From 76c17804015ffb6c18232cd9ba80cf2a641fd59e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 9 Apr 2008 00:34:52 -0400 Subject: [PATCH] exporting RSA public keys in openssh known_hosts format. --- gnutls-helpers.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++- gnutls-helpers.h | 12 +++++ gpg2ssh.c | 84 +++++++++++++++++++++++++++--- 3 files changed, 222 insertions(+), 7 deletions(-) diff --git a/gnutls-helpers.c b/gnutls-helpers.c index a2f8446..ce77d0c 100644 --- a/gnutls-helpers.c +++ b/gnutls-helpers.c @@ -3,6 +3,14 @@ /* License: GPL v3 or later */ #include "gnutls-helpers.h" +/* for htonl() */ +#include + +/* for setlocale() */ +#include + +/* for isalnum() */ +#include int loglevel = 0; @@ -155,7 +163,7 @@ int set_datum_fd(gnutls_datum_t* d, int fd) { return 0; } -/* read the file indicated (by na1me) in the fname parameter. store +/* read the file indicated (by name) in the fname parameter. store its entire contents in a single datum. */ int set_datum_file(gnutls_datum_t* d, const char* fname) { struct stat sbuf; @@ -191,3 +199,126 @@ int set_datum_file(gnutls_datum_t* d, const char* fname) { fclose(file); return 0; } + +int write_datum_fd(int fd, const gnutls_datum_t* d) { + if (d->size != write(fd, d->data, d->size)) { + err("failed to write body of datum.\n"); + return -1; + } + return 0; +} + + +int write_datum_fd_with_length(int fd, const gnutls_datum_t* d) { + uint32_t len = htonl(d->size); + if (write(fd, &len, sizeof(len)) != sizeof(len)) { + err("failed to write size of datum.\n"); + return -2; + } + return write_datum_fd(fd, d); +} + +int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num) { + unsigned int i; + int ret; + + for (i = 0; i < num; i++) + if (ret = write_datum_fd_with_length(fd, d[i]), ret != 0) + return ret; + + return 0; +} + + +int datum_from_string(gnutls_datum_t* d, const char* str) { + d->size = strlen(str); + d->data = gnutls_realloc(d->data, d->size); + if (d->data == 0) + return ENOMEM; + memcpy(d->data, str, d->size); + return 0; +} + + +int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]) { + int p[2]; + int ret; + + if (pid == NULL) { + err("bad pointer passed to create_writing_pipe()\n"); + return -1; + } + + if (ret = pipe(p), ret == -1) { + err("failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); + return -1; + } + + *pid = fork(); + if (*pid == -1) { + err("Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); + return -1; + } + if (*pid == 0) { /* this is the child */ + close(p[1]); /* close unused write end */ + + if (0 != dup2(p[0], 0)) { /* map the reading end into stdin */ + err("Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); + exit(1); + } + execv(path, argv); + err("exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); + exit(1); + } else { /* this is the parent */ + close(p[0]); /* close unused read end */ + return p[1]; + } +} + +int validate_ssh_host_userid(const char* userid) { + char* oldlocale = setlocale(LC_ALL, "C"); + + /* choke if userid does not match the expected format + ("ssh://fully.qualified.domain.name") */ + if (strncmp("ssh://", userid, strlen("ssh://")) != 0) { + err("The user ID should start with ssh:// for a host key\n"); + goto fail; + } + /* so that isalnum will work properly */ + userid += strlen("ssh://"); + while (0 != (*userid)) { + if (!isalnum(*userid)) { + err("label did not start with a letter or a digit! (%s)\n", userid); + goto fail; + } + userid++; + while (isalnum(*userid) || ('-' == (*userid))) + userid++; + if (('.' == (*userid)) || (0 == (*userid))) { /* clean end of label: + check last char + isalnum */ + if (!isalnum(*(userid - 1))) { + err("label did not end with a letter or a digit!\n"); + goto fail; + } + if ('.' == (*userid)) /* advance to the start of the next label */ + userid++; + } else { + err("invalid character in domain name: %c\n", *userid); + goto fail; + } + } + /* ensure that the last character is valid: */ + if (!isalnum(*(userid - 1))) { + err("hostname did not end with a letter or a digit!\n"); + goto fail; + } + /* FIXME: fqdn's can be unicode now, thanks to RFC 3490 -- how do we + make sure that we've got an OK string? */ + + return 0; + + fail: + setlocale(LC_ALL, oldlocale); + return 1; +} diff --git a/gnutls-helpers.h b/gnutls-helpers.h index c07997f..398413f 100644 --- a/gnutls-helpers.h +++ b/gnutls-helpers.h @@ -32,6 +32,12 @@ void init_datum(gnutls_datum_t* d); void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src); int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b); void free_datum(gnutls_datum_t* d); +int write_datum_fd(int fd, const gnutls_datum_t* d); +int write_datum_fd_with_length(int fd, const gnutls_datum_t* d); +int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num); + +/* set up a datum from a null-terminated string */ +int datum_from_string(gnutls_datum_t* d, const char* str); /* keyid manipulations: */ typedef unsigned char printable_keyid[16]; @@ -52,3 +58,9 @@ int set_datum_fd(gnutls_datum_t* d, int fd); its entire contents in a single datum. */ int set_datum_file(gnutls_datum_t* d, const char* fname); +/* set up file descriptor pipe for writing (child process pid gets + stored in pid, fd is returned)*/ +int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]); + +/* return 0 if userid matches the monkeysphere spec for ssh host user IDs */ +int validate_ssh_host_userid(const char* userid); diff --git a/gpg2ssh.c b/gpg2ssh.c index 87b62a3..f5bd55f 100644 --- a/gpg2ssh.c +++ b/gpg2ssh.c @@ -3,9 +3,9 @@ #include #include -/* for htonl() */ -#include - +/* for waitpid() */ +#include +#include /* Author: Daniel Kahn Gillmor @@ -36,9 +36,11 @@ int main(int argc, char* argv[]) { gnutls_pk_algorithm_t algo; gnutls_datum_t m, e, p, q, g, y; + gnutls_datum_t algolabel; char output_data[10240]; - size_t ods = sizeof(output_data); + char userid[10240]; + size_t uidsz = sizeof(userid); init_gnutls(); @@ -51,6 +53,8 @@ int main(int argc, char* argv[]) { init_datum(&g); init_datum(&y); + init_datum(&algolabel); + init_keyid(keyid); /* slurp in the private key from stdin */ @@ -178,11 +182,79 @@ int main(int argc, char* argv[]) { } } - /* now we have algo, and the various MPI data set. Can we export - them cleanly? */ + /* make sure userid is NULL-terminated */ + userid[sizeof(userid) - 1] = 0; + uidsz--; + + /* FIXME: we're just choosing the first UserID from the certificate: + instead, we should be choosing the one that's adequately signed, + and matches the monkeysphere specification. */ + + if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) { + err("Failed to fetch the first UserID (error: %d)\n", ret); + return ret; + } + if (ret = validate_ssh_host_userid(userid), ret) { + err("bad userid: not a valid ssh host.\n"); + return ret; + } + + /* remove ssh:// from the beginning of userid */ + memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://")); + /* now we have algo, and the various MPI data are set. Can we + export them cleanly? */ + + /* for the moment, we'll just dump the info raw, and pipe it + externally through coreutils' /usr/bin/base64 */ + + if (algo == GNUTLS_PK_RSA) { + const gnutls_datum_t* all[3]; + int pipefd; + pid_t child_pid; + char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; + const char* algoname = "ssh-rsa"; + + snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname); + + write(1, output_data, strlen(output_data)); + + pipefd = create_writing_pipe(&child_pid, args[0], args); + if (pipefd < 0) { + err("failed to create a writing pipe (returned %d)\n", pipefd); + return pipefd; + } + + if (ret = datum_from_string(&algolabel, algoname), ret) { + err("couldn't label string (error: %d)\n", ret); + return ret; + } + all[0] = &algolabel; + all[1] = &e; + all[2] = &m; + + if (0 != write_data_fd_with_length(pipefd, all, 3)) { + err("was not able to write out RSA key data\n"); + return 1; + } + close(pipefd); + if (child_pid != waitpid(child_pid, NULL, 0)) { + err("could not wait for child process to return for some reason.\n"); + return 1; + } + + write(1, "\n", 1); + + } else if (algo == GNUTLS_PK_DSA) { + err("Don't know how to export DSA ssh pubkeys yet.\n"); + return 1; + } else { + err("no idea what this algorithm is: %d\n", algo); + return 1; + } + gnutls_openpgp_crt_deinit(openpgp_crt); gnutls_global_deinit(); return 0; -- 2.25.1