[Pkg-privacy-commits] [msva-perl] 03/15: limit key output to authentication-capable, non-disabled, non-expired keys

Ximin Luo infinity0 at moszumanska.debian.org
Mon Aug 24 07:42:17 UTC 2015


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch master
in repository msva-perl.

commit 3d1ba6a0a31546cd3a25a8b73efd3f12ea6d6d03
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Mon Feb 4 20:28:58 2013 -0500

    limit key output to authentication-capable, non-disabled, non-expired keys
---
 openpgp2x509 | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/openpgp2x509 b/openpgp2x509
index 787947e..acc81f7 100755
--- a/openpgp2x509
+++ b/openpgp2x509
@@ -4,14 +4,26 @@
 # Copyright: 2011, 2013
 # License: GPL-3+
 
+# Usage (two examples):
+
+# openpgp2x509 'Daniel Kahn Gillmor <dkg at fifthhorseman.net>'
+# openpgp2x509 ssh://lair.fifthhorseman.net
+
+# Each invocation will produce a series of PEM-encoded X.509
+# certificates on stdout corresponding to keys that are well-bound to
+# the specified OpenPGP User ID.
+
+# This tool should detect (based on the form of the User ID) what kind
+# of X.509 certificate to produce
+
+# It only emits certificates for OpenPGP keys that are marked with the
+# "Authentication" usage flag.  FIXME: make the usage flag selection
+# adjustable by an environment variable or something.
+
 # WARNING: This is very rough code!  the interface WILL change
 # dramatically.  The only thing I can commit to keeping stable are the
 # OIDs.
 
-# Use this code to take an OpenPGP certificate (pubkey) and emit a
-# corresponding OpenPGP-validated X.509 certificate.
-
-# Usage: openpgp2x509 ssh://lair.fifthhorseman.net
 
 use strict;
 use warnings;
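Review bot: The new header comment documents only the "Authentication" usage-flag filter, although this commit also skips expired and disabled keys, and the FIXME left in makeX509CertForUserID shows that revoked keys are still not filtered. Anyone relying on the emitted certificates for authentication needs to know that last part, so I would state it where the usage is described. A line such as `# Expired and disabled keys are skipped; revocation is NOT checked yet.` after the usage-flag paragraph would cover it.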
@@ -271,7 +283,20 @@ sub makeX509CertForUserID {
         err("key 0x%s is algorithm %d (not RSA) -- we currently only handle RSA\n", $subkey->fingerprint->as_hex_string, $subkey->algo_num);
         next;
       }
-      # FIXME: reject/skip over revoked/expired keys.
+      # FIXME: reject/skip over revoked keys.
+      if (defined($subkey->{expiration_date}) &&
+          $subkey->{expiration_date} <= time()) {
+        err("key 0x%s is expired -- skipping\n", $subkey->fingerprint->as_hex_string);
+        next;
+      }
+      if ($subkey->{usage_flags} =~ /D/) {
+        err("key 0x%s is disabled -- skipping\n", $subkey->fingerprint->as_hex_string);
+        next;
+      }
+      if ($subkey->{usage_flags} !~ /a/) {
+        err("key 0x%s is not authentication-capable -- skipping\n", $subkey->fingerprint->as_hex_string);
+        next
+      }
 
       my $pubkey = { 'modulus' => @{$subkey->pubkey_data}[0],
                      'exponent' => @{$subkey->pubkey_data}[1],
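Review bot: The disabled check `$subkey->{usage_flags} =~ /D/` may miss a subkey whose primary key is disabled, because GnuPG reports the `D` marker in the primary key's capability field rather than on each subkey. The loop header is outside the hunk, so I cannot tell whether `$subkey` also covers the primary key; if it does not, the primary's flags and expiration should be tested once before any of its subkeys is turned into a certificate. The new checks also read `$subkey->{expiration_date}` and `$subkey->{usage_flags}` as hash slots while the neighbouring lines use accessors (`$subkey->fingerprint`, `$subkey->algo_num`); accessors would be more consistent if the key class provides them. The last branch's `next` is missing its `;`.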
@@ -336,9 +361,9 @@ sub makeX509CertForUserID {
       # FIXME: add subjectAltName that matches the type of information
       # we believe we're working with (see the cert-id draft).
 
-      # if @sans is present, should we add them as subjectAltNames? (i
+      # if @sans is present, should we add them as subjectAltNames? i
       # don't think so.  this certificate should be just for the User
-      # ID requested.  The user can always make) another certificate
+      # ID requested.  The user can always make another certificate
       # for the other user IDs and use that one.
 
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/msva-perl.git


