Diffstat (limited to 'src/share/mh')
-rw-r--r--src/share/mh/add_hostname6
-rw-r--r--src/share/mh/add_revoker16
-rw-r--r--src/share/mh/import_key15
-rw-r--r--src/share/mh/revoke_hostname6
-rw-r--r--src/share/mh/revoke_key70
5 files changed, 84 insertions, 29 deletions
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname
index 0da6a06..b08d688 100644
--- a/src/share/mh/add_hostname
+++ b/src/share/mh/add_hostname
@@ -32,9 +32,9 @@ find_host_userid > /dev/null && \
failure "Host userID '$userID' already exists."
if [ "$PROMPT" = "true" ] ; then
- echo "The following user ID will be added to the host key:"
- echo " $userID"
- read -p "Are you sure you would like to add this user ID? (Y/n) " OK; OK=${OK:=Y}
+ read -p "The following user ID will be added to the host key:
+ $userID
+Are you sure you would like to add this user ID? (Y/n) " OK; OK=${OK:=Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "User ID not added."
fi
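Review bot: The exit status of `read` is never checked on the new `read -p "..." OK; OK=${OK:=Y}` line, so if stdin is closed or at EOF while PROMPT is true, OK stays empty, defaults to Y and the user ID is added without any confirmation. Failing closed would be safer: `read -r -p "..." OK || failure "User ID not added."` before the default is applied. The same pattern appears in the add_revoker and revoke_hostname hunks. Note also that bash prints the `-p` prompt only when input comes from a terminal, so with the user ID folded into the prompt it is no longer shown at all for piped input.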
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker
index 428b958..03ae56f 100644
--- a/src/share/mh/add_revoker
+++ b/src/share/mh/add_revoker
@@ -74,14 +74,24 @@ else
# get the full fingerprint of new revoker key
log debug "getting fingerprint of revoker key..."
fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --list-key --with-colons --with-fingerprint 0x${keyID}!" \
- | grep '^fpr:' | grep "$keyID" | cut -d: -f10)
+ | grep '^fpr:' | cut -d: -f10)
+
+ # test that there is only a single fingerprint
+ if (( $(echo "$fingerprint" | wc -l) != 1 )) ; then
+ cat <<EOF
+More than one fingerprint found:
+$fingerprint
+Please use a more specific key ID.
+EOF
+ failure
+ fi
log info "key found:"
su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --fingerprint 0x${fingerprint}!"
if [ "$PROMPT" = "true" ] ; then
- echo "Are you sure you want to add the above key as a"
- read -p "revoker of the host key? (Y/n) " OK; OK=${OK:-Y}
+ read -p "Are you sure you want to add the above key as a revoker
+of the host key? (Y/n) " OK; OK=${OK:-Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "revoker not added."
fi
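Review bot: An empty result passes the new single-fingerprint test, because `echo "$fingerprint" | wc -l` yields 1 for an empty string; if gpg emits no `fpr:` line the script carries on to `gpg --fingerprint 0x!` and the confirmation prompt. Add `[ "$fingerprint" ] || failure "No fingerprint found for key ID '$keyID'."` before the count. The multi-fingerprint message is written to stdout and `failure` is called without text, so passing the message to `failure` would keep it on the error path. Dropping `grep "$keyID"` also means that on gpg versions which print `fpr:` records for subkeys (worth confirming for the versions targeted) any key with subkeys would be rejected as ambiguous. The enclosing `else` branch starts outside the hunk.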
diff --git a/src/share/mh/import_key b/src/share/mh/import_key
index 040b41c..f7c69c3 100644
--- a/src/share/mh/import_key
+++ b/src/share/mh/import_key
@@ -26,20 +26,9 @@ if [ -z "$sshKeyFile" ] ; then
failure "Must specify ssh key file to import, or specify '-' for stdin."
fi
-# use the default hostname if not specified
+# fail if hostname not specified
if [ -z "$hostName" ] ; then
- hostName=$(hostname -f) || failure "Could not determine hostname."
- # test that the domain is not obviously illegitimate
- domain=${foo##*.}
- case $domain in
- 'local'|'localdomain')
- failure "Host domain '$domain' is not legitimate. Aborting key import."
- ;;
- esac
- # test that there are at least two parts
- if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then
- failure "Host name '$hostName' is not legitimate. Aborting key import."
- fi
+ failure "You must specify a fully-qualified domain name for use in the host certificate user ID."
fi
userID="ssh://${hostName}"
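Review bot: Nothing enforces the fully-qualified name that the new error message asks for: any non-empty `$hostName` now flows straight into `userID="ssh://${hostName}"`, including single-label or `.local` names. The removed block was meant to refuse those, although it only ran for the default name and tested `$foo` rather than `$hostName`. A small check after the `-z` test would keep that guarantee for user-supplied names, e.g. `case "$hostName" in *.*) ;; *) failure "Host name '$hostName' is not fully qualified." ;; esac`. Validation may already exist elsewhere in the script, which continues outside the hunk.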
diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname
index 71b56ed..2142af7 100644
--- a/src/share/mh/revoke_hostname
+++ b/src/share/mh/revoke_hostname
@@ -43,9 +43,9 @@ uidIndex=$(find_host_userid) || \
failure "No non-revoked user ID found matching '$userID'."
if [ "$PROMPT" = "true" ] ; then
- echo "The following host key user ID will be revoked:"
- echo " $userID"
- read -p "Are you sure you would like to revoke this user ID? (N/y) " OK; OK=${OK:=Y}
+ read -p "The following host key user ID will be revoked:
+ $userID
+Are you sure you would like to revoke this user ID? (Y/n) " OK; OK=${OK:=Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "User ID not revoked."
fi
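Review bot: The prompt label was changed to `(Y/n)` to match the existing `OK=${OK:=Y}`, which leaves revocation as the default action when the operator just presses Enter. For a destructive step the opposite resolution is the safer one: keep the `(N/y)` label and make the default match it with `OK=${OK:-N}`, so that only an explicit `y` revokes the user ID.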
diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key
index 380236b..ad68d5f 100644
--- a/src/share/mh/revoke_key
+++ b/src/share/mh/revoke_key
@@ -18,6 +18,28 @@ revoke_key() {
# Coming in here, we expect $HOST_FINGERPRINT to be set, and we
# believe that there is in fact a key.
+ if [ "$PROMPT" = "false" ] ; then
+ publish=N
+ else
+ cat <<EOF >&2
+This will generate a revocation certificate for your host key
+(fingerprint: $HOST_FINGERPRINT) and
+dump the certificate to standard output.
+
+It can also directly publish the new revocation certificate
+to the public keyservers via $KEYSERVER if you want it to.
+
+Publishing this certificate will IMMEDIATELY and PERMANENTLY revoke
+your host key!
+
+EOF
+ read -p "Publish the certificate after generation? (y/n/Q) " publish
+
+ if ! [ "${publish/y/Y}" = 'Y' -o "${publish/n/N}" = 'N' ] ; then
+ failure "aborting at user request"
+ fi
+ fi
+
# our current implementation is very simple: we just want to
# generate the revocation certificate on stdout. This provides
# for the two most likely (but hopefully not common) scenarios:
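Review bot: `publish` is assigned without `local` here, as are `revcert` and `really` in the next hunk, while `revoke_commands` and `newhome` are declared local; if this file is sourced, those names leak into the caller's scope. A `local publish revcert really` at the top of revoke_key would make the function consistent. The test `[ "${publish/y/Y}" = 'Y' -o "${publish/n/N}" = 'N' ]` relies on `-o`, which POSIX marks obsolescent; `[ "${publish/y/Y}" = 'Y' ] || [ "${publish/n/N}" = 'N' ]` is unambiguous. The `read -p` would also be better as `read -r -p`. revoke_key's body continues past this hunk.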
@@ -28,18 +50,52 @@ revoke_key() {
# transcribe from the terminal.
# Alternately, an admin might want to publish the revocation
- # certificate immediately. here's a quick way to do this:
+ # certificate immediately, which we can help them do as well.
+
+ if [ "$PROMPT" = 'false' ] ; then
+ # FIXME: allow the end user to choose something other than
+ # "key was compromised" (1) and to supply their own revocation
+ # string.
+ local revoke_commands="y
+1
+Monkeysphere host key revocation (automated) $(date '+%F_%T%z')
- # tmp=$(mktemp -d)
- # export GNUPGHOME="$tmp"
- # gpg --import < /var/lib/monkeysphere/ssh_host_rsa_key.pub.gpg
- # monkeysphere-host revoke-key | gpg --import
- # gpg --keyserver pool.sks-keyservers.net --send $(hostname -f)
+y
+"
+ revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${HOST_FINGERPRINT}!" <<<"$revoke_commands" ) \
+ || failure "Failed to generate revocation certificate!"
+
+ else
# note: we're not using the gpg_host function because we actually
# want to use gpg's UI in this case, so we want to omit --no-tty
+ revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!") \
+ || failure "Failed to generate revocation certificate!"
+ fi
+
+ # if you run gpg --gen-revoke but cancel it or quit in the middle,
+ # it returns success, but emits no revocation certificate:
+ if ! [ "$revcert" ] ; then
+ failure "Revocation canceled."
+ fi
+
+ ## ok, now we have the revocation certificate. Print it, and
+ ## offer to publish if originally requested:
+ printf "%s\n" "$revcert"
- GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!"
+ if [ "${publish/y/Y}" = 'Y' ] ; then
+ printf "\n" >&2
+ read -p "Really publish this cert to $KEYSERVER ? (Y/n) " really
+ if [ "${really/n/N}" = 'N' ] ; then
+ printf "Not publishing.\n" >&2
+ else
+ local newhome=$(mkmstempdir)
+ GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE"
+ GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert"
+ GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send "0x${HOST_FINGERPRINT}!"
+ rm -rf "$newhome"
+ fi
+ fi
}
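Review bot: The publish branch checks none of its steps, so a failed import or a failed `--send` is reported as success even though the operator has been told the revocation is immediate and permanent. `local newhome=$(mkmstempdir)` also hides a failing mkmstempdir behind the exit status of `local`; an empty `$newhome` would presumably make gpg fall back to its default home directory. In addition, `read -p "Really publish ..." really` treats anything other than `n` as consent, including a failed read. The sketch below declares and assigns separately, chains the three gpg calls, and removes the temporary directory on both paths; it assumes `failure` exits, as its other uses suggest.

```shell
local newhome
newhome=$(mkmstempdir) || failure "Failed to create temporary GnuPG home!"
if ! { GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE" \
        && GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert" \
        && GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send "0x${HOST_FINGERPRINT}!" ; } ; then
    rm -rf "$newhome"
    failure "Failed to publish revocation certificate to $KEYSERVER!"
fi
rm -rf "$newhome"
```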