Page MenuHome GnuPG
Create Task
Maniphest T1223

designated revoker signatures are not properly merged
Closed, ResolvedPublic
Actions

Description

Daniel Kahn Gillmor reported on gnupg-devel this bug:
[...]
At the bottom of this message are two copies of the same key. The first
copy has an indication that my key (D21739E9) is allowed to revoke
certifications by it. The second copy has a deliberately broken (that
is, not cryptographically-valid) revocation certification, indicating
that a key with fingerprint 0x000...001 is allowed to revoke it. I
created this bogus version by just swapping out the fingerprint bytes in
the signature made over the primary key.

If the local keyring has the bogus version installed, then importing the
good key will fail to update gpg's revoker information.

That is, save the two versions of the key below as bogus.key and
good.key compare the output of:

gpg --delete-key C108E83A
gpg --import bogus.key
gpg --import good.key
gpg --list-keys --with-colons C108E83A

with:

gpg --delete-key C108E83A
gpg --import good.key
gpg --import bogus.key
gpg --list-keys --with-colons C108E83A

The final versions should be identical, but (at least for me, with gpg
versions 1.4.10 and 2.0.14 on debian testing) the former shows no rvk:
line, while the latter shows an rvk: line.

Compare also the output of "gpg --export C108E83A | gpg --list-packets"
with these two states. It appears to be "first revocation certification
received wins", even if one of them is cryptographically unsound.

This is a potential security problem, because it suggests that a
malicious user could block the distribution of revocation indicators. A
user who relies on published revocation certifications may not have them
treated properly if a malefactor produces a modified or simply corrupt
revocation certification that somehow overrides the first.

It appears that fetching the good key material from the keyservers does
not fix the problem either.

Details

Version
all

Event Timeline

werner added projects: In Progress, gnupg, Bug Report.May 7 2010, 11:38 AM
werner set Version to all.
werner added subscribers: dkg, werner.
werner added a comment.May 7 2010, 1:37 PM

We did not checked the direct key signature during import. The problem is that
during the import we try to detect duplicate signatures by comparing the
signature but not the signed material. With the bogus signature already in the
keyring, importing a good signature will sort the latter out as a duplicate.

The implemented solution is to check the direct signature on import. To detect
problems from the past we also check the existing key for bad direct key
signatures during import and delete them.

Fixed in 1.4, 2.0 and trunk. Added a test case to trunk.

Because gpg --desig-revoke includes a copy of the key in question, the import of
this revocation certificate would delete any bogus direct key signatures and
insert a correct one.

werner added a project: Restricted Project.May 7 2010, 1:37 PM
werner removed a project: In Progress.
werner closed this task as Resolved.May 12 2010, 10:35 AM
werner claimed this task.
werner removed a project: Restricted Project.