openpgp unsupported feature #46

Closed
apiote opened this issue Dec 1, 2018 · 68 comments · Fixed by #102
@apiote (Contributor) commented Dec 1, 2018

hydroxide auth … results in openpgp: unsupported feature: public key algorithm 22

@emersion (Owner) commented Dec 1, 2018

Seems like a public key not supported by Go's OpenPGP library. Would you be willing to share your public key so that it can be reported upstream?

@yesnomaybeyes:

Hi!

I'm getting the same issue with a brand new protonmail account, am I doing something wrong? :(

@apiote (Contributor, Author) commented Dec 1, 2018

My public key is vanilla — generated by ProtonMail and resides on their keyserver. It’s standard 2048b RSA — never changed.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v3.1.3
Comment: https://openpgpjs.org

xsBNBFambncBCAC6+jFaReHRLmMSVk5nKBDsAeJIxzbcQQRxTHHGLyxu0Wr1
7GEOf9GI4nnN2qheMSaxswU9CtTCa0noKQU7mt6J+yUQFpzZteRbQ/7WWmtR
SwDmr3kq/7rMIwIe7aCWzNL6bZAsWfwOnAgx1mm5Ugwm3hBohDJZGnAulFIN
QMJoP/fH2Ym7n2AFka+zTFE/NGnpJTgd6Hu3XS9lbeGBoY4/7K8cjIYrXuaI
MeOk/hsIWGKtKqE1uYrvoVEI731c/KI7sh3QZjxFVXgOdO6H+Sp+Y5KLkT5O
gIrVgblrwkUqBhVhvWeqN5jAQErPGcocKRALjBbSIPk6qh3O4k4+BSKDABEB
AAHNO2FkYW0ucGlvdGVyZWtAcHJvdG9ubWFpbC5jb20gPGFkYW0ucGlvdGVy
ZWtAcHJvdG9ubWFpbC5jb20+wsB1BBABCAApBQJY3pUlBgsJBwgDAgkQJELi
d3bgpXgEFQgKAgMWAgECGQECGwMCHgEAAA9hB/9d0BfRtZXUcoGVgPMh/BEK
SVfAS4dMJNevE6Xzst5bQee7b49RU0NZgpFGSLjWXTli0B8rfq9X9ZYFqi+i
/3aDObubA9Xo/djrqEMgvHBiLCD6WxoBWeXooKTlcTIx4h+mMk0KrGWpou0X
k6wdFBPFSH3Jro8pPLXS5ODrBjSpczNkmW1RuMyKdPjBT+9FN31W2xs4KPyn
fCnxK3GS/m/+H9i7hz45rmN5AXzmiSt1zcUCgD6aqt+rzUEvgduqAxF37LUD
WwsyH4MamWK+YxEawIreBrsKM3u6ia3mEyO1XYmMnkIhJflohw05v59/5Iwk
OcrBU2N/pEd/sUuXbH8zzsBNBFambncBCACzlkqfiOChnjkj0QZJqrWEgbu4
X2C8YuLfSjyhUzFjSkcC5JatkR3+9K0KX7X/Izlj36kzGy6EXATTUHKZpYZ3
YEYqD3NbWcVbEJ8ByT5/gyHq1luUrWcm41g69y8uzutjniMz/qTL/bsaRB9L
fM0O0n6X1UHIePWp9uTcMOIkmESO9py6fvTWlb15Mr4DVmY93z7cyIFSR0u7
2ZBwnMm3dEyc6MH4JijbavdXleerhmzedri6FKz3mCRbz4Z8TgDyGf5NcXD5
XEibLIePX99kMYPzhDnFqucRlt2gDLj/yCXkE7rTv8sBjdXJwkv6ZECM/PEm
8Eb4SiJVhjp2vl5TABEBAAHCwF8EGAEIABMFAljelSYJECRC4nd24KV4AhsM
AADBzAgAkL0NwTAjD+tKtwsO4mPTb5TN1UiU6DIFV2XeTmozUywnCdJjDlH1
DCZ5m3p7k8Q0HCdb5R/QPc+J8QOuqWH0YHCHaZW3qBf9tRe8PT/At14WviVq
uapLPOm4VplsQrP20D/KZPdWyDsepJNzBodhOnXSF4cfsJbg/DSygp+4txIc
vdQunZh7gL17TL6M2JI5suFhu0nmVZhOjdrqAiN6CYqPxItRIQH/DGPKfcsm
jovdDarfn/xCEoTQNSvtxD4cxN6gXEtOUXDt/wd9PK6wUr3CXdvLK189o59h
5khILLQgQOyKt8IMySGDwD8l87kpFiZc9SRvS2hSh6xd2EUs5w==
=hvEC
-----END PGP PUBLIC KEY BLOCK-----

@emersion (Owner) commented Dec 2, 2018

All right, this seems related to this issue: golang/go#18576

@emersion (Owner) commented Dec 2, 2018

FWIW, ProtonMail has a fork with support for ECC signatures. I'm not convinced this is high-quality enough for us to switch to it, it would be a lot better if they/someone upstreamed it. However one could try to use it instead of x/crypto/openpgp.

@emersion (Owner) commented Dec 3, 2018

Maybe we could check if the Keybase fork supports it.

@emersion emersion added the bug label Dec 3, 2018
@d4hines commented Dec 8, 2018

At the risk of betraying how ignorant I am of these cryptographic matters, I'm curious: how did this change out from under us? This was working just a week or two ago; what's the difference now? Is there anything I can do to get it working again or fix the problem?

@emersion (Owner) commented Dec 8, 2018

@apiote I can load your public key without any issue. Here's the code I used: https://gist.github.com/emersion/c71522528309898e67594e259542bb0b

Also useful for debugging is this command: gpg --list-packets --verbose --armor.

Maybe the issue comes from another public key? Or maybe a private key?

@d4hines It would be useful to try to switch to ProtonMail's fork (or Keybase's) and see if it fixes the issue.

@apiote (Contributor, Author) commented Dec 8, 2018

I tried the code with my private key (which I exported some time ago from ProtonMail) and it can be loaded without errors. All my public and private keys work with your code.

I would have to check the key sent after successful authentication (but it should be the same as my exported key).

@DirectorX (Contributor):

✘  ~/projects/hydroxide   master  ./hydroxide auth <redacted>@protonmail.com 
Password: 
2019/01/11 15:27:46 openpgp: unsupported feature: public key algorithm 22

I can confirm that too

@ghost commented Jan 19, 2019

I ran into this today. My key is just the one protonmail sets up for you.

Anything I can do to help figure this out?

edit: I just moved to self hosted

@emersion (Owner):
Try the ProtonMail fork, try the Keybase fork.

@mark-kubacki:

FYI, public key algorithm 22 is EdDSA. You need to verify your implementation with an EdDSA signature. Using an RSA-2048 key (from above) in this context is misleading.

The fastest way to get one is to generate an ed25519 keypair with gpg and sign something with it.

$ cat >/tmp/new-key.conf <<EOF
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Name-Real: Some User
Name-Email: [email protected]
Subkey-Type: eddsa
Subkey-Curve: Ed25519
Subkey-Usage: sign
Expire-Date: 2022-02-22
Preferences: AES256 AES192 AES SHA256 Uncompressed
%commit
EOF

$ gpg --batch --gen-key /tmp/new-key.conf
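The two debugging hints above (gpg --list-packets, and the fact that algorithm 22 is EdDSA) boil down to one question: which key packet in the account's key material carries public-key algorithm ID 22. The Go program below is an added example, not hydroxide's code and not posted by anyone in this thread. It walks a raw OpenPGP packet stream, handles both the old-format headers gpg writes and the new-format headers OpenPGP.js (and so ProtonMail) writes, skips non-key packets by length, and reports version and algorithm of every key packet. The packet header and key packet layouts follow RFC 4880 sections 4.2 and 5.5.2; the algorithm table is RFC 4880 section 9.1 plus RFC 6637 (18, 19) and the rfc4880bis EdDSA registration (22). The names WalkKeyPackets and KeyInfo are chosen here, and the sample bytes are constructed for the demonstration (not a real key; each body is cut short just after the algorithm octet).

```go
package main

import (
	"fmt"
	"os"
)

// KeyInfo describes one key packet: tag 5/7 secret (sub)key, 6/14 public (sub)key.
type KeyInfo struct{ Tag, Version, Algorithm int; Name string }

// 1-3, 16, 17 from RFC 4880; 18, 19 from RFC 6637; 22 is the EdDSA ID (rfc4880bis) that
// gpg and OpenPGP.js emit and that Go's x/crypto/openpgp rejected as "algorithm 22".
var algNames = map[int]string{1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
	16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

// WalkKeyPackets parses old- and new-format packet headers, skips non-key packets by
// length and reports version and public-key algorithm of every key packet it meets.
func WalkKeyPackets(data []byte) ([]KeyInfo, error) {
	var out []KeyInfo
	for off := 0; off < len(data); {
		hdr := data[off]
		if hdr&0x80 == 0 || off+1 >= len(data) {
			return out, fmt.Errorf("offset %d: bad or truncated packet header", off)
		}
		// Length octets sit in data[off+lstart:off+hlen]; base is the fixed part of a length.
		var tag, hlen, blen, lstart, base int
		if hdr&0x40 != 0 { // new format: tag in the low six bits
			tag, lstart = int(hdr&0x3f), 2
			switch l := int(data[off+1]); {
			case l < 192: // one-octet length
				hlen, base = 2, l
			case l < 224: // two-octet length: ((l-192)<<8) + next octet + 192
				hlen, base = 3, ((l-192)<<8)+192
			case l == 255: // four-octet length follows
				hlen = 6
			default: // partial body lengths are legal only on data packets
				return out, fmt.Errorf("offset %d: partial body length not supported", off)
			}
		} else { // old format: tag in bits 2-5, length type in the low two bits
			tag, lstart = int(hdr>>2)&0x0f, 1
			if hdr&3 == 3 {
				return out, fmt.Errorf("offset %d: indeterminate length not supported", off)
			}
			hlen = 1 + 1<<int(hdr&3) // 1, 2 or 4 length octets
		}
		if off+hlen > len(data) {
			return out, fmt.Errorf("offset %d: truncated packet length", off)
		}
		for _, b := range data[off+lstart : off+hlen] {
			blen = blen<<8 | int(b)
		}
		blen += base
		if off+hlen+blen > len(data) {
			return out, fmt.Errorf("offset %d: truncated packet body", off)
		}
		body := data[off+hlen : off+hlen+blen]
		off += hlen + blen
		if tag != 5 && tag != 6 && tag != 7 && tag != 14 {
			continue // user IDs, signatures and so on are skipped
		}
		idx := 5 // v4 and later: version(1) creation time(4) algorithm(1)
		if len(body) > 0 && body[0] == 3 {
			idx = 7 // v3 inserts a two-octet validity period before the algorithm
		}
		if len(body) <= idx {
			return out, fmt.Errorf("tag %d: key packet too short", tag)
		}
		k := KeyInfo{Tag: tag, Version: int(body[0]), Algorithm: int(body[idx])}
		if k.Name = algNames[k.Algorithm]; k.Name == "" {
			k.Name = "unknown"
		}
		out = append(out, k)
	}
	return out, nil
}

// Constructed sample (not a real key): an EdDSA primary key packet with a new-format
// header and an RSA subkey packet with an old-format header, bodies cut short just
// after the octets the walker reads.
var sample = []byte{
	0xC6, 0x0B, // new format, tag 6 (public key), one-octet length 11
	0x04, 0x5C, 0x00, 0x00, 0x00, 0x16, // v4, creation time, algorithm 22 (EdDSA)
	0x09, 0x2B, 0x06, 0x01, 0x04, // start of the Ed25519 curve OID
	0xB8, 0x08, // old format, tag 14 (public subkey), one-octet length 8
	0x04, 0x5C, 0x00, 0x00, 0x00, 0x01, // v4, creation time, algorithm 1 (RSA)
	0x08, 0x00, // start of the first MPI
}

func main() {
	data := sample
	if len(os.Args) > 1 { // a de-armored key file, e.g. the output of gpg --dearmor
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Println("error:", err)
			return
		}
	}
	fmt.Println(WalkKeyPackets(data)) // on the sample: [{6 4 22 EdDSA} {14 4 1 RSA}] <nil>
}
```

To inspect a real key, strip the armor first (gpg --dearmor < key.asc > key.gpg, or base64-decode the lines between the blank line and the "=" CRC line) and pass the file as the first argument. The account key that makes hydroxide fail is whichever primary key or subkey reports algorithm 22; a key block that is RSA throughout, like the one pasted above, parses fine, which is why testing the fix with an RSA key proves nothing.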

@ispringle:

Having this issue as well on my end.

@simonfxr commented Mar 2, 2019

Any progress? I ran into the same problem. Is there anything I can do to help?

@emersion (Owner) commented Mar 2, 2019

Yes. Please try the forks linked above and see if they support your key.

@cookiengineer:

@emersion Can you offer instructions on how to do so for dummies who are not familiar with Go programming?

  • Where do I get my keys from, and how?
  • What to compare against what?
  • What tools to use to verify

Currently this issue is blurry, because I have no effing clue where hydroxide stores the keys, whether it even does or not, and what to do with them.

@mark-kubacki:

The keybase.io fork has what you need.

Please forgive me for not sharing a PR or the like—I don't use this project. Just happened upon the error message.

@emersion (Owner) commented Mar 3, 2019

@wmark Thanks for the pointer.

@cookiengineer Can you try replacing golang.org/x/crypto with github.com/keybase/go-crypto? See this blog post for directions: https://research.swtch.com/vgo-tour#replacing

@liz-desartiges:

I tried to build with the keybase fork, with replace golang.org/x/crypto => github.com/keybase/go-crypto v0.0.0-20181127160227-255a5089e85a inside the go.mod, with no luck. I get

go: github.com/keybase/go-crypto@v0.0.0-20181127160227-255a5089e85a used for two different module paths (github.com/keybase/go-crypto and golang.org/x/crypto)

and it doesn't build.

@emersion (Owner):

A quick fix would be to replace all occurrences of golang.org/x/crypto with github.com/keybase/go-crypto instead.

@ispringle commented Mar 11, 2019

I too attempted to replace /x/crypto/ with /keybase/go-crypto/. I also made sure to replace all calls to */x/crypto/* with the path to the keybase version as well.

$ hydroxide auth <username>
Password: *********
2FA: 123456

Still returns 2019/03/11 14:10:21 openpgp: unsupported feature: public key algorithm 22 so I don't believe this has anything to do with the dependency being used. Here's my fork

@nast90210:

Hi all!
Protonmail has mirror of Golang crypto in github.com/ProtonMail/crypto. May be it can be used to fix that bug?

@emersion (Owner) commented Apr 1, 2019

Yes, that's part of the suggestions above. Please try it.

@Thra11 commented Apr 2, 2019

I tried some of the suggestions:
If I replace all occurrences of golang.org/x/crypto in this repo with github.com/ProtonMail/crypto, go build fails with

build github.com/emersion/hydroxide/cmd/hydroxide: cannot load golang.org/x/crypto/openpgp/ecdh: cannot find module providing package golang.org/x/crypto/openpgp/ecdh

(also, go get puts golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c // indirect in go.mod)

If I replace golang.org/x/crypto with github.com/keybase/go-crypto instead, go build fails with

# github.com/emersion/hydroxide/protonmail
../../protonmail/contacts.go:149:53: too few values in &openpgp.Key literal
../../protonmail/crypto.go:48:68: too few values in openpgp.Key literal
../../protonmail/crypto.go:57:54: too few values in openpgp.Key literal
../../protonmail/crypto.go:81:68: too few values in openpgp.Key literal
../../protonmail/crypto.go:88:54: too few values in openpgp.Key literal

@emersion (Owner) commented Apr 3, 2019

> I don't see the point in doing a Pre-release 0.2.1 as this bug makes it nonfunctional.

Works for me. I'm not affected by this bug so it's not like I personally care. If you care, please investigate and send a patch.

I want to remind you that I'm a volunteer working on this project during my free time. My goal is not to make people use my software. I just share it so that it can be useful to other people too.

@ubergeek77:

With all due respect, I find it a bit alarming that the maintainer of this repository would say something like that.

There isn't a single comment above yours that comes off as self-entitled. Everyone is just trying to help. The community has tried your suggestions, and your suggestions have failed.

We are now turning to you asking what to do next. This is an open source project, but you understand this codebase more than anyone. It makes sense that people would ask you.

You mentioned that you "share it so it can be useful to other people too," but I'm in the same boat as everyone else here - this bug prevents this code from working for me, and therefore it is useless to me. "But it works on my machine" has never been a good enough answer in the history of software development.

I would like to use this software, and while you rightfully can't be compelled to do anything for us, I'm sure I speak for everyone when I say we would appreciate just a little enthusiasm.

@ddevault commented Apr 3, 2019

> There isn't a single comment above yours that comes off as self-entitled

This is ridiculous. The only person who's acting entitled here is you - apparently you're entitled to @emersion's time and work for free. Is that any way to thank someone who's made a great project that you obviously find useful and important? That's sick.

You need to correct your attitude about open source. If you want something, it's up to you to do it. Not anyone else.

@DirectorX (Contributor):

@nast90210 I've tested your latest version of the patch and got a segmentation violation

 /t/hydroxide   0.2.2 ±  ./hydroxide auth ****
Password:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x723174]

goroutine 1 [running]:
github.com/keybase/go-crypto/openpgp.checkDetachedSignature(0x0, 0x0, 0x94d120, 0xc0004aa2d0, 0x94d7c0, 0xc0004d2058, 0x3e, 0xc0000d9b08, 0x3, 0xc000030070)
	/home/void/projects/go/pkg/mod/github.com/keybase/[email protected]/openpgp/read.go:450 +0x1b4
github.com/keybase/go-crypto/openpgp.CheckDetachedSignature(...)
	/home/void/projects/go/pkg/mod/github.com/keybase/[email protected]/openpgp/read.go:411
github.com/emersion/hydroxide/protonmail.decodeModulus(0xc0004ce2c0, 0x282, 0xc0000d9b18, 0xc0000d9b40, 0x66c166, 0xc000176210, 0x0)
	/tmp/hydroxide/protonmail/srp.go:25 +0x138
github.com/emersion/hydroxide/protonmail.srp(0xc0000d9c08, 0x8, 0x20, 0xc0000d22d0, 0x8, 0x20, 0xc00009efc0)
	/tmp/hydroxide/protonmail/srp.go:151 +0x4d
github.com/emersion/hydroxide/protonmail.(*Client).Auth(0xc0000d9f00, 0x7ffc6af7fba2, 0x4, 0xc0000b0370, 0x8, 0x0, 0x0, 0xc0000d22d0, 0x8, 0x8, ...)
	/tmp/hydroxide/protonmail/auth.go:130 +0x9f
main.main()
	/tmp/hydroxide/cmd/hydroxide/hydroxide.go:98 +0xdb8

@emersion (Owner):

For some reason I've been able to reproduce today.

I've pushed a fix which shouldn't weaken security while still using the official Go library. It seems this public key algorithm which isn't yet implemented is only used for SRP. Unfortunately it seems using the Keybase fork doesn't help and introduces more bugs (#51).

@DirectorX (Contributor):

@emersion i'm still getting error (v0.2.2, 139f392/HEAD)

 ~/p/hydroxide   master   ./hydroxide auth ****
Password:
2019/04/14 12:36:56 warning: failed to check SRP modulus signature: openpgp: unsupported feature: public key algorithm 22
2019/04/14 12:36:57 openpgp: unsupported feature: public key type: 22

@emersion emersion reopened this Apr 14, 2019
@emersion (Owner):

Gah. Can you try to track down where this one is coming from? I wonder why the algorithm changes like this from user to user.

I'll try to improve error reporting tonight.

@DirectorX (Contributor):

First we need to understand how your system differs from mine.

I'm using Void Linux (x86_64, glibc)

 ✘  ~  go version
go version go1.12.2 linux/amd64

what other factors can influence?

@emersion (Owner):

Because hydroxide is pure Go, the issue is unlikely to be related to our systems. It's probably a thing on ProtonMail's end.

@emersion (Owner):

Added more details to errors. Does that help?

Does anyone else have this issue?

@DirectorX (Contributor):

 ✘  ~/p/hydroxide   master   ./hydroxide auth ****@protonmail.com
Password:
2019/04/14 20:45:08 warning: failed to check SRP modulus signature: openpgp: unsupported feature: public key algorithm 22
2019/04/14 20:45:09 failed to read key "****@pm.me": failed to read private key: openpgp: unsupported feature: public key type: 22

Pay attention to the pm.me thing. This may be the root of my problem and anyone else with multiple email addresses in his account.

emersion added a commit that referenced this issue Apr 14, 2019
@emersion (Owner):

Can you try again? I updated hydroxide to skip keys it can't read. It won't allow you to use keys the Go library doesn't support, but maybe it'll allow you to use other keys.

@DirectorX (Contributor):

@emersion

 ~/p/hydroxide   master   ./hydroxide auth ****@protonmail.com
Password:
2019/04/14 21:08:01 warning: failed to check SRP modulus signature: openpgp: unsupported feature: public key algorithm 22
2019/04/14 21:08:02 warning: failed to read key "****@pm.me": failed to read private key: openpgp: unsupported feature: public key type: 22
Bridge password: ********************************************

👍

@emersion (Owner):

Good. Will publish a new release with this fix. Leaving this open since we still can't read some keys.

@panpansh commented Jun 7, 2019

warning: failed to check SRP modulus signature: openpgp: unsupported feature: public key algorithm 22
but I have the bridge password ..

@panpansh commented Jun 7, 2019

Need to rewrite some code with their custom crypto lib (https://github.com/ProtonMail/crypto):

pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/contacts.go:167:66: not enough arguments in call to openpgp.CheckArmoredDetachedSignature
        have (openpgp.KeyRing, *bytes.Buffer, io.Reader)
        want (openpgp.KeyRing, io.Reader, io.Reader, *packet.Config)
pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/contacts.go:193:55: not enough arguments in call to openpgp.CheckArmoredDetachedSignature
        have (openpgp.KeyRing, *strings.Reader, *strings.Reader)
        want (openpgp.KeyRing, io.Reader, io.Reader, *packet.Config)
pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/crypto.go:39:15: subkey.Sig.KeyExpired undefined (type *packet.Signature has no field or method KeyExpired)
pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/crypto.go:56:137: i.SelfSignature.KeyExpired undefined (type *packet.Signature has no field or method KeyExpired)
pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/crypto.go:73:15: subkey.Sig.KeyExpired undefined (type *packet.Signature has no field or method KeyExpired)
pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/crypto.go:87:80: i.SelfSignature.KeyExpired undefined (type *packet.Signature has no field or method KeyExpired)
pkg/mod/github.com/emersion/hydroxide@v0.2.4/protonmail/srp.go:28:42: not enough arguments in call to openpgp.CheckDetachedSignature
        have (nil, *bytes.Reader, io.Reader)
        want (openpgp.KeyRing, io.Reader, io.Reader, *packet.Config)

or try to use their custom openpgp: https://github.com/ProtonMail/gopenpgp

@emersion (Owner) commented Jun 8, 2019

gopenpgp is very meh.

I wonder why they broke the crypto API. What is this extra parameter to CheckArmoredDetachedSignature? How to check whether a signature is expired?

@0x00031337:

I have exactly the same issue. Recompilation with Keybase fork failed due to library incompatibility. Is there any solution to the problem?

@emersion (Owner):

These should just be warnings. hydroxide should work fine even if these errors are printed.

@harleylang (Contributor):

I encountered this error with one of my alias addresses and solved it by changing my security key to RSA 2048-bit in my ProtonMail settings and making that key primary.

https://protonmail.com/support/knowledge-base/pgp-key-management/

@TLATER commented Feb 23, 2020

I've attempted what @harleylang suggests with both an rsa-4096 and an rsa-2048 key, but neither seem to work - is this all you did?

@harleylang (Contributor):

@TLATER Yes, as well as making the rsa-2048 the primary key

@BertalanD (Contributor):

I have an ed25519 key set up for my mails. I would like to try to make hydroxide work with it, using either the Protonmail or Keybase go-crypto fork, as suggested in this thread.

I would like to make my case for the Protonmail implementation. It is likely used server-side too, so even if it were the "weakest link", us using it would not further decrease security of the system. It's actively developed and is the most popular fork in terms of stars. We are also implicitly trusting that Protonmail developers do crypto correctly, as OpenPGPjs, the library used by the web client was also originally developed in-house. Furthermore, the recently open-sourced proton-bridge uses it, too.

@emersion Would you merge such a change?
