Red Hat Bugzilla – Bug 1233182
RSA-{E,S} public keys cannot be imported
Last modified: 2016-11-03 21:30:34 EDT
Description of problem:
RSA-{E,S} public keys cannot be imported using --import. gpg throws error "no valid user IDs". Using -v gpg says: "unsupported public key algorithm". --list-packets can't handle it either.

Version-Release number of selected component (if applicable):
2.0.22-3.el7

How reproducible:
always

Steps to Reproduce:
1. try to import an RSA-E or RSA-S public key

Actual results:
the key does not get imported

Expected results:
the key gets imported

Additional info:
libgcrypt in RHEL 7 does not support RSA-{E,S}. This has been addressed later in libgcrypt's upstream commit 773e23698218755e9172d2507031a8263c47cc0b. Before that, the issue was addressed in gnupg in upstream commit 30ec869b8c63f1edcc58110ed20b83b0e77248f8.
Using --allow-non-selfsigned-uid works around the issue.
You're referencing commits from different upstream branches of gnupg and libgcrypt and they probably would not be easily backportable.
See also: https://lists.gnupg.org/pipermail/gnupg-devel/2009-September/025364.html
Created attachment 1040457
proposed patch for RHEL 7.1

The attached patch solves the issue.
The patch needs some work - you're duplicating the mapping in the map_pk_openpgp_to_gcry and the individual callers, and there are other places where the map is not called and which you're not patching - such as pubkey_nbits().

This is the upstream patch from the 2.0 branch, which on the other hand does not patch the map_pk_openpgp_to_gcry() so it might be incomplete.
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blobdiff;f=g10/misc.c;h=82a13aa9a4e41897aae4b4fe8138504c4cf7cf03;hp=9b7c8ab4e6b75d766d729b4eb87fb23264897f8d;hb=efecbb7a3f0c32ea40db3a050c89f288550b05c2;hpb=dc941bdaec29d2fc60e2bddf85e11568367f531c
(In reply to Tomas Mraz from comment #7)
> The patch needs some work - you're duplicating the mapping in the
> map_pk_openpgp_to_gcry and the individual callers, and there are other
> places where the map is not called and which you're not patching - such as
> pubkey_nbits().

You seem to be right. Thanks for pointing that out! I have missed that.

The reason is that I first followed the approach in the upstream commit 30ec869b8c63f1edcc58110ed20b83b0e77248f8. That made --list-packets work. --import, however, did not work yet, so I studied where it still needed fixing and, looking at where it keeps failing and what functions are called from there, I concluded that map_pk_openpgp_to_gcry() is the best place to perform the mapping.

While I confirmed that --import works after introducing the mapping in map_pk_openpgp_to_gcry(), I have not checked whether the previously added mappings in pubkey_get_n*() are still necessary. And they do not seem to be necessary, as all pubkey_get_n*() functions call map_pk_openpgp_to_gcry() right after the mapping I have added.

I'll fix the patch later today.
Created attachment 1040931
proposed patch for RHEL 7.1

This patch addresses the issues mentioned in comment #7.
Comment on attachment 1040931
proposed patch for RHEL 7.1

Yes, this looks OK.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2238.html
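An added example (not GnuPG's code and not part of the bug thread) of the design the comments converge on: one mapping function normalizes RSA-E and RSA-S to RSA, and a caller that parses a v4 public-key packet body relies on it instead of carrying its own mapping. The function names, the backend enum and the sample packet are hypothetical and constructed for illustration; the algorithm IDs and packet layout follow RFC 4880.

```c
#include <stddef.h>
#include <stdint.h>

/* OpenPGP public-key algorithm IDs (RFC 4880, section 9.1). */
enum { PGP_RSA = 1, PGP_RSA_E = 2, PGP_RSA_S = 3, PGP_ELG_E = 16, PGP_DSA = 17 };
/* Hypothetical backend IDs standing in for the crypto library's own. */
enum { BACKEND_NONE = 0, BACKEND_RSA = 1, BACKEND_ELG = 16, BACKEND_DSA = 17 };

/* The single normalization point: RSA-E and RSA-S carry the same key
   material as RSA, so all three map to one backend algorithm. */
static int map_openpgp_to_backend(int algo)
{
    switch (algo) {
    case PGP_RSA: case PGP_RSA_E: case PGP_RSA_S: return BACKEND_RSA;
    case PGP_ELG_E: return BACKEND_ELG;
    case PGP_DSA:   return BACKEND_DSA;
    default:        return BACKEND_NONE;
    }
}

/* Read one MPI: 2-octet big-endian bit count, then the value octets.
   Returns the octets consumed, or 0 if the buffer is truncated. */
static size_t read_mpi(const uint8_t *p, size_t len, unsigned *bits)
{
    if (len < 2) return 0;
    *bits = ((unsigned)p[0] << 8) | p[1];
    size_t need = 2 + (*bits + 7) / 8;
    return need <= len ? need : 0;
}

/* Parse a v4 public-key packet body (version, 4-octet creation time,
   algorithm, MPI n, MPI e). Returns the modulus size in bits,
   -1 for an unsupported algorithm, -2 for a malformed body. */
int rsa_packet_nbits(const uint8_t *body, size_t len)
{
    unsigned nbits, ebits;
    if (len < 6 || body[0] != 4) return -2;
    if (map_openpgp_to_backend(body[5]) != BACKEND_RSA) return -1;
    size_t used = read_mpi(body + 6, len - 6, &nbits);
    if (!used) return -2;
    if (!read_mpi(body + 6 + used, len - 6 - used, &ebits)) return -2;
    return (int)nbits;
}

/* Constructed sample: creation time 0, 16-bit modulus 0xC001, exponent 17.
   The caller picks the algorithm octet and how much of the body is passed. */
int sample_nbits(uint8_t algo, size_t len)
{
    uint8_t body[13] = { 4, 0, 0, 0, 0, 0, 0x00, 0x10, 0xC0, 0x01, 0x00, 0x05, 0x11 };
    body[5] = algo;
    return rsa_packet_nbits(body, len);
}
```

Because the parser never compares against the RSA-E or RSA-S IDs itself, adding or removing an alias touches only the mapping function.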