3 # hkpms transport -- HKP-over-TLS, authenticated by monkeysphere
10 # Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
13 # (you should have received a COPYING file with this distribution)
18 { package Crypt::Monkeysphere::MSVA::HKPMS;
20 use Crypt::Monkeysphere::MSVA::Logger;
21 use Crypt::Monkeysphere::MSVA::Client;
22 use Regexp::Common qw /net/;
23 use Module::Load::Conditional;
30 foreach my $line (split(/\n/, $input)) {
35 next if ($line =~ /^#/);
36 my @args = split(/ /, $line);
37 my $cmd = shift @args;
38 $self->{config}->{lc($cmd)} = join(' ', @args);
39 if (lc($cmd) eq 'option') {
40 my $opt = lc($args[0]);
41 if ($opt eq 'debug') {
42 $self->{logger}->set_log_level('debug');
43 } elsif ($opt eq 'verbose') {
44 $self->{logger}->more_verbose();
45 } elsif ($opt eq 'no-check-cert') {
46 $self->{logger}->log('error', "Received no-check-cert option. Why are you bothering with hkpms if you aren't checking?\n");
47 $self->{actually_check} = 0;
48 } elsif ($opt eq 'check-cert') {
49 $self->{actually_check} = 1;
50 } elsif ($opt =~ /^http-proxy=(.*)/) {
52 if ($hp =~ /^(socks|http|https):\/\/($RE{net}{domain}|$RE{net}{IPv4}):([[:digit:]]+)\/?$/) {
54 if ( ! Module::Load::Conditional::check_install(module => 'LWP::Protocol::socks')) {
55 $self->{logger}->log('error', "Requesting a socks proxy for hkpms, but LWP::Protocol::socks is not installed.\nThis will likely fail.\n");
58 $self->{proxy} = sprintf('%s://%s:%s', $1, $2, $3);
60 $self->{logger}->log('error', "Failed to make sense of this http-proxy address: '%s'; ignoring.\n", $hp);
63 $self->{logger}->log('error', "Received '%s' as an option, but gpgkeys_hkpms does not implement it. Ignoring...\n", $opt);
65 # FIXME: consider other keyserver-options from gpg(1).
66 # in particular, the following might be interesting:
74 push(@{$self->{args}}, $line);
81 my ($ok, $ctxstore, $certname, $error, $cert) = @_;
82 my $certpem = Net::SSLeay::PEM_get_string_X509($cert);
85 if (exists $self->{cache}->{$certpem}) {
86 ($status, $ret) = @{$self->{cache}->{$certpem}};
87 $self->{logger}->log('debug', "Found response in cache\n");
89 # use Crypt::Monkeysphere::MSVA::Client if available:
90 if (defined($self->{client})) {
91 # because we really don't want to create some sort of MSVA loop:
92 ($status, $ret) = $self->{client}->query_agent('https', $self->{config}->{host}, 'server', 'x509pem', $certpem, 'never');
94 use Crypt::Monkeysphere::MSVA;
95 # If there is no running agent, we might want to be able to fall
98 # FIXME: this is hackery! we're just calling daemon-internal code
99 # (and it's not a stable API):
101 my $data = {peer => { name => $self->{config}->{host}, type => 'server' },
103 pkc => { type => 'x509pem', data => $certpem },
104 keyserverpolicy => 'never', # because we really don't want to create some sort of MSVA loop
107 my $clientinfo = { uid => POSIX::geteuid(), inode => undef };
109 ($status, $ret) = Crypt::Monkeysphere::MSVA::reviewcert($data, $clientinfo);
112 # make a cache of the cert if it verifies once, since this seems
113 # to get called 3 times by perl for some reason. (see
114 # https://bugs.debian.org/606249)
115 $self->{cache}->{$certpem} = [ $status, $ret ];
116 if (JSON::is_bool($ret->{valid}) && ($ret->{valid} eq 1)) {
117 $self->{logger}->log('verbose', "Monkeysphere HKPMS Certificate validation succeeded:\n %s\n", $ret->{message});
119 $self->{logger}->log('error', "Monkeysphere HKPMS Certificate validation failed:\n %s\n", $ret->{message});
123 if (JSON::is_bool($ret->{valid}) && ($ret->{valid} eq 1)) {
133 # FIXME: i'd like to pass this debug argument to IO::Socket::SSL,
134 # but i don't know how to do that.
135 # i get 'Variable "@iosslargs" will not stay shared' if i try to call
136 # use IO::Socket::SSL 1.37 @iosslargs;
138 if ($self->{logger}->get_log_level() >= 4) {
139 push @iosslargs, sprintf("debug%d", int($self->{logger}->get_log_level() - 3));
142 # versions earlier than 1.35 can fail open: bad news!.
143 # 1.37 lets us set ca_path and ca_file to undef, which is what we want.
144 use IO::Socket::SSL 1.37;
149 IO::Socket::SSL::set_ctx_defaults(
150 verify_callback => sub { $self->verify_cert(@_); },
156 my $ua = LWP::UserAgent::->new();
158 if (exists($self->{proxy})) {
159 $self->{logger}->log('verbose', "Using http-proxy: %s\n", $self->{proxy});
160 $ua->proxy([qw(http https)] => $self->{proxy});
162 # if no proxy was explicitly set, use the environment:
166 printf("VERSION 1\nPROGRAM %s gpgkeys_hkpms msva-perl/%s\n",
167 $self->{config}->{program}, # this is kind of cheating :/
168 $Crypt::Monkeysphere::MSVA::VERSION);
171 $self->{logger}->log('debug', "command: %s\n", $self->{config}->{command});
172 if (lc($self->{config}->{command}) eq 'search') {
173 # for COMMAND = SEARCH, we want op=index, and we want to rejoin all args with spaces.
174 my $uri = URI::->new(sprintf('https://%s/pks/lookup', $self->{config}->{host}));
175 my $arg = join(' ', @{$self->{args}});
176 $uri->query_form(op => 'index',
180 $arg =~ s/\n/ /g ; # swap out newlines for spaces
181 printf("\n%s %s BEGIN\n", $self->{config}->{command}, $arg);
182 $self->{logger}->log('debug', "URI: %s\n", $uri);
183 my $resp = $ua->get($uri);
184 if ($resp->is_success) {
185 print($resp->decoded_content);
187 # FIXME: handle errors better
188 $self->{logger}->log('error', "HTTPS error: %s\n", $resp->status_line);
190 printf("\n%s %s END\n", $self->{config}->{command}, $arg);
191 } elsif (lc($self->{config}->{command}) eq 'get') {
192 # for COMMAND = GET, we want op=get, and we want to issue each query separately.
193 my $uri = URI::->new(sprintf('https://%s/pks/lookup', $self->{config}->{host}));
194 foreach my $arg (@{$self->{args}}) {
195 printf("\n%s %s BEGIN\n", $self->{config}->{command}, $arg);
196 $uri->query_form(op => 'get',
200 my $resp = $ua->get($uri);
201 if ($resp->is_success) {
202 print($resp->decoded_content);
204 # FIXME: handle errors better
205 $self->{logger}->log('error', "HTTPS error: %s\n", $resp->status_line);
207 printf("\n%s %s END\n", $self->{config}->{command}, $arg);
209 } elsif (lc($self->{config}->{command}) eq 'send') {
210 $self->{logger}->log('debug', "Sending keys");
211 # walk the input looking for "KEY E403BC1A17856FB7 BEGIN" lines.
214 foreach my $arg (@{$self->{args}}) {
215 if ($arg =~ /^KEY ([a-fA-F0-9]+) BEGIN\s*$/) {
218 $self->{logger}->log('debug', "Found KEY BEGIN line (%s)\n", $keyid);
219 } elsif (defined($keyid)) {
220 if ($arg eq sprintf('KEY %s END', $keyid)) {
221 $self->{logger}->log('debug', "Found KEY END line with %d lines of data elapsed\n", scalar(@keydata));
222 # for sending keys, we want to POST to /pks/add, with a keytext variable.
223 my $uri = URI::->new(sprintf('https://%s/pks/add', $self->{config}->{host}));
224 my $resp = $ua->post($uri, {keytext => join("\n", @keydata)});
225 if ($resp->is_success) {
226 printf("\n%s", $resp->decoded_content);
228 # FIXME: handle errors better
229 $self->{logger}->log('error', "HTTPS error: %s\n", $resp->status_line);
231 printf("\nKEY %s SENT\n", $keyid);
238 $self->{logger}->log('debug2', "Found garbage line\n");
241 if (defined($keyid)) {
242 $self->{logger}->log('error', "Never got a 'KEY %s END' line, discarding.\n", $keyid);
245 # are there other commands we might want?
246 $self->{logger}->log('error', "Unknown command %s\n", $self->{config}->{command});
254 my $default_log_level = 'error';
256 if (exists($ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET})) {
257 $client = Crypt::Monkeysphere::MSVA::Client::->new(
258 socket => $ENV{MONKEYSPHERE_VALIDATION_AGENT_SOCKET},
259 log_level => $default_log_level,
262 my $self = { config => { },
264 logger => (defined($client) ? $client->{logger} : Crypt::Monkeysphere::MSVA::Logger::->new($default_log_level)),
270 bless ($self, $class);
277 my $hkpms = Crypt::Monkeysphere::MSVA::HKPMS::->new();
279 my $input = # load gpg instructions from stdin:
286 $hkpms->parse_input($input);