Authorize a key to issue EPTs (notes from successful EpointSystem tests)
Létrehoztunk egy nyilvános tesztkulcsot:
pub 1024R/674B5D29 2009-11-01 Key fingerprint = FC10 B1E9 24AD 5549 5199 3822 6441 204D 674B 5D29 testissuer (test issuer) <test@issuer.com>
akinek joga van 800000 EPT-t kibocsátani a teszt-szerveren (mert az /updateAI?A=... parancsot már a master kulccsal aláírva lefuttattuk). JÁTSSZATOK VELE, TESZTELJÉTEK !
- A teljes kulcspárt megtaláljátok a File Galleries/Pénz/EpointSystemIssuerTest01.zip fileban (csak regisztrált felhasználók látják). A passhphrase "test".
- jegyzetek ugyanott. Pl. a file-ok formátumáról, mi hogyan bocsátottunk ki, lásd Emit.notes, egyébként ezen oldal alapján csináltuk, és az EpointSystem specifikáció alapján.
*.PUB: public key
*.FPR: key fingerprint
ISSUER.*: the issuer's key
ROOT.*: the issuer's authorization master key
USER.*: the user's key (who wants to create EPTs)
The steps in general:
- (optional) create new keypair, or secret and it's SHA1 hash
- format the command
- urlencode the command. This step should not be needed before --clearsign. But it is always needed (likely historical reasons). This cgi is useful.
- optional: encrypt it with the issuer server's public key. This should be possible (needed for some commands if the channel is not secure, eg http instead of https) but we were NOT able to. Negotiations / investigation needed. For some commands this is not needed even in production
- gpg -a --clearsign
- send to server. We created this simple form
First USER.PUB is added to the trusted keys of the server. Then the /emit rights are granted to USER by making him Authorized Issuer with the updateAI command:
/updateAI?A=$USER.FPR&KEY=$USER.PUB&H=$AMOUNT&K=$ISSUER.FPR
for example:
/updateAI?A=D608EDEE172CE6450E24DAC47C673E22147387FF&KEY=-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.2 (MingW32)
mIsESpQmoAEEALkOs9DeDv02NY1tOSGbuChsNGOlLNikpQvDIGagxHc48l3K730Y
UtiZ4XW2ny493zoGf+UZ7uyq689VIzPXcH2SvEJyJ8Xa5a4a0ubhcjeWxpq4FYaB
NHyKOh5HHWso7e5WxSl1pxlhk2HJRp+z5y3GHWS/Nb3AKtXKr645uKLnAAYptCZG
ZWxmwpRsZGkgWnNvbHQgPHpzZmVsZm9sZGlAZ21haWwuY29tPoi0BBMBAgAeBQJK
lCagAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEHxnPiIUc4f/WHgD/RDMuRKK
gYPIf2PL4mU+yT/p/m0/xSJHEas1U1yau5O1pBgP+8gm407agqWFcWxIUR/IRe8Y
SuH6lo41eN14d1zSAydx/8W21YUrAR7s+soO5TER5sV44An0r/VxCG2lnK686eBI
tx7zf1Ly5vPr9myZJaz5ZPuKLeZUvbd6hVCs
=G4Sx
-----END PGP PUBLIC KEY BLOCK-----&H=1000000&K=01F5EF6BD69B23F7115CC83894953D7D7E309FBF
We URL-encode the command: (I used http://meyerweb.com/eric/tools/dencoder/ for this purpose)
%2FupdateAI%3FA%3DD608EDEE172CE6450E24DAC47C673E22147387FF%26KEY%3D-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AVersion%3A%20GnuPG%20v1.2.2%20(MingW32)%0A%0AmIsESpQmoAEEALkOs9DeDv02NY1tOSGbuChsNGOlLNikpQvDIGagxHc48l3K730Y%0AUtiZ4XW2ny493zoGf%2BUZ7uyq689VIzPXcH2SvEJyJ8Xa5a4a0ubhcjeWxpq4FYaB%0ANHyKOh5HHWso7e5WxSl1pxlhk2HJRp%2Bz5y3GHWS%2FNb3AKtXKr645uKLnAAYptCZG%0AZWxmwpRsZGkgWnNvbHQgPHpzZmVsZm9sZGlAZ21haWwuY29tPoi0BBMBAgAeBQJK%0AlCagAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEHxnPiIUc4f%2FWHgD%2FRDMuRKK%0AgYPIf2PL4mU%2ByT%2Fp%2Fm0%2FxSJHEas1U1yau5O1pBgP%2B8gm407agqWFcWxIUR%2FIRe8Y%0ASuH6lo41eN14d1zSAydx%2F8W21YUrAR7s%2BsoO5TER5sV44An0r%2FVxCG2lnK686eBI%0Atx7zf1Ly5vPr9myZJaz5ZPuKLeZUvbd6hVCs%0A%3DG4Sx%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----%26H%3D1000000%26K%3D01F5EF6BD69B23F7115CC83894953D7D7E309FBF
Then sign is with the ROOT key:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
%2FupdateAI%3FA%3DD608EDEE172CE6450E24DAC47C673E22147387FF%26KEY%3D-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AVersion%3A%20GnuPG%20v1.2.2%20(MingW32)%0A%0AmIsESpQmoAEEALkOs9DeDv02NY1tOSGbuChsNGOlLNikpQvDIGagxHc48l3K730Y%0AUtiZ4XW2ny493zoGf%2BUZ7uyq689VIzPXcH2SvEJyJ8Xa5a4a0ubhcjeWxpq4FYaB%0ANHyKOh5HHWso7e5WxSl1pxlhk2HJRp%2Bz5y3GHWS%2FNb3AKtXKr645uKLnAAYptCZG%0AZWxmwpRsZGkgWnNvbHQgPHpzZmVsZm9sZGlAZ21haWwuY29tPoi0BBMBAgAeBQJK%0AlCagAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEHxnPiIUc4f%2FWHgD%2FRDMuRKK%0AgYPIf2PL4mU%2ByT%2Fp%2Fm0%2FxSJHEas1U1yau5O1pBgP%2B8gm407agqWFcWxIUR%2FIRe8Y%0ASuH6lo41eN14d1zSAydx%2F8W21YUrAR7s%2BsoO5TER5sV44An0r%2FVxCG2lnK686eBI%0Atx7zf1Ly5vPr9myZJaz5ZPuKLeZUvbd6hVCs%0A%3DG4Sx%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----%26H%3D1000000%26K%3D01F5EF6BD69B23F7115CC83894953D7D7E309FBF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQFK6jMKmnvWv5gdiYMRAp8qAKCZh6nnJrfLRsY1A+/Wtc+GHNKd8gCgkVql
t3sqGaUOjUzuU689O8ZckXg=
=t8D1
-----END PGP SIGNATURE-----
Finally we post it as a secureMessage command to the server. This can be done by URL-encoding it again and posting M=<message> to http://epoint.vems.hu:8180/letsTest/secureMessage. For more convenience I've created a small html file:
<form action="http://epoint.vems.hu:8180/letsTest/secureMessage" method="post">
<p><textarea name="M" rows="20" cols="66"></textarea></p>
<p><input type="reset" value="T÷rlΘs"><input type="submit" value="Felt÷ltΘs"></p>
</form>
"M=" is not needed here, just copy/paste the message WITHOUT URL-encoding it (the browser does this for us) and press upload.
We receive an "OK" message if the action was successful. As a result, the database will have a new record:
select ukey,fingerprint,publickey,publickeyids,emissionlimitlowerbound,emissionlimitupperbound,balance,hasnotaryrights from authorizedIssuer ;.
Issuing new EPTs
The /emit command works like this: (it is carried out and signed by the USER, not ROOT like above)
/emit?D=<SHA1 hash of the binary RAND of the newly created EPTs>&F=<amount>&K=<ISSUER.FPR>
note:
- the specification does not mention the K parameter but it is needed now
- D is SHA1 hash of the binary RAND of the newly created EPTs. It is NOT the fingerprint of the issuing key (might be misleading in the zip examples). The server knows the issuer from the --clearsign signature "envelope".
Example:
/emit?D=800BCBAD370B7EED51EEB22C10DA7850B77E8786&F=200&K=01F5EF6BD69B23F7115CC83894953D7D7E309FBF
Then USER signs it (url-encoding doesn't seem necessary):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
/emit?D=800BCBAD370B7EED51EEB22C10DA7850B77E8786&F=200&K=01F5EF6BD69B23F7115CC83894953D7D7E309FBF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iQCVAwUBSuo0zXxnPiIUc4f/AQJodAQApo/FRNKLhoxWoG98oPsmcP+7TTKHNLdj
IIk2+4JHPRw8rz9nGe9V7f4fm9llndVI9N7g4Loi8JLueeYJnYLidM+fxlNFFg0d
rW3YEumzoAbuY+ASnv/DW3Np/TiHDRNVb+2+PEHlw3vKrmqWFo85FihvmPDupUXk
/AJda8/KNOg=
=cYj7
-----END PGP SIGNATURE-----
and posts the secureMessage like above.
Finding when a RAND was used:
- http://www.epointsystem.org/issuer/info?ID=ed4d955b4efe32ca913e2245c0c2558ca6044692&USED=true
- shows the certificate when the given MD (ID) was used (exchanged). The certificate includes the RAND: SCBo+VLARBqd
- verify: echo SCBo+VLARBqd | ./GenHash.sh