char userid[10240];
size_t uidsz = sizeof(userid);
+ const gnutls_datum_t* all[5];
+ int pipefd;
+ pid_t child_pid;
+ char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL};
+ const char* algoname;
+ int mpicount;
+ int pipestatus;
+
init_gnutls();
init_datum(&data);
GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW,
otherwise, use BASE64: */
+ /* FIXME: we should be auto-detecting the input format, and
+ translating it as needed. */
+
if (getenv("MONKEYSPHERE_RAW")) {
err("assuming RAW formatted certificate\n");
if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) {
return 1;
}
+ /* FIXME: We're currently looking at the primary key or maybe the
+ first authentication-capable subkey.
+
+ Instead, we should be iterating through the primary key and all
+ subkeys: for each one with the authentication usage flag set of a
+ algorithm we can handle, we should output matching UserIDs and
+ the SSH version of the key. */
+
+
if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) {
err("failed to get the usage flags for the primary key (error: %d)\n", ret);
return ret;
} else {
err("primary key is only good for: 0x%08x. Trying subkeys...\n", usage);
- if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid), ret) {
+ if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) {
err("failed to find a subkey capable of authentication (error: %d)\n", ret);
return ret;
}
uidsz--;
/* FIXME: we're just choosing the first UserID from the certificate:
- instead, we should be choosing the one that's adequately signed,
- and matches the monkeysphere specification. */
+ instead, we should be selecting every User ID that is adequately
+ signed and matches the spec, and aggregating them with commas for
+ known_hosts output */
if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) {
err("Failed to fetch the first UserID (error: %d)\n", ret);
externally through coreutils' /usr/bin/base64 */
if (algo == GNUTLS_PK_RSA) {
- const gnutls_datum_t* all[3];
- int pipefd;
- pid_t child_pid;
- char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL};
- const char* algoname = "ssh-rsa";
-
- snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname);
+ algoname = "ssh-rsa";
+ mpicount = 3;
- write(1, output_data, strlen(output_data));
-
- pipefd = create_writing_pipe(&child_pid, args[0], args);
- if (pipefd < 0) {
- err("failed to create a writing pipe (returned %d)\n", pipefd);
- return pipefd;
- }
-
- if (ret = datum_from_string(&algolabel, algoname), ret) {
- err("couldn't label string (error: %d)\n", ret);
- return ret;
- }
all[0] = &algolabel;
all[1] = &e;
all[2] = &m;
+ } else if (algo == GNUTLS_PK_DSA) {
+ algoname = "ssh-dss";
+ mpicount = 5;
- if (0 != write_data_fd_with_length(pipefd, all, 3)) {
- err("was not able to write out RSA key data\n");
- return 1;
- }
- close(pipefd);
- if (child_pid != waitpid(child_pid, NULL, 0)) {
- err("could not wait for child process to return for some reason.\n");
- return 1;
- }
+ all[0] = &algolabel;
+ all[1] = &p;
+ all[2] = &q;
+ all[3] = &g;
+ all[4] = &y;
+ } else {
+ err("no idea what this algorithm is: %d\n", algo);
+ return 1;
+ }
- write(1, "\n", 1);
+ if (ret = datum_from_string(&algolabel, algoname), ret) {
+ err("couldn't label string (error: %d)\n", ret);
+ return ret;
+ }
- } else if (algo == GNUTLS_PK_DSA) {
- err("Don't know how to export DSA ssh pubkeys yet.\n");
+ snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname);
+
+ pipefd = create_writing_pipe(&child_pid, args[0], args);
+ if (pipefd < 0) {
+ err("failed to create a writing pipe (returned %d)\n", pipefd);
+ return pipefd;
+ }
+
+ write(1, output_data, strlen(output_data));
+
+ if (0 != write_data_fd_with_length(pipefd, all, mpicount)) {
+ err("was not able to write out RSA key data\n");
return 1;
- } else {
- err("no idea what this algorithm is: %d\n", algo);
+ }
+ close(pipefd);
+ if (child_pid != waitpid(child_pid, &pipestatus, 0)) {
+ err("could not wait for child process to return for some reason.\n");
return 1;
}
+ if (pipestatus != 0) {
+ err("base64 pipe died with return code %d\n", pipestatus);
+ return pipestatus;
+ }
+
+ write(1, "\n", 1);
+
+
gnutls_openpgp_crt_deinit(openpgp_crt);
gnutls_global_deinit();