ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] SHA1 Linter & Fixer

2020-11-18 07:06:20
from [Neal H. Walfield] [Permanent Link] 
Hi Phil,

On Sun, 25 Oct 2020 02:03:43 +0100,
Phil Pennock wrote:

I held off on "asking others to write software for me" in the previous
post, keeping it to "this exists now".  This time around, I'm throwing
out a "Hey, pgpkey-sanitycheck would be a nice tool to have, folks" and
running away.


I've written a certificate linter and fixer that does what you want, I
think.  You can find it here:

  https://gitlab.com/sequoia-pgp/keyring-linter
  https://crates.io/crates/sequoia-keyring-linter

It detects and optionally fixes the following three types of issues:

  - A User ID's current self signature relies on SHA-1;
  - A Subkey's current binding signature relies on SHA-1; and,
  - A Signing-capable subkey's current primary key binding signature
    (backsig) relies on SHA-1.

To just lint a key, one would do:

  $ sq-keyring-linter microsoft.asc
  Certificate 6CC73355668F7B75 is not valid under the standard policy
  Certificate 6CC73355668F7B75 contains a User ID ("Microsoft Security 
Notifications <securitynotifications(_at_)e-mail(_dot_)microsoft(_dot_)com>") 
protected by SHA-1
  Examined 1 certificate.
    0 certificates are invalid and were not linted. (GOOD)
    1 certificate was linted.
    1 of the 1 linted certificates (100%) has at least one issue. (BAD)
  1 certificate has at least one non-revoked User IDs:
    1 has at least one User IDs protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
  0 certificates have at least one non-revoked, live subkeys:
    0 have at least one non-revoked, live subkeys with a binding signature that 
uses SHA-1. (GOOD)
  0 certificates have at least one non-revoked, live, signing-capable subkeys:
    0 certificates have at least one non-revoked, live, signing-capable subkeys 
with a strong binding signature, but a backsig that uses SHA-1. (GOOD)

The tool lists the specific issues that it finds and then prints show
statistics.  The statistics are more useful when examining a keyring:

  $ sq-keyring-linter  /usr/share/keyrings/debian-keyring.gpg
  ...
  Examined 885 certificates.
    1 certificate is invalid and was not linted. (BAD)
    884 certificates were linted.
    207 of the 884 linted certificates (23%) have at least one issue. (BAD)
  884 certificates have at least one non-revoked User IDs:
    169 have at least one User IDs protected by SHA-1. (BAD)
    106 have all User IDs protected by SHA-1. (BAD)
  836 certificates have at least one non-revoked, live subkeys:
    160 have at least one non-revoked, live subkeys with a binding signature 
that uses SHA-1. (BAD)
  230 certificates have at least one non-revoked, live, signing-capable subkeys:
    10 certificates have at least one non-revoked, live, signing-capable 
subkeys with a strong binding signature, but a backsig that uses SHA-1. (BAD)


To fix a key, you need the secret key material.  If that's available,
it's straightforward:

  $ gpg --export-secret-key 4BE50C526C743502 | sq-keyring-linter --fix | gpg 
--import
  Certificate 4BE50C526C743502 is not valid under the standard policy
  Certificate 4BE50C526C743502 contains a User ID ("SHA1 User ID, SHA256 
Subkeys <sha1-user-id-sha256-subkeys(_at_)example(_dot_)org>") protected by 
SHA-1
  Certificate 4BE50C526C743502, key CC6387BFA4D9263D uses a SHA-1-protected 
binding signature.
  Examined 1 certificate.
    0 certificates are invalid and were not linted. (GOOD)
    1 certificate was linted.
    1 of the 1 linted certificates (100%) has at least one issue. (BAD)
  1 certificate has at least one non-revoked User IDs:
    1 has at least one User IDs protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
  1 certificate has at least one non-revoked, live subkeys:
    1 has at least one non-revoked, live subkeys with a binding signature that 
uses SHA-1. (BAD)
  1 certificate has at least one non-revoked, live, signing-capable subkeys:
    0 certificates have at least one non-revoked, live, signing-capable subkeys 
with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
  gpg: key 4BE50C526C743502: "SHA1 User ID, SHA256 Subkeys 
<sha1-user-id-sha256-subkeys(_at_)example(_dot_)org>" 2 new signatures
  gpg: Total number processed: 1
  gpg:         new signatures: 2

Looking at the output, we see that two issues were corrected.


Although you can build from source, if you are on Debian, the latest
version of the tool, 0.3.0, should hit Debian unstable in the next few
days (thanks dkg!).  (The current version, 0.1.0, in Debian only
includes the linter functionality.)

  https://packages.debian.org/sid/sq-keyring-linter

If you have any feedback on the concept, I suspect that replying here
would be okay.  But tool-specific issues are probably off topic and
should go to the tool's issue tracker or our mailing list
(devel(_at_)sequoia-pgp(_dot_)org, cc'ed):

  https://gitlab.com/sequoia-pgp/keyring-linter/-/issues

Thanks!

:) Neal

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: [openpgp] SHA1 Linter & Fixer, Neal H. Walfield <=
Previous by Date:  Re: [openpgp] Mitigation of Attacks on Email End-to-End Encryption, Daniel Kahn Gillmor
Next by Date:  [openpgp] OpenPGP wg notes for saag, Stephen Farrell
Previous by Thread:  [openpgp] Robert Wilton's No Objection on charter-ietf-openpgp-02-02: (with COMMENT), Robert Wilton via Datatracker
Next by Thread:  [openpgp] OpenPGP wg notes for saag, Stephen Farrell
Indexes:  [Date] [Thread] [Top] [All Lists]