New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verifying user revocation certificate (DSA) fails #765
Comments
OpenPGP.js currently doesn't support non-self revocation signatures, and never has. However, versions before 3.0.0 had a Ideally we should provide a way to pass the "authorized revocation key", and use it to check the revocation signature. Another use case for passing "other keys" would be non-self key certifications, as e.g. discussed in the context of #740. |
Just to be clear to not mix up user revocation and key revocation: in the test keys above there is a user of a key that was signed by another key, and then later the other key also attached a revocation certificate to that user, thereby revoking the initial signature. But the other key could never revoke the first key itself. Except for the fact that https://tools.ietf.org/html/rfc4880#section-5.2.3.15 allows to specify a third-party revocation key. Non-self user revocation signatures are not relevant for So verify shouldn't have been called for the non-self user revoke certificate in the test key above in the first place, but when it is called it shouldn't throw an exception. Non-self user revocation certificates are then only relevant for User.prototype.verifyAllCertifications, but this feature is not supported in OpenPGP.js v2-4.
I see "authorized revocation key" only in the context of https://tools.ietf.org/html/rfc4880#section-5.2.3.15. Had only a brief look at #740 but my tendency here is to implement such features on the application level and not in the library. |
Unrelated: would be good to have the info about deprecation of V3 keys in OpenPGP.js in the v4 release notes. |
Thanks for the clarification. You're right that in this case the revocation signature is irrelevant and should be ignored.
Revocation signatures from authorized keys are, right? AFAICT those could revoke the user binding self-signature, and they would have the same signature type and appear in the same place. Hopefully those would have a Signature Target subpacket, otherwise I don't quite see how to easily distinguish them. I'm also curious what GPG does when it encounters such a signature but doesn't have the signing key. (I know this is a bit out of scope for this issue, I'm just trying to make sure we don't accidentally accept keys which GPG would reject, for example.)
Thanks, done. |
Right, authorized keys are mentioned here:
Interesting, I would say if you are not able to verify the revoke signature then it should not be seen as valid. But I can try to find out how this is handled in GPG. Thanks for adding v3 keys to the release notes! |
|
Thanks for looking into it. I think we should do the same thing, mainly because if someone uploads a revocation certificate like that to a keyserver, they'd expect the user ID to no longer be used. I'd personally be fine with simply throwing "Authorized revocation keys are currently not supported" in Off topic, but another interesting comment from getkey.c is:
AFAICT we don't do that, so there are probably some keys out there which GPG accepts and we reject. |
I'm wondering, at the time you are able to throw the exception you have almost done everything required to support this feature: 1. detect Revocation Key subpacket, 2. check issuerKeyId equals revocation key, 3. verify revocation signature. Given that you have the revocation key to verify, if not then the revocation would be ignored.
Yes, I think this could be implemented in the course of a revised getLatestSignature method as described in #762 |
The Revocation Key subpacket only contains the fingerprint of the revocation key, not the key itself. So we'd also need a way to pass additional keys, and then select the revocation key from those by fingerprint (we already have |
But you have already the key parameter in isDataRevoked that is used to verify the revocation signature and this is also the key that corresponds to the the fingerprint of the revocation key in the subpacket, no? |
Currently, |
Hi, just catching up on this issue. When evaluating a non-self revocation signature:
|
@sanjanarajan I think 2. we can only implement if we have the issuer key. Any information in a signature should not be seen as valid unless the signature has been verified. So the issuer keyid in the signature is not a valid information if we don't have the corresponding key. I would propose to not throwing an error here, because we can't verify the claim of the revocation signature. |
Any information in a signature should not be seen as valid unless the signature has been verified, but it is also dangerous to not even provide the user the opportunity to verify this signature. So I agree that we should just implement the full 2. solution allowing other issuer keys to be passed in. If, however, we implement this full solution and a user does not pass in the issuer key, then I do think we need to throw an error here. Otherwise, this completely defeats the purpose of authorized revocation keys. |
Not sure what this means for the interfaces. So let's say we add the issuer key parameter to It gets worse when these errors are propagated to So overall, this feature adds quite some complexity. Probably it would be good to have a more fine grained error system in OpenPGP.js than the binary success/exception for such cases. Do we have a real world requirement for this feature? I don't know of any PGP UI applications that allows to generate a key with a revocation key subpacket or a signature target subpacket. Also the initial problem reported in this issue was related to the problem that if another person signs one user of my key, then they can also revoke such a signature, which would be much easier to implement than the revocation key subpacket feature. |
As far as a "real world requirement", I don't know of one off-hand, but given that this is specified in the RFC as a valid method of revocation and the same case is handled in GPG by throwing an error, it's certainly the safer choice not to accept these keys. Anyway, while I agree that this feature adds some complexity (though this complexity is inherent in the RFC), it could be as simple as allowing an optional array of verification keys to be passed in and used whenever necessary. The checks could simply be done in the same places in the code as the current self certificate verifications.
I'm not sure exactly what you mean here. What I proposed in my previous comment for a case like this (Case 1) is that these certifications be ignored when determining user validity, as whether or not they verify is irrelevant to user validity anyway. Is this not the desired behavior? |
I talked to Werner from the GnuPG team how this situation is handled and he said that it's a very rarely used feature. It could happen that the designated revocation key is missing and this situation should trigger a warning.
This would spread out to all consumers of
Yes, they are not relevant for the user validity. I just wanted to point out that my initial post (#765 (comment)) in this issue is neither about Case 1 or 2 and what I described as "non-self user revoke certificate" is a certificate from a person that revokes a previous certificate of that same person on a user id. |
One of my old test keys throws an exception in v4.0.1 with
key.getPrimaryUser
:"TypeError: Cannot read property 'toBN' of undefined" at https://github.com/openpgpjs/openpgpjs/blob/master/src/crypto/signature.js#L49 when verifying a non-self user revoke certificate:
Here is the key in question and the key that signed it:
Passwort äÄ??^^12 2 µ (DA0BDE5C) – public.asc.txt
Signing key public.asc.txt
The text was updated successfully, but these errors were encountered: