x/crypto/openpgp: silently fail to read keyring when smartcard stub is present #9312
Comments
Can I do anything to help with the resolution of this issue? It's blocking some of my users...
I took a peek at it, but this is my first dive into RFC4880 so some things are still unclear to me.
I could do the analysis, but I'm afraid writing a patch is beyond my understanding of the OpenPGP standard at this point... [1] https://github.com/golang/crypto/blob/master/openpgp/packet/private_key.go#L67-L80
The hexdump from @jvehent is an example of a gnupg extension S2K type, which can be identified by the
Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed. If this is a security issue, please email [email protected] and we will assess it and provide a fix. If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here. If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.
When a GPG secring contains a smartcard stub, the openpgp package fails to read the keyring correctly and does not return an error. A call to `openpgp.ReadKeyRing()` will return the entities that precede the stub, excluding the entity located right before the stub. For example, if a secring contains 3 entities and the smartcard stub is in position 3, then `openpgp.ReadKeyRing()` will only return the first entity. The second entity and the stub are ignored. No error is returned.

Steps to reproduce:
1. Create a keyring with two regular 1024 bits RSA keys
2. Import a smartcard stub from a yubikey into the keyring
3. Attempt to read the entities in the keyring. Only the first entity is returned.
$ go run readkeyring.go
found 1 entities in keyring
reading entity with fingerprint 2FA49C2800342153CA439C90ADC366D34BACAA9F
source code:
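Because `ReadKeyRing()` returns no error in this situation, the only signal a caller gets is a lower entity count than expected. The following scanner is an added example (not the reporter's `readkeyring.go` and not code from x/crypto) that walks the raw packets of a secring with the standard library only and reports which secret-key packets carry GnuPG's extension S2K specifier (type 101 followed by the bytes "GNU" and a mode byte; mode 2 is the divert-to-card stub written for a smartcard, mode 1 a dummy key). It parses only what is needed to reach the S2K field: the packet header, the v4 public-key part for RSA, DSA and ElGamal, and the S2K usage byte. The sample keyring is constructed inline with dummy MPIs and a made-up card serial `SN01`, laid out as three entities with the stub in position 3 as in the report:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet is one OpenPGP packet located in a keyring byte stream.
type Packet struct {
	Offset int
	Tag    byte
	Body   []byte
}

// StubInfo describes a GnuPG extension S2K ("GNU" stub) found in a secret-key packet.
type StubInfo struct {
	PacketIndex int
	Tag         byte   // 5 = secret key, 7 = secret subkey
	Mode        byte   // 1 = gnu-dummy, 2 = gnu-divert-to-card (smartcard stub)
	Serial      string // card serial number for mode 2, if present
}

// readPacketHeader decodes an old- or new-format packet header (RFC 4880 section 4.2).
func readPacketHeader(b []byte) (tag byte, hdrLen, bodyLen int, err error) {
	if len(b) < 2 || b[0]&0x80 == 0 {
		return 0, 0, 0, errors.New("truncated or malformed packet header")
	}
	c := b[0]
	if c&0x40 != 0 { // new-format header
		tag, l := c&0x3f, int(b[1])
		switch {
		case l < 192:
			return tag, 2, l, nil
		case l < 224 && len(b) >= 3:
			return tag, 3, ((l - 192) << 8) + int(b[2]) + 192, nil
		case l == 255 && len(b) >= 6:
			return tag, 6, int(binary.BigEndian.Uint32(b[2:6])), nil
		}
		return 0, 0, 0, errors.New("partial body lengths or truncated length not supported")
	}
	tag = (c >> 2) & 0x0f // old-format header
	switch c & 0x03 {
	case 0:
		return tag, 2, int(b[1]), nil
	case 1:
		if len(b) >= 3 {
			return tag, 3, int(binary.BigEndian.Uint16(b[1:3])), nil
		}
	case 2:
		if len(b) >= 5 {
			return tag, 5, int(binary.BigEndian.Uint32(b[1:5])), nil
		}
	}
	return 0, 0, 0, errors.New("indeterminate or truncated old-format length not supported")
}

// SplitPackets cuts a binary keyring into packets without interpreting their bodies.
func SplitPackets(ring []byte) ([]Packet, error) {
	var out []Packet
	for off := 0; off < len(ring); {
		tag, h, n, err := readPacketHeader(ring[off:])
		if err != nil {
			return nil, fmt.Errorf("offset %d: %w", off, err)
		}
		if off+h+n > len(ring) {
			return nil, fmt.Errorf("offset %d: packet body runs past end of keyring", off)
		}
		out = append(out, Packet{Offset: off, Tag: tag, Body: ring[off+h : off+h+n]})
		off += h + n
	}
	return out, nil
}

// skipMPIs returns the byte length of n consecutive MPIs (2-byte bit count + ceil(bits/8) bytes).
func skipMPIs(b []byte, n int) (int, error) {
	pos := 0
	for i := 0; i < n; i++ {
		if pos+2 > len(b) {
			return 0, errors.New("truncated MPI")
		}
		bits := int(binary.BigEndian.Uint16(b[pos:]))
		pos += 2 + (bits+7)/8
		if pos > len(b) {
			return 0, errors.New("truncated MPI")
		}
	}
	return pos, nil
}

// FindGNUStubs inspects every secret-key packet and reports GnuPG stubs. It only
// walks far enough into the packet to read the S2K specifier; it does not decrypt anything.
func FindGNUStubs(pkts []Packet) ([]StubInfo, error) {
	var stubs []StubInfo
	for i, p := range pkts {
		if p.Tag != 5 && p.Tag != 7 {
			continue
		}
		b := p.Body
		if len(b) < 6 || b[0] != 4 {
			return nil, fmt.Errorf("packet %d: only v4 keys are handled", i)
		}
		var nMPI int
		switch b[5] { // public-key algorithm decides how many MPIs precede the secret part
		case 1, 2, 3:
			nMPI = 2 // RSA: n, e
		case 16:
			nMPI = 3 // ElGamal: p, g, y
		case 17:
			nMPI = 4 // DSA: p, q, g, y
		default:
			return nil, fmt.Errorf("packet %d: public-key algorithm %d not handled", i, b[5])
		}
		n, err := skipMPIs(b[6:], nMPI)
		if err != nil {
			return nil, fmt.Errorf("packet %d: %w", i, err)
		}
		s := b[6+n:] // secret part: usage, [sym algo, S2K type, hash, ...]
		if len(s) < 1 {
			return nil, fmt.Errorf("packet %d: missing S2K usage byte", i)
		}
		if s[0] != 254 && s[0] != 255 {
			continue // unprotected (0) or legacy cipher-id usage: never a GnuPG stub
		}
		if len(s) < 8 || s[2] != 101 || string(s[4:7]) != "GNU" {
			continue // ordinary S2K (simple, salted, iterated)
		}
		info := StubInfo{PacketIndex: i, Tag: p.Tag, Mode: s[7]}
		if info.Mode == 2 && len(s) >= 9 && 9+int(s[8]) <= len(s) {
			info.Serial = string(s[9 : 9+int(s[8])])
		}
		stubs = append(stubs, info)
	}
	return stubs, nil
}

// makeSecretKeyPacket builds a v4 RSA secret-key packet (tag 5, old-format header) around
// the given secret part. The public MPIs n=3 and e=3 are constructed dummies, not a real key.
func makeSecretKeyPacket(secretPart []byte) []byte {
	body := append([]byte{4, 0, 0, 0, 0, 1, 0, 2, 3, 0, 2, 3}, secretPart...)
	return append([]byte{0x94, byte(len(body))}, body...)
}

func makeUserIDPacket(uid string) []byte { return append([]byte{0xB4, byte(len(uid))}, uid...) }

// SampleKeyring is a constructed secring: two software keys followed by a smartcard stub.
func SampleKeyring() []byte {
	plain := []byte{0, 0, 2, 3, 0, 2, 3, 0, 2, 3, 0, 2, 3, 0, 20} // usage 0, dummy d,p,q,u, checksum
	stub := []byte{255, 7, 101, 2, 'G', 'N', 'U', 2, 4, 'S', 'N', '0', '1'} // GNU divert-to-card
	var ring []byte
	ring = append(ring, makeSecretKeyPacket(plain)...)
	ring = append(ring, makeUserIDPacket("alice")...)
	ring = append(ring, makeSecretKeyPacket(plain)...)
	ring = append(ring, makeUserIDPacket("bob")...)
	ring = append(ring, makeSecretKeyPacket(stub)...)
	ring = append(ring, makeUserIDPacket("card")...)
	return ring
}

func main() {
	pkts, err := SplitPackets(SampleKeyring())
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	stubs, err := FindGNUStubs(pkts)
	if err != nil {
		fmt.Println("scan error:", err)
		return
	}
	fmt.Printf("%d packets, %d GnuPG stub(s)\n", len(pkts), len(stubs))
	for _, s := range stubs {
		fmt.Printf("packet %d (tag %d): GNU S2K mode %d, serial %q\n", s.PacketIndex, s.Tag, s.Mode, s.Serial)
	}
}
```

Running this over a real secring (read the file with `os.ReadFile` and pass it to `SplitPackets`) tells you which packet is the stub, so a mismatch between the number of secret-key packets and the number of entities `ReadKeyRing()` returns can be tied to it rather than silently accepted. The scanner deliberately stops at the S2K specifier: the fields that follow a stub differ from those of a normally protected key, and that difference is exactly where the package's parsing goes wrong per this report.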