diff options
author | joe <joe@jerkface.net> | 2016-08-30 21:01:56 -0400 |
---|---|---|
committer | joe <joe@jerkface.net> | 2016-08-30 21:01:56 -0400 |
commit | fae3728a6b7e8ee13ed009e7c9cf3918eb4b89d7 (patch) | |
tree | a48c0be5f07e5b7f2a0f6f6d684009f9a1872cfb /lib/KeyRing.hs | |
parent | 8423f5d8382eff36e901937ba6849de325088f5f (diff) |
Factored Transforms out of goliath KeyRing module.
Diffstat (limited to 'lib/KeyRing.hs')
-rw-r--r-- | lib/KeyRing.hs | 663 |
1 files changed, 1 insertions, 662 deletions
diff --git a/lib/KeyRing.hs b/lib/KeyRing.hs index 5953f12..bb32a2e 100644 --- a/lib/KeyRing.hs +++ b/lib/KeyRing.hs | |||
@@ -216,6 +216,7 @@ import ProcessUtils (systemEnv, ExitCode(ExitFailure, ExitSuccess) ) | |||
216 | import GnuPGAgent as Agent | 216 | import GnuPGAgent as Agent |
217 | import Types | 217 | import Types |
218 | import PacketTranscoder | 218 | import PacketTranscoder |
219 | import Transforms | ||
219 | 220 | ||
220 | -- DER-encoded elliptic curve ids | 221 | -- DER-encoded elliptic curve ids |
221 | -- nistp256_id = 0x2a8648ce3d030107 | 222 | -- nistp256_id = 0x2a8648ce3d030107 |
@@ -284,33 +285,6 @@ usageFromFilter (KF_Match usage) = return usage | |||
284 | usageFromFilter _ = mzero | 285 | usageFromFilter _ = mzero |
285 | 286 | ||
286 | 287 | ||
287 | data KeyRingRuntime = KeyRingRuntime | ||
288 | { rtPubring :: FilePath | ||
289 | -- ^ Path to the file represented by 'HomePub' | ||
290 | , rtSecring :: FilePath | ||
291 | -- ^ Path to the file represented by 'HomeSec' | ||
292 | , rtGrip :: Maybe String | ||
293 | -- ^ Fingerprint or portion of a fingerprint used | ||
294 | -- to identify the working GnuPG identity used to | ||
295 | -- make signatures. | ||
296 | , rtWorkingKey :: Maybe Packet | ||
297 | -- ^ The master key of the working GnuPG identity. | ||
298 | , rtKeyDB :: KeyDB | ||
299 | -- ^ The common information pool where files spilled | ||
300 | -- their content and from which they received new | ||
301 | -- content. | ||
302 | , rtRingAccess :: Map.Map InputFile Access | ||
303 | -- ^ The 'Access' values used for files of type | ||
304 | -- 'KeyRingFile'. If 'AutoAccess' was specified | ||
305 | -- for a file, this 'Map.Map' will indicate the | ||
306 | -- detected value that was used by the algorithm. | ||
307 | , rtPassphrases :: PacketTranscoder | ||
308 | } | ||
309 | |||
310 | -- | Roster-entry level actions | ||
311 | data PacketUpdate = InducerSignature String [SignatureSubpacket] | ||
312 | | SubKeyDeletion KeyKey KeyKey | ||
313 | |||
314 | filesToLock :: | 288 | filesToLock :: |
315 | KeyRingOperation -> InputFileContext -> [FilePath] | 289 | KeyRingOperation -> InputFileContext -> [FilePath] |
316 | filesToLock k ctx = do | 290 | filesToLock k ctx = do |
@@ -323,26 +297,11 @@ filesToLock k ctx = do | |||
323 | -- kret :: a -> KeyRingOperation a | 297 | -- kret :: a -> KeyRingOperation a |
324 | -- kret x = KeyRingOperation Map.empty Nothing (KeyRingAction x) | 298 | -- kret x = KeyRingOperation Map.empty Nothing (KeyRingAction x) |
325 | 299 | ||
326 | data RSAPublicKey = RSAKey MPI MPI deriving (Eq,Show) | ||
327 | data PKCS8_RSAPublicKey = RSAKey8 MPI MPI deriving Show | 300 | data PKCS8_RSAPublicKey = RSAKey8 MPI MPI deriving Show |
328 | 301 | ||
329 | pkcs8 :: RSAPublicKey -> PKCS8_RSAPublicKey | 302 | pkcs8 :: RSAPublicKey -> PKCS8_RSAPublicKey |
330 | pkcs8 (RSAKey n e) = RSAKey8 n e | 303 | pkcs8 (RSAKey n e) = RSAKey8 n e |
331 | 304 | ||
332 | instance ASN1Object RSAPublicKey where | ||
333 | -- PKCS #1 RSA Public Key | ||
334 | toASN1 (RSAKey (MPI n) (MPI e)) | ||
335 | = \xs -> Start Sequence | ||
336 | : IntVal n | ||
337 | : IntVal e | ||
338 | : End Sequence | ||
339 | : xs | ||
340 | fromASN1 (Start Sequence:IntVal n:IntVal e:End Sequence:xs) = | ||
341 | Right (RSAKey (MPI n) (MPI e), xs) | ||
342 | |||
343 | fromASN1 _ = | ||
344 | Left "fromASN1: RSAPublicKey: unexpected format" | ||
345 | |||
346 | instance ASN1Object PKCS8_RSAPublicKey where | 305 | instance ASN1Object PKCS8_RSAPublicKey where |
347 | 306 | ||
348 | -- PKCS #8 Public key data | 307 | -- PKCS #8 Public key data |
@@ -450,32 +409,6 @@ instance ASN1Object RSAPrivateKey where | |||
450 | 409 | ||
451 | 410 | ||
452 | 411 | ||
453 | -- | This type is used to describe events triggered by 'runKeyRing'. In | ||
454 | -- addition to normal feedback (e.g. 'NewPacket'), it also may indicate | ||
455 | -- non-fatal IO exceptions (e.g. 'FailedExternal'). Because a | ||
456 | -- 'KeyRingOperation' may describe a very intricate multifaceted algorithm with | ||
457 | -- many inputs and outputs, an operation may be partially (or even mostly) | ||
458 | -- successful even when I/O failures occured. In this situation, the files may | ||
459 | -- not have all the information they were intended to store, but they will be | ||
460 | -- in a valid format for GnuPG or kiki to operate on in the future. | ||
461 | data KikiReportAction = | ||
462 | NewPacket String | ||
463 | | MissingPacket String | ||
464 | | ExportedSubkey | ||
465 | | GeneratedSubkeyFile | ||
466 | | NewWalletKey String | ||
467 | | YieldSignature | ||
468 | | YieldSecretKeyPacket String | ||
469 | | UnableToUpdateExpiredSignature | ||
470 | | WarnFailedToMakeSignature | ||
471 | | FailedExternal Int | ||
472 | | ExternallyGeneratedFile | ||
473 | | UnableToExport KeyAlgorithm String | ||
474 | | FailedFileWrite | ||
475 | | HostsDiff ByteString | ||
476 | | DeletedPacket String | ||
477 | deriving (Eq,Show) | ||
478 | |||
479 | uncamel :: String -> String | 412 | uncamel :: String -> String |
480 | uncamel str = unwords $ firstWord ++ (toLower .: otherWords) ++ args | 413 | uncamel str = unwords $ firstWord ++ (toLower .: otherWords) ++ args |
481 | where | 414 | where |
@@ -501,23 +434,6 @@ data KikiResult a = KikiResult | |||
501 | -- along with the files that triggered them. | 434 | -- along with the files that triggered them. |
502 | } | 435 | } |
503 | 436 | ||
504 | type KikiReport = [ (FilePath, KikiReportAction) ] | ||
505 | |||
506 | keyPacket :: KeyData -> Packet | ||
507 | keyPacket (KeyData k _ _ _) = packet k | ||
508 | |||
509 | subkeyMappedPacket :: SubKey -> MappedPacket | ||
510 | subkeyMappedPacket (SubKey k _ ) = k | ||
511 | |||
512 | |||
513 | usage :: SignatureSubpacket -> Maybe String | ||
514 | usage (NotationDataPacket | ||
515 | { human_readable = True | ||
516 | , notation_name = "usage@" | ||
517 | , notation_value = u | ||
518 | }) = Just u | ||
519 | usage _ = Nothing | ||
520 | |||
521 | x509cert :: SignatureSubpacket -> Maybe Char8.ByteString | 437 | x509cert :: SignatureSubpacket -> Maybe Char8.ByteString |
522 | x509cert (NotationDataPacket | 438 | x509cert (NotationDataPacket |
523 | { human_readable = False | 439 | { human_readable = False |
@@ -526,167 +442,7 @@ x509cert (NotationDataPacket | |||
526 | }) = Just (Char8.pack u) | 442 | }) = Just (Char8.pack u) |
527 | x509cert _ = Nothing | 443 | x509cert _ = Nothing |
528 | 444 | ||
529 | makeInducerSig | ||
530 | :: Packet | ||
531 | -> Packet -> Packet -> [SignatureSubpacket] -> SignatureOver | ||
532 | -- torsig g topk wkun uid timestamp extras = todo | ||
533 | makeInducerSig topk wkun uid extras | ||
534 | = CertificationSignature (secretToPublic topk) | ||
535 | uid | ||
536 | (sigpackets 0x13 | ||
537 | subpackets | ||
538 | subpackets_unh) | ||
539 | where | ||
540 | subpackets = -- implicit: [ SignatureCreationTimePacket (fromIntegral timestamp) ] | ||
541 | tsign | ||
542 | ++ extras | ||
543 | subpackets_unh = [IssuerPacket (fingerprint wkun)] | ||
544 | tsign = if keykey wkun == keykey topk | ||
545 | then [] -- tsign doesnt make sense for self-signatures | ||
546 | else [ TrustSignaturePacket 1 120 | ||
547 | , RegularExpressionPacket regex] | ||
548 | -- <[^>]+[@.]asdf\.nowhere>$ | ||
549 | regex = "<[^>]+[@.]"++hostname++">$" | ||
550 | -- regex = username ++ "@" ++ hostname | ||
551 | -- username = "[a-zA-Z0-9.][-a-zA-Z0-9.]*\\$?" :: String | ||
552 | hostname = subdomain' pu ++ "\\." ++ topdomain' pu | ||
553 | pu = parseUID uidstr where UserIDPacket uidstr = uid | ||
554 | subdomain' = escape . T.unpack . uid_subdomain | ||
555 | topdomain' = escape . T.unpack . uid_topdomain | ||
556 | escape s = concatMap echar s | ||
557 | where | ||
558 | echar '|' = "\\|" | ||
559 | echar '*' = "\\*" | ||
560 | echar '+' = "\\+" | ||
561 | echar '?' = "\\?" | ||
562 | echar '.' = "\\." | ||
563 | echar '^' = "\\^" | ||
564 | echar '$' = "\\$" | ||
565 | echar '\\' = "\\\\" | ||
566 | echar '[' = "\\[" | ||
567 | echar ']' = "\\]" | ||
568 | echar c = [c] | ||
569 | |||
570 | |||
571 | keyflags :: SignatureSubpacket -> Maybe PGPKeyFlags | ||
572 | keyflags flgs@(KeyFlagsPacket {}) = | ||
573 | Just . toEnum $ | ||
574 | ( bit 0x1 certify_keys | ||
575 | .|. bit 0x2 sign_data | ||
576 | .|. bit 0x4 encrypt_communication | ||
577 | .|. bit 0x8 encrypt_storage ) :: Maybe PGPKeyFlags | ||
578 | -- other flags: | ||
579 | -- split_key | ||
580 | -- authentication (ssh-client) | ||
581 | -- group_key | ||
582 | where | ||
583 | bit v f = if f flgs then v else 0 | ||
584 | keyflags _ = Nothing | ||
585 | |||
586 | |||
587 | data PGPKeyFlags = | ||
588 | Special | ||
589 | | Vouch -- 0001 C -- Signkey | ||
590 | | Sign -- 0010 S | ||
591 | | VouchSign -- 0011 | ||
592 | | Communication -- 0100 E | ||
593 | | VouchCommunication -- 0101 | ||
594 | | SignCommunication -- 0110 | ||
595 | | VouchSignCommunication -- 0111 | ||
596 | | Storage -- 1000 E | ||
597 | | VouchStorage -- 1001 | ||
598 | | SignStorage -- 1010 | ||
599 | | VouchSignStorage -- 1011 | ||
600 | | Encrypt -- 1100 E | ||
601 | | VouchEncrypt -- 1101 | ||
602 | | SignEncrypt -- 1110 | ||
603 | | VouchSignEncrypt -- 1111 | ||
604 | deriving (Eq,Show,Read,Enum) | ||
605 | |||
606 | |||
607 | usageString :: PGPKeyFlags -> String | ||
608 | usageString flgs = | ||
609 | case flgs of | ||
610 | Special -> "special" | ||
611 | Vouch -> "vouch" -- signkey | ||
612 | Sign -> "sign" | ||
613 | VouchSign -> "vouch-sign" | ||
614 | Communication -> "communication" | ||
615 | VouchCommunication -> "vouch-communication" | ||
616 | SignCommunication -> "sign-communication" | ||
617 | VouchSignCommunication -> "vouch-sign-communication" | ||
618 | Storage -> "storage" | ||
619 | VouchStorage -> "vouch-storage" | ||
620 | SignStorage -> "sign-storage" | ||
621 | VouchSignStorage -> "vouch-sign-storage" | ||
622 | Encrypt -> "encrypt" | ||
623 | VouchEncrypt -> "vouch-encrypt" | ||
624 | SignEncrypt -> "sign-encrypt" | ||
625 | VouchSignEncrypt -> "vouch-sign-encrypt" | ||
626 | |||
627 | |||
628 | |||
629 | |||
630 | keyFlags :: t -> [Packet] -> [SignatureSubpacket] | ||
631 | keyFlags wkun uids = keyFlags0 wkun (filter isSignaturePacket uids) | ||
632 | |||
633 | keyFlags0 :: t -> [Packet] -> [SignatureSubpacket] | ||
634 | keyFlags0 wkun uidsigs = concat | ||
635 | [ keyflags | ||
636 | , preferredsym | ||
637 | , preferredhash | ||
638 | , preferredcomp | ||
639 | , features ] | ||
640 | 445 | ||
641 | where | ||
642 | subs = concatMap hashed_subpackets uidsigs | ||
643 | keyflags = filterOr isflags subs $ | ||
644 | KeyFlagsPacket { certify_keys = True | ||
645 | , sign_data = True | ||
646 | , encrypt_communication = False | ||
647 | , encrypt_storage = False | ||
648 | , split_key = False | ||
649 | , authentication = False | ||
650 | , group_key = False | ||
651 | } | ||
652 | preferredsym = filterOr ispreferedsym subs $ | ||
653 | PreferredSymmetricAlgorithmsPacket | ||
654 | [ AES256 | ||
655 | , AES192 | ||
656 | , AES128 | ||
657 | , CAST5 | ||
658 | , TripleDES | ||
659 | ] | ||
660 | preferredhash = filterOr ispreferedhash subs $ | ||
661 | PreferredHashAlgorithmsPacket | ||
662 | [ SHA256 | ||
663 | , SHA1 | ||
664 | , SHA384 | ||
665 | , SHA512 | ||
666 | , SHA224 | ||
667 | ] | ||
668 | preferredcomp = filterOr ispreferedcomp subs $ | ||
669 | PreferredCompressionAlgorithmsPacket | ||
670 | [ ZLIB | ||
671 | , BZip2 | ||
672 | , ZIP | ||
673 | ] | ||
674 | features = filterOr isfeatures subs $ | ||
675 | FeaturesPacket { supports_mdc = True | ||
676 | } | ||
677 | |||
678 | filterOr pred xs def = if null rs then [def] else rs where rs=filter pred xs | ||
679 | |||
680 | isflags (KeyFlagsPacket {}) = True | ||
681 | isflags _ = False | ||
682 | ispreferedsym (PreferredSymmetricAlgorithmsPacket {}) = True | ||
683 | ispreferedsym _ = False | ||
684 | ispreferedhash (PreferredHashAlgorithmsPacket {}) = True | ||
685 | ispreferedhash _ = False | ||
686 | ispreferedcomp (PreferredCompressionAlgorithmsPacket {}) = True | ||
687 | ispreferedcomp _ = False | ||
688 | isfeatures (FeaturesPacket {}) = True | ||
689 | isfeatures _ = False | ||
690 | 446 | ||
691 | 447 | ||
692 | matchSpec :: KeySpec -> KeyData -> Bool | 448 | matchSpec :: KeySpec -> KeyData -> Bool |
@@ -710,36 +466,6 @@ matchSpec (KeyUidMatch pat) (KeyData _ _ uids _) = not $ null us | |||
710 | where | 466 | where |
711 | us = filter (isInfixOf pat) $ Map.keys uids | 467 | us = filter (isInfixOf pat) $ Map.keys uids |
712 | 468 | ||
713 | data UserIDRecord = UserIDRecord { | ||
714 | uid_full :: String, | ||
715 | uid_realname :: T.Text, | ||
716 | uid_user :: T.Text, | ||
717 | uid_subdomain :: T.Text, | ||
718 | uid_topdomain :: T.Text | ||
719 | } | ||
720 | deriving Show | ||
721 | |||
722 | parseUID :: String -> UserIDRecord | ||
723 | parseUID str = UserIDRecord { | ||
724 | uid_full = str, | ||
725 | uid_realname = realname, | ||
726 | uid_user = user, | ||
727 | uid_subdomain = subdomain, | ||
728 | uid_topdomain = topdomain | ||
729 | } | ||
730 | where | ||
731 | text = T.pack str | ||
732 | (T.strip-> realname, T.dropAround isBracket-> email) | ||
733 | = T.break (=='<') text | ||
734 | (user, T.drop 1-> hostname) = T.break (=='@') email | ||
735 | ( T.reverse -> topdomain, | ||
736 | T.reverse . T.drop 1 -> subdomain) | ||
737 | = T.break (=='.') . T.reverse $ hostname | ||
738 | isBracket :: Char -> Bool | ||
739 | isBracket '<' = True | ||
740 | isBracket '>' = True | ||
741 | isBracket _ = False | ||
742 | |||
743 | 469 | ||
744 | 470 | ||
745 | 471 | ||
@@ -1532,32 +1258,6 @@ generateInternals transcode mwk db gens = do | |||
1532 | return $ KikiSuccess (Map.insert kk kd db,reportGens) | 1258 | return $ KikiSuccess (Map.insert kk kd db,reportGens) |
1533 | Nothing -> return $ KikiSuccess (db,[]) | 1259 | Nothing -> return $ KikiSuccess (db,[]) |
1534 | 1260 | ||
1535 | torhash :: Packet -> String | ||
1536 | torhash key = fromMaybe "" $ derToBase32 <$> derRSA key | ||
1537 | |||
1538 | torUIDFromKey :: Packet -> String | ||
1539 | torUIDFromKey key = "Anonymous <root@" ++ take 16 (torhash key) ++ ".onion>" | ||
1540 | |||
1541 | derToBase32 :: ByteString -> String | ||
1542 | derToBase32 = map toLower . base32 . sha1 | ||
1543 | where | ||
1544 | sha1 :: L.ByteString -> S.ByteString | ||
1545 | #if !defined(VERSION_cryptonite) | ||
1546 | sha1 = SHA1.hashlazy | ||
1547 | #else | ||
1548 | sha1 x = convert (Vincent.hashlazy x :: Vincent.Digest Vincent.SHA1) | ||
1549 | #endif | ||
1550 | #if defined(VERSION_memory) | ||
1551 | base32 = S8.unpack . convertToBase Base32 | ||
1552 | #elif defined(VERSION_dataenc) | ||
1553 | base32 = Base32.encode . S.unpack | ||
1554 | #endif | ||
1555 | |||
1556 | derRSA :: Packet -> Maybe ByteString | ||
1557 | derRSA rsa = do | ||
1558 | k <- rsaKeyFromPacket rsa | ||
1559 | return $ encodeASN1 DER (toASN1 k []) | ||
1560 | |||
1561 | unconditionally :: IO (KikiCondition a) -> IO a | 1261 | unconditionally :: IO (KikiCondition a) -> IO a |
1562 | unconditionally action = do | 1262 | unconditionally action = do |
1563 | r <- action | 1263 | r <- action |
@@ -1565,13 +1265,6 @@ unconditionally action = do | |||
1565 | KikiSuccess x -> return x | 1265 | KikiSuccess x -> return x |
1566 | e -> error $ errorString e | 1266 | e -> error $ errorString e |
1567 | 1267 | ||
1568 | try :: Monad m => KikiCondition a -> (a -> m (KikiCondition b)) -> m (KikiCondition b) | ||
1569 | try x body = | ||
1570 | case functorToEither x of | ||
1571 | Left e -> return e | ||
1572 | Right x -> body x | ||
1573 | |||
1574 | |||
1575 | data ParsedCert = ParsedCert | 1268 | data ParsedCert = ParsedCert |
1576 | { pcertKey :: Packet | 1269 | { pcertKey :: Packet |
1577 | , pcertTimestamp :: UTCTime | 1270 | , pcertTimestamp :: UTCTime |
@@ -1982,42 +1675,6 @@ writeWalletKeys krd db wk = do | |||
1982 | report <- foldM writeWallet [] (files isMutableWallet) | 1675 | report <- foldM writeWallet [] (files isMutableWallet) |
1983 | return $ KikiSuccess report | 1676 | return $ KikiSuccess report |
1984 | 1677 | ||
1985 | ifSecret :: Packet -> t -> t -> t | ||
1986 | ifSecret (SecretKeyPacket {}) t f = t | ||
1987 | ifSecret _ t f = f | ||
1988 | |||
1989 | showPacket :: Packet -> String | ||
1990 | showPacket p | isKey p = (if is_subkey p | ||
1991 | then showPacket0 p | ||
1992 | else ifSecret p "---Secret" "---Public") | ||
1993 | ++ " "++fingerprint p | ||
1994 | ++ " "++show (key_algorithm p) | ||
1995 | ++ case key_nbits p of { 0 -> ""; n -> "("++show n++")" } | ||
1996 | | isUserID p = showPacket0 p ++ " " ++ show (uidkey p) | ||
1997 | -- | isSignaturePacket p = showPacket0 p ++ maybe "" ((++) (" ^ signed"++sigusage p++": ")) (signature_issuer p) | ||
1998 | | isSignaturePacket p = showPacket0 p ++ maybe "" (" ^ signed: "++) (signature_issuer p) ++ sigusage p | ||
1999 | | otherwise = showPacket0 p | ||
2000 | where | ||
2001 | sigusage p = | ||
2002 | case take 1 (tagStrings p) of | ||
2003 | [] -> "" | ||
2004 | tag:_ -> " "++show tag -- "("++tag++")" | ||
2005 | where | ||
2006 | tagStrings p = usage_tags ++ flags | ||
2007 | where | ||
2008 | usage_tags = mapMaybe usage xs | ||
2009 | flags = mapMaybe (fmap usageString . keyflags) xs | ||
2010 | xs = hashed_subpackets p | ||
2011 | |||
2012 | |||
2013 | showPacket0 p = dropSuffix "Packet" . concat . take 1 $ words (show p) | ||
2014 | where | ||
2015 | dropSuffix :: String -> String -> String | ||
2016 | dropSuffix _ [] = "" | ||
2017 | dropSuffix suff (x:xs) | (x:xs)==suff = "" | ||
2018 | | otherwise = x:dropSuffix suff xs | ||
2019 | |||
2020 | |||
2021 | -- | returns Just True so as to indicate that | 1678 | -- | returns Just True so as to indicate that |
2022 | -- the public portions of keys will be imported | 1679 | -- the public portions of keys will be imported |
2023 | importPublic :: Maybe Bool | 1680 | importPublic :: Maybe Bool |
@@ -2312,75 +1969,6 @@ writePEMKeys doDecrypt db exports = do | |||
2312 | try pun $ \pun -> do | 1969 | try pun $ \pun -> do |
2313 | return $ KikiSuccess (fname,stream,pun) | 1970 | return $ KikiSuccess (fname,stream,pun) |
2314 | 1971 | ||
2315 | performManipulations :: | ||
2316 | (PacketDecrypter) | ||
2317 | -> KeyRingRuntime | ||
2318 | -> Maybe MappedPacket | ||
2319 | -> (KeyRingRuntime -> KeyData -> [PacketUpdate]) | ||
2320 | -> IO (KikiCondition (KeyRingRuntime,KikiReport)) | ||
2321 | performManipulations doDecrypt rt wk manip = do | ||
2322 | let db = rtKeyDB rt | ||
2323 | performAll kd = foldM perform (KikiSuccess (kd,[])) $ manip rt kd | ||
2324 | r <- Traversable.mapM performAll db | ||
2325 | try (sequenceA r) $ \db -> do | ||
2326 | return $ KikiSuccess (rt { rtKeyDB = fmap fst db }, concatMap snd $ Map.elems db) | ||
2327 | where | ||
2328 | perform :: KikiCondition (KeyData,KikiReport) -> PacketUpdate -> IO (KikiCondition (KeyData,KikiReport)) | ||
2329 | perform kd (InducerSignature uid subpaks) = do | ||
2330 | try kd $ \(kd,report) -> do | ||
2331 | flip (maybe $ return NoWorkingKey) wk $ \wk' -> do | ||
2332 | wkun' <- doDecrypt wk' | ||
2333 | try wkun' $ \wkun -> do | ||
2334 | let flgs = if keykey (keyPacket kd) == keykey wkun | ||
2335 | then keyFlags0 (keyPacket kd) (map (\(x,_,_)->x) selfsigs) | ||
2336 | else [] | ||
2337 | sigOver = makeInducerSig (keyPacket kd) | ||
2338 | wkun | ||
2339 | (UserIDPacket uid) | ||
2340 | $ flgs ++ subpaks | ||
2341 | om = Map.singleton "--autosign" (origin p (-1)) where p = UserIDPacket uid | ||
2342 | toMappedPacket om p = (mappedPacket "" p) {locations=om} | ||
2343 | selfsigs = filter (\(sig,v,whosign) -> isJust (v >> Just wkun >>= guard | ||
2344 | . (== keykey whosign) | ||
2345 | . keykey)) vs | ||
2346 | keys = map keyPacket $ Map.elems (rtKeyDB rt) | ||
2347 | overs sig = signatures $ Message (keys++[keyPacket kd,UserIDPacket uid,sig]) | ||
2348 | vs :: [ ( Packet -- signature | ||
2349 | , Maybe SignatureOver -- Nothing means non-verified | ||
2350 | , Packet ) -- key who signed | ||
2351 | ] | ||
2352 | vs = do | ||
2353 | x <- maybeToList $ Map.lookup uid (keyUids kd) | ||
2354 | sig <- map (packet . fst) (fst x) | ||
2355 | o <- overs sig | ||
2356 | k <- keys | ||
2357 | let ov = verify (Message [k]) $ o | ||
2358 | signatures_over ov | ||
2359 | return (sig,Just ov,k) | ||
2360 | additional new_sig = do | ||
2361 | new_sig <- maybeToList new_sig | ||
2362 | guard (null $ selfsigs) | ||
2363 | signatures_over new_sig | ||
2364 | sigr <- pgpSign (Message [wkun]) sigOver SHA1 (fingerprint wkun) | ||
2365 | let f ::([SigAndTrust],OriginMap) -> ([SigAndTrust],OriginMap) | ||
2366 | f x = ( map ( (,Map.empty) . toMappedPacket om) (additional sigr) ++ fst x | ||
2367 | , om `Map.union` snd x ) | ||
2368 | -- XXX: Shouldn't this signature generation show up in the KikiReport ? | ||
2369 | return $ KikiSuccess $ ( kd { keyUids = Map.adjust f uid (keyUids kd) }, report ) | ||
2370 | |||
2371 | perform kd (SubKeyDeletion topk subk) = do | ||
2372 | try kd $ \(kd,report) -> do | ||
2373 | let kk = keykey $ packet $ keyMappedPacket kd | ||
2374 | kd' | kk /= topk = kd | ||
2375 | | otherwise = kd { keySubKeys = Map.filterWithKey pred $ keySubKeys kd } | ||
2376 | pred k _ = k /= subk | ||
2377 | ps = concat $ maybeToList $ do | ||
2378 | SubKey mp sigs <- Map.lookup subk (keySubKeys kd) | ||
2379 | return $ packet mp : concatMap (\(p,ts) -> packet p : Map.elems ts) sigs | ||
2380 | ctx = InputFileContext (rtSecring rt) (rtPubring rt) | ||
2381 | rings = [HomeSec, HomePub] >>= resolveInputFile ctx | ||
2382 | return $ KikiSuccess (kd' , report ++ [ (f,DeletedPacket $ showPacket p) | f <- rings, p <- ps ]) | ||
2383 | |||
2384 | initializeMissingPEMFiles :: | 1972 | initializeMissingPEMFiles :: |
2385 | KeyRingOperation | 1973 | KeyRingOperation |
2386 | -> InputFileContext | 1974 | -> InputFileContext |
@@ -2503,150 +2091,7 @@ combineTransforms trans rt kd = updates | |||
2503 | concatMap (\t -> resolveTransform t rt kd) sanitized | 2091 | concatMap (\t -> resolveTransform t rt kd) sanitized |
2504 | sanitized = group (sort trans) >>= take 1 | 2092 | sanitized = group (sort trans) >>= take 1 |
2505 | 2093 | ||
2506 | isSubkeySignature (SubkeySignature {}) = True | ||
2507 | isSubkeySignature _ = False | ||
2508 | |||
2509 | -- Returned data is simmilar to getBindings but the Word8 codes | ||
2510 | -- are ORed together. | ||
2511 | accBindings :: | ||
2512 | Bits t => | ||
2513 | [(t, (Packet, Packet), [a], [a1], [a2])] | ||
2514 | -> [(t, (Packet, Packet), [a], [a1], [a2])] | ||
2515 | accBindings bs = as | ||
2516 | where | ||
2517 | gs = groupBy samePair . sortBy (comparing bindingPair) $ bs | ||
2518 | as = map (foldl1 combine) gs | ||
2519 | bindingPair (_,p,_,_,_) = pub2 p | ||
2520 | where | ||
2521 | pub2 (a,b) = (pub a, pub b) | ||
2522 | pub a = fingerprint_material a | ||
2523 | samePair a b = bindingPair a == bindingPair b | ||
2524 | combine (ac,p,akind,ahashed,aclaimaints) | ||
2525 | (bc,_,bkind,bhashed,bclaimaints) | ||
2526 | = (ac .|. bc,p,akind++bkind,ahashed++bhashed,aclaimaints++bclaimaints) | ||
2527 | |||
2528 | |||
2529 | |||
2530 | verifyBindings keys nonkeys = (top ++ filter isSubkeySignature embedded,othersigs) | ||
2531 | where | ||
2532 | verified = do | ||
2533 | sig <- signatures (Message nonkeys) | ||
2534 | let v = verify (Message keys) sig | ||
2535 | guard (not . null $ signatures_over v) | ||
2536 | return v | ||
2537 | (top,othersigs) = partition isSubkeySignature verified | ||
2538 | embedded = do | ||
2539 | sub <- top | ||
2540 | let sigover = signatures_over sub | ||
2541 | unhashed = sigover >>= unhashed_subpackets | ||
2542 | subsigs = mapMaybe backsig unhashed | ||
2543 | -- This should consist only of 0x19 values | ||
2544 | -- subtypes = map signature_type subsigs | ||
2545 | -- trace ("subtypes = "++show subtypes) (return ()) | ||
2546 | -- trace ("issuers: "++show (map signature_issuer subsigs)) (return ()) | ||
2547 | sig <- signatures (Message ([topkey sub,subkey sub]++subsigs)) | ||
2548 | let v = verify (Message [subkey sub]) sig | ||
2549 | guard (not . null $ signatures_over v) | ||
2550 | return v | ||
2551 | |||
2552 | smallpr k = drop 24 $ fingerprint k | ||
2553 | |||
2554 | disjoint_fp ks = {- concatMap group2 $ -} transpose grouped | ||
2555 | where | ||
2556 | grouped = groupBy samepr . sortBy (comparing smallpr) $ ks | ||
2557 | samepr a b = smallpr a == smallpr b | ||
2558 | |||
2559 | {- | ||
2560 | -- useful for testing | ||
2561 | group2 :: [a] -> [[a]] | ||
2562 | group2 (x:y:ys) = [x,y]:group2 ys | ||
2563 | group2 [x] = [[x]] | ||
2564 | group2 [] = [] | ||
2565 | -} | ||
2566 | |||
2567 | 2094 | ||
2568 | getBindings :: | ||
2569 | [Packet] | ||
2570 | -> | ||
2571 | ( [([Packet],[SignatureOver])] -- other signatures with key sets | ||
2572 | -- that were used for the verifications | ||
2573 | , [(Word8, | ||
2574 | (Packet, Packet), -- (topkey,subkey) | ||
2575 | [String], -- usage flags | ||
2576 | [SignatureSubpacket], -- hashed data | ||
2577 | [Packet])] -- binding signatures | ||
2578 | ) | ||
2579 | getBindings pkts = (sigs,bindings) | ||
2580 | where | ||
2581 | (sigs,concat->bindings) = unzip $ do | ||
2582 | let (keys,_) = partition isKey pkts | ||
2583 | keys <- disjoint_fp keys | ||
2584 | let (bs,sigs) = verifyBindings keys pkts | ||
2585 | return . ((keys,sigs),) $ do | ||
2586 | b <- bs -- trace ("sigs = "++show (map (map signature_issuer . signatures_over) sigs)) bs | ||
2587 | i <- map signature_issuer (signatures_over b) | ||
2588 | i <- maybeToList i | ||
2589 | who <- maybeToList $ find_key fingerprint (Message keys) i | ||
2590 | let (code,claimants) = | ||
2591 | case () of | ||
2592 | _ | who == topkey b -> (1,[]) | ||
2593 | _ | who == subkey b -> (2,[]) | ||
2594 | _ -> (0,[who]) | ||
2595 | let hashed = signatures_over b >>= hashed_subpackets | ||
2596 | kind = guard (code==1) >> hashed >>= maybeToList . usage | ||
2597 | return (code,(topkey b,subkey b), kind, hashed,claimants) | ||
2598 | |||
2599 | -- | resolveTransform | ||
2600 | resolveTransform :: Transform -> KeyRingRuntime -> KeyData -> [PacketUpdate] | ||
2601 | resolveTransform Autosign rt kd@(KeyData k ksigs umap submap) = ops | ||
2602 | where | ||
2603 | ops = map (\u -> InducerSignature u []) us | ||
2604 | us = filter torStyle $ Map.keys umap | ||
2605 | torStyle str = and [ uid_topdomain parsed == "onion" | ||
2606 | , uid_realname parsed `elem` ["","Anonymous"] | ||
2607 | , uid_user parsed == "root" | ||
2608 | , fmap (match . fst) (lookup (packet k) torbindings) | ||
2609 | == Just True ] | ||
2610 | where parsed = parseUID str | ||
2611 | match = (==subdom) . take (fromIntegral len) | ||
2612 | subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] | ||
2613 | subdom = Char8.unpack subdom0 | ||
2614 | len = T.length (uid_subdomain parsed) | ||
2615 | torbindings = getTorKeys (map packet $ flattenTop "" True kd) | ||
2616 | getTorKeys pub = do | ||
2617 | xs <- groupBindings pub | ||
2618 | (_,(top,sub),us,_,_) <- xs | ||
2619 | guard ("tor" `elem` us) | ||
2620 | let torhash = fromMaybe "" $ derToBase32 <$> derRSA sub | ||
2621 | return (top,(torhash,sub)) | ||
2622 | |||
2623 | groupBindings pub = gs | ||
2624 | where (_,bindings) = getBindings pub | ||
2625 | bindings' = accBindings bindings | ||
2626 | code (c,(m,s),_,_,_) = (fingerprint_material m,-c) | ||
2627 | ownerkey (_,(a,_),_,_,_) = a | ||
2628 | sameMaster (ownerkey->a) (ownerkey->b) | ||
2629 | = fingerprint_material a==fingerprint_material b | ||
2630 | gs = groupBy sameMaster (sortBy (comparing code) bindings') | ||
2631 | |||
2632 | |||
2633 | -- (2 of 3) resolveTransform :: Transform -> KeyRingRuntime -> KeyData -> [PacketUpdate] | ||
2634 | resolveTransform (DeleteSubkeyByFingerprint fp) rt kd@(KeyData k ksigs umap submap) = fmap (SubKeyDeletion topk) subk | ||
2635 | where | ||
2636 | topk = keykey $ packet k -- key to master of key to be deleted | ||
2637 | subk = do | ||
2638 | (k,sub) <- Map.toList submap | ||
2639 | guard (map toUpper fp == fingerprint (packet (subkeyMappedPacket sub))) | ||
2640 | return k | ||
2641 | |||
2642 | -- (3 of 3) resolveTransform :: Transform -> KeyRingRuntime -> KeyData -> [PacketUpdate] | ||
2643 | resolveTransform (DeleteSubkeyByUsage tag) rt kd@(KeyData k ksigs umap submap) = fmap (SubKeyDeletion topk) subk | ||
2644 | where | ||
2645 | topk = keykey $ packet k -- key to master of key to be deleted | ||
2646 | subk = do | ||
2647 | (k,SubKey p sigs) <- Map.toList submap | ||
2648 | take 1 $ filter (has_tag tag) $ map (packet . fst) sigs | ||
2649 | return k | ||
2650 | 2095 | ||
2651 | -- | Load and update key files according to the specified 'KeyRingOperation'. | 2096 | -- | Load and update key files according to the specified 'KeyRingOperation'. |
2652 | runKeyRing :: KeyRingOperation -> IO (KikiResult KeyRingRuntime) | 2097 | runKeyRing :: KeyRingOperation -> IO (KikiResult KeyRingRuntime) |
@@ -2790,36 +2235,6 @@ lookupEnv var = | |||
2790 | handleIO_ (return Nothing) $ fmap Just (getEnv var) | 2235 | handleIO_ (return Nothing) $ fmap Just (getEnv var) |
2791 | #endif | 2236 | #endif |
2792 | 2237 | ||
2793 | sigpackets :: | ||
2794 | Monad m => | ||
2795 | Word8 -> [SignatureSubpacket] -> [SignatureSubpacket] -> m Packet | ||
2796 | sigpackets typ hashed unhashed = return $ | ||
2797 | signaturePacket | ||
2798 | 4 -- version | ||
2799 | typ -- 0x18 subkey binding sig, or 0x19 back-signature | ||
2800 | RSA | ||
2801 | SHA1 | ||
2802 | hashed | ||
2803 | unhashed | ||
2804 | 0 -- Word16 -- Left 16 bits of the signed hash value | ||
2805 | [] -- [MPI] | ||
2806 | |||
2807 | secretToPublic :: Packet -> Packet | ||
2808 | secretToPublic pkt@(SecretKeyPacket {}) = | ||
2809 | PublicKeyPacket { version = version pkt | ||
2810 | , timestamp = timestamp pkt | ||
2811 | , key_algorithm = key_algorithm pkt | ||
2812 | -- , ecc_curve = ecc_curve pkt | ||
2813 | , key = let seckey = key pkt | ||
2814 | pubs = public_key_fields (key_algorithm pkt) | ||
2815 | in filter (\(k,v) -> k `elem` pubs) seckey | ||
2816 | , is_subkey = is_subkey pkt | ||
2817 | , v3_days_of_validity = Nothing | ||
2818 | } | ||
2819 | secretToPublic pkt = pkt | ||
2820 | |||
2821 | |||
2822 | |||
2823 | slurpWIPKeys :: Posix.EpochTime -> L.ByteString -> ( [(Word8,Packet)], [L.ByteString]) | 2238 | slurpWIPKeys :: Posix.EpochTime -> L.ByteString -> ( [(Word8,Packet)], [L.ByteString]) |
2824 | slurpWIPKeys stamp "" = ([],[]) | 2239 | slurpWIPKeys stamp "" = ([],[]) |
2825 | slurpWIPKeys stamp cs = | 2240 | slurpWIPKeys stamp cs = |
@@ -2878,14 +2293,6 @@ decode_btc_key timestamp str = do | |||
2878 | , is_subkey = True | 2293 | , is_subkey = True |
2879 | } | 2294 | } |
2880 | 2295 | ||
2881 | rsaKeyFromPacket :: Packet -> Maybe RSAPublicKey | ||
2882 | rsaKeyFromPacket p | isKey p = do | ||
2883 | n <- lookup 'n' $ key p | ||
2884 | e <- lookup 'e' $ key p | ||
2885 | return $ RSAKey n e | ||
2886 | |||
2887 | rsaKeyFromPacket _ = Nothing | ||
2888 | |||
2889 | 2296 | ||
2890 | readPacketsFromWallet :: | 2297 | readPacketsFromWallet :: |
2891 | Maybe Packet | 2298 | Maybe Packet |
@@ -3111,26 +2518,6 @@ makeSig doDecrypt top fname subkey_p tags mbsig = do | |||
3111 | newsig <- addOrigin new_sig | 2518 | newsig <- addOrigin new_sig |
3112 | return $ fmap (,[]) newsig | 2519 | return $ fmap (,[]) newsig |
3113 | 2520 | ||
3114 | |||
3115 | type TrustMap = Map.Map FilePath Packet | ||
3116 | type SigAndTrust = ( MappedPacket | ||
3117 | , TrustMap ) -- trust packets | ||
3118 | |||
3119 | data SubKey = SubKey MappedPacket [SigAndTrust] deriving Show | ||
3120 | |||
3121 | -- | This is a GPG Identity which includes a master key and all its UIDs and | ||
3122 | -- subkeys and associated signatures. | ||
3123 | data KeyData = KeyData { keyMappedPacket :: MappedPacket -- main key | ||
3124 | , keySigAndTrusts :: [SigAndTrust] -- sigs on main key | ||
3125 | , keyUids :: (Map.Map String ([SigAndTrust],OriginMap)) -- uids | ||
3126 | , keySubKeys :: (Map.Map KeyKey SubKey) -- subkeys | ||
3127 | } deriving Show | ||
3128 | |||
3129 | type KeyDB = Map.Map KeyKey KeyData | ||
3130 | |||
3131 | uidkey :: Packet -> String | ||
3132 | uidkey (UserIDPacket str) = str | ||
3133 | |||
3134 | merge :: KeyDB -> InputFile -> Message -> KeyDB | 2521 | merge :: KeyDB -> InputFile -> Message -> KeyDB |
3135 | merge db inputfile (Message ps) = merge_ db filename qs | 2522 | merge db inputfile (Message ps) = merge_ db filename qs |
3136 | where | 2523 | where |
@@ -3298,24 +2685,6 @@ mergeSig sig sigs = | |||
3298 | mergeSameSig a b = b -- trace ("discarding dup "++show a) b | 2685 | mergeSameSig a b = b -- trace ("discarding dup "++show a) b |
3299 | 2686 | ||
3300 | 2687 | ||
3301 | unsig :: FilePath -> Bool -> SigAndTrust -> [MappedPacket] | ||
3302 | unsig fname isPublic (sig,trustmap) = | ||
3303 | sig : map (asMapped (-1)) ( take 1 . Map.elems $ Map.filterWithKey f trustmap) | ||
3304 | where | ||
3305 | f n _ = n==fname -- && trace ("fname=n="++show n) True | ||
3306 | asMapped n p = let m = mappedPacket fname p | ||
3307 | in m { locations = fmap (\x->x {originalNum=n}) (locations m) } | ||
3308 | |||
3309 | concatSort :: | ||
3310 | FilePath -> ([a] -> MappedPacket) -> (b -> [a]) -> [b] -> [a] | ||
3311 | concatSort fname getp f = concat . sortByHint fname getp . map f | ||
3312 | |||
3313 | sortByHint :: FilePath -> (a -> MappedPacket) -> [a] -> [a] | ||
3314 | sortByHint fname f = sortBy (comparing gethint) | ||
3315 | where | ||
3316 | gethint = maybe defnum originalNum . Map.lookup fname . locations . f | ||
3317 | defnum = -1 | ||
3318 | |||
3319 | flattenKeys :: Bool -> KeyDB -> Message | 2688 | flattenKeys :: Bool -> KeyDB -> Message |
3320 | flattenKeys isPublic db = Message $ concatMap (map packet . flattenTop "" isPublic . snd) (prefilter . Map.assocs $ db) | 2689 | flattenKeys isPublic db = Message $ concatMap (map packet . flattenTop "" isPublic . snd) (prefilter . Map.assocs $ db) |
3321 | where | 2690 | where |
@@ -3329,27 +2698,6 @@ flattenKeys isPublic db = Message $ concatMap (map packet . flattenTop "" isPubl | |||
3329 | isSecret _ = False | 2698 | isSecret _ = False |
3330 | 2699 | ||
3331 | 2700 | ||
3332 | flattenTop :: FilePath -> Bool -> KeyData -> [MappedPacket] | ||
3333 | flattenTop fname ispub (KeyData key sigs uids subkeys) = | ||
3334 | unk ispub key : | ||
3335 | ( flattenAllUids fname ispub uids | ||
3336 | ++ concatSort fname head (flattenSub fname ispub) (Map.elems subkeys)) | ||
3337 | |||
3338 | flattenSub :: FilePath -> Bool -> SubKey -> [MappedPacket] | ||
3339 | flattenSub fname ispub (SubKey key sigs) = unk ispub key: concatSort fname head (unsig fname ispub) sigs | ||
3340 | |||
3341 | unk :: Bool -> MappedPacket -> MappedPacket | ||
3342 | unk isPublic = if isPublic then toPacket secretToPublic else id | ||
3343 | where toPacket f mp@(MappedPacket {packet=p}) = mp {packet=(f p)} | ||
3344 | |||
3345 | flattenAllUids :: FilePath -> Bool -> Map.Map String ([SigAndTrust],OriginMap) -> [MappedPacket] | ||
3346 | flattenAllUids fname ispub uids = | ||
3347 | concatSort fname head (flattenUid fname ispub) (Map.assocs uids) | ||
3348 | |||
3349 | flattenUid :: FilePath -> Bool -> (String,([SigAndTrust],OriginMap)) -> [MappedPacket] | ||
3350 | flattenUid fname ispub (str,(sigs,om)) = | ||
3351 | (mappedPacket "" $ UserIDPacket str) {locations=om} : concatSort fname head (unsig fname ispub) sigs | ||
3352 | |||
3353 | data SubkeyStatus = Unsigned | OwnerSigned | CrossSigned | 2701 | data SubkeyStatus = Unsigned | OwnerSigned | CrossSigned |
3354 | deriving (Eq,Ord,Enum,Show,Read) | 2702 | deriving (Eq,Ord,Enum,Show,Read) |
3355 | 2703 | ||
@@ -3384,11 +2732,6 @@ getSubkeys ck topk subs tag = do | |||
3384 | guard (not $ null sigs') | 2732 | guard (not $ null sigs') |
3385 | return subk | 2733 | return subk |
3386 | 2734 | ||
3387 | has_tag tag p = isSignaturePacket p | ||
3388 | && or [ tag `elem` mapMaybe usage (hashed_subpackets p) | ||
3389 | , tag `elem` map usageString (mapMaybe keyflags (hashed_subpackets p)) ] | ||
3390 | |||
3391 | |||
3392 | -- | | 2735 | -- | |
3393 | -- Returns (ip6 fingerprint address,(onion names,other host names)) | 2736 | -- Returns (ip6 fingerprint address,(onion names,other host names)) |
3394 | -- | 2737 | -- |
@@ -3494,10 +2837,6 @@ fingerdress topk = fromMaybe zero $ Hosts.inet_pton addr_str | |||
3494 | colons (a:b:c:d:xs@(_:_)) = [a,b,c,d,':'] ++ colons xs | 2837 | colons (a:b:c:d:xs@(_:_)) = [a,b,c,d,':'] ++ colons xs |
3495 | colons xs = xs | 2838 | colons xs = xs |
3496 | 2839 | ||
3497 | backsig :: SignatureSubpacket -> Maybe Packet | ||
3498 | backsig (EmbeddedSignaturePacket s) = Just s | ||
3499 | backsig _ = Nothing | ||
3500 | |||
3501 | socketFamily :: SockAddr -> Family | 2840 | socketFamily :: SockAddr -> Family |
3502 | socketFamily (SockAddrInet _ _) = AF_INET | 2841 | socketFamily (SockAddrInet _ _) = AF_INET |
3503 | socketFamily (SockAddrInet6 {}) = AF_INET6 | 2842 | socketFamily (SockAddrInet6 {}) = AF_INET6 |