Socket interface to Curve25519 ECDH from an OpenPGP card.
Project description
OpenPGP Card X25519 Agent
Socket interface to Curve25519 ECDH from an OpenPGP card, using the SSH agent protocol. It's intended to be used with the OpenPGP Card WireGuard Go client, allowing a WireGuard private key to be stored on an OpenPGP card.
See the OpenPGP Card WireGuard Guide for a complete walkthrough of installation and usage of both agent and client.
Development
Prerequisites
Requires Python 3.8 or newer, and the pcsc-lite daemon.
Install prerequisites on Debian with the following packages:
apt install gcc libpcsclite-dev make pcscd python3-dev python3-venv swig
Or on Fedora:
dnf install findutils gcc make pcsc-lite pcsc-lite-devel python3-devel swig
Set up dev env
-
Create a virtualenv with pyenv:
pyenv virtualenv 3.8.16 openpgpcard-x25519-agent -
Activate the virtualenv:
pyenv local openpgpcard-x25519-agent -
Install tox:
pip install tox -
Install pre-commit and pre-push hooks:
tox exec -e lint -- pre-commit install
Dev tasks
List all tox tasks you can run:
tox list
Run unit tests in watch mode:
tox -e watch
Run linting:
tox -e lint
Dev usage
Run agent listening at /var/run/wireguard/agent0:
sudo mkdir -p /var/run/wireguard && sudo chown $USER /var/run/wireguard
tox -e agent -- -l -vv
Or run agent listening on test socket:
tox -e agent -- -l -s test.socket -vv
Prompt to cache PIN on agent:
tox -e client -- -p -t -vv
Clear PIN from agent listening on test socket:
tox -e client -- -c -s test.socket -vv
Beware
- Any client with access to the socket on which the agent is listening has full use of your OpenPGP card's decryption key when the agent has the card's PIN cached. An adversary with access to the socket can easily decrypt your WireGuard traffic, or impersonate your WireGuard identity; she also can decrypt regular OpenPGP messages encrypted for your card's decryption key.
- Use of the agent requires the OpenPGP card's PIN to be cached in memory. After the card's PIN has been cached, if an adversary is able to dump your computer's memory, she will be able to recover the PIN.
- Even after you clear the PIN or shut down the agent, there still may be copies of the PIN in memory that an adversary could recover.
Contributing
- Ask questions or send patches to https://lists.sr.ht/~arx10/openpgpcard-x25519-agent
- File issues at https://todo.sr.ht/~arx10/openpgpcard-x25519-agent
- Sync the latest source code with https://git.sr.ht/~arx10/openpgpcard-x25519-agent
- Install the latest release from https://pypi.org/project/openpgpcard-x25519-agent/
License
Copyright (c) 2023 Arcem Tene, Inc.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for openpgpcard-x25519-agent-1.0.1.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | dce0e95d00761e08ca0aed2de2626092f62a4fda5c9e5c1d9bef0d0e03c5659d |
|
| MD5 | b4c5ffaeac3da249a910f555fadf9201 |
|
| BLAKE2b-256 | 8f4f0ff6d4e3d392e4ce3e08d8e796c7c74322f8a5568ad14a43b3446eb5276a |
Hashes for openpgpcard_x25519_agent-1.0.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 28c6ddddfc4f77b0c3057c195fe27dd7d5e591941e3f07699828c860abda6ecb |
|
| MD5 | d10a909094178adb4a3614291663a796 |
|
| BLAKE2b-256 | 79999df09b8bd39aac82311e95dd8115bdb1946d10a486fbaad5e3c3141dfdfa |
