openpgp-card-sequoia: cleanup internal ptf() hack

This fixes the generation of a mismatching Fingerprint on the card and OpenPGP public key when using generate_key(), which may have been caused by inconsistent kek/kdf parameter use for some ECC decryption subkeys.
Heiko Schaefer 2023-09-05 18:31:21 +02:00
parent 01cc2caafc
commit 52a145528e
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
3 changed files with 9 additions and 36 deletions


@ -18,7 +18,6 @@ use openpgp_card_sequoia::Card;
use sequoia_openpgp::parse::Parse; use sequoia_openpgp::parse::Parse;
use sequoia_openpgp::policy::StandardPolicy; use sequoia_openpgp::policy::StandardPolicy;
use sequoia_openpgp::serialize::SerializeInto; use sequoia_openpgp::serialize::SerializeInto;
use sequoia_openpgp::types::{HashAlgorithm, SymmetricAlgorithm};
use sequoia_openpgp::Cert; use sequoia_openpgp::Cert;
use thiserror; use thiserror;
@ -225,13 +224,7 @@ pub fn test_keygen(tx: &mut Card<Transaction>, param: &[&str]) -> Result<TestOut
println!(" Generate subkey for Decryption"); println!(" Generate subkey for Decryption");
admin.set_algorithm(KeyType::Decryption, alg)?; admin.set_algorithm(KeyType::Decryption, alg)?;
let (pkm, ts) = admin.generate_key(KeyType::Decryption)?; let (pkm, ts) = admin.generate_key(KeyType::Decryption)?;
let key_dec = public_key_material_to_key( let key_dec = public_key_material_to_key(&pkm, KeyType::Decryption, &ts, None, None)?;
&pkm,
KeyType::Decryption,
&ts,
Some(HashAlgorithm::SHA256),
Some(SymmetricAlgorithm::AES128),
)?;
println!(" Generate subkey for Authentication"); println!(" Generate subkey for Authentication");
admin.set_algorithm(KeyType::Authentication, alg)?; admin.set_algorithm(KeyType::Authentication, alg)?;
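Review bot: Nothing visible in this hunk checks that the fingerprint the card stores for the decryption slot equals `key_dec.fingerprint()`, which is the mismatch this commit is about. `test_keygen` continues outside the hunk, so such a check may already exist further down. If it does not, comparing the card's stored fingerprint for each slot against the fingerprint of the key built here would turn this into a regression test. Without it, a later change to the default KDF/KEK parameters on either side could again yield a certificate whose subkey fingerprint differs from the one on the card, and no test would fail.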


@ -151,14 +151,11 @@ use openpgp_card::{Error, KeyType};
use sequoia_openpgp::cert::prelude::ValidErasedKeyAmalgamation; use sequoia_openpgp::cert::prelude::ValidErasedKeyAmalgamation;
use sequoia_openpgp::packet::key::SecretParts; use sequoia_openpgp::packet::key::SecretParts;
use sequoia_openpgp::packet::{key, Key}; use sequoia_openpgp::packet::{key, Key};
use sequoia_openpgp::types::{HashAlgorithm, SymmetricAlgorithm};
use crate::decryptor::CardDecryptor; use crate::decryptor::CardDecryptor;
use crate::signer::CardSigner; use crate::signer::CardSigner;
use crate::state::{Admin, Open, Sign, State, Transaction, User}; use crate::state::{Admin, Open, Sign, State, Transaction, User};
use crate::util::{ use crate::util::{public_key_material_and_fp_to_key, vka_as_uploadable_key};
public_key_material_and_fp_to_key, public_to_fingerprint, vka_as_uploadable_key,
};
mod decryptor; mod decryptor;
mod privkey; mod privkey;
@ -1185,24 +1182,6 @@ impl Card<Admin<'_, '_>> {
self.card().key_import(key, key_type) self.card().key_import(key, key_type)
} }
/// Wrapper fn for `public_to_fingerprint` that uses SHA256/AES128 as default parameters.
///
/// FIXME: This is a hack.
/// These parameters should probably be automatically determined based on the algorithm used?
fn ptf(
pkm: &PublicKeyMaterial,
time: KeyGenerationTime,
key_type: KeyType,
) -> Result<Fingerprint, Error> {
public_to_fingerprint(
pkm,
&time,
key_type,
Some(HashAlgorithm::SHA256), // FIXME
Some(SymmetricAlgorithm::AES128), // FIXME
)
}
/// Configure the `algorithm_attributes` for key slot `key_type` based on /// Configure the `algorithm_attributes` for key slot `key_type` based on
/// the algorithm `algo`. /// the algorithm `algo`.
/// This can be useful in preparation for [`Self::generate_key`]. /// This can be useful in preparation for [`Self::generate_key`].
@ -1241,6 +1220,7 @@ impl Card<Admin<'_, '_>> {
&mut self, &mut self,
key_type: KeyType, key_type: KeyType,
) -> Result<(PublicKeyMaterial, KeyGenerationTime), Error> { ) -> Result<(PublicKeyMaterial, KeyGenerationTime), Error> {
self.card().generate_key(Self::ptf, key_type) self.card()
.generate_key(crate::util::public_to_fingerprint, key_type)
} }
} }
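Review bot: The doc comment on `generate_key` (it starts outside this hunk) should state which parameters the stored fingerprint is computed with, because `crate::util::public_to_fingerprint` now fixes them and callers can no longer see the choice. Anyone who later builds the public key with explicit hash or symmetric-algorithm arguments would get a key whose fingerprint differs from the one written to the card. I would add a line such as `/// The fingerprint stored on the card uses Sequoia's default KDF/KEK parameters for ECC decryption keys; pass None for hash and sym to public_key_material_to_key to obtain a key with the same fingerprint.`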


@ -321,16 +321,16 @@ pub fn public_key_material_to_key(
/// Mapping function to get a fingerprint from "PublicKeyMaterial + /// Mapping function to get a fingerprint from "PublicKeyMaterial +
/// timestamp + KeyType" (intended for use with `CardApp.generate_key()`). /// timestamp + KeyType" (intended for use with `CardApp.generate_key()`).
/// ///
/// For ECC decryption keys, `hash` and `sym` can be optionally specified. /// For ECC decryption keys, `hash` and `sym` are set by Sequoia.
/// This fingerprint calculation is based on the parameters that get
/// selected in [`public_key_material_to_key`].
pub(crate) fn public_to_fingerprint( pub(crate) fn public_to_fingerprint(
pkm: &PublicKeyMaterial, pkm: &PublicKeyMaterial,
time: &KeyGenerationTime, time: KeyGenerationTime,
kt: KeyType, kt: KeyType,
hash: Option<HashAlgorithm>,
sym: Option<SymmetricAlgorithm>,
) -> Result<Fingerprint, Error> { ) -> Result<Fingerprint, Error> {
// Transform PublicKeyMaterial into a Sequoia Key // Transform PublicKeyMaterial into a Sequoia Key
let key = public_key_material_to_key(pkm, kt, time, hash, sym)?; let key = public_key_material_to_key(pkm, kt, &time, None, None)?;
// Get fingerprint from the Sequoia Key // Get fingerprint from the Sequoia Key
let fp = key.fingerprint(); let fp = key.fingerprint();
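Review bot: The new doc line "For ECC decryption keys, `hash` and `sym` are set by Sequoia" names two parameters that `public_to_fingerprint` no longer has, so a reader of the signature cannot tell what they refer to. I would reword it to `/// For ECC decryption keys the KDF hash and KEK cipher are passed as None, so Sequoia selects its defaults.` Since `public_key_material_to_key` still accepts explicit values, the `None, None` call also deserves a why-comment, for example `// None, None: must match what callers pass when building the key, or the fingerprints diverge`. The function body continues outside this hunk.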