public inbox for cygwin@cygwin.com
* gpg ca-cert-file=[which file???]
From: Lee @ 2017-07-15 19:04 UTC (permalink / raw)
  To: cygwin

It seems a bit silly to be downloading pgp keys 'in the clear', so
after a bit of searching I think I want
  keyserver hkps://whatever
in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
at least over an encrypted channel.  But what file should I be using
as the ca-cert file?

What I ended up doing is
$ cd /etc
$ find . -name \*pem
./pki/ca-trust/extracted/pem
./pki/ca-trust/extracted/pem/email-ca-bundle.pem
./pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
./pki/ca-trust/extracted/pem/tls-ca-bundle.pem
./pki/tls/cert.pem

and trying each file until I finally got one that worked:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://pgp.mit.edu/
keyserver-options check-cert=on
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

$ gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <codesign@isc.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57


Is there a better/more-correct file to use for the ca-cert-file= parameter?

How hard would it be to add hkps:// usage examples to the default gpg.conf file?

Thanks,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: gpg ca-cert-file=[which file???]
From: Jim Garrison via cygwin @ 2017-07-15 20:34 UTC (permalink / raw)
  To: cygwin

On 7/15/2017 11:40 AM, Lee wrote:
> It seems a bit silly to be downloading pgp keys 'in the clear', so
> after a bit of searching I think I want
>   keyserver hkps://whatever

Public keys are intended to be public. Why do you think you need
to encrypt them when downloading?


-- 
Jim Garrison (jhg@acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88


* Re: gpg ca-cert-file=[which file???]
From: Lee @ 2017-07-15 23:07 UTC (permalink / raw)
  To: jhg, Jim Garrison, cygwin

On 7/15/17, Jim Garrison wrote:
> On 7/15/2017 11:40 AM, Lee wrote:
>> It seems a bit silly to be downloading pgp keys 'in the clear', so
>> after a bit of searching I think I want
>>   keyserver hkps://whatever
>
> Public keys are intended to be public. Why do you think you need
> to encrypt them when downloading?

I had wireshark running when I got a new key via hkp:// and it was
straight http.  What does that open me up to?  I dunno, but it seems
like using TLS would be better than clear-text http.

So while I don't need to encrypt the public key when downloading, I do
want to have some confidence that the key I requested is the key I
got, that the server I specified is the server gpg was talking to,
that nothing was modified in transit, etc.


This is what got me started on the topic:
https://lists.torproject.org/pipermail/tor-project/2017-July/001289.html

What can I do to reduce the chances of getting a fake key?
 - keyid-format 0xlong
 - use hkps:// and check the cert (keyserver-options check-cert=on)
 - what else?

Regards,
Lee


* Re: gpg ca-cert-file=[which file???]
From: René Berber @ 2017-07-16  4:56 UTC (permalink / raw)
  To: cygwin

On 7/15/2017 1:40 PM, Lee wrote:

[snip]
> in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
> at least over an encrypted channel.  But what file should I be using
> as the ca-cert file?

You should be using the "system" files.

On Cygwin that means installing the ca-certificates package (currently
version 2.14-1).  They are installed in a location where the SSL package
expects them; you don't have to go look for them, and shouldn't need to
specify their location (a directory) in your gpg.conf.

[snip]
> $ grep "^keyserver" ~/.gnupg/gpg.conf
> keyserver hkps://pgp.mit.edu/
> keyserver-options check-cert=on
> keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

Wrong cert actually, I don't know why you say it worked.

The cert that should have matched is the one used by the key server, not
by you.
-- 
R. Berber



* Re: gpg ca-cert-file=[which file???]
From: Lee @ 2017-07-16  5:14 UTC (permalink / raw)
  To: cygwin

On 7/15/17, René Berber wrote:
> On 7/15/2017 1:40 PM, Lee wrote:
>
> [snip]
>> in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
>> at least over an encrypted channel.  But what file should I be using
>> as the ca-cert file?
>
> You should be using the "system" files.
>
> On Cygwin that means installing the ca-certificates package (currently
> version 2.14-1).  They are installed in a location where the SSL package
> expects them, you don't have to go look for them, and shouldn't need to
> specify its location (a directory) on your gpg.conf

Where does the ca-certificates package put the certs?  gpg didn't find them :(
$ cygcheck -c ca-certificates
Cygwin Package Information
Package              Version        Status
ca-certificates      2.14-1         OK


>> $ grep "^keyserver" ~/.gnupg/gpg.conf
>> keyserver hkps://pgp.mit.edu/
>> keyserver-options check-cert=on
>> keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
>
> Wrong cert actually, I don't know why you say it worked.

Because it did work.

I didn't have the public key needed to verify the package, so gpg
--verify would complain about
gpg: Can't check signature: public key not found

gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify ...
would complain about various things - I didn't save any of the error msgs
until I finally hit on the combination of
  keyserver hkps://pgp.mit.edu/
  keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
in my gpg.conf, at which point gpg verified the file.

and I no longer have the 'public key not found' problem:
$ gpg --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57

> The cert that should have matched is the one used by the key server, not
> by you.

I'm guessing the "keyserver-options ca-cert-file=" needs to be
pointing at the ca-certificate package root store - but damnifiknow
where it is :(

Lee


* Re: gpg ca-cert-file=[which file???]
From: René Berber @ 2017-07-16  8:07 UTC (permalink / raw)
  To: cygwin

On 7/15/2017 11:56 PM, Lee wrote:
[snip]
> I'm guessing the "keyserver-options ca-cert-file=" needs to be
> pointing at the ca-certificate package root store - but damnifiknow
> where it is :(

https://cygwin.com/cgi-bin2/package-cat.cgi?file=x86_64%2Fca-certificates%2Fca-certificates-2.14-1&grep=cacert

That lists what is being installed, and where.

The tls-ca-bundle files contain the root certificates.
-- 
R. Berber



* Re: gpg ca-cert-file=[which file???]
From: Lee @ 2017-07-16 17:16 UTC (permalink / raw)
  To: cygwin

On 7/16/17, René Berber wrote:
> On 7/15/2017 11:56 PM, Lee wrote:
> [snip]
>> I'm guessing the "keyserver-options ca-cert-file=" needs to be
>> pointing at the ca-certificate package root store - but damnifiknow
>> where it is :(
>
> https://cygwin.com/cgi-bin2/package-cat.cgi?file=x86_64%2Fca-certificates%2Fca-certificates-2.14-1&grep=cacert
>
> That lists what is being installed, and where.
>
> The tls-ca-bundle files contain the root certificates.

Thanks - that gets me a bit further down the rabbit hole.

I used
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

which the ca-certificates bundle shows as a 0 byte file pointing to
  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
which is also a 0 byte file??

but there are several README files, so let's take a look
/etc/pki/ca-trust/extracted/pem/README
  Distrust information cannot be represented in this file format,
  and distrusted certificates are missing from these files.

  oops. distrusted certs are missing, so I probably don't want to use
  keyserver-options ca-cert-file=/etc/pki/tls/cert.pem


/etc/pki/ca-trust/source/README
  Please refer to the update-ca-trust(8) manual page for additional information.

  ok... man update-ca-trust
  FILES
     /etc/pki/tls/certs/ca-bundle.trust.crt
        Classic filename, file contains a list of CA certificates in
        the extended BEGIN/END TRUSTED CERTIFICATE file format,
        which includes trust (and/or distrust) flags specific to
        certificate usage. This file is a symbolic link that refers
        to the consolidated output created by the update-ca-trust command.

cool.. that sounds like what I want
  /etc/pki/tls/certs/ca-bundle.trust.crt is a link to
    /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
so let's fix my gpg.conf:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://pgp.mit.edu/
keyserver-options check-cert=on
keyserver-options ca-cert-file=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

temporarily remove my list of public keys
$ mv ~/.gnupg/pubring.gpg ~/.gnupg/orig-pubring.gpg

start wireshark & give it a try
$ gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc
gpg: keyring `/home/Lee/.gnupg/pubring.gpg' created
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <codesign@isc.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57

yay!  I got the public key using TLS

$ cd /etc/pki/ca-trust/extracted/openssl
$ grep DigiNotar ca-bundle.trust.crt
# Explicitly Distrust DigiNotar Cyber CA
# Explicitly Distrust DigiNotar Cyber CA 2nd
# Explicitly Distrust DigiNotar Root CA
# Explicitly Distrust DigiNotar Services 1024 CA
# Explicitly Distrusted DigiNotar PKIoverheid
# Explicitly Distrusted DigiNotar PKIoverheid G2

yay!

$ grep CNNIC ca-bundle.trust.crt
# CNNIC ROOT

oops..

https://wiki.mozilla.org/CA/Additional_Trust_Changes
  CNNIC
  Mozilla currently recommends not trusting any certificates issued by
this CA after 1st April 2015. This covers two roots in our store -
"CNNIC ROOT" and "China Internet Network Information Center EV
Certificates Root".

back to man update-ca-trust
... and I'm lost :(

It looks like there's some certs in
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't
want to trust.. but how to tell which ones & how to set
distrust/blacklist trust flags on them?  or maybe I need to copy them
to /etc/pki/ca-trust/source/blacklist/ ???

Anyone have any pointers on how to distrust certs in
ca-bundle.trust.crt (assuming that _is_ the file I should be using) or
even how to show exactly what's in there?
$ grep "#" ca-bundle.trust.crt
 shows lots of comments but
$ openssl x509  -in ca-bundle.trust.crt -noout -subject -dates
 just shows me the first cert :(

Thanks
Lee


* Re: gpg ca-cert-file=[which file???]
From: René Berber @ 2017-07-16 21:07 UTC (permalink / raw)
  To: cygwin

On 7/16/2017 11:38 AM, Lee wrote:

[snip]
>   ok... man update-ca-trust
>   FILES
>      /etc/pki/tls/certs/ca-bundle.trust.crt
>         Classic filename, file contains a list of CA certificates in
> the extended BEGIN/END TRUSTED CERTIFICATE file format,
>         which includes trust (and/or distrust) flags specific to
> certificate usage. This file is a symbolic link that refers
>         to the consolidated output created by the update-ca-trust command.
[snip]
> It looks like there's some certs in
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't
> want to trust.. but how to tell which ones & how to set
> distrust/blacklist trust flags on them?  or maybe I need to copy them
> to /etc/pki/ca-trust/source/blacklist/ ???
> 
> Anyone have any pointers on how to distrust certs in
> ca-bundle.trust.crt (assuming that _is_ the file I should be using) or
> even how to show exactly what's in there?
> $ grep "#" ca-bundle.trust.crt
>  shows lots of comments but
> $ openssl x509  -in ca-bundle.trust.crt -noout -subject -dates
>  just shows me the first cert :(

You should refer to the package announcement, and direct any questions
about the package (not about its use) to its maintainer.

As I understand it, the package is just a bundle of the files distributed by
Mozilla (which is the maintainer of the root certs).  For questions
about those files, their contents, or their use... refer to Mozilla.

Actually Mozilla distributes one file, which is then processed to create
all the files that you see.

The link you show to Mozilla about the trust on CNNIC also points out
that the exception is made in code (i.e. hard-coded), and if you look
above it clearly states: "The status of whether a root is approved to
issue EV certificates or not is stored in PSM rather than certdata.txt",
this certdata.txt is precisely the file I'm talking about above, so
don't expect any of those Extended Validation changes to be present (and
you can ask Mozilla why they do it in code, instead of in the certs).
-- 
R. Berber



* Re: gpg ca-cert-file=[which file???]
From: Lee @ 2017-07-17 13:40 UTC (permalink / raw)
  To: cygwin

On 7/16/17, René Berber wrote:
> On 7/16/2017 11:38 AM, Lee wrote:
>
> [snip]
>>   ok... man update-ca-trust
>>   FILES
>>      /etc/pki/tls/certs/ca-bundle.trust.crt
>>         Classic filename, file contains a list of CA certificates in
>> the extended BEGIN/END TRUSTED CERTIFICATE file format,
>>         which includes trust (and/or distrust) flags specific to
>> certificate usage. This file is a symbolic link that refers
>>         to the consolidated output created by the update-ca-trust
>> command.
> [snip]
>> It looks like there's some certs in
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't
>> want to trust.. but how to tell which ones & how to set
>> distrust/blacklist trust flags on them?  or maybe I need to copy them
>> to /etc/pki/ca-trust/source/blacklist/ ???
>>
>> Anyone have any pointers on how to distrust certs in
>> ca-bundle.trust.crt (assuming that _is_ the file I should be using) or
>> even how to show exactly what's in there?
>> $ grep "#" ca-bundle.trust.crt
>>  shows lots of comments but
>> $ openssl x509  -in ca-bundle.trust.crt -noout -subject -dates
>>  just shows me the first cert :(
>
> You should refer to the package announcement, and direct any questions
> about the package (not about its use) to its maintainer.

I came across this when looking for the ca-certificates package announcement:
  https://cygwin.com/ml/cygwin/2013-05/msg00385.html
it's from 2013:
    It has been brought to my attention that gnutls does not seem to be
    configured to use ca-certificates by default. This can be enabled by
    adding --with-default-trust-store-file=/usr/ssl/certs/ca-bundle.crt to
    configure flags

I'm still not clear about which trust store I should be using -
ca-bundle.crt or ca-bundle.trust.crt

> As I understand the package is just a bundle of the files distributed by
> Mozilla (which is the maintainer of the root certs).  For questions
> about those files, its contents, or its use... refer to Mozilla.

As far as I can tell, Mozilla thinks using their trust store for
anything other than firefox is out of scope - e.g.:
  https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/NHW4JA6xoAY
    mozilla.dev.security.policy ›
    Configuring Graduated Trust for Non-Browser Consumption


> Actually Mozilla distributes one file, which is then processed to create
> all the files that you see.
>
> The link you show to Mozilla about the trust on CNNIC also points out
> that the exception is made in code (i.e. hard-coded), and if you look
> above it clearly states: "The status of whether a root is approved to
> issue EV certificates or not is stored in PSM rather than certdata.txt",
> this certdata.txt is precisely the file I'm talking about above, so
> don't expect any of those Extended Validation changes to be present (and
> you can ask Mozilla why they do it in code, instead of in the certs).

I don't care about EV right now.  I don't want to trust any
certificate issued by CNNIC & a few other CAs.  How do I do that?

Thanks
Lee


* Re: gpg ca-cert-file=[which file???]
From: Lee @ 2017-07-18 18:19 UTC (permalink / raw)
  To: cygwin

On 7/17/17, Lee  wrote:
>
> I don't care about EV right now.  I don't want to trust any
> certificate issued by CNNIC & a few other CAs.  How do I do that?

I didn't realize just how big a can of worms I'd opened.  But I'm
close enuf to where I wanted to be that I'm done for now.

https://bugzilla.redhat.com/show_bug.cgi?id=873373#c3
  Feedback from people who know would be good.

Which is why I've been so verbose - I was hoping for feedback from
Someone Who Knows :)

My code auditor skillz leave much to be desired, so my gpg.conf now has
  keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.crt
  ## keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.trust.crt
  ##   ca-bundle.crt       = trusted root certs
  ##   ca-bundle.trust.crt = trusted root certs + explicitly UNtrusted
root certs
  ## does gpg check the trust bits in the certs??? need to figure that out
  ## before using ca-bundle.trust.crt

To see all the certificates in a bundle:
$ ./listcerts.sh | head -5
subject= /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
subject= /CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
subject= /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
subject= /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis
Authentication Root CA
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP
Network/CN=AddTrust External CA Root

$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle
# Print the subject of every certificate in a PEM bundle: collect each
# BEGIN...END block and pipe it to openssl x509 one certificate at a time,
# since openssl x509 on its own only reads the first block in a file.

FILE="/etc/pki/tls/certs/ca-bundle.crt"
# FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"

awk -v cmd="openssl x509 -noout -subject" '
/^-----BEGIN/ { c = $0; next }
{ c = c "\n" $0 }
/^-----END/   { print c | cmd; close(cmd); c = "" }
' "$FILE"

# use cmd="openssl x509 -noout -text" instead
#  to see all the certificate info

$

to blacklist a cert - in this case
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

- find the specific cert in the bundle
- extract just that cert and save it to a file
- verify you extracted the right cert
$ openssl x509 -noout -text -in ~/t/CNNIC.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1228079105 (0x49330001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
        Validity
            Not Before: Apr 16 07:09:14 2007 GMT
            Not After : Apr 16 07:09:14 2027 GMT
        Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
        Subject Public Key Info:
  <.. snip ..>

- copy the cert to /etc/pki/ca-trust/source/blacklist
$ mv ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/

- update the trust db
$ update-ca-trust

- verify the untrusted cert has been blacklisted:
$ ./listcerts.sh | grep CNNIC

- make an oopsie?
$ mv /etc/pki/ca-trust/source/blacklist/CNNIC.pem ~/t
$ update-ca-trust
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

Regards,
Lee
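Two questions stay open at the end of the thread: how to see exactly what is in ca-bundle.trust.crt, and what the "trust bits" in its TRUSTED CERTIFICATE blocks actually say. The listcerts.sh above shows subjects only, because openssl x509 prints the certificate and silently drops the trailer. The following is an added example, not code from this thread, from the ca-certificates package or from p11-kit: a stdlib-only Python inspector that splits a PEM bundle, fingerprints each certificate, reads its subject straight out of the DER, and decodes the OpenSSL CertAux structure that follows the certificate inside a "BEGIN TRUSTED CERTIFICATE" block. The CertAux layout used here (trust SEQUENCE OF OID, reject [0] IMPLICIT SEQUENCE OF OID, alias UTF8String) is OpenSSL's x509 aux format; the OID names are the standard RFC 5280 ones and are an assumption, as is the synthetic sample bundle constructed inline at the bottom, which contains no real CA. Whether gpg's keyserver helper honours the reject list is the question the thread leaves unanswered; this only makes the flags visible.

```python
"""Inspect a PEM CA bundle and decode the OpenSSL CertAux trust/reject trailer."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# Assumption: standard RFC 5280 / OpenSSL names; unknown OIDs are shown dotted.
OID_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection",
             "2.5.29.37.0": "anyExtendedKeyUsage", "2.5.4.3": "CN", "2.5.4.6": "C",
             "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, value) pairs of the TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def oid_name(value):
    """DER OBJECT IDENTIFIER contents -> known name or dotted string."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                              # base-128 arcs, high bit = more
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    dotted = ".".join(arcs)
    return OID_NAMES.get(dotted, dotted)

def cert_subject(cert_der):
    """Certificate -> tbsCertificate -> subject, returned as {attr: value}."""
    tbs = children(children(children(cert_der)[0][1])[0][1])
    if tbs[0][0] != 0xA0:                            # v1 certs omit the [0] version
        tbs.insert(0, (0xA0, b""))
    out = {}          # tbs order: version, serial, sigAlg, issuer, validity, subject
    for _, rdn in children(tbs[5][1]):               # SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            out[oid_name(oid)] = val.decode("utf-8", "replace")
    return out

def parse_cert_aux(aux_der):
    """OpenSSL CertAux: trust SEQ OF OID, reject [0] IMPLICIT SEQ OF OID, alias UTF8String."""
    info = {"trust": [], "reject": [], "alias": None}
    for tag, val in children(children(aux_der)[0][1]):
        if tag in (0x30, 0xA0):                      # reject list = the distrust mark
            info["trust" if tag == 0x30 else "reject"] = [
                oid_name(v) for t, v in children(val) if t == 0x06]
        elif tag == 0x0C:
            info["alias"] = val.decode("utf-8", "replace")
    return info

def parse_bundle(text):
    """One dict per PEM block: type, subject, SHA-256 fingerprint, flags, raw pem."""
    entries = []
    for m in PEM_BLOCK.finditer(text):
        label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
        _, _, cert_end = read_tlv(der, 0)            # the Certificate TLV comes first
        e = {"type": label, "subject": cert_subject(der[:cert_end]), "pem": m.group(0),
             "sha256": hashlib.sha256(der[:cert_end]).hexdigest(),
             "trust": [], "reject": [], "alias": None}
        if label == "TRUSTED CERTIFICATE" and cert_end < len(der):
            e.update(parse_cert_aux(der[cert_end:]))  # CertAux follows the cert
        entries.append(e)
    return entries

# Constructed sample bundle: synthetic certs, short-form DER lengths (< 128) only.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _oid(dotted):                                    # every arc used here is < 128
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))
def _cert(cn):
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))
    validity = _tlv(0x30, _tlv(0x17, b"070416070914Z") + _tlv(0x17, b"270416070914Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, _oid("1.2.3.4")) + name + validity + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, _oid("1.2.3.4")) + _tlv(0x03, b"\x00"))
def _pem(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der).decode(), label)

SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", _cert("Plain Root"))
    + _pem("TRUSTED CERTIFICATE", _cert("Trusted Root") + _tlv(0x30,
           _tlv(0x30, _oid("1.3.6.1.5.5.7.3.1")) + _tlv(0x0C, b"Trusted Root")))
    + _pem("TRUSTED CERTIFICATE", _cert("Distrusted Root") + _tlv(0x30,
           _tlv(0xA0, _oid("2.5.29.37.0")) + _tlv(0x0C, b"Distrusted Root"))))
```

To run it against the real store, call parse_bundle(open("/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt").read()) and print each entry's subject, trust and reject lists. An entry whose reject list contains anyExtendedKeyUsage is one the bundle explicitly distrusts for every purpose, and its "pem" field is the block you would save under the blacklist source directory before running update-ca-trust. The plain ca-bundle.crt carries no CertAux trailer at all, so on that file every entry comes back with empty trust and reject lists, which is the concrete difference between the two files the last message asks about.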

