rnpkeys --import rejects an OpenPGP certificate with a signature with an unknown subpacket unless i use --permissive

[dkg]

This OpenPGP certificate contains a "1st party approved 3rd party certifications" (1pa3pc) signature over its User ID:

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/Y
O+5Zi7HCiQQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDC
FWpcKYVJu36RAUlea/cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jC
snnp9FdYhaSSUW/vZ8kBAJByWljA9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20N
zRA8ZGtnQGRlYmlhbi5vcmc+wsARBBMWCgB5AwsJB0cUAAAAAAAeACBzYWx0QG5v
dGF0aW9ucy5zZXF1b2lhLXBncC5vcmeJfmd4tfVMI8Nwn0zRQg40bKLnzKDzjO7z
PB6DhHZ/7wMVCggCmwECHgEWIQTUdwQMcMIValwphUm7fpEBSV5r9wUCZadfkAUJ
BdnwRQAKCRC7fpEBSV5r9+owAP93bFzEmTyUj+lmhrot7LSQg3q939MHqd6TlUd/
iPPgfAEA7nf3V5/WPTDhsc2L1cgPVcANe42j/KZFWKuTYsnt0wrCwQAEFhYKAXIF
gmXD0MIJELt+kQFJXmv3RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt
cGdwLm9yZxSzeD6OCTQUteGo38Ue9DSic5eOjZ8oeSlQQ2UNjGDqFiEE1HcEDHDC
FWpcKYVJu36RAUlea/fAQaUW7nLWeB0XnOSQDsDyATT23t6kDcfNXwjXVYoSdrZD
HwvDA4IgZ+2YOx8h6t4UWxgdbptKy0MDoKpDj4N536WCc3kzvfuSzdirrt5eD6H0
hCoFh7MeVLvFeWodAXaTNJQMv3tUH8F4R8fbp92a1bm50FkJowd9c3boOuGbeGlz
UsDFLyMSw0H04PMlRHraE6voIIwPvcsv0AMADV+O+AkBsWCMYGFONn8+x13GeReN
2PUY7rpBJmljiO3Ol9e7PKLdvqQJhs68CgKgsW9tPSj/KCsCPcdLtXU7l4LpJw7i
zfAXUtL61Ce+LDs2qVtpxAbMIBdmM5DHJcjcFk0B4rwSAAAgmwEAuWxVaeAc1GmV
iBn26LX1pkbcVuMdsQW1Vjy4I6kBHl0BAJ5w+OaUAX9ubO8Wznwr7kEyizXTgnIu
e5ka9/f4TAMB
=56Jp
-----END PGP PUBLIC KEY BLOCK-----

When i try to import it with rnpkeys, i get a failure:

$ rnpkeys --import test.cert
[parse() ./src/librepgp/stream-sig.cpp:405] unknown subpacket : 37
[parse_v4() ./src/librepgp/stream-sig.cpp:1290] failed to parse hashed subpackets
[process_pgp_key_signatures() ./src/librepgp/stream-key.cpp:243] failed to parse signature at 422
failed to import key(s) from -, stopping.
Import finished: 0 keys processed, 0 new public keys, 0 new secret keys, 0 updated, 0 unchanged.
$ rnpkeys --version
rnp 0.17.0-3
Ribose Inc. <[email protected]>
Backend: Botan
Backend version: 2.19.4
Supported algorithms:
Public key:  RSA, ELGAMAL, DSA, ECDH, ECDSA, EDDSA, SM2
Encryption:  IDEA, TRIPLEDES, CAST5, BLOWFISH, AES128, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256, SM4
AEAD:  None, EAX, OCB
Key protection:  CFB
Hash:  MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, SHA3-256, SHA3-512, SM3
Compression:  Uncompressed, ZIP, ZLIB, BZip2
Curves:  NIST P-256, NIST P-384, NIST P-521, Ed25519, Curve25519, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp256k1, SM2 P-256
Please report security issues at (https://www.rnpgp.org/feedback) and
general bugs at https://github.com/rnpgp/rnp/issues.
$ 

If i try to import it without the 1pa3pc selfsig, rnpkeys imports it just fine. Likewise, if i import it with rnpkeys --import --permissive test.cert it also

rnpkeys being brittle here presents a challenge to the whole ecosystem for deploying any new kind of signature or subpacket.

I think this is related to #2204 -- it is almost certainly a similar policy issue.

[ni4]

Hi, thanks for letting us know. Yeah, here by default we reject unknown subpacket and signature which includes it, being stricter by default. However user may ignore this error via the CLI (or FFI for API user).

[kaie]

Why is the subpacket type 37 marked as critical?
If you want it to be ignored by implementations that don't understand it, shouldn't it be marked non-critical?

[dkg]

The subpacket is marked as critical because if you don't understand that kind of subpacket, you should not be accepting that kind of signature.

But, if you ignore this signature (or treat it as invalid), the remaining certificate is still just fine. Rejecting the whole certificate because one signature in it is invalid -- even though you would have accepted the entire certificate had that signature not been there -- this is what makes the implementation unnecessarily brittle. And that brittleness makes it harder to improve the ecosystem as a whole, because implementations (including RNP!) can't deploy newer parts of OpenPGP without worrying that old versions of RNP will choke when they see these things.