X509 CSR signed with card key

2015-02-22 Thread Dubravszky József
Hello,

I was not able to find a solution in the archives, so I post it here.

I need to generate X509 Certificate Signing Requests for one of my GnuPG
subkeys stored on an OpenPGP card. Now I need a mediator tool (openpgp2ssh
from The Monkeysphere Project) to convert my private key to PEM format that
can be used to make CSR with OpenSSL. It is rather tedious and I need to use
a special separated environment to access private keys.

Is there any way to create an X509 CSR signed with the private key stored on
the card? Or any means where OpenSSL creates the CSR and asks the card to
sign the request with the card key?

I know these are different worlds, but I need to make them meet somehow.

Thanks.

Dubravszky József

m...@joed.hu

+36 30 435 7816

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-22 Thread Lukas Pitschl | Dressy Vagabonds
Hi Jonathan,

yes, we've created a quick prototype today which is only a start at looking how 
it could best be done. We pushed it to github only, so that our other team 
members could have a look at it.
After we decide how to go forward from here, we'll split up the commits with 
proper comments.

Thanks for the comments, we'll have a look and incorporate those as we continue.

Best,

Lukas

Sent from my iPhone

> On 22.02.2015 at 01:25, Jonathan Schleifer wrote:
> 
>> On 20.02.2015 at 11:48, Lukas Pitschl wrote:
>> 
>> Pinentry-mac is one project we've "revived" and thus only added stuff on top 
>> of the old code instead of refactoring it.
>> We’ve been planning to do that for a long time now though, so we’ll 
>> definitely look into that and check out how other UIs do it, like GTK.
> 
> It seems there's http://github.com/GPGTools/pinentry now, which is based on 
> the original pinentry. Unfortunately, as of now, it's just one huge commit on 
> top of it. Still, I did a *very* quick review (so don't blame me if I 
> overlooked something :P) and left a few comments.
> 
> --
> Jonathan
> 



Integrate pinentry-mac into pinentry

2015-02-22 Thread Roman Zechmeister
Hello!

> It seems there's http://github.com/GPGTools/pinentry now, which is based on 
> the original pinentry.

This repo is my quick check whether it's possible to integrate pinentry-mac into 
pinentry.
It's more or less our code for pinentry-mac, copied into the sub-dir macosx.
Most of the code is old and ugly, but it works. So I'm thinking about a 
complete rewrite.


There are some points I want to clear up before I start to work on this:

1. On Mac OS X it's standard to use Xcode for builds and we're using it for 
pinentry-mac and all of our other tools.
Is it okay for you if we use an Xcode project and Xcode, instead of plain 
automake, to build pinentry for Mac OS X?

2. Should we compile the required source code from pinentry directly into 
pinentry-mac (as we do actually) or
should we link against the libs?

3. pinentry-mac allows the user to store the passphrase in the Mac OS X 
keychain by selecting a checkbox.
To make this possible, we're patching gpg-agent to pass the cacheid to 
pinentry (OPTION cache-id=xxx).
Without this option – e.g. upstream gpg-agent – pinentry-mac doesn't allow the 
user to store the passphrase.
How should we solve this in the future?

4. pinentry-mac allows the calling app to define a custom message to show.
This is implemented using PINENTRY_USER_DATA. We allow placeholders like %KEYID 
and %USERID.
To fill the placeholders, we parse the description from pinentry. This works in 
most cases.
The reason for this feature is to allow some more informative and readable 
messages, e.g. we can tell the
user for which email/file he enters the passphrase.
What do you think about that? Is this a desirable feature for pinentry?

5. Using PINENTRY_USER_DATA we also allow setting a custom icon to be shown, 
like the standard
Mac OS X security dialog. Opinions?


Regards, Mento





Re: Integrate pinentry-mac into pinentry

2015-02-22 Thread Jonathan Schleifer
On 22.02.2015 at 13:17, Roman Zechmeister wrote:

> 1. On Mac OS X it's standard to use Xcode for builds and we're using it for 
> pinentry-mac and all of our other tools.
> Is it okay for you, if we're using an Xcode-Project and Xcode, instead of 
> plain automake, to build pinentry for Mac OS X?

I've seen a lot of projects where the Mac-specific part is nicely integrated 
into automake. The huge disadvantage of Xcode project files is that they are 
huge, can't make much use of the results from configure which often results in 
basically needing a different .xcproj file per combination of OS version and 
architecture (or at least different targets) and do not support cross-compiling 
at all. automake OTOH has none of these problems and is hardly any more work. 
Plus it's possible to edit build rules with an editor instead of a GUI that is 
only available for OS X. Oh, and then of course there's the problem that it's 
not possible to do reproducible builds with .xcproj files!

I think Walter mentioned that he never touched OS X, so I'm guessing he'd 
prefer something that he can read and modify ;).

> 4. pinentry-mac allows the calling app to define a custom message to show.
> This is implemented using PINENTRY_USER_DATA. We allow placeholders like 
> %KEYID and %USERID.
> To fill the placeholders, we parse the description from pinentry. This works 
> in most cases.
> The reason for this feature is to allow some more informative and readable 
> messages, e.g. we can tell the
> user for which email/file he enters the passphrase.
> What do you think about that? Is this a desirable feature for pinentry?

Hm, this sounds good at first, but after some thought, there are several 
issues. This could be used to trick the user into thinking he's doing the right 
thing when in fact he's not. What if you just don't use %KEYID, but write 
another key ID there that the user expects, when in fact you sign for something 
else? I think it would be better to have a dialog that shows all this 
information and then maybe a free form text for the justification, where no 
replacing takes place?

> 5. Using PINENTRY_USER_DATA we also allow to set a custom icon to be shown, 
> like the standard
> Mac OS X security dialog. Opinions?

I can't think of any problem with that and this sounds indeed like a good 
addition.

--
Jonathan
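The risk Jonathan describes and the separated layout he proposes, as an added Python sketch that is not code from this thread, from pinentry or from pinentry-mac: the agent description text and the caller strings are constructed, and the way the key ID and user ID are pulled out of the description is an assumption about its format.

```python
import re

# Constructed stand-in for the description text gpg-agent hands pinentry (SETDESC);
# the wording is an assumption, only the key ID and the quoted user ID are parsed.
AGENT_DESCRIPTION = (
    "Please enter the passphrase to unlock the OpenPGP secret key:\n"
    '"Alice Example <alice@example.org>"\n'
    "2048-bit RSA key, ID 0x0123ABCD, created 2015-02-22."
)
KEYID_RE = re.compile(r"\bID (0x[0-9A-Fa-f]{8,16})")
USERID_RE = re.compile(r'"([^"]*)"')

def trusted_fields(description):
    """Key ID and user ID as stated by gpg-agent, the only party the user should trust."""
    kid = KEYID_RE.search(description)
    uid = USERID_RE.search(description)
    return {"KEYID": kid.group(1) if kid else "?", "USERID": uid.group(1) if uid else "?"}

def render_template(user_data, description):
    """Placeholder approach: the caller's PINENTRY_USER_DATA text is the whole prompt,
    with %KEYID / %USERID expanded. A caller that writes a literal key ID instead of
    %KEYID decides what the user sees."""
    text = user_data
    for name, value in trusted_fields(description).items():
        text = text.replace("%" + name, value)
    return text

def render_separated(user_data, description):
    """Separated approach: a fixed block filled only from the agent, followed by the
    caller's free-form note shown verbatim, with no placeholder expansion at all."""
    fields = trusted_fields(description)
    return ("Key ID: {KEYID}\nUser ID: {USERID}\n".format(**fields)
            + "Note from application (unverified): " + user_data)

# Constructed caller texts: an honest one and one naming a key that is not in use.
HONEST = "Signing mail to bob@example.org with key %KEYID"
MISLEADING = "Signing mail to bob@example.org with key 0xDEADBEEF"

def real_key_visible(renderer, user_data, description):
    """True when the prompt still shows the key ID the agent is actually unlocking."""
    return trusted_fields(description)["KEYID"] in renderer(user_data, description)
```

With the template renderer the misleading caller text hides the real key ID entirely; with the separated layout the agent's block is always shown and the caller's text is visibly marked as unverified.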




Re: Question about group line use in GnuPG

2015-02-22 Thread MFPA

On Sunday 22 February 2015 at 12:32:56 AM, Anthony Papillion wrote:


> Basically, when I use Enigmail
> for the group line, it needs it in the form of

> group = [snipped]

My email client, The Bat!, requires that as well. It seems The Bat!
(at least in the version I use) passes the email address complete with
surrounding angle brackets to GnuPG to search for a key.



> But when I do it from the terminal, it needs to be in
> the form of

> group pgp...@yahoogroups.com= [snipped]

If I encrypt from the command line (in Windows XP), including the
angle brackets allows GnuPG to match on the group name:

gpg -ear  filename



> Copying the group line in my gpg.conf file and removing
> the brackets made it work as expected.

The second copy of the group line that I keep for matching when
using GnuPG in a command window begins "group PGPNET = ". That way I
only need type "gpg -ear PGPNET filename" for the command.

--
Best regards

MFPA
mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Virtual workspace, Virtual Office, Virtual Job




Re: Question about group line use in GnuPG

2015-02-22 Thread Patrick Brunschwig
On 22.02.15 09:29, Ludwig Hügelschäfer wrote:
> Hi Anthony,
> 
> On 22.02.15 01:32, Anthony Papillion wrote:
> 
>> Thanks for your quick response. It looks like I may have fixed
>> the problem. Basically, when I use Enigmail for the group line,
>> it needs it in the form of
> 
>> group =key1,key2,key3
> 
>> But when I do it from the terminal, it needs to be in the form
>> of
> 
>> group pgp...@yahoogroups.com=key1,key2,key3
> 
>> Copying the group line in my gpg.conf file and removing the 
>> brackets made it work as expected.
> 
> Which Enigmail version are you using?

As far as I know, group entries should be space-separated, not by comma.
I.e. group =key1 key2 key3

Furthermore, the current release version of Enigmail cannot handle <>
as part of the group name.

-Patrick
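The two pitfalls this thread turns on (commas instead of spaces between group members, and angle brackets in the group name) as an added Python linter for gpg.conf group lines; it is not code from the thread or from GnuPG, and the sample configuration is constructed.

```python
import re

# "group NAME=MEMBER MEMBER ..." as gpg.conf expects it; GnuPG splits the member
# list on whitespace, so "key1,key2,key3" is read as one bogus member.
GROUP_RE = re.compile(r"^\s*group\s+(?P<name>[^=]*?)\s*=\s*(?P<members>.*)$")

def parse_group_line(line):
    """Return (name, [members]) for a group option line, or None otherwise."""
    m = GROUP_RE.match(line)
    if not m:
        return None
    return m.group("name"), m.group("members").split()

def lint_group_line(line):
    """Problems worth flagging for one group line (empty list when it looks fine)."""
    parsed = parse_group_line(line)
    if parsed is None:
        return []
    name, members = parsed
    problems = []
    if not name:
        problems.append("empty group name: nothing for -r to match")
    elif "<" in name or ">" in name:
        problems.append("angle brackets in group name: matches the bracketed address "
                        "some mail clients pass, but the current Enigmail release "
                        "cannot handle them")
    if not members:
        problems.append("group has no members")
    for member in members:
        if "," in member:
            problems.append(f"comma-joined member {member!r}: separate members "
                            "with spaces, not commas")
    return problems

def lint_config(text):
    """Map 1-based line number -> problems for every group line in a gpg.conf."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        problems = lint_group_line(line)
        if problems:
            report[lineno] = problems
    return report

# Constructed sample gpg.conf with both variants discussed in the thread.
SAMPLE_CONF = """\
# constructed example, not a real configuration
group PGPNET = 0x11111111 0x22222222
group <list@example.org>=0x11111111,0x22222222
"""
```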



Re: Whishlist for next-gen card

2015-02-22 Thread NdK
On 22/02/2015 01:46, Yuji -UG- Imai wrote:

> For token type card, how about appending one more usb port to connect
> keyboard? It's just for inputting PIN/passphrase or out-of-bound auth
> by hitting the Enter key. USB ten keys like V7 KP0N1-7N0P Numeric keypad
> looks suitable for this purpose. Micro USB plug may be preferable
> for compact board design.
The problem with off-the-shelf keyboards is that they usually radiate a
pattern that's recognizable from some distance.
The usual scan on a matrix keyboard activates one column at a time in
fixed order, then checks the rows (possibly one at a time). A safer scan
activates all columns at once, senses the rows, then changes columns to
inputs and rows to outputs activating only the one where the pressed key
is and finally determining the corresponding column. This doesn't
generate a recognizable pattern.

> I don't like wireless features by two reasons.
Uh? Neither do I. I never understood the reasoning behind IR receiver
for FST-01.

> It may introduce complexity for middleware
> of the card. I like KISS. Another is break visibility to check HSM
> composition validness.
Yup. And it's easily snoopable.

> For FST-01 specific request, I ask gniibe to consider about case
> design with physical hole
> to tightly bind a token with keyring. 
That's good. But I'd avoid plastic in favour of aluminium :)

BYtE,
 Diego.



Re: Question about group line use in GnuPG

2015-02-22 Thread Ludwig Hügelschäfer

Hi Anthony,

On 22.02.15 01:32, Anthony Papillion wrote:

> Thanks for your quick response. It looks like I may have fixed the 
> problem. Basically, when I use Enigmail for the group line, it
> needs it in the form of
> 
> group =key1,key2,key3
> 
> But when I do it from the terminal, it needs to be in the form of
> 
> group pgp...@yahoogroups.com=key1,key2,key3
> 
> Copying the group line in my gpg.conf file and removing the
> brackets made it work as expected.

Which Enigmail version are you using?

Ludwig

