OpenPGP Key Support #7551

Draft
wants to merge 7 commits into
base: master
@Sam-Cordry Sam-Cordry commented Oct 1, 2024

OpenPGP Key Support

Overview

Implementation of OpenPGP key storage and related encryption features.

Short feature list:

  • PGP Public Key Storage
  • escrow for PGP backup keys and encryption keys
  • support for PGP keys generated by hardware tokens
  • basic keyserver functionality

Use Cases

  • The administrator or the user registers a public PGP key into IPA, associated with a user account. The registration process validates the public key in case of erroneous input.
  • The user can register a private PGP key into IPA, associated with a user account and inaccessible to parties excluding the user the key is associated with.
  • The user can use a registered private PGP key associated with their account to sign certificates and binaries.
  • The administrator or the user can enroll a hardware token, creating a public and a private key associated with a user.

How to Use

Registering Public PGP Key

  • The administrator or the user provides a public PGP key to be associated with a user account. This can be done as a part of user account creation or after as an addition to an existing account.
  • User accounts may have multiple public PGP keys associated with them.

Registering Private PGP Key

  • The user provides a private key to be associated with a user account.

Enrolling Hardware Token

  • The administrator or the user can enroll a hardware token, generating a public and private key associated with a user account.

Design

dn: cn=schema
attributeTypes: (1.3.6.1.4.1.3401.8.2.11 NAME 'pgpKey' DESC 'OpenPGP public key block' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

objectClasses: (1.3.6.1.4.1.3401.8.2.25 NAME 'ipaPgpGroupOfPubKeys' ABSTRACT MAY pgpKey)
objectClasses: (1.3.6.1.4.1.3401.8.2.26 NAME 'ipaPgpUser' SUP ipaPgpGroupOfPubKeys AUXILIARY)

Implementation

This feature does not require any new dependencies or any new files in Backup and Restore.

Feature Management

UI

This feature adds a multi-valued PGP key field to user management pages, similar to how SSH keys are presented and managed through the UI.

CLI

Additional flags added to some of the user-* subcommands and new commands are necessary to allow for signing and enrolling hardware tokens.

Command       (Additional) Options
user-add      --pgppubkey=STR
user-mod      --pgppubkey=STR
pgp-enroll
pgp-sign

Configuration

KRA must be set up for PGP private key storage, escrow, and recovery.

Test plan

Test scenarios that will be transformed to test cases for FreeIPA Continuous Integration during implementation or review phase. This can also be a link to the source in Pagure with the test, if appropriate.

  • Key is valid and parsed correctly
  • Key is invalid, raising a ValueError
  • Key is invalid,
  • Key is changed by a user with proper permissions, operation succeeds
  • Key is changed by a user without the proper permissions, operation fails

Troubleshooting and debugging

This feature creates LDAP entries to store OpenPGP public keys.
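
An added example, not code from this PR or from FreeIPA: a structural check of the kind the "validates the public key" use case and the `ValueError` test scenarios above describe. The function names, the accepted key versions (4 and 6) and the sample bytes are assumptions; key material and self-signatures are not verified.

```python
import base64
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Armor raw packets; used here only to build the constructed sample."""
    body = base64.b64encode(data).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, "=" + check, END])

def validate_pgp_pubkey(text: str) -> int:
    """Return the leading packet's key version; raise ValueError otherwise
    (b64decode's binascii.Error on malformed input is itself a ValueError)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        raise ValueError("not an armored OpenPGP public key block")
    payload = lines[lines.index("") + 1:-1]   # armor headers end at the blank line
    crc_line = payload.pop() if payload and payload[-1].startswith("=") else None
    data = base64.b64decode("".join(payload), validate=True)
    if crc_line is not None:                  # the checksum line is optional
        want = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        if want != crc24(data):
            raise ValueError("armor CRC-24 mismatch")
    if len(data) < 3 or not data[0] & 0x80:
        raise ValueError("no OpenPGP packet header")
    new_format = bool(data[0] & 0x40)
    tag = data[0] & 0x3F if new_format else (data[0] & 0x3C) >> 2
    if tag != 6:
        raise ValueError(f"leading packet has tag {tag}, expected 6 (public key)")
    if new_format:   # one, two or five length octets; partial lengths rejected
        hdr = 2 if data[1] < 192 else 3 if data[1] < 224 else 6 if data[1] == 255 else 0
    else:            # old format: length type in the low two bits
        hdr = {0: 2, 1: 3, 2: 5}.get(data[0] & 0x03, 0)
    if not hdr or len(data) <= hdr or data[hdr] not in (4, 6):
        raise ValueError("truncated packet or unsupported key version")
    return data[hdr]
# Constructed sample: an old-format tag-6 header and six body octets, not a real key.
SAMPLE = armor(bytes([0x98, 0x06, 0x04, 0, 0, 0, 0, 0x16]))
```
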

Contributor

abbra commented Oct 2, 2024

@Sam-Cordry thank you for this PR. I have a few general comments before looking at the code:

  • could you please combine all changes to the LDAP schema to a single commit? Also add information about the origin of the schema (e.g. "LDAP schema comes from GnuPG source, doc/ldap/gnupg-ldap-schema.ldif", etc)
  • Please do not put anything into cn=config. It is not replicated and is not readable to external LDAP users unless they use cn=Directory Manager permissions. We should never require that.

For the ipa pgp command, please consider both client and server side. I think instead of adding a skeleton now, it is better to focus on a design document in doc/designs/ first -- see other documents there, doc/designs/passkeys.md was one of the recently added features that introduced a new user-visible field and commands. See

It would be good in that design document to cover concepts of what and how it is expected to work with GPG keys. You started well with this PR's description but that content needs to be in doc/designs/gpg.md (for example). Don't forget to add it to doc/designs/index.rst to be included into generated documentation. The latter will be handled by the CI -- see details for docs/readthedocs.org:freeipa CI check.

Finally, please do a rebase, not a merge, of the upstream tree. We do not want merge commits in the PR.
