openpgp: Entity.SignIdentity uses wrong signature type, PublicKey.VerifyUserIdSignature #7371

Closed
gopherbot opened this issue Feb 20, 2014 · 5 comments

Comments

@gopherbot

by damien@commerceguys.com:

What steps will reproduce the problem?

`Entity.SignIdentity()` uses `Signature.SignKey()` (which is the algorithm for subkey
binding signature - type 0x18) instead of `Signature.SignUserId()` (which is the
algorithm for certification signature - type 0x10).

As a consequence, the signatures generated by Go fail validation in `gpg`.

In addition, `PublicKey.VerifyUserIdSignature()` is implemented in such a way that it
can only check self-signed certification signature. It builds the signed hash using the
public key of the *signer entity* instead of the public key of the *signed entity* (that
it doesn't have).

Attached is a partial test program for this. I cannot actually verify the signature
because of the above.

Which version are you using?  (run 'go version')

1.2

Attachments:

  1. openpgp-sign-entity-bug.go (779 bytes)
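
The two hashing rules contrasted in the report above, following RFC 4880 section 5.2.4, as an added example (it is not the attached test program and not code from go.crypto; it uses only the standard library, and the key bodies are constructed placeholder bytes, not real key material):

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hashKey writes a key body as it is hashed: 0x99, 2-octet length, body.
func hashKey(b *bytes.Buffer, body []byte) {
	b.WriteByte(0x99)
	binary.Write(b, binary.BigEndian, uint16(len(body)))
	b.Write(body)
}

// finish appends a v4 trailer (RSA, SHA-256, no hashed subpackets) and hashes.
func finish(b *bytes.Buffer, sigType byte) [32]byte {
	b.Write([]byte{4, sigType, 1, 8, 0, 0, 4, 0xff, 0, 0, 0, 6})
	return sha256.Sum256(b.Bytes())
}

// CertificationDigest covers the signed key and the User ID (type 0x10).
func CertificationDigest(signedKey []byte, userID string) [32]byte {
	var b bytes.Buffer
	hashKey(&b, signedKey)
	b.WriteByte(0xB4) // User ID prefix, followed by a 4-octet length
	binary.Write(&b, binary.BigEndian, uint32(len(userID)))
	b.WriteString(userID)
	return finish(&b, 0x10)
}

// SubkeyBindingDigest covers the primary key and a subkey (type 0x18).
func SubkeyBindingDigest(primary, subkey []byte) [32]byte {
	var b bytes.Buffer
	hashKey(&b, primary)
	hashKey(&b, subkey)
	return finish(&b, 0x18)
}

func main() {
	alice, bob := []byte("constructed-key-A"), []byte("constructed-key-B") // not real keys
	uid := "Alice <alice@example.org>"
	want := CertificationDigest(alice, uid) // digest for Bob certifying Alice's identity
	fmt.Println("0x18 digest matches:", SubkeyBindingDigest(bob, alice) == want)
	fmt.Println("signer-key digest matches:", CertificationDigest(bob, uid) == want)
	fmt.Println("self-signature matches:", CertificationDigest(alice, uid) == want)
}
```

Only the self-signature case yields the same digest when the signer's key is hashed in place of the signed key, which is why the verification problem stays hidden until a cross-signature is checked.
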
@gopherbot
Author

Comment 1 by damien@commerceguys.com:

Attached patch that fixes the issue with Entity.SignIdentity(). The second requires an
API break, so I'm not sure how to proceed from there.

Attachments:

  1. openpgp-sign-identity.patch (488 bytes)

@bradfitz
Contributor

Comment 2:

Labels changed: added repo-crypto.

Owner changed to @agl.

Status changed to Accepted.

@agl
Contributor

agl commented Feb 28, 2014

Comment 3:

I've not had a chance to look at this yet and I'm traveling next week. I'm afraid it'll
probably be a couple of weeks until I can now.

@gopherbot
Author

Comment 4:

CL https://golang.org/cl/96240043 mentions this issue.

@agl
Contributor

agl commented May 12, 2014

Comment 5:

This issue was closed by revision golang/crypto@84ca184.

Status changed to Fixed.

@mikioh mikioh changed the title go.crypto/openpgp: Entity.SignIdentity uses wrong signature type, PublicKey.VerifyUserIdSignature openpgp: Entity.SignIdentity uses wrong signature type, PublicKey.VerifyUserIdSignature Jan 8, 2015
cheffo pushed a commit to cheffo/crypto that referenced this issue Mar 4, 2015
Entity.SignIdentity used the wrong signature function and produced invalid
certification signatures. Fixed.

VerifyUserIdSignature was used for checking the self-signature on an identity,
but didn't support anything but a self-signature. This change alters the
low-level API so that checking cross-signatures is possible.

Fixes golang/go#7371.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/96240043
benburkert pushed a commit to benburkert/openpgp that referenced this issue Feb 29, 2016
@golang golang locked and limited conversation to collaborators Jun 25, 2016
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
c-expert-zigbee added a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
This issue was closed.