RNP version 0.16.0 released
RNP 0.16.0 represents a major milestone in the project’s evolution, introducing OpenSSL backend support and customizable security profiles.
This release significantly enhances RNP’s flexibility, security, and compatibility with other OpenPGP implementations.
Introduction
This release marks a transformative moment for RNP, introducing two major features that expand its utility and security capabilities. The addition of OpenSSL backend support broadens deployment options, while the new security profiles system enables fine-grained control over cryptographic policies.
Key highlights:
-
OpenSSL backend support for flexible deployment options
-
Customizable security profiles for granular cryptographic control
-
Enhanced hash algorithm policies for improved security
Other highlights:
-
Configurable compile-time feature switches
-
Improved signature validation mechanisms
-
Enhanced cross-platform compatibility
-
Extended FFI capabilities
-
Optimized CLI tools with better usability
-
Performance improvements for large-scale operations
Major feature improvements
OpenSSL backend support
The introduction of OpenSSL backend support is a game-changing addition that offers several advantages.
OpenSSL is the most widely deployed and used cryptographic library in the world, powering the majority of HTTPS connections on the internet. It provides a robust, commercial-grade, full-featured toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, as well as a general-purpose cryptography library.
-
Eliminates the requirement for Botan installation
-
Enables RNP usage on systems with OpenSSL as the primary cryptographic library
-
Provides alternative implementation choices for different deployment scenarios
-
Improves integration with existing OpenSSL-based systems
This feature allows RNP to be built and used on systems without Botan installed, making it more accessible and easier to deploy in various environments.
Security profile system
The new security profiles system provides unprecedented control over cryptographic policies:
-
Customizable security rules for different usage scenarios
-
Fine-grained control over algorithm acceptance
-
Temporal validation of cryptographic algorithms
-
Configurable policy enforcement
This system helps organizations implement and maintain their specific security requirements while ensuring compliance with evolving cryptographic standards.
Security enhancements
Hash algorithm policy improvements
Stricter policies have been implemented for older hash algorithms:
-
SHA1 signatures produced after January 19, 2019 (2019-01-19), are now marked as invalid
-
MD5 signatures produced after January 1, 2012 (2012-01-01), are now marked as invalid
-
SHA1 and 3DES have been removed from default key preferences
-
SHA1 collision detection code has been implemented
Signature validation enhancements
Several enhancements to signature validation have been made:
-
Signatures with unknown critical notation are now marked as invalid
-
Secret key validation occurs before first operation
-
More robust key material validation procedures
-
Limited number of possible message recipients/signatures to 16k
Compatibility improvements
Cross-platform support enhancements
The release includes several important compatibility fixes:
-
Resolved x25519 secret key export compatibility with GnuPG
-
Fixed support for Gnu/Hurd systems lacking
PATH_MAX
-
Improved support for old RSA sign-only/encrypt-only keys
-
Enhanced ElGamal key support for sizes larger than 3072 bits
Build system improvements
New compile-time options provide better control over feature sets:
-
ENABLE_AEAD
for AEAD encryption support -
ENABLE_SM2
for SM2/SM3/SM4 algorithm support -
ENABLE_BRAINPOOL
for Brainpool curves -
ENABLE_TWOFISH
for Twofish algorithm
Developer improvements
FFI enhancements
New FFI functions have been added to support the latest features:
-
rnp_backend_string()
andrnp_backend_version()
-
rnp_key_25519_bits_tweaked()
andrnp_key_25519_bits_tweak()
-
Security profile manipulation functions
-
rnp_signature_get_expiration()
Command-line interface improvements
The CLI has been significantly improved:
-
New detailed help messages for both
rnp
andrnpkeys
-
Support for stdin/stdout/env input/output specifiers
-
New
--notty
option for batch processing -
Enhanced key editing capabilities with
--edit-key
Performance improvements
Several optimizations have been implemented:
-
Reduced memory usage for keys with many signatures
-
Improved key import performance
-
Better handling of large ElGamal keys
-
Optimized signature subpacket processing
Looking ahead
RNP 0.16.0 establishes a strong foundation for future development with its flexible backend support and customizable security policies. The improvements in this release demonstrate RNP’s commitment to:
-
Providing deployment flexibility
-
Maintaining strong security standards
-
Improving compatibility with other implementations
-
Enhancing developer experience
For detailed technical information and the complete list of changes, please visit the RNP v0.16.0 release page.