From 921e2954c1ef358fbfffda24c16c9c283dc0d4f8 Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Sun, 23 Oct 2016 21:14:26 +0300 Subject: [PATCH] gpg: support more digests (with larger output than 256 bits) NIST256 signs the prefix of a longer digest. Ed25519 signs the whole one. --- trezor_agent/gpg/agent.py | 3 +-- trezor_agent/gpg/device.py | 3 +++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/trezor_agent/gpg/agent.py b/trezor_agent/gpg/agent.py index ca23391..e1d3f9c 100644 --- a/trezor_agent/gpg/agent.py +++ b/trezor_agent/gpg/agent.py @@ -65,8 +65,7 @@ def open_connection(keygrip_bytes): def pksign(keygrip, digest, algo): """Sign a message digest using a private EC key.""" - assert algo == b'8', 'Unsupported hash algorithm ID {}'.format(algo) - assert len(digest) == 64 # SHA-256 bits (in hex digits) + log.debug('signing %r digest (algo #%s)', digest, algo) keygrip_bytes = binascii.unhexlify(keygrip) with open_connection(keygrip_bytes) as conn: r, s = conn.sign(binascii.unhexlify(digest)) diff --git a/trezor_agent/gpg/device.py b/trezor_agent/gpg/device.py index 56dad12..123f7f8 100644 --- a/trezor_agent/gpg/device.py +++ b/trezor_agent/gpg/device.py @@ -37,6 +37,9 @@ class HardwareSigner(object): """Sign the digest and return a serialized signature.""" log.info('please confirm GPG signature on %s for "%s"...', self.client_wrapper.device_name, self.user_id) + if self.curve_name == formats.CURVE_NIST256: + digest = digest[:32] # sign the first 256 bits + log.debug('signing digest: %s', util.hexlify(digest)) result = self.client_wrapper.connection.sign_identity( identity=self.identity, challenge_hidden=digest,