9
0
Fork
You've already forked locksmith
0

fix: fall back to SHA-512 when cert declares no preferred hash #5

Open
vkobel wants to merge 1 commit from fix/preferred-hash-fallback into main
pull from: fix/preferred-hash-fallback
merge into: caution:main
caution:main
caution:feat/hosted-keymaker
caution:deploy/hosted
caution:deploy-tests
caution:anton/fix-error-handling

send-shard failed signing with "no hash algorithms were valid on certificate ...", rpgpie required certs to declare a Preferred Hash Algorithms subpacket, which keyfork-generated certs don't have → NoHashAlgo.

Fix: select_signing_hash() picks the cert's preferred accepted hash, else defaults to SHA-512 (applied to smartcard + TSK paths; drops unused NoHashAlgo).

Tests: 3 unit tests + verified end-to-end (shard accepted). Includes rustfmt-only changes to locksmithd.rs.

send-shard failed signing with "no hash algorithms were valid on certificate ...", rpgpie required certs to declare a Preferred Hash Algorithms subpacket, which keyfork-generated certs don't have → NoHashAlgo. Fix: select_signing_hash() picks the cert's preferred accepted hash, else defaults to SHA-512 (applied to smartcard + TSK paths; drops unused NoHashAlgo). Tests: 3 unit tests + verified end-to-end (shard accepted). Includes rustfmt-only changes to locksmithd.rs.
rpgpie rejected certs without a Preferred Hash Algorithms subpacket
 (e.g. keyfork-generated certs) with NoHashAlgo, breaking send-shard
 signing. Select the cert's preferred hash or default to SHA-512.
Author
Owner
Copy link

Optionally, we can fix this in keyfork too: https://git.distrust.co/public/keyfork/pulls/93

Optionally, we can fix this in keyfork too: https://git.distrust.co/public/keyfork/pulls/93
Author
Owner
Copy link

TODO: once merged, will need to update the pinned version of locksmith in platform

TODO: once merged, will need to update the pinned version of locksmith in platform
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin fix/preferred-hash-fallback:fix/preferred-hash-fallback
git switch fix/preferred-hash-fallback

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff fix/preferred-hash-fallback
git switch fix/preferred-hash-fallback
git rebase main
git switch main
git merge --ff-only fix/preferred-hash-fallback
git switch fix/preferred-hash-fallback
git rebase main
git switch main
git merge --no-ff fix/preferred-hash-fallback
git switch main
git merge --squash fix/preferred-hash-fallback
git switch main
git merge --ff-only fix/preferred-hash-fallback
git switch main
git merge fix/preferred-hash-fallback
git push origin main
Sign in to join this conversation.
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
caution/locksmith!5
Reference in a new issue
caution/locksmith
No description provided.
Delete branch "fix/preferred-hash-fallback"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?