM().ID() == hpke.MLKEM768P256().ID() {
+		// In hybrid mode, the tag is computed over just the P-256 part.
+		tagEnc = enc[mlkem.CiphertextSize768:]
+		tagRecipient = tagRecipient[mlkem.EncapsulationKeySize768:]
+	}
+	tag, err := hkdf.Extract(sha256.New, append(tagEnc, tagRecipient...), []byte(label))
 	if err != nil {
 		return nil, fmt.Errorf("failed to compute tag: %v", err)
 	}
@@ -145,8 +126,8 @@ func (r *Recipient) Wrap(fileKey []byte) ([]*age.Stanza, error) {
 
 // String returns the Bech32 public key encoding of r.
 func (r *Recipient) String() string {
-	if r.mlkem != nil {
-		return plugin.EncodeRecipient("tagpq", append(r.compressed[:], r.mlkem.Bytes()...))
+	if r.kem.KEM().ID() == hpke.MLKEM768P256().ID() {
+		return plugin.EncodeRecipient("tagpq", r.kem.Bytes())
 	}
-	return plugin.EncodeRecipient("tag", r.compressed[:])
+	return plugin.EncodeRecipient("tag", r.kem.Bytes())
 }