X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fkeytrans;h=56ddde2ad4cecccbb0f8904d5e8bf9c24be3d47b;hb=aaa7dc2d06d8a9bdda5d0d818990fdbbaf2d0017;hp=0e52a477ff186a3929caf092b2e644a7b81aef64;hpb=339dd73b29eabfba4fcfe92b425678e5bed912c8;p=monkeysphere.git diff --git a/src/share/keytrans b/src/share/keytrans index 0e52a47..56ddde2 100755 --- a/src/share/keytrans +++ b/src/share/keytrans @@ -429,7 +429,7 @@ sub fingerprint { # FIXME: handle DSA keys as well! -sub pem2openpgp { +sub makeselfsig { my $rsa = shift; my $uid = shift; my $args = shift; @@ -442,10 +442,7 @@ sub pem2openpgp { if (! defined $args->{sig_timestamp}) { $args->{sig_timestamp} = time(); } - if (! defined $args->{key_timestamp}) { - $args->{key_timestamp} = $args->{sig_timestamp} + 0; - } - my $key_timestamp = $args->{key_timestamp}; + my $key_timestamp = $args->{key_timestamp} + 0; # generate and aggregate subpackets: @@ -518,10 +515,7 @@ sub pem2openpgp { $feature_subpacket. $keyserver_pref; - return - make_packet($packet_types->{seckey}, make_rsa_sec_key_body($rsa, $key_timestamp)). - make_packet($packet_types->{uid}, $uid). - gensig($rsa, $uid, $args); + return gensig($rsa, $uid, $args); } # FIXME: handle non-RSA keys @@ -608,7 +602,6 @@ sub gensig { $sig_data_to_be_hashed. $trailer; - # FIXME: handle signatures over digests other than SHA256: my $data_hash = Digest::SHA::sha256_hex($datatosign); @@ -642,8 +635,8 @@ sub finduid { ($tag == $packet_types->{uid}) or die "This should not be called on anything but a User ID packet\n"; read($instr, $dummy, $packetlen); - $data->{uid} = {} unless defined $data->{uid}; $data->{uid}->{$dummy} = {}; + $data->{current}->{uid} = $dummy; } @@ -659,46 +652,25 @@ sub findsig { my $dummy; my $readbytes = 0; - if ((undef $data->{key}) || - (undef $data->{uid}) || - (undef $data->{uid}->{$data->{target}->{uid}})) { - # this is not the user ID we are looking for. - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - } + read($instr, $dummy, $packetlen - $readbytes) or die "Could not read in this packet.\n"; - read($instr, $data, 6) or die "could not read signature header\n"; - my ($ver, $sigtype, $pubkeyalgo, $digestalgo, $subpacketsize) = unpack('CCCCn', $data); - if ($ver != 4) { - printf(STDERR "We only work with version 4 signatures."); - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - return; - } - if ($pubkeyalgo != $asym_algos->{rsa}) { - printf(STDERR "We can only work with RSA at the moment"); - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - return; - } - if ($sigtype != $sig_types->{positive_certification}) { - # FIXME: some weird implementations might have made generic, - # persona, or casual certifications instead of positive - # certifications for self-sigs. Probably should handle them too. - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + if ((! defined $data->{key}) || + (! defined $data->{uid}) || + (! defined $data->{uid}->{$data->{target}->{uid}})) { + # the user ID we are looking for has not been found yet. return; } - my $subpackets; - read($instr, $subpackets, $subpacketsize) or die "could not read hashed signature subpackets.\n"; - - read($instr, $subpacketsize, 2) or die "could not read unhashed signature subpacket size.\n"; - $subpacketsize = unpack('n', $subpacketsize); - - my $unhashedsubpackets; - read($instr, $unhashedsubpackets, $subpacketsize) or die "could not read unhashed signature subpackets.\n"; + # FIXME: if we get two primary keys on stdin, both with the same + # targetd user ID, we'll store signatures from both keys, which is + # probably wrong. - my $hashtail; - read($instr, $hashtail, 2) or die "could not read left 16 bits of digest.\n"; + # the current ID is not what we're looking for: + return if ($data->{current}->{uid} ne $data->{target}->{uid}); - # FIXME: RSA signatures should read in how many MPIs? + # just storing the raw signatures for the moment: + push @{$data->{sigs}}, make_packet($packet_types->{sig}, $dummy); + return; } @@ -836,10 +808,60 @@ sub openpgp2rsa { return $data->{key}->{rsa}; } +sub adduserid { + my $instr = shift; + my $fpr = shift; + my $uid = shift; + my $args = shift; + + if ((! defined $fpr) || + (length($fpr) < 8)) { + die "We need at least 8 hex digits of fingerprint.\n"; + } + + $fpr = uc($fpr); + + if (! defined $uid) { + die "No User ID defined.\n"; + } + + my $data = { target => { fpr => $fpr, + uid => $uid, + }, + }; + my $subs = { $packet_types->{seckey} => \&findkey, + $packet_types->{uid} => \&finduid, + $packet_types->{sig} => \&findsig, + }; + + packetwalk($instr, $subs, $data); + + if ((! defined $data->{key}) || + (! defined $data->{key}->{rsa}) || + (! defined $data->{key}->{timestamp})) { + die "The key requested was not found.\n" + } + + if (defined $data->{uid}->{$uid}) { + die "The requested User ID '$uid' is already associated with this key.\n"; + } + $args->{key_timestamp} = $data->{key}->{timestamp}; + + return + make_packet($packet_types->{pubkey}, make_rsa_pub_key_body($data->{key}->{rsa}, $data->{key}->{timestamp})). + make_packet($packet_types->{uid}, $uid). + makeselfsig($data->{key}->{rsa}, + $uid, + $args); + +} + + sub revokeuserid { my $instr = shift; my $fpr = shift; my $uid = shift; + my $sigtime = shift; if ((! defined $fpr) || (length($fpr) < 8)) { @@ -853,10 +875,12 @@ sub revokeuserid { } my $data = { target => { fpr => $fpr, + uid => $uid, }, }; my $subs = { $packet_types->{seckey} => \&findkey, - $packet_types->{uid} => \&finduid + $packet_types->{uid} => \&finduid, + $packet_types->{sig} => \&findsig, }; packetwalk($instr, $subs, $data); @@ -882,15 +906,21 @@ sub revokeuserid { $revocation_reasons->{user_id_no_longer_valid}). $revocation_reason); + if (! defined $sigtime) { + $sigtime = time(); + } # what does a signature like this look like? - my $args = { 'key_timestamp' => $data->{key}->{timestamp}, - 'sig_timestamp' => time(), - 'certification_type' => $sig_types->{certification_revocation}, - 'hashed_subpackets' => $rev_reason_subpkt, + my $args = { key_timestamp => $data->{key}->{timestamp}, + sig_timestamp => $sigtime, + certification_type => $sig_types->{certification_revocation}, + hashed_subpackets => $rev_reason_subpkt, }; - - return gensig($data->{key}->{rsa}, $data->{uid}, $args); + return + make_packet($packet_types->{pubkey}, make_rsa_pub_key_body($data->{key}->{rsa}, $data->{key}->{timestamp})). + make_packet($packet_types->{uid}, $uid). + join('', @{$data->{sigs}}). + gensig($data->{key}->{rsa}, $uid, $args); } @@ -1009,10 +1039,18 @@ for (basename($0)) { $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); } - print pem2openpgp($rsa, + my $key_timestamp = $ENV{PEM2OPENPGP_KEY_TIMESTAMP}; + my $sig_timestamp = $ENV{PEM2OPENPGP_TIMESTAMP}; + $sig_timestamp = time() if (!defined $sig_timestamp); + $key_timestamp = $sig_timestamp if (!defined $key_timestamp); + + print + make_packet($packet_types->{seckey}, make_rsa_sec_key_body($rsa, $key_timestamp)). + make_packet($packet_types->{uid}, $uid). + makeselfsig($rsa, $uid, - { sig_timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, - key_timestamp => $ENV{PEM2OPENPGP_KEY_TIMESTAMP}, + { sig_timestamp => $sig_timestamp, + key_timestamp => $key_timestamp, expiration => $ENV{PEM2OPENPGP_EXPIRATION}, usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, } @@ -1046,9 +1084,22 @@ for (basename($0)) { open($instream,'-'); binmode($instream, ":bytes"); - my $revcert = revokeuserid($instream, $fpr, $uid); + my $revcert = revokeuserid($instream, $fpr, $uid, $ENV{KEYTRANS_REVUID_TIMESTAMP}); print $revcert; + } elsif (/^adduserid$/) { + my $fpr = shift; + my $uid = shift; + my $instream; + open($instream,'-'); + binmode($instream, ":bytes"); + my $newuid = adduserid($instream, $fpr, $uid, + { sig_timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, + expiration => $ENV{PEM2OPENPGP_EXPIRATION}, + usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, + }); + + print $newuid; } else { die "Unrecognized subcomand. keytrans subcommands are not a stable interface!\n"; }