Fix #12: encryption keys shown 'not connected' when key usage lacks keyEncipherment bit#13
Open
TickoSpy wants to merge 1 commit into
Open
Conversation
…ent bit v1.3.4 (dc69662) gated CanKeyTransfer on an exact keyEncipherment bit and CanKeyAgree on an exact keyAgreement bit. Encryption smartcard certs that mark their key with dataEncipherment (or otherwise omit the exact bit) then failed CanEncryptCms/CanDecryptCms, so GetAllPivKeyPairs dropped the live card key. The unlock dialog fell back to the stale, un-refreshed authorized key from the EKF and showed it as "not connected", blocking database access. Gate encryption capability on any of keyEncipherment | dataEncipherment | keyAgreement and let the key algorithm (pubKeyInfo) pick transfer vs agreement. Pure signing certs stay excluded (PR episource#11 intent); certs without a key-usage extension keep all bits via DefaultIfEmpty. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author
|
Patch was tested an does work with some certificates but not with others. Further testing is needed. |
Owner
|
Thanks for your contribution. After thinking about this, I got to the conclusion, that my initial filtering was to strict. It should only affect the dialog for creating/editing the key file. The decryption process should not be touched. Your PR follows the route of my initial attempt (v1.3.4). Within #14 I've implemented an alternative solution: I moved the filtering to the frontend. Also the filtering can be bypassed if needed by ticking the newly added checkbox "Ignore key usage restrictions (show all)". |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #12.
Problem
v1.3.4 (dc69662, "Exclude certificates with incompatible key usage flags") gated
CanKeyTransferon an exactkeyEnciphermentbit andCanKeyAgreeon an exactkeyAgreementbit.Encryption smartcard certificates that mark their key with
dataEncipherment(common on PIV/RSA cards) — or otherwise omit the exact bit — then failCanEncryptCms/CanDecryptCms.SmartcardKeyPairs.GetAllPivKeyPairs()drops the live card key, soDefaultKeyPairProvider.RefreshImplnever replaces the stale, un-refreshed key deserialized from the EKF. The unlock dialog renders it as "not connected", locking the user out of the database.Fix
Gate encryption capability on a single predicate — any of
keyEncipherment | dataEncipherment | keyAgreement— and let the key algorithm (pubKeyInfo) decide key-transfer vs key-agreement, instead of requiring an exact bit per primitive.Intent of the original change is preserved:
keyUsage = digitalSignature, no encryption bit) remain excluded.CanSignis unchanged (still requiresdigitalSignature).DefaultIfEmpty(~None)and continue to work.Only over-strict exact-bit matching is relaxed; no signing-only certificate is re-admitted.
Testing
Reasoned/static change only — I don't have Windows + the affected smartcard to exercise the CAPI path. Review of the key-usage truth table welcome.
🤖 Generated with Claude Code