C3S / redmine_openpgp

Redmine plugin for email encryption with the OpenPGP standard
GNU General Public License v3.0

Validation fails for keys with non-standard subkey layouts #11

Open garrettr opened 8 years ago

garrettr commented 8 years ago

redmine_openpgp validates signed messages, and then checks that the signature was made by the key corresponding to the sender. In lib/decrypt_mails.rb:

```ruby
# compare identity of signature with sender
if valid
  valid = false
  sender_email = email.from.to_a.first.to_s.strip
  user = User.find_by_mail sender_email if sender_email.present?
  key = Pgpkey.find_by user_id: user.id
  signatures.each do |s|
    valid = true if key.fpr == s.fpr
  end if not signatures.empty?
end
```

This works for most but not all GPG keys. By default, when GPG creates a new key, it actually creates two subkeys: one for certification (signing other keys, including your own subkeys) and signing (signing data), and one for encryption. Because the certification and the signing subkey are the same, the check valid = true if key.fpr == s.fpr works: the certify subkey (from which the key's fingerprint is derived) and the signing subkey are the same.

However, it is possible to use a different subkey layout for your GPG keys. A common alternative is to have separate subkeys for all capabilities: separate and dedicated keys for certification, signatures, encryption, and authentication. This is commonly seen among users of GPG smartcards, who often put their "every-day usage" (for signing and encrypting data, and authenticating) subkeys on one smartcard, but store their certification key elsewhere, and only bring it out when they want to sign others' keys.

This provides a security benefit: if one's "every-day" subkeys are lost or compromised, they can be rotated, signed with the same certify subkey. This allows you to maintain your position in the web of trust (since when you sign a key, you sign its certify key with your certify key) while rotating your potentially compromised subkeys.

The issue here is that the certification and signing subkey are different, so the check comparing the key.fpr (the fingerprint of the certify subkey) to the s.fpr (the fingerprint of the signing subkey) no longer works. The email is still validly signed, but redmine_openpgp will fail to detect this, and will erroneously reject it if "Valid signature only" is enabled.
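A subkey-aware version of the comparison described in this issue, as an added example that is neither the plugin's code nor the code from the pull request mentioned in the thread. The Struct types, their field names, the helper names and the fingerprints are constructed, and it assumes the stored key record lists its primary key first among its subkeys, each with capability flags.

```ruby
# Constructed stand-ins for a stored key and a verified signature (hypothetical field names).
Subkey = Struct.new(:fpr, :capabilities, :revoked, :expired, keyword_init: true)
SenderKey = Struct.new(:fpr, :subkeys, keyword_init: true) # fpr = primary key fingerprint
Sig = Struct.new(:fpr, keyword_init: true)

def normalize_fpr(fpr)
  fpr.to_s.delete(' ').upcase
end

# The comparison from the issue: only the primary key fingerprint is accepted.
def primary_only_match?(key, signatures)
  signatures.any? { |s| key.fpr == s.fpr }
end

# Fingerprints on the sender's registered key that may issue data signatures:
# signing-capable, not revoked, not expired. The list is taken from the stored
# key, never from the signature being checked.
def signing_fingerprints(key)
  return [] if key.nil?
  key.subkeys
     .select { |sk| sk.capabilities.include?(:sign) && !sk.revoked && !sk.expired }
     .map { |sk| normalize_fpr(sk.fpr) }
end

def signed_by_sender?(key, signatures)
  allowed = signing_fingerprints(key)
  signatures.any? { |s| allowed.include?(normalize_fpr(s.fpr)) }
end

def subkey(fpr, caps, revoked: false)
  Subkey.new(fpr: fpr, capabilities: caps, revoked: revoked, expired: false)
end

# Constructed fingerprints (not real keys).
PRIMARY = 'A' * 40
SIGNING = 'B' * 40
ENCRYPT = 'C' * 40
RETIRED = 'D' * 40

# Default layout: the primary key certifies and signs, plus one encryption subkey.
DEFAULT_KEY = SenderKey.new(fpr: PRIMARY, subkeys: [subkey(PRIMARY, %i[certify sign]),
                                                    subkey(ENCRYPT, %i[encrypt])])
# Split layout: certify-only primary, dedicated subkeys, one revoked signing subkey.
SPLIT_KEY = SenderKey.new(fpr: PRIMARY, subkeys: [subkey(PRIMARY, %i[certify]),
                                                  subkey(SIGNING, %i[sign]),
                                                  subkey(ENCRYPT, %i[encrypt]),
                                                  subkey(RETIRED, %i[sign], revoked: true)])
```

With the split layout, a signature from the dedicated signing subkey fails the primary-only comparison but passes the subkey-aware one, while signatures carrying the encryption subkey's or the revoked subkey's fingerprint are still rejected.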

timegrid commented 7 years ago

I see, thanks for the clarification. As I understand, this issue is resolved with your pull request, which seems fine at first glance. I'll do some further testing and will try to catch up with your fork next month.