Postgres Pro
Downloads
Home   >   mailing lists

Announcement: libpkixpq 0.3 - with limited OpenPGP support - Mailing list pgsql-hackers

From Bear Giles
Subject Announcement: libpkixpq 0.3 - with limited OpenPGP support
Date
Msg-id 200201060824.BAA06946@eris.coyotesong.com
Whole thread Raw
List pgsql-hackers
Tree view 
In response to multiple requests, libpkixpq 0.3 includes limited
OpenPGP (RFC2440) support.  It is available for download at 
http://www.dimensional.com/~bgiles/.  It should not be downloaded
contrary to US export or local law.

(It's not like this RFC is difficult to implement - I've done this
work in less than a day while doing other things.)

The key changes are:

1) Base64 encoding:

Two functions are defined which are wrappers to the OpenSSL
Base64 routines:
 function base64_encode(text) returns text;
 function base64_decode(text) returns text;

2) Cryptographic hashes:

A new type is defined, HASH, which can hold a cryptographic
hash value.  The standard hash format is a colon delimited list
of hexadecimal values, e.g, 01:23:45:67:89:ab:cd:ef.

To generate a hash, you should use the function
 function digest(text data, text digest) returns hash;

You can get a base-64 encoded hash with
 function base64_encode(hash) returns text;

This is different than the function described above since
the hash is against the underlying binary data, not the hexadecimal
representation.

Finally, you can explicitly cast a hash to a text object with
 function text(hash) returns text;

3) OpenPGP encryption:

PRELIMINARY support for OpenPGP(RFC2440) encryption is
provided with one new data type, CIPHERTEXT, and two 
functions:
  function encrypt(text data, text passphrase) returns ciphertext;
  function decrypt(ciphertext data, text passphrase) returns text;

No encrypted keys are stored in the ciphertext object - at the
current time the only key supported is generated from the passphrase
by computing the MD5 hash of the passphrase, then using it as the
key to the blowfish cipher.  (The RFC specifies the IDEA cipher,
but it is problematic due to European patents.)

Compression is not yet currently supported.  (Should I use
zlib, or is does the backend provide its own compression 
library?)

The ciphertext is stored as binary data, but displayed in base64
encoding instead of the full OpenPGP armor.

IMPORTANT REMINDER: This is not production quality code, do
NOT use it to store credit card information in your database!

IMPORTANT REMINDER 2: This code is not interoperable with
PGP or GPG, although that would be an obvious long-term goal.


Announcement cc'd to crypt@bxa.doc.gov.

pgsql-hackers by date:

Previous
From: Bear Giles
Date:
Subject: JDBC: why is PGobject class instead of interface?
Next
From: Tom Lane
Date:
Subject: Re: (void *) with shmat