Skip to content

Fix #12: encryption keys shown 'not connected' when key usage lacks keyEncipherment bit#13

Open
TickoSpy wants to merge 1 commit into
episource:masterfrom
TickoSpy:fix/issue-12-key-usage-decrypt-lockout
Open

Fix #12: encryption keys shown 'not connected' when key usage lacks keyEncipherment bit#13
TickoSpy wants to merge 1 commit into
episource:masterfrom
TickoSpy:fix/issue-12-key-usage-decrypt-lockout

Conversation

@TickoSpy

Copy link
Copy Markdown

Fixes #12.

Problem

v1.3.4 (dc69662, "Exclude certificates with incompatible key usage flags") gated CanKeyTransfer on an exact keyEncipherment bit and CanKeyAgree on an exact keyAgreement bit.

Encryption smartcard certificates that mark their key with dataEncipherment (common on PIV/RSA cards) — or otherwise omit the exact bit — then fail CanEncryptCms/CanDecryptCms. SmartcardKeyPairs.GetAllPivKeyPairs() drops the live card key, so DefaultKeyPairProvider.RefreshImpl never replaces the stale, un-refreshed key deserialized from the EKF. The unlock dialog renders it as "not connected", locking the user out of the database.

Fix

Gate encryption capability on a single predicate — any of keyEncipherment | dataEncipherment | keyAgreement — and let the key algorithm (pubKeyInfo) decide key-transfer vs key-agreement, instead of requiring an exact bit per primitive.

Intent of the original change is preserved:

  • Signing-only certificates (keyUsage = digitalSignature, no encryption bit) remain excluded.
  • CanSign is unchanged (still requires digitalSignature).
  • Certificates without a key-usage extension keep all bits via the existing DefaultIfEmpty(~None) and continue to work.

Only over-strict exact-bit matching is relaxed; no signing-only certificate is re-admitted.

Testing

Reasoned/static change only — I don't have Windows + the affected smartcard to exercise the CAPI path. Review of the key-usage truth table welcome.

🤖 Generated with Claude Code

…ent bit

v1.3.4 (dc69662) gated CanKeyTransfer on an exact keyEncipherment bit
and CanKeyAgree on an exact keyAgreement bit. Encryption smartcard certs
that mark their key with dataEncipherment (or otherwise omit the exact
bit) then failed CanEncryptCms/CanDecryptCms, so GetAllPivKeyPairs
dropped the live card key. The unlock dialog fell back to the stale,
un-refreshed authorized key from the EKF and showed it as "not
connected", blocking database access.

Gate encryption capability on any of keyEncipherment | dataEncipherment
| keyAgreement and let the key algorithm (pubKeyInfo) pick transfer vs
agreement. Pure signing certs stay excluded (PR episource#11 intent); certs
without a key-usage extension keep all bits via DefaultIfEmpty.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@TickoSpy

TickoSpy commented Jul 13, 2026

Copy link
Copy Markdown
Author

Patch was tested an does work with some certificates but not with others. Further testing is needed.

@episource

Copy link
Copy Markdown
Owner

Thanks for your contribution.

After thinking about this, I got to the conclusion, that my initial filtering was to strict. It should only affect the dialog for creating/editing the key file. The decryption process should not be touched. Your PR follows the route of my initial attempt (v1.3.4).

Within #14 I've implemented an alternative solution: I moved the filtering to the frontend. Also the filtering can be bypassed if needed by ticking the newly added checkbox "Ignore key usage restrictions (show all)".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Public Key shows "not connected" when opening the database

2 participants