ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] v5 sample key

2019-04-23 03:30:29
from [Werner Koch] [Permanent Link] 
Hi!

On Mon, 22 Apr 2019 08:55, HeikoStamer(_at_)gmx(_dot_)net said:


There is no distinction between V3, V4, and V5 signatures resp. keys.
However, GnuPG computes the hash in function hash_public_key() for V5
keys in a different way: starting with octet 0x9a and a four-octet
length is given before the body of key packet is hashed.


That is because 12.2 (Key IDS and Fingerprints) has

   A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
   followed by the two-octet packet length, followed by the entire
   [...]
   A V5 fingerprint is the 256-bit SHA2-256 hash of the octet 0x9A,
   followed by the four-octet packet length, followed by the entire

I think it makes sense to keep the signature computation in sync with
the fingerprint computation.  Using the four-octet length and thus 0x9a
is important because it remove ambiguities if the key material is larger
than 2^16.


Thus, either this part should be specified in RFC 4880bis with more


I would prefer to fix this flaw in rfc4880bis 5.2.4 (Computing
Signatures):

-When a signature is made over a key, the hash data starts with the
+When a V4 signature is made over a key, the hash data starts with the
 octet 0x99, followed by a two-octet length of the key, and then body
-of the key packet. (Note that this is an old-style packet header for a
-key packet with two-octet length.) A subkey binding signature (type
-0x18) or primary key binding signature (type 0x19) then hashes the
-subkey using the same format as the main key (also using 0x99 as the
-first octet).  Primary key revocation signatures (type 0x20) hash only
-the key being revoked.  Subkey revocation signature (type 0x28) hash
-first the primary key and then the subkey being revoked.
+of the key packet; when a V5 signature is made over a key, the hash
+data starts with the octet 0x9a, followed by a four-octet length of
+the key, and then body of the key packet.  A subkey binding signature
+(type 0x18) or primary key binding signature (type 0x19) then hashes
+the subkey using the same format as the main key (also using 0x99 or
+0x9a as the first octet).  Primary key revocation signatures (type
+0x20) hash only the key being revoked.  Subkey revocation signature
+(type 0x28) hash first the primary key and then the subkey being
+revoked.



PS. Taking the above issue into account the given V5 sample key is
recognized by LibTMCG as required:


Thanks for testing.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] AEAD Chunk Size, Werner Koch
Next by Date:  Re: [openpgp] v5 sample key, Heiko Stamer
Previous by Thread:  Re: [openpgp] v5 sample key, Heiko Stamer
Next by Thread:  Re: [openpgp] v5 sample key, Heiko Stamer
Indexes:  [Date] [Thread] [Top] [All Lists]