Internal error returned from within gnutls_certificate_set_openpgp_key()

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Sep 23 12:23:01 CEST 2012


On 09/22/2012 08:53 PM, Joke de Buhr wrote:

> the internal error occurs with "lib/openpgp/privkey.c" during reimporting the 
> private key "gnutls_openpgp_privkey_import()" line 111.
> the key is exported into memory and imported from memory later on. the buffer 
> created for the export is exactly as big as the binary format export from 
> gnupg2. i did a memory dump via gdb and discovered the dumped key and the 
> original gnupg key differ in some places. the differences are locate within 
> the 
> files. gnupg seems to be able to import the dumped key again.
> i trace the origin of the error value back to read_subpkt() origination from
> 
> #0 read_subpkt() at opencdk/read-packet.c:609
> #1 read_signature() at opencdk/read-packet.c:788
> #2 cdk_pkt_read() at opencdk/read-packet.c:1076
> #3 cdk_keydb_get_keyblock() at opencdk/keydb.c:1820
> #4 cdk_kbnode_read_from_mem() at opencdk/kbnode.c:426
> #5 gnutls_openpgp_privkey_import() at openpgp/privkey.c:184
> #6 _gnutls_openpgp_privkey_cpy() at openpgp/privkey.c:110
> #7 gnutls_privkey_import_openpgp() at gnutls_privkey.c:590
> #8 gnutls_certificate_set_openpgp_key() at openpgp/gnutls_openpgp.c:106
> #9 main() at /dev/shm/test.c++:61
> read_subpkt sets nbytes in "read-paket.c:792". the nbytes is subtracted from 
> size.


I see this code expects size to get negative at some point,
so if you change the type of size to ssize_t does it help?

> if you need further information i need to know what i should be looking for.


Could you provide me with a scenario and the certificates needed to
reproduce it?

>> About the signing flags, you need them in order to use DHE-RSA and
>> ECDHE-RSA. Those two require RSA signatures. The RSA algorithm requires
>> an RSA encryption key. Does this explain what you notice?
> rfc6091 and the old rfc5081 both state in section 3.3 state:


Seeing that it seems some unfortunate mix of terminology. RFC4880 says
"Authentication via digital signatures", so authentication in this
context is signing, and from my discussions with OpenPGP people at that
time, I accepted that the term authentication key was used to mean the
signing key.

There is no big confusion (IMO) because RSA keys can be used for digital
signatures or encryption, and DSA keys for digital signatures (there is
no separate authentication usage).

> i don't know enough of openpgp certificate internals but the rfc doesn't 
> mention anything about a signing capable certificate. the gnutls documentation 
> on the other hand states in section 4 to use DHS_RSA the key must by capable 
> of signing.


This is correct.

regards,
Nikos

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120923/8e56db08/attachment.pgp>


More information about the Gnutls-help mailing list