Re: [openpgp] v5 sample key

Werner Koch <wk@gnupg.org> Tue, 23 April 2019 08:30 UTC

From: Werner Koch <wk@gnupg.org>
To: Heiko Stamer <HeikoStamer@gmx.net>
Cc: openpgp@ietf.org
References: <87sgvh1ugy.fsf@wheatstone.g10code.de> <aef8c02b-b672-83ce-57d3-1203179cc209@gmx.net>
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: Heiko Stamer <HeikoStamer@gmx.net>, openpgp@ietf.org
Date: Tue, 23 Apr 2019 10:28:26 +0200
In-Reply-To: <aef8c02b-b672-83ce-57d3-1203179cc209@gmx.net> (Heiko Stamer's message of "Mon, 22 Apr 2019 08:55:20 +0200")
Message-ID: <871s1tyvkl.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/HwoEHzNaheBupbCtQxtnjOPpYSY>
Subject: Re: [openpgp] v5 sample key

Hi!

On Mon, 22 Apr 2019 08:55, HeikoStamer@gmx.net said:

> There is no distinction between V3, V4, and V5 signatures resp. keys.
> However, GnuPG computes the hash in function hash_public_key() for V5
> keys in a different way: starting with octet 0x9a and a four-octet
> length is given before the body of key packet is hashed.

That is because 12.2 (Key IDs and Fingerprints) has

   A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
   followed by the two-octet packet length, followed by the entire
   [...]
   A V5 fingerprint is the 256-bit SHA2-256 hash of the octet 0x9A,
   followed by the four-octet packet length, followed by the entire

I think it makes sense to keep the signature computation in sync with
the fingerprint computation.  Using the four-octet length and thus 0x9a
is important because it removes ambiguities if the key material is larger
than 2^16.

> Thus, either this part should be specified in RFC 4880bis with more

I would prefer to fix this flaw in rfc4880bis 5.2.4 (Computing
Signatures):

-When a signature is made over a key, the hash data starts with the
+When a V4 signature is made over a key, the hash data starts with the
 octet 0x99, followed by a two-octet length of the key, and then body
-of the key packet. (Note that this is an old-style packet header for a
-key packet with two-octet length.) A subkey binding signature (type
-0x18) or primary key binding signature (type 0x19) then hashes the
-subkey using the same format as the main key (also using 0x99 as the
-first octet).  Primary key revocation signatures (type 0x20) hash only
-the key being revoked.  Subkey revocation signature (type 0x28) hash
-first the primary key and then the subkey being revoked.
+of the key packet; when a V5 signature is made over a key, the hash
+data starts with the octet 0x9a, followed by a four-octet length of
+the key, and then body of the key packet.  A subkey binding signature
+(type 0x18) or primary key binding signature (type 0x19) then hashes
+the subkey using the same format as the main key (also using 0x99 or
+0x9a as the first octet).  Primary key revocation signatures (type
+0x20) hash only the key being revoked.  Subkey revocation signature
+(type 0x28) hash first the primary key and then the subkey being
+revoked.
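
Review bot: In the added first sentence the prefix is selected by signature version ("when a V5 signature is made over a key"), while 12.2 as quoted above speaks of V4 and V5 fingerprints, and the parenthetical "also using 0x99 or 0x9a as the first octet" does not say which octet applies to the subkey. Suggest stating once what governs the choice and having the parenthetical refer back to it, for example "using the same first octet and length size as for the primary key". The change also drops the note that 0x99 is an old-style packet header with two-octet length; consider keeping it and adding the matching remark for 0x9a, since the new text no longer says where either octet comes from. Minor: "and then body of the key packet" reads better as "and then the body of the key packet" in both the V4 and V5 clauses.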


> PS. Taking the above issue into account the given V5 sample key is
> recognized by LibTMCG as required:

Thanks for testing.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
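
The framing discussed in this message, as an added Python example that is not part of the original mail and is not GnuPG code: it builds the octets hashed ahead of a key packet body for V4 (0x99, two-octet length) and V5 (0x9a, four-octet length) and shows why a two-octet length becomes ambiguous for bodies larger than 2^16. The function names are hypothetical and the key bodies are constructed zero-filled placeholders, not valid key packets.

```python
import hashlib
import struct


def key_hash_prefix(version: int, body: bytes) -> bytes:
    """Octets hashed ahead of the key packet body (hypothetical helper)."""
    if version == 4:
        if len(body) > 0xFFFF:
            # A two-octet length cannot describe this body; cutting it to
            # 16 bits would make the hashed framing ambiguous.
            raise ValueError("key body too large for 0x99 two-octet length")
        return b"\x99" + struct.pack(">H", len(body))
    if version == 5:
        return b"\x9a" + struct.pack(">I", len(body))
    raise ValueError(f"unsupported version {version}")


def fingerprint(version: int, body: bytes) -> bytes:
    """SHA-1 (V4) or SHA2-256 (V5) over prefix || body, per the quoted 12.2."""
    digest = hashlib.sha1 if version == 4 else hashlib.sha256
    return digest(key_hash_prefix(version, body) + body).digest()


def truncated_length(body: bytes) -> bytes:
    """What a two-octet field would hold if the length were cut to 16 bits."""
    return struct.pack(">H", len(body) & 0xFFFF)


if __name__ == "__main__":
    small = bytes(5)            # constructed placeholder body, 5 octets
    huge = bytes(0x10000 + 5)   # constructed placeholder body, 65541 octets

    # With only 16 bits both bodies would announce the same length.
    print(truncated_length(small).hex(), truncated_length(huge).hex())

    # The four-octet V5 prefix keeps them distinct.
    print(key_hash_prefix(5, small).hex(), key_hash_prefix(5, huge).hex())

    print(fingerprint(4, small).hex())
    print(fingerprint(5, huge).hex())
```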