- #include "gnutls-helpers.h"
- #include <gnutls/openpgp.h>
- #include <gnutls/x509.h>
- /* for waitpid() */
- #include <sys/types.h>
- #include <sys/wait.h>
- /*
- Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: 2008-06-12 13:47:41-0400
- License: GPL v3 or later
- monkeysphere key translator: execute this with an OpenPGP key on
- stdin, (please indicate the specific keyid that you want as the
- first argument if there are subkeys). At the moment, only public
- keys and passphraseless secret keys work.
- For secret keys, it will spit out a PEM-encoded version of the key
- on stdout, which can be fed into ssh-add like this:
- gpg --export-secret-keys $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
- For public keys, it will spit out a single line of text that can
- (with some massaging) be used in an openssh known_hosts or
- authorized_keys file. For example:
- echo server.example.org $(gpg --export $KEYID | openpgp2ssh $KEYID) >> ~/.ssh/known_hosts
- Requirements: I've only built this so far with GnuTLS v2.3.x.
- GnuTLS 2.2.x does not contain the appropriate functionality.
- */
- /* FIXME: keyid should be const as well */
- int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_openpgp_privkey_t* pgp_privkey, const unsigned char* keyfpr, unsigned int fprlen) {
- gnutls_datum_t m, e, d, p, q, u, g, y, x;
- gnutls_pk_algorithm_t pgp_algo;
- unsigned int pgp_bits;
- int ret;
- int subkeyidx;
- int subkeycount;
- int found = 0;
- unsigned char fingerprint[20];
- size_t fingerprint_length = sizeof(fingerprint);
- init_datum(&m);
- init_datum(&e);
- init_datum(&d);
- init_datum(&p);
- init_datum(&q);
- init_datum(&u);
- init_datum(&g);
- init_datum(&y);
- init_datum(&x);
- subkeycount = gnutls_openpgp_privkey_get_subkey_count(*pgp_privkey);
- if (subkeycount < 0) {
- err(0,"Could not determine subkey count (got value %d)\n", subkeycount);
- return 1;
- }
- if ((keyfpr == NULL) &&
- (subkeycount > 0)) {
- err(0,"No key identifier passed in, but there were %d keys to choose from\n", subkeycount + 1);
- return 1;
- }
- if (keyfpr != NULL) {
- ret = gnutls_openpgp_privkey_get_fingerprint(*pgp_privkey, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get fingerprint (error: %d)\n", ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(0, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- }
- if ((keyfpr == NULL) || (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0)) {
- /* we want to export the primary key: */
- err(0,"exporting primary key\n");
- /* FIXME: this is almost identical to the block below for subkeys.
- This clumsiness seems inherent in the gnutls OpenPGP API,
- though. ugh. */
- pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(*pgp_privkey, &pgp_bits);
- if (pgp_algo < 0) {
- err(0, "failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo);
- return 1;
- }
- if (pgp_algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA Key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_rsa_raw(*pgp_privkey, &m, &e, &d, &p, &q, &u);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0, "failed to export RSA key parameters (error: %d)\n", ret);
- return 1;
- }
-
- } else if (pgp_algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_dsa_raw(*pgp_privkey, &p, &q, &g, &y, &x);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA key parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
- } else {
- /* lets trawl through the subkeys until we find the one we want: */
- for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) {
- ret = gnutls_openpgp_privkey_get_subkey_fingerprint(*pgp_privkey, subkeyidx, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get fingerprint of subkey with index %d (error: %d)\n", subkeyidx, ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(1, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- if (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0) {
- err(0,"exporting subkey index %d\n", subkeyidx);
- /* FIXME: this is almost identical to the block above for the
- primary key. */
- pgp_algo = gnutls_openpgp_privkey_get_subkey_pk_algorithm(*pgp_privkey, subkeyidx, &pgp_bits);
- if (pgp_algo < 0) {
- err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", pgp_algo);
- return pgp_algo;
- } else if (pgp_algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_subkey_rsa_raw(*pgp_privkey, subkeyidx, &m, &e, &d, &p, &q, &u);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export RSA key parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (pgp_algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_subkey_dsa_raw(*pgp_privkey, subkeyidx, &p, &q, &g, &y, &x);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA key parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
- }
- }
- }
- if (!found) {
- err(0,"Could not find key in input\n");
- return 1;
- }
- if (pgp_algo == GNUTLS_PK_RSA) {
- ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0, "failed to import RSA key parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (pgp_algo == GNUTLS_PK_DSA) {
- ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to import DSA key parameters (error: %d)\n", ret);
- return 1;
- }
- } else {
- err(0,"OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", pgp_algo);
- return 1;
- }
-
- ret = gnutls_x509_privkey_fix(*output);
- if (ret != 0) {
- err(0,"failed to fix up the private key in X.509 format (error: %d)\n", ret);
- return 1;
- }
- return 0;
- }
- /* FIXME: keyid should be const also */
- int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, const unsigned char* keyfpr, size_t fprlen) {
- int ret;
- int subkeyidx;
- int subkeycount;
- int found = 0;
- gnutls_datum_t m, e, p, q, g, y, algolabel;
- unsigned int bits;
- gnutls_pk_algorithm_t algo;
- const gnutls_datum_t* all[5];
- const char* algoname;
- int mpicount;
- /* output_data must be at least 2 chars longer than the maximum possible
- algorithm name: */
- char output_data[20];
- unsigned char fingerprint[20];
- size_t fingerprint_length = sizeof(fingerprint);
- /* variables for the output conversion: */
- int pipestatus;
- int pipefd, child_pid;
- char* const b64args[] = {"/usr/bin/base64", "--wrap=0", NULL};
- init_datum(&m);
- init_datum(&e);
- init_datum(&p);
- init_datum(&q);
- init_datum(&g);
- init_datum(&algolabel);
- /* figure out if we've got the right thing: */
- subkeycount = gnutls_openpgp_crt_get_subkey_count(*pgp_crt);
- if (subkeycount < 0) {
- err(0,"Could not determine subkey count (got value %d)\n", subkeycount);
- return 1;
- }
- if ((keyfpr == NULL) &&
- (subkeycount > 0)) {
- err(0,"No key identifier passed in, but there were %d keys to choose from\n", subkeycount + 1);
- return 1;
- }
- if (keyfpr != NULL) {
- ret = gnutls_openpgp_crt_get_fingerprint(*pgp_crt, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get key fingerprint (error: %d)\n", ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(0, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- }
- if ((keyfpr == NULL) || (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0)) {
- /* we want to export the primary key: */
- err(0,"exporting primary key\n");
- /* FIXME: this is almost identical to the block below for subkeys.
- This clumsiness seems inherent in the gnutls OpenPGP API,
- though. ugh. */
- algo = gnutls_openpgp_crt_get_pk_algorithm(*pgp_crt, &bits);
- if (algo < 0) {
- err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo);
- return algo;
- } else if (algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_pk_rsa_raw(*pgp_crt, &m, &e);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export RSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_pk_dsa_raw(*pgp_crt, &p, &q, &g, &y);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
- } else {
- /* lets trawl through the subkeys until we find the one we want: */
- for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) {
- ret = gnutls_openpgp_crt_get_subkey_fingerprint(*pgp_crt, subkeyidx, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get fingerprint of subkey with index %d (error: %d)\n", subkeyidx, ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(1, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- if (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0) {
- err(0,"exporting subkey index %d\n", subkeyidx);
- /* FIXME: this is almost identical to the block above for the
- primary key. */
- algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(*pgp_crt, subkeyidx, &bits);
- if (algo < 0) {
- err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo);
- return algo;
- } else if (algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(*pgp_crt, subkeyidx, &m, &e);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export RSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(*pgp_crt, subkeyidx, &p, &q, &g, &y);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
-
- }
- }
- }
- if (!found) {
- err(0,"Could not find key in input\n");
- return 1;
- }
- /* if we made it this far, we've got MPIs, and we've got the
- algorithm, so we just need to emit the info */
- if (algo == GNUTLS_PK_RSA) {
- algoname = "ssh-rsa";
- mpicount = 3;
- all[0] = &algolabel;
- all[1] = &e;
- all[2] = &m;
- } else if (algo == GNUTLS_PK_DSA) {
- algoname = "ssh-dss";
- mpicount = 5;
- all[0] = &algolabel;
- all[1] = &p;
- all[2] = &q;
- all[3] = &g;
- all[4] = &y;
- } else {
- err(0,"Key algorithm was neither DSA nor RSA (it was %d). Can't deal. Sorry!\n", algo);
- return 1;
- }
- if (ret = datum_from_string(&algolabel, algoname), ret) {
- err(0,"couldn't label string (error: %d)\n", ret);
- return ret;
- }
- snprintf(output_data, sizeof(output_data), "%s ", algoname);
- pipefd = create_writing_pipe(&child_pid, b64args[0], b64args);
- if (pipefd < 0) {
- err(0,"failed to create a writing pipe (returned %d)\n", pipefd);
- return pipefd;
- }
-
- write(1, output_data, strlen(output_data));
- if (0 != write_data_fd_with_length(pipefd, all, mpicount)) {
- err(0,"was not able to write out RSA key data\n");
- return 1;
- }
- close(pipefd);
- if (child_pid != waitpid(child_pid, &pipestatus, 0)) {
- err(0,"could not wait for child process to return for some reason.\n");
- return 1;
- }
- if (pipestatus != 0) {
- err(0,"base64 pipe died with return code %d\n", pipestatus);
- return pipestatus;
- }
- write(1, "\n", 1);
-
- return 0;
- }
- int main(int argc, char* argv[]) {
- gnutls_datum_t data;
- int ret = 0;
- gnutls_x509_privkey_t x509_privkey;
- gnutls_openpgp_privkey_t pgp_privkey;
- gnutls_openpgp_crt_t pgp_crt;
- char output_data[10240];
- size_t ods = sizeof(output_data);
-
- unsigned char * fingerprint = NULL;
- size_t fpr_size;
- char * prettyfpr = NULL;
- init_gnutls();
- /* figure out what key we should be looking for: */
- if (argv[1] != NULL) {
- if (strlen(argv[1]) > 81) {
- /* safety check to avoid some sort of wacky overflow situation:
- there's no reason that the key id should be longer than twice
- a sane fingerprint (one byte between chars, and then another
- two at the beginning and end) */
- err(0, "Key identifier is way too long. Please use at most 40 hex digits.\n");
- return 1;
- }
- fpr_size = hexstring2bin(NULL, argv[1]);
- if (fpr_size > 40*4) {
- err(0, "Key identifier is longer than 40 hex digits\n");
- return 1;
- }
- /* since fpr_size is initially in bits: */
- if (fpr_size % 8 != 0) {
- err(0, "Please provide an even number of hex digits for the key identifier\n");
- return 1;
- }
- fpr_size /= 8;
- fingerprint = malloc(sizeof(unsigned char) * fpr_size);
- bzero(fingerprint, sizeof(unsigned char) * fpr_size);
- hexstring2bin(fingerprint, argv[1]);
- prettyfpr = malloc(sizeof(unsigned char)*fpr_size*2 + 1);
- if (prettyfpr != NULL) {
- hex_print_data(prettyfpr, fingerprint, fpr_size);
- prettyfpr[sizeof(unsigned char)*fpr_size*2] = '\0';
- err(1, "searching for key with fingerprint '%s'\n", prettyfpr);
- free(prettyfpr);
- }
- if (fpr_size < 4) {
- err(0, "You MUST provide at least 8 hex digits in any key identifier\n");
- return 1;
- }
- if (fpr_size < 8)
- err(0, "You should provide at least 16 hex digits in any key identifier (proceeding with %d digits anyway)\n", fpr_size*2);
-
- }
-
- init_datum(&data);
- /* slurp in the key from stdin */
- if (ret = set_datum_fd(&data, 0), ret) {
- err(0,"didn't read file descriptor 0\n");
- return 1;
- }
- if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) {
- err(0,"Failed to initialized OpenPGP private key (error: %d)\n", ret);
- return 1;
- }
- /* check whether it's a private key or a public key, by trying them: */
- if ((gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_RAW, NULL, 0) == 0) ||
- (gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0) == 0)) {
- /* we're dealing with a private key */
- err(0,"Translating private key\n");
- if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) {
- err(0,"Failed to initialize X.509 private key for output (error: %d)\n", ret);
- return 1;
- }
-
- ret = convert_private_pgp_to_x509(&x509_privkey, &pgp_privkey, fingerprint, fpr_size);
- gnutls_openpgp_privkey_deinit(pgp_privkey);
- if (ret)
- return ret;
- ret = gnutls_x509_privkey_export (x509_privkey,
- GNUTLS_X509_FMT_PEM,
- output_data,
- &ods);
- if (ret == 0) {
- write(1, output_data, ods);
- }
- gnutls_x509_privkey_deinit(x509_privkey);
-
- } else {
- if (ret = gnutls_openpgp_crt_init(&pgp_crt), ret) {
- err(0,"Failed to initialized OpenPGP certificate (error: %d)\n", ret);
- return 1;
- }
-
- if ((gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW) == 0) ||
- (gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64) == 0)) {
- /* we're dealing with a public key */
- err(0,"Translating public key\n");
- ret = emit_public_openssh_from_pgp(&pgp_crt, fingerprint, fpr_size);
- if (ret != 0)
- return ret;
-
- } else {
- /* we have no idea what kind of key this is at all anyway! */
- err(0,"Input does not contain any form of OpenPGP key I recognize.\n");
- return 1;
- }
- }
- gnutls_global_deinit();
- free(fingerprint);
- return 0;
- }
|