
RNP version 0.16.1 released

Nickolay Olshevsky on 06 Sep 2022

RNP 0.16.1 brings significant improvements in security policies, operational flexibility, and platform support.

Introduction

The release marks a major milestone in RNP’s evolution with comprehensive support for OpenSSL 3.0, enabling seamless integration with the latest enterprise Linux distributions.

Additionally, it introduces more nuanced security policies and several user-requested features that improve flexibility and ease of use.

Key highlights:

Other highlights:

  • Configurable timestamp override functionality

  • Improved handling of unknown packet versions

  • Automatic backend feature detection during build

  • Base64-encoded key import/export for Autocrypt

  • Two-year default key expiration time

Platform support improvements

OpenSSL 3.0 compatibility

OpenSSL 3.0 was released recently, and RNP 0.16.1 is the only OpenPGP implementation that fully supports it.

This feature enables:

  • Native compatibility with RHEL 9, CentOS Stream 9, and Fedora 36

  • Support for OpenSSL’s new provider architecture

  • Improved FIPS compatibility through OpenSSL 3.0’s FIPS provider

  • Enhanced performance through OpenSSL 3.0’s optimizations

The implementation ensures that RNP works seamlessly with these platforms' default cryptographic backends, eliminating the need for custom builds or external dependencies.

Security policy enhancements

SHA1 signature handling improvements

This release introduces a more sophisticated approach to SHA1 signatures:

  • Allows distinguishing between data and key signatures

  • Extended support for SHA1 key signatures until January 19, 2024 (2024-01-19)

  • More granular control over signature acceptance policies

  • Better compatibility with existing key infrastructure

This change allows organizations to maintain compatibility with legacy systems while gradually transitioning to stronger algorithms.
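A self-contained model of the data/key distinction described above, added here as an illustration and not taken from RNP's source or its FFI. The type names, the rule table and the data-signature cutoff are constructed for the example; only the 2024-01-19 key-signature date comes from this post, and the model assumes a rule is evaluated at the signature's creation time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not RNP's source: a rule marks a hash algorithm as
 * insecure for one kind of signature from a given Unix time onward. */
enum sig_usage { SIG_DATA = 1, SIG_KEY = 2 };
enum sec_level { LEVEL_INSECURE = 0, LEVEL_DEFAULT = 1 };

struct sec_rule {
    const char    *hash;  /* algorithm name, e.g. "SHA1" */
    unsigned       usage; /* bitmask of sig_usage values */
    int64_t        from;  /* rule applies to times >= from */
    enum sec_level level;
};

#define SHA1_KEY_CUTOFF  1705622400LL /* 2024-01-19 00:00:00 UTC, from the post */
#define SHA1_DATA_CUTOFF 1546300800LL /* 2019-01-01 UTC, constructed sample value */

static const struct sec_rule sample_rules[] = {
    {"SHA1", SIG_DATA, SHA1_DATA_CUTOFF, LEVEL_INSECURE},
    {"SHA1", SIG_KEY,  SHA1_KEY_CUTOFF,  LEVEL_INSECURE},
};
#define N_RULES (sizeof(sample_rules) / sizeof(sample_rules[0]))

/* Return the level of the newest rule that matches hash and usage and is
 * already in force at `when` (assumed: the signature creation time).
 * No matching rule means the algorithm is accepted. */
enum sec_level sig_level(const char *hash, enum sig_usage usage, int64_t when)
{
    const struct sec_rule *best = NULL;
    for (size_t i = 0; i < N_RULES; i++) {
        const struct sec_rule *r = &sample_rules[i];
        if (strcmp(r->hash, hash) != 0 || !(r->usage & usage) || r->from > when)
            continue;
        if (!best || r->from > best->from)
            best = r;
    }
    return best ? best->level : LEVEL_DEFAULT;
}

int main(void)
{
    int64_t t = 1662422400; /* 2022-09-06 UTC, the date of this post */
    printf("SHA1 data sig: %s\n", sig_level("SHA1", SIG_DATA, t) ? "accepted" : "rejected");
    printf("SHA1 key sig:  %s\n", sig_level("SHA1", SIG_KEY, t) ? "accepted" : "rejected");
    printf("SHA1 key sig at cutoff: %s\n",
           sig_level("SHA1", SIG_KEY, SHA1_KEY_CUTOFF) ? "accepted" : "rejected");
    return 0;
}
```

With the sample table, a SHA1 data signature and a SHA1 key signature made at the same moment get different verdicts, which is the behaviour the finer-grained policy makes possible.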

Key expiration defaults

A new security-focused default has been implemented:

  • Automatic 2-year expiration time for newly generated keys

  • Encourages regular key rotation practices

  • Aligns with modern security recommendations

  • Helps prevent the use of outdated keys

Operational improvements

Raw encryption support

The addition of raw encryption capabilities provides:

  • Ability to encrypt already-signed data

  • More flexible processing pipelines

  • Better integration with existing workflows

  • Improved performance for certain use cases

Timestamp control

New timestamp override functionality enables:

  • Testing of time-dependent operations

  • Reproduction of specific scenarios

  • Validation of expiration handling

  • Better debugging capabilities

Enhanced format handling

Several improvements make RNP more robust when dealing with various OpenPGP implementations:

  • Graceful handling of unknown packet versions

  • Support for base64-encoded keys in Autocrypt headers

  • More flexible packet processing

  • Improved interoperability

Developer improvements

Build system feature detection

The new automatic backend feature detection during build:

  • Simplifies configuration

  • Ensures optimal use of available crypto features

  • Reduces build-time errors

  • Improves portability

API enhancements

New FFI capabilities have been added:

  • rnp_op_encrypt_set_flags() with RNP_ENCRYPT_NOWRAP for raw encryption

  • Base64 encoding options for key import/export

  • Timestamp override functionality

  • Updated security rule functions

Looking ahead

RNP 0.16.1 sets a strong foundation for future development with its improved platform support and security policies. The changes demonstrate RNP’s commitment to:

  • Maintaining broad platform compatibility

  • Implementing flexible security policies

  • Improving usability and integration capabilities

  • Supporting modern cryptographic practices

For detailed technical information and the complete list of changes, please visit the RNP v0.16.1 release page.