use Exporter ();
our (@EXPORT_OK,@ISA);
@ISA = qw(Exporter);
- @EXPORT_OK = qw( &msvalog );
+ @EXPORT_OK = qw( &msvalog &reviewcert );
}
our @EXPORT_OK;
my $clientinfo = shift;
return if !ref $data;
+ msvalog('verbose', "reviewing data...\n");
+
my $status = '200 OK';
my $ret = { valid => JSON::false,
message => 'Unknown failure',
$ret->{message} = sprintf('invalid peer/context');
return $status, $ret;
}
+ msvalog('verbose', "context: %s\n", $data->{context});
+ msvalog('verbose', "peer: %s\n", $data->{peer});
my $rawdata = join('', map(chr, @{$data->{pkc}->{data}}));
my $cert = Crypt::X509->new(cert => $rawdata);
+
msvalog('verbose', "cert subject: %s\n", $cert->subject_cn());
msvalog('verbose', "cert issuer: %s\n", $cert->issuer_cn());
msvalog('verbose', "cert pubkey algo: %s\n", $cert->PubKeyAlg());
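Review bot: The new verbose lines print `$data->{context}` and `$data->{peer}` before anything has checked that the decoded request has the expected shape, and the `@{$data->{pkc}->{data}}` dereference a few lines later has no guard, so a request without a `pkc` array dies under strict instead of producing the 'Unknown failure' response that `$ret` is initialised with. Since this commit also exports `reviewcert` for direct use from msva-review-cert, that die now surfaces as a crash in the command-line tool as well as in the agent. A guard before the `join`, along the lines of `return $status, $ret unless ref $data->{pkc} && ref $data->{pkc}->{data};` (or a Scalar::Util::reftype check if the file imports it), would keep the failure path uniform. reviewcert's signature and its final return lie outside this hunk, so the exact guard placement needs confirming against the full function.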
--- /dev/null
+#----------------------------------------------------------------------
+# Monkeysphere Validation Agent, Perl version
+# Marginal User Interface for reasonable prompting
+# Copyright © 2010 Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+# Matthew James Goins <mjgoins@openflows.com>,
+# Jameson Graef Rollins <jrollins@finestructure.net>,
+# Elliot Winard <enw@caveteen.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#----------------------------------------------------------------------
+
+{ package Crypt::Monkeysphere::MSVA::Client;
+
+ use strict;
+ use warnings;
+
+ BEGIN {
+ use Exporter ();
+ our (@EXPORT_OK,@ISA);
+ @ISA = qw(Exporter);
+ @EXPORT_OK = qw( &create_apd );
+ }
+ our @EXPORT_OK;
+
+ use JSON;
+ use Crypt::Monkeysphere::MSVA qw( msvalog );
+
+ sub query_agent {
+ use LWP::UserAgent;
+ use HTTP::Request;
+
+ my $self = shift;
+ my $context = shift;
+ my $peer = shift;
+ my $pkctype = shift;
+
+ my $apd = create_apd($context, $peer, $pkctype);
+
+ my $apdjson = to_json($apd);
+
+ # get msva socket from environment
+ my $msvasocket = $ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET};
+
+ # creat the user agent
+ my $ua = LWP::UserAgent->new;
+
+ my $headers = HTTP::Headers->new(
+ 'Content-Type' => 'application/json',
+ 'Content-Length' => length($apdjson),
+ 'Connection' => 'close',
+ 'Accept' => 'application/json',
+ );
+
+ my $requesturl = $msvasocket . '/reviewcert';
+
+ my $request = HTTP::Request->new(
+ 'POST',
+ $requesturl,
+ $headers,
+ $apdjson,
+ );
+
+ my $response = $ua->request($request);
+
+ my $status = $response->status_line;
+ my $ret = from_json($response->content);
+
+ return $status, $ret;
+ }
+
+ sub create_apd {
+ my $context = shift;
+ my $peer = shift;
+ my $pkctype = shift;
+
+ my $pkcdata;
+ my $pkcdataraw;
+
+ # load raw pkc data from stdin
+ $pkcdataraw = do {
+ local $/; # slurp!
+ <STDIN>;
+ };
+
+ msvalog('debug', "context: %s\n", $context);
+ msvalog('debug', "peer: %s\n", $peer);
+ msvalog('debug', "pkctype: %s\n", $pkctype);
+
+
+ if ($pkctype eq 'x509der') {
+ my $cert = Crypt::X509->new(cert => $pkcdataraw);
+ if ($cert->error) {
+ die;
+ };
+ msvalog('info', "x509der certificate loaded.\n");
+ msvalog('verbose', "cert subject: %s\n", $cert->subject_cn());
+ msvalog('verbose', "cert issuer: %s\n", $cert->issuer_cn());
+ msvalog('verbose', "cert pubkey algo: %s\n", $cert->PubKeyAlg());
+ msvalog('verbose', "cert pubkey: %s\n", unpack('H*', $cert->pubkey()));
+ } else {
+ msvalog('error', "unknown pkc type '%s'.\n", $pkctype);
+ die;
+ };
+
+ # remap raw pkc data into numeric array
+ my @remap = map(ord, split(//,$pkcdataraw));
+
+ my %apd = (
+ context => $context,
+ peer => $peer,
+ pkc => {
+ type => $pkctype,
+ data => \@remap,
+ },
+ );
+
+ return \%apd;
+ }
+
+ 1;
+}
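Review bot: query_agent takes the agent URL straight from `$ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET}` with no default, so with the variable unset `$requesturl` becomes `/reviewcert` after an uninitialized-value warning, while the msva-query-agent POD in this same commit documents a default of 'http://localhost:8901'; `my $msvasocket = $ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET} || 'http://localhost:8901';` would make code and documentation agree. Right after the request, `from_json($response->content)` runs without consulting `$response->is_success`, so a refused connection or a non-JSON error body dies inside the JSON parser instead of reporting the HTTP status line that was just captured. In create_apd the two bare `die;` calls discard the reason; `die sprintf("x509der certificate failed to load: %s\n", $cert->error);` and `die sprintf("unknown pkc type '%s'.\n", $pkctype);` would carry it to the caller. `HTTP::Headers` and `Crypt::X509` are used in this package without being loaded by it; they presumably arrive via HTTP::Request and Crypt::Monkeysphere::MSVA, but an explicit `use` would make the dependency visible.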
#!/usr/bin/make -f
-# Makefile for xul-ext-monkeysphere
+# Makefile for msva-perl
# © 2010 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Licensed under GPL v3 or later
VERSION=`dpkg-parsechangelog -lChangelog | grep ^Version: | cut -f2 -d\ `
DEBIAN_VERSION=`dpkg-parsechangelog | grep ^Version: | cut -f2 -d\ `
-all: msva-perl.1
+all: msva-perl.1 msva-query-agent.1 msva-review-cert.1
msva-perl.1: msva-perl
pod2man msva-perl msva-perl.1
+msva-query-agent.1: msva-query-agent
+ pod2man msva-query-agent msva-query-agent.1
+
+msva-review-cert.1: msva-review-cert
+ pod2man msva-review-cert msva-review-cert.1
+
clean:
- rm -f msva-perl.1
+ rm -f msva-perl.1 msva-query-agent.1 msva-review-cert.1
debian-package:
git buildpackage -uc -us
--- /dev/null
+#!/usr/bin/perl -wT
+
+# Monkeysphere Validation Agent Client, Perl version
+# Copyright © 2010 Jameson Greaf Rollins <jrollins@finestructure.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use warnings;
+use strict;
+
+use Crypt::Monkeysphere::MSVA qw( msvalog );
+use Crypt::Monkeysphere::MSVA::Client;
+
+my $context = shift;
+my $peer = shift;
+my $pkctype = shift || 'x509der';
+my ($status,$ret) = Crypt::Monkeysphere::MSVA::Client->query_agent($context,$peer,$pkctype);
+
+msvalog('info', "status: %s\n", $status);
+msvalog('info', "valid: %s\n", $ret->{valid});
+msvalog('info', "message: %s\n", $ret->{message});
+
+if ($ret->{valid}) {
+ exit 0;
+}
+else {
+ exit 1;
+}
+__END__
+
+=head1 NAME
+
+msva-query-agent - query a Monkeysphere Validation Agent
+
+=head1 SYNOPSIS
+
+msva-query-agent CONTEXT PEER PKC_TYPE < PKC_DATA
+
+=head1 ABSTRACT
+
+msva-query-agent provides a means of querying a Monkeysphere
+Validation Agent for certificate validation.
+
+=head1 INTRODUCTION
+
+The Monkeysphere Validation Agent offers a local service for tools to
+validate certificates (both X.509 and OpenPGP) and other public keys.
+
+Clients of the validation agent query it with a public key carrier (a
+raw public key, or some flavor of certificate), the supposed name of
+the remote peer offering the pubkey, and the context in which the
+validation check is relevant (e.g. ssh, https, etc).
+
+The validation agent tells the client whether it was able to
+successfully validate the peer's use of the public key in the given
+context.
+
+=head1 USAGE
+
+msva-query-agent create an agent post data (APD) object which is sent
+to the msva. The return code of the client indicates the validity of
+the certificate. If the certificate is valid, the return code is 0.
+Otherwise, the return code if 1.
+
+The APD is created from certificate data provided on stdin (PKC_DATA),
+and the following information provided on the command line:
+
+=over 4
+
+=item CONTEXT
+
+Context of query, e.g. 'https', 'ssh', etc.
+
+=item PEER
+
+Service address portion of url, e.g. 'foo.example.net'.
+
+=item PKC_TYPE
+
+Type of public key carrier data provided on stdin, e.g. 'x509der',
+etc.
+
+=item PKC_DATA
+
+Public key carrier data provided on stdin.
+
+=back
+
+=head1 ENVIRONMENT VARIABLES
+
+msva-query-agent accepts some environment variables:
+
+=over 4
+
+=item MONKEYSPHERE_VALIDATION_AGENT_SOCKET
+
+Socket over which to query the validation agent. If unset, the
+default value is 'http://localhost:8901'.
+
+=item MSVA_LOG_LEVEL
+
+Log messages about its operation to stderr. MSVA_LOG_LEVEL controls
+its verbosity, and should be one of (in increasing verbosity): silent,
+quiet, fatal, error, info, verbose, debug, debug1, debug2, debug3.
+Default is 'error'.
+
+=item MSVA_KEYSERVER_POLICY
+
+msva-perl must decide when to check with keyservers (for new keys,
+revocation certificates, new certifications, etc). There are three
+possible options: 'always' means to check with the keyserver on every
+query it receives. 'never' means to never check with a
+keyserver. 'unlessvalid' will only check with the keyserver on a
+specific query if no keys are already locally known to be valid for
+the requested peer. Default is 'unlessvalid'.
+
+=back
+
+=head1 COMMUNICATION PROTOCOL DETAILS
+
+Communications with the Monkeysphere Validation Agent are in the form
+of JSON requests over plain HTTP. Responses from the agent are also
+JSON objects. For details on the structure of the requests and
+responses, please see
+http://web.monkeysphere.info/validation-agent/protocol
+
+=head1 SEE ALSO
+
+msva-perl(1), monkeysphere(1), monkeysphere(7)
+
+=head1 BUGS AND FEEDBACK
+
+Bugs or feature requests for msva-perl should be filed with the
+Monkeysphere project's bug tracker at
+https://labs.riseup.net/code/projects/monkeysphere/issues/
+
+=head1 AUTHORS AND CONTRIBUTORS
+
+Jameson Graef Rollins E<lt>jrollins@finestructure.net<gt>
+Daniel Kahn Gillmor E<lt>dkg@fifthhorseman.net<gt>
+
+The Monkeysphere Team http://web.monkeysphere.info/
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright © Jameson Graef Rollins and others from the Monkeysphere
+team. msva-query-agent is free software, distributed under the GNU
+Public License, version 3 or later.
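Review bot: CONTEXT and PEER are taken from `@ARGV` with plain `shift` and never checked, so running msva-query-agent with missing arguments sends a request whose context and peer are JSON null and exits with whatever the agent makes of that, rather than with a usage error; `die "usage: msva-query-agent CONTEXT PEER [PKC_TYPE] < PKC_DATA\n" unless defined $context and defined $peer;` after the two `shift`s would catch it. msva-review-cert in this commit has the same unchecked `shift`s and needs the same guard. The POD's USAGE section in both new scripts also reads 'the return code if 1' where 'is 1' is meant.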
--- /dev/null
+#!/usr/bin/perl -wT
+
+# Monkeysphere Validation Agent, Perl version
+# Copyright © 2010 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use warnings;
+use strict;
+
+use Crypt::Monkeysphere::MSVA qw( msvalog reviewcert );
+use Crypt::Monkeysphere::MSVA::Client qw( create_apd);
+
+my $context = shift;
+my $peer = shift;
+my $pkctype = shift || 'x509der';
+
+my $apd = create_apd($context,$peer,$pkctype);
+my ($status,$ret) = reviewcert($apd);
+
+msvalog('info', "status: %s\n", $status);
+msvalog('info', "valid: %s\n", $ret->{valid});
+msvalog('info', "message: %s\n", $ret->{message});
+
+if ($ret->{valid}) {
+ exit 0;
+}
+else {
+ exit 1;
+}
+__END__
+
+=head1 NAME
+
+msva-review-cert - review a certificate for validity
+
+=head1 SYNOPSIS
+
+msva-review-cert CONTEXT PEER PKC_TYPE < PKC_DATA
+
+=head1 ABSTRACT
+
+msva-review-cert provides...
+
+=head1 INTRODUCTION
+
+Takes as input a public key carrier (a raw public key, or some flavor
+of certificate), the supposed name of the remote peer offering the
+pubkey, and the context in which the validation check is relevant
+(e.g. ssh, https, etc). Reports on the validity of the peer's use of
+the public key in the given context.
+
+=head1 USAGE
+
+msva-review-cert create an agent post data (APD) object which is
+reviewed by the monkeysphere. The return code of the client indicates
+the validity of the certificate. If the certificate is valid, the
+return code is 0. Otherwise, the return code if 1.
+
+The APD is created from certificate data provided on stdin (PKC_DATA),
+and the following information provided on the command line:
+
+=over 4
+
+=item CONTEXT
+
+Context of query, e.g. 'https', 'ssh', etc.
+
+=item PEER
+
+Service address portion of url, e.g. 'foo.example.net'.
+
+=item PKC_TYPE
+
+Type of public key carrier data provided on stdin, e.g. 'x509der',
+etc.
+
+=item PKC_DATA
+
+Public key carrier data provided on stdin.
+
+=back
+
+=head1 ENVIRONMENT VARIABLES
+
+msva-review-cert accepts some environment variables:
+
+=over 4
+
+=item MSVA_LOG_LEVEL
+
+Log messages about its operation to stderr. MSVA_LOG_LEVEL controls
+its verbosity, and should be one of (in increasing verbosity): silent,
+quiet, fatal, error, info, verbose, debug, debug1, debug2, debug3.
+Default is 'error'.
+
+=item MSVA_KEYSERVER_POLICY
+
+msva-perl must decide when to check with keyservers (for new keys,
+revocation certificates, new certifications, etc). There are three
+possible options: 'always' means to check with the keyserver on every
+query it receives. 'never' means to never check with a
+keyserver. 'unlessvalid' will only check with the keyserver on a
+specific query if no keys are already locally known to be valid for
+the requested peer. Default is 'unlessvalid'.
+
+=back
+
+=head1 SEE ALSO
+
+msva-query-agent(1), msva-perl(1), monkeysphere(1), monkeysphere(7)
+
+=head1 BUGS AND FEEDBACK
+
+Bugs or feature requests for msva-perl should be filed with the
+Monkeysphere project's bug tracker at
+https://labs.riseup.net/code/projects/monkeysphere/issues/
+
+=head1 AUTHORS AND CONTRIBUTORS
+
+Jameson Graef Rollins E<lt>jrollins@finestructure.net<gt>
+Daniel Kahn Gillmor E<lt>dkg@fifthhorseman.net<gt>
+
+The Monkeysphere Team http://web.monkeysphere.info/
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright © Jameson Graef Rollins and others from the Monkeysphere
+team. msva-query-agent is free software, distributed under the GNU
+Public License, version 3 or later.
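Review bot: The POD in msva-review-cert is partly placeholder and partly copied from msva-query-agent: the ABSTRACT stops at 'msva-review-cert provides...', and the COPYRIGHT AND LICENSE paragraph states that 'msva-query-agent is free software'. The ABSTRACT could say that msva-review-cert builds the same APD as msva-query-agent and passes it to `reviewcert` in-process instead of posting it to a running agent, which is what the script above does, and the licence paragraph should name msva-review-cert. If `reviewcert` performs the keyserver lookups that the MSVA_KEYSERVER_POLICY entry describes, a sentence noting that those lookups are now made by this script itself, under the invoking user's environment, would help readers of the ENVIRONMENT VARIABLES section.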
#!/bin/sh
-# this script exists so that you can launch the msva-perl directly
-# from your development environment without having to install
+# this script exists so that you can launch the msva perl scripts
+# directly from your development environment without having to install
# anything.
# it appears to be necessary because of some weirdness in how
# Date: 2010-03-11 14:53:07-0500
dir=$(dirname "$0")
-exec perl -wT -I"$dir" "$dir"/msva-perl "$@"
-
+cmd="$1"
+shift
+exec perl -wT -I"$dir" "$dir"/"$cmd" "$@"