
Mailing List Archive: GnuPG: devel

cacheid and preset_passphrase



bjk at luxsci

Aug 1, 2008, 7:22 PM

Post #1 of 6 (259 views)
Permalink
cacheid and preset_passphrase

I have a couple of questions about gpg-agent. First, how do I determine
an unused cache ID? Another application may be using a specified cache
ID and I wouldn't want to meddle with it or retrieve an invalid value.

Second, is there an equivalent PRESET_PASSPHRASE to update an existing
cache ID rather than a key grip?

--
Benjamin J. Kibbey bjk[at]luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel[at]gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


bjk at luxsci

Aug 6, 2008, 5:16 PM

Post #2 of 6 (232 views)
Permalink
Re: cacheid and preset_passphrase [In reply to]

On Fri, Aug 01, 2008 at 10:22:20PM -0400, Ben Kibbey wrote:
> I have a couple of questions about gpg-agent. First, how do I determine
> an unused cache ID? Another application may be using a specified cache
> ID and I wouldn't want to meddle with it or retrieve an invalid value.
>
> Second, is there an equivalent PRESET_PASSPHRASE to update an existing
> cache ID rather than a key grip?

Anyone working on gpg-agent have comments about this? I could write a
patch if whoever is maintaining gpg-agent is willing to include it. I
need this feature for my app which doesn't use a key grip. I'd rather
use gpg-agent and not my own pinentry method because it's well tested
and probably more secure.

--
Benjamin J. Kibbey bjk[at]luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E



wk at gnupg

Aug 6, 2008, 11:42 PM

Post #3 of 6 (227 views)
Permalink
Re: cacheid and preset_passphrase [In reply to]

On Thu, 7 Aug 2008 02:16, bjk[at]luxsci.net said:

> On Fri, Aug 01, 2008 at 10:22:20PM -0400, Ben Kibbey wrote:
>> I have a couple of questions about gpg-agent. First, how do I determine
>> an unused cache ID? Another application may be using a specified cache
>> ID and I wouldn't want to meddle with it or retrieve an invalid value.

The cache ID is currently just a hash and as such there is virtually no
chance that you get into problems. Well, unless you assign several
passphrases to a keygrip.

>> Second, is there an equivalent PRESET_PASSPHRASE to update an existing
>> cache ID rather than a key grip?

As of now any hex string will do as cache ID.

> Anyone working on gpg-agent have comments about this? I could write a
> patch if whoever is maintaining gpg-agent is willing to include it. I
> need this feature for my app which doesn't use a key grip. I'd rather

There is definitely room to extend the caching system. My idea would be
to use namespaces in the form of:

gnupg:hexdigits

foo:any_kind_of_string_without_spaces_or_control_characters.

That is pretty simple and implementation will be pretty easy. I won't
object to a command creating a new cache ID, however a cache ID created
by the client from a timestamp and some other data should always work.

Just let me know and I will implement it; you may also send a patch as long as
you do the FSF paperwork.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.




bjk at luxsci

Aug 7, 2008, 3:30 AM

Post #4 of 6 (226 views)
Permalink
Re: cacheid and preset_passphrase [In reply to]

On Thu, Aug 07, 2008 at 08:42:55AM +0200, Werner Koch wrote:
> On Thu, 7 Aug 2008 02:16, bjk[at]luxsci.net said:
>
> > On Fri, Aug 01, 2008 at 10:22:20PM -0400, Ben Kibbey wrote:
> >> I have a couple of questions about gpg-agent. First, how do I determine
> >> an unused cache ID? Another application may be using a specified cache
> >> ID and I wouldn't want to meddle with it or retrieve an invalid value.
>
> The cache ID is currently just a hash and as such there is virtually no
> chance that you get into problems. Well, unless you assign several
> passphrases to a keygrip.

What I'm trying to do is use gpg-agent to cache a passphrase with the
GET_PASSPHRASE command. The command needs a cache ID to use but how do I
know I won't overwrite an existing cache ID that was previously used by
the command?

>
> >> Second, is there an equivalent PRESET_PASSPHRASE to update an existing
> >> cache ID rather than a key grip?
>
> As of now any hex string will do as cache ID.

I was meaning to update a cache ID that was used with GET_PASSPHRASE.
For example, to change a passphrase associated with a cache ID.
Something like SET_PASSPHRASE <cache id> <hex string>.

--
Benjamin J. Kibbey bjk[at]luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E



wk at gnupg

Aug 7, 2008, 7:46 AM

Post #5 of 6 (228 views)
Permalink
Re: cacheid and preset_passphrase [In reply to]

On Thu, 7 Aug 2008 12:30, bjk[at]luxsci.net said:

> What I'm trying to do is use gpg-agent to cache a passphrase with the
> GET_PASSPHRASE command. The command needs a cache ID to use but how do I
> know I won't overwrite an existing cache ID that was previously used by

Then you need your own namespace.

> For example, to change a passphrase associated with a cache ID.
> Something like SET_PASSPHRASE <cache id> <hex string>.

This command may be used:

PRESET_PASSPHRASE <hexstring_with_keygrip> <timeout> <hexstring>

Set the cached passphrase/PIN for the key identified by the keygrip
to passwd for the given time, where -1 means infinite and 0 means
the default (currently only a timeout of -1 is allowed, which means
to never expire it). If passwd is not provided, ask for it via the
pinentry module.


The only problem is that it checks that the first argument is actually a
hexstring. So it is not usable right now for you.

My proposal is to allow an arbitrary string instead of
hexstring_with_keygrip. The only required code change should be for
this command. The other commands CLEAR_PASSPHRASE and GET_PASSPHRASE
should accept any string as a cache ID.

You would then use

<myapp>:<astring_without_space>

Do not use GNUPG or similar for <myapp>. For example: To cache a login
passphrase for user "joe", use this cache ID:

GNOMOVISION:login_joe

It is really up to you.

Ah well, we need to implement a default timeout.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
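
The namespaced cache ID scheme proposed in the message above, as an added example that is not part of the original thread or of GnuPG's code: it validates `<myapp>:<string>` IDs, derives a unique ID from a timestamp plus other data, and builds the agent request lines. The function names and the exact set of reserved namespaces are assumptions made for illustration.

```python
import hashlib
import os
import re
import time
from urllib.parse import quote_plus

# Namespaces left to GnuPG itself ("GNUPG or similar"); this set is an assumption.
RESERVED_NAMESPACES = {"gnupg", "gpg", "gpg-agent"}
# No whitespace or control characters; the namespace part also excludes ':'.
_NAMESPACE_RE = re.compile(r"[^\s\x00-\x1f\x7f:]+")
_NAME_RE = re.compile(r"[^\s\x00-\x1f\x7f]+")


def make_cache_id(app, name):
    """Return '<app>:<name>' or raise ValueError if it breaks the proposed rules."""
    if not _NAMESPACE_RE.fullmatch(app):
        raise ValueError("namespace must not contain spaces, control characters or ':'")
    if app.lower() in RESERVED_NAMESPACES:
        raise ValueError("namespace is reserved for GnuPG")
    if not _NAME_RE.fullmatch(name):
        raise ValueError("name must not contain spaces or control characters")
    return f"{app}:{name}"


def unique_cache_id(app, context, now=None, nonce=None):
    """Client-generated ID built from a timestamp and some other data."""
    now = time.time() if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    material = str(now).encode() + nonce + context.encode()
    return make_cache_id(app, hashlib.sha256(material).hexdigest()[:40])


def _escape(text):
    # Arguments are percent-plus escaped; a single 'X' requests the agent default.
    return text if text == "X" else quote_plus(text)


def get_passphrase_line(cache_id, prompt="X", description="X"):
    """Request line: GET_PASSPHRASE <cache_id> <error> <prompt> <description>."""
    return f"GET_PASSPHRASE {cache_id} X {_escape(prompt)} {_escape(description)}"


def clear_passphrase_line(cache_id):
    """Request line that drops the cached entry for this ID."""
    return f"CLEAR_PASSPHRASE {cache_id}"
```

The returned lines are what a client would send over the agent's Assuan socket, for instance through `gpg-connect-agent`.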




bjk at luxsci

Aug 7, 2008, 4:41 PM

Post #6 of 6 (225 views)
Permalink
Re: cacheid and preset_passphrase [In reply to]

On Thu, Aug 07, 2008 at 04:46:14PM +0200, Werner Koch wrote:

[...]

> My proposal is to allow an arbitrary string instead of
> hexstring_with_keygrip. The only required code change should be for
> this command. The other commands CLEAR_PASSPHRASE and GET_PASSPHRASE
> should accept any string as a cache ID.
>
> You would then use
>
> <myapp>:<astring_without_space>
>
> Do not use GNUPG or similar for <myapp>. For example: To cache a login
> passphrase for user "joe", use this cache ID:
>
> GNOMOVISION:login_joe

This is what I need. This would be great to have added. Thanks for the
help.

--
Benjamin J. Kibbey bjk[at]luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E
