
Curve25519/v5 key cannot be exported
Open, Normal, Public

Description

The change in rG84ddb24e30c5: gpg: Make Kyber creation more flexible. introduced an incompatible key for Curve25519/v5:

modified   g10/keygen.c
@@ -1362,6 +1362,10 @@ ecckey_from_sexp (gcry_mpi_t *array, gcry_sexp_t sexp,
       err = gpg_error (GPG_ERR_INV_OBJ);
       goto leave;
     }
+  /* For v5 keys we prefer the modern OID for cv25519.  */
+  if (pkversion > 4 && !strcmp (oidstr, "1.3.6.1.4.1.3029.1.5.1"))
+    oidstr = "1.3.101.110";
+
   err = openpgp_oid_from_str (oidstr, &array[0]);
   if (err)
     goto leave;
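Review bot: the OID substitution at `if (pkversion > 4 && !strcmp (oidstr, "1.3.6.1.4.1.3029.1.5.1"))` is applied only inside ecckey_from_sexp, so a v5 key is created with 1.3.101.110 while every other path that derives the cv25519 OID (export, fingerprint computation) still produces the legacy OID and the two disagree, which is exactly the export failure reported above; move the mapping into a shared helper that those paths also call, or at least extend the comment to name the callers that must apply the same rule. Minor: the two literal OID strings would read better as named constants so the two spellings of the cv25519 OID cannot drift apart.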

And because of this, the key cannot be exported (in other places, the old OID is still used) and an error results.

Event Timeline

gniibe triaged this task as Normal priority. Wed, Oct 2, 7:20 AM
gniibe created this task.
gniibe created this object with edit policy "Contributor (Project)".

Using the shorter OID for v5 is on purpose; thus we need to fix the export.

The OID is used for fingerprint computation, which complicates things.

This is my initial attempt to identify possible places for changes:

Basically, we need to know the version number of the OpenPGP specification, to select the OID in question.
Export into OpenPGP key format can be done, because we have the version, when exporting a private key.

Problems are:

  • gpg UI to show supported OID: possibly show two OIDs (both)
  • scdaemon
    • keytocard: we need to ask version, perhaps
    • fpr: showing version 4 fpr and version 5 fpr, BOTH
    • other places...
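To make the fingerprint point concrete, here is an added Python sketch (not GnuPG code) that encodes both cv25519 OIDs into their OpenPGP octet form, applies the hunk's v5 substitution, and computes a v4 or v5 fingerprint over a constructed ECDH public key packet body; the packet layouts follow RFC 4880 (v4) and the rfc4880bis v5 draft, while the KDF parameters, the sample point and the timestamp are assumed values.

```python
import hashlib
import struct

# The two cv25519 OIDs from the g10/keygen.c hunk above.
LEGACY_CV25519_OID = "1.3.6.1.4.1.3029.1.5.1"  # GnuPG's original cv25519 OID
MODERN_CV25519_OID = "1.3.101.110"             # X25519 OID, preferred for v5 keys


def encode_oid(oidstr):
    """DER content octets of a dotted OID (the bytes after the OID length octet in OpenPGP)."""
    arcs = [int(a) for a in oidstr.split(".")]
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]  # base-128, high bit set on every octet but the last
        while value >> 7:
            value >>= 7
            chunk.append(0x80 | (value & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def select_oid(oidstr, pkversion):
    """Same rule as the hunk: v5 keys swap the legacy cv25519 OID for the modern one."""
    return MODERN_CV25519_OID if pkversion > 4 and oidstr == LEGACY_CV25519_OID else oidstr


def ecdh_key_material(oidstr, point):
    """ECDH (algo 18) public key fields: OID length, OID, point as MPI (0x40-prefixed), KDF params."""
    oid = encode_oid(oidstr)
    mpi = b"\x40" + point
    bits = mpi[0].bit_length() + 8 * (len(mpi) - 1)
    kdf_params = b"\x03\x01\x08\x07"  # assumed: len 3, reserved 1, SHA-256 (8), AES-128 (7)
    return bytes([len(oid)]) + oid + struct.pack(">H", bits) + mpi + kdf_params


def fingerprint(pkversion, timestamp, oidstr, point):
    """v4: SHA-1 over 0x99, 2-octet length, body; v5: SHA-256 over 0x9A, 4-octet length, body.
    The OID octets are part of the hashed body, so the OID choice changes the fingerprint."""
    material = ecdh_key_material(oidstr, point)
    if pkversion == 4:
        body = b"\x04" + struct.pack(">I", timestamp) + b"\x12" + material
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    body = b"\x05" + struct.pack(">I", timestamp) + b"\x12" + struct.pack(">I", len(material)) + material
    return hashlib.sha256(b"\x9a" + struct.pack(">I", len(body)) + body).hexdigest()


# Constructed sample input (not a real key): 32 fixed bytes and a fixed creation time.
SAMPLE_POINT = bytes(range(32))
SAMPLE_TIME = 1700000000
```

Running `fingerprint(5, ...)` once with each OID shows two different values for the same point, which is why an export path that still emits the legacy OID cannot reproduce the fingerprint of a key generated with the modern one.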