diff options
-rw-r--r-- | Makefile | 9 | ||||
-rw-r--r-- | kiki.hs | 146 | ||||
-rw-r--r-- | lib/KeyDB.hs | 6 | ||||
-rw-r--r-- | lib/KeyRing.hs | 19 | ||||
-rw-r--r-- | lib/KeyRing/BuildKeyDB.hs | 16 | ||||
-rw-r--r-- | lib/KeyRing/Types.hs | 2 | ||||
-rw-r--r-- | lib/Kiki.hs | 22 | ||||
-rw-r--r-- | lib/Transforms.hs | 6 | ||||
-rw-r--r-- | stack.yaml | 8 |
9 files changed, 51 insertions, 183 deletions
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..e2b7af1 --- /dev/null +++ b/Makefile | |||
@@ -0,0 +1,9 @@ | |||
1 | build: | ||
2 | stack build | ||
3 | |||
4 | execs = kiki cokiki hosts | ||
5 | dests = $(addprefix ~/.local/bin/, $(execs)) | ||
6 | |||
7 | install: build | ||
8 | stack install | ||
9 | sudo ln -sf $(dests) /usr/local/bin/ | ||
@@ -43,7 +43,6 @@ import qualified Data.Map as Map | |||
43 | import Control.Arrow (first,second) | 43 | import Control.Arrow (first,second) |
44 | import Data.Monoid ( (<>) ) | 44 | import Data.Monoid ( (<>) ) |
45 | import Data.Binary.Put | 45 | import Data.Binary.Put |
46 | import System.Posix.User | ||
47 | 46 | ||
48 | import CommandLine | 47 | import CommandLine |
49 | import Data.OpenPGP.Util (verify, fingerprint, GenerateKeyParams(..)) | 48 | import Data.OpenPGP.Util (verify, fingerprint, GenerateKeyParams(..)) |
@@ -1312,8 +1311,6 @@ kiki "merge" [] = do | |||
1312 | , " don't write)." | 1311 | , " don't write)." |
1313 | , "" | 1312 | , "" |
1314 | , " --create=(rsa:SIZE|cmd:CMD)" | 1313 | , " --create=(rsa:SIZE|cmd:CMD)" |
1315 | , " Note: With --flow=spill, a dummy file name must still be" | ||
1316 | , " provided so that the command line can be parsed." | ||
1317 | , "" | 1314 | , "" |
1318 | , " --autosign[=no]" | 1315 | , " --autosign[=no]" |
1319 | , "" | 1316 | , "" |
@@ -1536,16 +1533,7 @@ kiki "init" args | "--help" `elem` args = do | |||
1536 | , "" | 1533 | , "" |
1537 | ] ++ documentHomeDir ++ [""] ++ documentPassphraseFDFlag True True True | 1534 | ] ++ documentHomeDir ++ [""] ++ documentPassphraseFDFlag True True True |
1538 | 1535 | ||
1539 | kiki "init" args = do | 1536 | kiki "init" args = run args $ importAndRefresh <$> dashdashChroot <*> dashdashHomedir <*> dashdashCipher |
1540 | rootOK <- case runArgs ([],args) dashdashChroot of | ||
1541 | Left e -> hPutStrLn stderr (usageErrorMessage e) >> return False | ||
1542 | Right root -> if root "x" /= root "x" | ||
1543 | then return True | ||
1544 | else fmap (==0) $ getEffectiveUserID | ||
1545 | if rootOK | ||
1546 | then run args $ importAndRefresh <$> dashdashChroot <*> dashdashHomedir <*> dashdashCipher | ||
1547 | else do hPutStrLn stderr "Missing --chroot option. Permision denied." | ||
1548 | exitFailure | ||
1549 | kiki "spawn" args | "--help" `elem` args = | 1537 | kiki "spawn" args | "--help" `elem` args = |
1550 | putStr . unlines $ | 1538 | putStr . unlines $ |
1551 | [ "kiki spawn [ --passphrase-fd=FD" | 1539 | [ "kiki spawn [ --passphrase-fd=FD" |
@@ -1612,18 +1600,6 @@ kiki "tar" args | "--help" `elem` args = do | |||
1612 | ," (sub-string of a user id without 'u:' prefix)" | 1600 | ," (sub-string of a user id without 'u:' prefix)" |
1613 | ] | 1601 | ] |
1614 | 1602 | ||
1615 | kiki "tar" args = do | ||
1616 | let parsed_args = processArgs sargspec [] "" args | ||
1617 | sargspec = [("-t",0),("-c",0),("--secrets",1)] | ||
1618 | ismode ("-t":_) = True | ||
1619 | ismode ("-c":_) = True | ||
1620 | ismode _ = False | ||
1621 | case filter ismode (fst parsed_args) of | ||
1622 | ["-t":_] -> tarT parsed_args | ||
1623 | ["-c":_] -> tarC parsed_args | ||
1624 | ["-A":_] -> putStrLn "unimplemented." -- import tar file? | ||
1625 | _ -> kiki "tar" ["--help"] | ||
1626 | |||
1627 | kiki "verify" args | "--help" `elem` args = do | 1603 | kiki "verify" args | "--help" `elem` args = do |
1628 | putStr . unlines $ | 1604 | putStr . unlines $ |
1629 | [ "kiki verify [--homedir HOMEDIR | --homeless] [[--keyring FILE] ...] FILE" | 1605 | [ "kiki verify [--homedir HOMEDIR | --homeless] [[--keyring FILE] ...] FILE" |
@@ -1644,126 +1620,6 @@ sshkeyname :: Packet -> [FilePath] | |||
1644 | sshkeyname SecretKeyPacket { key_algorithm = RSA } = ["id_rsa"] | 1620 | sshkeyname SecretKeyPacket { key_algorithm = RSA } = ["id_rsa"] |
1645 | sshkeyname _ = [] | 1621 | sshkeyname _ = [] |
1646 | 1622 | ||
1647 | |||
1648 | tarContent :: KeyRingRuntime | ||
1649 | -> Maybe String | ||
1650 | -> ([Char8.ByteString] -> SockAddr -> Packet -> [Packet] -> t ) | ||
1651 | -> ([(KeyRing.KeyKey, Packet, [Packet])] -> t) | ||
1652 | -> (Packet -> t) | ||
1653 | -> [(String, t)] | ||
1654 | tarContent rt spec pubpem knownhosts secpem = ipsecs ++ sshs ++ secrets "root" | ||
1655 | where | ||
1656 | ipsecs = do | ||
1657 | (kk,ipsec,sigs) <- selectPublicKeyAndSigs (KeyUidMatch "",Just "ipsec") (rtKeyDB rt) | ||
1658 | let kd = fromJust $ lookupKeyData kk (rtKeyDB rt) | ||
1659 | Hostnames addr onames ns _ = getHostnames kd | ||
1660 | oname <- onames | ||
1661 | return ("etc/ipsec.d/certs/" ++ Char8.unpack oname ++ ".pem", pubpem ns addr ipsec sigs) | ||
1662 | |||
1663 | sshs = case selectPublicKeyAndSigs (KeyUidMatch "",Just "ssh-host") (rtKeyDB rt) of | ||
1664 | [] -> [] | ||
1665 | ssh_sel -> [("etc/ssh/ssh_known_hosts", knownhosts ssh_sel)] | ||
1666 | |||
1667 | secrets_kd = case fst . parseSpec "" <$> (++"/") <$> spec of | ||
1668 | _ | spec == Just "-" || spec == Just "" | ||
1669 | -> maybeToList (rtWorkingKey rt) | ||
1670 | >>= return . fromJust . (`lookupKeyData` rtKeyDB rt) . keykey | ||
1671 | Just topspec | ||
1672 | -> map snd $ filterMatches topspec $ kkData $ rtKeyDB rt | ||
1673 | w -> [] | ||
1674 | |||
1675 | lookupSecret tag kd = take 1 $ snd $ (\(y:ys) -> seek_key (KeyTag y tag) ys) | ||
1676 | $ snd $ seek_key (KeyGrip "") | ||
1677 | $ map packet $ flattenTop "" False kd | ||
1678 | |||
1679 | dir :: FilePath -> FilePath | ||
1680 | dir d = d -- TODO: prepend prefix path? | ||
1681 | |||
1682 | spem d k = (d, secpem k) | ||
1683 | |||
1684 | secrets homedir = do | ||
1685 | kd <- secrets_kd | ||
1686 | let torkey = spem (dir "var/lib/tor/samizdat/private_key") <$> lookupSecret "tor" kd | ||
1687 | sshcli = do k <- lookupSecret "ssh-client" kd | ||
1688 | keyname <- sshkeyname k | ||
1689 | return $ spem (dir $ homedir ++ "/.ssh/" ++ keyname) k | ||
1690 | sshsvr = spem (dir "etc/ssh/ssh_host_rsa_key") <$> lookupSecret "ssh-host" kd | ||
1691 | ipseckey = do | ||
1692 | k <- lookupSecret "ipsec" kd | ||
1693 | keyName <- ipsecKeyNames (getHostnames kd) | ||
1694 | return $ spem (dir $ keyName) k | ||
1695 | torkey ++ sshcli ++ sshsvr ++ ipseckey | ||
1696 | |||
1697 | ipsecKeyNames :: Hostnames -> [String] | ||
1698 | ipsecKeyNames (Hostnames _ onames _ _) = do | ||
1699 | oname <- Char8.unpack <$> onames | ||
1700 | return $ "etc/ipsec.d/private/"++oname++".pem" | ||
1701 | |||
1702 | tarT :: ([[String]],Map.Map String [String]) -> IO () | ||
1703 | tarT (sargs,margs) = do | ||
1704 | KikiResult rt report <- runKeyRing $ minimalOp False $ parseCommonArgs margs | ||
1705 | case rt of | ||
1706 | KikiSuccess rt -> do | ||
1707 | let keyspec = concat . take 1 <$> Map.lookup "--secrets" margs | ||
1708 | nil = error "internal error!" | ||
1709 | fs = map fst $ tarContent rt keyspec nil nil nil | ||
1710 | mapM_ putStrLn fs | ||
1711 | err -> putStrLn $ errorString err | ||
1712 | |||
1713 | tarC :: ([[String]],Map.Map String [String]) -> IO () | ||
1714 | tarC (sargs,margs) = do | ||
1715 | KikiResult rt report <- runKeyRing $ minimalOp False $ parseCommonArgs margs | ||
1716 | case rt of | ||
1717 | KikiSuccess rt -> do | ||
1718 | CTime pubtime <- modificationTime <$> getFileStatus (rtPubring rt) | ||
1719 | let keyspec = concat . take 1 <$> Map.lookup "--secrets" margs | ||
1720 | pubtime64 :: Int64 | ||
1721 | pubtime64 = fromIntegral pubtime -- EpochTime=CTime is Int32 on some platforms | ||
1722 | fs :: [(String, (Int64,Either (IO (Maybe Char8.ByteString)) Char8.ByteString))] | ||
1723 | fs = tarContent rt keyspec build_ipsec (build_ssh rt pubtime64) (build_secret rt) | ||
1724 | es = do | ||
1725 | (n,(epoch_time_int64,ebs)) <- fs | ||
1726 | let mktar' = mktar n epoch_time_int64 | ||
1727 | return $ case ebs of | ||
1728 | Right bs -> return $ either (const Nothing) Just $ mktar' bs | ||
1729 | Left iombs -> do | ||
1730 | mbs <- iombs | ||
1731 | case mbs of | ||
1732 | Nothing -> return Nothing | ||
1733 | Just bs -> return $ either (const Nothing) Just $ mktar' bs | ||
1734 | tarbs <- Tar.write . mapMaybe id <$> sequence es | ||
1735 | L.putStr tarbs | ||
1736 | err -> putStrLn $ errorString err | ||
1737 | where | ||
1738 | build_ipsec :: Num n => b -> c -> Packet -> d -> (n, Either a Char8.ByteString) | ||
1739 | build_ipsec ns addr ipsec sigs | ||
1740 | = ( fromIntegral $ timestamp ipsec | ||
1741 | , Right $ Char8.pack $ fromJust $ pemFromPacket ipsec) | ||
1742 | build_ssh rt timestamp sshs = (timestamp, Right $ Char8.unlines $ map knownhost sshs) | ||
1743 | where | ||
1744 | knownhost (kk,hostkey,sigs) = Char8.intercalate "," ns <> " " <> Char8.pack (sshblobFromPacket hostkey) | ||
1745 | where | ||
1746 | ns = onames ++ others | ||
1747 | Hostnames _ onames others _ = getHostnames $ fromJust $ lookupKeyData kk (rtKeyDB rt) | ||
1748 | |||
1749 | build_secret :: Num t => KeyRingRuntime -> Packet -> (t, Either (IO (Maybe Char8.ByteString)) b) | ||
1750 | build_secret rt k = ( fromIntegral $ timestamp k | ||
1751 | , Left $ fmap Char8.pack . (>>= secretPemFromPacket) <$> decrypt rt k ) | ||
1752 | |||
1753 | mktar :: FilePath -> Tar.EpochTime -> L.ByteString -> Either String Tar.Entry | ||
1754 | mktar n epoch_time_int64 bs = do | ||
1755 | torpath <- Tar.toTarPath False n | ||
1756 | Right $ (Tar.fileEntry torpath bs) { Tar.entryTime = epoch_time_int64 } | ||
1757 | |||
1758 | decrypt :: KeyRingRuntime -> Packet -> IO (Maybe Packet) | ||
1759 | decrypt rt k@SecretKeyPacket { symmetric_algorithm = Unencrypted } = return $ Just k | ||
1760 | decrypt rt k = do | ||
1761 | r <- rtPassphrases rt (Unencrypted,S2K 100 "") (MappedPacket k Map.empty) | ||
1762 | case r of | ||
1763 | KikiSuccess p -> return $ Just p | ||
1764 | _ -> do | ||
1765 | hPutStrLn stderr $ "Failed to decrypt "++show (fingerprint k) ++ "." | ||
1766 | return Nothing | ||
1767 | -- | | 1623 | -- | |
1768 | -- | 1624 | -- |
1769 | -- no leading hyphen, returns Right (input string). | 1625 | -- no leading hyphen, returns Right (input string). |
diff --git a/lib/KeyDB.hs b/lib/KeyDB.hs index c92f614..fd0a9ce 100644 --- a/lib/KeyDB.hs +++ b/lib/KeyDB.hs | |||
@@ -71,7 +71,11 @@ newtype KeyGrip = KeyInt Int | |||
71 | 71 | ||
72 | fingerprintGrip :: Fingerprint -> KeyGrip | 72 | fingerprintGrip :: Fingerprint -> KeyGrip |
73 | fingerprintGrip (Fingerprint bs) = | 73 | fingerprintGrip (Fingerprint bs) = |
74 | case decode $ L.fromStrict $ S.drop (S.length bs - sizeOf (0::Int)) bs of | 74 | -- case decode $ L.fromStrict $ S.drop (S.length bs - sizeOf (0::Int)) bs of |
75 | -- -- The above was removed because Int is encoded as 8 bytes even when we are | ||
76 | -- -- using 32-bit GHC. | ||
77 | -- Presumably, the extra 4 bytes will be truncated. | ||
78 | case decode $ L.fromStrict $ S.drop (S.length bs - 8) bs of | ||
75 | i -> KeyInt i | 79 | i -> KeyInt i |
76 | 80 | ||
77 | smallprGrip :: String -> Maybe KeyGrip | 81 | smallprGrip :: String -> Maybe KeyGrip |
diff --git a/lib/KeyRing.hs b/lib/KeyRing.hs index 3da3565..5f43b4f 100644 --- a/lib/KeyRing.hs +++ b/lib/KeyRing.hs | |||
@@ -68,7 +68,7 @@ import Base58 | |||
68 | import FunctorToMaybe | 68 | import FunctorToMaybe |
69 | import DotLock | 69 | import DotLock |
70 | import ProcessUtils (systemEnv, ExitCode(ExitFailure, ExitSuccess) ) | 70 | import ProcessUtils (systemEnv, ExitCode(ExitFailure, ExitSuccess) ) |
71 | import KeyRing.BuildKeyDB (Hostnames(..), | 71 | import KeyRing.BuildKeyDB (allNames', Hostnames, |
72 | IPsToWriteToHostsFile(..), | 72 | IPsToWriteToHostsFile(..), |
73 | buildKeyDB, | 73 | buildKeyDB, |
74 | combineTransforms, | 74 | combineTransforms, |
@@ -532,11 +532,7 @@ writeHostsFiles krd ctx (hostdbs0,hostdbs,u1,gpgnames,IPsToWriteToHostsFile outg | |||
532 | 532 | ||
533 | -- 3. add hostnames from gpg for addresses not in U | 533 | -- 3. add hostnames from gpg for addresses not in U |
534 | let u = foldl' f u1 ans | 534 | let u = foldl' f u1 ans |
535 | ans = reverse $ do | 535 | ans = reverse . filter ((`elem` outgoing_names) . fst) . concat $ allNames' <$> gpgnames |
536 | Hostnames addr _ ns _ <- gpgnames | ||
537 | guard $ addr `elem` outgoing_names -- . null $ Hosts.namesForAddress addr u0 | ||
538 | n <- ns | ||
539 | return (addr,n) | ||
540 | f h (addr,n) = Hosts.assignNewName addr n h | 536 | f h (addr,n) = Hosts.assignNewName addr n h |
541 | 537 | ||
542 | -- 4. for each host db H, union H with U and write it out as H' | 538 | -- 4. for each host db H, union H with U and write it out as H' |
@@ -796,8 +792,8 @@ subkeysForExport subspec (KeyData key _ _ subkeys) = do | |||
796 | data PemType = PemPublicKey | PemPrivateKey | PemCertificate | 792 | data PemType = PemPublicKey | PemPrivateKey | PemCertificate |
797 | 793 | ||
798 | pemTypeString :: PemType -> String | 794 | pemTypeString :: PemType -> String |
799 | pemTypeString PemPublicKey = "PUBLIC KEY" | 795 | pemTypeString PemPublicKey = "PUBLIC KEY" |
800 | pemTypeString PemPrivateKey = "PRIVATE KEY" | 796 | pemTypeString PemPrivateKey = "RSA PRIVATE KEY" |
801 | pemTypeString PemCertificate = "CERTIFICATE" | 797 | pemTypeString PemCertificate = "CERTIFICATE" |
802 | 798 | ||
803 | writePEM :: PemType -> String -> String | 799 | writePEM :: PemType -> String -> String |
@@ -1202,10 +1198,3 @@ getHomeDir protohome = do | |||
1202 | where topair (x:xs) = (x,xs) | 1198 | where topair (x:xs) = (x,xs) |
1203 | return $ lookup "default-key" config >>= listToMaybe | 1199 | return $ lookup "default-key" config >>= listToMaybe |
1204 | 1200 | ||
1205 | {- | ||
1206 | onionName :: KeyData -> (SockAddr,L.ByteString) | ||
1207 | onionName kd = (addr,name) | ||
1208 | where | ||
1209 | (addr,(name:_,_)) = getHostnames kd | ||
1210 | -} | ||
1211 | |||
diff --git a/lib/KeyRing/BuildKeyDB.hs b/lib/KeyRing/BuildKeyDB.hs index 587d812..3fe1d17 100644 --- a/lib/KeyRing/BuildKeyDB.hs +++ b/lib/KeyRing/BuildKeyDB.hs | |||
@@ -2,6 +2,7 @@ | |||
2 | {-# LANGUAGE DoAndIfThenElse #-} | 2 | {-# LANGUAGE DoAndIfThenElse #-} |
3 | {-# LANGUAGE ForeignFunctionInterface #-} | 3 | {-# LANGUAGE ForeignFunctionInterface #-} |
4 | {-# LANGUAGE LambdaCase #-} | 4 | {-# LANGUAGE LambdaCase #-} |
5 | {-# LANGUAGE NamedFieldPuns #-} | ||
5 | {-# LANGUAGE OverloadedStrings #-} | 6 | {-# LANGUAGE OverloadedStrings #-} |
6 | {-# LANGUAGE PatternGuards #-} | 7 | {-# LANGUAGE PatternGuards #-} |
7 | {-# LANGUAGE TupleSections #-} | 8 | {-# LANGUAGE TupleSections #-} |
@@ -550,10 +551,7 @@ mergeHostFiles krd db ctx = do | |||
550 | hostdbs0 <- mapM (fmap Hosts.decode . readInputFileL' ctx) hns | 551 | hostdbs0 <- mapM (fmap Hosts.decode . readInputFileL' ctx) hns |
551 | 552 | ||
552 | let gpgnames = map getHostnames $ keyData db | 553 | let gpgnames = map getHostnames $ keyData db |
553 | os = do | 554 | os = concat $ allNames' <$> gpgnames |
554 | Hostnames addr ns _ _ <- gpgnames | ||
555 | n <- ns | ||
556 | return (addr,n) | ||
557 | setOnions hosts = foldl' (flip $ uncurry Hosts.assignName) hosts os | 555 | setOnions hosts = foldl' (flip $ uncurry Hosts.assignName) hosts os |
558 | -- we ensure .onion names are set properly | 556 | -- we ensure .onion names are set properly |
559 | hostdbs = map setOnions hostdbs0 | 557 | hostdbs = map setOnions hostdbs0 |
@@ -864,6 +862,12 @@ generateSubkey transcode kd' (genparam,StreamInfo { spill = KF_Match tag }) = do | |||
864 | return $ KikiSuccess (kd,report0) | 862 | return $ KikiSuccess (kd,report0) |
865 | generateSubkey _ kd _ = return kd | 863 | generateSubkey _ kd _ = return kd |
866 | 864 | ||
865 | allNames :: Hostnames -> [Char8.ByteString] | ||
866 | allNames (Hostnames _ ns os cs) = ns ++ os ++ (maybe [] return cs) | ||
867 | |||
868 | allNames' :: Hostnames -> [(SockAddr, Char8.ByteString)] | ||
869 | allNames' h@Hostnames{gpgipv6addr} = (gpgipv6addr,) <$> allNames h | ||
870 | |||
867 | data Hostnames = Hostnames { | 871 | data Hostnames = Hostnames { |
868 | gpgipv6addr :: SockAddr, | 872 | gpgipv6addr :: SockAddr, |
869 | verifiedOnionNames :: [L.ByteString], | 873 | verifiedOnionNames :: [L.ByteString], |
@@ -915,7 +919,7 @@ setHostnames (IPsToWriteToHostsFile outgoing_names) hosts kd@(KeyData topmp tops | |||
915 | -- when we should be removing origins from the locations | 919 | -- when we should be removing origins from the locations |
916 | -- field of the sig's MappedPacket records. | 920 | -- field of the sig's MappedPacket records. |
917 | -- Call getHostnames and compare to see if no-op. | 921 | -- Call getHostnames and compare to see if no-op. |
918 | if pred || pred2 | 922 | if (addr `elem` outgoing_names) || (gotNonOnions == namesWithoutGotOnions) |
919 | then {- trace (unlines [ "setHostnames NO-OP: gpg: "++show (map Char8.unpack onions, map Char8.unpack names0) | 923 | then {- trace (unlines [ "setHostnames NO-OP: gpg: "++show (map Char8.unpack onions, map Char8.unpack names0) |
920 | , " file: "++show (map Char8.unpack names) | 924 | , " file: "++show (map Char8.unpack names) |
921 | , " pred: "++show (pred addr)]) -} | 925 | , " pred: "++show (pred addr)]) -} |
@@ -931,11 +935,9 @@ setHostnames (IPsToWriteToHostsFile outgoing_names) hosts kd@(KeyData topmp tops | |||
931 | -} | 935 | -} |
932 | return $ KeyData topmp topsigs uids1 subs | 936 | return $ KeyData topmp topsigs uids1 subs |
933 | where | 937 | where |
934 | pred = addr `elem` outgoing_names | ||
935 | addr = fingerdress $ packet topmp | 938 | addr = fingerdress $ packet topmp |
936 | names :: [Char8.ByteString] | 939 | names :: [Char8.ByteString] |
937 | names = Hosts.namesForAddress addr hosts | 940 | names = Hosts.namesForAddress addr hosts |
938 | pred2 = gotNonOnions == namesWithoutGotOnions | ||
939 | 941 | ||
940 | Hostnames _ gotOnions gotNonOnions cryptonomic = getHostnames kd | 942 | Hostnames _ gotOnions gotNonOnions cryptonomic = getHostnames kd |
941 | 943 | ||
diff --git a/lib/KeyRing/Types.hs b/lib/KeyRing/Types.hs index 5318b31..af213ce 100644 --- a/lib/KeyRing/Types.hs +++ b/lib/KeyRing/Types.hs | |||
@@ -161,7 +161,7 @@ data Transform = | |||
161 | Autosign | 161 | Autosign |
162 | -- ^ This operation will make signatures for any tor-style UID | 162 | -- ^ This operation will make signatures for any tor-style UID |
163 | -- that matches a tor subkey and thus can be authenticated without | 163 | -- that matches a tor subkey and thus can be authenticated without |
164 | -- requring the judgement of a human user. | 164 | -- requiring the judgment of a human user. |
165 | -- | 165 | -- |
166 | -- A tor-style UID is one of the following form: | 166 | -- A tor-style UID is one of the following form: |
167 | -- | 167 | -- |
diff --git a/lib/Kiki.hs b/lib/Kiki.hs index 64dc2bd..258892f 100644 --- a/lib/Kiki.hs +++ b/lib/Kiki.hs | |||
@@ -49,6 +49,7 @@ import DotLock | |||
49 | import GnuPGAgent (Query (..)) | 49 | import GnuPGAgent (Query (..)) |
50 | import KeyRing hiding (pemFromPacket) | 50 | import KeyRing hiding (pemFromPacket) |
51 | import KeyDB | 51 | import KeyDB |
52 | import KeyRing.BuildKeyDB (gpgipv6addr, Hostnames, allNames) | ||
52 | 53 | ||
53 | withAgent :: [PassphraseSpec] -> [PassphraseSpec] | 54 | withAgent :: [PassphraseSpec] -> [PassphraseSpec] |
54 | withAgent [] = [PassphraseAgent] | 55 | withAgent [] = [PassphraseAgent] |
@@ -448,9 +449,6 @@ generateHostsFile fw rt = do | |||
448 | KikiResult _ report <- runKeyRing op | 449 | KikiResult _ report <- runKeyRing op |
449 | outputReport report | 450 | outputReport report |
450 | 451 | ||
451 | allNames :: Hostnames -> [Char8.ByteString] | ||
452 | allNames (Hostnames _ ns os cs) = ns ++ os ++ (maybe [] return cs) | ||
453 | |||
454 | getSshKnownHosts :: Peer -> Char8.ByteString | 452 | getSshKnownHosts :: Peer -> Char8.ByteString |
455 | getSshKnownHosts peer@Peer{kd} = Char8.unlines taggedblobs | 453 | getSshKnownHosts peer@Peer{kd} = Char8.unlines taggedblobs |
456 | where | 454 | where |
@@ -496,7 +494,7 @@ installIpsecConf fw MyIdentity{myGpgAddress} cs = do | |||
496 | getMyIdentity :: KeyRingRuntime -> Maybe MyIdentity | 494 | getMyIdentity :: KeyRingRuntime -> Maybe MyIdentity |
497 | getMyIdentity rt = do | 495 | getMyIdentity rt = do |
498 | wk <- rtWorkingKey rt | 496 | wk <- rtWorkingKey rt |
499 | Hostnames wkaddr _ _ _ <- getHostnames <$> lookupKeyData (keykey wk) (rtKeyDB rt) | 497 | wkaddr <- gpgipv6addr . getHostnames <$> lookupKeyData (keykey wk) (rtKeyDB rt) |
500 | return $ MyIdentity wkaddr (show $ fingerprint wk) | 498 | return $ MyIdentity wkaddr (show $ fingerprint wk) |
501 | 499 | ||
502 | refreshCache :: KeyRingRuntime -> Maybe FilePath -> IO () | 500 | refreshCache :: KeyRingRuntime -> Maybe FilePath -> IO () |
@@ -734,16 +732,24 @@ verifyFile isHomeless cap keyrings filename = do | |||
734 | Right sigs -> do | 732 | Right sigs -> do |
735 | let over = DataSignature lit sigs | 733 | let over = DataSignature lit sigs |
736 | lit = LiteralDataPacket | 734 | lit = LiteralDataPacket |
737 | { format = error "format" :: Char | 735 | { format = error "format" :: Char -- TODO |
738 | , filename = filename | 736 | , filename = filename |
739 | , timestamp = error "timestamp" :: Word32 | 737 | , timestamp = error "timestamp" :: Word32 -- TODO |
740 | , content = bs | 738 | , content = txt |
741 | } | 739 | } |
742 | -- TODO: Remove this take 1 after optimizing 'candidateSignerKeys' | 740 | -- TODO: Remove this take 1 after optimizing 'candidateSignerKeys' |
743 | tentativeTake1 xs = take 1 xs | 741 | tentativeTake1 xs = take 1 xs |
744 | keys = concatMap (candidateSignerKeys (rtKeyDB rt)) $ tentativeTake1 sigs | 742 | keys = concatMap (candidateSignerKeys (rtKeyDB rt)) $ tentativeTake1 sigs |
745 | good = verify (Message keys) over | 743 | good = verify (Message keys) over |
746 | putStrLn $ "verifyFile: " ++ show (length $ signatures_over good) | 744 | putStrLn $ unwords |
745 | [ "verifyFile:" | ||
746 | , show (length $ signatures_over good) | ||
747 | , "good of" | ||
748 | , show (length $ signatures_over over) | ||
749 | , "signatures." | ||
750 | ] | ||
751 | -- when (null (signatures_over good)) $ do | ||
752 | -- L.putStrLn txt | ||
747 | rs -> do | 753 | rs -> do |
748 | hPutStrLn stderr $ show rs | 754 | hPutStrLn stderr $ show rs |
749 | _ -> do | 755 | _ -> do |
diff --git a/lib/Transforms.hs b/lib/Transforms.hs index f3cd5e3..8a1da73 100644 --- a/lib/Transforms.hs +++ b/lib/Transforms.hs | |||
@@ -79,8 +79,7 @@ instance ASN1Object RSAPublicKey where | |||
79 | fromASN1 (Start Sequence:IntVal n:IntVal e:End Sequence:xs) = | 79 | fromASN1 (Start Sequence:IntVal n:IntVal e:End Sequence:xs) = |
80 | Right (RSAKey (MPI n) (MPI e), xs) | 80 | Right (RSAKey (MPI n) (MPI e), xs) |
81 | 81 | ||
82 | fromASN1 _ = | 82 | fromASN1 _ = Left "fromASN1: RSAPublicKey: unexpected format" |
83 | Left "fromASN1: RSAPublicKey: unexpected format" | ||
84 | 83 | ||
85 | 84 | ||
86 | -- | This type is used to describe events triggered by 'runKeyRing'. In | 85 | -- | This type is used to describe events triggered by 'runKeyRing'. In |
@@ -778,7 +777,7 @@ selfAuthenticated k kd (UidString str) = | |||
778 | and [ uid_topdomain parsed == "onion" | 777 | and [ uid_topdomain parsed == "onion" |
779 | , uid_realname parsed `elem` ["","Anonymous"] | 778 | , uid_realname parsed `elem` ["","Anonymous"] |
780 | , uid_user parsed == "root" | 779 | , uid_user parsed == "root" |
781 | , fmap (match . fst) (lookup (packet k) torbindings) == Just True | 780 | , fmap match torSubdom == Just True |
782 | ] | 781 | ] |
783 | where | 782 | where |
784 | parsed = parseUID str | 783 | parsed = parseUID str |
@@ -786,6 +785,7 @@ selfAuthenticated k kd (UidString str) = | |||
786 | len = T.length (uid_subdomain parsed) | 785 | len = T.length (uid_subdomain parsed) |
787 | subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] | 786 | subdom0 = L.fromChunks [encodeUtf8 (uid_subdomain parsed)] |
788 | subdom = Char8.unpack subdom0 | 787 | subdom = Char8.unpack subdom0 |
788 | torSubdom = fst <$> lookup (packet k) torbindings | ||
789 | torbindings = getTorKeys (map packet $ flattenTop "" True kd) | 789 | torbindings = getTorKeys (map packet $ flattenTop "" True kd) |
790 | 790 | ||
791 | getTorKeys :: [Packet] -> [(Packet, (String, Packet))] | 791 | getTorKeys :: [Packet] -> [(Packet, (String, Packet))] |
@@ -1,6 +1,8 @@ | |||
1 | resolver: lts-14.2 | 1 | resolver: lts-14.2 |
2 | packages: | 2 | packages: |
3 | - . | 3 | - '.' |
4 | extra-deps: | 4 | extra-deps: |
5 | - git: d@cryptonomic.net:public_git/openpgp-util.git | 5 | - git: d@cryptonomic.net:public_git/openpgp-util.git |
6 | commit: bb3a9e181638fa881e2bcd8425f10cfb365533f5 | 6 | commit: bb3a9e181638fa881e2bcd8425f10cfb365533f5 |
7 | - git: d@cryptonomic.net:public_git/openpgp-asciiarmor.git | ||
8 | commit: 9694b1b6ae3763c44d3b1361b5faa0a7b27e77a9 | ||