rnp
rnp copied to clipboard
Published
20 hours ago •
rnpgp
rnpgp
`rnpkeys --import` rejects an OpenPGP certificate with a signature with an unknown subpacket unless i use `--permissive`
This OpenPGP certificate contains a "1st party approved 3rd party certifications" (1pa3pc) signature over its User ID:
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/Y
O+5Zi7HCiQQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDC
FWpcKYVJu36RAUlea/cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jC
snnp9FdYhaSSUW/vZ8kBAJByWljA9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20N
zRA8ZGtnQGRlYmlhbi5vcmc+wsARBBMWCgB5AwsJB0cUAAAAAAAeACBzYWx0QG5v
dGF0aW9ucy5zZXF1b2lhLXBncC5vcmeJfmd4tfVMI8Nwn0zRQg40bKLnzKDzjO7z
PB6DhHZ/7wMVCggCmwECHgEWIQTUdwQMcMIValwphUm7fpEBSV5r9wUCZadfkAUJ
BdnwRQAKCRC7fpEBSV5r9+owAP93bFzEmTyUj+lmhrot7LSQg3q939MHqd6TlUd/
iPPgfAEA7nf3V5/WPTDhsc2L1cgPVcANe42j/KZFWKuTYsnt0wrCwQAEFhYKAXIF
gmXD0MIJELt+kQFJXmv3RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt
cGdwLm9yZxSzeD6OCTQUteGo38Ue9DSic5eOjZ8oeSlQQ2UNjGDqFiEE1HcEDHDC
FWpcKYVJu36RAUlea/fAQaUW7nLWeB0XnOSQDsDyATT23t6kDcfNXwjXVYoSdrZD
HwvDA4IgZ+2YOx8h6t4UWxgdbptKy0MDoKpDj4N536WCc3kzvfuSzdirrt5eD6H0
hCoFh7MeVLvFeWodAXaTNJQMv3tUH8F4R8fbp92a1bm50FkJowd9c3boOuGbeGlz
UsDFLyMSw0H04PMlRHraE6voIIwPvcsv0AMADV+O+AkBsWCMYGFONn8+x13GeReN
2PUY7rpBJmljiO3Ol9e7PKLdvqQJhs68CgKgsW9tPSj/KCsCPcdLtXU7l4LpJw7i
zfAXUtL61Ce+LDs2qVtpxAbMIBdmM5DHJcjcFk0B4rwSAAAgmwEAuWxVaeAc1GmV
iBn26LX1pkbcVuMdsQW1Vjy4I6kBHl0BAJ5w+OaUAX9ubO8Wznwr7kEyizXTgnIu
e5ka9/f4TAMB
=56Jp
-----END PGP PUBLIC KEY BLOCK-----
When i try to import it with rnpkeys, i get a failure:
$ rnpkeys --import test.cert
[parse() ./src/librepgp/stream-sig.cpp:405] unknown subpacket : 37
[parse_v4() ./src/librepgp/stream-sig.cpp:1290] failed to parse hashed subpackets
[process_pgp_key_signatures() ./src/librepgp/stream-key.cpp:243] failed to parse signature at 422
failed to import key(s) from -, stopping.
Import finished: 0 keys processed, 0 new public keys, 0 new secret keys, 0 updated, 0 unchanged.
$ rnpkeys --version
rnp 0.17.0-3
Ribose Inc. <[email protected]>
Backend: Botan
Backend version: 2.19.4
Supported algorithms:
Public key: RSA, ELGAMAL, DSA, ECDH, ECDSA, EDDSA, SM2
Encryption: IDEA, TRIPLEDES, CAST5, BLOWFISH, AES128, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256, SM4
AEAD: None, EAX, OCB
Key protection: CFB
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, SHA3-256, SHA3-512, SM3
Compression: Uncompressed, ZIP, ZLIB, BZip2
Curves: NIST P-256, NIST P-384, NIST P-521, Ed25519, Curve25519, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp256k1, SM2 P-256
Please report security issues at (https://www.rnpgp.org/feedback) and
general bugs at https://github.com/rnpgp/rnp/issues.
$
If i try to import it without the 1pa3pc selfsig, rnpkeys imports it just fine. Likewise, if i import it with rnpkeys --import --permissive test.cert it also
rnpkeys being brittle here presents a challenge to the whole ecosystem for deploying any new kind of signature or subpacket.
I think this is related to #2204 -- it is almost certainly a similar policy issue.
