summaryrefslogtreecommitdiff
path: root/gpg2ssh/gpg2ssh.c
blob: c99f03fe25fbc20ca4fe490791a4b8bac2416cc8 (plain) 
    

  1. #include "gnutls-helpers.h"
    2. 

  2. 

  3. #include <gnutls/openpgp.h>
    4. 

  4. #include <gnutls/x509.h>
    5. 

  5. 

  6. /* for waitpid() */
    7. 

  7. #include <sys/types.h>
    8. 

  8. #include <sys/wait.h>
    9. 

  9. 

  10. /* 
    11. 

  11.    Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    12. 

  12.    Date: Tue, 08 Apr 2008
    13. 

  13.    License: GPL v3 or later
    14. 

    15. 

  15.    monkeysphere public key translator: execute this with an GPG
    16. 

  16.    certificate (public key(s) + userid(s)) on stdin.  It currently
    17. 

  17.    only works with RSA keys.
    18. 

    19. 

  19.    It will spit out a version of the first key capable of being used
    20. 

  20.    for authentication on stdout.  The output format should be suitable
    21. 

  21.    for appending a known_hosts file.
    22. 

    23. 

  23.    Requirements: I've only built this so far with GnuTLS v2.3.4 --
    24. 

  24.    version 2.2.0 does not contain the appropriate pieces.
    25. 

    26. 

  26.  */
    27. 

  27. 

  28. int main(int argc, char* argv[]) {
    29. 

  29.   gnutls_datum_t data;
    30. 

  30.   int ret;
    31. 

  31.   gnutls_openpgp_crt_t openpgp_crt;
    32. 

  32.   gnutls_openpgp_keyid_t keyid;
    33. 

  33.   printable_keyid p_keyid;
    34. 

  34.   unsigned int keyidx;
    35. 

  35.   unsigned int usage, bits;
    36. 

  36.   gnutls_pk_algorithm_t algo;
    37. 

  37. 

  38.   gnutls_datum_t m, e, p, q, g, y;
    39. 

  39.   gnutls_datum_t algolabel;
    40. 

  40. 

  41.   char output_data[10240];
    42. 

  42.   char userid[10240];
    43. 

  43.   size_t uidsz = sizeof(userid);
    44. 

  44. 

  45.   const gnutls_datum_t* all[5];
    46. 

  46.   int pipefd;
    47. 

  47.   pid_t child_pid;
    48. 

  48.   char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL};
    49. 

  49.   const char* algoname;
    50. 

  50.   int mpicount;
    51. 

  51.   int pipestatus;
    52. 

  52. 

  53.   init_gnutls();
    54. 

  54.   
    55. 

  55.   init_datum(&data);
    56. 

  56. 

  57.   init_datum(&m);
    58. 

  58.   init_datum(&e);
    59. 

  59.   init_datum(&p);
    60. 

  60.   init_datum(&q);
    61. 

  61.   init_datum(&g);
    62. 

  62.   init_datum(&y);
    63. 

  63. 

  64.   init_datum(&algolabel);
    65. 

  65. 

  66.   init_keyid(keyid);
    67. 

  67. 

  68.   /* slurp in the private key from stdin */
    69. 

  69.   if (ret = set_datum_fd(&data, 0), ret) {
    70. 

  70.     err("didn't read file descriptor 0\n");
    71. 

  71.     return 1;
    72. 

  72.   }
    73. 

  73. 

  74. 

  75.   if (ret = gnutls_openpgp_crt_init(&openpgp_crt), ret) {
    76. 

  76.     err("Failed to initialize OpenPGP certificate (error: %d)\n", ret);
    77. 

  77.     return 1;
    78. 

  78.   }
    79. 

  79. 

  80.   /* format could be either: GNUTLS_OPENPGP_FMT_RAW,
    81. 

  81.      GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW,
    82. 

  82.      otherwise, use BASE64: */
    83. 

  83. 

  84.   /* FIXME: we should be auto-detecting the input format, and
    85. 

  85.      translating it as needed. */
    86. 

  86. 

  87.   if (getenv("MONKEYSPHERE_RAW")) {
    88. 

  88.     err("assuming RAW formatted certificate\n");
    89. 

  89.     if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) {
    90. 

  90.       err("failed to import the OpenPGP certificate in RAW format (error: %d)\n", ret);
    91. 

  91.       return ret;
    92. 

  92.     }
    93. 

  93.   } else {
    94. 

  94.     err("assuming BASE64 formatted certificate\n");
    95. 

  95.     if (ret = gnutls_openpgp_crt_import (openpgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64), ret) {
    96. 

  96.       err("failed to import the OpenPGP certificate in BASE64 format (error: %d)\n", ret);
    97. 

  97.       return ret;
    98. 

  98.     }
    99. 

  99.   }
    100. 

  100. 

  101.   if (gnutls_openpgp_crt_get_revoked_status(openpgp_crt)) {
    102. 

  102.     err("the primary key was revoked!\n");
    103. 

  103.     return 1;
    104. 

  104.   }
    105. 

  105. 

  106.   /* FIXME: We're currently looking at the primary key or maybe the
    107. 

  107.      first authentication-capable subkey.  
    108. 

    109. 

  109.      Instead, we should be iterating through the primary key and all
    110. 

  110.      subkeys: for each one with the authentication usage flag set of a
    111. 

  111.      algorithm we can handle, we should output matching UserIDs and
    112. 

  112.      the SSH version of the key. */
    113. 

  113.      
    114. 

  114. 

  115.   if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) {
    116. 

  116.     err("failed to get the usage flags for the primary key (error: %d)\n", ret);
    117. 

  117.     return ret;
    118. 

  118.   }
    119. 

  119.   if (usage & GNUTLS_KEY_KEY_AGREEMENT &&
    120. 

  120.       usage & GNUTLS_KEY_KEY_ENCIPHERMENT) {
    121. 

  121.     err("the primary key can be used for authentication and communication encryption!\n");
    122. 

  122. 

  123.     algo = gnutls_openpgp_crt_get_pk_algorithm(openpgp_crt, &bits);
    124. 

  124.     if (algo < 0) {
    125. 

  125.       err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo);
    126. 

  126.       return algo;
    127. 

  127.     } else if (algo == GNUTLS_PK_RSA) {
    128. 

  128.       
    129. 

  129.       err("OpenPGP RSA certificate, with %d bits\n", bits);
    130. 

  130.       ret = gnutls_openpgp_crt_get_pk_rsa_raw(openpgp_crt, &m, &e);
    131. 

  131.       if (GNUTLS_E_SUCCESS != ret) {
    132. 

  132.     err ("failed to export RSA key parameters (error: %d)\n", ret);
    133. 

  133.     return 1;
    134. 

  134.       }
    135. 

  135.     } else if (algo == GNUTLS_PK_DSA) {
    136. 

  136.       err("OpenPGP DSA Key, with %d bits\n", bits);
    137. 

  137.       ret = gnutls_openpgp_crt_get_pk_dsa_raw(openpgp_crt, &p, &q, &g, &y);
    138. 

  138.       if (GNUTLS_E_SUCCESS != ret) {
    139. 

  139.     err ("failed to export DSA key parameters (error: %d)\n", ret);
    140. 

  140.     return 1;
    141. 

  141.       }
    142. 

  142.     } else {
    143. 

  143.       err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo);
    144. 

  144.       return 1;
    145. 

  145.     }
    146. 

  146.     
    147. 

  147.   } else {
    148. 

  148.     err("primary key is not good for authentication and communication encryption.  Trying subkeys...\n");
    149. 

  149.     
    150. 

  150.     if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) {
    151. 

  151.       err("failed to find a subkey capable of authentication and communication encryption (error: %d)\n", ret);
    152. 

  152.       return ret;
    153. 

  153.     }
    154. 

  154.     make_keyid_printable(p_keyid, keyid);
    155. 

  155.     err("found authentication subkey %.16s\n", p_keyid);
    156. 

  156. 

  157.     ret = gnutls_openpgp_crt_get_subkey_idx(openpgp_crt, keyid);
    158. 

  158.     if (ret < 0) {
    159. 

  159.       err("could not get the index of subkey %.16s (error: %d)\n", ret);
    160. 

  160.       return ret;
    161. 

  161.     }
    162. 

  162.     keyidx = ret;
    163. 

  163. 

  164.     if (gnutls_openpgp_crt_get_subkey_revoked_status(openpgp_crt, keyidx)) {
    165. 

  165.       err("The authentication subkey was revoked!\n");
    166. 

  166.       return 1;
    167. 

  167.     }
    168. 

  168. 

  169.     if (ret = gnutls_openpgp_crt_get_subkey_usage(openpgp_crt, keyidx, &usage), ret) {
    170. 

  170.       err("could not figure out usage of subkey %.16s (error: %d)\n", p_keyid, ret);
    171. 

  171.       return ret;
    172. 

  172.     }
    173. 

  173.     if ((usage & GNUTLS_KEY_KEY_AGREEMENT) == 0 &&
    174. 

  174.     usage & GNUTLS_KEY_KEY_ENCIPHERMENT) {
    175. 

  175.       err("could not find a subkey with authentication and communication encryption.\n");
    176. 

  176.       return 1;
    177. 

  177.     }
    178. 

  178. 

  179.     /* switch, based on the algorithm in question, to extract the MPI
    180. 

  180.        components: */
    181. 

  181. 

  182.     algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(openpgp_crt, keyidx, &bits);
    183. 

  183.     if (algo < 0) {
    184. 

  184.       err("failed to get the algorithm of the authentication subkey (error: %d)\n", algo);
    185. 

  185.       return algo;
    186. 

  186.     } else if (algo == GNUTLS_PK_RSA) {
    187. 

  187.       
    188. 

  188.       err("OpenPGP RSA subkey, with %d bits\n", bits);
    189. 

  189.       ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(openpgp_crt, keyidx, &m, &e);
    190. 

  190.       if (GNUTLS_E_SUCCESS != ret) {
    191. 

  191.     err ("failed to export RSA subkey parameters (error: %d)\n", ret);
    192. 

  192.     return 1;
    193. 

  193.       }
    194. 

  194.     } else if (algo == GNUTLS_PK_DSA) {
    195. 

  195.       err("OpenPGP DSA subkey, with %d bits\n", bits);
    196. 

  196.       ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(openpgp_crt, keyidx, &p, &q, &g, &y);
    197. 

  197.       if (GNUTLS_E_SUCCESS != ret) {
    198. 

  198.     err ("failed to export DSA subkey parameters (error: %d)\n", ret);
    199. 

  199.     return 1;
    200. 

  200.       }
    201. 

  201.     } else {
    202. 

  202.       err("OpenPGP subkey was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo);
    203. 

  203.       return 1;
    204. 

  204.     }
    205. 

  205.   } 
    206. 

  206. 

  207.   /* make sure userid is NULL-terminated */
    208. 

  208.   userid[sizeof(userid) - 1] = 0;
    209. 

  209.   uidsz--;
    210. 

  210. 

  211.   /* FIXME: we're just choosing the first UserID from the certificate:
    212. 

  212.      instead, we should be selecting every User ID that is adequately
    213. 

  213.      signed and matches the spec, and aggregating them with commas for
    214. 

  214.      known_hosts output */
    215. 

  215. 

  216.   if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) {
    217. 

  217.     err("Failed to fetch the first UserID (error: %d)\n", ret);
    218. 

  218.     return ret;
    219. 

  219.   }
    220. 

  220. 

  221.   if (ret = validate_ssh_host_userid(userid), ret) {
    222. 

  222.     err("bad userid: not a valid ssh host.\n");
    223. 

  223.     return ret;
    224. 

  224.   }
    225. 

  225. 

  226.   /* remove ssh:// from the beginning of userid */
    227. 

  227.   memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://"));
    228. 

  228.   
    229. 

  229. 

  230.   /* now we have algo, and the various MPI data are set.  Can we
    231. 

  231.      export them cleanly? */
    232. 

  232. 

  233.   /* for the moment, we'll just dump the info raw, and pipe it
    234. 

  234.      externally through coreutils' /usr/bin/base64 */
    235. 

  235. 

  236.   if (algo == GNUTLS_PK_RSA) {
    237. 

  237.     algoname = "ssh-rsa";
    238. 

  238.     mpicount = 3;
    239. 

  239. 

  240.     all[0] = &algolabel;
    241. 

  241.     all[1] = &e;
    242. 

  242.     all[2] = &m;
    243. 

  243.   } else if (algo == GNUTLS_PK_DSA) {
    244. 

  244.     algoname = "ssh-dss";
    245. 

  245.     mpicount = 5;
    246. 

  246. 

  247.     all[0] = &algolabel;
    248. 

  248.     all[1] = &p;
    249. 

  249.     all[2] = &q;
    250. 

  250.     all[3] = &g;
    251. 

  251.     all[4] = &y;
    252. 

  252.   } else {
    253. 

  253.     err("no idea what this algorithm is: %d\n", algo);
    254. 

  254.     return 1;
    255. 

  255.   }
    256. 

  256. 

  257.   if (ret = datum_from_string(&algolabel, algoname), ret) {
    258. 

  258.     err("couldn't label string (error: %d)\n", ret);
    259. 

  259.     return ret;
    260. 

  260.   }
    261. 

  261. 

  262.   snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname);
    263. 

  263. 

  264.   pipefd = create_writing_pipe(&child_pid, args[0], args);
    265. 

  265.   if (pipefd < 0) {
    266. 

  266.     err("failed to create a writing pipe (returned %d)\n", pipefd);
    267. 

  267.     return pipefd;
    268. 

  268.   }
    269. 

  269.     
    270. 

  270.   write(1, output_data, strlen(output_data));
    271. 

  271. 

  272.   if (0 != write_data_fd_with_length(pipefd, all, mpicount)) {
    273. 

  273.     err("was not able to write out RSA key data\n");
    274. 

  274.     return 1;
    275. 

  275.   }
    276. 

  276.   close(pipefd);
    277. 

  277.   if (child_pid != waitpid(child_pid, &pipestatus, 0)) {
    278. 

  278.     err("could not wait for child process to return for some reason.\n");
    279. 

  279.     return 1;
    280. 

  280.   }
    281. 

  281.   if (pipestatus != 0) {
    282. 

  282.     err("base64 pipe died with return code %d\n", pipestatus);
    283. 

  283.     return pipestatus;
    284. 

  284.   }
    285. 

  285. 

  286.   write(1, "\n", 1);
    287. 

  287. 

  288. 

  289. 

  290.   gnutls_openpgp_crt_deinit(openpgp_crt);
    291. 

  291.   gnutls_global_deinit();
    292. 

  292.   return 0;
    293. 

  293. }
    294.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-23 03:22:26 +0000