commit | 0e37d006457bf46f9e6692014ba72ef82c33022c |
---|---|
author | aviau <alexandre@alexandreviau.net> | Thu Jun 14 15:19:50 2018 -0400 |
committer | Filippo Valsorda <filippo@golang.org> | Mon Sep 10 18:16:07 2018 +0000 |
tree | ffa81b4366ad93237f772bda81cf98f89fca69f4 |
parent | 0709b304e793a5edb4a2c0145f281ecdc20838a4 |
openpgp: don't treat extra subkey selfsigs as uid sigs

Consider the following packet ordering scenario:

    PUBKEY UID SELFSIG SUBKEY REV SELFSIG

In this scenario, addSubkey would only consume the REV signature after the subkey, leaving SELFSIG to be read by ReadEntity, which in turn would add the last SELFSIG to the UID's signatures, which is wrong to do because this is a SUBKEY SELFSIG, not a UID signature.

Remove "current" from the ReadEntity scope, it should only be visible to the UserId packet handling code.

Keep the warning about signature packets found before user id packets. Without it, I would not have found this bug.

Modify addSubKey so that it consumes all signatures following the SUBKEY packet, keeping either the first valid signature (like we did before) or any valid revocation.

In a follow-up patch, we can improve this further by keeping the most recent signature, as suggested by RFC4880:

> An implementation that encounters multiple self-signatures on the
> same object may resolve the ambiguity in any way it sees fit, but it
> is RECOMMENDED that priority be given to the most recent self-
> signature.

Fixes golang/go#26449

Change-Id: Id992676ef2363779a7028f4799180efb027fcf47
Reviewed-on: https://go-review.googlesource.com/118957
Reviewed-by: Filippo Valsorda <filippo@golang.org>
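The packet ordering from the commit message, run through a toy model. This is an added illustration, not code from golang.org/x/crypto: `sample`, `Attribution`, `isSig` and `attribute` are hypothetical names, packets are reduced to their kind, and signature validation and the keep-first/revocation policy are not modelled.

```go
package main

import "fmt"

// Constructed packet kinds; a toy model, not the x/crypto/openpgp parser.
// No packet decoding or signature verification is performed.
var sample = []string{"PUBKEY", "UID", "SELFSIG", "SUBKEY", "REV", "SELFSIG"}

// Attribution lists, by stream index, which signatures landed on which object.
type Attribution struct {
	UIDSigs, SubkeySigs []int
}

func isSig(kind string) bool { return kind == "SELFSIG" || kind == "REV" }

// attribute walks the stream. consumeAll=false models a subkey handler that
// reads only one signature after SUBKEY (the behaviour the commit message
// describes); consumeAll=true models reading every signature that follows.
func attribute(stream []string, consumeAll bool) Attribution {
	var a Attribution
	for i := 0; i < len(stream); i++ {
		switch {
		case stream[i] == "SUBKEY":
			for i+1 < len(stream) && isSig(stream[i+1]) {
				i++
				a.SubkeySigs = append(a.SubkeySigs, i)
				if !consumeAll {
					break // leaves any later signature to the outer loop
				}
			}
		case isSig(stream[i]):
			// Outer loop: a signature seen here is attached to the user ID.
			a.UIDSigs = append(a.UIDSigs, i)
		}
	}
	return a
}

func main() {
	fmt.Printf("one sig per subkey:  %+v\n", attribute(sample, false))
	fmt.Printf("all sigs per subkey: %+v\n", attribute(sample, true))
}
```

With one signature consumed per subkey, the packet at index 5 ends up among the user ID's signatures; with all following signatures consumed, it stays with the subkey.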
This repository holds supplementary Go cryptography libraries.
The easiest way to install is to run `go get -u golang.org/x/crypto/...`. You can also manually git clone the repository to `$GOPATH/src/golang.org/x/crypto`.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the crypto repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.
Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.