From d2ac6863a84fce308b8f801d2ed1983a97e1163d Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Mon, 11 Oct 2010 16:27:20 -0400
Subject: [PATCH] read keyserver from gpg.conf if $MSVA_KEYSERVER is empty or unset

---
 Changelog | 7 ++++++
 Crypt/Monkeysphere/MSVA.pm | 45 +++++++++++++++++++++++++++++++-------
 msva-perl | 6 +++--
 3 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/Changelog b/Changelog
index ada68be..cbbebb2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,10 @@
+msva-perl (0.5~pre) unstable; urgency=low
+
+ * If ${MSVA_KEYSERVER} is unset or blank, default to using keyserver
+ from ${GNUPGHOME}/gpg.conf if that file exists. (addresses MS #2080)
+
+ -- Daniel Kahn Gillmor Mon, 11 Oct 2010 16:02:22 -0400
+
 msva-perl (0.4) upstream;
 
 * removed dependency on monkeysphere package -- just invoke GnuPG
diff --git a/Crypt/Monkeysphere/MSVA.pm b/Crypt/Monkeysphere/MSVA.pm
index a3ccff5..8a02c8d 100755
--- a/Crypt/Monkeysphere/MSVA.pm
+++ b/Crypt/Monkeysphere/MSVA.pm
@@ -36,6 +36,9 @@
 use IO::Socket;
 use IO::File;
 use Socket;
+ use File::Spec;
+ use File::HomeDir;
+ use Config::General;
 use JSON;
 use POSIX qw(strftime);
 
@@ -367,7 +370,7 @@
 }
 
 sub get_keyserver_policy {
- if (exists $ENV{MSVA_KEYSERVER_POLICY}) {
+ if (exists $ENV{MSVA_KEYSERVER_POLICY} and $ENV{MSVA_KEYSERVER_POLICY} ne '') {
 if ($ENV{MSVA_KEYSERVER_POLICY} =~ /^(always|never|unlessvalid)$/) {
 return $1;
 }
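Review bot: `use File::HomeDir;` and `use Config::General;` in the @@ -36 hunk add two CPAN (non-core) runtime dependencies, but the Changelog entry in this same commit only describes the new behaviour and does not mention them, and because they are file-scope `use` statements an installation missing either module now fails at compile time even when MSVA_KEYSERVER is set. Consider recording the new requirements in the Changelog entry and wherever the project declares its dependencies, or loading them only on the gpg.conf fallback path with `require Config::General;` and `require File::HomeDir;` inside get_keyserver so the environment-variable path keeps working without them.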
@@ -379,15 +382,38 @@
 sub get_keyserver {
 # We should read from (first hit wins):
 # the environment
- if (exists $ENV{MSVA_KEYSERVER}) {
- if ($ENV{MSVA_KEYSERVER} =~ /^((hkps?|finger|ldap):\/\/)?$RE{net}{domain}$/) {
+ if (exists $ENV{MSVA_KEYSERVER} and $ENV{MSVA_KEYSERVER} ne '') {
+ if ($ENV{MSVA_KEYSERVER} =~ /^(((hkps?|finger|ldap):\/\/)?$RE{net}{domain})$/) {
 return $1;
 }
 msvalog('error', "Not a valid keyserver (from MSVA_KEYSERVER):\n %s\n", $ENV{MSVA_KEYSERVER});
 }
 
 # FIXME: some msva.conf file (system and user?)
- # FIXME: the relevant gnupg.conf instead?
+
+ # or else read from the relevant gnupg.conf:
+ my $gpghome;
+ if (exists $ENV{GNUPGHOME} and $ENV{GNUPGHOME} ne '') {
+ $gpghome = untaint($ENV{GNUPGHOME});
+ } else {
+ $gpghome = File::Spec->catfile(File::HomeDir->my_home, '.gnupg');
+ }
+ my $gpgconf = File::Spec->catfile($gpghome, 'gpg.conf');
+ if (-f $gpgconf) {
+ if (-r $gpgconf) {
+ my %gpgconfig = Config::General::ParseConfig($gpgconf);
+ if ($gpgconfig{keyserver} =~ /^(((hkps?|finger|ldap):\/\/)?$RE{net}{domain})$/) {
+ msvalog('debug', "Using keyserver %s from the GnuPG configuration file (%s)\n", $1, $gpgconf);
+ return $1;
+ } else {
+ msvalog('error', "Not a valid keyserver (from gpg config %s):\n %s\n", $gpgconf, $gpgconfig{keyserver});
+ }
+ } else {
+ msvalog('error', "The GnuPG configuration file (%s) is not readable\n", $gpgconf);
+ }
+ } else {
+ msvalog('info', "Did not find GnuPG configuration file while looking for keyserver '%s'\n", $gpgconf);
+ }
 
 # the default_keyserver
 return $default_keyserver;
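Review bot: `$gpgconfig{keyserver}` is matched against the regex without first checking that the option is present, so the common case of a readable gpg.conf with no keyserver line raises an uninitialized-value warning and is logged at error level as "Not a valid keyserver" although nothing is misconfigured; Config::General also hands back an array reference when an option is repeated, which would be stringified and rejected by the same branch. Copy the value into a scalar and branch on `defined` and `ref` before the regex, as below; the fallthrough to `$default_keyserver` at the end of the hunk stays as it is. Two minor points on the same lines: `$` in the pattern still accepts a trailing newline, `\z` does not, and `File::Spec->catfile(File::HomeDir->my_home, '.gnupg')` names a directory, which `catdir` expresses more honestly.
```perl
      my %gpgconfig = Config::General::ParseConfig($gpgconf);
      my $conf_ks = $gpgconfig{keyserver};
      if (!defined $conf_ks) {
        msvalog('info', "No keyserver declared in the GnuPG configuration file (%s)\n", $gpgconf);
      } elsif (ref $conf_ks) {
        # Config::General collects a repeated option into an array ref; do not guess which one was meant
        msvalog('error', "Multiple keyserver declarations in gpg config %s; ignoring them\n", $gpgconf);
      } elsif ($conf_ks =~ /^(((hkps?|finger|ldap):\/\/)?$RE{net}{domain})$/) {
        msvalog('debug', "Using keyserver %s from the GnuPG configuration file (%s)\n", $1, $gpgconf);
        return $1;
      } else {
        msvalog('error', "Not a valid keyserver (from gpg config %s):\n  %s\n", $gpgconf, $conf_ks);
      }
      # … unchanged: not-readable and not-found branches, default_keyserver return …
```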
@@ -400,12 +426,13 @@
 my $out = IO::Handle->new();
 my $nul = IO::File->new("< /dev/null");
 
- msvalog('debug', "start ks query for UserID: %s", $uid);
+ my $ks = get_keyserver();
+ msvalog('debug', "start ks query to %s for UserID: %s\n", $ks, $uid);
 my $pid = $gnupg->wrap_call ( handles => GnuPG::Handles->new( command => $cmd, stdout => $out, stderr => $nul ),
 command_args => [ '='.$uid ],
 commands => [ '--keyserver',
- get_keyserver(),
+ $ks,
 qw( --no-tty --with-colons --search ) ]
 );
 while (my $line = $out->getline()) {
@@ -413,6 +440,7 @@
 if ($line =~ /^info:(\d+):(\d+)/ ) {
 $cmd->print(join(' ', ($1..$2))."\n");
 msvalog('debug', 'to ks query: '.join(' ', ($1..$2))."\n");
+ last;
 }
 }
 # FIXME: can we do something to avoid hanging forever?
@@ -462,6 +490,9 @@
 } else {
 $ret->{message} = sprintf('Failed to validate "%s" through the OpenPGP Web of Trust.', $uid);
 my $lastloop = 0;
+ msvalog('debug', "keyserver policy: %s\n", get_keyserver_policy);
+ # needed because $gnupg spawns child processes
+ $ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
 if (get_keyserver_policy() eq 'always') {
 fetch_uid_from_keyserver($uid);
 $lastloop = 1;
@@ -469,8 +500,6 @@
 $lastloop = 1;
 }
 my $foundvalid = 0;
- # needed because $gnupg spawns child processes
- $ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
 
 # fingerprints of keys that are not fully-valid for this User ID, but match
 # the key from the queried certificate:
diff --git a/msva-perl b/msva-perl
index 35bd202..54e233b 100755
--- a/msva-perl
+++ b/msva-perl
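Review bot: The `last;` added in the @@ -413 hunk leaves the `while (my $line = $out->getline())` loop as soon as the `info:` prompt has been answered, so the gpg child's stdout is no longer drained; if gpg then writes more than the pipe buffers it blocks on write while this process presumably waits for it to finish, which is exactly the hang the FIXME on the following line worries about (the code that closes the handles and reaps `$pid` is outside the hunk, so this is inferred from the loop alone). If the intent is only to answer the prompt once, keep draining and guard the answer instead: declare `my $answered = 0;` before the `while`, change the test to `if (!$answered and $line =~ /^info:(\d+):(\d+)/ ) {`, and replace `last;` with `$answered = 1;`.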
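Review bot: In the @@ -462 hunk `get_keyserver_policy` is evaluated twice in consecutive lines, once as a bareword inside the `msvalog` call and once with parentheses in the `if`, which reads the environment twice and mixes two call styles for the same sub. Call it once and reuse the result: `my $policy = get_keyserver_policy();`, `msvalog('debug', "keyserver policy: %s\n", $policy);`, `if ($policy eq 'always') {`. The `elsif` branches that follow the `if` are outside the hunk and would compare `$policy` the same way.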
@@ -102,8 +102,10 @@ on an arbitrary open port.
 =item MSVA_KEYSERVER
 
 msva-perl will request information from OpenPGP keyservers. Set
-MSVA_KEYSERVER to declare the keyserver you want it to check with.
-Default is 'hkp://pool.sks-keyservers.net'.
+MSVA_KEYSERVER to declare the keyserver you want it to check with. If
+this variable is blank or unset, and your gpg.conf contains a
+keyserver declaration, it will use the GnuPG configuration. Failing
+that, the default is 'hkp://pool.sks-keyservers.net'.
 
 =item MSVA_KEYSERVER_POLICY
 
--
2.26.2
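Review bot: The new sentence says "your gpg.conf" without saying which file that is, while the code in MSVA.pm reads gpg.conf under `$GNUPGHOME` when that variable is set and under `~/.gnupg` otherwise, so a user with a non-default GNUPGHOME cannot tell from this page where the declaration must live. Suggested wording for the middle lines: `this variable is blank or unset, and the gpg.conf in ${GNUPGHOME} (by default ~/.gnupg) contains a keyserver declaration, it will use that.` It would also help to state that an MSVA_KEYSERVER value which is set but not a valid keyserver is logged and ignored, after which the same gpg.conf lookup and default apply, since that is what the new get_keyserver code does.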