2017-10-11 106 views
2

I have a use case where I generate a public key pair on a smart card (Yubikey) using OpenPGP. How do I get the public key from the OpenPGP smart card without using a key server?

The smart card is then handed over to the user. To simulate this locally, I am doing the following:

  1. Generate the keys on the smart card
  2. Delete the GnuPG home directory
  3. Access the smart card with a freshly regenerated GnuPG home directory

The problem is that I cannot test encrypting a file after performing the above steps, because the public key seems to be missing. fetch does not seem to work either.

At this stage I do not want to share the public key on any online server. Is there any way to retrieve the public key from the smart card after the keyring has been deleted?

Here are the steps that were followed:

$ gpg --card-edit                                      

Reader ...........: 1050:0404:X:0 
Application ID ...: D2760001240102010006046314290000 
Version ..........: 2.1 
Manufacturer .....: Yubico 
Serial number ....: 04631429 
Name of cardholder: sm sm 
Language prefs ...: en 
Sex ..............: unspecified 
URL of public key : [not set] 
Login data .......: sm 
Signature PIN ....: not forced 
Key attributes ...: rsa4096 rsa4096 rsa4096 
Max. PIN lengths .: 127 127 127 
PIN retry counter : 3 0 3 
Signature counter : 0 
Signature key ....: 54D4 E469 7056 B390 AE72 CAA1 A507 3320 7876 0302 
     created ....: 2017-10-11 13:16:52 
Encryption key....: ADA3 2D7F 8D66 4F34 C04A 457C DFEB E3E4 A8F1 8611 
     created ....: 2017-10-11 11:14:18 
Authentication key: 18B9 7AB4 0723 46F4 C23A 3DD7 E5C0 6A93 049E F6A8 
     created ....: 2017-10-11 11:14:18 
General key info..: [none] 

gpg/card> admin 
Admin commands are allowed 

gpg/card> generate 
Make off-card backup of encryption key? (Y/n) n 

gpg: Note: keys are already stored on the card! 

Replace existing keys? (y/N) y 
What keysize do you want for the Signature key? (4096) 
What keysize do you want for the Encryption key? (4096) 
What keysize do you want for the Authentication key? (4096) 
Key is valid for? (0) 0 
Is this correct? (y/N) y 
Real name: john doe 
Email address: [email protected] 
Comment: 
You selected this USER-ID: 
    "john doe <<[email protected]>" 

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o 

gpg: /home/xxx/.gnupg/trustdb.gpg: trustdb created 
gpg: key 6825CB0EBDA94110 marked as ultimately trusted 
gpg: directory '/home/xxx/.gnupg/openpgp-revocs.d' created 
gpg: revocation certificate stored as '/home/xxx/.gnupg/openpgp-revocs.d/6858F119E93FB74BB561DE556825CB0EBDA94110.rev' 
public and secret key created and signed. 


gpg/card> list 

Reader ...........: 1050:0404:X:0 
Application ID ...: D2760001240102010006046314290000 
Version ..........: 2.1 
Manufacturer .....: Yubico 
Serial number ....: 04631429 
Name of cardholder: sm sm 
Language prefs ...: en 
Sex ..............: unspecified 
URL of public key : [not set] 
Login data .......: sm 
Signature PIN ....: not forced 
Key attributes ...: rsa4096 rsa4096 rsa4096 
Max. PIN lengths .: 127 127 127 
PIN retry counter : 3 0 3 
Signature counter : 4 
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110 
     created ....: 2017-10-11 13:18:11 
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC 
     created ....: 2017-10-11 13:18:11 
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32 
     created ....: 2017-10-11 13:18:11 
General key info..: pub rsa4096/6825CB0EBDA94110 2017-10-11  john doe <<[email protected]> 
sec> rsa4096/6825CB0EBDA94110 created: 2017-10-11 expires: never  
           card-no: 0006 04631429 
ssb> rsa4096/31C77DBE2D227E32 created: 2017-10-11 expires: never  
           card-no: 0006 04631429 
ssb> rsa4096/47114B69A622C1DC created: 2017-10-11 expires: never  
           card-no: 0006 04631429 

gpg/card> quit 

$ rm -rf .gnupg/ 

$ gpg --card-status                                      
gpg: directory '/home/smalatho/.gnupg' created 
gpg: new configuration file '/home/smalatho/.gnupg/dirmngr.conf' created 
gpg: new configuration file '/home/smalatho/.gnupg/gpg.conf' created 
gpg: keybox '/home/smalatho/.gnupg/pubring.kbx' created 
Reader ...........: 1050:0404:X:0 
Application ID ...: D2760001240102010006046314290000 
Version ..........: 2.1 
Manufacturer .....: Yubico 
Serial number ....: 04631429 
Name of cardholder: sm sm 
Language prefs ...: en 
Sex ..............: unspecified 
URL of public key : [not set] 
Login data .......: sm 
Signature PIN ....: not forced 
Key attributes ...: rsa4096 rsa4096 rsa4096 
Max. PIN lengths .: 127 127 127 
PIN retry counter : 3 0 3 
Signature counter : 4 
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110 
     created ....: 2017-10-11 13:18:11 
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC 
     created ....: 2017-10-11 13:18:11 
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32 
     created ....: 2017-10-11 13:18:11 
General key info..: [none] 

Answers

1

OpenPGP smart cards do not store enough information to reconstruct the complete OpenPGP public key. You have to import the public key separately. Sharing it on a key server is one solution, but you can also gpg --export the key beforehand and gpg --import it again afterwards for testing.

+0

I believe a key server stores the same information as the local public keyring, doesn't it? – Stelios

+1

Indeed, key servers simply provide unverified/unvalidated keys based on the key ID or fingerprint (long key IDs and fingerprints identify a given key with only a very small chance of ambiguity) or on the user ID (no verification at all; just search the key server network for 'president@whitehouse.gov'). In that sense, uploading the key to a repository is a much stronger concept, as it allows the "trust on first use" discussed above. Whichever way you retrieve the key (from a repository, from a key server), you still need to verify it. –

+0

Thanks for your help, Jens. – Stelios

0

This requires that, before deleting the GNUPGHOME directory, the user manually export the public key, and then re-import the smart card's public key afterwards.

$ gpg --armor --export [email protected] > public.asc 
$ rm -rf ~/.gnupg 
$ gpg --import public.asc 
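Added example (not from the question or either answer): after re-importing public.asc, the one thing the card does still hold is the fingerprint of each key slot, so the imported key can be checked against them. This script parses the `gpg --card-status` fields shown above and the `gpg --with-colons --fingerprint` output of the imported key; it also reports whether the card's "URL of public key" field is set, since that field is what the `fetch` command in --card-edit uses. Both inputs are constructed samples built from the fingerprints in the question; the `fpr:` record layout is GnuPG's real colon format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of `gpg --card-status` from the
# question (fingerprints as printed, with spaces).
CARD_STATUS = """\
URL of public key : [not set]
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32
"""

# Constructed sample of `gpg --with-colons --fingerprint` for the key
# re-imported from public.asc (only the pub/sub/fpr records we need).
PUBRING_COLONS = """\
pub:u:4096:1:6825CB0EBDA94110:1507727891:::u:::scESCA::::::23::0:
fpr:::::::::6858F119E93FB74BB561DE556825CB0EBDA94110:
sub:u:4096:1:31C77DBE2D227E32:1507727891::::::a::::::23:
fpr:::::::::72752C47B1EFBFB51E6D0E6531C77DBE2D227E32:
sub:u:4096:1:47114B69A622C1DC:1507727891::::::e::::::23:
fpr:::::::::BE057FDF9ACD05F0B75A570F47114B69A622C1DC:
"""

CARD_KEY_RE = re.compile(
    r"^(Signature|Encryption|Authentication) key\s*\.*:\s*([0-9A-F ]+?)\s*$", re.M)
URL_RE = re.compile(r"^URL of public key\s*:\s*(.+?)\s*$", re.M)


def parse_card_status(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (url field, {slot: fingerprint without spaces}) from card-status text."""
    m = URL_RE.search(text)
    url = m.group(1) if m else "[not set]"
    keys = {slot.lower(): fpr.replace(" ", "") for slot, fpr in CARD_KEY_RE.findall(text)}
    return url, keys


def parse_pubring_fingerprints(colons: str) -> List[str]:
    """Collect fingerprints from 'fpr' records; field 10 (index 9) holds the hex value."""
    return [f[9].upper() for f in (ln.split(":") for ln in colons.splitlines())
            if f[0] == "fpr" and len(f) > 9]


def verify_card_keys(card_text: str, colons: str) -> Dict[str, bool]:
    """True per card slot when that slot's fingerprint exists in the imported key."""
    _, keys = parse_card_status(card_text)
    known = set(parse_pubring_fingerprints(colons))
    return {slot: fpr in known for slot, fpr in keys.items()}


def fetch_would_work(card_text: str) -> bool:
    """`fetch` in --card-edit downloads from this URL; '[not set]' means nothing to fetch."""
    return parse_card_status(card_text)[0] != "[not set]"


if __name__ == "__main__":
    print(verify_card_keys(CARD_STATUS, PUBRING_COLONS), fetch_would_work(CARD_STATUS))
```

On a real machine, replace the two constants with the output of the two gpg commands; a slot reported False means the imported key is not the one on the card.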