search

toofishes / python-pgpdump

PGP packet parser library
Other
55 stars 26 forks source link

Support for parsing smartcard/HSM related fields (mode 1002, gnu-divert-to-card S2K) #12

Open hiviah opened 11 years ago

hiviah commented 11 years ago

The patch allows parsing SecretKeyPacket and SecretSubkeyPacket that are tied to smartcard reader.

Sample keyfile generated by gpg --export-secret-key is here.

toofishes commented 11 years ago

Hey! Thanks for looking into this. I did a quick spike to see the minimum changes necessary to support mode 1002 packets and came up with this commit- 9f41365f5e63f64. I also used your provided sample keyfile to write a test case included in that commit, the test data landed in f3020bc5. Thanks for providing this; all tests are passing in the supported python platforms.

I'm definitely interested in the rest of what your commit did, but couldn't find any resources out there with regards to the afterkey_offset stuff you added. Nothing at all dealing with secret key fingerprints or key IDs seems to be out there- from what I can tell you usually identify a secret key by the public key fingerprint anywhere. Do you have a better source of info than what I could (not) find?

hiviah commented 11 years ago

The afterkey_offset stuff follows from the fact that public key is substring of private key - by combination of RFC 4880 section 12.2 with sections 5.5.1.3 and 5.5.1.4:

A Secret-Key packet contains all the information that is found in a
Public-Key packet, including the public-key material, but also
includes the secret-key material after all the public-key fields.

I added also an ElGamal and DSA test keys which I used for testing. With the afterkey_offset, the fingerprints and key_ids are consistent with identically-named fields of public key.

BTW this is a great project, it was quite challenging to find a decent parser of pgp packet format.

toofishes commented 11 years ago

Thanks for the follow-up info. I'm a bit busy this week but can incorporate these keys into more test cases and then see where that takes us.

No problem on providing the project, I also found parsers were hard to come by so decided to take a stab at it. Thanks to you and others for contributing code for many more of the packet types that I didn't implement for my own needs. If you don't mind me asking, what kind of project are you using it in?

hiviah commented 11 years ago

I wanted to fix gnupg-pkcs11-scd to allow importing existing GPG keys to PKCS11 token/smartcard. Currently it seems that the only way to do it is quite hackish: