MHDATADIR="${SYSDATADIR}/host"
# host pub key files
-HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.gpg"
-# host pub key fingerprints file
-HOST_KEY_FPR_FILE="${SYSDATADIR}/host_keys.fprs"
+HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.pgp"
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# list the info about the a key, in colon format, to stdout
gpg_host_list_keys() {
- gpg_host --list-keys --with-colons --fixed-list-mode \
- --with-fingerprint --with-fingerprint \
- "$1"
+ if [ "$1" ] ; then
+ gpg_host --list-keys --with-colons --fixed-list-mode \
+ --with-fingerprint --with-fingerprint \
+ "$1"
+ else
+ gpg_host --list-keys --with-colons --fixed-list-mode \
+ --with-fingerprint --with-fingerprint
+ fi
}
# edit key scripts, takes scripts on stdin, and keyID as first input
gpg_host --command-fd 0 --edit-key "$@"
}
-# export the monkeysphere gpg pub key file
-update_gpg_pub_file() {
+# export the monkeysphere OpenPGP pub key file
+update_pgp_pub_file() {
log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
- gpg_host --export --armor --export-options export-minimal > "$HOST_KEY_FILE"
- log debug "updating fingerprint file '$HOST_KEY_FPR_FILE'..."
- gpg_host --list-secret-key --with-colons --with-fingerprint \
- | awk -F: '/^fpr:/{ print $10 }' > "$HOST_KEY_FPR_FILE"
+ gpg_host --export --armor --export-options export-minimal \
+ $(gpg_host --list-secret-keys --with-colons --fingerprint | grep ^fpr | cut -f10 -d:) \
+ > "$HOST_KEY_FILE"
}
-host_fingerprints() {
- local fprs=($(cat "$HOST_KEY_FPR_FILE"))
+# check that the service name is well formed. we assume that the
+# service name refers to a host; DNS labels for host names are limited
+# to a very small range of characters (see RFC 1912, section 2.1).
- log debug "host key fingerprints:"
- printf '%s\n' "${fprs[@]}" | log debug
- printf '%s\n' "${fprs[@]}"
-}
+# FIXME: i'm failing to check here for label components that are
+# all-number (e.g. ssh://666.666), which are technically not allowed
+# (though some exist on the 'net, apparently)
+
+# FIXME: this will probably misbehave if raw IP addresses are provided,
+# either IPv4 or IPv6 using the bracket notation.
+
+# FIXME: this doesn't address the use of hashed User IDs.
-# check that the service name is well formed
check_service_name() {
local name="$1"
- log error "FIX ME: check service name"
+ local errs=""
+ local scheme
+ local port
+ local assigned_ports
+
+ [ -n "$name" ] || \
+ failure "You must supply a service name to check"
+
+ printf '%s' "$name" | perl -n -e '($str = $_) =~ s/\s//g ; exit !(lc($str) eq $_);' || \
+ failure "Not a valid service name: '$name'
+
+Service names should be canonicalized to all lower-case,
+with no whitespace"
+
+ [[ "$name" =~ ^[a-z0-9./:-]+$ ]] || \
+ failure "Not a valid service name: '$name'
+
+Service names should contain only lower-case ASCII letters
+numbers, dots (.), hyphens (-), slashes (/), and a colon (:).
+If you are using non-ASCII characters (e.g. IDN), you should
+use the canonicalized ASCII (NAMEPREP -> Punycode) representation
+(see RFC 3490)."
+
+ [[ "$name" =~ \. ]] || \
+ failure "Not a valid service name: '$name'
+
+Service names should use fully-qualified domain names (FQDN), but the
+domain name you chose appears to only have the local part. For
+example: don't use 'ssh://foo' ; use 'ssh://foo.example.com' instead."
+
+ [[ "$name" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?://[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.|((\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+))(:[1-9][0-9]{0,4})?$ ]] || \
+ failure "Not a valid service name: '$name'
+
+Service names look like <scheme>://full.example.com[:<portnumber>],
+where <scheme> is something like ssh or https, and <portnumber> is
+a decimal number (supplied only if the service is on a non-standard
+port)."
+
+ scheme=$(cut -f1 -d: <<<"$name")
+ port=$(cut -f3 -d: <<<"$name")
+
+ # check that the scheme name is found in the system services
+ # database
+ available_=$(get_port_for_service "$scheme") || \
+ log error "Error looking up service scheme named '%s'" "$scheme"
+
+ # FIXME: if the service isn't found, or does not have a port, what
+ # should we do? at the moment, we're just warning.
+
+ if [ -n "$port" ]; then
+ # check that the port number is a legitimate port number (> 0, < 65536)
+ [ "$port" -gt 0 ] && [ "$port" -lt 65536 ] || \
+ failure "The given port number should be greater than 0 and
+less than 65536. '$port' is not OK"
+
+ # if the port number is given, and the scheme is in the services
+ # database, check that the port number does *not* match the
+ # default port.
+ if (printf '%s' "$assigned_ports" | grep -q -F -x "$port" ) ; then
+ failure $(printf "The scheme %s uses port number %d by default.
+You should leave off the port number if it is the default" "$scheme" "$port")
+ fi
+ fi
+
}
# fail if host key not present
check_no_keys() {
- [ -s "$HOST_KEY_FILE" ] || [ -s "$HOST_KEY_FPR_FILE" ] \
+ [ -s "$HOST_KEY_FILE" ] \
|| failure "You don't appear to have a Monkeysphere host key on this server.
Please run 'monkeysphere-host import-key' import a key."
}
check_key_input() {
local keyID="$1"
# array of fingerprints
- local fprs=($(host_fingerprints))
+ local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE"))
case ${#fprs[@]} in
0)
;;
*)
if [ -z "$keyID" ] ; then
- failure "Keyring contains multiple keys. Please specify one to act on (see 'monkeysphere-host show-key')."
+ failure "Your host keyring contains multiple keys.
+Please specify one to act on (see 'monkeysphere-host show-keys')."
fi
;;
esac
printf '%s\n' "${fprs[@]}" | grep "${keyID}$" \
- || failure "Key '$keyID' not found."
+ || failure "Host key '$keyID' not found."
}
# return 0 if user ID was found.
grep -q -x -F "$tmpuidMatch" 2>/dev/null
}
+prompt_userid_exists() {
+ local userID="$1"
+ local gpgOut
+ local fingerprint
+
+ if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then
+ fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10)
+ if [ "$PROMPT" != "false" ] ; then
+ printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$userID" "$fingerprint" >&2
+ read OK; OK=${OK:=N}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "Service name not added."
+ fi
+ else
+ log info "Key '%s' is already using the service name '%s'." "$fingerprint" "$userID" >&2
+ fi
+ fi
+}
+
# run command looped over keys
multi_key() {
local cmd="$1"
shift
local keys=$@
local i=0
- local fprs=($(host_fingerprints))
local key
check_no_keys
+ local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE"))
+
if [[ -z "$1" || "$1" == '--all' ]] ; then
keys="${fprs[@]}"
- else
- for key in $keys ; do
- printf '%s\n' "${fprs[@]}" | grep "${key}$" \
- || failure "Key '$key' not found."
- done
fi
for key in $keys ; do
if (( i++ > 0 )) ; then
- echo "##############################"
+ printf "\n"
fi
- eval "$cmd" "$key"
+ "$cmd" "$key"
done
}
show_key() {
local id="$1"
local GNUPGHOME
- local TMPSSH
local fingerprint
+ local tmpssh
local revokers
# tmp gpghome dir
# import the host key into the tmp dir
gpg --quiet --import <"$HOST_KEY_FILE"
- # create the ssh key
- TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub
- gpg --export "$id" | openpgp2ssh 2>/dev/null >"$TMPSSH"
-
# get the gpg fingerprint
- fingerprint=$(gpg --quiet --list-keys \
+ if gpg --quiet --list-keys \
--with-colons --with-fingerprint "$id" \
- | grep '^fpr:' | cut -d: -f10 )
+ | grep '^fpr:' | cut -d: -f10 > "$GNUPGHOME"/fingerprint ; then
+ fingerprint=$(cat "$GNUPGHOME"/fingerprint)
+ else
+ failure "ID '$id' not found."
+ fi
+
+ # create the ssh key
+ tmpssh="$GNUPGHOME"/ssh_host_key_rsa_pub
+ gpg --export --no-armor "$fingerprint" 2>/dev/null \
+ | openpgp2ssh 2>/dev/null >"$tmpssh"
# list the host key info
# FIXME: make no-show-keyring work so we don't have to do the grep'ing
# FIXME: can we show uid validity somehow?
- gpg --list-keys --list-options show-unusable-uids "$id" 2>/dev/null \
- | grep -v "^${GNUPGHOME}/pubring.gpg$" \
- | egrep -v '^-+$'
+ gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \
+ | grep -v "^${GNUPGHOME}/pubring.gpg$" \
+ | egrep -v '^-+$' \
+ | grep -v '^$'
# list revokers, if there are any
- revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$id" \
+ revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \
| awk -F: '/^rvk:/{ print $10 }' )
if [ "$revokers" ] ; then
echo "The following keys are allowed to revoke this host key:"
for key in $revokers ; do
echo "revoker: $key"
done
- echo
fi
# list the pgp fingerprint
# list the ssh fingerprint
echo -n "ssh fingerprint: "
- ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }'
+ ssh-keygen -l -f "$tmpssh" | awk '{ print $1, $2, $4 }'
# remove the tmp file
trap - EXIT
shift
case $COMMAND in
- 'import-key'|'i')
+ 'import-key'|'import'|'i')
source "${MHSHAREDIR}/import_key"
import_key "$@"
;;
multi_key show_key "$@"
;;
- 'set-expire'|'extend-key'|'e')
+ 'set-expire'|'extend-key'|'extend'|'e')
source "${MHSHAREDIR}/set_expire"
set_expire "$@"
;;
diagnostics
;;
- 'update-gpg-pub-file')
- update_gpg_pub_file
+ 'update-pgp-pub-file')
+ update_pgp_pub_file
;;
- 'version'|'v')
+ 'version'|'--version'|'v')
version
;;
projects / monkeysphere.git / blobdiff