fix: Read real value of the RSA modulus instead of using a hardcoded one

Previous implementation assumed the moduli of 65537 instead of reading the real value from the public key. Adjust the code and test it against a key using 257 for the modulus. Fixes: #72 See: https://github.com/wiktor-k/gen-rsa-exp-pgp Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>

fix: Read real value of the RSA modulus instead of using a hardcoded one
1217a944 · Wiktor Kwapisiewicz · 38be71bf · 1217a944 · 1217a944 · 1217a944
Verified Commit 1217a944 authored 6 months ago by Wiktor Kwapisiewicz
--- a/.codespellrc
+++ b/.codespellrc
 [codespell]
-skip = .cargo,.git,target,.env,Cargo.lock
+skip = .cargo,.git,target,.env,Cargo.lock,*.asc
 ignore-words-list = crate,passt,ser
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -26,7 +26,7 @@ path = [
    "justfile",
    "lychee.toml",
    ".lycheeignore",
-    "nethsm/tests/*.asc",
+    "nethsm/tests/fixtures/*.asc",
 ]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "Signstar Contributors"

--- a/nethsm/src/openpgp.rs
+++ b/nethsm/src/openpgp.rs
@@ -79,6 +79,10 @@ pub enum Error {
    /// Multiple component keys are unsupported
    #[error("Unsupported multiple component keys")]
    UnsupportedMultipleComponentKeys,
+
+    /// The key format used is unsupported
+    #[error("Unsupported key format: {public_params:?}")]
+    UnsupportedKeyFormat { public_params: Box<PublicParams> },
 }

 /// PGP-adapter for a NetHSM key.
@@ -335,16 +339,21 @@ pub fn tsk_to_private_key_import(
    let SecretParams::Plain(secret) = key.primary_key.secret_params() else {
        return Err(crate::Error::OpenPgp(Error::PrivateKeyPassphraseProtected));
    };
-    // ensure, that we have sufficient bit length
-    if let PublicParams::RSA { n, .. } = key.public_params() {
-        key_type_matches_length(KeyType::Rsa, Some(n.as_bytes().len() as u32 * 8))?
-    }
-    Ok(match secret {
-        PlainSecretParams::RSA { p, q, .. } => (
-            PrivateKeyImport::from_rsa(p.as_bytes().to_vec(), q.as_bytes().to_vec(), vec![1, 0, 1]),
-            KeyMechanism::RsaSignaturePkcs1,
-        ),
-        PlainSecretParams::ECDSA(bytes) => {
+    Ok(match (secret, key.public_params()) {
+        (PlainSecretParams::RSA { p, q, .. }, PublicParams::RSA { n, e }) => {
+            // ensure, that we have sufficient bit length
+            key_type_matches_length(KeyType::Rsa, Some(n.as_bytes().len() as u32 * 8))?;
+
+            (
+                PrivateKeyImport::from_rsa(
+                    p.as_bytes().to_vec(),
+                    q.as_bytes().to_vec(),
+                    e.as_bytes().to_vec(),
+                ),
+                KeyMechanism::RsaSignaturePkcs1,
+            )
+        }
+        (PlainSecretParams::ECDSA(bytes), _) => {
            let ec = if let PublicParams::ECDSA(pp) = key.primary_key.public_params() {
                pp.try_into()?
            } else {
@@ -356,14 +365,14 @@ pub fn tsk_to_private_key_import(
                KeyMechanism::EcdsaSignature,
            )
        }
-        PlainSecretParams::EdDSA(bytes) => (
+        (PlainSecretParams::EdDSA(bytes), _) => (
            PrivateKeyImport::from_raw_bytes(crate::KeyType::Curve25519, bytes)?,
            KeyMechanism::EdDsaSignature,
        ),
-        params => {
-            return Err(crate::Error::OpenPgp(Error::KeyData(format!(
-                "Unsupported key data: {params:?}"
-            ))))
+        (_, public_params) => {
+            return Err(crate::Error::OpenPgp(Error::UnsupportedKeyFormat {
+                public_params: Box::new(public_params.clone()),
+            }))
        }
    })
 }
@@ -891,10 +900,10 @@ mod tests {
    }

    #[test]
-    fn private_key_import_zero_padding() -> TestResult {
+    fn private_key_import_ed25199_is_correctly_zero_padded() -> TestResult {
        let mut key_data = vec![];
        SignedSecretKey::from_armor_single(std::fs::File::open(
-            "tests/ed25519-key-with-31-byte-private-key-scalar.asc",
+            "tests/fixtures/ed25519-key-with-31-byte-private-key-scalar.asc",
        )?)?
        .0
        .to_writer(&mut key_data)?;
@@ -911,4 +920,24 @@ mod tests {

        Ok(())
    }
+
+    #[test]
+    fn private_key_import_rsa_key_with_nonstandard_moduli_is_read_correctly() -> TestResult {
+        let mut key_data = vec![];
+        SignedSecretKey::from_armor_single(std::fs::File::open(
+            "tests/fixtures/rsa-key-with-modulus-e-257.asc",
+        )?)?
+        .0
+        .to_writer(&mut key_data)?;
+
+        let import: nethsm_sdk_rs::models::KeyPrivateData =
+            tsk_to_private_key_import(&key_data)?.0.into();
+
+        let data = Base64::decode_vec(&import.public_exponent.unwrap())?;
+
+        // this key used a non-standard modulus (e) of 257
+        assert_eq!(data, vec![0x01, 0x01]); // 257 in hex
+
+        Ok(())
+    }
 }
--- a/nethsm/tests/ed25519-key-with-31-byte-private-key-scalar.asc
+++ b/nethsm/tests/ed25519-key-with-31-byte-private-key-scalar.asc
--- a/nethsm/tests/fixtures/rsa-key-with-modulus-e-257.asc
+++ b/nethsm/tests/fixtures/rsa-key-with-modulus-e-257.asc
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xcLXBGbhhXUBCACWSZ4x8aDxUtkQe90x4r7pE75fcJoIRH7JZdWRe3pQ/XKxfY2u
+LFP+iQBBufPu6X27Zbg+JDSQFWNKbeix8fT/sGXu1KcUeLsBO8cGP7ljSJZ9vlR7
+LpqfOjayAAN8sQeJjyIQU0etOwnm+Q0SnKCzCsgL2GbKlGMan4uNaVp5QyzHJHO9
+4SpwQCeXROdfJpXV5Jlb2ZbyFz1+6IjChTMjWJSVLTpbHlzsP32g81dSk344UUEi
+Pa2zhQLCfyS3Lm64NZ5AlnW6hB9B6+fJJ3rMBlNXmuNcXoRuOWg0GfVPsgahV84+
+YakOH0uU7E9pCXoWGp72gsJpRQAXVN80OR+zAAkBAQAH/1l4hwTUlJue5NYEAy+g
+4zYWthD5Urw0uwtSihnY8ydAOVLBSGSzymi3Kf1K1/HXtHCPO+FCYQkTtKLY1zse
+fO/gjF9duiEbDLcFtD59mDQiP7F1SzJsbfsunBRNtGEkqNheLS6TMqPkZIaEVHuj
+BLugwwITSHwvnxs7XoJ7SVS6GTPklHL4JTHYs3d0xOMzVVPdJf+2hy4JP+G4VZ+
+N+JVXVZAM/G3167k2ZYml6lYrmJbFPlkvXfkJCc/5mAXzzYP9FgvKDN/09QTJYkH
+qI2h0Dnkg923ZTSujtr83mU0Rv6a8ROOcbg6uRRjQMB8T0ZTNyC7p03Fcpv0q6bp
+8rEEAMMahKUA6AliFmgUPiG46STRrBU45Ef2NPcIkYmhKsktSLwObjjEr/IBDe6d
+SDBHnOBhVXr1ndsk2/pwKtzV4bJI0H59Ipv250ad9nvVyLyolEpVWLHkpT4PrWnP
+7PQzWBMoWJsz1NiTplh3MZHjpjD0CfzDCzMpnUi0Z3WxGjTLBADFMiNZy9aJszUv
+TFyfVODTgk6o3V75teQtICDF4GGW91791hOUlVK1VVAa1UIrozYm7tfni2GwvpTm
+XV4R4IQdckimyu8Yvxgd0UwOyJgnMjG1SFWW5S42TgC3bM3fNHI+T9Ygmw9StssE
+La30uohwT+k+6GfanTqXgBmKb8TLuQP/au05u8AztOsfA5fAB+gb68yAH3FqSTHD
+nkq87qC+mP3DKyxzpgUE0nkb+xQxhGtouwCxSjEFt694uTTR6UlMMGCvuBHxaq80
+M8R6GSGvJy3vJJwQztICksdG4ls6e+ZrXIwyQmewHiPSiVTBjHR7wBHCTV3pUUtc
+IT1E+DFg82w/as0EdGVzdMLAgQQQAQgAKwIZAQUCZuGFdQIbAwELARUBFgEnFiEE
+Qw7stYV7s5SGuIQk3janGljeSR8ACgkQ3janGljeSR+pKggAiAG0ONm33eNUmPP/
+vhLbMo6CocbxU9swuei7tBZj5QCo+8AXlBDBgjRIM5vtXh7gFZNb/HW/jBcX2rkm
+GgyH+5L/iZ05cwQEWzQyuPncUjcRqQzDiE49suh5gig2m2Ux4M0czh46MV3/fn7b
+WVuLvqBilqQYVkZvUpouJHc8JvWNqQ39YnPwP9fbb9Xlot0pRLb17sw8XGHMuuQZ
+vWG9K/gV7XOyFgZbWeMFFzlTz2l8+ZlCRfbwFRcfcJLVkpMwzjBl9Vd1aCZ7MaMz
+EcXCCPrBjLfl05FHWTBIUxF7+8ezzhqV+itei+1l0Sf1950U5iiL8dEdSZa5HlM7
+4qQrYA==
+=ZDbJ
+-----END PGP PRIVATE KEY BLOCK-----