Authenticating with OpenPGP certificates with primary keys marked S2K_GNU_EXT fails

Nikos Mavrogiannopoulos nmav at
Mon Jan 30 22:07:17 CET 2012

On 01/30/2012 06:31 AM, Sean Buckheister wrote:

> Hello,
> today I stumbled across a (from my point of view) major problem with
> OpenPGP certificate handling: it doesn't work when a certificate has no
> private keying material in it's primary key.
> Apparently, the ability to read such keys was added to the library in
> late 2008 [0], but only the loader was touched. Loading such a key fails
> when used for TLS authentication, even when there is at least one
> unencrypted, active subkey with Sign/Authenticate capabilities.
> This finally fails, reading the S2K. Somehow the packet gets shortened

> by two bytes during export. This is due to the exporter not knowing

> about S2K_GNU_EXT, telling it how long one of those S2Ks is fixes the
> problem nicely. A patch that does this (three lines in total, but about
> a day worth of digging through code) is attached.

Thank you! The patch has been applied.


More information about the Gnutls-devel mailing list