RPM Community Forums

Mailing List Message of <rpm-users>

Re: RPM support for x509 format

From: Jeffrey Johnson <n3npq@me.com>
Date: Tue 03 Feb 2015 - 11:04:10 CET
Message-id: <8EDC7A9F-E838-4EBC-8441-E9C4A3104D06@me.com>

> On Feb 2, 2015, at 6:51 AM, srinivasan j v <srinivasanjvs8@gmail.com> wrote:
> 
> Hello all,
> 
> Does RPM support x509 format?
> 

Short answer: No.

All depends on what is meant by “support”.

RPM crypto is/was based on BeeCrypt which has no dependency on format.
(These days NSS/OpenSSL/libgcrypt/libtomcrypt are also used algorithmically
with no dependence on format, either OpenPGP/X509).

There is a parser for OpenPGP format that extracts parameters from
pubkeys and signatures, can calculate a fingerprint given OpenPGP
public key packets, and can handle base64 armor with CRC checks.

Equivalently functional parser/fingerprint/armor would be needed for
X509 certificates and signatures.

The harder problems have to do with verifying pubkey certification signatures
and revocations and keyservers and CA certs and other associated semantics.

The underlying signature algorithms are of course identical.

> RPM has signatures in PGP format, are there any conversion utilities available between X509 and PGP formats?
> 

Inter-converting OpenPGP <-> X509 signatures is non-trivial because
of differences of how the pubkey fingerprint (in the signature) is
defined. There isn’t a one-to-one mapping of the data items within
the differing pubkey formats, and so fingerprints (which are digests on plaintext)
cannot be trivially interconverted.

The monkeysphere project likely has some certificate interconversion utilities too.

There have been attempts to do X509 -> OpenPGP conversions
on pubkeys/privkeys. E.g. PGP (but not gnupg) can do the conversions
since 2005. So one could redefine the macro that invokes an external
helper to use PGP and achieve some semblance of “support” (caveat: untested).

However these days RPM generates a non-repudiable signature
on every package in every build using 5 different libraries. The
format happens to be OpenPGP, but the non-repudiable signature
need not be imported/exported/configured outside of RPM itself.

The better approach to using X509 (and also OpenPGP) tools
external to RPM would be generating/verifying a certification signature
on the non-repudiable pubkey/signature material that RPM generates,
rather than implementing X509 parallel to OpenPGP throughout RPM.

JMHO, YMMV.

73 de Jeff
Received on Tue Feb 3 12:05:31 2015
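
The point in the message about fingerprints not mapping one-to-one between the two pubkey formats, as an added example (not part of the original message and not RPM code). It hashes the same RSA parameters as an OpenPGP v4 public key packet (RFC 4880) and as a DER SubjectPublicKeyInfo, the key-only part of an X.509 certificate; the toy modulus and timestamps are constructed, and a full certificate fingerprint would additionally cover issuer, validity and signature.

```python
import hashlib

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def openpgp_v4_fingerprint(n: int, e: int, created: int) -> str:
    """SHA-1 over 0x99 || 2-byte length || v4 public key packet body."""
    # Body: version 4, creation time, algorithm 1 (RSA), then the MPIs.
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    length = len(content)
    if length < 0x80:
        header = bytes([length])
    else:
        raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + header + content

def der_int(n: int) -> bytes:
    """DER INTEGER for a non-negative value (adds 0x00 if the top bit is set)."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

# AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")

def x509_spki_digest(n: int, e: int) -> str:
    """SHA-1 over the DER SubjectPublicKeyInfo holding the same RSA key."""
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    spki = der(0x30, RSA_ALGID + der(0x03, b"\x00" + rsa_pub))
    return hashlib.sha1(spki).hexdigest()

# Constructed toy key (product of two Mersenne primes); far too small for real use.
N, E = (2**127 - 1) * (2**89 - 1), 65537

if __name__ == "__main__":
    print("OpenPGP v4, created=1422957850:", openpgp_v4_fingerprint(N, E, 1422957850))
    print("OpenPGP v4, created=1422957851:", openpgp_v4_fingerprint(N, E, 1422957851))
    print("X.509 SPKI digest:             ", x509_spki_digest(N, E))
```

The OpenPGP fingerprint changes with the creation timestamp, a field the X.509 key encoding does not carry, so neither digest can be derived from the other without the original key material and metadata.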