Bad, possibly insecure key usage flags on new keys

From: nobled <nobled dreamwidth org>
To: seahorse-list gnome org
Subject: Bad, possibly insecure key usage flags on new keys
Date: Thu, 10 Sep 2009 00:39:50 -0400

Like it says in Bugzilla [1], when Seahorse generates new keys it
gives RSA (sign only) keys *all* capabilities (encryption etc.)
instead of just signing/certifying. GnuPG normally doesn't give the
option of using the same RSA key for signing *and* encryption (I'm
guessing for security reasons like this: [2]), so Seahorse shouldn't
either.

Fixing it is really simple; I attached a patch, can anyone test it?

[1] https://bugzilla.gnome.org/show_bug.cgi?id=555205
[2] http://www.di-mgt.com.au/rsa_alg.html#weaknesses

From 258fcbaebe3f5fbb585d485ac001cc2d5ed9e5a7 Mon Sep 17 00:00:00 2001
From: nobled <nobled dreamwidth org>
Date: Thu, 10 Sep 2009 00:07:45 -0400
Subject: [PATCH] [gpgme] Set usage flags on batch-generated keys (closes: bgo#555205)

Added lines for "Key-Usage:" and "Subkey-Usage:" to the standard input
to `gpg --batch --gen-key`.
---
 pgp/seahorse-gpgme-key-op.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgp/seahorse-gpgme-key-op.c b/pgp/seahorse-gpgme-key-op.c
index c059494..f67cc5f 100644
--- a/pgp/seahorse-gpgme-key-op.c
+++ b/pgp/seahorse-gpgme-key-op.c
@@ -135,15 +135,15 @@ seahorse_gpgme_key_op_generate (SeahorseGpgmeSource *psrc, const gchar *name,
         common = g_strdup_printf ("Name-Comment: %s\n%s", comment, common);
 
     if (type == RSA_SIGN)
-        key_type = "Key-Type: RSA";
+        key_type = "Key-Type: RSA\nKey-Usage: sign";
     else
-        key_type = "Key-Type: DSA";
+        key_type = "Key-Type: DSA\nKey-Usage: sign";
 
     start = g_strdup_printf ("<GnupgKeyParms format=\"internal\">\n%s\nKey-Length: ", key_type);
 
     /* Subkey xml */
     if (type == DSA_ELGAMAL)
-        parms = g_strdup_printf ("%s%d\nSubkey-Type: ELG-E\nSubkey-Length: %d\n%s",
+        parms = g_strdup_printf ("%s%d\nSubkey-Type: ELG-E\nSubkey-Length: %d\nSubkey-Usage: encrypt\n%s",
                                  start, DSA_MAX, length, common);
     else
         parms = g_strdup_printf ("%s%d\n%s", start, length, common);
-- 
1.5.4.3

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]