keyfork-derive-openpgp: fix encryption keys

This commit is contained in:
Ryan Heywood 2023-11-05 23:57:41 -06:00
parent ee258ac115
commit 01fce410a5
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 28 additions and 6 deletions

View File

@ -21,6 +21,9 @@ pub enum Error {
#[error("{0}")] #[error("{0}")]
Anyhow(#[from] anyhow::Error), Anyhow(#[from] anyhow::Error),
#[error("Key configured with both encryption and non-encryption key flags: {0:?}")]
InvalidKeyFlags(KeyFlags),
#[error("Incorrect derived data: {0}")] #[error("Incorrect derived data: {0}")]
IncorrectDerivedData(#[from] TryFromDerivationResponseError), IncorrectDerivedData(#[from] TryFromDerivationResponseError),
@ -79,13 +82,32 @@ pub fn derive(data: DerivationResponse, keys: &[KeyFlags], userid: UserID) -> Re
// Generate subkey // Generate subkey
let index = u32::try_from(index)?; let index = u32::try_from(index)?;
let derived_key = xprv.derive_child(&DerivationIndex::new(index, true)?)?; let derived_key = xprv.derive_child(&DerivationIndex::new(index, true)?)?;
let subkey = Key::from( let is_enc =
Key4::<_, SubordinateRole>::import_secret_ed25519( subkey_flags.for_transport_encryption() || subkey_flags.for_storage_encryption();
&PrivateKey::to_bytes(derived_key.private_key()), let is_non_enc = subkey_flags.for_certification()
epoch, || subkey_flags.for_signing()
|| subkey_flags.for_authentication();
let subkey = if is_enc && is_non_enc {
return Err(Error::InvalidKeyFlags(subkey_flags.clone()));
} else if is_enc {
Key::from(
Key4::<_, SubordinateRole>::import_secret_cv25519(
&PrivateKey::to_bytes(derived_key.private_key()),
None,
None,
epoch,
)
.expect("keyforkd gave invalid cv25519 key"),
) )
.unwrap(), } else {
); Key::from(
Key4::<_, SubordinateRole>::import_secret_ed25519(
&PrivateKey::to_bytes(derived_key.private_key()),
epoch,
)
.expect("keyforkd gave invalid ed25519 key"),
)
};
// As per OpenPGP spec, signing keys must backsig the primary key // As per OpenPGP spec, signing keys must backsig the primary key
let builder = if subkey_flags.for_signing() { let builder = if subkey_flags.for_signing() {