X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=gpg2ssh.c;h=a1e94df7998a55a56c88a97e9342abfe14153def;hb=f047b198433a0781e35b5ca0cea0bc532d9a64ce;hp=87b62a391e2a9d4abb6ce646dad40738fa9d6fcc;hpb=29b46325c50f7b767d1027c817c4e050806f2aa1;p=monkeysphere.git

diff --git a/gpg2ssh.c b/gpg2ssh.c
index 87b62a3..a1e94df 100644
--- a/gpg2ssh.c
+++ b/gpg2ssh.c
@@ -3,9 +3,9 @@
 #include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
 
-/* for htonl() */
-#include <arpa/inet.h>
-
+/* for waitpid() */
+#include <sys/types.h>
+#include <sys/wait.h>
 
 /* 
    Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
@@ -36,9 +36,19 @@ int main(int argc, char* argv[]) {
   gnutls_pk_algorithm_t algo;
 
   gnutls_datum_t m, e, p, q, g, y;
+  gnutls_datum_t algolabel;
 
   char output_data[10240];
-  size_t ods = sizeof(output_data);
+  char userid[10240];
+  size_t uidsz = sizeof(userid);
+
+  const gnutls_datum_t* all[5];
+  int pipefd;
+  pid_t child_pid;
+  char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL};
+  const char* algoname;
+  int mpicount;
+  int pipestatus;
 
   init_gnutls();
   
@@ -51,6 +61,8 @@ int main(int argc, char* argv[]) {
   init_datum(&g);
   init_datum(&y);
 
+  init_datum(&algolabel);
+
   init_keyid(keyid);
 
   /* slurp in the private key from stdin */
@@ -69,6 +81,9 @@ int main(int argc, char* argv[]) {
      GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW,
      otherwise, use BASE64: */
 
+  /* FIXME: we should be auto-detecting the input format, and
+     translating it as needed. */
+
   if (getenv("MONKEYSPHERE_RAW")) {
     err("assuming RAW formatted certificate\n");
     if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) {
@@ -88,6 +103,15 @@ int main(int argc, char* argv[]) {
     return 1;
   }
 
+  /* FIXME: We're currently looking at the primary key or maybe the
+     first authentication-capable subkey.  
+
+     Instead, we should be iterating through the primary key and all
+     subkeys: for each one with the authentication usage flag set of a
+     algorithm we can handle, we should output matching UserIDs and
+     the SSH version of the key. */
+     
+
   if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) {
     err("failed to get the usage flags for the primary key (error: %d)\n", ret);
     return ret;
@@ -122,7 +146,7 @@ int main(int argc, char* argv[]) {
   } else {
     err("primary key is only good for: 0x%08x.  Trying subkeys...\n", usage);
     
-    if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid), ret) {
+    if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) {
       err("failed to find a subkey capable of authentication (error: %d)\n", ret);
       return ret;
     }
@@ -178,11 +202,89 @@ int main(int argc, char* argv[]) {
     }
   } 
 
-  /* now we have algo, and the various MPI data set.  Can we export
-     them cleanly? */
+  /* make sure userid is NULL-terminated */
+  userid[sizeof(userid) - 1] = 0;
+  uidsz--;
+
+  /* FIXME: we're just choosing the first UserID from the certificate:
+     instead, we should be selecting every User ID that is adequately
+     signed and matches the spec, and aggregating them with commas for
+     known_hosts output */
+
+  if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) {
+    err("Failed to fetch the first UserID (error: %d)\n", ret);
+    return ret;
+  }
 
+  if (ret = validate_ssh_host_userid(userid), ret) {
+    err("bad userid: not a valid ssh host.\n");
+    return ret;
+  }
+
+  /* remove ssh:// from the beginning of userid */
+  memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://"));
   
 
+  /* now we have algo, and the various MPI data are set.  Can we
+     export them cleanly? */
+
+  /* for the moment, we'll just dump the info raw, and pipe it
+     externally through coreutils' /usr/bin/base64 */
+
+  if (algo == GNUTLS_PK_RSA) {
+    algoname = "ssh-rsa";
+    mpicount = 3;
+
+    all[0] = &algolabel;
+    all[1] = &e;
+    all[2] = &m;
+  } else if (algo == GNUTLS_PK_DSA) {
+    algoname = "ssh-dss";
+    mpicount = 5;
+
+    all[0] = &algolabel;
+    all[1] = &p;
+    all[2] = &q;
+    all[3] = &g;
+    all[4] = &y;
+  } else {
+    err("no idea what this algorithm is: %d\n", algo);
+    return 1;
+  }
+
+  if (ret = datum_from_string(&algolabel, algoname), ret) {
+    err("couldn't label string (error: %d)\n", ret);
+    return ret;
+  }
+
+  snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname);
+
+  pipefd = create_writing_pipe(&child_pid, args[0], args);
+  if (pipefd < 0) {
+    err("failed to create a writing pipe (returned %d)\n", pipefd);
+    return pipefd;
+  }
+    
+  write(1, output_data, strlen(output_data));
+
+  if (0 != write_data_fd_with_length(pipefd, all, mpicount)) {
+    err("was not able to write out RSA key data\n");
+    return 1;
+  }
+  close(pipefd);
+  if (child_pid != waitpid(child_pid, &pipestatus, 0)) {
+    err("could not wait for child process to return for some reason.\n");
+    return 1;
+  }
+  if (pipestatus != 0) {
+    err("base64 pipe died with return code %d\n", pipestatus);
+    return pipestatus;
+  }
+
+  write(1, "\n", 1);
+
+
+
   gnutls_openpgp_crt_deinit(openpgp_crt);
   gnutls_global_deinit();
   return 0;