Cleartext signing with CR character.

alex abc3def at gmail.com
Tue Feb 4 23:57:42 CET 2014


Hello.

I am trying to generate a cleartext signed message using BouncyCastle. And
I validate results using GnuPG. I have a problem with CR (\r) characters.

The data on input
    "A\rB"

I write such text into cleartext section
    "-----BEGIN PGP SIGNED MESSAGE-----\r\n"
    "Hash: SHA1\r\n"
    "A\rB\r\n"
    "-----BEGIN PGP SIGNATURE-----\r\n"

Then I compute signature from string
    "A\rB"
and write the remainder of the "PGP SIGNATURE" section...

Then I try to validate result message using
    "gpg2 --verify 01.asc"

but I get this error:
    "BAD signature"

The main question that I have is: "If I ask GnuPG to sign/verify "A\rB"
text, what bytes will it send to signature generator?"

I have found a function
    copy_clearsig_text

in
    gnupg-2.0.20\g10\textfilter.c

that seems to be computing the signature for cleartext signed messages. And, if
I've understood the code correctly, there is no difference for GnuPG between
\r or \t or just white space ' '. But when I create myself a message from
"A B", and then validate using "gpg2" it succeeds saying "Good signature".

There are a number of tests I've done so far like this:

    assert("Hola\r\n", "Hola");

The first argument is the text as I want it to be written into the cleartext
section (notice that I explicitly specify the last CRLF before "BEGIN PGP
SIGNATURE").

The second argument specifies the data *as is* to compute the signature
from. I.e. there is no normalization done for this argument. I specify
exactly what is to be used for signature generation.

The "assert" function takes those arguments, generates a cleartext signed
message (with the help of BouncyCastle), and then asks "gpg2" to verify
the signature.

Here are my results:

    assert("A\r\n", "A"); // OK
    assert("A\nB\r\n", "A\r\nB"); // OK
    assert("A\r\r\r\r\n", "A"); // OK
    assert("A\r\r\r\nB\r\n", "A\r\nB"); // OK

    assertClearSign(null, "A\tB\r\n", "A\tB"); // OK

    assert("A\rB\r\n", "A\rB"); // BAD
    assert("A\rB\r\n", "A\r\nB"); // BAD
    assert("A\rB\r\n", "A\nB"); // BAD
    assert("A\rB\r\n", "AB"); // BAD
    assert("A\rB\r\n", "A B"); // BAD

So I've done a bunch of tests trying to figure out how to compute the signature
from "A\rB" but no luck...

Can you explain how GnuPG works with "\r" chars in text?

BTW, my version is:

    gpg (GnuPG) 2.0.20 (Gpg4win 2.1.1)
    libgcrypt 1.5.2
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: C:/Users/Sasha/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

- Alex
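
Added example, not part of the original post and not GnuPG or BouncyCastle code: a Python model of the cleartext-signature canonicalisation in RFC 4880 section 7.1 (lines end at LF, trailing spaces and tabs are removed, lines are joined with CRLF, the final line ending is not signed), checked against the rows reported as OK above. Trimming trailing CR is an assumption inferred from those rows, all function names are hypothetical, and because the post does not establish what gpg2 hashes for a CR inside a line, the sketch only flags such lines.

```python
# Added example: models RFC 4880 section 7.1 text canonicalisation.
# Assumption: a trailing "\r" is trimmed like trailing space/tab; this is
# inferred from the rows the post reports as OK, not taken from the RFC.
TRAILING = b" \t\r"

def split_lines(body: bytes) -> list:
    """Split the cleartext section at LF, undo dash-escaping, trim line ends."""
    lines = body.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # line ending before BEGIN PGP SIGNATURE is not signed
    out = []
    for line in lines:
        if line.startswith(b"- "):
            line = line[2:]  # dash-escaped line: the prefix is not hashed
        out.append(line.rstrip(TRAILING))
    return out

def canonical_signed_text(body: bytes) -> bytes:
    """Bytes this model expects to be fed to the signature hash."""
    return b"\r\n".join(split_lines(body))

def bare_cr_lines(body: bytes) -> list:
    """1-based numbers of lines that still hold a CR after trimming."""
    return [n for n, line in enumerate(split_lines(body), 1) if b"\r" in line]

# Rows copied from the post: (cleartext section as written, data that verified).
OK_ROWS = [
    (b"A\r\n", b"A"),
    (b"A\nB\r\n", b"A\r\nB"),
    (b"A\r\r\r\r\n", b"A"),
    (b"A\r\r\r\nB\r\n", b"A\r\nB"),
    (b"A\tB\r\n", b"A\tB"),
]

def check_ok_rows() -> list:
    """True for each OK row whose signed data matches the model."""
    return [canonical_signed_text(body) == signed for body, signed in OK_ROWS]

if __name__ == "__main__":
    print(check_ok_rows())
    # The failing input from the post: the model cannot say what gpg2 hashes
    # here, so a signer built on it should reject or normalise such input.
    print(bare_cr_lines(b"A\rB\r\n"))
```
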