How to test gpgsm
Werner Koch
wk@gnupg.org
Fri Dec 14 14:58:01 2001
Hi!
Some short notes on how to test the current CVS version of GpgSM.
Preparation after building gpgsm (no need for make install):
$ cd /my/testbench/newpg/sm
$ mkdir ~/.gnupg-test
$ mkdir ~/.gnupg-test/private-keys-v1.d
$ cp ../tests/567064FE6D14A17B2D811ABB407728BC558AA455 ~/.gnupg-test/private-keys-v1.d/
$ ./gpgsm --import ../tests/cert_g10code_test1.pem
See what keys (certificates are now available):
$ ./gpgsm --list-keys
You should get this output:
/home/wk/.gnupg-test/pubcerts.kbx
---------------------------------
crt:?:1024:82::2001-11-11:2001-11-12:::::escESC:
fpr:::::::::3CF405464F66ED4A7DF45BBDD1E4282E33BDB76E:
grp:::::::::567064FE6D14A17B2D811ABB407728BC558AA455:
uid:?::::::::CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE::
Now let's encrypt the text "foobar\n" for this testkey:
$ echo foobar | ./gpgsm -ea
You should get an outbut similar to this:
-----BEGIN CMS OBJECT-----
MIAGCSqGSIb3DQEHA6CAMIACAQAxggEJMIIBBQIBADBwMGsxCzAJBgNVBAYTAkRF
MRMwEQYDVQQHFApE/HNzZWxkb3JmMRYwFAYDVQQKEw1nMTAgQ29kZSBHbWJIMRkw
FwYDVQQLExBBZWd5cHRlbiBQcm9qZWN0MRQwEgYDVQQDEwt0ZXN0IGNlcnQgMQIB
ADALBgkqhkiG9w0BAQEEgYBrUM56Xd+6Zvogw9XwP6llGUc5vUV+Iql55r+0iJTC
/aO0lmqgWES8lIJLMKa02BpekJNJyByz3pHTZBm8AK/RjyjJ9TAGy1Q2Yza3YYTw
ibTnJ03hiJDjXuifg1YoI6YL4skmTYbCRuE2xvWYu4N27kP0EkmxdPa/B6x1nVwW
rzCABgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECMCqX8rLU8XDoIAECFQ7+zV6V5Ou
AAA=
-----END CMS OBJECT-----
The option -a (--armor) produces this PEM format, the option --base64
would produce a plain base64 encoding and no option returns the raw
CMS object (which is BER encoded). As you have guessed -e stands for
encrytion. Using the command this way uses a default recipient (this
is only testing behaviour). The correct way to specify a recipient is
by using this:
-r '/CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE'
I have recently posted a description on how to specify the
certificates, all this may be given for -r. well, in theory, most
stuff is not implemented, giving more than one -r does currently
return an error.
Okay, lets see how to decrypt it again. We assume that the above
output is in "msg.pem"
$ ./gpgsm --decrypt <msg.pem
A window should pop up (sorry console users) and ask for a PIN, you
have to enter just 4 to 8 digits and hit return or click the button.
Here is what you should see:
gpgsm: DBG: recp 0 - issuer: `CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE'
gpgsm: DBG: recp 0 - serial: 00
gpgsm: DBG: recp 0 - enc-val: `(enc-val(rsa(a #6B50CE7A5DDFBA66FA20C3D5F03FA965194739BD457E22A979E6BFB48894C2FDA3B4966AA05844BC94824B30A6B4D81A5E909349C81CB3DE91D36419BC00AFD18F28C9F53006CB54366336B76184F089B4E7274DE18890E35EE89F83562823A60BE2C9264D86C246E136C6F598BB8376EE43F41249B174F6BF07AC759D5C16AF#)))'
gpgsm: no running gpg-agent - starting one
gpgsm: DBG: connection to agent established
gpg-agent[10396]: DBG: no running PIN Entry - starting it
gpg-agent[10396]: DBG: connection to PIN entry established
Warning: using insecure memory!
OK button clicked
got PIN `1212'
passphrase=`1212'
calling gtk_main_quit
foobar
Well the last line is what we want. I am using gpinentry as the
pinentry, if you are using kpinentry, the debug output is different.
Ohhh, it didn't work for you? Try to set the paths into the
configuration files, I use these:
$ cat ~/.gnupg-test/gpgsm.conf
no-secmem-warning
agent-program /usr/local/kde/bin/gpg-agent
$ cat ~/.gnupg-test/gpg-agent.conf
verbose
pinentry-program /usr/local/kde/bin/gpinentry
Now lets apply a signature to some data:
$ echo foobar >foobar
$ ./gpgsm -sba foobar >msg.pem
You will find the signed message in msg.pem and see this output:
gpgsm: no running gpg-agent - starting one
gpgsm: DBG: connection to agent established
gpg-agent[10876]: DBG: no running PIN Entry - starting it
gpg-agent[10876]: DBG: connection to PIN entry established
Warning: using insecure memory!
OK button clicked
got PIN `12121'
passphrase=`12121'
calling gtk_main_quit
gpgsm: signature created
As usual with not-yet-so-secret key operations, the PIN entry pops up
and you enter some arbitrary digits. BTW, we can only do deatched
signatures for now (-b).
To check this signature do this:
$ ./gpgsm --verify msg.pem foobar
The output should look like this:
gpgsm: DBG: Detached signature
gpgsm: DBG: signer 0 - issuer: `CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE'
gpgsm: DBG: signer 0 - serial: 00
gpgsm: DBG: signer 0 - sigtime: none
gpgsm: DBG: signer 0 - digest algo: 2
gpgsm: DBG: signer 0 - signature: `(sig-val(rsa(s #009D9633CD7B544199B62F893E979C96F6BFD9B8510E6DB4DB2EBDF0C31FD4181451BFA62E6B998247887BD777996FA137BBAADF80E2886751902DECAAC7255766D3CEAE5933E97C02F6C0B56B7A7302D9BEBEAEDCAE58DCC6DDBDD2F7BA940CF6DD441B8B0D0A5DF632CBC9B3E5E45B1A8DAD690ABB32F1A8D277583AFB5FB577#)))'
gpgsm: DBG: signature okay - checking certs
gpgsm: DBG: BEGIN Certificate `subject':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 2001-12-03 09:36:38
gpgsm: DBG: notAfter: 2002-12-03 09:36:38
gpgsm: DBG: issuer: `CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE'
gpgsm: DBG: subject: `CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE'
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint: 3C:F4:05:46:4F:66:ED:4A:7D:F4:5B:BD:D1:E4:28:2E:33:BD:B7:6E
gpgsm: DBG: END Certificate
gpgsm: DBG: selfsigned certificate is good
gpgsm: signature is good
You can do signature verification with any detached CMS signature, you
might need to import the certificates first, but in most cases S/MIME
messages have all certificates included. To import a signature, just
do a gpgsm --import.
gpgsm always tries to figure out the format of the input, if this does
not work, you can give the options --assume-binary, --assume-base64 or
--assume-armor.
Server mode (gpgsm --server) does also work, See the assuan-gpgsm.txt
document on how to do it.
I hope this gives some clues on how to test the new stuff.
Ciao,
Werner