gpg: replace TREZOR_GPG_USER_ID usage in gpg-agent mode

Use the keygrip to find the correct public key instead.
2026-04-17 19:55:58 +08:00 · 2016-10-18 15:32:29 +03:00
parent 34dc803856
commit bc64205a85
5 changed files with 77 additions and 90 deletions
--- a/trezor_agent/gpg/encode.py
+++ b/trezor_agent/gpg/encode.py
@@ -1,8 +1,9 @@
 """Create GPG ECDSA signatures and public keys using TREZOR device."""
+import io
 import logging
 import time

-from . import decode, device, keyring, protocol
+from . import decode, keyring, protocol
 from .. import util

 log = logging.getLogger(__name__)
@@ -21,7 +22,6 @@ def create_primary(user_id, pubkey, signer_func):
    data_to_sign = (pubkey.data_to_hash() +
                    user_id_packet[:1] +
                    util.prefix_len('>L', user_id.encode('ascii')))
-    log.info('creating primary GPG key "%s"', user_id)
    hashed_subpackets = [
        protocol.subpacket_time(pubkey.created),  # signature time
        # https://tools.ietf.org/html/rfc4880#section-5.2.3.7
@@ -40,7 +40,6 @@ def create_primary(user_id, pubkey, signer_func):
        protocol.subpacket(16, pubkey.key_id()),  # issuer key id
        protocol.CUSTOM_SUBPACKET]

-    log.info('confirm signing with primary key')
    signature = protocol.make_signature(
        signer_func=signer_func,
        public_algo=pubkey.algo_id,
@@ -53,26 +52,26 @@ def create_primary(user_id, pubkey, signer_func):
    return pubkey_packet + user_id_packet + sign_packet


-def create_subkey(primary_bytes, pubkey, signer_func):
+def create_subkey(primary_bytes, subkey, signer_func, user_id=None):
    """Export new subkey to GPG primary key."""
-    subkey_packet = protocol.packet(tag=14, blob=pubkey.data())
-    primary = decode.load_public_key(primary_bytes)
-    log.info('adding subkey to primary GPG key "%s"', primary['user_id'])
-    data_to_sign = primary['_to_hash'] + pubkey.data_to_hash()
+    subkey_packet = protocol.packet(tag=14, blob=subkey.data())
+    packets = list(decode.parse_packets(io.BytesIO(primary_bytes)))
+    primary, user_id, signature = packets[:3]

-    if pubkey.ecdh:
+    data_to_sign = primary['_to_hash'] + subkey.data_to_hash()
+
+    if subkey.ecdh:
        embedded_sig = None
    else:
        # Primary Key Binding Signature
        hashed_subpackets = [
-            protocol.subpacket_time(pubkey.created)]  # signature time
+            protocol.subpacket_time(subkey.created)]  # signature time
        unhashed_subpackets = [
-            protocol.subpacket(16, pubkey.key_id())]  # issuer key id
-        log.info('confirm signing with new subkey')
+            protocol.subpacket(16, subkey.key_id())]  # issuer key id
        embedded_sig = protocol.make_signature(
            signer_func=signer_func,
            data_to_sign=data_to_sign,
-            public_algo=pubkey.algo_id,
+            public_algo=subkey.algo_id,
            sig_type=0x19,
            hashed_subpackets=hashed_subpackets,
            unhashed_subpackets=unhashed_subpackets)
@@ -81,10 +80,10 @@ def create_subkey(primary_bytes, pubkey, signer_func):

    # Key flags: https://tools.ietf.org/html/rfc4880#section-5.2.3.21
    # (certify & sign)                   (encrypt)
-    flags = (2) if (not pubkey.ecdh) else (4 | 8)
+    flags = (2) if (not subkey.ecdh) else (4 | 8)

    hashed_subpackets = [
-        protocol.subpacket_time(pubkey.created),  # signature time
+        protocol.subpacket_time(subkey.created),  # signature time
        protocol.subpacket_byte(0x1B, flags)]

    unhashed_subpackets = []
@@ -93,9 +92,8 @@ def create_subkey(primary_bytes, pubkey, signer_func):
        unhashed_subpackets.append(protocol.subpacket(32, embedded_sig))
    unhashed_subpackets.append(protocol.CUSTOM_SUBPACKET)

-    log.info('confirm signing with primary key')
-    if not primary['_is_custom']:
-        signer_func = keyring.create_agent_signer(primary['user_id'])
+    if not signature['_is_custom']:
+        signer_func = keyring.create_agent_signer(user_id['value'])

    signature = protocol.make_signature(
        signer_func=signer_func,
@@ -106,22 +104,3 @@ def create_subkey(primary_bytes, pubkey, signer_func):
        unhashed_subpackets=unhashed_subpackets)
    sign_packet = protocol.packet(tag=2, blob=signature)
    return primary_bytes + subkey_packet + sign_packet
-
-
-def load_from_public_key(pubkey_dict):
-    """Load correct public key from the device."""
-    log.debug('pubkey_dict: %s', pubkey_dict)
-    user_id = pubkey_dict['user_id']
-    created = pubkey_dict['created']
-    curve_name = protocol.get_curve_name_by_oid(pubkey_dict['curve_oid'])
-    ecdh = (pubkey_dict['algo'] == protocol.ECDH_ALGO_ID)
-
-    conn = device.HardwareSigner(user_id, curve_name=curve_name)
-    pubkey = protocol.PublicKey(
-        curve_name=curve_name, created=created,
-        verifying_key=conn.pubkey(ecdh=ecdh), ecdh=ecdh)
-    assert pubkey.key_id() == pubkey_dict['key_id']
-    log.info('%s created at %s for "%s"',
-             pubkey, _time_format(pubkey.created), user_id)
-
-    return pubkey, conn