Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/openpgp: Cannot encrypt when subkey has no key flags specified #32464

Closed
ianlopshire opened this issue Jun 6, 2019 · 1 comment
Closed

Comments

@ianlopshire
Copy link

@ianlopshire ianlopshire commented Jun 6, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/ilopshire/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/ilopshire/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.12/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.12/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/8w/307zd5sd2bg_5jgf8tcqvlps3hc0zx/T/go-build381813307=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I have been given a PGP public key by a third party where the sub-key signature contains no key flag sub-packet (see FRC 4880 5.2.3.21).

When the key flag sub-packet is missing the current implementation of x/crypto/openpgp assumes that the key shouldn't be used for anything. I've not been able to find anything in the OpenPGP spec that defines how this case should be handled, but I believe the GnuPG implementation assumes the key can be used for all of its capabilities.

pubKey := `-----BEGIN PGP PUBLIC KEY BLOCK-----
Version:   v1.2.1 (GNU/Linux)

mQ... (omitted for privacy)
-----END PGP PUBLIC KEY BLOCK-----`


entityList, err := openpgp.ReadArmoredKeyRing(strings.NewReader(pubKey))

in := strings.NewReader("hello world")
out := new(bytes.Buffer)

pt, err := openpgp.Encrypt(out, entityList, nil, &openpgp.FileHints{IsBinary: true}, nil)
if err != nil {
	log.Fatal(err)
}

if _, err := io.Copy(pt, in); err != nil {
	log.Fatal(err)
}

fmt.Println(out.Bytes())

I've omitted the actual public key in the above snippet to preserve the privacy of the third party I am working with. I am admittedly not an expert, but I have not had any luck generating a test key that has the key usage subpacket omitted.

What did you expect to see?

The encrypted output.

What did you see instead?

openpgp: invalid argument: cannot encrypt a message to key id [omitted] because it has no encryption keys
@gopherbot gopherbot added this to the Unreleased milestone Jun 6, 2019
@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Mar 29, 2021

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants