ietf-openpgp

Re: [openpgp] v5 sample key

2019-04-23 03:30:29
Hi!

On Mon, 22 Apr 2019 08:55, HeikoStamer(_at_)gmx(_dot_)net said:

There is no distinction between V3, V4, and V5 signatures resp. keys.
However, GnuPG computes the hash in function hash_public_key() for V5
keys in a different way: starting with octet 0x9a and a four-octet
length is given before the body of key packet is hashed.

That is because 12.2 (Key IDs and Fingerprints) has

   A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
   followed by the two-octet packet length, followed by the entire
   [...]
   A V5 fingerprint is the 256-bit SHA2-256 hash of the octet 0x9A,
   followed by the four-octet packet length, followed by the entire

I think it makes sense to keep the signature computation in sync with
the fingerprint computation.  Using the four-octet length and thus 0x9a
is important because it removes ambiguities if the key material is larger
than 2^16.

Thus, either this part should be specified in RFC 4880bis with more

I would prefer to fix this flaw in rfc4880bis 5.2.4 (Computing
Signatures):

-When a signature is made over a key, the hash data starts with the
+When a V4 signature is made over a key, the hash data starts with the
 octet 0x99, followed by a two-octet length of the key, and then body
-of the key packet. (Note that this is an old-style packet header for a
-key packet with two-octet length.) A subkey binding signature (type
-0x18) or primary key binding signature (type 0x19) then hashes the
-subkey using the same format as the main key (also using 0x99 as the
-first octet).  Primary key revocation signatures (type 0x20) hash only
-the key being revoked.  Subkey revocation signature (type 0x28) hash
-first the primary key and then the subkey being revoked.
+of the key packet; when a V5 signature is made over a key, the hash
+data starts with the octet 0x9a, followed by a four-octet length of
+the key, and then body of the key packet.  A subkey binding signature
+(type 0x18) or primary key binding signature (type 0x19) then hashes
+the subkey using the same format as the main key (also using 0x99 or
+0x9a as the first octet).  Primary key revocation signatures (type
+0x20) hash only the key being revoked.  Subkey revocation signature
+(type 0x28) hash first the primary key and then the subkey being
+revoked.
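
Review bot: the added sentences at the top of the hunk select the framing by signature version ("When a V4 signature is made over a key", "when a V5 signature is made over a key"), but the 12.2 text quoted earlier in this message ties 0x99 and 0x9A to the fingerprint version, and the stated goal is to keep the two computations in sync. As written, a reader cannot tell what to hash for a V4 signature over a V5 key or the reverse; suggest keying the rule on the key being hashed, for example "When a signature is made over a V5 key, the hash data starts with the octet 0x9a, followed by a four-octet length", or stating explicitly that the signature version governs. The same applies to "(also using 0x99 or 0x9a as the first octet)", which should say which octet a subkey gets. Minor: the removed note about the old-style packet header still explains the 0x99 case and could stay, and "and then body of the key packet" reads better as "and then the body of the key packet".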


PS. Taking the above issue into account the given V5 sample key is
recognized by LibTMCG as required:

Thanks for testing.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
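
The framing described in the quoted 12.2 text, as an added example that is not part of the original message and is not GnuPG or LibTMCG code: it builds the octets hashed for a V4 and a V5 key and shows why the two-octet length cannot carry a body larger than 2^16. The names `key_hash_data`, `fingerprint` and `sample_body` are hypothetical, and the sample bodies are constructed filler, not real keys.

```python
import hashlib
import struct


def key_hash_data(body: bytes) -> bytes:
    """Framing octet, length and key packet body, per the quoted 12.2 text.

    The key version is read from the first octet of the key packet body.
    """
    version = body[0]
    if version == 4:
        if len(body) > 0xFFFF:
            # A two-octet field cannot carry this length; truncating it
            # would make the framing ambiguous, so refuse instead.
            raise ValueError("V4 framing cannot encode more than 65535 octets")
        return b"\x99" + struct.pack(">H", len(body)) + body
    if version == 5:
        return b"\x9a" + struct.pack(">I", len(body)) + body
    raise ValueError(f"unsupported key version {version}")


def fingerprint(body: bytes) -> str:
    """SHA-1 over the V4 framing, SHA2-256 over the V5 framing."""
    algo = hashlib.sha1 if body[0] == 4 else hashlib.sha256
    return algo(key_hash_data(body)).hexdigest()


def sample_body(version: int, material_len: int) -> bytes:
    """Constructed stand-in for a key packet body; not a real key.

    Only the leading version octet is interpreted; the rest is filler.
    """
    return bytes([version]) + b"\x00" * 5 + b"\xaa" * material_len


if __name__ == "__main__":
    for version in (4, 5):
        body = sample_body(version, 32)
        framing = key_hash_data(body)[: len(key_hash_data(body)) - len(body)]
        print(f"V{version}: framing {framing.hex()}, "
              f"fingerprint {len(fingerprint(body)) * 4} bits")
    # A body above 2^16 octets only fits the four-octet V5 length.
    print("V5 large:", key_hash_data(sample_body(5, 70000))[:5].hex())
    try:
        key_hash_data(sample_body(4, 70000))
    except ValueError as exc:
        print("V4 large:", exc)
```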
