[gnutls-dev] OpenPGP security for web servers, again

Werner Koch wk at gnupg.org
Wed Feb 4 13:58:26 CET 2004


On Tue, 03 Feb 2004 16:54:10 -0500, John Belmonte said:

> I would be interested in more details about how this works.

Well, we use a simple IPC protocol named Assuan, which has the
advantage that it is mostly plain text and easy to debug, a la FTP.  It
is not yet implemented in gpg, but it will be very similar to how we do
it in gpgsm.  The most straightforward use will be that Apache forks
and execs "gpg --server" and communicates like this:

 -> SIGNER 0x12345678
 <- OK
 -> INPUT FD=7
 <- OK
 -> OUTPUT FD=8
 <- OK
 -> SIGN

Apache has set up file descriptor 7 to write the to-be-signed data to
gpg and 8 to read the created signature.  Then it can continue with
more commands.  Instead of setting up the file descriptors in advance,
we will very soon allow the use of file descriptor passing; the code is
already available in libassuan but not yet in gpg[sm].  If the data to
be signed is short, we may also extend the protocol to pass the data
(e.g. a hash) directly without the need to read from file descriptors.
The protocol is quite flexible.  Verification works similarly, except
that you either get an OK or an ERR back.  There are also a lot of
status messages the caller can process; those are indicated by
responses starting with "S ".

Salam-Shalom,

   Werner

p.s.
Here is a full dump of such a conversation.  Due to the missing
file descriptor passing feature, we still fire up gpgsm for each
operation; thus the BYE as the last command.

13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK GNU Privacy Guard's S/M server ready
13:24:21 gpgsm[15812.0x80a5258] DBG: <- OPTION display=localhost:12.0
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK
13:24:21 gpgsm[15812.0x80a5258] DBG: <- OPTION ttyname=/dev/pts/1
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK
13:24:21 gpgsm[15812.0x80a5258] DBG: <- OPTION ttytype=xterm
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK
13:24:21 gpgsm[15812.0x80a5258] DBG: <- INPUT FD=12
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK
13:24:21 gpgsm[15812.0x80a5258] DBG: <- MESSAGE FD=18
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK
13:24:21 gpgsm[15812.0x80a5258] DBG: <- VERIFY
13:24:21 gpgsm[15812]: detached signature
13:24:21 gpgsm[15812]: Signature made 2004-02-04 12:18:08 using certificate ID 1A
13:24:21 gpgsm[15812]: certificate is good
13:24:21 gpgsm[15812]: certificate is good
13:24:21 gpgsm[15812.0x80a5258] DBG: -> S GOODSIG
13:24:21 gpgsm[15812.0x80a5258] DBG: -> S VALIDSIG 3B50BF2BDAF27C30949DBA3ACF8A782-04 20040204T121808 20060104T184908
13:24:21 gpgsm[15812]: Good signature from "/CN=Werner Koch/OU=test/O=g10 Code/C=
13:24:21 gpgsm[15812]:                 aka "wk at g10code.de"
13:24:21 gpgsm[15812.0x80a5258] DBG: -> S TRUST_FULLY
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK
13:24:21 gpgsm[15812.0x80a5258] DBG: <- BYE
13:24:21 gpgsm[15812.0x80a5258] DBG: -> OK closing connection
-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org
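The exchange sketched in the message above, as an added example that is not part of the original post and not GnuPG code: a Python client forks a mock stand-in for "gpg --server", sets up the INPUT/OUTPUT descriptors before forking (so the child sees the same fd numbers), and drives SIGNER/INPUT/OUTPUT/SIGN, then INPUT/MESSAGE/VERIFY and BYE over the line protocol, collecting "S ..." status lines until the terminating OK or ERR. Assumptions: the mock's "signature" is a keyed SHA-256 digest tagged with the key ID (no real OpenPGP or CMS signing happens), the numeric ERR codes are placeholders rather than libgpg-error values, and the BADSIG status used on the failure path follows GnuPG's status naming but does not appear in the dump.

```python
# Added demo, not GnuPG code: Assuan-style line protocol over pipes.
# The mock "signature" and the ERR codes are stand-ins (see mock_sig).
import hashlib
import os


def read_all(fd):
    """Read fd to EOF and close it; the server consumes INPUT and MESSAGE this way."""
    chunks = []
    while buf := os.read(fd, 65536):
        chunks.append(buf)
    os.close(fd)
    return b"".join(chunks)


def feed(fd, data):
    """Write a payload to a pipe and close it; the EOF delimits the payload."""
    os.write(fd, data)
    os.close(fd)


def mock_sig(keyid, data):
    """Stand-in for a real signature (assumption): key ID plus keyed digest."""
    return ("MOCKSIG %s %s" % (keyid, hashlib.sha256(keyid.encode() + data).hexdigest())).encode()


def mock_server(rd, wr):
    """Server side: for each command, zero or more 'S ...' status lines, then OK or ERR."""
    fds, signer = {}, None

    def reply(*lines):
        wr.write("".join(ln + "\n" for ln in lines))
        wr.flush()

    reply("OK mock server ready")
    for raw in rd:
        cmd, _, arg = raw.rstrip("\n").partition(" ")
        if cmd == "SIGNER" and arg:
            signer = arg
            reply("OK")
        elif cmd in ("INPUT", "OUTPUT", "MESSAGE") and arg.startswith("FD=") and arg[3:].isdigit():
            fds[cmd] = int(arg[3:])  # a descriptor the caller set up before forking
            reply("OK")
        elif cmd == "SIGN" and signer and all(k in fds for k in ("INPUT", "OUTPUT")):
            sig, out = mock_sig(signer, read_all(fds.pop("INPUT"))), fds.pop("OUTPUT")
            feed(out, sig)  # EOF on OUTPUT tells the caller the signature is complete
            reply("OK")
        elif cmd == "VERIFY" and all(k in fds for k in ("INPUT", "MESSAGE")):
            sig, msg = read_all(fds.pop("INPUT")), read_all(fds.pop("MESSAGE"))
            parts = sig.split(b" ")
            keyid = parts[1].decode() if len(parts) == 3 and parts[0] == b"MOCKSIG" else "?"
            if sig == mock_sig(keyid, msg):
                reply("S GOODSIG " + keyid, "S VALIDSIG " + keyid, "OK")
            else:  # status lines first, then the ERR that ends the command
                reply("S BADSIG " + keyid, "ERR 3 Bad signature")
        elif cmd == "BYE":
            reply("OK closing connection")
            return
        else:
            reply("ERR 1 Unknown command or missing SIGNER/INPUT/OUTPUT/MESSAGE")


class AssuanClient:
    """Client side: write one command (None = just read the greeting), then
    collect 'S ...' status lines until the terminating OK or ERR."""

    def __init__(self, rd, wr):
        self.rd, self.wr = rd, wr

    def command(self, line=None):
        if line is not None:
            self.wr.write(line + "\n")
            self.wr.flush()
        statuses = []
        while True:
            resp = self.rd.readline().rstrip("\n")
            if resp.startswith("S "):
                statuses.append(resp[2:])
            elif resp.split(" ", 1)[0] in ("OK", "ERR"):
                return resp.startswith("OK"), statuses, resp
            elif not resp.startswith("#"):  # '#' lines are comments; anything else is a protocol error
                raise EOFError("server went away or broke protocol: %r" % resp)


def run_exchange(data, keyid="0x12345678", tamper=False):
    """Fork the mock server, SIGN data, then VERIFY it (altered first if tamper).
    Returns (signature, verified, status lines from VERIFY)."""
    # Create every pipe before forking so the child sees the fd numbers that
    # "INPUT FD=7" / "OUTPUT FD=8" name.  Payloads here fit the pipe buffer.
    pipes = c2s, s2c, sin, sout, vsig, vmsg = [os.pipe() for _ in range(6)]
    child_keeps = {c2s[0], s2c[1], sin[0], sout[1], vsig[0], vmsg[0]}
    pid = os.fork()
    if pid == 0:  # child plays "gpg --server"
        try:
            for fd in {f for p in pipes for f in p} - child_keeps:
                os.close(fd)
            mock_server(os.fdopen(c2s[0]), os.fdopen(s2c[1], "w"))
        finally:
            os._exit(0)
    for fd in child_keeps:
        os.close(fd)
    cli = AssuanClient(os.fdopen(s2c[0]), os.fdopen(c2s[1], "w"))
    cli.command()  # greeting
    for cmd in ("SIGNER " + keyid, "INPUT FD=%d" % sin[0], "OUTPUT FD=%d" % sout[1]):
        if not cli.command(cmd)[0]:
            raise RuntimeError(cmd + " failed")
    feed(sin[1], data)  # EOF on INPUT ends the to-be-signed data
    if not cli.command("SIGN")[0]:
        raise RuntimeError("SIGN failed")
    signature = read_all(sout[0])
    cli.command("INPUT FD=%d" % vsig[0])
    cli.command("MESSAGE FD=%d" % vmsg[0])
    feed(vsig[1], signature)
    feed(vmsg[1], (data + b"!") if tamper else data)
    verified, statuses, _ = cli.command("VERIFY")  # OK or ERR, plus status lines
    cli.command("BYE")
    os.waitpid(pid, 0)
    return signature, verified, statuses
```

run_exchange(b"...") returns the mock signature, the VERIFY verdict and the status lines; run_exchange(..., tamper=True) exercises the ERR path with its preceding BADSIG status. One caveat worth noting: this client reads OUTPUT only after the OK to SIGN, which works for the small payloads here but would deadlock with a signature larger than the pipe buffer, so a production caller reads the output descriptor concurrently with waiting for the response.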