.Os
.Sh NAME
pem2openpgp
-.Nd translate PEM encoded keys to OpenPGP keys
+.Nd translate PEM-encoded RSA keys to OpenPGP certificates
.Sh SYNOPSIS
-.Nm pem2openpgp $USERID < mykey.pem
+.Nm pem2openpgp "$USERID" < mykey.pem | gpg --import
.Pp
-.Nm ??? gpg --export $KEYID | openpgp2ssh $KEYID
-.Pp
-.Nm ????gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
+.Nm PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS)) PEM2OPENPGP_USAGE_FLAGS=authentication,certify pem2openpgp "$USERID" <mykey.pem
.Sh DESCRIPTION
.Nm
-WRITE ME!!!
+is a low-level utility for transforming raw, PEM-encoded RSA secret
+keys into OpenPGP-formatted certificates. The generated certificates
+include the secret key material, so they should be handled carefully.
+.Pp
+It works as an element within a pipeline: feed it the raw key on
+stdin, supply the desired User ID as a command line argument. Note
+that you may need to quote the string to ensure that it is entirely in
+a single argument.
+.Pp
+Other choices about how to generate the new OpenPGP certificate are
+governed by environment variables.
+.Sh ENVIRONMENT
+The following environment variables influence the behavior of
+.Nm :
+.Pp
+.ti 3
+\fBPEM2OPENPGP_TIMESTAMP\fP controls the timestamp (measured in
+seconds since the UNIX epoch) indicated as the creation time (a.k.a
+"not valid before") of the generated certificate. By default,
+.Nm
+uses the current time.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_USAGE_FLAGS\fP should contain a comma-separated list of
+valid OpenPGP usage flags (see section 5.2.3.21 of RFC 4880 for what
+these mean). The available choices are: certify, sign, encrypt_comms,
+encrypt_storage, encrypt (this means both encrypt_comms and
+encrypt_storage), authenticate, split, shared. By default,
+.Nm
+only sets the certify flag.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_EXPIRATION\fP sets an expiration (measured in seconds
+after the creation time of the key) in each self-signature packet. By
+default, no expiration subpacket is included.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_NEWKEY\fP indicates that
+.Nm
+should ignore stdin, and instead generate a new key internally and
+build the certificate based on this new key. Set this variable to the
+number of bits for the new key (e.g. 2048). By default (when this is
+unset),
+.Nm
+will read the key from stdin.
.Sh AUTHOR
.Nm
and this man page were written by Daniel Kahn Gillmor
<dkg@fifthhorseman.net>.
.Sh BUGS
+Only handles RSA keys at the moment. It would be nice to handle DSA
+keys as well.
+.Pp
+Currently only creates certificates with a single User ID. Should be
+able to create certificates with multiple User IDs.
+.Pp
+Currently only accepts unencrypted RSA keys. It should be able to
+deal with passphrase-locked key material.
+.Pp
+Currently outputs OpenPGP certificates with cleartext secret key
+material. It would be good to be able to lock the output with a
+passphrase.
+.Pp
+If you find other bugs, please report them at
+https://labs.riseup.net/code/projects/show/monkeysphere
.Sh SEE ALSO
.Xr openpgp2ssh 1,
.Xr monkeysphere 1 ,
.Xr monkeysphere 7 ,
.Xr ssh 1 ,
-.Xr monkeysphere-server 8
+.Xr monkeysphere-host 8 ,
+.Xr monkeysphere-authentication 8
return Digest::SHA1::sha1(pack('Cn', 0x99, length($rsabody)).$rsabody);
}
-# we're just not dealing with newline business right now. slurp in
-# the whole file.
-undef $/;
-my $buf = <STDIN>;
-
-my $rsa = Crypt::OpenSSL::RSA->new_private_key($buf);
+my $rsa;
+if (defined $ENV{PEM2OPENPGP_NEWKEY}) {
+ $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY});
+} else {
+ # we're just not dealing with newline business right now. slurp in
+ # the whole file.
+ undef $/;
+ $rsa = Crypt::OpenSSL::RSA->new_private_key(<STDIN>);
+}
$rsa->use_sha1_hash();
$sig_data_to_be_hashed.
$trailer;
-print STDERR $datatosign;
-
my $data_hash = Digest::SHA1::sha1_hex($datatosign);
-
my $issuer_packet = pack('CCa8', 9, $subpacket_types->{issuer}, $keyid);
my $sig = Crypt::OpenSSL::Bignum->new_from_bin($rsa->sign($datatosign));
local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
- local TMPLOC=$(mktemp -d "${MATMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
-
- # generate the key with ssh-keygen...
- log debug "generating ssh key ($CORE_KEYLENGTH bits)..."
- ssh-keygen -q -b "$CORE_KEYLENGTH" -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
- # and then translate to openpgp encoding and import
- # FIXME: pem2openpgp currently sets the A flag and a short
- # expiration date. We should set the C flag and no expiration
- # date.
- log debug "converting ssh key to openpgp key and importing into core..."
- < "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"
+ log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..."
+ PEM2OPENPGP_USAGE_FLAGS=certify PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"
# get fingerprint of core key. should definitely not be empty at this point
log debug "get core key fingerprint..."
local userID
local fingerprint
-# check for presense of secret key
+# check for presence of secret key
# FIXME: is this the proper test to be doing here?
fingerprint_host_key >/dev/null \
&& failure "An OpenPGP host key already exists."
log verbose "importing ssh key..."
# translate ssh key to a private key
-(umask 077 && \
- pem2openpgp "$userID" | gpg_host --import)
+PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | gpg_host --import
# find the key fingerprint of the newly converted key
fingerprint=$(fingerprint_host_key)
# piped commands should return the code of the first non-zero return
set -o pipefail
-export TESTDIR=$(dirname "$0")
+# make sure the TESTDIR is an absolute path, not a relative one.
+export TESTDIR=$(cd $(dirname "$0") && pwd)
source "$TESTDIR"/common
# gpg command for test admin user
gpgadmin() {
+ chmod 0700 "$TEMPDIR"/admin
GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@"
}
## the tests, not system-wide:
# make temp dir
-TEMPDIR="$TESTDIR"/tmp
-if [ -e "$TEMPDIR" ] ; then
- echo "tempdir '$TEMPDIR' already exists."
- exit 1
-fi
-mkdir -p "$TEMPDIR"
+mkdir -p "$TESTDIR"/tmp
+TEMPDIR=$(mktemp -d "${TMPDIR:-$TESTDIR/tmp}/monkeyspheretest.XXXXXXX")
# Use the local copy of executables first, instead of system ones.
# This should help us test without installing.
# set up environment for testuser
export TESTHOME="$TEMPDIR"/testuser
export GNUPGHOME="$TESTHOME"/.gnupg
+chmod 0700 "$GNUPGHOME"
export SSH_ASKPASS="$TESTHOME"/.ssh/askpass
export MONKEYSPHERE_HOME="$TESTHOME"/.monkeysphere
cat <<EOF >> "$TESTHOME"/.ssh/config
echo "### setup monkeysphere authentication..."
cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
-AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
+AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids"
EOF
monkeysphere-authentication setup
get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
# teach the "server" about the testuser's key
echo "##################################################"
echo "### export testuser key to server..."
-gpg --export testuser | monkeysphere-authentication gpg-cmd --import
+gpg --export testuser | monkeysphere-authentication expert gpg-cmd --import
# update authorized_keys for user
echo "##################################################"
######################################################################
### TESTS
-# connect to test sshd, using monkeysphere-ssh-proxycommand to verify
+# connect to test sshd, using monkeysphere ssh-proxycommand to verify
# the identity before connection. This should work in both directions!
echo "##################################################"
echo "### ssh connection test for success..."
-# Base monkeysphere-server.conf for monkeysphere tests
+# Base monkeysphere-authentication.conf for monkeysphere tests
# AUTHORIZED_USER_IDS variable will be added dynamically during test.
# simple socket-based proxy-command wrapper for testing monkeysphere.
# pass this thing the host, the port, and the socket.
+which monkeysphere >&2
-monkeysphere-ssh-proxycommand --no-connect "$1" "$2" && \
+monkeysphere ssh-proxycommand --no-connect "$1" "$2" && \
exec socat STDIO UNIX:"$3"
<(PEM2OPENPGP_USAGE_FLAGS=sign,certify \
PEM2OPENPGP_TIMESTAMP="$timestamp" pem2openpgp testtest < \
"$TEMPDIR"/test.pem | hd )
+
+trap - EXIT
+
+echo "##################################################"
+echo " Monkeysphere keytrans test completed successfully!"
+echo "##################################################"
+
+cleanup
--- /dev/null
+[[meta title="Plans for The Golden Bezoar"]]
+
+A workday with several Monkeysphere contributors on 2009-01-31
+resulted in a significant reorganization of the project in several
+areas, primarily driven by the realization that there are two
+fundamentally different concepts on the server side:
+
+* publishing host keys via the Web-of-Trust (WoT), and
+* authenticating users via the WoT.
+
+For simplicity and clarity, those two concepts should be independent
+from each other, but earlier releases of the Monkeysphere tangled the
+two up together more than we probably should have.
+
+So the next release, version 0.23 (a.k.a. *The Golden Bezoar*) will
+have the following significant changes:
+
+* __user interface__: `/usr/sbin/monkeysphere-server` is no more, and
+ its functionality will be split out into
+ `/usr/sbin/monkeysphere-host` (for functionality dealing with
+ publishing the ssh host key through the WoT) and
+ `/usr/sbin/monkeysphere-authentication` (for functionality dealing
+ with authenticating users via the
+ WoT). `/usr/bin/monkeysphere-ssh-proxycommand` has been folded into
+ `/usr/bin/monkeysphere` itself as a new subcommand.
+
+* __code__: the subfunctions are now stored in their own separate
+ files, and sourced as-needed by the three top-level commands. The
+ test suite has also been re-written to reflect the above UI changes.
+
+* __documentation__: in addition to making the man pages reflect the
+ above UI changes, we're rewriting the "getting started"
+ [documentation](/doc/) to use the conceptually-cleaner distinctions
+ above.
+
+* __data storage__: `/var/lib/monkeysphere` itself has been
+ re-organized with the aim of keeping the host/authentication
+ distinction clear, simplifying the internal use of `gpg`, and
+ facilitating privilege-separated access.
+
+*The Golden Bezoar* will also feature the ability to painlessly
+publish your current ssh host key to the WoT without needing to re-key
+the server. If you're considering adopting the Monkeysphere in the
+near future, we recommend waiting for 0.23 to be released, as it
+should be conceptually clearer and easier to use.
projects / monkeysphere.git / commitdiff