Check the SHA-1 checksum in PGPPacket._parse_generic_secret_key_packet
author W. Trevor King <wking@tremily.us>
Sat, 21 Dec 2013 03:07:30 +0000 (19:07 -0800)
committer W. Trevor King <wking@tremily.us>
Mon, 23 Dec 2013 02:32:15 +0000 (18:32 -0800)
The previous commit added checks when the string-to-key usage was zero
or 255, but I'd forgotten about the case where the string-to-key usage
was 254.  This commit adds handling for that case, where a SHA-1 digest
is used instead of the mod-65536 sum.  See the previous commit message
for RFC 4880 references.

gpg-migrate.py

index 6d8f8f3eb92bf5253ed3d4cac1568cf0c0b5d3e7..3444982a39257b1948d30aabfca14dbe57509faa 100755 (executable)
@@ -520,12 +520,19 @@ class PGPPacket (dict):
             offset += block_size
         if string_to_key_usage in [0, 255]:
             key_end = -2
+        elif string_to_key_usage == 254:
+            key_end = -20
         else:
             key_end = 0
         secret_key = data[offset:key_end]
         if key_end:
             secret_key_checksum = data[key_end:]
-            calculated_checksum = sum(secret_key) % 65536
+            if key_end == -2:
+                calculated_checksum = sum(secret_key) % 65536
+            else:
+                checksum_hash = _hashlib.sha1()
+                checksum_hash.update(secret_key)
+                calculated_checksum = checksum_hash.digest()
             if secret_key_checksum != calculated_checksum:
                 raise ValueError(
                     'corrupt secret key (checksum {} != expected {})'.format(
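Review bot: in the `key_end == -2` branch, `calculated_checksum = sum(secret_key) % 65536` is an integer while `secret_key_checksum = data[key_end:]` is a two-element slice, so `secret_key_checksum != calculated_checksum` is always true there and the `ValueError` fires even for an intact key. Convert one side before comparing, for example decode the two trailing octets as a big-endian integer, or pack the sum into two bytes. The new SHA-1 branch does compare like with like, since `digest()` returns 20 bytes against the 20-byte slice. Two smaller points: the inner test dispatches on `key_end == -2` rather than on `string_to_key_usage`, which hides which checksum format is in use and would break silently if another trailer length were ever added, so branching on the usage value directly would read better. And nothing in the visible lines decrypts `data` before it is summed or hashed; for usage 254 and 255 the checksum is computed over the plaintext key material, so it is worth confirming (and saying in a comment) that this path only runs on decrypted data.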