X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-host;h=4d3edf4f41bc40cdf290a33c9af9809c889ad475;hb=8e1bd67f860f921743237c3e83ec8d6dfeaa5315;hp=903e3335c8f34a6735defbda1b5cf05f9b28c132;hpb=0f6353059da451d3ed182cfb18e8eafea1348a85;p=monkeysphere.git

diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 903e333..4d3edf4 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -34,9 +34,7 @@ MHSHAREDIR="${SYSSHAREDIR}/mh"
 MHDATADIR="${SYSDATADIR}/host"
 
 # host pub key files
-HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.gpg"
-# host pub key fingerprints file
-HOST_KEY_FPR_FILE="${SYSDATADIR}/host_keys.fprs"
+HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.pgp"
 
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
@@ -81,9 +79,14 @@ gpg_host() {
 
 # list the info about the a key, in colon format, to stdout
 gpg_host_list_keys() {
-    gpg_host --list-keys --with-colons --fixed-list-mode \
-	--with-fingerprint --with-fingerprint \
-	"$1"
+    if [ "$1" ] ; then
+	gpg_host --list-keys --with-colons --fixed-list-mode \
+	    --with-fingerprint --with-fingerprint \
+	    "$1"
+    else
+	gpg_host --list-keys --with-colons --fixed-list-mode \
+	    --with-fingerprint --with-fingerprint
+    fi
 }
 
 # edit key scripts, takes scripts on stdin, and keyID as first input
@@ -91,32 +94,93 @@ gpg_host_edit() {
     gpg_host --command-fd 0 --edit-key "$@"
 }
 
-# export the monkeysphere gpg pub key file
-update_gpg_pub_file() {
+# export the monkeysphere OpenPGP pub key file
+update_pgp_pub_file() {
     log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
-    gpg_host --export --armor --export-options export-minimal > "$HOST_KEY_FILE"
-    log debug "updating fingerprint file '$HOST_KEY_FPR_FILE'..."
-    gpg_host --list-secret-key --with-colons --with-fingerprint \
-	| awk -F: '/^fpr:/{ print $10 }' > "$HOST_KEY_FPR_FILE"
+    gpg_host --export --armor --export-options export-minimal \
+        $(gpg_host --list-secret-keys --with-colons --fingerprint | grep ^fpr | cut -f10 -d:) \
+        > "$HOST_KEY_FILE"
 }
 
-host_fingerprints() {
-    local fprs=($(cat "$HOST_KEY_FPR_FILE"))
+# check that the service name is well formed. we assume that the
+# service name refers to a host; DNS labels for host names are limited
+# to a very small range of characters (see RFC 1912, section 2.1).
 
-    log debug "host key fingerprints:"
-    printf '%s\n' "${fprs[@]}" | log debug
-    printf '%s\n' "${fprs[@]}"
-}
+# FIXME: i'm failing to check here for label components that are
+# all-number (e.g. ssh://666.666), which are technically not allowed
+# (though some exist on the 'net, apparently)
 
-# check that the service name is well formed
 check_service_name() {
     local name="$1"
-    log error "FIX ME: check service name"
+    local errs=""
+    local scheme
+    local port
+    local assigned_ports
+
+    [ -n "$name" ] || \
+        failure "You must supply a service name to check"
+
+    printf '%s' "$name" | perl -n -e '($str = $_) =~ s/\s//g ; exit !(lc($str) eq $_);' || \
+        failure "Not a valid service name: '$name'
+
+Service names should be canonicalized to all lower-case,
+with no whitespace"
+
+    [[ "$name" =~ ^[a-z0-9./:-]+$ ]] || \
+        failure "Not a valid service name: '$name'
+
+Service names should contain only lower-case ASCII letters
+numbers, dots (.), hyphens (-), slashes (/), and a colon (:).
+If you are using non-ASCII characters (e.g. IDN), you should
+use the canonicalized ASCII (NAMEPREP -> Punycode) representation
+(see RFC 3490)."
+
+    [[ "$name" =~ \. ]] || \
+        failure "Not a valid service name: '$name'
+
+Service names should use fully-qualified domain names (FQDN), but the
+domain name you chose appears to only have the local part.  For
+example: don't use 'ssh://foo' ; use 'ssh://foo.example.com' instead."
+
+    [[ "$name" =~ ^[a-z]([a-z0-9-]*[a-z0-9])?://[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.|((\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+))(:[1-9][0-9]{0,4})?$ ]] || \
+        failure "Not a valid service name: '$name'
+
+Service names look like <scheme>://full.example.com[:<portnumber>],
+where <scheme> is something like ssh or https, and <portnumber> is
+a decimal number (supplied only if the service is on a non-standard
+port)."
+    
+    scheme=$(cut -f1 -d: <<<"$name")
+    port=$(cut -f3 -d: <<<"$name")
+    
+    # check that the scheme name is found in the system services
+    # database
+    available_=$(get_port_for_service "$scheme") || \
+        log error "Error looking up service scheme named '%s'" "$scheme"
+
+    # FIXME: if the service isn't found, or does not have a port, what
+    # should we do? at the moment, we're just warning.
+    
+    if [ -n "$port" ]; then
+    # check that the port number is a legitimate port number (> 0, < 65536)
+        [ "$port" -gt 0 ] && [ "$port" -lt 65536 ] || \
+            failure "The given port number should be greater than 0 and
+less than 65536.  '$port' is not OK"
+
+    # if the port number is given, and the scheme is in the services
+    # database, check that the port number does *not* match the
+    # default port.
+        if (printf '%s' "$assigned_ports" | grep -q -F -x "$port" ) ; then
+            failure $(printf "The scheme %s uses port number %d by default.
+You should leave off the port number if it is the default" "$scheme" "$port")
+        fi
+    fi
+
 }
 
 # fail if host key not present
 check_no_keys() {
-    [ -s "$HOST_KEY_FILE" ] || [ -s "$HOST_KEY_FPR_FILE" ] \
+    [ -s "$HOST_KEY_FILE" ] \
 	|| failure "You don't appear to have a Monkeysphere host key on this server.
 Please run 'monkeysphere-host import-key' import a key."
 }
@@ -126,7 +190,7 @@ Please run 'monkeysphere-host import-key' import a key."
 check_key_input() {
     local keyID="$1"
     # array of fingerprints
-    local fprs=($(host_fingerprints))
+    local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE"))
 
     case ${#fprs[@]} in
 	0)
@@ -138,12 +202,13 @@ Please run 'monkeysphere-host import-key' to import a key."
 	    ;;
 	*)
 	    if [ -z "$keyID" ] ; then
-		failure "Keyring contains multiple keys.  Please specify one to act on (see 'monkeysphere-host show-key')."
+		failure "Your host keyring contains multiple keys.
+Please specify one to act on (see 'monkeysphere-host show-keys')."
 	    fi
 	    ;;
     esac
     printf '%s\n' "${fprs[@]}" | grep "${keyID}$" \
-	|| failure "Key '$keyID' not found."
+	|| failure "Host key '$keyID' not found."
 }
 
 # return 0 if user ID was found.
@@ -161,17 +226,37 @@ check_key_userid() {
 	grep -q -x -F "$tmpuidMatch" 2>/dev/null
 }
 
+prompt_userid_exists() {
+    local userID="$1"
+    local gpgOut
+    local fingerprint
+
+    if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then
+	fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10)
+	if [ "$PROMPT" != "false" ] ; then
+	    printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2
+	    read OK; OK=${OK:=N}
+	    if [ "${OK/y/Y}" != 'Y' ] ; then
+		failure "Service name not added."
+	    fi
+	else
+	    log info "Key '%s' is already using the service name '%s'." "$fingerprint" "$userID" >&2
+	fi
+    fi
+}
+
 # run command looped over keys
 multi_key() {
     local cmd="$1"
     shift
     local keys=$@
     local i=0
-    local fprs=($(host_fingerprints))
     local key
 
     check_no_keys
 
+    local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE"))
+
     if [[ -z "$1" || "$1" == '--all' ]] ; then
 	keys="${fprs[@]}"
     fi
@@ -188,8 +273,8 @@ multi_key() {
 show_key() {
     local id="$1"
     local GNUPGHOME
-    local TMPSSH
     local fingerprint
+    local tmpssh
     local revokers
 
     # tmp gpghome dir
@@ -201,27 +286,29 @@ show_key() {
     # import the host key into the tmp dir
     gpg --quiet --import <"$HOST_KEY_FILE"
 
-    # create the ssh key
-    TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub
-    if ! gpg --export "$id" 2>/dev/null \
-	| openpgp2ssh 2>/dev/null >"$TMPSSH" ; then
-	failure "Key '$id' not found."
-    fi
-
     # get the gpg fingerprint
-    fingerprint=$(gpg --quiet --list-keys \
+    if gpg --quiet --list-keys \
 	--with-colons --with-fingerprint "$id" \
-	| grep '^fpr:' | cut -d: -f10 )
+	| grep '^fpr:' | cut -d: -f10 > "$GNUPGHOME"/fingerprint ; then
+	fingerprint=$(cat "$GNUPGHOME"/fingerprint)
+    else
+	failure "ID '$id' not found."
+    fi
+
+    # create the ssh key
+    tmpssh="$GNUPGHOME"/ssh_host_key_rsa_pub
+    gpg --export "$fingerprint" 2>/dev/null \
+	| openpgp2ssh 2>/dev/null >"$tmpssh"
 
     # list the host key info
     # FIXME: make no-show-keyring work so we don't have to do the grep'ing
     # FIXME: can we show uid validity somehow?
-    gpg --list-keys --list-options show-unusable-uids "$id" 2>/dev/null \
+    gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \
 	| grep -v "^${GNUPGHOME}/pubring.gpg$" \
 	| egrep -v '^-+$'
 
     # list revokers, if there are any
-    revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$id" \
+    revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \
 	| awk -F: '/^rvk:/{ print $10 }' )
     if [ "$revokers" ] ; then
 	echo "The following keys are allowed to revoke this host key:"
@@ -236,7 +323,7 @@ show_key() {
 
     # list the ssh fingerprint
     echo -n "ssh fingerprint: "
-    ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }'
+    ssh-keygen -l -f "$tmpssh" | awk '{ print $1, $2, $4 }'
 
     # remove the tmp file
     trap - EXIT
@@ -331,8 +418,8 @@ case $COMMAND in
 	diagnostics
 	;;
 
-    'update-gpg-pub-file')
-	update_gpg_pub_file
+    'update-pgp-pub-file')
+	update_pgp_pub_file
 	;;
 
     'version'|'v')