> On Feb 2, 2015, at 6:51 AM, srinivasan j v <srinivasanj...@gmail.com> wrote:
>
> Hello all,
>
> Does RPM support x509 format?
>

Short answer: No.

All depends on what is meant by “support”.

RPM crypto is/was based on BeeCrypt which has no dependency on format. (These days NSS/OpenSSL/libgcrypt/libtomcrypt are also used algorithmically with no dependence on format, either OpenPGP/X509).

There is a parser for OpenPGP format that extracts parameters from pubkeys and signatures, can calculate a fingerprint given OpenPGP public key packets, and can handle base64 armor with crc checks. An equivalently functional parser/fingerprint/armor would be needed for X509 certificates and signatures.

The harder problems have to do with verifying pubkey certification signatures and revocations and keyservers and CA certs and other associated semantics.

The underlying signature algorithms are of course identical.

> RPM has signatures in PGP format, are there any conversion utilities available
> between X509 and PGP formats?
>

Inter-converting OpenPGP <-> X509 signatures is non-trivial because of differences in how the pubkey fingerprint (in the signature) is defined. There isn’t a one-to-one mapping of the data items within the differing pubkey formats, and so fingerprints (which are digests on plaintext) cannot be trivially interconverted.

The monkeysphere project likely has some certificate interconversion utilities too.

There have been attempts to do X509 -> OpenPGP conversions on pubkeys/privkeys. E.g. PGP (but not gnupg) can do the conversions since 2005. So one could redefine the macro that invokes an external helper to use PGP and achieve some semblance of “support” (caveat: untested).

However these days RPM generates a non-repudiable signature on every package in every build using 5 different libraries. The format happens to be OpenPGP, but the non-repudiable signature need not be imported/exported/configured outside of RPM itself.

The better approach to using X509 (and also OpenPGP) tools external to RPM would be generating/verifying a certification signature on the non-repudiable pubkey/signature material that RPM generates, rather than implementing X509 parallel to OpenPGP throughout RPM.

JMHO, YMMV.

73 de Jeff

______________________________________________________________________
RPM Package Manager                                    http://rpm5.org
User Communication List                             rpm-users@rpm5.org
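As an added illustration of the three OpenPGP pieces the reply lists (base64 armor with a CRC check, extracting the packet from the key material, and computing a fingerprint from a public key packet), here is a self-contained Python example. It is not RPM's parser; the key packet is constructed with deliberately tiny, unusable RSA parameters, and the packet reader handles only old-format headers with a one-octet length.

```python
import base64
import hashlib

def crc24(data: bytes) -> int:                      # RFC 4880 6.1; the armor trailer line "=XXXX" carries it
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PGP PUBLIC KEY BLOCK") -> str:
    b64 = base64.b64encode(data).decode()
    crc = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    head = [f"-----BEGIN {label}-----", "Comment: constructed example", ""]
    return "\n".join(head + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [crc, f"-----END {label}-----"])

def dearmor(text: str) -> bytes:                    # refuses a block whose CRC-24 is missing or wrong
    lines = text.splitlines()
    first = lines.index("") + 1                     # armor headers end at a blank line
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END "))
    data = base64.b64decode("".join(l for l in lines[first:end] if not l.startswith("=")))
    trailer = next((l for l in lines[first:end] if l.startswith("=")), None)
    if trailer is None or int.from_bytes(base64.b64decode(trailer[1:]), "big") != crc24(data):
        raise ValueError("armor CRC-24 missing or mismatched: corrupted or tampered block")
    return data

def packet(data: bytes):                            # (tag, body) of the first packet; old-format, one-octet length only
    if data[0] & 0xC3 != 0x80:
        raise ValueError("only old-format packet headers with a one-octet length are handled here")
    return (data[0] >> 2) & 0x0F, data[2:2 + data[1]]

def fingerprint_v4(key_body: bytes) -> str:         # RFC 4880 12.2: SHA-1(0x99 || 2-octet length || key body)
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def mpi(n: int) -> bytes:                           # OpenPGP multi-precision integer: bit count, then big-endian value
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def armor_is_intact(text: str) -> bool:
    try:
        return bool(dearmor(text))
    except ValueError:
        return False
# Constructed V4 RSA public-key packet (not a real key; the parameters are far too small to be usable).
KEY_BODY = b"\x04" + (1422835200).to_bytes(4, "big") + b"\x01" + mpi(0xC4F7C6B1D4A1) + mpi(65537)
ARMORED = armor(bytes([0x98, len(KEY_BODY)]) + KEY_BODY)   # 0x98 = old-format header, tag 6, one-octet length
_pos = ARMORED.index("\n\n") + 2                    # first base64 character of the body
TAMPERED = ARMORED[:_pos] + ("B" if ARMORED[_pos] != "B" else "C") + ARMORED[_pos + 1:]
```

A single flipped base64 character changes at most two adjacent bytes, a burst shorter than the 24-bit CRC, so `dearmor` rejects `TAMPERED` deterministically; the last 16 hex digits of the V4 fingerprint are the long key ID.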