我想使用OpenPGP authentication over TLS,但缺乏实现使我使用临时解决方案:OpenPGP / X.509桥接证书.
该方法与Foaf中使用的方法非常相似:
https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java
Basically, you create a certificate request starting from a converted PGP private key, including your converted PGP public key into the certificate request. Then you sign the request with your converted PGP private key.
我使用“转换”一词,因为OpenPGP和OpenSSL密钥格式不兼容:我必须从OpenPGP密钥中提取关键参数,并使用它们形成新的X.509兼容(OpenSSL)密钥.然而,它按预期工作.
结果是X.509证书,其中包含在X.509证书的公钥中使用的PGP公钥参数,但没有用户ID和公钥签名,因此无法用于身份验证.
缺少的部分是服务器身份验证.服务器先前已签署用户的PGP公钥,但如何通过X.509桥接证书验证?
即使我使用我的PGP用户ID作为我的CN(公用名),我如何证明它与原始OpenPGP密钥中使用的用户ID相同?
X.509网桥证书上没有公钥签名,只有相同的密钥参数.我能安全地检查一下吗?
虽然我必须在Python中执行此操作,但有关如何继续进行的任何建议都会非常有用.
解决方法:
我得到了关于加密的答案:
https://crypto.stackexchange.com/a/11709/9284
If you can put the entire PGP certificate in a proprietary non-critical extension then you don’t need to find the PGP certificate in a store. This solution depends on the condition that you are able to create your own OID and insert the PGP certificate in the extension. Furthermore, the server should accept such a certificate and contain methods of validating the PGP certificate as well.
The CA can accept or refuse requests containing a PGP certificate. It should at least check that the key in the PGP certificate matches the one in the signed request. One method of doing this is to validate that the modulus of the PGP and X5.09 public key match.