11.3.2 OpenPGP Authentication Guile Example

GnuTLS allows users to authenticate using OpenPGP certificates. The relevant procedures are provided by the (gnutls extra) module. Using OpenPGP-based authentication is not more complicated than using anonymous authentication. It requires a bit of extra work, though, to import the OpenPGP public and private key of the client/server. Key import is omitted here and is left as an exercise to the reader (see Importing OpenPGP Keys Guile Example).

Assuming some-socket is bound to an open socket port and pub and sec are bound to the client's OpenPGP public and secret key, respectively, client-side code would look like this:

     ;; Client-side.
     (use-modules (gnutls) (gnutls extra))   ; OpenPGP procedures live in (gnutls extra)
     
     (define %certs (list certificate-type/openpgp))
     
     (let ((client (make-session connection-end/client))
           (cred   (make-certificate-credentials)))
       (set-session-default-priority! client)
     
       ;; Choose OpenPGP certificates.
       (set-session-certificate-type-priority! client %certs)
     
       ;; Prepare appropriate client credentials.
       (set-certificate-credentials-openpgp-keys! cred pub sec)
       (set-session-credentials! client cred)
     
       ;; Specify the underlying transport socket.
       (set-session-transport-fd! client (fileno some-socket))
     
       (handshake client)
       (write "hello, world!" (session-record-port client))
       (bye client close-request/rdwr))

Similarly, server-side code would be along these lines:

     ;; Server-side.
     (use-modules (gnutls) (gnutls extra))   ; OpenPGP procedures live in (gnutls extra)
     
     (define %certs (list certificate-type/openpgp))
     
     (let ((server (make-session connection-end/server))
           (rsa    (make-rsa-parameters 1024))
           (dh     (make-dh-parameters 1024)))
       (set-session-default-priority! server)
     
       ;; Choose OpenPGP certificates.
       (set-session-certificate-type-priority! server %certs)
     
       (let ((cred (make-certificate-credentials)))
         ;; Prepare credentials with RSA and Diffie-Hellman parameters.
         (set-certificate-credentials-dh-parameters! cred dh)
         (set-certificate-credentials-rsa-export-parameters! cred rsa)
         (set-certificate-credentials-openpgp-keys! cred pub sec)
         (set-session-credentials! server cred))
     
       (set-session-transport-fd! server (fileno some-socket))
     
       (handshake server)
       (let ((msg (read (session-record-port server))))
         (format #t "received: ~a~%" msg)
     
         (bye server close-request/rdwr)))

In practice, generating RSA parameters (and Diffie-Hellman parameters) can take a long time. Thus, you may want to generate them once and store them in a file for future re-use (see pkcs1-export-rsa-parameters and pkcs1-import-rsa-parameters).
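One way to do that caching, as an added example that is not part of the GnuTLS manual: a helper that imports the parameters from a PEM file when it exists and otherwise generates them once and writes the file. It assumes Guile 2.x (where the u8vector returned by the export procedures is also an R6RS bytevector usable with put-bytevector), the x509-certificate-format/pem constant for the format argument, and pkcs3-export-dh-parameters / pkcs3-import-dh-parameters as the Diffie-Hellman counterparts of the PKCS#1 procedures named above; the file names are constructed.

```scheme
(use-modules (gnutls)
             (rnrs io ports))   ; put-bytevector, get-bytevector-all (assumed Guile 2.x)

;; Return parameters cached in FILE, generating and saving them on first use.
;; GENERATE is a thunk; EXPORT-PROC and IMPORT-PROC are the matching
;; pkcs1-*/pkcs3-* procedures.  Assumption: both take the format constant
;; x509-certificate-format/pem as their second argument.
(define (cached-parameters file generate export-proc import-proc)
  (if (file-exists? file)
      (call-with-input-file file
        (lambda (port)
          (import-proc (get-bytevector-all port) x509-certificate-format/pem)))
      (let ((params (generate)))
        (call-with-output-file file
          (lambda (port)
            (put-bytevector port (export-proc params x509-certificate-format/pem))))
        params)))

;; Key sizes follow the manual's server example; the parameters are public
;; values, so the cache files need no special protection.
(define (load-rsa-parameters file)
  (cached-parameters file
                     (lambda () (make-rsa-parameters 1024))
                     pkcs1-export-rsa-parameters
                     pkcs1-import-rsa-parameters))

(define (load-dh-parameters file)
  (cached-parameters file
                     (lambda () (make-dh-parameters 1024))
                     pkcs3-export-dh-parameters      ; assumed name
                     pkcs3-import-dh-parameters))    ; assumed name

;; Drop-in replacement for the `rsa' and `dh' bindings of the server example:
;; only the first run pays the generation cost.
(define (server-parameters)
  (let ((rsa (load-rsa-parameters "rsa-params.pem"))   ; constructed file name
        (dh  (load-dh-parameters  "dh-params.pem")))   ; constructed file name
    (values rsa dh)))
```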