[Autocrypt] How to create the "raw key" part from an RSA key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri May 26 16:42:31 EDT 2017
Hi Bjoern--
On Wed 2017-05-24 23:36:49 +0200, Bjoern wrote:
> Okay, I've fixed the issues:
>
> - Primary key can 'sign+cert', subkey can 'encrypt'
> - No hash/algo/encryption preferences for subkeys
> - Reorder hash preferences
> - Disable bzip2 preference (don't know if this will be supported by
> Delta Chat for now).
thanks! these all look good to me.
A handful more notes:
* the self-sig over the User ID appears to use SHA-1. I recommend
using SHA-256 at least by default.
* the subkey binding signature also appears to be using SHA-1. Use
SHA-256 at least.
* your Base64 encoding ("ASCII armoring") seems to lack the appropriate
number of trailing padding = signs (in the example presented, it
should have had one trailing equal sign. See the section on padding
at the end of https://tools.ietf.org/html/rfc4880#section-6.3)
* In addition, it lacks the ASCII-armor checksum Vincent mentioned
upthread. See "Armor checksum" here:
https://tools.ietf.org/html/rfc4880#section-6.2
* GnuPG normally puts the signature issuer packet in the *non-hashed*
subpackets of the signature. you're putting them in the hashed
subpackets. I think what you're doing is fine, but be aware that
it's not what GnuPG does. See the bit about "Unhashed subpackets" in
https://tools.ietf.org/html/rfc4880#section-5.2.3
* You're including a Features subpacket (with the "Modification
Detection" mark) in your subkey binding packet. This is usually only
placed in a self-sig over a User ID. I recommend leaving it out of
the subkey binding signature packet.
> Regarding the "bad" signature for the "subkey binding": I could not
> reproduce this, e.g. gpg imports the key without obvious errors.
gpg imports the certificate as a whole while dropping packets that do
not cryptographically validate.
so after importing, i see:
0 dkg at alice:/tmp/cdtemp.9VwqB1$ gpg --list-keys
/tmp/cdtemp.9VwqB1/pubring.kbx
------------------------------
pub rsa2048 2017-05-24 [SC]
6D91ED79D32F0653588007CBC5DAD320A62EEC75
uid [ unknown] <foo at bar.de>
0 dkg at alice:/tmp/cdtemp.9VwqB1$
Note that there is no subkey present! it's been stripped.
> Which program do you use to check the subkey binding signature?
I used gpg, as shown above, and i also used Python's PGPy
implementation, like so:
import pgpy
# from_file returns the key plus any other blobs found in the file
(key, res) = pgpy.PGPKey.from_file('example.key')
# verify each subkey binding signature with the primary key
for keyid in key.subkeys:
    print(key.verify(key.subkeys[keyid]))
This should produce something like:
<SignatureVerification(True)>
but when i use your public key it prints:
<SignatureVerification(False)>
> (NB: I've implemented the subkey binding myself, didn't find it in
> Pep/Netpgp, here's the source
> https://github.com/r10s/deltachat-core/blob/master/src/mre2ee_driver_openssl.c#L152
> which is based upon Pep/Netpgp's selfsig here:
> https://github.com/r10s/deltachat-core/blob/master/libs/netpgp/src/keyring.c#L846
> )
When you get it working, you should submit the feature to netpgp-et
itself -- making a subkey binding is something that a standard OpenPGP
library should be able to do correctly, and it would be a nice
contribution to netpgp-et if the functionality isn't already there.
Thanks for working on this -- i hope this feedback is helpful!
-dkg
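The two armor problems above (missing base64 padding, missing armor
checksum) are easy to check mechanically. The following is an added
example, not code from dkg, Delta Chat or netpgp; it implements the CRC-24
from RFC 4880 section 6.1 and the padding rule from section 6.3 with only
the Python standard library. The function names (crc24, armor_checksum,
padding_ok, build_armor, verify_armor) and the sample bytes are
assumptions made for the example.

```python
import base64
import binascii

# RFC 4880 section 6.1: CRC-24 with initial value 0xB704CE and
# generator polynomial 0x1864CFB.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Return the 24-bit OpenPGP armor CRC of data (RFC 4880 reference algorithm)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """Armor checksum line: '=' followed by base64 of the 3-byte big-endian CRC."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def padding_ok(body: str) -> bool:
    """RFC 4880 section 6.3 padding rule: length a multiple of 4, at most two
    trailing '=' signs, and '=' nowhere else."""
    compact = "".join(body.split())
    if len(compact) % 4 != 0:
        return False
    stripped = compact.rstrip("=")
    return (len(compact) - len(stripped)) <= 2 and "=" not in stripped


def build_armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Constructed helper: produce a correctly padded and checksummed armored block."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        [f"-----BEGIN {block_type}-----", ""] + lines
        + [armor_checksum(data), f"-----END {block_type}-----", ""]
    )


def verify_armor(text: str) -> dict:
    """Parse an armored block and report on its padding and checksum.
    'data' holds the decoded bytes, or None if the body does not decode."""
    lines = text.strip().splitlines()
    if (not lines or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not an armored block")
    inner = lines[1:-1]
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    if "" in inner:
        inner = inner[inner.index("") + 1:]
    checksum_line = inner.pop() if inner and inner[-1].startswith("=") else None
    body = "".join(inner)
    result = {"padding_ok": padding_ok(body),
              "checksum_present": checksum_line is not None,
              "checksum_ok": False, "data": None}
    try:
        # validate=True rejects stray characters; missing padding raises too.
        data = base64.b64decode(body, validate=True)
    except binascii.Error:
        return result
    result["data"] = data
    if checksum_line is not None:
        result["checksum_ok"] = checksum_line == armor_checksum(data)
    return result


if __name__ == "__main__":
    # Constructed sample: 16 bytes, so the base64 body needs two '=' signs.
    sample = bytes(range(16))
    print(verify_armor(build_armor(sample)))
```

Running verify_armor over a block whose body has been emitted without its
trailing '=' signs reports padding_ok False and data None, which is the
failure mode described above; a block that decodes but carries no '=XXXX'
line before the END marker reports checksum_present False.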