From 51bc655f4b0acb30ff873c8c32c9aacb1408258e Mon Sep 17 00:00:00 2001
From: joe
Date: Sun, 24 Apr 2016 03:41:20 -0400
Subject: init-key now checks cross-certification before exporting ipsec keys.
---
 kiki.hs | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
(limited to 'kiki.hs')
diff --git a/kiki.hs b/kiki.hs
index 865e551..4aa5885 100644
--- a/kiki.hs
+++ b/kiki.hs
@@ -1573,6 +1573,7 @@ kiki "init-key" args = do
 let writeFileWARNING fname bs = do
 --TODO
 hPutStrLn stderr $ fname ++ ": DID NOT CHECK TRUST (TODO)"
+ writeFile fname bs
 flip (maybe $ warn "missing working key?") (rtGrip rt) $ \grip -> do
 gotc <- doesFileExist (sshcpathpub)
 when (not gotc) $ do
@@ -1596,18 +1597,21 @@ kiki "init-key" args = do
 notme kd = keykey (keyPacket kd) /= kk
 installConctact kd = do
+ -- The getHostnames command requires a valid cross-signed tor key
+ -- for each onion name returned in (_,(ns,_)).
 let (_,(ns,_)) = getHostnames kd
- contactname = fmap Char8.unpack $ listToMaybe ns
+ contactname = fmap Char8.unpack $ listToMaybe ns -- only first onion name.
 flip (maybe $ return ()) contactname $ \contactname -> do
+
 let cpath = interp (Map.singleton "onion" contactname) contactipsec0
- kspec = ( KeyGrip $ fingerprint $ keyPacket kd , Just "strongswan" )
- mbk = selectPublicKey kspec $ Map.singleton (keykey $ keyPacket kd) kd
- flip (maybe $ return ()) mbk $ \k -> do
+ their_master = packet $ keyMappedPacket kd
+ -- We find all cross-certified ipsec keys for the given cross-certified onion name.
+ ipsecs = sortOn (Down . timestamp)
+ $ getCrossSignedSubkeys their_master (keySubKeys kd) "strongswan"
+ forM_ (take 1 ipsecs) $ \k -> do
 goti <- doesFileExist (cpath)
 when (not goti) $ do
- either warn (writeFileWARNING $ cpath)
- $ pemFromPacket k
+ either warn (writeFile cpath) $ pemFromPacket k
 mapM_ installConctact cs
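Review bot: `writeFileWARNING` now writes `fname` immediately after printing that trust was not checked, so any caller that still uses it exports a key with no cross-certification check, while this commit adds that check only for the ipsec path in the next hunk; the ssh export under `sshcpathpub` presumably still goes through it, but the lines between the two hunks are not visible here. The bare `--TODO` says nothing about what is owed; I would make it `-- TODO: verify the key is cross-certified (as the ipsec export does via getCrossSignedSubkeys) before writing it`. The enclosing `kiki "init-key"` clause starts before this hunk and continues after it.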
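Review bot: The `goti <- doesFileExist (cpath)` / `when (not goti)` guard still decides before the new cross-certification result matters, so a `cpath` written by the previous version of this code (which exported via `writeFileWARNING` with no trust check) is kept as-is and never replaced by a verified key; if that is intended, a comment such as `-- an existing file is never overwritten, even one exported before cross-certification was checked` should say so. A contact with an onion name but no cross-certified strongswan subkey now yields an empty `ipsecs` and is skipped without a word; I would add `when (null ipsecs) $ warn $ cpath ++ ": no cross-certified strongswan subkey, not exporting"` before the `forM_`. `cpath` is built by interpolating `contactname`, which comes from the contact's own key material via `getHostnames`; unless that function guarantees the onion-name format (not visible here), a name containing `/` or `..` would place the file outside the intended directory, so a check that the name has no path separators is cheap insurance. `installConctact` ends inside this hunk, but the enclosing `kiki "init-key"` clause begins before it.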
@@ -1850,6 +1854,8 @@ commands =
 , ( "tar", "import or export system key files in tar format" )
 ]
+-- |
+-- interpolate %var patterns in a string.
 interp vars raw = es >>= interp1
 where
 gs = groupBy (\_ c -> c/='%') raw
-- cgit v1.2.3
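Review bot: The new Haddock on `interp` says only that `%var` patterns are interpolated, not what `vars` is or what happens when a `%name` is absent from the map, which is exactly what a caller building file paths from it (as `init-key` does with `Map.singleton "onion" contactname`) needs to know. I would expand it to `-- | Replace each @%name@ in the string with the value of @name@ in the map.` followed by a line stating whether an unknown @%name@ is kept, dropped or an error, whichever the body actually does. A type signature, e.g. `interp :: Map String String -> String -> String` if those are indeed the types, would pin this down better than prose. The body of `interp` continues past the end of the hunk.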