Re: gnome-keyring A couple of questions about Gnome Keyring



BTW, super sorry for the delayed response. I was away and am catching up
on things...

Groth Johan wrote:
> Thank you for your reply and I apologise for not supplying the web
> link. Here it is: http://live.gnome.org/GnomeKeyring/Cryptoki.
> 
> Perhaps I should describe the situation a bit more, i.e. what we are
> actually trying to do. We are going to write a user application that
> downloads certificates from a web server, then connects to
> gnome-keyring-daemon and asks it to store these certificates. What I'm
> having trouble finding out is where the certificate is stored
> (hopefully under ~/.gnome2/keyring), whether the store file is encrypted
> (hopefully yes) and, if it is, what encryption algorithm is used
> (hopefully AES)?

You can use the following command to import certificates into gnome-keyring:

gnome-keyring import /path/to/file

I use client certificates in this way with firefox, epiphany and
thunderbird. In addition the gnome-keyring SSH agent is implemented
using the same pkcs11 code.

However you'll find plenty of rough edges in this area of gnome-keyring.
There's a lot more work to complete.

The current focus for this release in gnome-keyring is on common
password storage between the KDE and GNOME Desktops, so this has slowed
the process on certificates and key storage.

> The security team told us that any algorithm that uses 128-bits keys
> or higher is acceptable so AES would be OK.

Yes, we encrypt the certificate keys when storing them:

http://git.gnome.org/cgit/gnome-keyring/tree/pkcs11/user-store/gck-user-private-key.c#n305

Currently we're writing keys using pkcs12 password hashing with a 3DES cipher
and SHA1 hash. This is done for compatibility. But if you feel we should
switch to another algorithm, post your reasons and we'll look into it.

Cheers,

Stef
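The "pkcs12 password hashing with a 3DES cipher and SHA1 hash" mentioned above is the PKCS#12 password-based key derivation (RFC 7292, Appendix B) used by the pbeWithSHAAnd3-KeyTripleDES-CBC scheme. The following is an added illustration written for this thread, not code from gnome-keyring or from the poster: a standard-library-only Python implementation of that derivation, showing how a password and salt are turned into the 24-byte 3DES key and 8-byte IV. The password, salt and iteration count used at the bottom are constructed sample values, not anything taken from gnome-keyring's files.

```python
import hashlib
import math


def bmp_string(password: str) -> bytes:
    """PKCS#12 hashes the password as a BMPString: UTF-16BE plus a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _fill(data: bytes, length: int) -> bytes:
    """Repeat `data` until it is `length` bytes long (empty input stays empty)."""
    if not data:
        return b""
    return (data * (length // len(data) + 1))[:length]


def pkcs12_kdf(password: bytes, salt: bytes, iterations: int, id_byte: int,
               n: int, hash_name: str = "sha1") -> bytes:
    """RFC 7292 Appendix B.2 key derivation.

    id_byte selects the purpose: 1 = encryption key, 2 = IV, 3 = MAC key.
    Returns the first n bytes of the derived material.
    """
    h = hashlib.new(hash_name)
    u = h.digest_size          # 20 for SHA-1
    v = h.block_size           # 64 for SHA-1
    D = bytes([id_byte]) * v   # "diversifier" block
    S = _fill(salt, v * math.ceil(len(salt) / v))
    P = _fill(password, v * math.ceil(len(password) / v))
    I = bytearray(S + P)
    out = b""
    for _ in range(math.ceil(n / u)):
        # A = H^iterations(D || I)
        A = hashlib.new(hash_name, D + bytes(I)).digest()
        for _ in range(iterations - 1):
            A = hashlib.new(hash_name, A).digest()
        out += A
        # I_j = (I_j + B + 1) mod 2^(8v) for each v-byte block of I
        B = int.from_bytes(_fill(A, v), "big")
        for j in range(len(I) // v):
            block = int.from_bytes(I[j * v:(j + 1) * v], "big")
            block = (block + B + 1) % (1 << (8 * v))
            I[j * v:(j + 1) * v] = block.to_bytes(v, "big")
    return out[:n]


def derive_3des_key_iv(password: str, salt: bytes, iterations: int):
    """Key and IV for pbeWithSHAAnd3-KeyTripleDES-CBC: 24-byte key (ID 1), 8-byte IV (ID 2)."""
    pw = bmp_string(password)
    key = pkcs12_kdf(pw, salt, iterations, 1, 24)
    iv = pkcs12_kdf(pw, salt, iterations, 2, 8)
    return key, iv


if __name__ == "__main__":
    # Constructed sample inputs; a real store would use a random salt.
    key, iv = derive_3des_key_iv("correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08", 2048)
    print("3DES key:", key.hex())
    print("IV:      ", iv.hex())
```

The derivation is deterministic in (password, salt, iteration count), so the salt and iteration count stored alongside the encrypted key are what make offline guessing cost the attacker work; the output lengths (24 and 8 bytes) are fixed by the 3DES-CBC scheme, not by the password.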

