# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)

# Monkeysphere authentication list-certifiers subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.

# list the host certifiers

list_certifiers() {

local keys
local key
local authfpr
local keyfpr
local uid
local printedfpr

# find trusted keys in sphere keychain
log debug "finding trusted keys..."

# FIXME: this assumes that the keygrip (16 hex chars) is unique; we're
# only searching by keygrip at the moment.

authgrip=$(core_fingerprint | cut -b 25-40)

# We're walking the list of known signatures, and extracting all trust
# signatures made by the core fingerprint and known to the sphere
# keyring.

# for each one of these, we're printing (colon-delimited): the
# fingerprint, the trust depth, the trust level (60 == marginal, 120
# == full), and the domain regex (if any):

gpg_sphere "--fingerprint --with-colons --fixed-list-mode --check-sigs" | \
    cut -f 1,2,5,8,9,10 -d: | \
    egrep '^(fpr:::::|uat:|uid:|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
    while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
    case $type in
	'fpr') # this is a new key
	    keyfpr=$fpr
	    uid=
	    printedfpr=no
	    ;;
	'uid') # here comes a user id (if we don't have a key, or the
	       # uid has no calculated validity, we will not bother
	       # with it):
	    if [ "$keyfpr" ] && [ "$validity" = 'f' ] ; then
		uid="$fpr"
	    else
		uid=
	    fi
	    ;;
	'uat') # this is a user attribute. DETAILS.gz states that the
	       # 10th field is the number of user attribute
	       # subpackets, followed by the total number of bytes of
	       # the subpackets:
	    if [ "$keyfpr" ] && [ "$validity" = 'f' ] ; then
		uid=$(printf "%d JPEG(?) image(s), total %d bytes" \
		    "${fpr%% *}" "${fpr##* }")
	    else
		uid=
	    fi
	    ;;
	'sig') # print all trust signatures, including regexes if
	       # present, assuming that
	    if [ "$keyfpr" ] && [ "$uid" ] ; then
		trustdepth=${trustparams%% *}
		trustlevel=${trustparams##* }
		if [ "$printedfpr" = no ] ; then
		    printf "%s:\n" "$keyfpr"
		    printedfpr=yes
		fi

	    # FIXME: this is clumsy and not human-friendly.  we should
	    # print out more human-readable information, if possible.
		printf " :%s:%d:%d:%s\n" "$uid" "$trustdepth" "$trustlevel" "$trustdomain"
	    fi
	    ;;
    esac
done

}