
This queue is for tickets about the Crypt-OpenPGP CPAN distribution.

Report information
The Basics
Id: 19482
Status: open
Priority: 0/
Queue: Crypt-OpenPGP

People
Owner: Nobody in particular
Requestors: distler [...] golem.ph.utexas.edu
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.03
Fixed in: (no value)



Subject: Does not handle public keys with multiple subkeys correctly
The attached file is signed using the signing subkey of Key ID 0xB7A9E538D7398C2F.

In commandline GnuPG, one can import that key from the keyserver, and verify the signature of the file.

1) Crypt::OpenPGP fails to import the key correctly. When the imported key is listed with GnuPG, one gets the error

gpg: subpacket of type 32 too short

2) Using the correctly-imported key (imported using GnuPG), Crypt::OpenPGP fails to verify the signature on the above file.

Results obtained using Perl 5.8.8 on MacOSX 10.4.6.
Subject: frank.txt
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As the whole interweb saw, I screwed up posting my public key previously. Jacques wrote to me to check if I had corrected my setup and offered some help-- what a guy! My key worked fine in that correspondence, and I've been able to import it successfully on a few different machines, so I'm hoping that this comment will verify using the public key on my website. Thanks for your help, Jacques! /au -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFEdektlHMl2/XbR4ERAtRUAJ9T1auCXUWRLDGaITjUOQd1enFrkQCgnl+d e13KUKxVXyOTxyEI66s7p7A= =zUfR -----END PGP SIGNATURE-----
From: sandals [...] crustytoothpaste.net
On Thu May 25 14:54:40 2006, guest wrote:
> The attached file is signed using the signing subkey of Key ID
> 0xB7A9E538D7398C2F.
>
> In commandline GnuPG, one can import that key from the keyserver, and
> verify the signature of the file.
>
> 1) Crypt::OpenPGP fails to import the key correctly. When the imported
> key is listed with GnuPG, one gets the error
>
> gpg: subpacket of type 32 too short

This is caused by Crypt::OpenPGP destroying subpackets it doesn't understand. Attached is a patch to get it to understand subpackets 30-32 and fix its parsing of type 5. With this fix, the only non-private-use subpackets it will destroy are those of type 10 (additional decryption key), which one can argue is a feature.

> 2) Using the correctly-imported key (imported using GnuPG),
> Crypt::OpenPGP fails to verify the signature on the above file.
Using Crypt::OpenPGP 1.06, it appears to verify correctly.
Subject: sig-subpacket-fixes.patch
diff --git a/lib/Crypt/OpenPGP/Signature/SubPacket.pm b/lib/Crypt/OpenPGP/Signature/SubPacket.pm index 9e61392..7948136 100644 --- a/lib/Crypt/OpenPGP/Signature/SubPacket.pm +++ b/lib/Crypt/OpenPGP/Signature/SubPacket.pm @@ -19,8 +19,8 @@ use vars qw( %SUBPACKET_TYPES ); w => sub { $_[0]->put_int8($_[1]) } }, 5 => { name => 'Trust signature', - r => sub { $_[0]->get_int8 }, - w => sub { $_[0]->put_int8($_[1]) } }, + r => sub { $_[0]->get_bytes(2) }, + w => sub { $_[0]->put_bytes($_[1], 2) } }, 6 => { name => 'Regular expression', r => sub { $_[0]->bytes }, @@ -108,6 +108,18 @@ use vars qw( %SUBPACKET_TYPES ); w => sub { $_[0]->put_int8($_[1]->{code}); $_[0]->put_bytes($_[1]->{reason}) } }, + + 30 => { name => 'Features', + r => sub { $_[0]->bytes }, + w => sub { $_[0]->append($_[1]) } }, + + 31 => { name => 'Signature target', + r => sub { $_[0]->bytes }, + w => sub { $_[0]->append($_[1]) } }, + + 32 => { name => 'Embedded signature', + r => sub { $_[0]->bytes }, + w => sub { $_[0]->append($_[1]) } }, ); sub new { bless { }, $_[0] }
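Review bot: In the first hunk, the type 5 (Trust signature) reader changes from get_int8 to get_bytes(2), so the value handed to callers becomes a raw two-byte string where it used to be an integer. Consider reading the two octets separately (level, then trust amount) with two get_int8 calls and writing them back with two put_int8 calls, in the style of the {code}/{reason} writer visible at the top of the second hunk. That would also remove the reliance on the caller passing exactly two bytes to put_bytes($_[1], 2).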
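Review bot: In the second hunk, the new entries for types 30, 31 and 32 all read with "r => sub { $_[0]->bytes }", so an Embedded signature (32) is carried through as an opaque blob and nothing here parses or verifies it. A comment stating that these three types are pass-through only would stop callers from assuming the embedded signature has been checked. The diff touches only SubPacket.pm; a round-trip test that parses and re-serializes a signature carrying these subpackets would pin the fix.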
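The failure described in this reply, as an added example that is not part of the ticket or of Crypt::OpenPGP: a minimal parser for a signature subpacket area (RFC 4880, section 5.2.3.1) that keeps every body as raw bytes, so the area re-serializes byte for byte. The `KNOWN` set, the `lossy` switch (which models discarding the body of an unrecognised type, an assumption consistent with the gpg error quoted above) and the sample bytes are constructed for illustration.

```python
KNOWN = {2, 16, 27}  # hypothetical set of subpacket types a library understands

def read_len(buf, i):
    """Decode the subpacket length starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    size = 2 if first < 255 else 5
    if i + size > len(buf):
        raise ValueError("truncated subpacket length")
    if size == 2:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def write_len(n):
    """Encode a subpacket length in its shortest form."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")

def parse(area):
    """Return [(type, critical, body)], keeping every body as raw bytes."""
    out, i = [], 0
    while i < len(area):
        n, i = read_len(area, i)  # n counts the type octet plus the body
        if n < 1 or i + n > len(area):
            raise ValueError("truncated subpacket")
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + n]))
        i += n
    return out

def serialize(subpackets, lossy=False):
    """Re-emit the area; lossy=True empties the body of any type not in KNOWN."""
    out = b""
    for typ, critical, body in subpackets:
        if lossy and typ not in KNOWN:
            body = b""  # assumed model of the bug: type octet kept, data lost
        tag = typ | (0x80 if critical else 0)
        out += write_len(len(body) + 1) + bytes([tag]) + body
    return out

# Constructed sample: creation time (2), key flags (27), features (30) and a
# 200-byte placeholder body standing in for an embedded signature (32).
SAMPLE = (b"\x05\x02" + (1148568880).to_bytes(4, "big")
          + b"\x02\x1b\x02" + b"\x02\x1e\x01"
          + write_len(201) + b"\x20" + b"\xaa" * 200)
```

The hashed subpacket area is covered by the signature, so a re-serialization that differs from the input also invalidates the signature; the byte-identical round trip here assumes the input used shortest-form lengths.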