From 3e9fd04d34bed8a8c6b43bf111a8b8bbbbe8663f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 5 Feb 2009 14:24:49 -0500 Subject: updated pem2openpgp invocation in m-h import-key --- src/share/mh/import_key | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src/share/mh') diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 2e73a8c..93afb0a 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -17,7 +17,7 @@ local hostName local userID local fingerprint -# check for presense of secret key +# check for presence of secret key # FIXME: is this the proper test to be doing here? fingerprint_host_key >/dev/null \ && failure "An OpenPGP host key already exists." @@ -32,8 +32,7 @@ chmod 700 "$GNUPGHOME_HOST" log verbose "importing ssh key..." # translate ssh key to a private key -(umask 077 && \ - pem2openpgp "$userID" | gpg_host --import) +PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | gpg_host --import # find the key fingerprint of the newly converted key fingerprint=$(fingerprint_host_key) -- cgit v1.2.3 From 9cc92238a9a9b21d37b983932d5a6a012cf80aba Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 8 Feb 2009 23:55:28 -0500 Subject: Some rearragement/cleanup in the monkeysphere-host: - define exported variable to hold host key fingerprint (HOST_FINGERPRINT) - broke out some common commands into simpler functions - rename the 'extend_key' function to be 'set_expire', since function is more generically offered now. --- src/monkeysphere-host | 76 ++++++++++++++++++++++++++++++++------------ src/share/mh/add_hostname | 16 ++-------- src/share/mh/extend_key | 35 -------------------- src/share/mh/revoke_hostname | 24 +++----------- src/share/mh/set_expire | 34 ++++++++++++++++++++ 5 files changed, 97 insertions(+), 88 deletions(-) delete mode 100644 src/share/mh/extend_key create mode 100644 src/share/mh/set_expire (limited to 'src/share/mh') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index a6fa62f..aa764db 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -80,16 +80,21 @@ su_monkeysphere_user() { # function to interact with the gpg keyring gpg_host() { - local returnCode + GNUPGHOME="$GNUPGHOME_HOST" gpg "$@" +} + +# command to list the info about the host key, in colon format +gpg_host_list() { + gpg_host --list-keys --with-colons --fixed-list-mode \ + --with-fingerprint --with-fingerprint \ + "0x${HOST_FINGERPRINT}!" - GNUPGHOME="$GNUPGHOME_HOST" - export GNUPGHOME +} - # NOTE: we supress this warning because we need the monkeysphere - # user to be able to read the host pubring. we realize this might - # be problematic, but it's the simplest solution, without too much - # loss of security. - gpg "$@" +# command for edit key scripts, takes scripts on stdin +gpg_host_edit() { + gpg_host --quiet --command-fd 0 --edit-key \ + "0x${HOST_FINGERPRINT}!" "$@" } # output just key fingerprint @@ -102,23 +107,48 @@ fingerprint_host_key() { grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null } +# output the index of a user ID on the host key +# return 1 if user ID not found +find_host_userid() { + local userID="$1" + local tmpuidMatch + local line + + # match to only ultimately trusted user IDs + tmpuidMatch="u:$(echo $userID | gpg_escape)" + + # find the index of the requsted user ID + # NOTE: this is based on circumstantial evidence that the order of + # this output is the appropriate index + line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \ + grep -n -x -F "$tmpuidMatch" 2>/dev/null) + + if [ "$line" ] ; then + echo ${line%%:*} + return 0 + else + return 1 + fi +} + # function to check for host secret key -check_host_keyring() { - fingerprint_host_key >/dev/null \ - || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first." +check_host_fail() { + [ "$HOST_FINGERPRINT" ] || \ + failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first." } # show info about the host key show_key() { - local fingerprintPGP local fingerprintSSH - # FIXME: you shouldn't have to be root to see the host key fingerprint - check_host_keyring - fingerprintPGP=$(fingerprint_host_key) + # FIXME: should not have to be priviledged user to see this info. + # should be taken from publicly accessible key files, instead of + # the keyring. + + gpg_host --fingerprint --list-key --list-options show-unusable-uids \ + "0x${HOST_FINGERPRINT}!" 2>/dev/null - gpg_host --fingerprint --list-key --list-options show-unusable-uids "0x${fingerprintPGP}!" 2>/dev/null - echo "OpenPGP fingerprint: $fingerprintPGP" + echo "OpenPGP fingerprint: $HOST_FINGERPRINT" if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \ @@ -155,6 +185,9 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} +# host key fingerprint +HOST_FINGERPRINT=$(fingerprint_host_key) + # export variables needed in su invocation export DATE export MODE @@ -163,23 +196,24 @@ export MONKEYSPHERE_USER export KEYSERVER export GNUPGHOME_HOST export GNUPGHOME +export HOST_FINGERPRINT # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift + case $COMMAND in 'show-key'|'show'|'s') check_host_keyring show_key ;; - # FIXME: what should we call this command? 'set-expire'|'extend-key'|'e') check_host_keyring - source "${MHSHAREDIR}/extend_key" - extend_key "$@" + source "${MHSHAREDIR}/set_expire" + set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') @@ -212,7 +246,7 @@ case $COMMAND in publish_key ;; - 'expert'|'e') + 'expert') SUBCOMMAND="$1" shift case "$SUBCOMMAND" in diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 267f109..46326bb 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -27,18 +27,9 @@ fi userID="ssh://${1}" -fingerprint=$(fingerprint_host_key) - -# match to only ultimately trusted user IDs -tmpuidMatch="u:$(echo $userID | gpg_escape)" - -# find the index of the requsted user ID -# NOTE: this is based on circumstantial evidence that the order of -# this output is the appropriate index -if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \ - | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then +# test that the desired user ID does not already exist +find_host_userid > /dev/null && \ failure "Host userID '$userID' already exists." -fi echo "The following user ID will be added to the host key:" echo " $userID" @@ -58,8 +49,7 @@ EOF ) # execute edit-key script -if echo "$adduidCommand" | \ - gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then +if echo "$adduidCommand" | gpg_host_edit ; then show_key diff --git a/src/share/mh/extend_key b/src/share/mh/extend_key deleted file mode 100644 index 79ee267..0000000 --- a/src/share/mh/extend_key +++ /dev/null @@ -1,35 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere host extend-key subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins -# Jamie McClelland -# Daniel Kahn Gillmor -# -# They are Copyright 2008-2009, and are all released under the GPL, -# version 3 or later. - -# extend the lifetime of a host key: - -extend_key() { - -local fpr=$(fingerprint_host_key) -local extendTo="$1" - -# get the new expiration date -extendTo=$(get_gpg_expiration "$extendTo") - -gpg_host --quiet --command-fd 0 --edit-key "$fpr" < +# Jamie McClelland +# Daniel Kahn Gillmor +# +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. + +set-expire() { + +local extendTo + +# get the new expiration date +extendTo=$(get_gpg_expiration "$1") + +gpg_host_edit expire < Date: Mon, 9 Feb 2009 00:21:40 -0500 Subject: Break out host export commands into gpg_host_export and gpg_host_export_to_ssh_file functions, and update the {gen,import}_key functions accordingly. --- src/monkeysphere-host | 13 +++++++++++++ src/share/mh/gen_key | 12 ++++++------ src/share/mh/import_key | 10 +++++----- 3 files changed, 24 insertions(+), 11 deletions(-) (limited to 'src/share/mh') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index aa764db..bcb570b 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -97,6 +97,19 @@ gpg_host_edit() { "0x${HOST_FINGERPRINT}!" "$@" } +# export the host key to stdout +gpg_host_export() { + gpg_host --export --armor --export-options export-minimal \ + "0x${HOST_FINGERPRINT}!" +} + +# export the host key to the monkeysphere host file key +gpg_host_export_to_ssh_file() { + log debug "exporting openpgp public key..." + gpg_host_export > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" +} + # output just key fingerprint fingerprint_host_key() { # set the pipefail option so functions fails if can't read sec key diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index eb951cf..c75ad65 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -79,15 +79,16 @@ chmod 700 "$GNUPGHOME_HOST" log verbose "generating host key..." echo "$keyParameters" | gpg_host --batch --gen-key -# find the key fingerprint of the newly generated key -fingerprint=$(fingerprint_host_key) +# find the key fingerprint of the newly converted key +HOST_FINGERPRINT=$(fingerprint_host_key) +export HOST_FINGERPRINT # translate the private key to ssh format, and export to a file # for sshs usage. # NOTE: assumes that the primary key is the proper key to use log debug "exporting new secret key to ssh format..." (umask 077 && \ - gpg_host --export-secret-key "$fingerprint" | \ + gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ openpgp2ssh "$fingerprint" > "${MHDATADIR}/ssh_host_rsa_key") log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" @@ -95,9 +96,8 @@ log debug "creating ssh public key..." ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub" log info "SSH host public key output to file: ${MHDATADIR}/ssh_host_rsa_key.pub" -log debug "exporting openpgp public key..." -gpg_host --export-options export-minimal --armor --export "0x${fingerprint}!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" -log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" +# export public key to file +gpg_host_export_to_ssh_file # show info about new key show_key diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 93afb0a..6a897b6 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -32,15 +32,15 @@ chmod 700 "$GNUPGHOME_HOST" log verbose "importing ssh key..." # translate ssh key to a private key -PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | gpg_host --import +PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \ + gpg_host --import # find the key fingerprint of the newly converted key -fingerprint=$(fingerprint_host_key) +HOST_FINGERPRINT=$(fingerprint_host_key) +export HOST_FINGERPRINT # export public key to file -log debug "exporting openpgp public key..." -gpg_host --export-options export-minimal --armor --export "0x${fingerprint}!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" -log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" +gpg_host_export_to_ssh_file # show info about new key show_key -- cgit v1.2.3 From c0ab14d9df7959057a04f2ebd837c50e169c1c01 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 00:30:04 -0500 Subject: a couple of small fixes to the {gen,import}_key functions --- src/share/mh/gen_key | 56 +++++++++++++++++-------------------------------- src/share/mh/import_key | 8 +++---- 2 files changed, 22 insertions(+), 42 deletions(-) (limited to 'src/share/mh') diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index c75ad65..1f8e97e 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -13,19 +13,16 @@ gen_key() { +local hostName=$(hostname -f) local keyType="RSA" local keyLength="2048" local keyUsage="auth" local keyExpire="0" -local hostName=$(hostname -f) local userID -local keyParameters -local fingerprint -# check for presense of secret key -# FIXME: is this the proper test to be doing here? -fingerprint_host_key >/dev/null \ - && failure "An OpenPGP host key already exists." +# check for presense of a key +[ "$FINGERPRINT" ] && \ + failure "An OpenPGP host key already exists." # get options while true ; do @@ -39,45 +36,30 @@ while true ; do failure "Unknown option '$1'. Type '$PGRM help' for usage." fi - hostName="$1" - shift break ;; esac done +hostName="$1" userID="ssh://${hostName}" -# set key parameters -keyParameters=\ -"Key-Type: $keyType +# create host home +mkdir -p "$GNUPGHOME_HOST" +chmod 700 "$GNUPGHOME_HOST" + +log debug "generating host key..." +gpg_host --batch --gen-key < "${MHDATADIR}/ssh_host_rsa_key") + openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" log debug "creating ssh public key..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub" -log info "SSH host public key output to file: ${MHDATADIR}/ssh_host_rsa_key.pub" +ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" +log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" # export public key to file gpg_host_export_to_ssh_file diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 6a897b6..1efb1ac 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -15,12 +15,10 @@ import_key() { local hostName local userID -local fingerprint -# check for presence of secret key -# FIXME: is this the proper test to be doing here? -fingerprint_host_key >/dev/null \ - && failure "An OpenPGP host key already exists." +# check for presense of a key +[ "$FINGERPRINT" ] && \ + failure "An OpenPGP host key already exists." hostName=${1:-$(hostname -f)} -- cgit v1.2.3 From 69354c87864076343793fb270b296ccb89bf3759 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 00:42:16 -0500 Subject: define variable for public key files (HOST_KEY_PUB, HOST_KEY_PUB_GPG). also, fix some function calls to check_host_fail function. --- src/monkeysphere-host | 36 +++++++++++++++++++++--------------- src/share/mh/gen_key | 4 ++-- 2 files changed, 23 insertions(+), 17 deletions(-) (limited to 'src/share/mh') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index bcb570b..3c2e3ee 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -14,6 +14,9 @@ ######################################################################## set -e +# set the pipefail option so pipelines fail on first command failure +set -o pipefail + PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} @@ -106,15 +109,13 @@ gpg_host_export() { # export the host key to the monkeysphere host file key gpg_host_export_to_ssh_file() { log debug "exporting openpgp public key..." - gpg_host_export > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" - log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" + + gpg_host_export > "$HOST_KEY_PUB_GPG" + log info "SSH host public key in OpenPGP form: $HOST_KEY_PUB_GPG" } # output just key fingerprint fingerprint_host_key() { - # set the pipefail option so functions fails if can't read sec key - set -o pipefail - gpg_host --list-secret-keys --fingerprint \ --with-colons --fixed-list-mode 2> /dev/null | \ grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null @@ -163,12 +164,13 @@ show_key() { echo "OpenPGP fingerprint: $HOST_FINGERPRINT" - if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then - fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \ + if [ -f "$HOST_KEY_PUB" ] ; then + fingerprintSSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" | \ awk '{ print $1, $2, $4 }') + echo "ssh fingerprint: $fingerprintSSH" else - log info "SSH host key not found." + log error "SSH host key not found." fi # FIXME: show expiration date @@ -201,6 +203,10 @@ GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} # host key fingerprint HOST_FINGERPRINT=$(fingerprint_host_key) +# host pub key files +HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" +HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + # export variables needed in su invocation export DATE export MODE @@ -219,42 +225,42 @@ shift case $COMMAND in 'show-key'|'show'|'s') - check_host_keyring + check_host_fail show_key ;; 'set-expire'|'extend-key'|'e') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/set_expire" set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/add_hostname" add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/revoke_hostname" revoke_hostname "$@" ;; 'add-revoker'|'o') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key'|'r') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; 'publish-key'|'publish'|'p') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/publish_key" publish_key ;; diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 1f8e97e..44109bb 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -75,8 +75,8 @@ log debug "exporting ssh secret key..." log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" log debug "creating ssh public key..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" -log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" +ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" +log info "SSH host public key output to file: $HOST_KEY_PUB" # export public key to file gpg_host_export_to_ssh_file -- cgit v1.2.3 From 02edd9b326a8c8ac99b132c4989d117e18394924 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 01:39:50 -0500 Subject: fix name of set_expire function --- src/share/mh/set_expire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/share/mh') diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index 2389e57..653149f 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -14,7 +14,7 @@ # They are Copyright 2008-2009, and are all released under the GPL, # version 3 or later. -set-expire() { +set_expire() { local extendTo -- cgit v1.2.3 From 563800612b54203d5cd68aedfd9d482215d9289d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 01:41:30 -0500 Subject: rename function to get the host fingerprint, and fix some HOST_FINGERPRINT variables. --- src/monkeysphere-host | 15 +++++++-------- src/share/mh/gen_key | 4 ++-- src/share/mh/import_key | 4 ++-- 3 files changed, 11 insertions(+), 12 deletions(-) (limited to 'src/share/mh') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 506dcf9..be398b1 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -102,10 +102,13 @@ gpg_host_export_to_ssh_file() { } # output just key fingerprint -fingerprint_host_key() { +# FIXME: should not have to be priviledged user to get host +# fingerprint. should be taken from publicly accessible key files, +# instead of the keyring. +get_host_fingerprint() { gpg_host --list-secret-keys --fingerprint \ --with-colons --fixed-list-mode 2> /dev/null | \ - grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null + grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null || true } # output the index of a user ID on the host key @@ -142,12 +145,9 @@ check_host_fail() { show_key() { local fingerprintSSH - # FIXME: should not have to be priviledged user to see this info. - # should be taken from publicly accessible key files, instead of - # the keyring. - gpg_host --fingerprint --list-key --list-options show-unusable-uids \ "0x${HOST_FINGERPRINT}!" 2>/dev/null + # FIXME: make sure expiration date is shown echo "OpenPGP fingerprint: $HOST_FINGERPRINT" @@ -160,7 +160,6 @@ show_key() { log error "SSH host key not found." fi - # FIXME: show expiration date # FIXME: other relevant key parameters? } @@ -188,7 +187,7 @@ CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} # host key fingerprint -HOST_FINGERPRINT=$(fingerprint_host_key) +HOST_FINGERPRINT=$(get_host_fingerprint) # host pub key files HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 44109bb..7b427e4 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -21,7 +21,7 @@ local keyExpire="0" local userID # check for presense of a key -[ "$FINGERPRINT" ] && \ +[ "$HOST_FINGERPRINT" ] && \ failure "An OpenPGP host key already exists." # get options @@ -62,7 +62,7 @@ Expire-Date: $keyExpire EOF # find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(fingerprint_host_key) +HOST_FINGERPRINT=$(get_host_fingerprint) export HOST_FINGERPRINT # translate the private key to ssh format, and export to a file diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 1efb1ac..99511a8 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -17,7 +17,7 @@ local hostName local userID # check for presense of a key -[ "$FINGERPRINT" ] && \ +[ "$HOST_FINGERPRINT" ] && \ failure "An OpenPGP host key already exists." hostName=${1:-$(hostname -f)} @@ -34,7 +34,7 @@ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \ gpg_host --import # find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(fingerprint_host_key) +HOST_FINGERPRINT=$(get_host_fingerprint) export HOST_FINGERPRINT # export public key to file -- cgit v1.2.3 From d71cf8d24bd9357a016b1ead375a67ccd955c130 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 01:52:00 -0500 Subject: add much of an add_revoker function. still needs to be fleshed out and tested, though, so it's not "active" yet. --- src/share/mh/add_revoker | 85 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) (limited to 'src/share/mh') diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index f9d0bb6..39dfaca 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -15,7 +15,92 @@ add_revoker() { +local domain= +local trust=full +local depth=1 +local keyID +local importinfo +local fingerprint +local ltsignCommand +local trustval + +keyID="$1" +if [ -z "$keyID" ] ; then + failure "You must specify the key ID of a revoker key, or specify a file to read the key from." +fi +if [ -f "$keyID" ] ; then + log info "Reading key from file '$keyID':" + importinfo=$(gpg_host --import < "$keyID" 2>&1) || failure "could not read key from '$keyID'" + # FIXME: if this is tried when the key database is not + # up-to-date, i got these errors (using set -x): + + # ++ su -m monkeysphere -c '\''gpg --import'\'' + # Warning: using insecure memory! + # gpg: key D21739E9: public key "Daniel Kahn Gillmor " imported + # gpg: Total number processed: 1 + # gpg: imported: 1 (RSA: 1) + # gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied + # gpg: failed to rebuild keyring cache: Permission denied + # gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + # gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: next trustdb check due at 2009-01-10' + # + failure 'could not read key from '\''/root/dkg.gpg'\''' + # + echo 'could not read key from '\''/root/dkg.gpg'\''' + + keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) + if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then + failure "There was not exactly one gpg key in the file." + fi +else + # create a temporary directory for storing the downloaded key + TMPLOC=$(mktemp -d ${MHTMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" + + # download the key from the keyserver as the monkeysphere user + su_monkeysphere_user \ + "GNUPGHOME=$TMPLOC gpg --keyserver $KEYSERVER --recv-key 0x${keyID}!" + + # export the new key to the host keyring + su_monkeysphere_user "GNUPGHOME=$TMPLOC gpg --export 0x${keyID}!" \ + | gpg_host --import +fi + +export keyID + +# get the full fingerprint of the revoker key ID +fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "0x${keyID}!" \ + | grep '^fpr:' | grep "$keyID" | cut -d: -f10) + +if [ -z "$fingerprint" ] ; then + failure "Key '$keyID' not found." +fi + +log info -e "\nkey found:" +gpg_host --fingerprint "0x${fingerprint}!" + +echo "Are you sure you want to add the above key as a" +read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N} +if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Revoker not added." +fi + +# edit-key script to add revoker +# NOTE: *all* user IDs will be ltsigned +addrevokerCommand=$(cat <