[Pkg-privacy-commits] [Git][pkg-privacy-team/monkeysphere][master] 5 commits: update preparing-release to account for DEP-14 branch names
Daniel Kahn Gillmor
dkg at debian.org
Fri May 10 22:17:27 BST 2019
Daniel Kahn Gillmor pushed to branch master at Privacy Maintainers / monkeysphere
Commits:
d419333a by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
update preparing-release to account for DEP-14 branch names
- - - - -
ba881b1a by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
tests/basic: ensure functionality with output of standard OpenSSH keygen
Our "fix" to https://bugs.debian.org/909700 in
d8fc9f284fc9a128a174b16ad19e866f1c00bc27 just avoided testing the
actual typical default output of ssh-keygen.
While this was fair to do in tests/keytrans, where it is exercised on
pem2openpgp (which is explicitly defined as only accepting PEM input),
this is inappropriate for testing monkeysphere in general.
So now, the test suite breaks again, but we need to provide a proper
fix.
- - - - -
198271a7 by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
Use gpg's reworked --quick-* interface for adding/revoking uids
This interface stabilized in GnuPG 2.1.17, so we increase our
versioned dependency.
- - - - -
84feb2ef by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
Drop unused keytrans subcommands adduserid and revokeuserid
These subcommands are explicitly undocumented and unmaintained, and we
are no longer using them. Get rid of the cruft.
- - - - -
96d97ca1 by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
mh import-key: use ssh-add and gpg-agent for import (Closes: #909700)
This directly fixes the problem that monkeysphere-host was failing to
import the style of SSH host key that was generated by default by
ssh-keygen.
As a side effect, we can now support all the host key algorithms that
are supported by both gpg-agent (in its ssh-agent implementation) and
ssh-add.
The lockfile and the dancing around the gpg-agent run in
$GNUPGHOME_HOST is a bit awkward. It would be nicer to use an
ephemeral GnuPG homedir as recommended in the "Unattended Usage"
section of the gnupg info pages, but to do that we'd need to be able
to extract the secret key, which is blocked by
https://dev.gnupg.org/T4490
- - - - -
9 changed files:
- README
- man/man8/monkeysphere-host.8
- src/share/keytrans
- src/share/mh/add_name
- src/share/mh/import_key
- src/share/mh/revoke_name
- tests/basic
- tests/keytrans
- utils/preparing-release
Changes:
=====================================
README
=====================================
@@ -19,7 +19,7 @@ Dependencies
Monkeysphere depends on:
- * GnuPG >= 2.1.11
+ * GnuPG >= 2.1.17
* Perl
* Perl's Crypt::OpenSSL::RSA module
* lockfile-progs or procmail's lockfile
=====================================
man/man8/monkeysphere-host.8
=====================================
@@ -27,9 +27,10 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
\fBmonkeysphere\-host\fP takes various subcommands:
.TP
.B import\-key FILE SCHEME://HOSTNAME[:PORT]
-Import a PEM\-encoded host secret key from file FILE. If FILE is
-`\-', then the key will be imported from stdin. Only RSA keys are
-supported at the moment. SCHEME://HOSTNAME[:PORT] is used to specify
+Import an SSH host secret key from file FILE. If FILE is
+`\-', then the key will be imported from stdin, and must be an
+RSA key in PEM\-encoded format.
+SCHEME://HOSTNAME[:PORT] is used to specify
the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
used in the user ID of the new OpenPGP key (e.g. ssh://example.net or
https://www.example.net). If PORT is not specified, then no port is
=====================================
src/share/keytrans
=====================================
@@ -871,147 +871,6 @@ sub getallprimarykeys {
}
}
-sub adduserid {
- my $instr = shift;
- my $fpr = shift;
- my $uid = shift;
- my $args = shift;
-
- if ((! defined $fpr) ||
- (length($fpr) < 8)) {
- die "We need at least 8 hex digits of fingerprint.\n";
- }
-
- $fpr = uc($fpr);
-
- if (! defined $uid) {
- die "No User ID defined.\n";
- }
-
- my $data = { target => { fpr => $fpr,
- uid => $uid,
- },
- };
- my $subs = { $packet_types->{seckey} => \&findkey,
- $packet_types->{uid} => \&finduid,
- $packet_types->{sig} => \&findsig,
- };
-
- packetwalk($instr, $subs, $data);
-
- if ((! defined $data->{key}) ||
- (! defined $data->{key}->{rsa}) ||
- (! defined $data->{key}->{timestamp})) {
- die "The key requested was not found.\n"
- }
-
- if (defined $data->{uid}->{$uid} &&
- defined $data->{sigs} &&
- scalar(@{$data->{sigs}}) > 0 ) {
- die "The requested User ID '$uid' is already associated with this key.\n";
- }
- $args->{key_timestamp} = $data->{key}->{timestamp};
-
- return
- make_packet($packet_types->{pubkey}, make_rsa_pub_key_body($data->{key}->{rsa}, $data->{key}->{timestamp})).
- make_packet($packet_types->{uid}, $uid).
- makeselfsig($data->{key}->{rsa},
- $uid,
- $args);
-
-}
-
-
-sub revokeuserid {
- my $instr = shift;
- my $fpr = shift;
- my $uid = shift;
- my $sigtime = shift;
-
- if ((! defined $fpr) ||
- (length($fpr) < 8)) {
- die "We need at least 8 hex digits of fingerprint.\n";
- }
-
- $fpr = uc($fpr);
-
- if (! defined $uid) {
- die "No User ID defined.\n";
- }
-
- my $data = { target => { fpr => $fpr,
- uid => $uid,
- },
- };
- my $subs = { $packet_types->{seckey} => \&findkey,
- $packet_types->{uid} => \&finduid,
- $packet_types->{sig} => \&findsig,
- };
-
- packetwalk($instr, $subs, $data);
-
- if ((! defined $data->{uid}) ||
- (! defined $data->{uid}->{$uid})) {
- die "The User ID \"$uid\" is not associated with this key";
- }
-
- if ((! defined $data->{key}) ||
- (! defined $data->{key}->{rsa}) ||
- (! defined $data->{key}->{timestamp})) {
- die "The key requested was not found."
- }
-
- my $revocation_reason = 'No longer using this hostname';
- if (defined $data->{revocation_reason}) {
- $revocation_reason = $data->{revocation_reason};
- }
-
- my $rev_reason_subpkt = prefixsubpacket(pack('CC',
- $subpacket_types->{revocation_reason},
- $revocation_reasons->{user_id_no_longer_valid}).
- $revocation_reason);
-
- if (! defined $sigtime) {
- $sigtime = time();
- }
- # what does a signature like this look like?
- my $args = { key_timestamp => $data->{key}->{timestamp},
- sig_timestamp => $sigtime,
- certification_type => $sig_types->{certification_revocation},
- hashed_subpackets => $rev_reason_subpkt,
- };
-
- return
- make_packet($packet_types->{pubkey}, make_rsa_pub_key_body($data->{key}->{rsa}, $data->{key}->{timestamp})).
- make_packet($packet_types->{uid}, $uid).
- join('', @{$data->{sigs}}).
- gensig($data->{key}->{rsa}, $uid, $args);
-}
-
-
-# see 5.2.3.1 for tips on how to calculate the length of a subpacket:
-sub prefixsubpacket {
- my $subpacket = shift;
-
- my $len = length($subpacket);
- my $prefix;
- use bytes;
- if ($len < 192) {
- # one byte:
- $prefix = pack('C', $len);
- } elsif ($len < 16576) {
- my $in = $len - 192;
- my $second = $in%256;
- my $first = ($in - $second)>>8;
- $prefix = pack('CC', $first + 192, $second)
- } else {
- $prefix = pack('CN', 255, $len);
- }
- return $prefix.$subpacket;
-}
-
-
-
sub packetwalk {
my $instr = shift;
my $subs = shift;
@@ -1172,30 +1031,7 @@ for (basename($0)) {
# UNDOCUMENTED, and WILL NOT BE MAINTAINED.
my $subcommand = shift;
for ($subcommand) {
- if (/^revokeuserid$/) {
- my $fpr = shift;
- my $uid = shift;
- my $instream;
- open($instream,'-');
- binmode($instream, ":bytes");
-
- my $revcert = revokeuserid($instream, $fpr, $uid, $ENV{PEM2OPENPGP_TIMESTAMP});
-
- print $revcert;
- } elsif (/^adduserid$/) {
- my $fpr = shift;
- my $uid = shift;
- my $instream;
- open($instream,'-');
- binmode($instream, ":bytes");
- my $newuid = adduserid($instream, $fpr, $uid,
- { sig_timestamp => $ENV{PEM2OPENPGP_TIMESTAMP},
- expiration => $ENV{PEM2OPENPGP_EXPIRATION},
- usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS},
- });
-
- print $newuid;
- } elsif (/^listfprs$/) {
+ if (/^listfprs$/) {
my $instream;
open($instream,'-');
binmode($instream, ":bytes");
@@ -1232,4 +1068,3 @@ for (basename($0)) {
die "Unrecognized keytrans call.\n";
}
}
-
=====================================
src/share/mh/add_name
=====================================
@@ -50,10 +50,7 @@ else
fi
# execute edit-key script
-if gpg_host --export-secret-keys "$keyID" | \
- PEM2OPENPGP_USAGE_FLAGS=authenticate \
- "$SYSSHAREDIR/keytrans" adduserid "$keyID" "$serviceName" \
- | gpg_host --import ; then
+if gpg_host --quick-add-uid "$keyID" "$serviceName" ; then
gpg_host --check-trustdb
=====================================
src/share/mh/import_key
=====================================
@@ -18,7 +18,7 @@ local serviceName="$2"
# check that key file specified
if [ -z "$keyFile" ] ; then
- failure "Must specify PEM-encoded key file to import, or specify '-' for stdin."
+ failure "Must specify key file to import, or specify '-' for PEM-encoded RSA key on stdin."
fi
# fail if hostname not specified
@@ -37,16 +37,84 @@ mkdir -p "${MHDATADIR}"
mkdir -p "${GNUPGHOME_HOST}"
chmod 700 "${GNUPGHOME_HOST}"
-# import pem-encoded key to an OpenPGP private key
+key_type_from_file() {
+ # translates from OpenSSH's pubkey format string to GnuPG's
+ # Key-Type parameter:
+ local keyType
+ if keyType=$(ssh-keygen -y -f "$keyFile" | awk '{ print $1 }'); then
+ case "$keyType" in
+ ssh-dss)
+ echo DSA
+ ;;
+ ecdsa-sha2-nistp256)
+ echo ECDSA
+ ;;
+ ssh-ed25519)
+ echo EDDSA
+ ;;
+ ssh-rsa)
+ echo RSA
+ ;;
+ *)
+ log error "unknown key type '$keyType' from file '$keyFile'"
+ return 1
+ ;;
+ esac
+ else
+ log error "ssh-keygen could not interpret '$keyFile'"
+ return 1
+ fi
+ return 0
+}
+
+
if [ "$keyFile" = '-' ] ; then
- log verbose "importing key from stdin..."
+ # import PEM-encoded RSA stdin to an OpenPGP private key
+ log verbose "importing PEM-encoded RSA key from stdin..."
PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
| gpg_host --import
else
- log verbose "importing key from file '$keyFile'..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
- <"$keyFile" \
- | gpg_host --import
+ # import some sort of file that OpenSSH's keygen can handle
+ if keyType=$(key_type_from_file "$keyFile"); then
+ # we lock to avoid concurrent interactions with gpg-agent and
+ # the sshcontrol file would be dubious
+ lock create "$GNUPGHOME_HOST/importlock"
+ if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
+ backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
+ log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
+ mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
+ fi
+
+ log verbose "importing $keyType key from file '$keyFile'..."
+ if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
+ echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
+ GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
+ GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
+ fi
+ SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
+ if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
+ test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
+ gpg_host --batch --full-generate-key <<EOF
+Key-Type: $keyType
+Key-Grip: $keyGrip
+Key-Usage: auth
+Name-Real: $serviceName
+%no-protection
+%commit
+EOF
+ else
+ rm -f "$GNUPGHOME_HOST/sshcontrol"
+ lock remove "$GNUPGHOME_HOST/importlock"
+ failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
+ fi
+ rm -f "$GNUPGHOME_HOST/sshcontrol"
+ lock remove "$GNUPGHOME_HOST/importlock"
+ else
+ log error "falling back to pem2openpgp (which will probably still fail)..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+ <"$keyFile" \
+ | gpg_host --import
+ fi
fi
# export to OpenPGP public key to file
=====================================
src/share/mh/revoke_name
=====================================
@@ -46,15 +46,7 @@ else
fi
# actually revoke:
-
-# the gpg secring might not contain the host key we are trying to
-# revoke (let alone any selfsig over that host key), but the plain
-# --export won't contain the secret key. "keytrans revokeuserid"
-# needs access to both pieces, so we feed it both of them.
-
-if gpg_host --export-secret-keys "$keyID" \
- | "$SYSSHAREDIR/keytrans" revokeuserid "$keyID" "$serviceName" \
- | gpg_host --import ; then
+if gpg_host --quick-revoke-uid "$keyID" "$serviceName" ; then
gpg_host --check-trustdb
=====================================
tests/basic
=====================================
@@ -275,7 +275,7 @@ fi
echo
echo "##################################################"
echo "### import host key..."
-ssh-keygen -m PEM -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
+ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
echo
=====================================
tests/keytrans
=====================================
@@ -136,57 +136,6 @@ gpg --check-trustdb
gpg --list-keys
-echo "##################################################"
-echo "### test User ID addition..."
-gpg --export-secret-keys | \
-PEM2OPENPGP_TIMESTAMP="$timestamp" \
- PEM2OPENPGP_USAGE_FLAGS=sign,certify \
- keytrans adduserid "$KEYID" "monkeymonkey" | gpg --import
-
-gpg --check-trustdb
-gpg --list-keys
-
-cat >"$TEMPDIR"/expectedout <<EOF
-pub:u:3072:1:$KEYID:$timestamp:::u:::scSC
-uid:u::::$timestamp::E90EC72E68C6C2A0751DADC70F54F60D27B88C3D::monkeymonkey
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
-uid:u::::$timestamp::8200BD0425CC70C7D698DF3FE412044EAAB83F94::testtest
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
-EOF
-
-diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons | grep -vE '^(tru|fpr):' | cut -d: -f1-16 | sed 's/:*$//')
-
-echo "##################################################"
-echo "### sleeping to avoid test suite breakage on fast"
-echo "### processors (see https://bugs.debian.org/591118)"
-
-sleep 2
-
-echo "##################################################"
-echo "### test User ID revocation ... "
-
-revtime=$(($timestamp + 1))
-
-gpg --export-secret-keys | \
-PEM2OPENPGP_TIMESTAMP="$revtime" \
- keytrans revokeuserid "$KEYID" "testtest" | gpg --import
-
-gpg --check-trustdb
-gpg --list-keys
-
-cat >"$TEMPDIR"/expectedout <<EOF
-pub:u:3072:1:$KEYID:$timestamp:::u:::scSC
-uid:u::::$timestamp::E90EC72E68C6C2A0751DADC70F54F60D27B88C3D::monkeymonkey
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
-uid:r::::::8200BD0425CC70C7D698DF3FE412044EAAB83F94::testtest
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
-rev:!::1:$KEYID:$revtime::::monkeymonkey:30x,20::$KEYFPR:::8
-EOF
-
-
-diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons | grep -vE '^(tru|fpr):' | cut -d: -f1-16 | sed 's/:*$//')
-
-
echo "##################################################"
echo "### test working with two primary keys ... "
@@ -201,19 +150,14 @@ NEWKEYID=$( printf "%s" "$NEWKEYFPR" | cut -b25-40)
< "$TEMPDIR"/newkey.gpg gpg --import
-gpg --export-secret-keys | \
-PEM2OPENPGP_TIMESTAMP="$timestamp" \
- keytrans adduserid "$KEYID" "baz" | gpg --import
+gpg --batch --no-tty --faked-system-time "$timestamp" --quick-add-uid "$KEYID" baz
cat >"$TEMPDIR"/expectedout <<EOF
pub:u:3072:1:$KEYID:$timestamp:::u:::scSC
-uid:u::::$timestamp::E90EC72E68C6C2A0751DADC70F54F60D27B88C3D::monkeymonkey
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
-uid:r::::::8200BD0425CC70C7D698DF3FE412044EAAB83F94::testtest
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
-rev:!::1:$KEYID:$revtime::::monkeymonkey:30x,20::$KEYFPR:::8
+uid:u::::$timestamp::8200BD0425CC70C7D698DF3FE412044EAAB83F94::testtest
+sig:!::1:$KEYID:$timestamp::::testtest:13x::$KEYFPR:::8
uid:u::::$timestamp::EDDC32D783E7F4C7B6982D9AE5DC4A61000648BA::baz
-sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x::$KEYFPR:::8
+sig:!::1:$KEYID:$timestamp::::testtest:13x::$KEYFPR:::8
pub:-:3072:1:$NEWKEYID:$(($timestamp + 1)):::-:::caCA
uid:-::::$(($timestamp + 1))::A0D708F51CC257DEFC01AEDE1E0A5F329DFD8F16::fubar
sig:!::1:$NEWKEYID:$(($timestamp + 1))::::fubar:13x::$NEWKEYFPR:::8
=====================================
utils/preparing-release
=====================================
@@ -11,7 +11,7 @@
* create debian-specific version tag:
- git tag -s -m "Tagging Monkeysphere $version-1" monkeysphere_$version-1 debian
+ git tag -s -m "Tagging Monkeysphere $version-1" monkeysphere_$version-1 debian/master
* make releasenote
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/compare/48785b0e71407d5c45de89df024d1afce65454a6...96d97ca1894b838b82e078368ef44a8863eca151
--
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/compare/48785b0e71407d5c45de89df024d1afce65454a6...96d97ca1894b838b82e078368ef44a8863eca151
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-privacy-commits/attachments/20190510/0f598156/attachment-0001.html>
More information about the Pkg-privacy-commits
mailing list