Bad, possibly insecure key usage flags on new keys
- From: nobled <nobled dreamwidth org>
- To: seahorse-list gnome org
- Subject: Bad, possibly insecure key usage flags on new keys
- Date: Thu, 10 Sep 2009 00:39:50 -0400
Like it says in Bugzilla [1], when Seahorse generates new keys it
gives RSA (sign only) keys *all* capabilities (encryption etc.)
instead of just signing/certifying. GnuPG normally doesn't give the
option of using the same RSA key for signing *and* encryption (I'm
guessing for security reasons like this: [2]), so Seahorse shouldn't
either.
Fixing it is really simple; I attached a patch, can anyone test it?
[1] https://bugzilla.gnome.org/show_bug.cgi?id=555205
[2] http://www.di-mgt.com.au/rsa_alg.html#weaknesses
From 258fcbaebe3f5fbb585d485ac001cc2d5ed9e5a7 Mon Sep 17 00:00:00 2001
From: nobled <nobled dreamwidth org>
Date: Thu, 10 Sep 2009 00:07:45 -0400
Subject: [PATCH] [gpgme] Set usage flags on batch-generated keys (closes: bgo#555205)
Added lines for "Key-Usage:" and "Subkey-Usage:" to the standard input
to `gpg --batch --gen-key`.
---
pgp/seahorse-gpgme-key-op.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pgp/seahorse-gpgme-key-op.c b/pgp/seahorse-gpgme-key-op.c
index c059494..f67cc5f 100644
--- a/pgp/seahorse-gpgme-key-op.c
+++ b/pgp/seahorse-gpgme-key-op.c
@@ -135,15 +135,15 @@ seahorse_gpgme_key_op_generate (SeahorseGpgmeSource *psrc, const gchar *name,
common = g_strdup_printf ("Name-Comment: %s\n%s", comment, common);
if (type == RSA_SIGN)
- key_type = "Key-Type: RSA";
+ key_type = "Key-Type: RSA\nKey-Usage: sign";
else
- key_type = "Key-Type: DSA";
+ key_type = "Key-Type: DSA\nKey-Usage: sign";
start = g_strdup_printf ("<GnupgKeyParms format=\"internal\">\n%s\nKey-Length: ", key_type);
/* Subkey xml */
if (type == DSA_ELGAMAL)
- parms = g_strdup_printf ("%s%d\nSubkey-Type: ELG-E\nSubkey-Length: %d\n%s",
+ parms = g_strdup_printf ("%s%d\nSubkey-Type: ELG-E\nSubkey-Length: %d\nSubkey-Usage: encrypt\n%s",
start, DSA_MAX, length, common);
else
parms = g_strdup_printf ("%s%d\n%s", start, length, common);
--
1.5.4.3
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]