python-pgpdump icon indicating copy to clipboard operation
python-pgpdump copied to clipboard

Published 20 hours ago verified publisher icon toofishes

Support for parsing smartcard/HSM related fields (mode 1002, gnu-divert-to-card S2K)

Open hiviah opened this issue 12 years ago • 4 comments

The patch allows parsing SecretKeyPacket and SecretSubkeyPacket that are tied to smartcard reader.

Sample keyfile generated by gpg --export-secret-key is here.

hiviah avatar Feb 03 '13 14:02 hiviah

Hey! Thanks for looking into this. I did a quick spike to see the minimum changes necessary to support mode 1002 packets and came up with this commit- 9f41365f5e63f64. I also used your provided sample keyfile to write a test case included in that commit, the test data landed in f3020bc5. Thanks for providing this; all tests are passing in the supported python platforms.

I'm definitely interested in the rest of what your commit did, but couldn't find any resources out there with regards to the afterkey_offset stuff you added. Nothing at all dealing with secret key fingerprints or key IDs seems to be out there- from what I can tell you usually identify a secret key by the public key fingerprint anywhere. Do you have a better source of info than what I could (not) find?

toofishes avatar Feb 03 '13 17:02 toofishes

The afterkey_offset stuff follows from the fact that public key is substring of private key - by combination of RFC 4880 section 12.2 with sections 5.5.1.3 and 5.5.1.4:

A Secret-Key packet contains all the information that is found in a
Public-Key packet, including the public-key material, but also
includes the secret-key material after all the public-key fields.

I added also an ElGamal and DSA test keys which I used for testing. With the afterkey_offset, the fingerprints and key_ids are consistent with identically-named fields of public key.

BTW this is a great project, it was quite challenging to find a decent parser of pgp packet format.

hiviah avatar Feb 04 '13 02:02 hiviah

Thanks for the follow-up info. I'm a bit busy this week but can incorporate these keys into more test cases and then see where that takes us.

No problem on providing the project, I also found parsers were hard to come by so decided to take a stab at it. Thanks to you and others for contributing code for many more of the packet types that I didn't implement for my own needs. If you don't mind me asking, what kind of project are you using it in?

toofishes avatar Feb 04 '13 14:02 toofishes

I wanted to fix gnupg-pkcs11-scd to allow importing existing GPG keys to PKCS11 token/smartcard. Currently it seems that the only way to do it is quite hackish:

  • export the GPG secret key
  • convert actual private keys/subkeys to PEM and move to smartcard
  • augment the packet structure of exported GPG key by adding the divert-to-smartcard S2K, strip private-key parts
  • reimport back to gnupg

hiviah avatar Feb 04 '13 16:02 hiviah