Crypt::OpenPGP does not use encryption subkey, ignores key usage

[maertsen]

Crypt::OpenPGP does not use an encryption subkey if available and uses the primary (sign-only) key for encryption. This is unfortunate for those of us using the subkey mechanism to store the primary key offline; a Crypt::OpenPGP will consequently encrypt to a private key not available.
(And decrypting with a signing key would be unwise in any case)

I found out about this while trying to use the secure e-mail mechanism of Bugzilla (Mozilla's own instance). An independent bugreport was filed earlier [1]. A workaround consists of manually splitting public keys, but this is tedious and error-prone.

Is there any chance support for key usage could be implemented?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=790487

[hsivonen]

Specifically, I'd expected Crypt::OpenPGP to encrypt to the non-revoked encryption subkey whose expiry time is the furthest in the future.

[sergeyromanov]

Is there any chance support for key usage could be implemented?

Patches are very welcome at the very least!

[isislovecruft]

For what it's worth, I think this bug stems from these lines:

my @valid = $pkg->all_props;
my %valid = map { $_ => 1 } @valid;

which map the key usage to the whether or not the key should be used according to subroutines like can_encrypt().

Since it appears that the Mozillians are too nice to say anything about it, this bug is blocking Mozilla bug 790487, which is causing the email report mechanism for security-critical bugs at Mozilla to not function correctly. Since I'm not a Mozillian, I don't mind pointing being the asshole who points out that you're fucking their shit up.

[towo]

FWIW, this is not entirely correct. The test e-mail gets sent successfully and to the right address, just other mails are an issue.

[towo]

Another FYI update - we assumed this was a partial bug related to this, but the most "recent" version of the securemail extension (https://github.com/bugzilla/extensions-SecureMail) solved our issues.

[sysrqb]

This is still a problem. I just received an email from bugzilla.mozilla.org encrypted using my primary public key. Has anyone looked at this? Is Isis' suggestion regarding what's causing this wrong or was it ignored?

Thanks.

[teythoon]

AFAICS Crypt::OpenPGP considers RSA keys encryption-capable without looking at the relevant binding signature's key flags subpacket:

 % git grep can_encrypt
lib/Crypt/OpenPGP/Certificate.pm:sub can_encrypt { $_[0]->{key}->can_encrypt }
lib/Crypt/OpenPGP/Certificate.pm:=head2 $cert->can_encrypt
lib/Crypt/OpenPGP/Key.pm:sub can_encrypt { 0 }
lib/Crypt/OpenPGP/Key.pm:=head2 $key->can_encrypt
lib/Crypt/OpenPGP/Key/Public/ElGamal.pm:sub can_encrypt { 1 }
lib/Crypt/OpenPGP/Key/Public/RSA.pm:sub can_encrypt { 1 }
lib/Crypt/OpenPGP/Key/Secret/ElGamal.pm:*can_encrypt = \&Crypt::OpenPGP::Key::Public::ElGamal::can_encrypt;
lib/Crypt/OpenPGP/Key/Secret/RSA.pm:*can_encrypt = \&Crypt::OpenPGP::Key::Public::RSA::can_encrypt;
lib/Crypt/OpenPGP/KeyBlock.pm:        return $key if $key->can_encrypt;