[Pkg-privacy-commits] [Git][pkg-privacy-team/monkeysphere][master] 4 commits: examples/make-x509-certreqs: use gpgsm instead of openpgp2ssh
Daniel Kahn Gillmor
dkg at debian.org
Sun May 12 19:28:16 BST 2019
Daniel Kahn Gillmor pushed to branch master at Privacy Maintainers / monkeysphere
Commits:
badeb83c by Daniel Kahn Gillmor at 2019-05-12T17:39:47Z
examples/make-x509-certreqs: use gpgsm instead of openpgp2ssh
Ideally, we could just rely on gpgsm to generate the appropriate
certificate request. However, that's not currently possible (see
https://dev.gnupg.org/T4503).
Note that this codebase doesn't yet work on systems where
monkeysphere-host had initially imported keys from classic GnuPG
(version 1.4), since gpgsm does not share secret key material with
classic GnuPG.
Fixing that properly would require an upgrade/transition step that
detects the older pubring.gpg and secring.gpg and imports them
correctly (possibly managing ownertrust at the same time).
- - - - -
3a93907b by Daniel Kahn Gillmor at 2019-05-12T17:46:35Z
drop unimplemented import-subkey
https://dev.gnupg.org/T4489 represents the best way to ensure that
something like import-subkey works given the current implementation of
monkeysphere. If that works, and we can adopt it by increasing the
versioned dependency on GnuPG, then we can add this feature, but
currently we should not keep unimplemented code lingering.
- - - - -
87bd1dbc by Daniel Kahn Gillmor at 2019-05-12T18:00:12Z
ma/setup: use gpg --quick-gen-key instead of pem2openpgp's key creation
modern gpg permits clean, quiet key generation; by using it here, we
reduce our dependency on pem2openpgp.
- - - - -
bedd79cd by Daniel Kahn Gillmor at 2019-05-12T18:24:39Z
mh/import_key: avoid use of pem2openpgp
since ssh-add as of OpenSSH 6.0 can use - as stdin, we depend on that
codepath for all cases. This removes the final dependence on keytrans
for the standard monkeysphere interface.
- - - - -
8 changed files:
- README
- examples/make-x509-certreqs
- man/man8/monkeysphere-host.8
- src/monkeysphere
- src/share/keytrans
- − src/share/m/import_subkey
- src/share/ma/setup
- src/share/mh/import_key
Changes:
=====================================
README
=====================================
@@ -24,4 +24,4 @@ Monkeysphere depends on:
* Perl's Crypt::OpenSSL::RSA module
* lockfile-progs or procmail's lockfile
* Bash
- * OpenSSH's ssh-keygen utility (ideally >= 6.0)
+ * OpenSSH's ssh-keygen utility (>= 6.0)
=====================================
examples/make-x509-certreqs
=====================================
@@ -13,7 +13,7 @@
# This script uses bashisms
-# It currently needs OpenSSL binaries to work properly
+# It currently needs OpenSSL binaries, gpg, and gpgsm to work properly
# It assumes that the monkeysphere-host keyring is in
# /var/lib/monkeysphere/host (which it is on debian)
@@ -67,23 +67,40 @@ EOF
}
gencertreq() {
- keyid="$1"
+ local keyid="$1"
- timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:)
+ # It would be great to be able to do all of this with gpgsm
+ # directly. See https://dev.gnupg.org/T4503 for why we need to
+ # use OpenSSL for now.
+
+ local timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | awk -F: '/^pub:/{ print $6 }')
+ local keygrip=$(gpg --fixed-list-mode --with-keygrip --with-colons --list-keys "0x$keyid!" | awk -F: '/^grp:/{ print $10 }')
- san=''
- primary=''
+ local primary
# find all the $proto-using User IDs:
- uids=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \
+ local uids=$(gpg --fixed-list-mode --with-colons --list-keys \&"$keygrip" | \
grep '^uid:' | cut -f10 -d: | \
grep '^'"${proto}"'\\x3a//' | \
sed -r -e 's!^'"${proto}"'\\x3a//!!' -e 's!:[0-9]+$!!')
primary=$(printf "%s" "$uids" | head -n1)
-
+
+ # does gpgsm know about this key?
+ if ! gpgsm --with-colons --with-keygrip --list-keys \&"$keygrip" | grep -q ^grp: ; then
+ # ensure that gpgsm has a dummy self-signed cert; otherwise, it
+ # cannot emit the secret key in the necessary form.
+ local batchcmd="Key-Type: RSA
+Key-Grip: $keygrip
+Name-DN: CN=$primary (monkeysphere dummy self-signed)
+Serial: $keygrip
+%commit"
+ local dummycert="$(gpgsm --armor --batch --generate-key <<<"$batchcmd")"
+ gpgsm --import <<<"$dummycert"
+ fi
+
printf "Certificate Request for TLS WWW server %s\n[OpenPGP key %s]\n" "$primary" "$keyid"
openssl req -text -new \
-config <(get_openssl_config "$timestamp" "$uids") \
- -key <(gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid") \
+ -key <(gpgsm --armor --export-secret-key-raw \&"$keygrip") \
-subj "/CN=${primary}/"
}
=====================================
man/man8/monkeysphere-host.8
=====================================
@@ -29,7 +29,7 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
.B import\-key FILE SCHEME://HOSTNAME[:PORT]
Import an SSH host secret key from file FILE. If FILE is
`\-', then the key will be imported from stdin, and must be an
-RSA key in PEM\-encoded format.
+RSA key.
SCHEME://HOSTNAME[:PORT] is used to specify
the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
used in the user ID of the new OpenPGP key (e.g. ssh://example.net or
=====================================
src/monkeysphere
=====================================
@@ -246,8 +246,7 @@ case $COMMAND in
;;
'import-subkey'|'import'|'i')
- source "${MSHAREDIR}/import_subkey"
- import_subkey "$@"
+ failure "import-subkey is not implemented yet. (see https://dev.gnupg.org/T4489)"
;;
'gen-subkey'|'g')
=====================================
src/share/keytrans
=====================================
@@ -36,7 +36,7 @@
# Example usage:
# gpg --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \
-# openpgp2ssh $KEYID | ssh-add /dev/stdin
+# openpgp2ssh $KEYID | ssh-add -
# Authors:
=====================================
src/share/m/import_subkey deleted
=====================================
@@ -1,68 +0,0 @@
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere import-subkey subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins at finestructure.net>
-# Jamie McClelland <jm at mayfirst.org>
-# Daniel Kahn Gillmor <dkg at fifthhorseman.net>
-#
-# They are Copyright 2008-2009, and are all released under the GPL,
-# version 3 or later.
-
-# import an existing ssh key as a gpg subkey
-
-## 2009-02-20 00:49:11-0500: This is not implemented yet, because we
-## don't currently have a good way to manipulate the user's OpenPGP
-## secret key such that we could make a proper subkey binding
-## signature.
-
-import_subkey() {
- local sshKeyFile
- local keyID
- local gpgSecOut
- local fifoDir
-
- # FIXME: implement!
- failure "import-subkey is not implemented yet. We welcome patches. Sorry!"
-
- sshKeyFile="$1"
- shift
-
- # check that key file specified
- if [ -z "$sshKeyFile" ] ; then
- failure "Must specify ssh key file to import, or specify '-' for stdin."
- fi
-
- # check that the keyID is unique
- keyID=$(check_gpg_sec_key_id "$@")
-
- # check that an authentication subkey does not already exist
- check_gpg_authentication_subkey "$keyID"
-
- # setup the temp fifo dir for retrieving the key password
- log debug "creating password fifo..."
- fifoDir=$(msmktempdir)
- trap "rm -rf $fifoDir" EXIT
- (umask 077 && mkfifo "$fifoDir/pass")
-
- # import ssh key to as authentication subkey
- if [ "$sshKeyFile" = '-' ] ; then
- log verbose "importing ssh key from stdin..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
- | gpg_user --batch --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
- else
- log verbose "importing ssh key from file '$sshKeyFile'..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" <"$sshKeyFile" \
- | gpg_user --batch --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
- fi
-
- # get the password if needed
- passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass"
-
- trap - EXIT
- rm -rf "$fifoDir"
- wait
- log verbose "done."
-}
=====================================
src/share/ma/setup
=====================================
@@ -70,11 +70,9 @@ EOF
local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(dd if=/dev/urandom bs=21 count=1 2>/dev/null | perl -MMIME::Base64 -ne 'print encode_base64($_)'))
- printf "generating monkeysphere authentication trust core key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
- PEM2OPENPGP_USAGE_FLAGS=certify \
- PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \
- | gpg_core --import \
- || failure "Could not import new key for Monkeysphere authentication trust core"
+ printf "generating monkeysphere authentication trust core RSA key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
+ gpg_core --pinentry-mode=loopback --passphrase '' --quick-generate-key "$CORE_UID" "rsa$CORE_KEYLENGTH" cert \
+ || failure "Could not import new key for Monkeysphere authentication trust core"
# get fingerprint of core key. should definitely not be empty at this point
CORE_FPR=$(core_fingerprint)
=====================================
src/share/mh/import_key
=====================================
@@ -69,32 +69,34 @@ key_type_from_file() {
if [ "$keyFile" = '-' ] ; then
- # import PEM-encoded RSA stdin to an OpenPGP private key
- log verbose "importing PEM-encoded RSA key from stdin..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
- | gpg_host --import
+ # stdin we just assume is RSA, since we don't get a chance to scan it twice:
+ log verbose "importing RSA key from stdin..."
+ keyType=RSA
else
- # import some sort of file that OpenSSH's keygen can handle
- if keyType=$(key_type_from_file "$keyFile"); then
- # we lock to avoid concurrent interactions with gpg-agent and
- # the sshcontrol file would be dubious
- lock create "$GNUPGHOME_HOST/importlock"
- if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
- backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
- log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
- mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
- fi
-
- log verbose "importing $keyType key from file '$keyFile'..."
- if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
- echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
- GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
- GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
- fi
- SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
- if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
- test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
- gpg_host --batch --full-generate-key <<EOF
+ # import some sort of file that OpenSSH's ssh-keygen can handle
+ # if it turns out that ssh-keygen can't handle it, this should fail, and we'll abort.
+ keyType=$(key_type_from_file "$keyFile")
+fi
+
+# we lock to avoid concurrent interactions with gpg-agent and
+# the sshcontrol file would be dubious
+lock create "$GNUPGHOME_HOST/importlock"
+if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
+ backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
+ log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
+ mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
+fi
+
+log verbose "importing $keyType key from file '$keyFile'..."
+if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
+ echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
+ GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
+ GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
+fi
+SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
+if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
+ test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
+ gpg_host --batch --full-generate-key <<EOF
Key-Type: $keyType
Key-Grip: $keyGrip
Key-Usage: auth
@@ -102,20 +104,13 @@ Name-Real: $serviceName
%no-protection
%commit
EOF
- else
- rm -f "$GNUPGHOME_HOST/sshcontrol"
- lock remove "$GNUPGHOME_HOST/importlock"
- failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
- fi
- rm -f "$GNUPGHOME_HOST/sshcontrol"
- lock remove "$GNUPGHOME_HOST/importlock"
- else
- log error "falling back to pem2openpgp (which will probably still fail)..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
- <"$keyFile" \
- | gpg_host --import
- fi
+else
+ rm -f "$GNUPGHOME_HOST/sshcontrol"
+ lock remove "$GNUPGHOME_HOST/importlock"
+ failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
fi
+rm -f "$GNUPGHOME_HOST/sshcontrol"
+lock remove "$GNUPGHOME_HOST/importlock"
# export to OpenPGP public key to file
update_pgp_pub_file
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/compare/54ce0b7febc075981f86441da68334054d652ac1...bedd79cd5c1e1340e5fefbb3e4a68d5c8045bff8
--
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/compare/54ce0b7febc075981f86441da68334054d652ac1...bedd79cd5c1e1340e5fefbb3e4a68d5c8045bff8
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-privacy-commits/attachments/20190512/f509e9d8/attachment-0001.html>
More information about the Pkg-privacy-commits
mailing list