1 #include "gnutls-helpers.h"
3 #include <gnutls/openpgp.h>
4 #include <gnutls/x509.h>
11 Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
12 Date: Tue, 08 Apr 2008
13 License: GPL v3 or later
15 monkeysphere public key translator: execute this with an GPG
16 certificate (public key(s) + userid(s)) on stdin. It currently
17 only works with RSA keys.
19 It will spit out a version of the first key capable of being used
20 for authentication on stdout. The output format should be suitable
21 for appending a known_hosts file.
23 Requirements: I've only built this so far with GnuTLS v2.3.4 --
24 version 2.2.0 does not contain the appropriate pieces.
28 int main(int argc, char* argv[]) {
31 gnutls_openpgp_crt_t openpgp_crt;
32 gnutls_openpgp_keyid_t keyid;
33 printable_keyid p_keyid;
35 unsigned int usage, bits;
36 gnutls_pk_algorithm_t algo;
38 gnutls_datum_t m, e, p, q, g, y;
39 gnutls_datum_t algolabel;
41 char output_data[10240];
43 size_t uidsz = sizeof(userid);
56 init_datum(&algolabel);
60 /* slurp in the private key from stdin */
61 if (ret = set_datum_fd(&data, 0), ret) {
62 err("didn't read file descriptor 0\n");
67 if (ret = gnutls_openpgp_crt_init(&openpgp_crt), ret) {
68 err("Failed to initialize OpenPGP certificate (error: %d)\n", ret);
72 /* format could be either: GNUTLS_OPENPGP_FMT_RAW,
73 GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW,
74 otherwise, use BASE64: */
76 if (getenv("MONKEYSPHERE_RAW")) {
77 err("assuming RAW formatted certificate\n");
78 if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) {
79 err("failed to import the OpenPGP certificate in RAW format (error: %d)\n", ret);
83 err("assuming BASE64 formatted certificate\n");
84 if (ret = gnutls_openpgp_crt_import (openpgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64), ret) {
85 err("failed to import the OpenPGP certificate in BASE64 format (error: %d)\n", ret);
90 if (gnutls_openpgp_crt_get_revoked_status(openpgp_crt)) {
91 err("the primary key was revoked!\n");
95 if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) {
96 err("failed to get the usage flags for the primary key (error: %d)\n", ret);
99 if (usage & GNUTLS_KEY_KEY_AGREEMENT) {
100 err("the primary key can be used for authentication\n");
102 algo = gnutls_openpgp_crt_get_pk_algorithm(openpgp_crt, &bits);
104 err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo);
106 } else if (algo == GNUTLS_PK_RSA) {
108 err("OpenPGP RSA certificate, with %d bits\n", bits);
109 ret = gnutls_openpgp_crt_get_pk_rsa_raw(openpgp_crt, &m, &e);
110 if (GNUTLS_E_SUCCESS != ret) {
111 err ("failed to export RSA key parameters (error: %d)\n", ret);
114 } else if (algo == GNUTLS_PK_DSA) {
115 err("OpenPGP DSA Key, with %d bits\n", bits);
116 ret = gnutls_openpgp_crt_get_pk_dsa_raw(openpgp_crt, &p, &q, &g, &y);
117 if (GNUTLS_E_SUCCESS != ret) {
118 err ("failed to export DSA key parameters (error: %d)\n", ret);
122 err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo);
127 err("primary key is only good for: 0x%08x. Trying subkeys...\n", usage);
129 if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid), ret) {
130 err("failed to find a subkey capable of authentication (error: %d)\n", ret);
133 make_keyid_printable(p_keyid, keyid);
134 err("found authentication subkey %.16s\n", p_keyid);
136 ret = gnutls_openpgp_crt_get_subkey_idx(openpgp_crt, keyid);
138 err("could not get the index of subkey %.16s (error: %d)\n", ret);
143 if (gnutls_openpgp_crt_get_subkey_revoked_status(openpgp_crt, keyidx)) {
144 err("The authentication subkey was revoked!\n");
148 if (ret = gnutls_openpgp_crt_get_subkey_usage(openpgp_crt, keyidx, &usage), ret) {
149 err("could not figure out usage of subkey %.16s (error: %d)\n", p_keyid, ret);
152 if ((usage & GNUTLS_KEY_KEY_AGREEMENT) == 0) {
153 err("could not find a subkey with authentication privileges.\n");
157 /* switch, based on the algorithm in question, to extract the MPI
160 algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(openpgp_crt, keyidx, &bits);
162 err("failed to get the algorithm of the authentication subkey (error: %d)\n", algo);
164 } else if (algo == GNUTLS_PK_RSA) {
166 err("OpenPGP RSA subkey, with %d bits\n", bits);
167 ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(openpgp_crt, keyidx, &m, &e);
168 if (GNUTLS_E_SUCCESS != ret) {
169 err ("failed to export RSA subkey parameters (error: %d)\n", ret);
172 } else if (algo == GNUTLS_PK_DSA) {
173 err("OpenPGP DSA subkey, with %d bits\n", bits);
174 ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(openpgp_crt, keyidx, &p, &q, &g, &y);
175 if (GNUTLS_E_SUCCESS != ret) {
176 err ("failed to export DSA subkey parameters (error: %d)\n", ret);
180 err("OpenPGP subkey was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo);
185 /* make sure userid is NULL-terminated */
186 userid[sizeof(userid) - 1] = 0;
189 /* FIXME: we're just choosing the first UserID from the certificate:
190 instead, we should be choosing the one that's adequately signed,
191 and matches the monkeysphere specification. */
193 if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) {
194 err("Failed to fetch the first UserID (error: %d)\n", ret);
198 if (ret = validate_ssh_host_userid(userid), ret) {
199 err("bad userid: not a valid ssh host.\n");
203 /* remove ssh:// from the beginning of userid */
204 memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://"));
207 /* now we have algo, and the various MPI data are set. Can we
208 export them cleanly? */
210 /* for the moment, we'll just dump the info raw, and pipe it
211 externally through coreutils' /usr/bin/base64 */
213 if (algo == GNUTLS_PK_RSA) {
214 const gnutls_datum_t* all[3];
217 char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL};
218 const char* algoname = "ssh-rsa";
220 snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname);
222 write(1, output_data, strlen(output_data));
224 pipefd = create_writing_pipe(&child_pid, args[0], args);
226 err("failed to create a writing pipe (returned %d)\n", pipefd);
230 if (ret = datum_from_string(&algolabel, algoname), ret) {
231 err("couldn't label string (error: %d)\n", ret);
238 if (0 != write_data_fd_with_length(pipefd, all, 3)) {
239 err("was not able to write out RSA key data\n");
243 if (child_pid != waitpid(child_pid, NULL, 0)) {
244 err("could not wait for child process to return for some reason.\n");
250 } else if (algo == GNUTLS_PK_DSA) {
251 err("Don't know how to export DSA ssh pubkeys yet.\n");
254 err("no idea what this algorithm is: %d\n", algo);
258 gnutls_openpgp_crt_deinit(openpgp_crt);
259 gnutls_global_deinit();