key selection in GPGSM

Werner Koch wk@gnupg.org
Tue Dec 11 12:09:01 2001


Hi!

Due to the way X.509 certificates are made up we need a few new ways
to specify a certificate (aka key in OpenPGP).  In addition to the
ways a user ID can be specified with gpg, I have implemented 3 new
modes for gpgsm, here is the entire list of ways to specify a key:

 * By keyID.

   This format is deduced from the length of the string and its
   content or "0x" prefix.  For use with OpenPGP an exclamation mark may
   be appended to force use of the specified (sub)key.

   As with v34 OpenPGP keys, the keyID of an X.509 certificate is the
   low 64 bits of the SHA-1 fingerprint.  The use of keyIDs is just a
   shortcut; for all automated processing the fingerprint should be
   used.

   Examples: 

       234567C4  
       0F34E556E
       01347A56A
       0xAB123456

       234AABBCC34567C4
       0F323456784E56EAB
       01AB3FED1347A5612
       0x234AABBCC34567C4

 * By fingerprint

   This format is deduced from the length of the string and its
   content or "0x" prefix.  Note that only the 20 byte fingerprint is
   used with GPGSM (SHA-1 hash of the certificate).  For use with
   OpenPGP an exclamation mark may be appended to force use of the
   specified (sub)key.

   Examples:

       1234343434343434C434343434343434
       123434343434343C3434343434343734349A3434
       0E12343434343434343434EAB3484343434343434
       0xE12343434343434343434EAB3484343434343434

 * Exact match on OpenPGP user ID

   This is denoted by a leading equal sign. It does not make much
   sense for X.509.

   Example:

       =Heinrich Heine <heinrichh@uni-duesseldorf.de>

 * Exact match on an email address.

   This is indicated by enclosing the email address in the usual way
   with left and right angle brackets.

   Example:

       <heinrichh@uni-duesseldorf.de>

 * Word match

   All words must match exactly (not case sensitive) but can appear in
   any order in the user ID or a subjects name.  Words are any
   sequences of letters, digits, the underscore and all characters
   with bit 7 set.

   Example:

       +Heinrich Heine duesseldorf

 * [NEW] Exact match by subject's DN

   This is indicated by a leading slash, directly followed by the
   RFC 2253 encoded DN of the subject.

   Example:

      /CN=Henrich Heine,O=Poets,L=Paris,C=FR
   
 * [NEW] Exact match by issuer's DN

   This is indicated by a leading hash mark, directly followed by a
   slash and then directly followed by the RFC 2253 encoded DN of the
   issuer.  This should return the root cert of the issuer.

   Example:

      #/CN=Root Cert,O=Poets,L=Paris,C=FR

 * [NEW] Exact match by serial number and subject's DN

   This is indicated by a hash mark, followed by the hexadecimal
   representation of the serial number, then followed by a slash and
   the RFC 2253 encoded DN of the issuer.

   Example:

      #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR

 * Substring match

   By case insensitive substring matching.  This is the default mode
   but applications may want to explicitly indicate this by putting
   the asterisk in front.

   Example:

        Heine
        *Heine
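As an added illustration (my own code, not part of Werner's message or of GnuPG), here is a small classifier that applies the rules above to a key specification string and reports which search mode it selects; the mode names, the tuple layout and the treatment of a leading "0" pad on odd-length hex strings are my assumptions.

```python
import re

_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_HEXLEN = {8: "keyid", 16: "keyid", 32: "fingerprint", 40: "fingerprint"}

def _words(text):
    # A word is a run of ASCII letters/digits, underscores, or characters with
    # bit 7 set (non-ASCII); words match case-insensitively, so lowercase them.
    words, cur = [], ""
    for ch in text:
        if ch == "_" or not ch.isascii() or ch.isalnum():
            cur += ch
        elif cur:
            words.append(cur.lower())
            cur = ""
    if cur:
        words.append(cur.lower())
    return words

def classify_keyspec(spec):
    """Return (mode, value, force_subkey) for one key specification string."""
    s = spec.strip()
    head, rest = s[:1], s[1:]
    if head == "=":                      # exact OpenPGP user ID
        return ("exact_uid", rest, False)
    if head == "<" and s.endswith(">"):  # exact email address
        return ("exact_email", rest[:-1], False)
    if head == "+":                      # all words must match, any order
        return ("words", _words(rest), False)
    if head == "/":                      # subject DN, RFC 2253 encoded
        return ("subject_dn", rest, False)
    if head == "#":                      # "#/DN" issuer DN, "#serial/DN"
        if rest.startswith("/"):
            return ("issuer_dn", rest[1:], False)
        serial, sep, dn = rest.partition("/")
        if not sep or not _HEX.match(serial):
            raise ValueError("expected #<hex serial>/<DN>, got %r" % spec)
        return ("serial_dn", (serial.upper(), dn), False)
    if head == "*":                      # explicit substring match
        return ("substring", rest, False)
    # keyID (8/16 hex digits) or fingerprint (32/40): optional "0x" prefix or
    # one leading "0" pad (assumed); a trailing "!" forces the OpenPGP (sub)key.
    hexs = s[:-1] if s.endswith("!") else s
    if hexs[:2].lower() == "0x":
        hexs = hexs[2:]
    elif len(hexs) in (9, 17, 33, 41) and hexs[0] == "0":
        hexs = hexs[1:]
    if _HEX.match(hexs) and len(hexs) in _HEXLEN:
        return (_HEXLEN[len(hexs)], hexs.upper(), s.endswith("!"))
    return ("substring", s, False)       # default mode
```

Anything that is not recognisably hex or prefixed falls through to the default substring mode, so a typo in a fingerprint silently becomes a substring search; that is the reason the message recommends full fingerprints for automated processing.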


Please note that we have reused the hash mark identifier which was
used in old GnuPG versions to indicate the so called local-id.  It is
no longer used, and there should be no conflict when it is used with
X.509 stuff.

Using the RFC 2253 format of DNs has the drawback that it is not
possible to map them back to the original encoding; however, we don't
have to do this, because our key database stores this encoding as meta
data.

Some of the search modes are not yet implemented ;-)


  Werner