monkeysphere 0.37-2 / usr / share / monkeysphere / ma / add_certifier

This file is indexed.

/usr/share/monkeysphere/ma/add_certifier is in monkeysphere 0.37-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)

# Monkeysphere authentication add-certifier subcommand
#
# This function adds a certifier whose signatures will be used to
# calculate validity of keys used to connect to user accounts on the
# server.  The specified certifier key is first retrieved from the Web
# of Trust with the monkeysphere-user-controlled gpg_sphere keyring.
# Once then new key is retrieved, it is imported into the core
# keyring.  The gpg_core then ltsigns the key with the desired trust
# level, and then the key is exported back to the gpg_sphere keyring.
# The gpg_sphere has ultimate owner trust of the core key, so the core
# ltsigs on the new certifier key can then be used by gpg_sphere
# calculate validity for keys inserted in the authorized_keys file.
#
# This is all to keep the monkeysphere user that connects to the
# keyservers from accessing the core secret key.
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.

add_certifier() {

local domain=
local trust=full
local depth=1
local keyID
local fingerprint
local ltsignCommand
local trustval

# get options
while true ; do
    case "$1" in
	-n|--domain)
	    domain="$2"
	    shift 2
	    ;;
	-t|--trust)
	    trust="$2"
	    shift 2
	    ;;
	-d|--depth)
	    depth="$2"
	    shift 2
	    ;;
	-)
	    break
	    ;;
	*)
	    if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
		failure "Unknown option '$1'.
Type '$PGRM help' for usage."
	    fi
	    break
	    ;;
    esac
done

keyID="$1"

# check that key ID or file is specified
if [ -z "$keyID" ] ; then
    failure "You must specify the key ID of a key to add, or specify a file to read the key from."
fi

# check the trust value
case "$trust" in
    'marginal')
	trustval=1
	;;
    'full')
	trustval=2
	;;
    *)
	failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
	;;
esac

# if file is specified
if [ -f "$keyID" -o "$keyID" = '-' ] ; then
    # load the key from stdin
    if [ "$keyID" = '-' ] ; then
	# make a temporary file to hold the key from stdin
	keyID=$(msmktempfile)
	trap "rm -f $keyID" EXIT
	log verbose "reading key from stdin..."
	cat > "$keyID"

    # load the key from the file
    elif [ -f "$keyID" ] ; then
	log verbose "reading key from file '$keyID'..."
    fi

    # check the key is ok as monkeysphere user before loading
    log debug "checking keys in file..."
    fingerprint=$(su_monkeysphere_user \
	"${SYSSHAREDIR}/common" list_primary_fingerprints < "$keyID")

    if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
	failure "There was not exactly one gpg key in the file."
    fi

    # load the key
    gpg_sphere --import <"$keyID" 2>/dev/null \
	|| failure "could not read key from '$keyID'"

# else, get the key from the keyserver
else
    log verbose "searching keyserver $KEYSERVER for keyID $keyID..."
    gpg_sphere --keyserver "$KEYSERVER" --recv-key "0x${keyID}!" \
	|| failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."

    # get the full fingerprint of new certifier key
    log debug "getting fingerprint of certifier key..."
    fingerprint=$(gpg_sphere --list-key --with-colons --with-fingerprint "0x${keyID}!" \
	| grep '^fpr:' | cut -d: -f10)

    # test that there is only a single fingerprint
    if (( $(echo "$fingerprint" | wc -l) != 1 )) ; then
	cat <<EOF
More than one fingerprint found:
$fingerprint
Please use a more specific key ID.
EOF
	failure
    fi

    log info "key found:"
    gpg_sphere --fingerprint "0x${fingerprint}!"

    if [ "$PROMPT" != "false" ] ; then
	printf "Are you sure you want to add the above key as a certifier\nof users on this system? (Y/n) " >&2
	read OK; OK=${OK:-Y}
	if [ "${OK/y/Y}" != 'Y' ] ; then
	    failure "Identity certifier not added."
	fi
    else
	log debug "adding key without prompting."
    fi
fi

# export the key to the core keyring so that the core can sign the
# new certifier key
log debug "loading key into core keyring..."
gpg_sphere --export "0x${fingerprint}!" | gpg_core --import

# edit-key script to ltsign key
# NOTE: *all* user IDs will be ltsigned
ltsignCommand="ltsign
y
$trustval
$depth
$domain
y
save"
# end script

# core ltsigns the newly imported certifier key
log debug "executing core ltsign script..."
if echo "$ltsignCommand" | \
    gpg_core --command-fd 0 --edit-key "0x${fingerprint}!" ; then

    # transfer the new sigs back to the sphere keyring
    gpg_core_sphere_sig_transfer

    # update the sphere trustdb
    log debug "updating sphere trustdb..."
    gpg_sphere --check-trustdb 2>&1 | log debug

    log info "Identity certifier added."
else
    failure "Problem adding identify certifier."
fi

}

APT Browse - Built by Thomas Orozco.