diff options
author | Joe Crayne <joe@jerkface.net> | 2020-05-03 14:56:03 -0400 |
---|---|---|
committer | Joe Crayne <joe@jerkface.net> | 2020-05-03 14:56:03 -0400 |
commit | 24cdfd9a26ba1617765cad4ab36967d9cede714c (patch) | |
tree | b837fd739714f27eea1b72f6c37b1c34bef34a9e | |
parent | 322404eb315352084b403a8643d5285b67aedd90 (diff) |
Verify cryptonomic self-auth for display.
-rw-r--r-- | kiki.hs | 43 | ||||
-rw-r--r-- | lib/Transforms.hs | 10 |
2 files changed, 34 insertions, 19 deletions
@@ -34,7 +34,7 @@ import Data.ByteArray.Encoding | |||
34 | import qualified Codec.Archive.Tar as Tar | 34 | import qualified Codec.Archive.Tar as Tar |
35 | import qualified Codec.Archive.Tar.Entry as Tar | 35 | import qualified Codec.Archive.Tar.Entry as Tar |
36 | import Crypto.Hash.Algorithms (RIPEMD160(..)) | 36 | import Crypto.Hash.Algorithms (RIPEMD160(..)) |
37 | import Crypto.Hash | 37 | import Crypto.Hash as C |
38 | import Data.ByteArray (convert) | 38 | import Data.ByteArray (convert) |
39 | import qualified Data.ByteString as S | 39 | import qualified Data.ByteString as S |
40 | import qualified Data.ByteString.Lazy as L | 40 | import qualified Data.ByteString.Lazy as L |
@@ -75,6 +75,30 @@ fpmatch grip key = | |||
75 | where | 75 | where |
76 | backend xs ys = and $ zipWith (==) (reverse xs) (reverse ys) | 76 | backend xs ys = and $ zipWith (==) (reverse xs) (reverse ys) |
77 | 77 | ||
78 | subkeysForDomain "onion" subs = do | ||
79 | (code,(top,sub), kind, hashed,claimants) <- subs | ||
80 | guard ("tor" `elem` kind) | ||
81 | guard (code .&. 0x2 /= 0) | ||
82 | maybeToList $ derToBase32 <$> derRSA sub | ||
83 | subkeysForDomain "ssh-rsa.cryptonomic.net" subs = do | ||
84 | (code,(top,sub), kind, hashed,claimants) <- subs | ||
85 | guard ("ssh-host" `elem` kind) | ||
86 | guard (code .&. 0x2 /= 0) | ||
87 | RSAKey (MPI n) (MPI e) <- maybeToList $ rsaKeyFromPacket sub | ||
88 | let blob = SSH.sshrsa e n | ||
89 | sha1 = C.hashlazy blob :: C.Digest C.SHA1 | ||
90 | subdomain = convertToBase Base16 sha1 | ||
91 | [ S8.unpack subdomain ] | ||
92 | subkeysForDomain _ _ = [] | ||
93 | |||
94 | checkSelfAuthenticating parsed subs = do | ||
95 | let subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] | ||
96 | len = L.length subdom0 | ||
97 | subdom = Char8.unpack subdom0 | ||
98 | match k = subdom == take (fromIntegral len) k | ||
99 | guard (len >= 16) | ||
100 | listToMaybe $ filter match $ subkeysForDomain (uid_topdomain parsed) subs | ||
101 | |||
78 | listKeys :: [Packet] -> [Char] | 102 | listKeys :: [Packet] -> [Char] |
79 | listKeys pkts = listKeysFiltered [] pkts | 103 | listKeys pkts = listKeysFiltered [] pkts |
80 | 104 | ||
@@ -144,11 +168,6 @@ listKeysFiltered grips pkts = do | |||
144 | else showsigs claimants | 168 | else showsigs claimants |
145 | kcipher k = if isSecretKey k then " " ++ ciphername (symmetric_algorithm k) | 169 | kcipher k = if isSecretKey k then " " ++ ciphername (symmetric_algorithm k) |
146 | else "" | 170 | else "" |
147 | torkeys = do | ||
148 | (code,(top,sub), kind, hashed,claimants) <- subs | ||
149 | guard ("tor" `elem` kind) | ||
150 | guard (code .&. 0x2 /= 0) | ||
151 | maybeToList $ derToBase32 <$> derRSA sub | ||
152 | uid = {- fromMaybe "" . listToMaybe $ -} do | 171 | uid = {- fromMaybe "" . listToMaybe $ -} do |
153 | (keys,sigs) <- certs | 172 | (keys,sigs) <- certs |
154 | sig <- sigs | 173 | sig <- sigs |
@@ -167,15 +186,9 @@ listKeysFiltered grips pkts = do | |||
167 | let UserIDPacket uid = user_id sig | 186 | let UserIDPacket uid = user_id sig |
168 | parsed = parseUID uid | 187 | parsed = parseUID uid |
169 | ar = maybe " --> " (const " <-> ") $ do | 188 | ar = maybe " --> " (const " <-> ") $ do |
170 | guard (uid_topdomain parsed == "onion" ) | ||
171 | guard ( uid_realname parsed `elem` ["","Anonymous"]) | 189 | guard ( uid_realname parsed `elem` ["","Anonymous"]) |
172 | guard ( uid_user parsed == "root" ) | 190 | guard ( uid_user parsed == "root" ) |
173 | let subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] | 191 | checkSelfAuthenticating parsed subs |
174 | len = L.length subdom0 | ||
175 | subdom = Char8.unpack subdom0 | ||
176 | match = (==subdom) . take (fromIntegral len) | ||
177 | guard (len >= 16) | ||
178 | listToMaybe $ filter match torkeys | ||
179 | unlines $ (" " ++ ar ++ "@" ++ " " ++ uid_full parsed) : showsigs secondary | 192 | unlines $ (" " ++ ar ++ "@" ++ " " ++ uid_full parsed) : showsigs secondary |
180 | -- (_,sigs) = unzip certs | 193 | -- (_,sigs) = unzip certs |
181 | "master-key " ++ show (fingerprint top) ++ kcipher top ++ "\n" ++ uid ++" ...\n" ++ subkeys ++ "\n" | 194 | "master-key " ++ show (fingerprint top) ++ kcipher top ++ "\n" ++ uid ++" ...\n" ++ subkeys ++ "\n" |
@@ -410,8 +423,8 @@ bitcoinAddress network_id k = address | |||
410 | Just (MPI y) = lookup 'y' (key k) | 423 | Just (MPI y) = lookup 'y' (key k) |
411 | pub = cannonical_eckey x y | 424 | pub = cannonical_eckey x y |
412 | hsh = S.cons network_id . ripemd160 . sha256 . S.pack $ pub | 425 | hsh = S.cons network_id . ripemd160 . sha256 . S.pack $ pub |
413 | sha256 x = convert (Crypto.Hash.hash x :: Digest SHA256) :: S.ByteString | 426 | sha256 x = convert (C.hash x :: Digest SHA256) :: S.ByteString |
414 | ripemd160 x = convert (Crypto.Hash.hash x :: Digest RIPEMD160) :: S.ByteString | 427 | ripemd160 x = convert (C.hash x :: Digest RIPEMD160) :: S.ByteString |
415 | address = base58_encode hsh | 428 | address = base58_encode hsh |
416 | 429 | ||
417 | whoseKey :: RSAPublicKey -> KeyDB -> [KeyData] | 430 | whoseKey :: RSAPublicKey -> KeyDB -> [KeyData] |
diff --git a/lib/Transforms.hs b/lib/Transforms.hs index 8a1da73..8adf6af 100644 --- a/lib/Transforms.hs +++ b/lib/Transforms.hs | |||
@@ -36,7 +36,7 @@ import Data.ASN1.Types (toASN1, ASN1Object, fromASN1, ASN1(Start, End, IntVal), | |||
36 | 36 | ||
37 | import Data.ASN1.Encoding ( encodeASN1 ) | 37 | import Data.ASN1.Encoding ( encodeASN1 ) |
38 | import qualified Data.Text as T ( Text, unpack, pack, | 38 | import qualified Data.Text as T ( Text, unpack, pack, |
39 | strip, reverse, drop, break, dropAround, length ) | 39 | strip, reverse, drop, break, dropAround, length, breakOn ) |
40 | import Data.Text.Encoding ( encodeUtf8 ) | 40 | import Data.Text.Encoding ( encodeUtf8 ) |
41 | import Data.Bits ((.|.), (.&.), Bits) | 41 | import Data.Bits ((.|.), (.&.), Bits) |
42 | 42 | ||
@@ -768,9 +768,11 @@ parseUID str = UserIDRecord { | |||
768 | (T.strip-> realname, T.dropAround isBracket-> email) | 768 | (T.strip-> realname, T.dropAround isBracket-> email) |
769 | = T.break (=='<') text | 769 | = T.break (=='<') text |
770 | (user, T.drop 1-> hostname) = T.break (=='@') email | 770 | (user, T.drop 1-> hostname) = T.break (=='@') email |
771 | ( T.reverse -> topdomain, | 771 | (topdomain, subdomain) = |
772 | T.reverse . T.drop 1 -> subdomain) | 772 | case T.breakOn ".ssh-rsa.cryptonomic.net" hostname of |
773 | = T.break (=='.') . T.reverse $ hostname | 773 | (s,".ssh-rsa.cryptonomic.net") -> ("ssh-rsa.cryptonomic.net", s) |
774 | _ -> (T.reverse *** T.reverse . T.drop 1) | ||
775 | $ T.break (=='.') . T.reverse $ hostname | ||
774 | 776 | ||
775 | selfAuthenticated :: OriginMapped Packet -> KeyData -> UidString -> Bool | 777 | selfAuthenticated :: OriginMapped Packet -> KeyData -> UidString -> Bool |
776 | selfAuthenticated k kd (UidString str) = | 778 | selfAuthenticated k kd (UidString str) = |