summaryrefslogtreecommitdiff
path: root/src/share/ma/add_certifier
blob: bd41f23966e2c46958ed150e9cc4e3450b0d28a7 (plain) 
    

  1. # -*-shell-script-*-
    2. 

  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
    3. 

  3. 

  4. # Monkeysphere authentication add-certifier subcommand
    5. 

  5. #
    6. 

  6. # This function adds a certifier whose signatures will be used to
    7. 

  7. # calculate validity of keys used to connect to user accounts on the
    8. 

  8. # server.  The specified certifier key is first retrieved from the Web
    9. 

  9. # of Trust with the monkeysphere-user-controlled gpg_sphere keyring.
    10. 

  10. # Once then new key is retrieved, it is imported into the core
    11. 

  11. # keyring.  The gpg_core then ltsigns the key with the desired trust
    12. 

  12. # level, and then the key is exported back to the gpg_sphere keyring.
    13. 

  13. # The gpg_sphere has ultimate owner trust of the core key, so the core
    14. 

  14. # ltsigs on the new certifier key can then be used by gpg_sphere
    15. 

  15. # calculate validity for keys inserted in the authorized_keys file.
    16. 

  16. #
    17. 

  17. # This is all to keep the monkeysphere user that connects to the
    18. 

  18. # keyservers from accessing the core secret key.
    19. 

  19. #
    20. 

  20. # The monkeysphere scripts are written by:
    21. 

  21. # Jameson Rollins <jrollins@finestructure.net>
    22. 

  22. # Jamie McClelland <jm@mayfirst.org>
    23. 

  23. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    24. 

  24. #
    25. 

  25. # They are Copyright 2008-2009, and are all released under the GPL,
    26. 

  26. # version 3 or later.
    27. 

  27. 

  28. add_certifier() {
    29. 

  29. 

  30. local domain=
    31. 

  31. local trust=full
    32. 

  32. local depth=1
    33. 

  33. local keyID
    34. 

  34. local importinfo
    35. 

  35. local fingerprint
    36. 

  36. local ltsignCommand
    37. 

  37. local trustval
    38. 

  38. 

  39. # get options
    40. 

  40. while true ; do
    41. 

  41.     case "$1" in
    42. 

  42.     -n|--domain)
    43. 

  43.         domain="$2"
    44. 

  44.         shift 2
    45. 

  45.         ;;
    46. 

  46.     -t|--trust)
    47. 

  47.         trust="$2"
    48. 

  48.         shift 2
    49. 

  49.         ;;
    50. 

  50.     -d|--depth)
    51. 

  51.         depth="$2"
    52. 

  52.         shift 2
    53. 

  53.         ;;
    54. 

  54.     *)
    55. 

  55.         if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
    56. 

  56.         failure "Unknown option '$1'.
    57. 

  57. Type '$PGRM help' for usage."
    58. 

  58.         fi
    59. 

  59.         break
    60. 

  60.         ;;
    61. 

  61.     esac
    62. 

  62. done
    63. 

  63. 

  64. keyID="$1"
    65. 

  65. if [ -z "$keyID" ] ; then
    66. 

  66.     failure "You must specify the key ID of a key to add, or specify a file to read the key from."
    67. 

  67. fi
    68. 

  68. if [ -f "$keyID" ] ; then
    69. 

  69.     log info "Reading key from file '$keyID':"
    70. 

  70. 

  71.     fingerprints=$(su_monkeysphere_user \
    72. 

  72.     ". ${SYSSHAREDIR}/common; list_primary_fingerprints" < "$keyID")
    73. 

  73. 

  74.     if [ $(printf "%s" "$fingerprints" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
    75. 

  75.     failure "There was not exactly one gpg key in the file."
    76. 

  76.     fi
    77. 

  77. 

  78.     gpg_sphere "--import" < "$keyID" || failure "could not read key from '$keyID'"
    79. 

  79. 

  80.     keyID="$fingerprints"
    81. 

  81. else
    82. 

  82.     # get the key from the key server
    83. 

  83.     log debug "retrieving key from keyserver..."
    84. 

  84.     gpg_sphere "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
    85. 

  85. fi
    86. 

  86. 

  87. export keyID
    88. 

  88. 

  89. # get the full fingerprint of new certifier key
    90. 

  90. log debug "getting fingerprint of certifier key..."
    91. 

  91. fingerprint=$(gpg_sphere "--list-key --with-colons --with-fingerprint 0x${keyID}!" \
    92. 

  92.     | grep '^fpr:' | grep "$keyID" | cut -d: -f10)
    93. 

  93. 

  94. if [ -z "$fingerprint" ] ; then
    95. 

  95.     failure "Key '$keyID' not found."
    96. 

  96. fi
    97. 

  97. 

  98. log info "key found:"
    99. 

  99. gpg_sphere "--fingerprint 0x${fingerprint}!"
    100. 

  100. 

  101. if [ "$PROMPT" = "true" ] ; then
    102. 

  102.     echo "Are you sure you want to add the above key as a"
    103. 

  103.     read -p "certifier of users on this system? (Y/n) " OK; OK=${OK:-Y}
    104. 

  104.     if [ "${OK/y/Y}" != 'Y' ] ; then
    105. 

  105.     failure "Identity certifier not added."
    106. 

  106.     fi
    107. 

  107. else
    108. 

  108.     log debug "adding key without prompting."
    109. 

  109. fi
    110. 

  110. 

  111. # export the key to the core keyring so that the core can sign the
    112. 

  112. # new certifier key
    113. 

  113. log debug "exporting retrieved certifier key to core keyring..."
    114. 

  114. gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import
    115. 

  115. 

  116. case "$trust" in
    117. 

  117.     'marginal')
    118. 

  118.     trustval=1
    119. 

  119.     ;;
    120. 

  120.     'full')
    121. 

  121.     trustval=2
    122. 

  122.     ;;
    123. 

  123.     *)
    124. 

  124.     failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
    125. 

  125.     ;;
    126. 

  126. esac
    127. 

  127. 

  128. # edit-key script to ltsign key
    129. 

  129. # NOTE: *all* user IDs will be ltsigned
    130. 

  130. ltsignCommand=$(cat <<EOF
    131. 

  131. ltsign
    132. 

  132. y
    133. 

  133. $trustval
    134. 

  134. $depth
    135. 

  135. $domain
    136. 

  136. y
    137. 

  137. save
    138. 

  138. EOF
    139. 

  139.     )
    140. 

  140. 

  141. # core ltsigns the newly imported certifier key
    142. 

  142. log debug "executing core ltsign script..."
    143. 

  143. if echo "$ltsignCommand" | \
    144. 

  144.     gpg_core --command-fd 0 --edit-key "0x${fingerprint}!" ; then
    145. 

  145. 

  146.     # transfer the new sigs back to the sphere keyring
    147. 

  147.     gpg_core_sphere_sig_transfer
    148. 

  148. 

  149.     # update the sphere trustdb
    150. 

  150.     log debug "updating sphere trustdb..."
    151. 

  151.     gpg_sphere "--check-trustdb" 2>&1 | log debug
    152. 

  152. 

  153.     log info "Identity certifier added."
    154. 

  154. else
    155. 

  155.     failure "Problem adding identify certifier."
    156. 

  156. fi
    157. 

  157. 

  158. }
    159.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-03 01:46:28 +0000