sm: Allow decryption using dhSinglePass-stdDH-sha1kdf-scheme.
* sm/decrypt.c (ecdh_decrypt): Support dhSinglePass-stdDH-sha1kdf-scheme. Factor key derive code out to ... (ecdh_derive_kek): new global function. Allow for hashs shorter than the key. (hash_ecc_cms_shared_info): Make file-only. * sm/encrypt.c (ecdh_encrypt): Replace derive code by a call to the new ecdh_derive_kek. Add test code to create data using dhSinglePass-stdDH-sha1kdf-scheme. * sm/gpgsm.h (opt): Add member force_ecdh_sha1kdf. * sm/gpgsm.c: Add option --debug-force-ecdh-sha1kdf.
I did some test against
Governikus_Signer: 2.9.2.0 MCard security Provider: 2.4.0 Algorithm catalog from: 05.12.2019
using a Signature Card v2.0 and a nistp256 certificate. Encrypting
with Governikus used the stdDH-sha1kdf scheme which we can now
decrypt. Encrypting with GPGSM uses for that curve the recommended
scheme sha256kdf but Governikus was not able to decrypt this (no
usable error message). Encrypting using stdDH-sha1kdf with GPGSM by
using the new --debug-force-ecdh-sha1kdf option showed that
Governikus was able to decrypt this.
FWIW: RFC5753 (Use of Elliptic Curve Cryptography (ECC) Algorithms)
has this requirement:
Implementations that support EnvelopedData with the ephemeral-static ECDH standard primitive: - MUST support the dhSinglePass-stdDH-sha256kdf-scheme key agreement algorithm, the id-aes128-wrap key wrap algorithm, and the id-aes128-cbc content encryption algorithm; and
which Governikus seems not to fulfill.
- GnuPG-bug-id: T4098
- Signed-off-by: Werner Koch <wk@gnupg.org>