
GopenPGP fails to verify detached signatures with unknown packet versions

Open teythoon opened this issue 5 years ago • 0 comments

Unknown versions of Signature packets should be ignored to allow for a smooth evolution of the OpenPGP message format.

  • https://tests.sequoia-pgp.org/#Detached_signatures_with_unknown_packets

Reproducer:

This is a fictitious v23 signature followed by a v4 signature:


This is the certificate to verify the v4 signature:


Interestingly, the verification succeeds if the v4 signature comes first, so it might just be a problem with detecting the kind of data:


teythoon, Aug 12 '20 12:08
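
The behaviour the issue asks for, shown at the packet-framing level as an added example (not GopenPGP's code and not part of the original issue): walk every packet of a detached signature, keep Signature packets whose version is supported, and skip unknown versions regardless of their position. `UsableSignatures`, `bodyLen` and the `supported` set are hypothetical names; the sketch assumes dearmored input with new-format packet headers and ignores non-Signature packets.

```go
package main

import (
	"errors"
	"fmt"
)

var supported = map[byte]bool{3: true, 4: true} // assumption: v3 and v4 are verifiable

// bodyLen decodes a new-format body length: (length octets, body length).
func bodyLen(b []byte) (int, int, error) {
	switch {
	case len(b) >= 1 && b[0] < 192:
		return 1, int(b[0]), nil
	case len(b) >= 2 && b[0] < 224:
		return 2, (int(b[0])-192)<<8 + int(b[1]) + 192, nil
	case len(b) >= 5 && b[0] == 255:
		return 5, int(b[1])<<24 | int(b[2])<<16 | int(b[3])<<8 | int(b[4]), nil
	}
	return 0, 0, errors.New("truncated or partial body length")
}

// UsableSignatures walks a dearmored detached signature and returns the
// Signature packet bodies with a supported version plus the versions skipped.
func UsableSignatures(data []byte) (sigs [][]byte, skipped []byte, err error) {
	for len(data) > 0 {
		if data[0]&0xC0 != 0xC0 {
			return nil, nil, errors.New("not a new-format packet header")
		}
		n, size, e := bodyLen(data[1:])
		if e != nil || size > len(data)-1-n {
			return nil, nil, errors.New("malformed packet length")
		}
		tag, body := data[0]&0x3F, data[1+n:1+n+size]
		data = data[1+n+size:]
		if tag == 2 && size > 0 && supported[body[0]] {
			sigs = append(sigs, body)
		} else if tag == 2 && size > 0 { // unknown version: skip, do not fail
			skipped = append(skipped, body[0])
		}
	}
	return sigs, skipped, nil
}

func main() {
	// Constructed sample: fictitious v23 packet, then a v4 packet (dummy bodies).
	sigs, skipped, err := UsableSignatures([]byte{0xC2, 3, 23, 0xAA, 0xBB, 0xC2, 2, 4, 0xCC})
	fmt.Println(len(sigs), skipped, err)
}
```

The returned bodies would then go to the actual signature verification; the result is the same whether the unknown-version packet comes first or last.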