README

@@ -24,4 +24,4 @@ Monkeysphere depends on:
  * Perl's Crypt::OpenSSL::RSA module
  * lockfile-progs or procmail's lockfile
  * Bash
- * OpenSSH's ssh-keygen utility (ideally >= 6.0)
+ * OpenSSH's ssh-keygen utility (>= 6.0)

examples/make-x509-certreqs

@@ -13,7 +13,7 @@
 
 # This script uses bashisms
 
-# It currently needs OpenSSL binaries to work properly
+# It currently needs OpenSSL binaries, gpg, and gpgsm to work properly
 
 # It assumes that the monkeysphere-host keyring is in
 # /var/lib/monkeysphere/host (which it is on debian)
@@ -67,23 +67,40 @@ EOF
 }
 
 gencertreq() {
-    keyid="$1"
+    local keyid="$1"
     
-    timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:)
+    # It would be great to be able to do all of this with gpgsm
+    # directly.  See https://dev.gnupg.org/T4503 for why we need to
+    # use OpenSSL for now.
 
-    san=''
-    primary=''
+    local timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | awk -F: '/^pub:/{ print $6 }')
+    local keygrip=$(gpg --fixed-list-mode --with-keygrip --with-colons --list-keys "0x$keyid!" | awk -F: '/^grp:/{ print $10 }')
+    
+    local primary
 # find all the $proto-using User IDs:
-    uids=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \
+    local uids=$(gpg --fixed-list-mode --with-colons --list-keys \&"$keygrip" | \
         grep '^uid:' | cut -f10 -d: | \
         grep '^'"${proto}"'\\x3a//' | \
         sed -r -e 's!^'"${proto}"'\\x3a//!!' -e 's!:[0-9]+$!!')
     primary=$(printf "%s" "$uids" | head -n1)
 
+    # does gpgsm know about this key?
+    if ! gpgsm --with-colons --with-keygrip --list-keys \&"$keygrip" | grep -q ^grp: ; then
+        # ensure that gpgsm has a dummy self-signed cert; otherwise, it
+        # cannot emit the secret key in the necessary form.
+        local batchcmd="Key-Type: RSA
+Key-Grip: $keygrip
+Name-DN: CN=$primary (monkeysphere dummy self-signed)
+Serial: $keygrip
+%commit"
+        local dummycert="$(gpgsm --armor --batch --generate-key <<<"$batchcmd")"
+        gpgsm --import <<<"$dummycert"
+   fi
+
     printf "Certificate Request for TLS WWW server %s\n[OpenPGP key %s]\n" "$primary" "$keyid"
     openssl req -text -new \
         -config <(get_openssl_config "$timestamp" "$uids") \
-        -key <(gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid") \
+        -key <(gpgsm --armor --export-secret-key-raw \&"$keygrip") \
         -subj "/CN=${primary}/"
 }
 

man/man8/monkeysphere-host.8

@@ -29,7 +29,7 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
 .B import\-key FILE SCHEME://HOSTNAME[:PORT]
 Import an SSH host secret key from file FILE.  If FILE is
 `\-', then the key will be imported from stdin, and must be an
-RSA key in PEM\-encoded format.
+RSA key.
 SCHEME://HOSTNAME[:PORT] is used to specify
 the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
 used in the user ID of the new OpenPGP key (e.g. ssh://example.net or

src/monkeysphere

@@ -246,8 +246,7 @@ case $COMMAND in
 	;;
 
     'import-subkey'|'import'|'i')
-	source "${MSHAREDIR}/import_subkey"
-	import_subkey "$@"
+        failure "import-subkey is not implemented yet. (see https://dev.gnupg.org/T4489)"
 	;;
 
     'gen-subkey'|'g')

src/share/keytrans

@@ -36,7 +36,7 @@
 # Example usage:
 
 # gpg --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \
-#  openpgp2ssh $KEYID | ssh-add /dev/stdin
+#  openpgp2ssh $KEYID | ssh-add -
 
 
 # Authors:

src/share/m/import_subkey

-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere import-subkey subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Jamie McClelland <jm@mayfirst.org>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2009, and are all released under the GPL,
-# version 3 or later.
-
-# import an existing ssh key as a gpg subkey
-
-## 2009-02-20 00:49:11-0500: This is not implemented yet, because we
-## don't currently have a good way to manipulate the user's OpenPGP
-## secret key such that we could make a proper subkey binding
-## signature.
-
-import_subkey() {
-    local sshKeyFile
-    local keyID
-    local gpgSecOut
-    local fifoDir
-
-    # FIXME: implement!
-    failure "import-subkey is not implemented yet.  We welcome patches.  Sorry!"
-
-    sshKeyFile="$1"
-    shift
-
-    # check that key file specified
-    if [ -z "$sshKeyFile" ] ; then
-	failure "Must specify ssh key file to import, or specify '-' for stdin."
-    fi
-
-    # check that the keyID is unique
-    keyID=$(check_gpg_sec_key_id "$@")
-
-    # check that an authentication subkey does not already exist
-    check_gpg_authentication_subkey "$keyID"
-
-    # setup the temp fifo dir for retrieving the key password
-    log debug "creating password fifo..."
-    fifoDir=$(msmktempdir)
-    trap "rm -rf $fifoDir" EXIT
-    (umask 077 && mkfifo "$fifoDir/pass")
-
-    # import ssh key to as authentication subkey
-    if [ "$sshKeyFile" = '-' ] ; then
-	log verbose "importing ssh key from stdin..."
-	PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
-	    | gpg_user --batch --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
-    else
-	log verbose "importing ssh key from file '$sshKeyFile'..."
-	PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" <"$sshKeyFile" \
-	    | gpg_user --batch --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
-    fi
-
-    # get the password if needed
-    passphrase_prompt  "Please enter your passphrase for $keyID: " "$fifoDir/pass"
-
-    trap - EXIT
-    rm -rf "$fifoDir"
-    wait
-    log verbose "done."
-}

src/share/ma/setup

@@ -70,10 +70,8 @@ EOF
 
 	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(dd if=/dev/urandom bs=21 count=1 2>/dev/null | perl -MMIME::Base64 -ne 'print encode_base64($_)'))
     
-	printf "generating monkeysphere authentication trust core key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
-	PEM2OPENPGP_USAGE_FLAGS=certify \
-	    PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \
-	    | gpg_core --import \
+	printf "generating monkeysphere authentication trust core RSA key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
+        gpg_core --pinentry-mode=loopback --passphrase '' --quick-generate-key "$CORE_UID" "rsa$CORE_KEYLENGTH" cert \
             || failure "Could not import new key for Monkeysphere authentication trust core"
 
 	# get fingerprint of core key.  should definitely not be empty at this point

src/share/mh/import_key

@@ -69,13 +69,15 @@ key_type_from_file() {
 
 
 if [ "$keyFile" = '-' ] ; then
-    # import PEM-encoded RSA stdin to an OpenPGP private key
-    log verbose "importing PEM-encoded RSA key from stdin..."
-    PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
-	| gpg_host --import
+    # stdin we just assume is RSA, since we don't get a chance to scan it twice:
+    log verbose "importing RSA key from stdin..."
+    keyType=RSA
 else
-    # import some sort of file that OpenSSH's keygen can handle
-    if keyType=$(key_type_from_file "$keyFile"); then
+    # import some sort of file that OpenSSH's ssh-keygen can handle
+    # if it turns out that ssh-keygen can't handle it, this should fail, and we'll abort.
+    keyType=$(key_type_from_file "$keyFile")
+fi
+
 # we lock to avoid concurrent interactions with gpg-agent and
 # the sshcontrol file would be dubious
 lock create "$GNUPGHOME_HOST/importlock"
@@ -109,13 +111,6 @@ EOF
 fi
 rm -f "$GNUPGHOME_HOST/sshcontrol"
 lock remove "$GNUPGHOME_HOST/importlock"
-    else
-        log error "falling back to pem2openpgp (which will probably still fail)..."
-        PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
-	                       <"$keyFile" \
-	    | gpg_host --import
-    fi
-fi
 
 # export to OpenPGP public key to file
 update_pgp_pub_file