......@@ -24,4 +24,4 @@ Monkeysphere depends on:
* Perl's Crypt::OpenSSL::RSA module
* lockfile-progs or procmail's lockfile
* Bash
* OpenSSH's ssh-keygen utility (ideally >= 6.0)
* OpenSSH's ssh-keygen utility (>= 6.0)
......@@ -13,7 +13,7 @@
# This script uses bashisms
# It currently needs OpenSSL binaries to work properly
# It currently needs OpenSSL binaries, gpg, and gpgsm to work properly
# It assumes that the monkeysphere-host keyring is in
# /var/lib/monkeysphere/host (which it is on debian)
......@@ -67,23 +67,40 @@ EOF
}
gencertreq() {
keyid="$1"
local keyid="$1"
timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:)
# It would be great to be able to do all of this with gpgsm
# directly. See https://dev.gnupg.org/T4503 for why we need to
# use OpenSSL for now.
local timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | awk -F: '/^pub:/{ print $6 }')
local keygrip=$(gpg --fixed-list-mode --with-keygrip --with-colons --list-keys "0x$keyid!" | awk -F: '/^grp:/{ print $10 }')
san=''
primary=''
local primary
# find all the $proto-using User IDs:
uids=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \
local uids=$(gpg --fixed-list-mode --with-colons --list-keys \&"$keygrip" | \
grep '^uid:' | cut -f10 -d: | \
grep '^'"${proto}"'\\x3a//' | \
sed -r -e 's!^'"${proto}"'\\x3a//!!' -e 's!:[0-9]+$!!')
primary=$(printf "%s" "$uids" | head -n1)
# does gpgsm know about this key?
if ! gpgsm --with-colons --with-keygrip --list-keys \&"$keygrip" | grep -q ^grp: ; then
# ensure that gpgsm has a dummy self-signed cert; otherwise, it
# cannot emit the secret key in the necessary form.
local batchcmd="Key-Type: RSA
Key-Grip: $keygrip
Name-DN: CN=$primary (monkeysphere dummy self-signed)
Serial: $keygrip
%commit"
local dummycert="$(gpgsm --armor --batch --generate-key <<<"$batchcmd")"
gpgsm --import <<<"$dummycert"
fi
printf "Certificate Request for TLS WWW server %s\n[OpenPGP key %s]\n" "$primary" "$keyid"
openssl req -text -new \
-config <(get_openssl_config "$timestamp" "$uids") \
-key <(gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid") \
-key <(gpgsm --armor --export-secret-key-raw \&"$keygrip") \
-subj "/CN=${primary}/"
}
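Review bot: The keygrip captured on the new `local keygrip=$(...)` line is never validated before it is used as the `\&"$keygrip"` selector and as `Key-Grip:` in the gpgsm batch template, so an empty value (no `grp:` line for 0x$keyid) becomes a bare `&` lookup and a `Key-Grip:` with nothing after it, which I would expect to make gpgsm mint a fresh RSA key instead of wrapping the host key — confirm against gpgsm's batch handling. Because `local x=$(cmd)` also hides gpg's exit status, split the declaration and fail fast: `local keygrip`, then `keygrip=$(gpg --fixed-list-mode --with-keygrip --with-colons --list-keys "0x$keyid!" | awk -F: '/^grp:/{ print $10; exit }')`, then `[ -n "$keygrip" ] || { printf 'no keygrip for 0x%s\n' "$keyid" >&2; return 1; }`; the `exit` in awk also stops a subkey's `grp:` line from being appended when the certificate carries more than one key. In the same spirit, `gpgsm --batch --generate-key` and `gpgsm --import` in the new branch are unchecked, so a failed dummy-cert creation is only noticed when `--export-secret-key-raw` hands openssl an empty key. `$primary` is a User ID read from the key and is interpolated unescaped into `Name-DN`, so a UID containing `,` or `=` would alter the DN structure; the UID is under the key owner's control, so this is a robustness rather than a trust-boundary issue.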
......
......@@ -29,7 +29,7 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
.B import\-key FILE SCHEME://HOSTNAME[:PORT]
Import an SSH host secret key from file FILE. If FILE is
`\-', then the key will be imported from stdin, and must be an
RSA key in PEM\-encoded format.
RSA key.
SCHEME://HOSTNAME[:PORT] is used to specify
the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
used in the user ID of the new OpenPGP key (e.g. ssh://example.net or
......
......@@ -246,8 +246,7 @@ case $COMMAND in
;;
'import-subkey'|'import'|'i')
source "${MSHAREDIR}/import_subkey"
import_subkey "$@"
failure "import-subkey is not implemented yet. (see https://dev.gnupg.org/T4489)"
;;
'gen-subkey'|'g')
......
......@@ -36,7 +36,7 @@
# Example usage:
# gpg --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \
# openpgp2ssh $KEYID | ssh-add /dev/stdin
# openpgp2ssh $KEYID | ssh-add -
# Authors:
......
# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
# Monkeysphere import-subkey subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.
# import an existing ssh key as a gpg subkey
## 2009-02-20 00:49:11-0500: This is not implemented yet, because we
## don't currently have a good way to manipulate the user's OpenPGP
## secret key such that we could make a proper subkey binding
## signature.
import_subkey() {
local sshKeyFile
local keyID
local gpgSecOut
local fifoDir
# FIXME: implement!
failure "import-subkey is not implemented yet. We welcome patches. Sorry!"
sshKeyFile="$1"
shift
# check that key file specified
if [ -z "$sshKeyFile" ] ; then
failure "Must specify ssh key file to import, or specify '-' for stdin."
fi
# check that the keyID is unique
keyID=$(check_gpg_sec_key_id "$@")
# check that an authentication subkey does not already exist
check_gpg_authentication_subkey "$keyID"
# setup the temp fifo dir for retrieving the key password
log debug "creating password fifo..."
fifoDir=$(msmktempdir)
trap "rm -rf $fifoDir" EXIT
(umask 077 && mkfifo "$fifoDir/pass")
# import ssh key to as authentication subkey
if [ "$sshKeyFile" = '-' ] ; then
log verbose "importing ssh key from stdin..."
PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
| gpg_user --batch --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
else
log verbose "importing ssh key from file '$sshKeyFile'..."
PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" <"$sshKeyFile" \
| gpg_user --batch --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
fi
# get the password if needed
passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass"
trap - EXIT
rm -rf "$fifoDir"
wait
log verbose "done."
}
......@@ -70,11 +70,9 @@ EOF
local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(dd if=/dev/urandom bs=21 count=1 2>/dev/null | perl -MMIME::Base64 -ne 'print encode_base64($_)'))
printf "generating monkeysphere authentication trust core key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
PEM2OPENPGP_USAGE_FLAGS=certify \
PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \
| gpg_core --import \
|| failure "Could not import new key for Monkeysphere authentication trust core"
printf "generating monkeysphere authentication trust core RSA key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
gpg_core --pinentry-mode=loopback --passphrase '' --quick-generate-key "$CORE_UID" "rsa$CORE_KEYLENGTH" cert \
|| failure "Could not import new key for Monkeysphere authentication trust core"
# get fingerprint of core key. should definitely not be empty at this point
CORE_FPR=$(core_fingerprint)
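Review bot: The new `--quick-generate-key` call passes no expire argument, so the trust core key gets gpg's default expiry for quick-generated keys (two years in GnuPG 2.2+, as far as I recall — verify for the versions you target), whereas the pem2openpgp path it replaces produced a non-expiring key; an expiring core key would silently stop certifying after that period, so state it explicitly, `gpg_core --pinentry-mode=loopback --passphrase '' --quick-generate-key "$CORE_UID" "rsa$CORE_KEYLENGTH" cert never`. The `failure` message on the following line still says "Could not import new key" although nothing is imported anymore; `failure "Could not generate new key for Monkeysphere authentication trust core"` describes the new path. The enclosing setup function starts before and continues after this hunk.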
......
......@@ -69,32 +69,34 @@ key_type_from_file() {
if [ "$keyFile" = '-' ] ; then
# import PEM-encoded RSA stdin to an OpenPGP private key
log verbose "importing PEM-encoded RSA key from stdin..."
PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
| gpg_host --import
# stdin we just assume is RSA, since we don't get a chance to scan it twice:
log verbose "importing RSA key from stdin..."
keyType=RSA
else
# import some sort of file that OpenSSH's keygen can handle
if keyType=$(key_type_from_file "$keyFile"); then
# we lock to avoid concurrent interactions with gpg-agent and
# the sshcontrol file would be dubious
lock create "$GNUPGHOME_HOST/importlock"
if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
fi
log verbose "importing $keyType key from file '$keyFile'..."
if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
fi
SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
gpg_host --batch --full-generate-key <<EOF
# import some sort of file that OpenSSH's ssh-keygen can handle
# if it turns out that ssh-keygen can't handle it, this should fail, and we'll abort.
keyType=$(key_type_from_file "$keyFile")
fi
# we lock to avoid concurrent interactions with gpg-agent and
# the sshcontrol file would be dubious
lock create "$GNUPGHOME_HOST/importlock"
if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
fi
log verbose "importing $keyType key from file '$keyFile'..."
if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
fi
SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
gpg_host --batch --full-generate-key <<EOF
Key-Type: $keyType
Key-Grip: $keyGrip
Key-Usage: auth
......@@ -102,20 +104,13 @@ Name-Real: $serviceName
%no-protection
%commit
EOF
else
rm -f "$GNUPGHOME_HOST/sshcontrol"
lock remove "$GNUPGHOME_HOST/importlock"
failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
fi
rm -f "$GNUPGHOME_HOST/sshcontrol"
lock remove "$GNUPGHOME_HOST/importlock"
else
log error "falling back to pem2openpgp (which will probably still fail)..."
PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
<"$keyFile" \
| gpg_host --import
fi
else
rm -f "$GNUPGHOME_HOST/sshcontrol"
lock remove "$GNUPGHOME_HOST/importlock"
failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
fi
rm -f "$GNUPGHOME_HOST/sshcontrol"
lock remove "$GNUPGHOME_HOST/importlock"
# export to OpenPGP public key to file
update_pgp_pub_file
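Review bot: `keyType=$(key_type_from_file "$keyFile")` on the new lines is a bare assignment, so if `key_type_from_file` reports failure (the comment above it says "this should fail, and we'll abort") the function only aborts when the script runs under `set -e`; otherwise it carries on with an empty `keyType` and writes `Key-Type:` with no value into the `--full-generate-key` batch. Make the abort explicit: `keyType=$(key_type_from_file "$keyFile") || failure "ssh-keygen cannot read $keyFile"`. The stdin path hard-codes `keyType=RSA` (now documented in the man page) but nothing enforces it, so an Ed25519 key on stdin is loaded into gpg-agent by `ssh-add` and then bound under a wrong `Key-Type:`; spooling stdin into a `mktemp` file under `$GNUPGHOME_HOST` (mode 0600) would let the same `key_type_from_file` check cover both paths. Likewise `ssh-add "$keyFile"` is unchecked, so a failed load surfaces only as the misleading "did not find a single keygrip" message. import_key begins before this hunk and continues after it.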
......