的OpenPGP / X.509桥:如何验证公钥? [英] OpenPGP/X.509 bridge: how to verify public key?
问题描述
我想使用的OpenPGP认证通过TLS ,但缺乏实现的让我使用一个临时解决方案:一个的OpenPGP / X.509证书桥
I'd like to use OpenPGP authentication over TLS, but lack of implementations made me use a temporary solution: an OpenPGP/X.509 bridge certificate.
的方法非常类似于在FOAF使用的方法:搜索
<一href=\"https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java\" rel=\"nofollow\">https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java
The approach is very similar to the approach used in Foaf:
https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java
基本上,你创建从转换后的PGP私钥,包括您的转换PGP公钥到证书请求开始证书申请。然后你签订的转换PGP私钥的要求。
Basically, you create a certificate request starting from a converted PGP private key, including your converted PGP public key into the certificate request. Then you sign the request with your converted PGP private key.
我用这个词的转换的,因为的OpenPGP和OpenSSL密钥格式是不兼容的:我来提取的OpenPGP密钥的密钥参数,并利用它们来形成一个新的X.509-兼容(OpenSSL的)关键。尽管如此,它按预期工作。
I'm using the word "converted" because OpenPGP and OpenSSL key formats are incompatible: I have to extract the key parameters from the OpenPGP key and use them to form a new X.509-compatible (OpenSSL) key. Nevertheless, it works as expected.
其结果是在X.509证书的公钥使用PGP公钥参数的X.509证书,但无需用户ID和公共密钥签名,从而使它不能用于认证目的。
The result is a X.509 certificate with the PGP public key parameters used in the public key of the X.509 certificate, but without the user IDs and the public key signatures, thus making it unusable for authentication purposes.
在这里缺少的部分是服务器身份验证。该服务器有previously签署了用户的PGP公钥,但我如何验证通过X.509证书的桥?
The missing piece here is server authentication. The server has previously signed the user's PGP public key, but how do I verify that through the X.509 bridge certificate?
即使我用我的PGP用户ID作为我的CN(通用名),我怎么证明它是在原始的OpenPGP键使用相同的用户ID?结果
上有X.509证书桥上没有公钥的签名,只有相同的关键参数。我可以放心地只是检查对那些?
Even if I use my PGP user ID as my CN (Common Name), how do I certify that it's the same user ID used in the originating OpenPGP key?
There are no public key signatures on the X.509 bridge certificate, only the same key parameters. Can I safely just check against those?
虽然我不得不这样做在Python中,如何在普遍进行任何建议将是很有益的。
Although I have to do this in Python, any suggestions on how to proceed in general would be really helpful.
推荐答案
我得到了密码的答案:
<一href=\"http://crypto.stackexchange.com/a/11709/9284\">http://crypto.stackexchange.com/a/11709/9284
如果你可以把整个PGP证书专有的非关键的扩展,那么你并不需要找到在一家商店的PGP证书。这个解决方案取决于你能够创建自己的OID和插入扩展中的PGP证书的条件。此外,服务器应该接受这样一个证书,包含验证PGP证书以及方法。
If you can put the entire PGP certificate in a proprietary non-critical extension then you don't need to find the PGP certificate in a store. This solution depends on the condition that you are able to create your own OID and insert the PGP certificate in the extension. Furthermore, the server should accept such a certificate and contain methods of validating the PGP certificate as well.
CA可以接受或拒绝包含PGP证书请求。它至少应该检查PGP证书中的密钥相匹配的一个在签名的请求。这样做的一种方法是,以验证PGP和X5.09公钥匹配的模量。
The CA can accept or refuse requests containing a PGP certificate. It should at least check that the key in the PGP certificate matches the one in the signed request. One method of doing this is to validate that the modulus of the PGP and X5.09 public key match.
这篇关于的OpenPGP / X.509桥:如何验证公钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
