diff options
author | Joe Crayne <joe@jerkface.net> | 2020-05-03 15:22:03 -0400 |
---|---|---|
committer | Joe Crayne <joe@jerkface.net> | 2020-05-03 15:22:03 -0400 |
commit | 7920977b5cadd936756865bceb39758f10e46346 (patch) | |
tree | 5babcf94bd043ac61fa23efe95de1c460602984a | |
parent | 24cdfd9a26ba1617765cad4ab36967d9cede714c (diff) |
Added cryptonomic.net to --autosign and --import-if-authentic.
WARNING: UNTESTED. This was quick and dirty and affects security
critical code. Needs a little more attention.
-rw-r--r-- | lib/Transforms.hs | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/lib/Transforms.hs b/lib/Transforms.hs index 8adf6af..7e4d288 100644 --- a/lib/Transforms.hs +++ b/lib/Transforms.hs | |||
@@ -29,7 +29,7 @@ import qualified Data.ByteString.Lazy.Char8 as Char8 | |||
29 | import qualified Data.Map.Strict as Map | 29 | import qualified Data.Map.Strict as Map |
30 | import qualified Data.ByteString.Char8 as S8 | 30 | import qualified Data.ByteString.Char8 as S8 |
31 | import Data.ByteArray.Encoding | 31 | import Data.ByteArray.Encoding |
32 | import qualified Crypto.Hash as Vincent | 32 | import qualified Crypto.Hash as C |
33 | import Data.ByteArray (convert) | 33 | import Data.ByteArray (convert) |
34 | import Data.ASN1.BinaryEncoding ( DER(..) ) | 34 | import Data.ASN1.BinaryEncoding ( DER(..) ) |
35 | import Data.ASN1.Types (toASN1, ASN1Object, fromASN1, ASN1(Start, End, IntVal), ASN1ConstructionType(Sequence) ) | 35 | import Data.ASN1.Types (toASN1, ASN1Object, fromASN1, ASN1(Start, End, IntVal), ASN1ConstructionType(Sequence) ) |
@@ -39,6 +39,7 @@ import qualified Data.Text as T ( Text, unpack, pack, | |||
39 | strip, reverse, drop, break, dropAround, length, breakOn ) | 39 | strip, reverse, drop, break, dropAround, length, breakOn ) |
40 | import Data.Text.Encoding ( encodeUtf8 ) | 40 | import Data.Text.Encoding ( encodeUtf8 ) |
41 | import Data.Bits ((.|.), (.&.), Bits) | 41 | import Data.Bits ((.|.), (.&.), Bits) |
42 | import qualified SSHKey as SSH | ||
42 | 43 | ||
43 | 44 | ||
44 | data KeyRingRuntime = KeyRingRuntime | 45 | data KeyRingRuntime = KeyRingRuntime |
@@ -523,7 +524,7 @@ derToBase32 :: L.ByteString -> String | |||
523 | derToBase32 = map toLower . base32 . sha1 | 524 | derToBase32 = map toLower . base32 . sha1 |
524 | where | 525 | where |
525 | sha1 :: L.ByteString -> S.ByteString | 526 | sha1 :: L.ByteString -> S.ByteString |
526 | sha1 x = convert (Vincent.hashlazy x :: Vincent.Digest Vincent.SHA1) | 527 | sha1 x = convert (C.hashlazy x :: C.Digest C.SHA1) |
527 | base32 = S8.unpack . convertToBase Base32 | 528 | base32 = S8.unpack . convertToBase Base32 |
528 | 529 | ||
529 | derRSA :: Packet -> Maybe L.ByteString | 530 | derRSA :: Packet -> Maybe L.ByteString |
@@ -776,10 +777,13 @@ parseUID str = UserIDRecord { | |||
776 | 777 | ||
777 | selfAuthenticated :: OriginMapped Packet -> KeyData -> UidString -> Bool | 778 | selfAuthenticated :: OriginMapped Packet -> KeyData -> UidString -> Bool |
778 | selfAuthenticated k kd (UidString str) = | 779 | selfAuthenticated k kd (UidString str) = |
779 | and [ uid_topdomain parsed == "onion" | 780 | and [ uid_realname parsed `elem` ["","Anonymous"] |
780 | , uid_realname parsed `elem` ["","Anonymous"] | ||
781 | , uid_user parsed == "root" | 781 | , uid_user parsed == "root" |
782 | , fmap match torSubdom == Just True | 782 | , ( uid_topdomain parsed == "onion" |
783 | && fmap match torSubdom == Just True ) | ||
784 | || | ||
785 | ( uid_topdomain parsed == "ssh-rsa.cryptonomic.net" | ||
786 | && fmap match sshSubdom == Just True ) | ||
783 | ] | 787 | ] |
784 | where | 788 | where |
785 | parsed = parseUID str | 789 | parsed = parseUID str |
@@ -787,8 +791,11 @@ selfAuthenticated k kd (UidString str) = | |||
787 | len = T.length (uid_subdomain parsed) | 791 | len = T.length (uid_subdomain parsed) |
788 | subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] | 792 | subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] |
789 | subdom = Char8.unpack subdom0 | 793 | subdom = Char8.unpack subdom0 |
794 | keys = map packet $ flattenTop "" True kd | ||
790 | torSubdom = fst <$> lookup (packet k) torbindings | 795 | torSubdom = fst <$> lookup (packet k) torbindings |
791 | torbindings = getTorKeys (map packet $ flattenTop "" True kd) | 796 | torbindings = getTorKeys keys |
797 | sshSubdom = fst <$> lookup (packet k) hostbindings | ||
798 | hostbindings = getHostKeys keys | ||
792 | 799 | ||
793 | getTorKeys :: [Packet] -> [(Packet, (String, Packet))] | 800 | getTorKeys :: [Packet] -> [(Packet, (String, Packet))] |
794 | getTorKeys pub = do | 801 | getTorKeys pub = do |
@@ -798,6 +805,18 @@ getTorKeys pub = do | |||
798 | let torhash = fromMaybe "" $ derToBase32 <$> derRSA sub | 805 | let torhash = fromMaybe "" $ derToBase32 <$> derRSA sub |
799 | return (top,(torhash,sub)) | 806 | return (top,(torhash,sub)) |
800 | 807 | ||
808 | getHostKeys :: [Packet] -> [(Packet, (String, Packet))] | ||
809 | getHostKeys pub = do | ||
810 | xs <- groupBindings pub | ||
811 | (_,(top,sub),us,_,_) <- xs | ||
812 | guard ("ssh-host" `elem` us) | ||
813 | RSAKey (MPI n) (MPI e) <- maybeToList $ rsaKeyFromPacket sub | ||
814 | let blob = SSH.sshrsa e n | ||
815 | sha1 = C.hashlazy blob :: C.Digest C.SHA1 | ||
816 | subdomain = convertToBase Base16 sha1 | ||
817 | return (top,(S8.unpack subdomain,sub)) | ||
818 | |||
819 | |||
801 | groupBindings :: [Packet] -> [[(Word8, (Packet, Packet), [String], [SignatureSubpacket], [Packet])]] | 820 | groupBindings :: [Packet] -> [[(Word8, (Packet, Packet), [String], [SignatureSubpacket], [Packet])]] |
802 | groupBindings (accBindings . snd . getBindings -> bindings) = gs | 821 | groupBindings (accBindings . snd . getBindings -> bindings) = gs |
803 | where | 822 | where |