diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-01 21:14:22 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-01 21:14:22 -0500 |
commit | 0655d5cbf24a29da4aff7e272e82bfa258b2ceed (patch) | |
tree | 6e462df5ff450ddd67ddf3fdf686ddcbcfcd4668 /src | |
parent | 7548a859412f10e68f90ee68f330593d85b090fc (diff) |
new function to export signatures from core to sphere keyrings. this
is so that the sphere does not have to read the core pubring to get
the certifier ltsigs, and we can therefore keep tighter permissions on
the core keyring files. updated some comments/documentation as well.
Diffstat (limited to 'src')
-rwxr-xr-x | src/monkeysphere-authentication | 18 | ||||
-rw-r--r-- | src/share/ma/add_certifier | 58 | ||||
-rw-r--r-- | src/share/ma/remove_certifier | 8 | ||||
-rw-r--r-- | src/share/ma/setup | 6 |
4 files changed, 51 insertions, 39 deletions
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 7c43aa8..2316183 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -85,8 +85,6 @@ su_monkeysphere_user() { # function to interact with the gpg core keyring gpg_core() { - local returnCode - GNUPGHOME="$GNUPGHOME_CORE" export GNUPGHOME @@ -94,15 +92,7 @@ gpg_core() { # user to be able to read the host pubring. we realize this might # be problematic, but it's the simplest solution, without too much # loss of security. - gpg --no-permission-warning "$@" - returnCode="$?" - - # always reset the permissions on the host pubring so that the - # monkeysphere user can read the trust signatures - chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_CORE}/pubring.gpg" - chmod g+r "${GNUPGHOME_CORE}/pubring.gpg" - - return "$returnCode" + gpg "$@" } # function to interact with the gpg sphere keyring @@ -116,6 +106,12 @@ gpg_sphere() { su_monkeysphere_user "gpg $@" } +# export signatures from core to sphere +gpg_core_sphere_sig_transfer() { + gpg_core --export-options export-local-sigs --export | \ + gpg_sphere --import-options import-local-sigs --import +} + ######################################################################## # MAIN ######################################################################## diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 0c3c647..60a4f9d 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -3,6 +3,20 @@ # Monkeysphere authentication add-certifier subcommand # +# This function adds a certifier whose signatures will be used to +# calculate validity of keys used to connect to user accounts on the +# server. The specified certifier key is first retrieved from the Web +# of Trust with the monkeysphere-user-controlled gpg_sphere keyring. +# Once then new key is retrieved, it is imported into the core +# keyring. The gpg_core then ltsigns the key with the desired trust +# level, and then the key is exported back to the gpg_sphere keyring. +# The gpg_sphere has ultimate owner trust of the core key, so the core +# ltsigs on the new certifier key can then be used by gpg_sphere +# calculate validity for keys inserted in the authorized_keys file. +# +# This is all to keep the monkeysphere user that connects to the +# keyservers from accessing the core secret key. +# # The monkeysphere scripts are written by: # Jameson Rollins <jrollins@finestructure.net> # Jamie McClelland <jm@mayfirst.org> @@ -11,9 +25,6 @@ # They are Copyright 2008-2009, and are all released under the GPL, # version 3 or later. -# retrieve key from web of trust, import it into the host keyring, and -# ltsign the key in the host keyring so that it may certify other keys - add_certifier() { local domain @@ -59,7 +70,7 @@ if [ -z "$keyID" ] ; then failure "You must specify the key ID of a key to add, or specify a file to read the key from." fi if [ -f "$keyID" ] ; then - echo "Reading key from file '$keyID':" + log info "Reading key from file '$keyID':" importinfo=$(gpg_sphere "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'" # FIXME: if this is tried when the key database is not # up-to-date, i got these errors (using set -x): @@ -96,8 +107,7 @@ if [ -z "$fingerprint" ] ; then failure "Key '$keyID' not found." fi -echo -echo "key found:" +log info -e "\nkey found:" gpg_sphere "--fingerprint 0x${fingerprint}!" echo "Are you sure you want to add the above key as a" @@ -106,18 +116,24 @@ if [ "${OK/y/Y}" != 'Y' ] ; then failure "Identity certifier not added." fi -# export the key to the host keyring +# export the key to the core keyring so that the core can sign the +# new certifier key gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import -if [ "$trust" = marginal ]; then - trustval=1 -elif [ "$trust" = full ]; then - trustval=2 -else - failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)." -fi - -# ltsign command +case "$trust" in + 'marginal') + trustval=1 + ;; + 'full') + trustval=2 + ;; + *) + failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)." + ;; +esac + +# this is the gpg "script" that gpg --edit-key will execute for the +# core to sign certifier. # NOTE: *all* user IDs will be ltsigned ltsignCommand=$(cat <<EOF ltsign @@ -130,15 +146,17 @@ save EOF ) -# ltsign the key +# core ltsigns the newly imported certifier key if echo "$ltsignCommand" | \ gpg_core --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then - # update the trustdb for the authentication keyring + # transfer the new sigs back to the sphere keyring + gpg_core_sphere_sig_transfer + + # update the sphere trustdb gpg_sphere "--check-trustdb" - echo - echo "Identity certifier added." + log info -e "\nIdentity certifier added." else failure "Problem adding identify certifier." fi diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier index 560281d..1164162 100644 --- a/src/share/ma/remove_certifier +++ b/src/share/ma/remove_certifier @@ -32,16 +32,16 @@ else failure fi -# delete the requested key +# delete the requested key from the sphere keyring +# FIXME: should this be a revokation instead of a removal? if gpg_sphere "--delete-key --batch --yes 0x${keyID}!" ; then - # delete key from host keyring as well + # delete key from core keyring as well gpg_core --delete-key --batch --yes "0x${keyID}!" # update the trustdb for the authentication keyring gpg_sphere "--check-trustdb" - echo - echo "Identity certifier removed." + log info -e "\nIdentity certifier removed." else failure "Problem removing identity certifier." fi diff --git a/src/share/ma/setup b/src/share/ma/setup index 672a960..229166b 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -34,12 +34,10 @@ EOF # Edits will be overwritten. no-greeting primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg -keyring ${GNUPGHOME_CORE}/pubring.gpg - list-options show-uid-validity EOF - # fingerprint of core key. this should be empty on unconfigured systems. + # get fingerprint of core key. this should be empty on unconfigured systems. local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: ) if [ -z "$CORE_FPR" ] ; then @@ -57,7 +55,7 @@ EOF # date. < "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core" - gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key + # get fingerprint of core key. should definitely not be empty at this point CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: ) if [ -z "$CORE_FPR" ] ; then failure "Failed to create Monkeysphere authentication trust core!" |