From: Jameson Rollins Date: Sat, 16 Oct 2010 05:48:04 +0000 (-0400) Subject: Add client module to query agent X-Git-Tag: msva-perl_debian/0.6-1~3^2~32 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0af9a9fb3b0898a447c8a96eb2bcf9eb0edd369e;p=monkeysphere-validation-agent.git Add client module to query agent A new command-line utility, msva-query-agent, is created that can query an msva. It takes the pkc data on stdin, and then the context, peer, and pkc type as arguments. An alternate command, msva-review-cert, is also included that actually uses the msva library to review the cert directly, without needing to query an agent over a network socket. --- diff --git a/Crypt/Monkeysphere/MSVA.pm b/Crypt/Monkeysphere/MSVA.pm index 2a66347..9118c00 100755 --- a/Crypt/Monkeysphere/MSVA.pm +++ b/Crypt/Monkeysphere/MSVA.pm @@ -23,7 +23,7 @@ use Exporter (); our (@EXPORT_OK,@ISA); @ISA = qw(Exporter); - @EXPORT_OK = qw( &msvalog ); + @EXPORT_OK = qw( &msvalog &reviewcert ); } our @EXPORT_OK; @@ -505,6 +505,8 @@ my $clientinfo = shift; return if !ref $data; + msvalog('verbose', "reviewing data...\n"); + my $status = '200 OK'; my $ret = { valid => JSON::false, message => 'Unknown failure', @@ -516,9 +518,12 @@ $ret->{message} = sprintf('invalid peer/context'); return $status, $ret; } + msvalog('verbose', "context: %s\n", $data->{context}); + msvalog('verbose', "peer: %s\n", $data->{peer}); my $rawdata = join('', map(chr, @{$data->{pkc}->{data}})); my $cert = Crypt::X509->new(cert => $rawdata); + msvalog('verbose', "cert subject: %s\n", $cert->subject_cn()); msvalog('verbose', "cert issuer: %s\n", $cert->issuer_cn()); msvalog('verbose', "cert pubkey algo: %s\n", $cert->PubKeyAlg()); diff --git a/Crypt/Monkeysphere/MSVA/Client.pm b/Crypt/Monkeysphere/MSVA/Client.pm new file mode 100644 index 0000000..dc4532f --- /dev/null +++ b/Crypt/Monkeysphere/MSVA/Client.pm 
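Review bot: The `cert subject` log line added in the `@@ -516,9 +518,12 @@` hunk calls `$cert->subject_cn()` directly after `Crypt::X509->new(cert => $rawdata)` with no `$cert->error` check visible between them, whereas `create_apd` in the new Client.pm from this same commit checks `$cert->error` before touching the object. On a malformed or truncated DER blob from a client, `subject_cn()` (and the pre-existing `issuer_cn()`/`PubKeyAlg()` calls below it) would run against a failed parse — at best an uninitialized-value warning in the log, at worst whatever Crypt::X509 exposes for a half-parsed structure. Unless a check already follows outside the hunk, reject the request first, mirroring the `invalid peer/context` branch above: `if ($cert->error) { $ret->{message} = sprintf('unable to parse x509 certificate: %s', $cert->error); return $status, $ret; }`. The rest of reviewcert's body is outside the hunk.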
@@ -0,0 +1,133 @@ +#---------------------------------------------------------------------- +# Monkeysphere Validation Agent, Perl version +# Marginal User Interface for reasonable prompting +# Copyright © 2010 Daniel Kahn Gillmor , +# Matthew James Goins , +# Jameson Graef Rollins , +# Elliot Winard +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +#---------------------------------------------------------------------- + +{ package Crypt::Monkeysphere::MSVA::Client; + + use strict; + use warnings; + + BEGIN { + use Exporter (); + our (@EXPORT_OK,@ISA); + @ISA = qw(Exporter); + @EXPORT_OK = qw( &create_apd ); + } + our @EXPORT_OK; + + use JSON; + use Crypt::Monkeysphere::MSVA qw( msvalog ); + + sub query_agent { + use LWP::UserAgent; + use HTTP::Request; + + my $self = shift; + my $context = shift; + my $peer = shift; + my $pkctype = shift; + + my $apd = create_apd($context, $peer, $pkctype); + + my $apdjson = to_json($apd); + + # get msva socket from environment + my $msvasocket = $ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET}; + + # creat the user agent + my $ua = LWP::UserAgent->new; + + my $headers = HTTP::Headers->new( + 'Content-Type' => 'application/json', + 'Content-Length' => length($apdjson), + 'Connection' => 'close', + 'Accept' => 'application/json', + ); + + my $requesturl = $msvasocket . 
'/reviewcert'; + + my $request = HTTP::Request->new( + 'POST', + $requesturl, + $headers, + $apdjson, + ); + + my $response = $ua->request($request); + + my $status = $response->status_line; + my $ret = from_json($response->content); + + return $status, $ret; + } + + sub create_apd { + my $context = shift; + my $peer = shift; + my $pkctype = shift; + + my $pkcdata; + my $pkcdataraw; + + # load raw pkc data from stdin + $pkcdataraw = do { + local $/; # slurp! + ; + }; + + msvalog('debug', "context: %s\n", $context); + msvalog('debug', "peer: %s\n", $peer); + msvalog('debug', "pkctype: %s\n", $pkctype); + + + if ($pkctype eq 'x509der') { + my $cert = Crypt::X509->new(cert => $pkcdataraw); + if ($cert->error) { + die; + }; + msvalog('info', "x509der certificate loaded.\n"); + msvalog('verbose', "cert subject: %s\n", $cert->subject_cn()); + msvalog('verbose', "cert issuer: %s\n", $cert->issuer_cn()); + msvalog('verbose', "cert pubkey algo: %s\n", $cert->PubKeyAlg()); + msvalog('verbose', "cert pubkey: %s\n", unpack('H*', $cert->pubkey())); + } else { + msvalog('error', "unknown pkc type '%s'.\n", $pkctype); + die; + }; + + # remap raw pkc data into numeric array + my @remap = map(ord, split(//,$pkcdataraw)); + + my %apd = ( + context => $context, + peer => $peer, + pkc => { + type => $pkctype, + data => \@remap, + }, + ); + + return \%apd; + } + + 1; +} diff --git a/Makefile b/Makefile old mode 100644 new mode 100755 index a62c307..ae753ce --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ #!/usr/bin/make -f -# Makefile for xul-ext-monkeysphere +# Makefile for msva-perl # © 2010 Daniel Kahn Gillmor # Licensed under GPL v3 or later 
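Review bot: `query_agent` passes `$response->content` straight to `from_json` without looking at the response, so when the agent is not running or `MONKEYSPHERE_VALIDATION_AGENT_SOCKET` points somewhere wrong, the plain-text body of LWP's synthesized error response makes `from_json` die with a JSON parse error instead of a message naming the agent, and the same happens if the agent returns anything but a JSON object; since callers decide trust from `$ret->{valid}`, the failure should be explicit and fail closed, as sketched below. Two smaller points in the same hunk: `$ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET}` has no fallback although the msva-query-agent POD in this commit documents a default of `'http://localhost:8901'`, so an unset variable yields the relative URL `/reviewcert` — `my $msvasocket = $ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET} || 'http://localhost:8901';` would match the docs — and the two bare `die;` calls in `create_apd` drop the reason, where `die "x509der certificate failed to load: " . $cert->error;` and `die "unknown pkc type '$pkctype'";` keep it. `Crypt::X509` and `HTTP::Headers` are used in this file without a `use`, presumably relying on Crypt::Monkeysphere::MSVA and HTTP::Request loading them; an explicit `use` at the top of the package would make that dependency visible.
```perl
    my $response = $ua->request($request);

    my $status = $response->status_line;
    # Decode only a JSON object: a transport error (agent not running,
    # bad socket URL) carries a plain-text body and from_json would die
    # with an unhelpful parse error.  Fail closed with valid => false.
    my $ret = eval { from_json($response->content) };
    if (!defined $ret || ref $ret ne 'HASH') {
        msvalog('error', "no usable response from agent: %s\n", $status);
        $ret = { valid => JSON::false,
                 message => "bad response from agent: $status" };
    }

    return $status, $ret;
```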
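Review bot: The Makefile's mode flips from 100644 to 100755 in this file header, which looks accidental — a Makefile is never executed directly and the only content change in the hunk is the comment line. `chmod 644 Makefile` before committing would keep the mode change out of the diff.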
@@ -8,13 +8,19 @@ VERSION=`dpkg-parsechangelog -lChangelog | grep ^Version: | cut -f2 -d\ ` DEBIAN_VERSION=`dpkg-parsechangelog | grep ^Version: | cut -f2 -d\ ` -all: msva-perl.1 +all: msva-perl.1 msva-query-agent.1 msva-review-cert.1 msva-perl.1: msva-perl pod2man msva-perl msva-perl.1 +msva-query-agent.1: msva-query-agent + pod2man msva-query-agent msva-query-agent.1 + +msva-review-cert.1: msva-review-cert + pod2man msva-review-cert msva-review-cert.1 + clean: - rm -f msva-perl.1 + rm -f msva-perl.1 msva-query-agent.1 msva-review-cert.1 debian-package: git buildpackage -uc -us diff --git a/msva-query-agent b/msva-query-agent new file mode 100755 index 0000000..79b76f7 --- /dev/null +++ b/msva-query-agent 
@@ -0,0 +1,159 @@ +#!/usr/bin/perl -wT + +# Monkeysphere Validation Agent Client, Perl version +# Copyright © 2010 Jameson Greaf Rollins +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +use warnings; +use strict; + +use Crypt::Monkeysphere::MSVA qw( msvalog ); +use Crypt::Monkeysphere::MSVA::Client; + +my $context = shift; +my $peer = shift; +my $pkctype = shift || 'x509der'; +my ($status,$ret) = Crypt::Monkeysphere::MSVA::Client->query_agent($context,$peer,$pkctype); + +msvalog('info', "status: %s\n", $status); +msvalog('info', "valid: %s\n", $ret->{valid}); +msvalog('info', "message: %s\n", $ret->{message}); + +if ($ret->{valid}) { + exit 0; +} +else { + exit 1; +} +__END__ + +=head1 NAME + +msva-query-agent - query a Monkeysphere Validation Agent + +=head1 SYNOPSIS + +msva-query-agent CONTEXT PEER PKC_TYPE < PKC_DATA + +=head1 ABSTRACT + +msva-query-agent provides a means of querying a Monkeysphere +Validation Agent for certificate validation. + +=head1 INTRODUCTION + +The Monkeysphere Validation Agent offers a local service for tools to +validate certificates (both X.509 and OpenPGP) and other public keys. + +Clients of the validation agent query it with a public key carrier (a +raw public key, or some flavor of certificate), the supposed name of +the remote peer offering the pubkey, and the context in which the +validation check is relevant (e.g. ssh, https, etc). 
+ +The validation agent tells the client whether it was able to +successfully validate the peer's use of the public key in the given +context. + +=head1 USAGE + +msva-query-agent create an agent post data (APD) object which is sent +to the msva. The return code of the client indicates the validity of +the certificate. If the certificate is valid, the return code is 0. +Otherwise, the return code if 1. + +The APD is created from certificate data provided on stdin (PKC_DATA), +and the following information provided on the command line: + +=over 4 + +=item CONTEXT + +Context of query, e.g. 'https', 'ssh', etc. + +=item PEER + +Service address portion of url, e.g. 'foo.example.net'. + +=item PKC_TYPE + +Type of public key carrier data provided on stdin, e.g. 'x509der', +etc. + +=item PKC_DATA + +Public key carrier data provided on stdin. + +=back + +=head1 ENVIRONMENT VARIABLES + +msva-query-agent accepts some environment variables: + +=over 4 + +=item MONKEYSPHERE_VALIDATION_AGENT_SOCKET + +Socket over which to query the validation agent. If unset, the +default value is 'http://localhost:8901'. + +=item MSVA_LOG_LEVEL + +Log messages about its operation to stderr. MSVA_LOG_LEVEL controls +its verbosity, and should be one of (in increasing verbosity): silent, +quiet, fatal, error, info, verbose, debug, debug1, debug2, debug3. +Default is 'error'. + +=item MSVA_KEYSERVER_POLICY + +msva-perl must decide when to check with keyservers (for new keys, +revocation certificates, new certifications, etc). There are three +possible options: 'always' means to check with the keyserver on every +query it receives. 'never' means to never check with a +keyserver. 'unlessvalid' will only check with the keyserver on a +specific query if no keys are already locally known to be valid for +the requested peer. Default is 'unlessvalid'. 
+ +=back + +=head1 COMMUNICATION PROTOCOL DETAILS + +Communications with the Monkeysphere Validation Agent are in the form +of JSON requests over plain HTTP. Responses from the agent are also +JSON objects. For details on the structure of the requests and +responses, please see +http://web.monkeysphere.info/validation-agent/protocol + +=head1 SEE ALSO + +msva-perl(1), monkeysphere(1), monkeysphere(7) + +=head1 BUGS AND FEEDBACK + +Bugs or feature requests for msva-perl should be filed with the +Monkeysphere project's bug tracker at +https://labs.riseup.net/code/projects/monkeysphere/issues/ + +=head1 AUTHORS AND CONTRIBUTORS + +Jameson Graef Rollins Ejrollins@finestructure.net +Daniel Kahn Gillmor Edkg@fifthhorseman.net + +The Monkeysphere Team http://web.monkeysphere.info/ + +=head1 COPYRIGHT AND LICENSE + +Copyright © Jameson Graef Rollins and others from the Monkeysphere +team. msva-query-agent is free software, distributed under the GNU +Public License, version 3 or later. diff --git a/msva-review-cert b/msva-review-cert new file mode 100755 index 0000000..7ec0b9e --- /dev/null +++ b/msva-review-cert 
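Review bot: The script takes `CONTEXT` and `PEER` from `@ARGV` with no check that they were supplied, so running `msva-query-agent` with too few arguments sends an APD with `null` context/peer to the agent instead of failing locally; a guard such as `die "usage: msva-query-agent CONTEXT PEER [PKC_TYPE] < PKC_DATA\n" unless defined $context and defined $peer;` before the `query_agent` call would fix that. The SYNOPSIS and `=item PKC_TYPE` present PKC_TYPE as required while the code defaults it through `shift || 'x509der'`; the POD should show `[PKC_TYPE]` and state the default. Two POD typos: `msva-query-agent create an agent post data` should read `creates`, and `Otherwise, the return code if 1.` should read `is 1`; both recur in the msva-review-cert POD in this commit. The `MSVA_KEYSERVER_POLICY` entry describes an agent-side setting (it begins `msva-perl must decide`), and as far as this hunk shows the client never reads it, so it may belong in msva-perl's documentation rather than here.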
@@ -0,0 +1,141 @@ +#!/usr/bin/perl -wT + +# Monkeysphere Validation Agent, Perl version +# Copyright © 2010 Daniel Kahn Gillmor +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +use warnings; +use strict; + +use Crypt::Monkeysphere::MSVA qw( msvalog reviewcert ); +use Crypt::Monkeysphere::MSVA::Client qw( create_apd); + +my $context = shift; +my $peer = shift; +my $pkctype = shift || 'x509der'; + +my $apd = create_apd($context,$peer,$pkctype); +my ($status,$ret) = reviewcert($apd); + +msvalog('info', "status: %s\n", $status); +msvalog('info', "valid: %s\n", $ret->{valid}); +msvalog('info', "message: %s\n", $ret->{message}); + +if ($ret->{valid}) { + exit 0; +} +else { + exit 1; +} +__END__ + +=head1 NAME + +msva-review-cert - review a certificate for validity + +=head1 SYNOPSIS + +msva-review-cert CONTEXT PEER PKC_TYPE < PKC_DATA + +=head1 ABSTRACT + +msva-review-cert provides... + +=head1 INTRODUCTION + +Takes as input a public key carrier (a raw public key, or some flavor +of certificate), the supposed name of the remote peer offering the +pubkey, and the context in which the validation check is relevant +(e.g. ssh, https, etc). Reports on the validity of the peer's use of +the public key in the given context. + +=head1 USAGE + +msva-review-cert create an agent post data (APD) object which is +reviewed by the monkeysphere. The return code of the client indicates +the validity of the certificate. 
If the certificate is valid, the +return code is 0. Otherwise, the return code if 1. + +The APD is created from certificate data provided on stdin (PKC_DATA), +and the following information provided on the command line: + +=over 4 + +=item CONTEXT + +Context of query, e.g. 'https', 'ssh', etc. + +=item PEER + +Service address portion of url, e.g. 'foo.example.net'. + +=item PKC_TYPE + +Type of public key carrier data provided on stdin, e.g. 'x509der', +etc. + +=item PKC_DATA + +Public key carrier data provided on stdin. + +=back + +=head1 ENVIRONMENT VARIABLES + +msva-review-cert accepts some environment variables: + +=over 4 + +=item MSVA_LOG_LEVEL + +Log messages about its operation to stderr. MSVA_LOG_LEVEL controls +its verbosity, and should be one of (in increasing verbosity): silent, +quiet, fatal, error, info, verbose, debug, debug1, debug2, debug3. +Default is 'error'. + +=item MSVA_KEYSERVER_POLICY + +msva-perl must decide when to check with keyservers (for new keys, +revocation certificates, new certifications, etc). There are three +possible options: 'always' means to check with the keyserver on every +query it receives. 'never' means to never check with a +keyserver. 'unlessvalid' will only check with the keyserver on a +specific query if no keys are already locally known to be valid for +the requested peer. Default is 'unlessvalid'. + +=back + +=head1 SEE ALSO + +msva-query-agent(1), msva-perl(1), monkeysphere(1), monkeysphere(7) + +=head1 BUGS AND FEEDBACK + +Bugs or feature requests for msva-perl should be filed with the +Monkeysphere project's bug tracker at +https://labs.riseup.net/code/projects/monkeysphere/issues/ + +=head1 AUTHORS AND CONTRIBUTORS + +Jameson Graef Rollins Ejrollins@finestructure.net +Daniel Kahn Gillmor Edkg@fifthhorseman.net + +The Monkeysphere Team http://web.monkeysphere.info/ + +=head1 COPYRIGHT AND LICENSE + +Copyright © Jameson Graef Rollins and others from the Monkeysphere +team. 
msva-query-agent is free software, distributed under the GNU +Public License, version 3 or later. diff --git a/test-msva b/test-msva index 3aff6bc..3e244e5 100755 --- a/test-msva +++ b/test-msva @@ -1,7 +1,7 @@ #!/bin/sh -# this script exists so that you can launch the msva-perl directly -# from your development environment without having to install +# this script exists so that you can launch the msva perl scripts +# directly from your development environment without having to install # anything. # it appears to be necessary because of some weirdness in how @@ -12,5 +12,6 @@ # Date: 2010-03-11 14:53:07-0500 dir=$(dirname "$0") -exec perl -wT -I"$dir" "$dir"/msva-perl "$@" - +cmd="$1" +shift +exec perl -wT -I"$dir" "$dir"/"$cmd" "$@"
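Review bot: `reviewcert($apd)` passes a single argument, but the `@@ -505,6 +505,8 @@` hunk header in MSVA.pm shows `my $clientinfo = shift;`, which suggests reviewcert takes a second argument that is undef on this in-process path; if reviewcert dereferences it outside the visible hunk, this script will die or log garbage, and a comment at the call site such as `# called in-process: there is no socket peer, so clientinfo is left undef` would at least record the assumption. The same missing-argument guard as for msva-query-agent applies here: `die "usage: msva-review-cert CONTEXT PEER [PKC_TYPE] < PKC_DATA\n" unless defined $context and defined $peer;`. The POD still carries placeholders and copy-paste leftovers: `msva-review-cert provides...` under ABSTRACT is unfinished, and the COPYRIGHT AND LICENSE section says `msva-query-agent is free software` where `msva-review-cert` is meant.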
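Review bot: The rewritten exec takes the script name from `$1` without checking it was given, so `test-msva` run with no arguments does `shift` on an empty parameter list (an error in some shells) and otherwise execs the directory `"$dir"/`; a guard such as `[ -n "$cmd" ] || { echo "usage: $0 SCRIPT [ARGS...]" >&2; exit 2; }` after `cmd="$1"` would give a clear message. Since the wrapper now takes the script name as its first argument, the header comment should say so, e.g. `# usage: test-msva msva-perl|msva-query-agent|msva-review-cert [ARGS...]`.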