doc/Notes


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

Add an infor page for watchgnupg.

> * How to mark a CA certificate as trusted.

There are two ways: 

  1. Let gpg-agent do this for you.  Since version 1.9.9 you need to
     add the option --allow-mark-trusted  gpg-agent.conf or when
     invoking gpg-agent.  Everytime gpgsm notices an untrusted root
     certificate gpg-agent will pop up a dialog to ask whether this
     certificate should be trusted.  This is similar to whatmost
     browsers do.

     The disadvantage of this method and the reason why
     --allow-mark-trusted is required is that the list of trusted root
     certificates will grow, because almost all user will just hit
     "yes, I trust" and "yes, I verified the fingerprint" without
     understanding that this is a very serious decision.

  2. Use your editor.  Edit the file ~/.gnupg/trustlist.txt and add
     the fingerprints of the trusted root certificates. There are
     comments on the top explaining the simple format.  The current
     CVS version allows for colons in the fingerprint, so you can
     easily cut and paste it from whereever you know that this is the
     correct fingerprint.

An example for an entry in the trustlist.txt is:

  # CN=PCA-1-Verwaltung,O=PKI-1-Verwaltung,C=de
  3EEE3D8BB7F0FE5C9F5804A3A7E51BCE98209DF9 S

This is in fact one that probably made its way into the file using the
first method.  As usual a # indicates a comment.  The trailing S means
that this is to be used for (X.509).

It is not possible to trust intermediate CA certificates; gpgsm always
checks the entire chain of certificates.

> * How to import a key and bind it to some certificate already
>   imported.  Alternatively, import key and certificate together, from
>   a pkcs12 blob, or pkcs8 + certificate blobs, or whatever.
>   Alternatively, don't import the key at all, but specify location of
>   key using a parameter when signing.

You always need to import the key; there is something similar to a
keyring (here called a keybox: ~/.gnupg/pubring.kbx).

Importing a key either from a binary or ascii armored (PEM) certificate
file or from a cert-only signature file is done using

  gpg --import FILE

or

  gpg --import < FILE

In general you should first import the root certificates and then down
to the end user certificate.  You may put all into one file and gpgsm
will do the right thing in this case independend of the order.  

While verifying a signature, all included certificates are
automagically imported.

To import from a pkcs#12 file you may use the same command; if a
private key is contained in that file, you will be asked for the
transport passphrases as well as for the new passphrase used to
protect it in gpg-agent's private key storage
(~/.gnupg/private-keys-v1.d/). Note that the pkcs#12 support is very
basic but sufficient for certificates exported from Mozilla, OpenSSL
and MS Outlook.

Background info on private keys:

If you want to look at the private key you first need to know the name
of the keyfile.  Run the command "gpgsm -K --with-key-data [KEYID]" and
you get an output like:

  crs::1024:1:CF8[..]6D:20040105T184908:2006[...]:09::CN=ZS[....]::esES:
  fpr:::::::::3B50BF2BDAF2[...]1AE6796D:::2812[...]508F21F065E65E44:
  grp:::::::::C92DB9CFD588ADE846BE3AC4E7A2E1B11A4A2ADB:
  uid:::::::::CN=Werner Koch,OU=test,O=g10 Code,C=de::
  uid:::::::::<wk@g10code.de>::

This should be familar to advanced gpg-users; see doc/DETAILS in gpg
1.3 (CVS HEAD) for a description of the records.  The value in the
"grp" tagged record is the so called keygrip and you should find a
file ~/.gnupg/private-keys-v1.d/C92DB9CFD588ADE846BE3AC4E7A2E1B11A4A2ADB.key
with the private and public key in an S-expression like format.  The
gpg-protect-tool may be used to display it in a human readable format:

  $ gpgsm --call-protect-tool ~/.gnupg/private-keys-v1.d/C9[...]B.key 
  (protected-private-key 
   (rsa 
    (n #00C16B6E807C47BB[...]10487#)
    (e #010001#)
    (protected openpgp-s2k3-sha1-aes-cbc 
     (
      (sha1 "Hvü9Qt^Ç" "96")
      #2B17DC766AEA2568EE0C688E18F9757E#)
     #65A4FF9F30750A1300[...]7#)
    )
   )
  
The current CVS version of gpgsm has a command --dump-keys which lists
more details of a key including the keygrip so you don't need to use
the colon format if you want to manually debug things.

  $ gpgsm --dump-keys
  Serial number: 01
         Issuer: CN=Trust Anchor,O=Test Certificates,C=US
        Subject: CN=Trust Anchor,O=Test Certificates,C=US
       sha1_fpr: 66:8A:47:56:A2:DC:88:FF:DA:B8:95:E1:3C:63:37:55:5F:0A:F7:BF
        md5_fpr: 03:01:3B:BB:EC:6C:5D:48:88:4C:95:63:99:84:ED:C0
        keygrip: 6A082B3063F6DA6D68B2994AB11B4328FD6206D2
      notBefore: 2001-04-19 14:57:20
       notAfter: 2011-04-19 14:57:20
       hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
        keyType: 1024 bit RSA
      authKeyId: [none]
       keyUsage: certSign crlSign
    extKeyUsage: [none]
       policies: [none]
    chainLength: unlimited
          crlDP: [none]
       authInfo: [none]
       subjInfo: [none]
           extn: 2.5.29.14 (subjectKeyIdentifier)  [22 octets]
  
> * How to import a CRL

CRLs are managed by the dirmngr which is a separate package.  The idea
is to eventaully turn it into a system daemon, so that on a multi-user
machine CRLs are handled more efficiently.  As of now the dirmngr
needs service from gpgsm thus it is best to call it through gpgsm:

  gpgsm --call-dirmngr LOAD /absolute/filename/to/a/CRL/file

See the dirmngr README and manual for further details.

If you don't want to check CRLs, use the option --diable-crl-checks
with gpgsm.

> I'm trying to replace the S/MIME support in OpenSSL with gpgsm for the
> MUA Gnus.

Great; I'd love it.

> Perhaps I shouldn't be using gpgsm directly?  gpgme didn't seem to
> have a command line front end.

For Gnus it makes sense to use gpgsm directly.  Enhancing pgg to
support gpgsm should not be that hard.  Things you need to take care
off are: Warn if GPG_AGENT_INFO has not been set, because this will
call gpg-agent for each operation and obviously does not cache the
passphrase them. If GPG_AGENT_INFO has been set, also disable the
passphrase code for gpg and pass --use-agent to gpg - this way gpg
benefits from the passphrase caching and the pinentry.

You may want to look at gpgconf (tools/README.gpgconf) to provide a
customization interface for gpgsm, gpg-agent and dirmngr.


Module Overview
================ 

gpgsm 
        libgpg-error
        libgcrypt 
        libksba
        libassuan [statically linked]
        [Standard system libraries]

gpg-agent
        libgpg-error
        libgcrypt
        libassuan [statically linked]
        libpth    [system library]
        [Standard system libraries]

scdaemon 
        libgpg-error
        libgcrypt
        libksba
        libassuan [statically linked]
        libusb    [system library, optional]
        libopensc [system library, optional]
        [For reader access libpcsclite or a CT-API library may be
         linked at runtime (controllable by scdaemon.conf)]
        [Standard system libraries]

gpg-protect-tool 
        libgpg-error
        libgcrypt
        [Standard system libraries]

dirmngr 
        libgpg-error
        libgcrypt
        libksba
        libassuan [statically linked]
        libldap [system libary]
        liblber [system libary]
        libsasl [system libary, required by libldap]
        libdb2  [system libary, required by libsasl]
        libcrypt [system libary, required by libsasl - OOPS]
        libpam  [system libary, required by libsasl]
        [Standard system libraries]

pinentry-curses 
        libncurses
        [Standard system libraries]
        [Independent Assuan code is source included]

pinentry-gtk    
        libncurses
        [GTK+ and X libraries]
        [Standard system libraries]
        [Independent Assuan code is source included]

pinentry-qt 
        libncurses
        [QT and X libraries]
        [Standard system libraries]
        [Independent Assuan code is source included]

gpgme
        [Standard system libraries]
        [gpgsm is required at runtime]       
        [Independent Assuan code is source included]

libgpg-error
        [none]
        
libgcrypt 
        libgpg-error

libksba
        libgpg-error

libassuan 
        [none]