authoragc <agc>2014-02-04 02:11:18 +0000
committeragc <agc>2014-02-04 02:11:18 +0000
commite8cd73bb46ef3b57d9b1d9cb8a3db48db9c46166 (patch)
treec57375724b589f375d29b5f60052936a55ece8dd /security/netpgpverify/files/main.c
parent552db118abb0de5926baa067d35f2f8080c2be79 (diff)
Update security/netpgpverify to version 20140202
Changes from previous version: Add the ability for netpgpverify to verify ssh-pub-key-based signatures. It is much more likely for ssh (rather than pgp) keys to be available, and used, as a source of authentication data. These changes add the ability for netpgpverify(1) -- the standalone, zero-prereq utility - to verify signatures made by netpgp when using ssh keys. Running the regression tests in WRKDIR gives the following output: % mk -f *.bsd tst ./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012 signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23 fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e uid NetBSD Security Officer <security-officer@NetBSD.org> ./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.gpg Good signature for NetBSD-6.0_RC1_hashes.gpg made Thu Mar 14 13:32:59 2013 signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23 fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e uid NetBSD Security Officer <security-officer@NetBSD.org> ./netpgpverify -v netpgpverify portable 20140202 ./netpgpverify -S sshtest-20140202.pub data.gpg Good signature for data.gpg made Mon Feb 3 17:54:21 2014 signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01 fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com> ./netpgpverify -S sshtest-20140202.pub data.sig Good signature for data.sig made Sun Feb 2 21:45:05 2014 signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01 fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com> expected failure, to check bad signatures fail to verify sed -e 's|A|B|' data.gpg | ./netpgpverify -S sshtest-20140202.pub Signature did not match contents -- Signature on 
data did not match *** Error code 1 (ignored) % A new HOWTO file is provided in the sources (files/HOWTO) to show how to sign data using ssh keys and netpgp(1).
Diffstat (limited to 'security/netpgpverify/files/main.c')
-rw-r--r--security/netpgpverify/files/main.c34
1 files changed, 25 insertions, 9 deletions
diff --git a/security/netpgpverify/files/main.c b/security/netpgpverify/files/main.c
index 793f5355cdb..40cc1755c49 100644
--- a/security/netpgpverify/files/main.c
+++ b/security/netpgpverify/files/main.c
@@ -49,11 +49,11 @@ ptime(int64_t secs)
/* print entry n */
static void
-pentry(pgpv_t *pgp, int n)
+pentry(pgpv_t *pgp, int n, const char *modifiers)
{
char *s;
- pgpv_get_entry(pgp, (unsigned)n, &s);
+ pgpv_get_entry(pgp, (unsigned)n, &s, modifiers);
printf("%s", s);
free(s);
}
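Review bot: The result of `pgpv_get_entry()` is still ignored in `pentry()`, and `s` has no initialiser, so if the call can return without storing to `s` (its contract is not visible in this hunk), `printf("%s", s)` and `free(s)` operate on an indeterminate pointer. Since the call is being changed anyway, I would set `s = NULL;` before it and print only `if (s != NULL)`; `free(NULL)` is harmless. The comment `/* print entry n */` could also mention that `modifiers` is passed through unchanged and may be NULL.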
@@ -91,6 +91,7 @@ static int
verify_data(pgpv_t *pgp, const char *cmd, const char *inname, char *in, ssize_t cc)
{
pgpv_cursor_t cursor;
+ const char *modifiers;
size_t size;
size_t cookie;
char *data;
@@ -103,16 +104,17 @@ verify_data(pgpv_t *pgp, const char *cmd, const char *inname, char *in, ssize_t
}
return 1;
}
- } else if (strcasecmp(cmd, "verify") == 0) {
+ } else if (strcasecmp(cmd, "verify") == 0 || strcasecmp(cmd, "trust") == 0) {
+ modifiers = (strcasecmp(cmd, "trust") == 0) ? "trust" : NULL;
if (pgpv_verify(&cursor, pgp, in, cc)) {
printf("Good signature for %s made ", inname);
ptime(cursor.sigtime);
- pentry(pgp, ARRAY_ELEMENT(cursor.found, 0));
+ pentry(pgp, ARRAY_ELEMENT(cursor.found, 0), modifiers);
return 1;
}
- fprintf(stderr, "Signature did not match contents -- %s", cursor.why);
+ fprintf(stderr, "Signature did not match contents -- %s\n", cursor.why);
} else {
- fprintf(stderr, "unrecognised command \"%s\"", cmd);
+ fprintf(stderr, "unrecognised command \"%s\"\n", cmd);
}
return 0;
}
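Review bot: Nothing in this branch says how "trust" differs from "verify": both run the same `pgpv_verify()` call, and the only visible difference is the `modifiers` string handed to `pentry()`. A comment above the assignment, such as `/* "trust" verifies exactly like "verify"; the modifier only changes how the matching key entry is printed */`, would keep readers from assuming a stronger check, provided that is all `pgpv_get_entry()` does with it. The two `strcasecmp(cmd, "trust")` calls could also be reduced to one stored result. The body of `verify_data()` starts outside this hunk.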
@@ -120,21 +122,29 @@ verify_data(pgpv_t *pgp, const char *cmd, const char *inname, char *in, ssize_t
int
main(int argc, char **argv)
{
+ const char *modifiers;
const char *keyring;
const char *cmd;
ssize_t cc;
size_t size;
pgpv_t pgp;
char *in;
+ int ssh;
int ok;
int i;
memset(&pgp, 0x0, sizeof(pgp));
keyring = NULL;
+ ssh = 0;
ok = 1;
cmd = "verify";
- while ((i = getopt(argc, argv, "c:k:v")) != -1) {
+ modifiers = NULL;
+ while ((i = getopt(argc, argv, "S:c:k:v")) != -1) {
switch(i) {
+ case 'S':
+ ssh = 1;
+ keyring = optarg;
+ break;
case 'c':
cmd = optarg;
break;
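Review bot: `-S` stores its argument in the same `keyring` variable that `-k` presumably uses (the `case 'k'` arm is outside this hunk), but only `-S` touches `ssh`, so the format that gets parsed depends on option order. With `-S key.pub -k pubring.gpg` the PGP keyring path would be handed to the ssh reader, and with the reverse order the `-k` path is silently dropped. I would either reject the combination outright or make the last option win consistently by adding `ssh = 0;` to `case 'k':`. Separately, `modifiers` in `main()` is only assigned NULL in the lines shown here; if it is not used further down it can be dropped.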
@@ -148,8 +158,14 @@ main(int argc, char **argv)
break;
}
}
- if (!pgpv_read_pubring(&pgp, keyring, -1)) {
- errx(EXIT_FAILURE, "can't read keyring");
+ if (ssh) {
+ if (!pgpv_read_ssh_pubkeys(&pgp, keyring, -1)) {
+ fprintf(stderr, "can't read ssh keyring\n");
+ exit(EXIT_FAILURE);
+ }
+ } else if (!pgpv_read_pubring(&pgp, keyring, -1)) {
+ fprintf(stderr, "can't read keyring\n");
+ exit(EXIT_FAILURE);
}
if (optind == argc) {
in = getstdin(&cc, &size);
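Review bot: Neither failure message says which file could not be read, which makes it harder to tell which key source the tool tried to use when verification is scripted. In the ssh branch `keyring` always comes from an option argument, so `fprintf(stderr, "can't read ssh keyring '%s'\n", keyring);` is safe there. The PGP branch can be reached with `keyring == NULL`, so it would need a fallback such as `keyring ? keyring : "(default)"`. `main()` begins and continues outside this hunk.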