Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for parsing smartcard/HSM related fields (mode 1002, gnu-divert-to-card S2K) #12

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Support for parsing smartcard/HSM related fields (mode 1002, gnu-divert-to-card S2K) #12

wants to merge 1 commit into from

Conversation

hiviah
Copy link
Contributor

@hiviah hiviah commented Feb 3, 2013

The patch allows parsing SecretKeyPacket and SecretSubkeyPacket that are tied to smartcard reader.

Sample keyfile generated by gpg --export-secret-key is here.

@toofishes
Copy link
Owner

Hey! Thanks for looking into this. I did a quick spike to see the minimum changes necessary to support mode 1002 packets and came up with this commit- 9f41365. I also used your provided sample keyfile to write a test case included in that commit, the test data landed in f3020bc. Thanks for providing this; all tests are passing in the supported python platforms.

I'm definitely interested in the rest of what your commit did, but couldn't find any resources out there with regards to the afterkey_offset stuff you added. Nothing at all dealing with secret key fingerprints or key IDs seems to be out there- from what I can tell you usually identify a secret key by the public key fingerprint anywhere. Do you have a better source of info than what I could (not) find?

@hiviah
Copy link
Contributor Author

hiviah commented Feb 4, 2013

The afterkey_offset stuff follows from the fact that public key is substring of private key - by combination of RFC 4880 section 12.2 with sections 5.5.1.3 and 5.5.1.4:

A Secret-Key packet contains all the information that is found in a
Public-Key packet, including the public-key material, but also
includes the secret-key material after all the public-key fields.

I added also an ElGamal and DSA test keys which I used for testing. With the afterkey_offset, the fingerprints and key_ids are consistent with identically-named fields of public key.

BTW this is a great project, it was quite challenging to find a decent parser of pgp packet format.

@toofishes
Copy link
Owner

Thanks for the follow-up info. I'm a bit busy this week but can incorporate these keys into more test cases and then see where that takes us.

No problem on providing the project, I also found parsers were hard to come by so decided to take a stab at it. Thanks to you and others for contributing code for many more of the packet types that I didn't implement for my own needs. If you don't mind me asking, what kind of project are you using it in?

@hiviah
Copy link
Contributor Author

hiviah commented Feb 4, 2013

I wanted to fix gnupg-pkcs11-scd to allow importing existing GPG keys to PKCS11 token/smartcard. Currently it seems that the only way to do it is quite hackish:

  • export the GPG secret key
  • convert actual private keys/subkeys to PEM and move to smartcard
  • augment the packet structure of exported GPG key by adding the divert-to-smartcard S2K, strip private-key parts
  • reimport back to gnupg

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hiviah @toofishes