Enigma: Cannot delete key pair with authorization subkey. #6381

Closed
TeknikalDomain opened this issue Aug 5, 2018 · 12 comments

Comments

@TeknikalDomain

While trying to delete my existing key pair (part of going through #6380), I'm given a "Unable to delete selected keys" message. Further checking into the logs shows this line:

<n8ht9n3c> PHP Error: Enigma plugin: Private key must be deleted before public key can be deleted. in /srv/www/html/plugins/enigma/lib/enigma_engine.php on line 1049 (POST /?_task=settings&_action=plugin.enigmakeys)

I'm not given an option to remove them separately, and since adding a public and a private automatically consolidates them into a key pair, I'm forced to manually remove the keys from the Enigma keyrings in order to delete a key pair.

@alecpl
Member

alecpl commented Aug 6, 2018

What Roundcube/Enigma version? What gpg version? Could you enable enigma_debug and provide the log?

@TeknikalDomain
Author

Server gpg (From armored mail header): GnuPG v2.0.22 (GNU/Linux)

Roundcube: 1.3.6

Enigma (from composer.json): 0.7

enigma_debug: enigma.txt

@alecpl
Member

alecpl commented Aug 7, 2018

GnuPG 2.0 is not the best version to use. 1.4 or 2.1 is much better. The log does not reveal much unfortunately. It looks like the code does not recognize that the subkey is not public and uses --delete-key instead of --delete-secret-key.

How did you generate the keypair? Could you share your keyring for testing?

@TeknikalDomain
Author

TeknikalDomain commented Aug 7, 2018

Generated with my personal computer by gpg2 --full-gen-key, RSA and RSA, 4096 bits, then added a second subkey for authorization usage. Public key for that is pubkey.txt.
The second (and not used anywhere) keypair I generated was done through Roundcube itself: 692F57F84AE9148C.txt, password "TestKeypairPassword". Unsecure, but for my testing purposes I didn't find that relevant.

CentOS 7 has 2.0 listed as the latest version, so no 2.1 yet. Nothing before that either.

@alecpl
Member

alecpl commented Aug 8, 2018

I was unable to reproduce the issue with your keyring on gnupg 2.1.15. Anyway, I think I know how we can work around this issue. We could fall back to --delete-secret-key if --delete-key fails and vice versa.

@alecpl
Member

alecpl commented Aug 9, 2018

I have another idea. Could you check this patch?

--- a/plugins/enigma/lib/enigma_driver_gnupg.php
+++ b/plugins/enigma/lib/enigma_driver_gnupg.php
@@ -390,8 +390,10 @@ class enigma_driver_gnupg extends enigma_driver
             else if ($code == enigma_error::DELKEY) {
                 $key = $this->get_key($keyid);
                 for ($i = count($key->subkeys) - 1; $i >= 0; $i--) {
-                    $type = ($key->subkeys[$i]->usage & enigma_key::CAN_ENCRYPT) ? 'priv' : 'pub';
-                    $result = $this->{'delete_' . $type . 'key'}($key->subkeys[$i]->id);
+                    $subkey  = $key->subkeys[$i];
+                    $is_priv = ($subkey->usage & enigma_key::CAN_ENCRYPT) || ($subkey->usage & enigma_key::CAN_AUTHENTICATE);
+                    $type    = $is_priv ? 'priv' : 'pub';
+                    $result  = $this->{'delete_' . $type . 'key'}($subkey->id);
                     if ($result !== true) {
                         break;
                     }
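
Review bot: `$is_priv` on the added lines is still inferred from usage flags, so a subkey whose usage is neither CAN_ENCRYPT nor CAN_AUTHENTICATE (a sign-only subkey, for example) keeps going down the `delete_pubkey` path, and the flags say what a subkey may do, not whether its secret half is in the keyring. Consider deciding `$type` from whether secret material exists for `$subkey`, or trying the other delete method when the first one fails, instead of growing the list of usage bits. The `break` on `$result !== true` also stops at the first failed subkey and leaves the rest of the key in place, so a comment on the intended behaviour after a partial delete would help.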

@TeknikalDomain
Author

TeknikalDomain commented Aug 9, 2018

patching file plugins/enigma/lib/enigma_driver_gnupg.php
Hunk #1 succeeded at 366 with fuzz 2 (offset -24 lines).

No success. Generated keypairs work fine but my normal still fails to delete.

@TeknikalDomain
Author

TeknikalDomain commented Aug 9, 2018

Reading into that does make me realize one key (no pun intended) difference between my normal keypair and testing keypair. Normal keypair had a separate subkey for authorization, testing didn't.

Note: running tests again, just to double check.

@alecpl
Member

alecpl commented Aug 9, 2018

Yeah, I think that subkey makes the difference, so it would be nice to test that scenario.

@TeknikalDomain
Author

Well, keyring.txt already contains an auth subkey. Pass "TestKeyRing". As expected, once imported it can't be deleted.

@alecpl
Member

alecpl commented Aug 9, 2018

Thanks, I don't understand why yet, but I can at least reproduce the issue now.

@TeknikalDomain TeknikalDomain changed the title Enigma: Cannot delete key pair. Enigma: Cannot delete key pair with authorization subkey. Aug 9, 2018
@alecpl
Member

alecpl commented Aug 9, 2018

Fixed.
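
The usage-flag guess discussed in this thread, as an added example (not Roundcube or Enigma code): it parses a constructed `gpg --with-colons --list-secret-keys` listing and compares guessing secret-key presence from capability letters with reading it from the `ssb` records themselves. The key IDs, the sample listing and the function names are assumptions made for illustration; the field positions follow GnuPG's doc/DETAILS.

```python
# Constructed sample in the style of `gpg --with-colons --list-secret-keys`.
# Field 5 = key ID, field 12 = capabilities, field 15 = '#' for a stub
# (record present, secret material absent). All IDs and dates are made up.
SAMPLE = """\
sec::4096:1:0000000000000001:1533427200::::::scESCA:::+:
uid:::::::::Test User <test@example.org>:
ssb::4096:1:0000000000000002:1533427200::::::e:::+:
ssb::4096:1:0000000000000003:1533427200::::::a:::+:
ssb::4096:1:0000000000000004:1533427200::::::s:::+:
ssb::4096:1:0000000000000005:1533427200::::::e:::#:
"""


def secret_subkeys(listing):
    """Return {keyid: {"caps", "has_secret"}} for every ssb record."""
    keys = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "ssb":
            continue
        fields += [""] * (15 - len(fields))  # older gpg emits fewer fields
        keys[fields[4]] = {
            "caps": fields[11],
            # The record type says a secret subkey is listed; '#' marks a
            # stub whose secret material is not actually in the keyring.
            "has_secret": fields[14] != "#",
        }
    return keys


def guess_by_usage(caps, flags):
    """Heuristic: assume secret material exists if any usage flag matches."""
    return any(flag in caps for flag in flags)


def misclassified(keys, flags):
    """Key IDs where the usage heuristic disagrees with the listing."""
    return sorted(
        keyid for keyid, info in keys.items()
        if guess_by_usage(info["caps"], flags) != info["has_secret"]
    )


if __name__ == "__main__":
    subkeys = secret_subkeys(SAMPLE)
    print("encrypt only:", misclassified(subkeys, ("e",)))
    print("encrypt or auth:", misclassified(subkeys, ("e", "a")))
```

Adding the authentication flag to the guess fixes the auth subkey but still gets the sign-only subkey and the stub wrong, which is why the record itself is the safer source.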

@alecpl alecpl closed this as completed Aug 9, 2018