Re: Long Term Key Management With Hardware Tokens

[Brandon Anderson via Gnupg-users]

Whatever the merits of retired key slots for their intended use, there's
another use case for them which was probably not considered by NIST:
alternate certificates for X.509, SSH and similar authorization
applications to work around deficiencies in existing systems.

Examples:

   - Github allows associating one SSH public key with one account. If
 you need to operate multiple Github accounts, you need multiple SSH
 keys.

   - Support for EC certificates in the Samba KDC was broken at least as
 of version 4.10. If you need an EC certificate for SSH, you can't
 use the key associated with your AD/Kerberos X.509 certificate,
 since only RSA works for Kerberos.

   - Similarly, the OS on Mikrotik routers at least before version 7.x
 supports only RSA SSH keys.

Hence, having multiple key slots available for authorization keys is
quite convenient. It might be better to call these something else than
"retired" slots unless aiming for total terminological consistency with
PIV though.

I'm currently using pivy  with Yubikeys
and JavaCards with PivApplet PIV for this kind of multi-key
scenarios. It would be convenient if all external applications could go
through gpg-agent/scute in the future instead of having to deal with
pcsc-shared or similar workarounds.

  -Valtteri

Those are great points; I had not thought of those use-cases! I only 
used the term retirement slots because it was an existing term used in 
PIV smartcards, but we could just call them alternative slots, 
supplemental slots, auxiliary slots, peripheral slots, secondary slots, 
or anything really, so long they can hold old keys decryption keys; my 
use-case is met.


Thanks for posting about the PivApplet project. I was looking for 
something like that for either the basic cards or java cards as I wanted 
to tinker around with them. Do you have a specific Java card model you 
are using?


OpenPGP_0x255837AEF812E87E.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Long Term Key Management With Hardware Tokens

[Valtteri Vuorikoski]

Werner Koch via Gnupg-users  writes:

> Frankly, I am not convinced about the retirement slots on the card.
> They are of course useful if you rotate you key.  But the question is
> why you want to do this given that the keys are anyway securely stored
> on a card.

Whatever the merits of retired key slots for their intended use, there's
another use case for them which was probably not considered by NIST:
alternate certificates for X.509, SSH and similar authorization
applications to work around deficiencies in existing systems.

Examples:

  - Github allows associating one SSH public key with one account. If
you need to operate multiple Github accounts, you need multiple SSH
keys.

  - Support for EC certificates in the Samba KDC was broken at least as
of version 4.10. If you need an EC certificate for SSH, you can't
use the key associated with your AD/Kerberos X.509 certificate,
since only RSA works for Kerberos.

  - Similarly, the OS on Mikrotik routers at least before version 7.x
supports only RSA SSH keys.

Hence, having multiple key slots available for authorization keys is
quite convenient. It might be better to call these something else than
"retired" slots unless aiming for total terminological consistency with
PIV though.

I'm currently using pivy  with Yubikeys
and JavaCards with PivApplet PIV for this kind of multi-key
scenarios. It would be convenient if all external applications could go
through gpg-agent/scute in the future instead of having to deal with
pcsc-shared or similar workarounds.

 -Valtteri
 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start (Werner Koch)

[Marco via Gnupg-users]

Il giorno ven 25 giu 2021 alle ore 16:55  ha
scritto:

> Send Gnupg-users mailing list submissions to
> gnupg-users@gnupg.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> or, via email, send a message with subject or body 'help' to
> gnupg-users-requ...@gnupg.org
>
> You can reach the person managing the list at
> gnupg-users-ow...@gnupg.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Gnupg-users digest..."
> Today's Topics:
>
>1. Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
>   (Werner Koch)
>2. Re: gpg: keyserver receive failed: No name - for gpg
>   --keyserver hkp://pool.sks-keyservers.net (Malte Gell)
>3. Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start (Marco)
>4. Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start (Marco)
>5. Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start (Marco)
>6. Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
>   (Werner Koch)
>
>
>
> -- Forwarded message --
> From: Werner Koch 
> To: Marco via Gnupg-users 
> Cc: Marco 
> Bcc:
> Date: Fri, 25 Jun 2021 15:04:20 +0200
> Subject: Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
> On Fri, 25 Jun 2021 09:39, Marco said:
>
> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>
> The 1 means copy the data to an internal buffer.  Use 0 here to stream
> the data.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
>
>
> -- Forwarded message --
> From: Malte Gell 
> To: gnupg-users@gnupg.org
> Cc:
> Bcc:
> Date: Thu, 24 Jun 2021 22:33:49 +
> Subject: Re: gpg: keyserver receive failed: No name - for gpg --keyserver
> hkp://pool.sks-keyservers.net
> Am 25.06.21 um 00:14 schrieb Brandon Anderson via Gnupg-users:
> >
> >> The keyserver situation seems a bit difficult currently, maybe
> >> https://keys.openpgp.org/ is the best (easiest) workaround for now.
> >>
> >> But WKD is really worth looking at!
> >>
> >
> > My understanding is the Ubuntu Key-server is staying up, I could be
> > wrong, but https://keyserver.ubuntu.com/ seems to be functioning. It is
> > worth noting that the keys.openpgp.org keyserver is not web of trust but
> > explicitly trusting that keyserver to validate a person's identity.
>
> I think it´s good to distribute a key thru several channels,
> keys.openpgp.org is a good way to establish some trust in a key when
> fetching it for the first time. Afterwards you can still get the same
> key from a different source with WoT signatures added.
>
> If you have no fountain at all for a key to establish a chain(web) of
> trust, keys.openpgp.org is the only way to have some trust in a key. The
> WoT works only if you have some fountain for the trust.
>
>
>
>
>
> -- Forwarded message --
> From: Marco 
> To: Marco via Gnupg-users 
> Cc:
> Bcc:
> Date: Fri, 25 Jun 2021 15:15:04 +0200
> Subject: Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
> After reading the documentation I supposed it was not correct because
> says to be not implemented.
>
> I'll give a try immediately and I'll let you know (but I expect it will
> work!)
>
> Thank you!!!
>
> Il giorno ven 25 giu 2021 alle ore 15:05 Werner Koch  ha
> scritto:
>
>> On Fri, 25 Jun 2021 09:39, Marco said:
>>
>> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>>
>> The 1 means copy the data to an internal buffer.  Use 0 here to stream
>> the data.
>>
>>
>> Salam-Shalom,
>>
>>Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>
>
>
>
> -- Forwarded message --
> From: Marco 
> To: Marco via Gnupg-users 
> Cc:
> Bcc:
> Date: Fri, 25 Jun 2021 15:26:24 +0200
> Subject: Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
> I've switched 1 to 0 for
>
> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>
> as suggested.
> The error is:
> Failed to set input file with error: 117440567 --> Invalid value
>
>
>
>
> Il giorno ven 25 giu 2021 alle ore 15:15 Marco  ha
> scritto:
>
>> After reading the documentation I supposed it was not correct because
>> says to be not implemented.
>>
>> I'll give a try immediately and I'll let you know (but I expect it will
>> work!)
>>
>> Thank you!!!
>>
>> Il giorno ven 25 giu 2021 alle ore 15:05 Werner Koch  ha
>> scritto:
>>
>>> On Fri, 25 Jun 2021 09:39, Marco said:
>>>
>>> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>>>
>>> The 1 means copy the data to an internal buffer.  Use 0 here to stream
>>> the data.
>>>
>>>
>>> Salam-Shalom,
>>>
>>>Werner
>>>
>>> --
>>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>>
>>
>
>
> -- Forwarded message --
> From: Marco 
> To: Marco via Gnupg-users 
> Cc:
> Bcc:
> Date: Fri, 25 Jun 2021 1

Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start

[Werner Koch via Gnupg-users]

On Fri, 25 Jun 2021 15:26, Marco said:

> Failed to set input file with error: 117440567 --> Invalid value

Sorry.  I missed that we did not implement that (because it is actually
a legacy compatibility function).  Thus I can't offer you any function
which takes a file name.  You need to open the file yourself and use one
of these functions:

  gpgme_error_t gpgme_data_new_from_cbs (gpgme_data_t *dh,
 gpgme_data_cbs_t cbs,
 void *handle);

That is the most flexible one.  But there are some convenience functions
which relieves you from implementing the callbacks:

  gpgme_error_t gpgme_data_new_from_fd (gpgme_data_t *dh, int fd);

This takes a file descriptior; i.e. open(3).

  gpgme_error_t gpgme_data_new_from_stream (gpgme_data_t *dh, FILE *stream);

This takes an stdio stream; i.e. fopen(3).

  gpgme_error_t gpgme_data_new_from_estream (gpgme_data_t *r_dh,
 gpgrt_stream_t stream);

This takes a estream_t, i.e. gpgrt_fopen (aka es_fopen).

For an example how to use the see gpgme/tests/run-decrypt.c


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start

[Marco via Gnupg-users]

I've found a  workaround using gpgme_data_cbs implementing my own read and
write functions.

If any other way is available or you have any suggestions please let me
know!

Thanks,
Marco

Il giorno ven 25 giu 2021 alle ore 15:26 Marco  ha
scritto:

> I've switched 1 to 0 for
>
> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>
> as suggested.
> The error is:
> Failed to set input file with error: 117440567 --> Invalid value
>
>
>
>
> Il giorno ven 25 giu 2021 alle ore 15:15 Marco  ha
> scritto:
>
>> After reading the documentation I supposed it was not correct because
>> says to be not implemented.
>>
>> I'll give a try immediately and I'll let you know (but I expect it will
>> work!)
>>
>> Thank you!!!
>>
>> Il giorno ven 25 giu 2021 alle ore 15:05 Werner Koch  ha
>> scritto:
>>
>>> On Fri, 25 Jun 2021 09:39, Marco said:
>>>
>>> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>>>
>>> The 1 means copy the data to an internal buffer.  Use 0 here to stream
>>> the data.
>>>
>>>
>>> Salam-Shalom,
>>>
>>>Werner
>>>
>>> --
>>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>>
>>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start

[Marco via Gnupg-users]

I've switched 1 to 0 for

>   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);

as suggested.
The error is:
Failed to set input file with error: 117440567 --> Invalid value




Il giorno ven 25 giu 2021 alle ore 15:15 Marco  ha
scritto:

> After reading the documentation I supposed it was not correct because
> says to be not implemented.
>
> I'll give a try immediately and I'll let you know (but I expect it will
> work!)
>
> Thank you!!!
>
> Il giorno ven 25 giu 2021 alle ore 15:05 Werner Koch  ha
> scritto:
>
>> On Fri, 25 Jun 2021 09:39, Marco said:
>>
>> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>>
>> The 1 means copy the data to an internal buffer.  Use 0 here to stream
>> the data.
>>
>>
>> Salam-Shalom,
>>
>>Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start

[Marco via Gnupg-users]

After reading the documentation I supposed it was not correct because
says to be not implemented.

I'll give a try immediately and I'll let you know (but I expect it will
work!)

Thank you!!!

Il giorno ven 25 giu 2021 alle ore 15:05 Werner Koch  ha
scritto:

> On Fri, 25 Jun 2021 09:39, Marco said:
>
> >   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
>
> The 1 means copy the data to an internal buffer.  Use 0 here to stream
> the data.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net

[Malte Gell via Gnupg-users]

Am 25.06.21 um 00:14 schrieb Brandon Anderson via Gnupg-users:
> 
>> The keyserver situation seems a bit difficult currently, maybe
>> https://keys.openpgp.org/ is the best (easiest) workaround for now.
>>
>> But WKD is really worth looking at!
>>
> 
> My understanding is the Ubuntu Key-server is staying up, I could be
> wrong, but https://keyserver.ubuntu.com/ seems to be functioning. It is
> worth noting that the keys.openpgp.org keyserver is not web of trust but
> explicitly trusting that keyserver to validate a person's identity.

I think it´s good to distribute a key thru several channels,
keys.openpgp.org is a good way to establish some trust in a key when
fetching it for the first time. Afterwards you can still get the same
key from a different source with WoT signatures added.

If you have no fountain at all for a key to establish a chain(web) of
trust, keys.openpgp.org is the only way to have some trust in a key. The
WoT works only if you have some fountain for the trust.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start

[Werner Koch via Gnupg-users]

On Fri, 25 Jun 2021 09:39, Marco said:

>   err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);

The 1 means copy the data to an internal buffer.  Use 0 here to stream
the data.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GPGME Cannot allocate memory on gpgme_op_decrypt_start

[Marco via Gnupg-users]

Hi all.



I’m having this problem with code that would like to decrypt a large gpg
file (252 MB) which is password protected!

I set the environment which works whit smaller files but in this case I face



117473366 --> Cannot allocate memory



Is there any option that I can set to use something similar
auto-expand-secmem? Is there any other way to solve the problem?



Thank you very much for your attention!



*Code sample below:*

*---*


bool res(false);

  gpgme_ctx_t ctx;
  gpgme_error_t err(GPG_ERR_NO_ERROR);
  gpgme_data_t in;
  gpgme_data_t out;
  gpgme_engine_info_t engineInfo;

  size_t inFileSize(fs::file_size(input));
  std::ostringstream oss;
  oss << std::dec << inFileSize;
  std::string fileSizeStr(oss.str());

  VCIUpdaterWrapper wrap;
  wrap.setObj(const_cast(this));
  wrap.setFileSize(fs::file_size(input));

  memset(&ctx, 0, sizeof(ctx));
  memset(&in, 0, sizeof(in));
  memset(&out, 0, sizeof(out));
  memset(&engineInfo, 0, sizeof(engineInfo));

  setlocale(LC_ALL, "");
  gpgme_check_version(NULL);

  gpgme_set_locale(NULL, LC_CTYPE, setlocale(LC_CTYPE, NULL));

  err = gpgme_new(&ctx);
  if (err) {
GENERIC_LOG_MESSAGE(LogLevel::error,
(boost::format("Failed to create GPG context with
error: %1% --> %2%") % err % gpgme_strerror(err)).str())
return res;
  }

  engineInfo = gpgme_ctx_get_engine_info(ctx);
  err = gpgme_ctx_set_engine_info(ctx, engineInfo->protocol,
engineInfo->file_name,

VCIUpdateConfigurations::getInstance().getVciUpdateBaseFolder().c_str());
  if (err) {
GENERIC_LOG_MESSAGE(LogLevel::error,
(boost::format("Failed to set engine info with
error: %1% --> %2%") % err % gpgme_strerror(err)).str())
return res;
  }

  gpgme_set_armor(ctx, 0);
  gpgme_set_pinentry_mode(ctx, GPGME_PINENTRY_MODE_LOOPBACK);
  gpgme_set_passphrase_cb(ctx, &passwfFuncCb, NULL);

  err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);
  if (err) {
GENERIC_LOG_MESSAGE(
LogLevel::error,
(boost::format("Failed to set input file %1% for GPG with error:
%2% --> %3%") % input.string() % err % gpgme_strerror(err)).str())
return res;
  }
//  else {
//err = gpgme_data_set_flag(in, "size-hint", fileSizeStr.c_str());
//
//if (err) {
//  GENERIC_LOG_MESSAGE(
//  LogLevel::error,
//  (boost::format("Failed to set size hint for input file %1% for
GPG with error: %2% --> %3%") % input.string() % err
//  % gpgme_strerror(err)).str())
//  return res;
//}
//  }

  FILE *outFile(::fopen(output.string().c_str(), "w+"));

  if (outFile) {
err = gpgme_data_new_from_stream(&out, outFile);
if (err) {
  GENERIC_LOG_MESSAGE(
  LogLevel::error,
  (boost::format("Failed to set output file %1% for GPG with error:
%2% --> %3%") % output.string() % err % gpgme_strerror(err)).str())
  return res;
}
//else {
//  err = gpgme_data_set_flag(out, "size-hint", fileSizeStr.c_str());
//
//  if (err) {
//GENERIC_LOG_MESSAGE(
//LogLevel::error,
//(boost::format("Failed to set size hint for output file %1%
for GPG with error: %2% --> %3%") % output.string() % err
//% gpgme_strerror(err)).str())
//return res;
//  }
//}
  } else {
GENERIC_LOG_MESSAGE(LogLevel::error, "Failed to open out file " +
output.string());
return res;
  }

  gpgme_set_progress_cb(ctx, &VCIUpdaterWrapper::progress, NULL);

  gpgme_decrypt_result_t dec_result;
  err = gpgme_op_decrypt_start(ctx, in, out);
  if (err) {
GENERIC_LOG_MESSAGE(LogLevel::error,
(boost::format("Failed to execute GPG decryption:
%1% --> %2%") % err % gpgme_strerror(err)).str())

dec_result = gpgme_op_decrypt_result(ctx);

return res;
  } else {
gpgme_wait(ctx, &err, 1);

if (err) {
  GENERIC_LOG_MESSAGE(LogLevel::error,
  (boost::format("Failed to execute GPG decryption:
%1% --> %2%") % err % gpgme_strerror(err)).str())

  dec_result = gpgme_op_decrypt_result(ctx);

  return res;
}

dec_result = gpgme_op_decrypt_result(ctx);
if (dec_result->unsupported_algorithm) {
  GENERIC_LOG_MESSAGE(LogLevel::error,
dec_result->unsupported_algorithm);
  return res;
}
  }

  gpgme_data_release(in);
  gpgme_data_release(out);

  ::fclose(outFile);

  gpgme_release(ctx);

  mSignalUpdateProgress(mWholeUpdatePackages, mDoneUpdates + 1, 100,
UpdatePhase::gpg_decripth);

  res = true;
  return res;


*---*



*Marco Bna’*
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Long Term Key Management With Hardware Tokens

[Brandon Anderson via Gnupg-users]

Thanks for your offer.  However, it is mainly a spec and hardware thing
and the software part is minor.

If you are a vendor of an OpenPGp comliant card, you are likely already
in contact with Achin Pietig, who is responsible for the specs.

Yea, I am not a vendor of an OpenPGP card, just an interested user. Have 
the old GPGcard 2.1, but I want to wait until 25519 support and more 
slots are available before I buy new ones. That being said, please reach 
out if you need help.


OpenPGP_0x255837AEF812E87E.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users