Re: Key Storage Abstraction?

2017-10-16 Thread Werner Koch
Hello!

On Sun, 15 Oct 2017 22:35, gnupg-users@gnupg.org said:

> I've been looking for a way to provide GNUPGP with a custom

I assume you mean GnuPG.

> implementation of a key ring, as I gather there is such a thing as
> WKS, but I cannot find any documentation on how I can implement this

The Web Key Directory is a way to discover a key belonging to a mail
address.  It is not a local key storage or interface format.

> 1.) Sign Messages with a private key (of my choosing)

  $ gpg --batch -u YOURKEYID 

> 2.) Encrypt messages with a public key (of my choosing)
>   - ideally to multiple recipients.

  $ gpg --batch -e -f KEYFILE1 -f KEYFILE2 

Note that the option -f is not yet supported by GPGME.

> 3.) Verify a message was signed by whoever owns a public key I have.
>   - I don't care about GPG's "Trust levels" and would like to disregard them.

  $ gpgv --keyring TRUSTEDKEYS  FILETOVERIFY

> 4.) Decrypt messages using a private key that I specify.

For what do you need this?  The OpenPGP format specifies the key
required for decryption.  Hidden recipients?

> Unrelated: This is in python, I see some GPG libraries, they all seem
> overly complicated, I'd like to actually access GPG *as* a library,

Use gpgme which has a maintained Python binding.

GnuPG is made up of several components which use the process barrier to
separate tasks.  In case you really have overhead problems invoking gpg
it is possible to modify gpg and gpgme to run gpg as a co-process (we
already use gpgsm this way).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
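The three command lines in the reply above (`gpg -u` for signing, `gpg -e -f` for encrypting to key files, and `gpgv --keyring` for verifying against a fixed set of keys) map onto the original question's four requirements. The following is an added Python example, not code from the thread or from the GnuPG project, showing how to drive them from Python the way the original poster wanted: keys stay in files under the application's control, nothing is imported into a GnuPG keyring, and verification is decided from gpgv's machine-readable `--status-fd` lines rather than its human-readable output. It assumes `gpg` 2.1+ (for `-f`/`--recipient-file`) and `gpgv` on PATH for the subprocess calls; the argv builders and the status parser run without them. The status text, key ids and fingerprint below are constructed sample data.

```python
"""Driving gpg/gpgv from Python without touching a GnuPG keyring.

Added example, not GnuPG project code. Assumes gpg 2.1+ and gpgv on PATH
for the subprocess parts; everything else is pure Python.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


def build_verify_command(keyring: str, signed_file: str,
                         detached_sig: Optional[str] = None) -> List[str]:
    """argv for `gpgv --keyring TRUSTEDKEYS FILETOVERIFY`.

    gpgv treats every key in the given keyring as trusted and consults no
    trustdb, so the content of that file is the entire trust decision
    (requirement 3: no web-of-trust levels involved). Status lines are
    requested on stderr so the caller can parse them reliably."""
    cmd = ["gpgv", "--batch", "--status-fd", "2", "--keyring", keyring]
    if detached_sig:
        cmd += [detached_sig, signed_file]  # signature first, then the data
    else:
        cmd.append(signed_file)             # inline or clearsigned message
    return cmd


def build_encrypt_command(recipient_files: List[str]) -> List[str]:
    """argv for `gpg --batch -e -f KEYFILE1 -f KEYFILE2`.

    Each -f (--recipient-file) names a file holding one public key to
    encrypt to, so keys never need importing into a keyring (requirement 2,
    multiple recipients included). Plaintext goes in on stdin."""
    cmd = ["gpg", "--batch", "--quiet", "-e"]
    for path in recipient_files:
        cmd += ["-f", path]
    return cmd


@dataclass
class VerifyResult:
    good: List[str] = field(default_factory=list)     # fingerprints (VALIDSIG)
    bad: List[str] = field(default_factory=list)      # key ids (BADSIG)
    missing: List[str] = field(default_factory=list)  # key ids (NO_PUBKEY)
    errors: List[str] = field(default_factory=list)   # other failure lines

    @property
    def ok(self) -> bool:
        """True only if at least one valid signature was seen and nothing
        failed. A single BADSIG or unknown key makes the whole input fail."""
        return bool(self.good) and not (self.bad or self.missing or self.errors)


def parse_status(stderr_text: str) -> VerifyResult:
    """Parse `[GNUPG:] KEYWORD args...` lines. Only these lines are a stable
    interface; the translated human-readable messages are skipped."""
    result = VerifyResult()
    for raw in stderr_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            result.good.append(args[0])     # 40-hex-digit fingerprint
        elif keyword == "BADSIG" and args:
            result.bad.append(args[0])
        elif keyword == "NO_PUBKEY" and args:
            result.missing.append(args[0])
        elif keyword in ("ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            result.errors.append(raw)       # signed, but not acceptable
    return result


def verify_file(keyring: str, signed_file: str,
                detached_sig: Optional[str] = None) -> VerifyResult:
    """Run gpgv and decide from its status lines (needs gpgv on PATH)."""
    proc = subprocess.run(build_verify_command(keyring, signed_file, detached_sig),
                          capture_output=True, text=True)
    result = parse_status(proc.stderr)
    if proc.returncode != 0 and result.ok:
        # Defensive: never report success when gpgv itself did not.
        result.errors.append(f"gpgv exit status {proc.returncode}")
    return result


# Constructed sample status output (not captured from a real run).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = f"""gpgv: Signature made Mon Oct 16 2017 (human-readable, ignored)
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG {SAMPLE_FPR} 2017-10-16 1508112000 0 4 0 1 8 00 {SAMPLE_FPR}
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>
"""

if __name__ == "__main__":
    print(build_verify_command("trusted.kbx", "msg.txt", "msg.txt.sig"))
    print("good sample ok:", parse_status(SAMPLE_GOOD).ok)
    print("bad sample ok:", parse_status(SAMPLE_BAD).ok)
```

The keyring handed to `gpgv --keyring` can be a plain file produced by `gpg --export` of exactly the keys the application currently considers acceptable, regenerated whenever the application's own key database changes, which is how the "feed GPG the keys it needs" idea from the original question is usually approximated without a custom keyring backend. Parsing only the `[GNUPG:]` lines matters because the human-readable text is localised and changes between versions; the `ok` property also refuses to accept input in which any signature fails, so a message carrying one good and one bad signature is rejected rather than half-trusted.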


Re: Key Storage Abstraction?

2017-10-15 Thread listo factor via Gnupg-users

On 10/15/2017 08:35 PM, Jamie H. via Gnupg-users wrote:
> ...I'd like to actually access GPG *as* a library, but all the tools
> I see seem to invoke GPG as a program and then operate on its standard
> output...


What you need is GPG as a pure crypto-engine; completely divorced from 
all key management and user interface functionality, so that both of 
these tasks can be performed by applications that are tailored to meet 
specific user population operational requirements.


This ("GPG crypto-engine" ?) would be a software package of significant 
general utility.


In addition to the requirements you outlined, I would add one more: it 
should abandon all attempts to protect the secrets (private key or 
plaintext) from other users and processes running on the computer on 
which it is running, and it should sacrifice the execution efficiency 
whenever it significantly impacts the code. This would reduce the 
complexity of the code, so that it could be more easily audited and made 
platform independent. Ideally, it would be BSD or similarly licensed, 
so that it could be included in source form in applications such as yours.



Key Storage Abstraction?

2017-10-15 Thread Jamie H. via Gnupg-users
Hello,

I've been looking for a way to provide GNUPGP with a custom implementation of a 
key ring, as I gather there is such a thing as WKS, but I cannot find any 
documentation on how I can implement this myself.

What I need from GPG is a tool that does this:

1.) Sign Messages with a private key (of my choosing)

2.) Encrypt messages with a public key (of my choosing)
  - ideally to multiple recipients.

3.) Verify a message was signed by whoever owns a public key I have.
  - I don't care about GPG's "Trust levels" and would like to disregard them.

4.) Decrypt messages using a private key that I specify.

If things go the way I'd like, there may be several of these operations taking 
place in parallel.

There may be thousands, or even millions of keys in my own database, I don't 
want to (and indeed, I would have to scrap the open source project) import 
anything into GPG's keyring. I don't particularly want to implement WKS, and if 
I did it would be read-only, I don't ever want PGP to "upload" anything or 
change the system in any way. The idea is, this application manages the keys 
(it needs to for other reasons not really related to GPG).

So, I'm looking for a way to just feed GPG the keys it needs when it needs 
them. It'd be nice if I could just give it a shell script that takes an 
argument (whatever key it's looking for) and GPG reads the key on its standard 
input, but that doesn't seem possible.

Any ideas? and any pointers on where I might look if I had to implement a 
subset of WKS?

Unrelated: This is in python, I see some GPG libraries, they all seem overly 
complicated, I'd like to actually access GPG *as* a library, but all the tools 
I see seem to invoke GPG as a program and then operate on its standard output. 
Is there a recommended python library that, perhaps, uses GPG in a way that's 
more efficient? Maybe as a server mode or something? (I'd like it if it were 
capable of processing, mostly "verify", dozens of messages per second, ideally) 

Thanks!

Jamie
