OpenPGP Key Support #7551

Draft: wants to merge 3 commits into master

Conversation

Sam-Cordry

OpenPGP Key Support

Note: this is currently a draft PR, will be updated as progress and decisions are made.

Overview

I would like to implement OpenPGP key storage and related encryption features into FreeIPA. Started from Pagure Issue 9592.

Short feature list:

  • PGP Public Key Storage
  • escrow for PGP backup keys and encryption keys
  • support for PGP keys generated by hardware tokens (like Yubikeys)
  • basic keyserver functionality

Use Cases

Walk through one or more full examples of how the feature will be used. These should not all be the simplest cases.

How to Use

This is a starting point for design discussions.

Easy-to-follow instructions on how to use the new feature according to the use cases described above. A FreeIPA user needs to be able to follow the steps and demonstrate the new features.

The chapter may be divided in sub-sections per Use Case.

Design

This feature would require the following additions to LDAP schema.

dn: cn=schema
attributeTypes: (1.3.6.1.4.1.3401.8.2.8 NAME 'pgpBaseKeySpaceDN' DESC 'Points to DN of the object that will store the GPG keys' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.9 NAME 'pgpSoftware' DESC 'Origin of the schema' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.10 NAME 'pgpVersion' DESC 'Version of the schema' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.11 NAME 'pgpKey' DESC 'OpenPGP public key block' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.12 NAME 'pgpCertID' DESC 'OpenPGP long key id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.13 NAME 'pgpDisabled' DESC 'pgpDisabled attribute for PGP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.14 NAME 'pgpKeyID' DESC 'OpenPGP short key id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.15 NAME 'pgpKeyType' DESC 'pgpKeyType attribute for PGP' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.16 NAME 'pgpUserID' DESC 'User ID(s) associated with the key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributeTypes: (1.3.6.1.4.1.3401.8.2.17 NAME 'pgpKeyCreateTime' DESC 'Primary key creation time' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.18 NAME 'pgpSignerID' DESC 'pgpSignerID attribute for PGP' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributeTypes: (1.3.6.1.4.1.3401.8.2.19 NAME 'pgpRevoked' DESC 'pgpRevoked attribute for PGP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.20 NAME 'pgpSubKeyID' DESC 'OpenPGP long Subkey ID(s) of the PGP key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributeTypes: (1.3.6.1.4.1.3401.8.2.21 NAME 'pgpKeySize' DESC 'pgpKeySize attribute for PGP' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributeTypes: (1.3.6.1.4.1.3401.8.2.22 NAME 'pgpKeyExpireTime' DESC 'pgpKeyExpireTime attribute for PGP' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.11591.2.4.1.1 NAME 'gpgFingerprint' DESC 'Fingerprint of the primary key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.11591.2.4.1.2 NAME 'gpgSubFingerprint' DESC 'Fingerprints of the secondary keys' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributeTypes: (1.3.6.1.4.1.11591.2.4.1.3 NAME 'gpgMailbox' DESC 'The UTF-8 encoded addr-spec of a mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
objectClasses: (1.3.6.1.4.1.3401.8.2.23 NAME 'pgpServerInfo' DESC 'An OpenPGP public keyblock store' SUP top STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN ) MAY ( pgpSoftware $ pgpVersion ) )
objectClasses: (1.3.6.1.4.1.3401.8.2.24 NAME 'pgpKeyInfo' DESC 'An OpenPGP public keyblock' SUP top STRUCTURAL MUST ( pgpCertID $ pgpKey ) MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpSubKeyID $ pgpKeySize $ pgpKeyExpireTime $ gpgFingerprint $ gpgSubFingerprint $ gpgMailbox ) )

Implementation

This addition would not require any new dependencies or any new files in Backup and Restore.

Feature Management

UI

Add option under "Actions" dropdown for the entry of PGP keys and related information.

CLI

Note: This is not yet an extensive list and will be updated to reflect the most current proposal.

Command      Options
gpg-add      --user=Str
gpg-del      --user=Str
gpg-find     --user=Str
gpg-show     --user=Str
gpg-create   --user=Str

Configuration

Since storing private keys requires the use of vaults, KRA must be set up in order to store private keys, which is an optional feature.

Test plan

Test scenarios that will be transformed into test cases for FreeIPA Continuous Integration during the implementation or review phase. This can also be a link to the source in Pagure with the test, if appropriate.

Troubleshooting and debugging

The feature creates LDAP entries to store OpenPGP public keys and information about them, and relies upon them to fetch that same information on request.
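
The schema in the Design section fixes which identifiers a key entry carries but says nothing about checking that they agree with each other before the entry is written. The following is an added example, not code from this PR, FreeIPA or GnuPG: a small Python validator that parses an excerpt of the proposed attributeTypes/objectClasses (the pgpKeyInfo MAY list is shortened to the attributes the example uses), checks a candidate pgpKeyInfo entry against the MUST/MAY and SINGLE-VALUE constraints, and then applies the OpenPGP rule that a v4 long key ID is the low-order 64 bits of the fingerprint and the short key ID its low-order 32 bits (RFC 4880). The sample entry, its fingerprint and the armored block are constructed placeholders. For a keyserver the identifier check matters: an entry whose pgpCertID disagrees with its gpgFingerprint would answer key-ID lookups with a key block that does not belong to that ID.

```python
"""Consistency checks for a pgpKeyInfo entry against the proposed LDAP schema.
Added example, not FreeIPA or GnuPG code.  SCHEMA_LDIF is an excerpt of the PR's
attributeTypes/objectClasses (pgpKeyInfo MAY list shortened to the attributes
used here); the sample entry is constructed, not a real key."""
import re

SCHEMA_LDIF = """\
attributeTypes: (1.3.6.1.4.1.3401.8.2.11 NAME 'pgpKey' DESC 'OpenPGP public key block' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.12 NAME 'pgpCertID' DESC 'OpenPGP long key id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.14 NAME 'pgpKeyID' DESC 'OpenPGP short key id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributeTypes: (1.3.6.1.4.1.3401.8.2.16 NAME 'pgpUserID' DESC 'User ID(s) associated with the key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributeTypes: (1.3.6.1.4.1.11591.2.4.1.1 NAME 'gpgFingerprint' DESC 'Fingerprint of the primary key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
objectClasses: (1.3.6.1.4.1.3401.8.2.24 NAME 'pgpKeyInfo' DESC 'An OpenPGP public keyblock' SUP top STRUCTURAL MUST ( pgpCertID $ pgpKey ) MAY ( pgpKeyID $ pgpUserID $ gpgFingerprint ) )
"""

_NAME_RE = re.compile(r"NAME '([^']+)'")
_CLAUSE_RE = {"must": re.compile(r"MUST \(([^)]*)\)"), "may": re.compile(r"MAY \(([^)]*)\)")}
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
ARMOR_HEAD = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_TAIL = "-----END PGP PUBLIC KEY BLOCK-----"


def parse_schema(ldif):
    """Return (attrs, classes): attr -> {'single': bool}; class -> {'must', 'may'} sets.
    Names are lowercased because LDAP compares attribute names case-insensitively."""
    attrs, classes = {}, {}
    for line in ldif.splitlines():
        kind, _, body = line.partition(":")
        name = _NAME_RE.search(body)
        if not name:
            continue
        if kind == "attributeTypes":
            attrs[name.group(1).lower()] = {"single": "SINGLE-VALUE" in body}
        elif kind == "objectClasses":
            spec = {}
            for key, rx in _CLAUSE_RE.items():
                m = rx.search(body)
                spec[key] = {n.strip().lower() for n in m.group(1).split("$")} if m else set()
            classes[name.group(1).lower()] = spec
    return attrs, classes


def validate_entry(entry, attrs, classes):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    values = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in entry.items()}
    if "pgpkeyinfo" not in {v.lower() for v in values.pop("objectclass", [])}:
        return ["entry lacks objectClass pgpKeyInfo"]
    oc = classes["pgpkeyinfo"]
    allowed = oc["must"] | oc["may"]

    # Structural checks: MUST attributes present, no attribute outside MUST/MAY,
    # SINGLE-VALUE attributes carry exactly one value.
    for name in sorted(oc["must"] - values.keys()):
        problems.append(f"missing MUST attribute {name}")
    for name, vals in values.items():
        if name not in allowed:
            problems.append(f"attribute {name} not permitted by pgpKeyInfo")
        elif attrs[name]["single"] and len(vals) != 1:
            problems.append(f"{name} is SINGLE-VALUE but has {len(vals)} values")

    # OpenPGP identifier checks (RFC 4880 section 12.2): for a v4 key the long
    # key ID is the low-order 64 bits of the 160-bit fingerprint and the short
    # key ID is the low-order 32 bits, so the three stored identifiers must agree.
    cert_id = values.get("pgpcertid", [""])[0]
    if not (len(cert_id) == 16 and _HEX_RE.match(cert_id)):
        problems.append("pgpCertID must be 16 hex digits (long key id)")
    key_id = values.get("pgpkeyid", [None])[0]
    if key_id is not None and key_id.upper() != cert_id[-8:].upper():
        problems.append("pgpKeyID does not match the low 32 bits of pgpCertID")
    fpr = values.get("gpgfingerprint", [None])[0]
    if fpr is not None:
        if not (len(fpr) == 40 and _HEX_RE.match(fpr)):
            problems.append("gpgFingerprint must be 40 hex digits (v4 fingerprint)")
        elif fpr[-16:].upper() != cert_id.upper():
            problems.append("pgpCertID does not match the low 64 bits of gpgFingerprint")

    # The stored key block must at least be an ASCII-armored public key block.
    block = values.get("pgpkey", [""])[0]
    if not (block.startswith(ARMOR_HEAD) and block.rstrip().endswith(ARMOR_TAIL)):
        problems.append("pgpKey is not an ASCII-armored public key block")
    return problems


# Constructed sample entry: made-up fingerprint, placeholder armored block.
SAMPLE_ENTRY = {
    "objectClass": ["top", "pgpKeyInfo"],
    "pgpCertID": "89ABCDEF01234567",
    "pgpKeyID": "01234567",
    "gpgFingerprint": "0123456789ABCDEF0123456789ABCDEF01234567",
    "pgpUserID": ["Example User <user@example.test>"],
    "pgpKey": f"{ARMOR_HEAD}\n\nbWFkZS11cC1wbGFjZWhvbGRlcg==\n{ARMOR_TAIL}\n",
}


def check_sample():
    """Validate SAMPLE_ENTRY against the parsed schema; [] when consistent."""
    attrs, classes = parse_schema(SCHEMA_LDIF)
    return validate_entry(SAMPLE_ENTRY, attrs, classes)
```

Running check_sample() on the constructed entry returns an empty list; changing pgpKeyID to a value that is not the low 32 bits of pgpCertID, or dropping the pgpKey attribute, produces a problem line naming the offending attribute. In a real deployment the same check would run in the server-side command before the add, and the key block itself would additionally be parsed so that the stored fingerprint is computed from the key rather than taken from the caller.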

abbra (Contributor) commented Oct 2, 2024

@Sam-Cordry thank you for this PR. I have a few general comments before looking at the code:

  • could you please combine all changes to the LDAP schema to a single commit? Also add information about the origin of the schema (e.g. "LDAP schema comes from GnuPG source, doc/ldap/gnupg-ldap-schema.ldif", etc)
  • Please do not put anything into cn=config. It is not replicated and is not readable to external LDAP users unless they use cn=Directory Manager permissions. We should never require that.

For the ipa pgp command, please consider both client and server side. I think instead of adding a skeleton now, it is better to focus on a design document in doc/designs/ first -- see other documents there; doc/designs/passkeys.md was one of the recently added features that introduced a new user-visible field and commands. See

It would be good in that design document to cover the concepts of what and how it is expected to work with GPG keys. You started well with this PR's description, but that content needs to be in doc/designs/gpg.md (for example). Don't forget to add it to doc/designs/index.rst so it is included in the generated documentation. The latter will be handled by the CI -- see details for the docs/readthedocs.org:freeipa CI check.

Finally, please do a rebase, not merge, of upstream tree. We do not want merge commits in the PR.
