OpenPGP/X.509网桥:如何验证公钥?

2024-05-18 17:42:20 发布

您现在位置:Python中文网/ 问答频道 /正文
6790 3

我想使用OpenPGP authentication over TLS,但由于缺乏实现,我使用了一个临时解决方案:OpenPGP/X.509网桥证书。在

该方法与Foaf中使用的方法非常相似:
https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java

Basically, you create a certificate request starting from a converted PGP private key, including your converted PGP public key into the certificate request. Then you sign the request with your converted PGP private key.

我使用“converted”这个词是因为OpenPGP和OpenSSL密钥格式不兼容:我必须从OpenPGP密钥中提取密钥参数并使用它们来形成一个新的X.509兼容(OpenSSL)密钥。尽管如此,它还是如预期的那样工作。在

结果是一个带有PGP公钥参数的X.509证书,但没有用户id和公钥签名,因此无法用于身份验证。在

这里缺少的是服务器身份验证。服务器以前已经对用户的PGP公钥进行了签名,但是如何通过X.509网桥证书进行验证?在

即使我使用我的PGP用户ID作为我的CN(公共名称),我如何证明它与原始OpenPGP密钥中使用的用户ID相同?
X.509网桥证书上没有公钥签名,只有相同的密钥参数。我能安全地检查一下吗?在

尽管我必须用Python来做这件事,但是关于如何继续进行的任何建议都会非常有用。在


Tags: 方法key用户参数netrequest密钥svn
1条回答
网友
1楼 · 发布于 2024-05-18 17:42:20

我得到了密码的答案: https://crypto.stackexchange.com/a/11709/9284

If you can put the entire PGP certificate in a proprietary non-critical extension then you don't need to find the PGP certificate in a store. This solution depends on the condition that you are able to create your own OID and insert the PGP certificate in the extension. Furthermore, the server should accept such a certificate and contain methods of validating the PGP certificate as well.

The CA can accept or refuse requests containing a PGP certificate. It should at least check that the key in the PGP certificate matches the one in the signed request. One method of doing this is to validate that the modulus of the PGP and X5.09 public key match.

相关问题 更多 >

    编程相关推荐

    热门问题