--raw-sign, --raw-verify

Anthony Carrico acarrico at memebeam.org
Thu Mar 23 03:15:29 CET 2006


I'm working on a raw signature patch in a local svk branch of GnuPG's
svn repository. Here is my design document. If I am successful, I
intend to provide this as a public domain patch, which I hope might be
accepted into the official sources.

Please provide any feedback, especially if I have missed something
obvious. Thank you!

                               SUMMARY

The OpenPGP key infrastructure is a very valuable resource, but
OpenPGP packets are not the appropriate container in every
authentication protocol. Raw sign and verify commands would allow
other authentication protocols to capitalize on the OpenPGP key
infrastructure and the GnuPG implementation.

                              MOTIVATION

Our motivating case was xmldsig (http://www.w3.org/TR/xmldsig-core/).
Xmldsig is an authentication protocol, like OpenPGP, but it uses an
XML syntax instead of the OpenPGP packet syntax.

Briefly, the xmldsig syntax has SignedInfo and SignatureValue
elements. The SignedInfo is transformed (hashed, etc.) and then
signed to create the SignatureValue.

Like OpenPGP, xmldsig is flexible about which algorithms it can use,
and so we originally attempted to define the OpenPGP packet as a
signature algorithm for xmldsig.

In this initial attempt, we canonicalized the SignedInfo and passed it
to GnuPG and deemed the resulting OpenPGP packet to be our
SignatureValue--we defined OpenPGP packets to be a SignatureMethod.

One problem with this method was that the OpenPGP packet would
actually be a signature over more data than would be apparent in the
SignedInfo. In particular, a timestamp and other data specified in the
OpenPGP spec would also be signed. This would be a semantic error,
since all of the signed data should be apparent in the SignedInfo
element.

A cleaner, more correct, solution would be to use a DSA key (for
example) from an OpenPGP key to produce a raw DSA signature (for
example). The only "patch free" way to accomplish this with GnuPG
would be to export a key and run the algorithm(s) externally. This
seemed to be unwise, since it would bypass and duplicate the most
important aspects of the GnuPG and GnuPG-agent implementations. A -raw
patch seemed to be the best option.

                                DESIGN

We desire simpler subsets of the "--detach-sign" and "--verify"
command pair. This is the existing v3 "--detach-sign" command:

  create-V3-sig-packet(
   sig-algo(
     hash-algo(
       concatenate(MESSAGE-DATA, signature type, creation time))),
   ...) -> DETACHED-SIGNATURE

Where MESSAGE-DATA is user input and DETACHED-SIGNATURE is user
output.

We desire the following new "--raw-sign" signature command:

   hash-algo(MESSAGE-DATA) -> MESSAGE-DIGEST
   sig-algo(MESSAGE-DIGEST) -> RAW-SIGNATURE

Where MESSAGE-DATA is user input and both MESSAGE-DIGEST and
RAW-SIGNATURE are user output.

We also desire the following "--raw-sign-md" command:

   sig-algo(MESSAGE-DIGEST) -> RAW-SIGNATURE

Where MESSAGE-DIGEST is user input and RAW-SIGNATURE is user output.

We also desire the corresponding "--raw-verify" and "--raw-verify-md"
commands.

In some sense, the desired new commands are similar to the existing
"--print-md" command which exposes the raw hash algorithms.

                            USER INTERFACE

The raw commands could be implemented as options of the
--detach-sign/--verify pair, or with new commands. The GnuPG manual's
"kludge" comment about the --textmode option prompted us to choose
new commands rather than adding options.

The first command pair corresponds to the existing --detach-sign and
--verify commands:

   --raw-sign file [files]

   Make a raw signature of the given message data. The output is a raw
   signature, defined by the signature algorithm, and not an OpenPGP
   packet. The message digest is also available on the status fd.

  --raw-verify sigfile [signed-files]

   Assume that sigfile is a raw signature and verify it without
   generating any output. If only a sigfile is given then the message
   data is expected in a file without the final extension. With more
   than 1 argument, the first should be a raw signature and the
   remaining files are the message data. To read the message data from
   stdin, use - as the second filename.  For security reasons, a raw
   signature cannot read the message data from stdin without denoting
   it in the above way. The message digest is also available on the
   status fd.

The second pair differs in that they work with a message digest instead
of message data:

   --raw-sign-md md-file

   Make a raw signature of the given message digest. The output is a
   raw signature, defined by the signature algorithm, and not an
   OpenPGP packet. The message digest must be compatible with the
   signature algorithm.

   --raw-verify-md sigfile [md-file]

   Assume that sigfile is a raw signature and verify it without
   generating any output. If only a sigfile is given then the message
   digest is expected in a file without the final extension. With two
   arguments, the first should be a raw signature and the second the
   message digest. To read the message digest from stdin, use - as the
   second filename.  For security reasons a raw signature cannot read
   the message digest from stdin without denoting it in the above way.

-- 
Anthony Carrico
http://giftfile.org
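
Added example, not part of the original post and not GnuPG code: it contrasts the digest that a v3 "--detach-sign" feeds to the signature algorithm with the digest the proposed "--raw-sign" would feed it, showing why a verifier holding only the SignedInfo cannot reproduce the former. Function names, the SHA-1 default, the sample SignedInfo bytes and the timestamp are assumptions made for illustration.

```python
import hashlib
import struct

SIG_TYPE_BINARY = 0x00  # OpenPGP signature type "binary document"

# Constructed sample input standing in for a canonicalized SignedInfo.
SAMPLE_SIGNED_INFO = b"<SignedInfo><Reference URI=\"#doc\"/></SignedInfo>"
SAMPLE_CREATION_TIME = 1143080129  # constructed timestamp, seconds since epoch


def raw_digest(message: bytes, hash_name: str = "sha1") -> bytes:
    """hash-algo(MESSAGE-DATA): the only input a raw signature would cover."""
    return hashlib.new(hash_name, message).digest()


def v3_trailer(sig_type: int, creation_time: int) -> bytes:
    """The 5 extra octets a v3 signature hashes after the message:
    1-octet signature type, then 4-octet big-endian creation time."""
    return struct.pack(">BI", sig_type, creation_time)


def v3_digest(message: bytes, sig_type: int, creation_time: int,
              hash_name: str = "sha1") -> bytes:
    """hash-algo(concatenate(MESSAGE-DATA, signature type, creation time))."""
    h = hashlib.new(hash_name)
    h.update(message)
    h.update(v3_trailer(sig_type, creation_time))
    return h.digest()


def verifier_can_recompute(digest: bytes, message: bytes,
                           hash_name: str = "sha1") -> bool:
    """True when the signed digest is derivable from the message alone,
    i.e. everything that was signed is apparent in the message."""
    return digest == raw_digest(message, hash_name)


if __name__ == "__main__":
    msg = SAMPLE_SIGNED_INFO
    raw = raw_digest(msg)
    v3 = v3_digest(msg, SIG_TYPE_BINARY, SAMPLE_CREATION_TIME)
    print("raw digest:", raw.hex())
    print("v3 digest :", v3.hex())
    print("hidden signed octets:",
          v3_trailer(SIG_TYPE_BINARY, SAMPLE_CREATION_TIME).hex())
    print("raw reproducible from message:", verifier_can_recompute(raw, msg))
    print("v3 reproducible from message :", verifier_can_recompute(v3, msg))
```

The raw digest is also what a "--raw-verify-md" style check would take as input, so it can be computed by any tool that implements the hash.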