Skip Menu |
 

This queue is for tickets about the Crypt-OpenPGP CPAN distribution.

Report information
The Basics
Id: 19482
Status: open
Priority: 0/
Queue: Crypt-OpenPGP

People
Owner: Nobody in particular
Requestors: distler [...] golem.ph.utexas.edu
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.03
Fixed in: (no value)



Subject: Does not handle public keys with multiple subkeys correctly
Download (untitled) / with headers
text/plain 519b
The attached file is signed using the signing subkey of Key ID 0xB7A9E538D7398C2F. In commandline GnuPG, one can import that key from the keyserver, and verify the signature of the file. 1) Crypt::OpenPGP fails to import the key correctly. When the imported key is listed with GnuPG, one gets the error gpg: subpacket of type 32 too short 2) Using the correctly-imported key (imported using GnuPG), Crypt::OpenPGP fails to verify the signature on the above file. Results obtained using Perl 5.8.8 on MacOSX 10.4.6.
Subject: frank.txt
Download frank.txt
text/plain 636b
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As the whole interweb saw, I screwed up posting my public key previously. Jacques wrote to me to check if I had corrected my setup and offered some help-- what a guy! My key worked fine in that correspondence, and I've been able to import it successfully on a few different machines, so I'm hoping that this comment will verify using the public key on my website. Thanks for your help, Jacques! /au -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFEdektlHMl2/XbR4ERAtRUAJ9T1auCXUWRLDGaITjUOQd1enFrkQCgnl+d e13KUKxVXyOTxyEI66s7p7A= =zUfR -----END PGP SIGNATURE-----
From: sandals [...] crustytoothpaste.net
Download (untitled) / with headers
text/plain 921b
On Thu May 25 14:54:40 2006, guest wrote: Show quoted text
> The attached file is signed using the signing subkey of Key ID > 0xB7A9E538D7398C2F. > > In commandline GnuPG, one can import that key from the keyserver, and > verify the signature of the file. > > 1) Crypt::OpenPGP fails to import the key correctly. When the imported > key is listed with GnuPG, one gets the error > > gpg: subpacket of type 32 too short
This is caused by Crypt::OpenPGP destroying subpackets it doesn't understand. Attached is a patch to get it to understand subpackets 30- 32 and fix its parsing of type 5. With this fix, the only non-private- use subpackets it will destroy are those of type 10 (additional decryption key), which one can argue is a feature. Show quoted text
> 2) Using the correctly-imported key (imported using GnuPG), > Crypt::OpenPGP fails to verify the signature on the above file.
Using Crypt::OpenPGP 1.06, it appears to verify correctly.
Subject: sig-subpacket-fixes.patch
diff --git a/lib/Crypt/OpenPGP/Signature/SubPacket.pm b/lib/Crypt/OpenPGP/Signature/SubPacket.pm index 9e61392..7948136 100644 --- a/lib/Crypt/OpenPGP/Signature/SubPacket.pm +++ b/lib/Crypt/OpenPGP/Signature/SubPacket.pm @@ -19,8 +19,8 @@ use vars qw( %SUBPACKET_TYPES ); w => sub { $_[0]->put_int8($_[1]) } }, 5 => { name => 'Trust signature', - r => sub { $_[0]->get_int8 }, - w => sub { $_[0]->put_int8($_[1]) } }, + r => sub { $_[0]->get_bytes(2) }, + w => sub { $_[0]->put_bytes($_[1], 2) } }, 6 => { name => 'Regular expression', r => sub { $_[0]->bytes }, @@ -108,6 +108,18 @@ use vars qw( %SUBPACKET_TYPES ); w => sub { $_[0]->put_int8($_[1]->{code}); $_[0]->put_bytes($_[1]->{reason}) } }, + + 30 => { name => 'Features', + r => sub { $_[0]->bytes }, + w => sub { $_[0]->append($_[1]) } }, + + 31 => { name => 'Signature target', + r => sub { $_[0]->bytes }, + w => sub { $_[0]->append($_[1]) } }, + + 32 => { name => 'Embedded signature', + r => sub { $_[0]->bytes }, + w => sub { $_[0]->append($_[1]) } }, ); sub new { bless { }, $_[0] }


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.