Merge commit 'dkg/master'

[monkeysphere.git] / src / share / m / gen_subkey

# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)

# Monkeysphere gen-subkey subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.

# generate a subkey with the 'a' usage flags set

gen_subkey(){
    local keyLength
    local keyExpire
    local keyID
    local gpgOut
    local userID

    # get options
    while true ; do
        case "$1" in
            -l|--length)
                keyLength="$2"
                shift 2
                ;;
            -e|--expire)
                keyExpire="$2"
                shift 2
                ;;
            *)
                if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
                    failure "Unknown option '$1'.
Type '$PGRM help' for usage."
                fi
                break
                ;;
        esac
    done

    case "$#" in
        0)
            gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:')
            ;;
        1)
            gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure
            ;;
        *)
            failure "You must specify only a single primary key ID."
            ;;
    esac

    # check that only a single secret key was found
    case $(echo "$gpgSecOut" | grep -c '^sec:') in
        0)
            failure "No secret keys found.  Create an OpenPGP key with the following command:
 gpg --gen-key"
            ;;
        1)
            keyID=$(echo "$gpgSecOut" | cut -d: -f5)
            ;;
        *)
            echo "Multiple primary secret keys found:"
            echo "$gpgSecOut" | cut -d: -f5
            failure "Please specify which primary key to use."
            ;;
    esac

    # check that a valid authentication key does not already exist
    IFS=$'\n'
    for line in $(gpg --quiet --fixed-list-mode --list-keys --with-colons "$keyID") ; do
        type=$(echo "$line" | cut -d: -f1)
        validity=$(echo "$line" | cut -d: -f2)
        usage=$(echo "$line" | cut -d: -f12)

        # look at keys only
        if [ "$type" != 'pub' -a "$type" != 'sub' ] ; then
            continue
        fi
        # check for authentication capability
        if ! check_capability "$usage" 'a' ; then
            continue
        fi
        # if authentication key is valid, prompt to continue
        if [ "$validity" = 'u' ] ; then
            echo "A valid authentication key already exists for primary key '$keyID'."
            read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N}
            if [ "${OK/y/Y}" != 'Y' ] ; then
                failure "aborting."
            fi
            break
        fi
    done

    # set subkey defaults
    # prompt about key expiration if not specified
    keyExpire=$(get_gpg_expiration "$keyExpire")

    # generate the list of commands that will be passed to edit-key
    editCommands=$(cat <<EOF
addkey
7
S
E
A
Q
$keyLength
$keyExpire
save
EOF
)

    log verbose "generating subkey..."
    fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
    (umask 077 && mkfifo "$fifoDir/pass")
    echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &

    # FIXME: this needs to fail more gracefully if the passphrase is incorrect
    passphrase_prompt  "Please enter your passphrase for $keyID: " "$fifoDir/pass"

    rm -rf "$fifoDir"
    wait
    log verbose "done."
}