keyfork-derive-openpgp: fix encryption keys
This commit is contained in:
parent
ee258ac115
commit
01fce410a5
|
@ -21,6 +21,9 @@ pub enum Error {
|
||||||
#[error("{0}")]
|
#[error("{0}")]
|
||||||
Anyhow(#[from] anyhow::Error),
|
Anyhow(#[from] anyhow::Error),
|
||||||
|
|
||||||
|
#[error("Key configured with both encryption and non-encryption key flags: {0:?}")]
|
||||||
|
InvalidKeyFlags(KeyFlags),
|
||||||
|
|
||||||
#[error("Incorrect derived data: {0}")]
|
#[error("Incorrect derived data: {0}")]
|
||||||
IncorrectDerivedData(#[from] TryFromDerivationResponseError),
|
IncorrectDerivedData(#[from] TryFromDerivationResponseError),
|
||||||
|
|
||||||
|
@ -79,13 +82,32 @@ pub fn derive(data: DerivationResponse, keys: &[KeyFlags], userid: UserID) -> Re
|
||||||
// Generate subkey
|
// Generate subkey
|
||||||
let index = u32::try_from(index)?;
|
let index = u32::try_from(index)?;
|
||||||
let derived_key = xprv.derive_child(&DerivationIndex::new(index, true)?)?;
|
let derived_key = xprv.derive_child(&DerivationIndex::new(index, true)?)?;
|
||||||
let subkey = Key::from(
|
let is_enc =
|
||||||
|
subkey_flags.for_transport_encryption() || subkey_flags.for_storage_encryption();
|
||||||
|
let is_non_enc = subkey_flags.for_certification()
|
||||||
|
|| subkey_flags.for_signing()
|
||||||
|
|| subkey_flags.for_authentication();
|
||||||
|
let subkey = if is_enc && is_non_enc {
|
||||||
|
return Err(Error::InvalidKeyFlags(subkey_flags.clone()));
|
||||||
|
} else if is_enc {
|
||||||
|
Key::from(
|
||||||
|
Key4::<_, SubordinateRole>::import_secret_cv25519(
|
||||||
|
&PrivateKey::to_bytes(derived_key.private_key()),
|
||||||
|
None,
|
||||||
|
None,
|
||||||
|
epoch,
|
||||||
|
)
|
||||||
|
.expect("keyforkd gave invalid cv25519 key"),
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
Key::from(
|
||||||
Key4::<_, SubordinateRole>::import_secret_ed25519(
|
Key4::<_, SubordinateRole>::import_secret_ed25519(
|
||||||
&PrivateKey::to_bytes(derived_key.private_key()),
|
&PrivateKey::to_bytes(derived_key.private_key()),
|
||||||
epoch,
|
epoch,
|
||||||
)
|
)
|
||||||
.unwrap(),
|
.expect("keyforkd gave invalid ed25519 key"),
|
||||||
);
|
)
|
||||||
|
};
|
||||||
|
|
||||||
// As per OpenPGP spec, signing keys must backsig the primary key
|
// As per OpenPGP spec, signing keys must backsig the primary key
|
||||||
let builder = if subkey_flags.for_signing() {
|
let builder = if subkey_flags.for_signing() {
|
||||||
|
|
Loading…
Reference in New Issue