From: W. Trevor King Date: Sat, 21 Dec 2013 03:07:30 +0000 (-0800) Subject: Check the SHA-1 checksum in PGPPacket._parse_generic_secret_key_packet X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=a39cd92fd970ea0bbd2becca27c409c110c5a46c;p=gpg-migrate.git Check the SHA-1 checksum in PGPPacket._parse_generic_secret_key_packet The previous commit added checks when the string-to-key usage was zero or 255, but I'd forgotten about the case where the string-to-key usage was 254. This commit add handling for that case, where a SHA-1 digest is used instead of the mod-65536 sum. See the previous commit message for RFC 4880 references.
---
diff --git a/gpg-migrate.py b/gpg-migrate.py
index 6d8f8f3..3444982 100755
--- a/gpg-migrate.py
+++ b/gpg-migrate.py
@@ -520,12 +520,19 @@ class PGPPacket (dict):
 offset += block_size
 if string_to_key_usage in [0, 255]:
 key_end = -2
+ elif string_to_key_usage == 254:
+ key_end = -20
 else:
 key_end = 0
 secret_key = data[offset:key_end]
 if key_end:
 secret_key_checksum = data[key_end:]
- calculated_checksum = sum(secret_key) % 65536
+ if key_end == -2:
+ calculated_checksum = sum(secret_key) % 65536
+ else:
+ checksum_hash = _hashlib.sha1()
+ checksum_hash.update(secret_key)
+ calculated_checksum = checksum_hash.digest()
 if secret_key_checksum != calculated_checksum:
 raise ValueError(
 'corrupt secret key (checksum {} != expected {})'.format(
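Review bot: In the `key_end == -2` branch the comparison `secret_key_checksum != calculated_checksum` sets a two-byte slice (`data[key_end:]`) against the int from `sum(secret_key) % 65536`, so the two are unequal for every input and the ValueError would always fire for usage 0 and 255; only the new SHA-1 branch compares bytes with bytes. Encode the sum the way the packet stores it, e.g. `calculated_checksum = (sum(secret_key) % 65536).to_bytes(2, 'big')`. Separately, RFC 4880 defines both the two-octet sum and the SHA-1 hash over the plaintext key material and encrypts them together with it when the usage octet is non-zero, so if `data[offset:]` is still ciphertext at this point (no decryption is visible in the hunk) the 254 and 255 checks belong after decryption rather than in the parser. The method starts above the hunk and the `raise` statement continues below it.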