For ECC, it is better to use KEM API, so that the implementation is more coherent.
I looked into the code and figured out that we don't need to change the protocol between gpgsm and gpg-agent much (the KDF parameters are sent to gpg-agent too as well as the encrypted session key).
Simply it is enough to move the work of ECDH KDF things from gpgsm to gpg-agent; The return value will be decrypted session key.
| rG GnuPG | |||
| rG9c61a8cca6b4 agent: Rename the internal function for ECC KEM. | |||
| rG035d0dd4adf3 gpgsm: Use KEM API for decryption. | |||
| rG2a221b83545d gpgsm: Rearrange the cases for decryption. | |||
| rG06f993dc0ece agent,common,gpg: Clean up for S/MIME decryption with KEM API. | |||
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Testing | • gniibe | T7649 gnupg: Use KEM interface for encryption/decryption | ||
| Testing | • gniibe | T7811 gpgsm: Use KEM interface for decryption |
This is current work of mine:
I realized that there is no test for ECC encryption/decryption with gpgsm.
We need to write those tests before pushing this change.
Reading the commit log message in rG6dc3846d7819: sm: Support creation of EdDSA certificates.
I created a file to keygen.
Key-Type: ECDSA Key-Length: 1024 Key-Grip: 0286DCA85E771F64AB9FD9C89717369524D55471 Key-Usage: sign,encrypt Hash-Algo: sha384 Serial: random Name-DN: CN=dummy test nistp384
Then, test with a certificate.
I needed a bit of fix over the patch t7811-patch.diff.
I'm going to commit the changes with fix.