Re: [openpgp] SHA1 Linter & Fixer

"Neal H. Walfield" <neal@walfield.org> Wed, 18 November 2020 13:06 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC083A1878 for <openpgp@ietfa.amsl.com>; Wed, 18 Nov 2020 05:06:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uRWm_sW-XMaA for <openpgp@ietfa.amsl.com>; Wed, 18 Nov 2020 05:06:02 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B7423A1884 for <openpgp@ietf.org>; Wed, 18 Nov 2020 05:06:02 -0800 (PST)
Received: from pd9e79cc0.dip0.t-ipconnect.de ([217.231.156.192] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1kfN9r-0007N5-C8; Wed, 18 Nov 2020 13:05:59 +0000
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1kfN9q-0003Am-R9; Wed, 18 Nov 2020 14:05:59 +0100
Date: Wed, 18 Nov 2020 14:05:58 +0100
Message-ID: <87tutm3jd5.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: openpgp@ietf.org, devel@lists.sequoia-pgp.org
In-Reply-To: <20201025010343.GA1089002@fullerene.field.pennock-tech.net>
References: <87sga5xg03.wl-neal@walfield.org> <20201023192317.GA444398@fullerene.field.pennock-tech.net> <87lffvy6kf.wl-neal@walfield.org> <20201025010343.GA1089002@fullerene.field.pennock-tech.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?ISO-8859-4?Q?Goj=F2?=) APEL/10.8 EasyPG/1.0.0 Emacs/26 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/FNIBDsLJAtZ9rQHmi_PCuIJ0FJs>
Subject: Re: [openpgp] SHA1 Linter & Fixer
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 13:06:04 -0000

Hi Phil,

On Sun, 25 Oct 2020 02:03:43 +0100,
Phil Pennock wrote:
> I held off on "asking others to write software for me" in the previous
> post, keeping it to "this exists now".  This time around, I'm throwing
> out a "Hey, pgpkey-sanitycheck would be a nice tool to have, folks" and
> running away.

I've written a certificate linter and fixer that does what you want, I
think.  You can find it here:

  https://gitlab.com/sequoia-pgp/keyring-linter
  https://crates.io/crates/sequoia-keyring-linter

It detects and optionally fixes the following three types of issues:

  - A User ID's current self signature relies on SHA-1;
  - A Subkey's current binding signature relies on SHA-1; and,
  - A Signing-capable subkey's current primary key binding signature
    (backsig) relies on SHA-1.

To just lint a key, one would do:

  $ sq-keyring-linter microsoft.asc
  Certificate 6CC73355668F7B75 is not valid under the standard policy
  Certificate 6CC73355668F7B75 contains a User ID ("Microsoft Security Notifications <securitynotifications@e-mail.microsoft.com>") protected by SHA-1
  Examined 1 certificate.
    0 certificates are invalid and were not linted. (GOOD)
    1 certificate was linted.
    1 of the 1 linted certificates (100%) has at least one issue. (BAD)
  1 certificate has at least one non-revoked User IDs:
    1 has at least one User IDs protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
  0 certificates have at least one non-revoked, live subkeys:
    0 have at least one non-revoked, live subkeys with a binding signature that uses SHA-1. (GOOD)
  0 certificates have at least one non-revoked, live, signing-capable subkeys:
    0 certificates have at least one non-revoked, live, signing-capable subkeys with a strong binding signature, but a backsig that uses SHA-1. (GOOD)

The tool lists the specific issues that it finds and then prints show
statistics.  The statistics are more useful when examining a keyring:

  $ sq-keyring-linter  /usr/share/keyrings/debian-keyring.gpg
  ...
  Examined 885 certificates.
    1 certificate is invalid and was not linted. (BAD)
    884 certificates were linted.
    207 of the 884 linted certificates (23%) have at least one issue. (BAD)
  884 certificates have at least one non-revoked User IDs:
    169 have at least one User IDs protected by SHA-1. (BAD)
    106 have all User IDs protected by SHA-1. (BAD)
  836 certificates have at least one non-revoked, live subkeys:
    160 have at least one non-revoked, live subkeys with a binding signature that uses SHA-1. (BAD)
  230 certificates have at least one non-revoked, live, signing-capable subkeys:
    10 certificates have at least one non-revoked, live, signing-capable subkeys with a strong binding signature, but a backsig that uses SHA-1. (BAD)


To fix a key, you need the secret key material.  If that's available,
it's straightforward:

  $ gpg --export-secret-key 4BE50C526C743502 | sq-keyring-linter --fix | gpg --import
  Certificate 4BE50C526C743502 is not valid under the standard policy
  Certificate 4BE50C526C743502 contains a User ID ("SHA1 User ID, SHA256 Subkeys <sha1-user-id-sha256-subkeys@example.org>") protected by SHA-1
  Certificate 4BE50C526C743502, key CC6387BFA4D9263D uses a SHA-1-protected binding signature.
  Examined 1 certificate.
    0 certificates are invalid and were not linted. (GOOD)
    1 certificate was linted.
    1 of the 1 linted certificates (100%) has at least one issue. (BAD)
  1 certificate has at least one non-revoked User IDs:
    1 has at least one User IDs protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
  1 certificate has at least one non-revoked, live subkeys:
    1 has at least one non-revoked, live subkeys with a binding signature that uses SHA-1. (BAD)
  1 certificate has at least one non-revoked, live, signing-capable subkeys:
    0 certificates have at least one non-revoked, live, signing-capable subkeys with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
  gpg: key 4BE50C526C743502: "SHA1 User ID, SHA256 Subkeys <sha1-user-id-sha256-subkeys@example.org>" 2 new signatures
  gpg: Total number processed: 1
  gpg:         new signatures: 2

Looking at the output, we see that two issues were corrected.


Although you can build from source, if you are on Debian, the latest
version of the tool, 0.3.0, should hit Debian unstable in the next few
days (thanks dkg!).  (The current version, 0.1.0, in Debian only
includes the linter functionality.)

  https://packages.debian.org/sid/sq-keyring-linter

If you have any feedback on the concept, I suspect that replying here
would be okay.  But tool-specific issues are probably off topic and
should go to the tool's issue tracker or our mailing list
(devel@sequoia-pgp.org, cc'ed):

  https://gitlab.com/sequoia-pgp/keyring-linter/-/issues

Thanks!

:) Neal