gpg: support more digests (with larger output than 256 bits)

NIST256 signs the prefix of a longer digest. Ed25519 signs the whole one.
8 years ago · 921e2954c1
parent 3f784289d8
commit 921e2954c1
2 changed files with 4 additions and 2 deletions
--- a/trezor_agent/gpg/agent.py
+++ b/trezor_agent/gpg/agent.py
@ -65,8 +65,7 @@ def open_connection(keygrip_bytes):

 def pksign(keygrip, digest, algo):
    """Sign a message digest using a private EC key."""
-    assert algo == b'8', 'Unsupported hash algorithm ID {}'.format(algo)
-    assert len(digest) == 64  # SHA-256 bits (in hex digits)
+    log.debug('signing %r digest (algo #%s)', digest, algo)
    keygrip_bytes = binascii.unhexlify(keygrip)
    with open_connection(keygrip_bytes) as conn:
        r, s = conn.sign(binascii.unhexlify(digest))
--- a/trezor_agent/gpg/device.py
+++ b/trezor_agent/gpg/device.py
@ -37,6 +37,9 @@ class HardwareSigner(object):
        """Sign the digest and return a serialized signature."""
        log.info('please confirm GPG signature on %s for "%s"...',
                 self.client_wrapper.device_name, self.user_id)
+        if self.curve_name == formats.CURVE_NIST256:
+            digest = digest[:32]  # sign the first 256 bits
+        log.debug('signing digest: %s', util.hexlify(digest))
        result = self.client_wrapper.connection.sign_identity(
            identity=self.identity,
            challenge_hidden=digest,