Failure to import OpenPGP secret keys, if public key, with additional public subkey, is already present
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
(thunderbird_esr102+ fixed, thunderbird107 fixed)
People
(Reporter: KaiE, Assigned: KaiE)
Attachments (2 files)
48 bytes, text/x-phabricator-request (wsmwk: approval-comm-beta+, approval-comm-esr102+)
48 bytes, text/x-phabricator-request (wsmwk: approval-comm-beta+, approval-comm-esr102+)
Use GnuPG to create an advanced key.
In addition to the default [SC] and [E] keys, add another [E] key; as a result, you have two [E] subkeys.
(In the test scenario, additional subkeys for [S] and [A] were added, but that probably doesn't matter.)
Export the PUBLIC key from GnuPG, store it as pubkey-1.asc
Import pubkey-1.asc into Thunderbird.
Go back to GnuPG, and use --edit-key, then delete the older [E] subkey.
(In the test scenario, another user ID was also added, but that probably doesn't matter.)
Export the SECRET key from GnuPG, store it as seckey-2.asc
Import seckey-2.asc as a secret key into Thunderbird.
Result: An exception is reported:
Error: rnp_key_get_protection_type failed
isSecretKeyMaterialAvailable chrome://openpgp/content/modules/RNPLib.jsm:393
protectKeyWithSubKeys chrome://openpgp/content/modules/RNPLib.jsm:468
_importKeyBlockWithAutoAccept chrome://openpgp/content/modules/RNP.jsm:2295
Comment 1•3 years ago (Assignee)
The bug is in the Thunderbird code, which makes wrong assumptions about the combination of public keys and secret keys that are possible.
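The mixed keyring state that the report and Comment 1 describe, as a simplified JavaScript model added here for illustration (it is not part of the bug report and not Thunderbird's RNPLib.jsm code). The key objects, the fingerprint labels and all function names are assumptions.

```javascript
// Simplified model (assumption): a key is { fp, secret, subkeys }, where
// secret is null when only the public part is in the keyring.
function importBlock(keyring, block) {
  const key = keyring.get(block.fp) ?? { fp: block.fp, secret: null, subkeys: new Map() };
  if (block.secret) key.secret = { ...block.secret };
  for (const sub of block.subkeys) {
    // Subkeys already in the keyring are kept; an import never deletes them.
    const have = key.subkeys.get(sub.fp) ?? { fp: sub.fp, secret: null };
    if (sub.secret) have.secret = { ...sub.secret };
    key.subkeys.set(sub.fp, have);
  }
  keyring.set(key.fp, key);
  return key;
}

// Stand-in for a protection-type query: it fails on a key without secret material.
function protectionType(k) {
  if (!k.secret) throw new Error(`protection type query failed for ${k.fp}`);
  return k.secret.protected ? "Encrypted" : "None";
}

// Assumes every subkey has secret material, so one public-only subkey aborts it.
function protectAssumingAll(key) {
  for (const k of [key, ...key.subkeys.values()]) {
    if (protectionType(k) === "None") k.secret.protected = true;
  }
}

// Checks each key first and skips the ones that are public-only.
function protectAvailable(key) {
  const done = [];
  for (const k of [key, ...key.subkeys.values()]) {
    if (!k.secret) continue;
    if (protectionType(k) === "None") k.secret.protected = true;
    done.push(k.fp);
  }
  return done;
}

// Constructed sample mirroring the report: pubkey-1 has two [E] subkeys,
// seckey-2 carries secrets for the primary and the newer [E] subkey only.
function scenario() {
  const ring = new Map();
  importBlock(ring, { fp: "PRIMARY", subkeys: [{ fp: "E-OLD" }, { fp: "E-NEW" }] });
  const s = () => ({ protected: false });
  const key = importBlock(ring, { fp: "PRIMARY", secret: s(), subkeys: [{ fp: "E-NEW", secret: s() }] });
  let error = null;
  try { protectAssumingAll(key); } catch (e) { error = e.message; }
  return { error, protectedKeys: protectAvailable(key) };
}
```

In this model the unguarded pass has already marked the primary key as protected when it aborts on the public-only subkey, so a regression test should check both the absence of the exception and the final protection state of every key that does have secret material.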
Comment 2•3 years ago (Assignee)
Comment 3•3 years ago (Assignee)
Comment 4•3 years ago (Assignee)
The second patch adds a test.
Patch and test work on both comm-central and comm-esr102.
Comment 5•3 years ago (Assignee)
Comment on attachment 9298854 [details]
Bug 1795698 - When protecting a secret OpenPGP key, don't assume secret keys for all subkeys are available. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: Some advanced users of GnuPG cannot use their existing key with Thunderbird
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low risk
Comment 6•3 years ago (Assignee)
This should be safe for 102.5.0, too.
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/d7a504dc269e
When protecting a secret OpenPGP key, don't assume secret keys for all subkeys are available. r=mkmelin
https://hg.mozilla.org/comm-central/rev/a2eb61ecd28e
Test importing secret key with existing additional public subkey. r=mkmelin
Comment 8•3 years ago
Comment on attachment 9298854 [details]
Bug 1795698 - When protecting a secret OpenPGP key, don't assume secret keys for all subkeys are available. r=mkmelin
[Triage Comment]
Approved for beta
Comment 9•3 years ago
Comment on attachment 9299878 [details]
Bug 1795698 - Test importing secret key with existing additional public subkey. r=mkmelin
[Triage Comment]
Approved for beta
Comment 10•3 years ago (Assignee)
Should get uplifted to esr102 in two weeks
Comment 11•3 years ago
bugherder uplift
Comment 12•3 years ago
Comment on attachment 9298854 [details]
Bug 1795698 - When protecting a secret OpenPGP key, don't assume secret keys for all subkeys are available. r=mkmelin
[Triage Comment]
Approved for esr102
Comment 13•3 years ago
Comment on attachment 9299878 [details]
Bug 1795698 - Test importing secret key with existing additional public subkey. r=mkmelin
[Triage Comment]
Approved for esr102
Comment 14•3 years ago
bugherder uplift