few questions about PGP key rings


few questions about PGP key rings

Lou Wynn

Hi,

I've written part of my first BC application, and I have a few questions about using PGP key rings. I've attached a test program to the email to better illustrate my questions.

1. I create a PGPPublicKeyRingCollection instance and add two key rings in it at line 71 and 107. I can import the output key ring file PublicRing.pkr into GnuPG key ring, but the public key of the encryption subkey is missing. The output is as follows:

$ gpg2 --import PublicRing.pkr
gpg: key A2E69E5F: public key "id" imported
gpg: key A907F032: public key "id" imported
gpg: key E414A6EB: no user ID
gpg: Total number processed: 3
gpg:               imported: 2
gpg: no ultimately trusted keys found


It seems that the output file does contain three keys, but for some reason the E414A6EB subkey is not imported. I can verify it with gpg2 --list-sigs output.

However, if I create a PGPSecretKeyRing object at line 106 and import it with GPG, I can import the subkey.

I spent some time to trace through the code but failed to find a clue to fix it.


2. Current secret and public key ring constructors that accept a list are protected. I found it convenient to use them if they are public as demoed at line 106. The code works with my compiled org.bouncycastle.openpgp package. Is there any concern to make them public?

There might be better ways to do the things that I'd like to do between lines 76-108. I feel a little awkward creating keys first, then creating certificates, and then updating the keys, although it seems logical. I would appreciate it if someone could show me, or point me in some direction, how to do this in one pass.


3. What's the best way to use a single password to protect a key ring collection? I'd like to use a single password to protect all master secret keys it contains. I assume that I can do this by adding a secret key ring without password protection into a key ring collection and then encrypting the output of the key ring collection with a PBE method. But I want to reuse the salted and iterated password protection mechanism in BC. Any suggestion on this?


4. Is it possible in BC to export a secret subkey without revealing the secret part of the master key? Something like in GnuPG with the --export-secret-subkeys option:


   The second form of the command has the special property to render the
   secret part of the primary key useless; this is a GNU extension to
   OpenPGP and other implementations can not be expected to successfully
   import such a key. Its intended use is to generate a full key with
   an additional signing subkey on a dedicated machine and then using
   this command to export the key without the primary key to the main
   machine.

--
Thanks,
Lou

Attachment: PublicRing.java (5K)

Re: few questions about PGP key rings

Lou Wynn

I figured out what went wrong with my first question. In PGP's key system, I should not have signed a subkey. Only the master key can be signed.

Can someone help answer questions 2, 3, and 4?

Thanks very much,


On 01/02/2017 03:53 PM, Lou Wynn wrote:
-- 
Thanks,
Lou
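The following is an added example, not Lou's attached PublicRing.java and not code from the Bouncy Castle project itself. It shows the structure the reply above arrives at for question 1 (the master key carries the user ID certification; the subkey is only bound to the master by a subkey-binding signature and is never certified on its own), uses BC's public PGPKeyRingGenerator API so the protected list constructors from question 2 are not needed, and for question 3 uses one PBESecretKeyEncryptor with BC's salted-and-iterated S2K to protect every secret key in the ring, plus PGPSecretKeyRing.copyWithNewPassword to re-protect an existing ring under a single passphrase. The class name, user ID, passphrases and the output path PublicRing.pkr are assumptions; it requires a BC release with the jcajce operator classes (bcprov and bcpg on the classpath).

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;
import java.util.Iterator;

import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
import org.bouncycastle.bcpg.sig.KeyFlags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.*;
import org.bouncycastle.openpgp.operator.jcajce.*;

public class KeyRingExample { // hypothetical class name, not the poster's PublicRing.java

    // Salted-and-iterated S2K protection: AES-256 keyed from the passphrase via SHA-256,
    // coded count 0x60 (= 65536 iterations). One instance protects every key in a ring.
    static PBESecretKeyEncryptor encryptor(char[] pass) throws PGPException {
        PGPDigestCalculator sha256 = new JcaPGPDigestCalculatorProviderBuilder().build().get(HashAlgorithmTags.SHA256);
        return new JcePBESecretKeyEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256, sha256, 0x60)
                .setProvider("BC").build(pass);
    }

    // Master (certify+sign) plus encryption subkey in one pass. The generator certifies the
    // user ID on the master key and binds the subkey with a 0x18 signature from the master;
    // the subkey carries no user ID and is never certified directly.
    static PGPKeyRingGenerator generator(String userId, char[] pass) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        PGPKeyPair master = new JcaPGPKeyPair(PublicKeyAlgorithmTags.RSA_GENERAL, kpg.generateKeyPair(), new Date());
        PGPKeyPair encSub = new JcaPGPKeyPair(PublicKeyAlgorithmTags.RSA_GENERAL, kpg.generateKeyPair(), new Date());

        PGPSignatureSubpacketGenerator masterPcks = new PGPSignatureSubpacketGenerator();
        masterPcks.setKeyFlags(false, KeyFlags.CERTIFY_OTHER | KeyFlags.SIGN_DATA);
        PGPSignatureSubpacketGenerator subPcks = new PGPSignatureSubpacketGenerator();
        subPcks.setKeyFlags(false, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE);

        PGPDigestCalculator sha1 = new JcaPGPDigestCalculatorProviderBuilder().build().get(HashAlgorithmTags.SHA1);
        PGPKeyRingGenerator gen = new PGPKeyRingGenerator(
                PGPSignature.POSITIVE_CERTIFICATION, master, userId, sha1, masterPcks.generate(), null,
                new JcaPGPContentSignerBuilder(master.getPublicKey().getAlgorithm(), HashAlgorithmTags.SHA256)
                        .setProvider("BC"),
                encryptor(pass));
        gen.addSubKey(encSub, subPcks.generate(), null);
        return gen;
    }

    // Structural check for what gpg --import needs: a master key carrying a user ID, and each
    // subkey bound by a subkey-binding signature that verifies under that master key.
    static void checkRing(PGPPublicKeyRing ring) throws Exception {
        PGPPublicKey master = ring.getPublicKey();
        if (!master.isMasterKey() || !master.getUserIDs().hasNext())
            throw new IllegalStateException("first key must be a master key with a user ID");
        JcaPGPContentVerifierBuilderProvider verifier = new JcaPGPContentVerifierBuilderProvider().setProvider("BC");
        for (Iterator<?> keys = ring.getPublicKeys(); keys.hasNext();) {
            PGPPublicKey key = (PGPPublicKey) keys.next();
            if (key.isMasterKey()) continue;
            boolean bound = false;
            for (Iterator<?> sigs = key.getSignaturesOfType(PGPSignature.SUBKEY_BINDING); sigs.hasNext();) {
                PGPSignature sig = (PGPSignature) sigs.next();
                sig.init(verifier, master);
                bound |= sig.getKeyID() == master.getKeyID() && sig.verifyCertification(master, key);
            }
            if (!bound)
                throw new IllegalStateException("subkey " + Long.toHexString(key.getKeyID()) + " has no valid binding signature");
        }
    }

    // Re-protect an existing ring so all of its secret keys share one passphrase (question 3).
    static PGPSecretKeyRing changePassphrase(PGPSecretKeyRing ring, char[] oldPass, char[] newPass) throws PGPException {
        PBESecretKeyDecryptor dec = new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(oldPass);
        return PGPSecretKeyRing.copyWithNewPassword(ring, dec, encryptor(newPass));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        char[] pass = "constructed-sample-passphrase".toCharArray();
        PGPKeyRingGenerator gen = generator("Example User <user@example.invalid>", pass);
        PGPPublicKeyRing pub = gen.generatePublicKeyRing();
        PGPSecretKeyRing sec = gen.generateSecretKeyRing();
        checkRing(pub);
        try (OutputStream out = new FileOutputStream("PublicRing.pkr")) {
            pub.encode(out); // binary ring; import with: gpg2 --import PublicRing.pkr
        }

        char[] newPass = "constructed-new-passphrase".toCharArray();
        PBESecretKeyDecryptor dec = new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(newPass);
        for (Iterator<?> it = changePassphrase(sec, pass, newPass).getSecretKeys(); it.hasNext();) {
            PGPSecretKey sk = (PGPSecretKey) it.next();
            sk.extractPrivateKey(dec); // throws PGPException if the new passphrase does not unlock this key
        }
        System.out.println("master key " + Long.toHexString(pub.getPublicKey().getKeyID()) + " written and verified");
    }
}
```

Because the subkey is bound rather than certified, gpg2 --import on the resulting PublicRing.pkr should list it under the master key instead of as a separate "no user ID" entry; checkRing rejects any ring where a subkey lacks a binding signature that verifies under the master, which is the situation the first question ran into. The single encryptor also means there is no need to wrap the whole collection in a second PBE layer: BC's per-key S2K protection already covers every secret key with the one passphrase.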