From 2e85a1f314bd77a6196d4dce99a586864d173fd3 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Oct 2010 01:59:09 -0400 Subject: [PATCH] now respects keyserverpolicy request member variable (closes MS #2542) --- Changelog | 7 +++++++ Crypt/Monkeysphere/MSVA.pm | 14 +++++++++++--- msva.protocol.README | 7 ++++--- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/Changelog b/Changelog index 25411aa..8410b89 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +msva-perl (0.6~pre) unstable; urgency=low + + * add new element to JSON syntax allowing request to override + keyserver_policy (closes MS #2542) + + -- Daniel Kahn Gillmor Thu, 14 Oct 2010 16:30:54 -0400 + msva-perl (0.5) unstable; urgency=low * If ${MSVA_KEYSERVER} is unset or blank, default to using keyserver diff --git a/Crypt/Monkeysphere/MSVA.pm b/Crypt/Monkeysphere/MSVA.pm index d4c5852..94a5c76 100755 --- a/Crypt/Monkeysphere/MSVA.pm +++ b/Crypt/Monkeysphere/MSVA.pm @@ -543,13 +543,21 @@ } else { $ret->{message} = sprintf('Failed to validate "%s" through the OpenPGP Web of Trust.', $uid); my $lastloop = 0; - msvalog('debug', "keyserver policy: %s\n", get_keyserver_policy); + my $kspolicy; + if (defined $data->{keyserverpolicy} && + $data->{keyserverpolicy} =~ /^(always|never|unlessvalid)$/) { + $kspolicy = $1; + msvalog("verbose", "using requested keyserver policy: %s\n", $1); + } else { + $kspolicy = get_keyserver_policy(); + } + msvalog('debug', "keyserver policy: %s\n", $kspolicy); # needed because $gnupg spawns child processes $ENV{PATH} = '/usr/local/bin:/usr/bin:/bin'; - if (get_keyserver_policy() eq 'always') { + if ($kspolicy eq 'always') { fetch_uid_from_keyserver($uid); $lastloop = 1; - } elsif (get_keyserver_policy() eq 'never') { + } elsif ($kspolicy eq 'never') { $lastloop = 1; } my $foundvalid = 0; diff --git a/msva.protocol.README b/msva.protocol.README index d8ca551..0d7fd51 100644 --- a/msva.protocol.README +++ b/msva.protocol.README @@ -14,7 +14,8 @@ GET / -- initial contact query, protocol version compatibility. (returns: protoversion, server, available) POST /reviewcert -- request validation of a certificate - (query parameters: uid, context, pkc) + (required query parameters: uid, context, pkc) + (optional query parameters: keyserverpolicy) (returns: valid, message) Query parameters are posted as a JSON blob (*not* as @@ -23,9 +24,9 @@ www-form-encoded). The variables that are returned are application/json as well. (PKC means: public key carrier: raw key, OpenPGP cert, or X.509 cert) -(UID means: User ID (like in OpenPGP)) +(UID means: User ID (similar to OpenPGP)) (context means: (this is too vague right now) something like "this certificate was used to try to identify an HTTPS server") - +(keyserverpolicy is optional; it states an advisory preference for how/whether the agent should contact the keyserver network for information about the key. The options are `always`, `never`, and `unlessvalid` (see the `msva-perl(1)` man page section about the `KEYSERVER_POLICY` environment variable for more details). Be aware that the agent may disregard, override, or simply not implement this preference.) Full details on the Monkeysphere Validation Agent protocol should be available at http://web.monkeysphere.info/validation-agent/protocol -- 2.26.2