-- hokey.hs: hOpenPGP key tool
-- Copyright © 2013 Clint Adams
--
-- vim: softtabstop=4:shiftwidth=4:expandtab
--
-- This program is free software: you can redistribute it and/or modify
-- it under the terms of the GNU Affero General Public License as
-- published by the Free Software Foundation, either version 3 of the
-- License, or (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU Affero General Public License for more details.
--
-- You should have received a copy of the GNU Affero General Public License
-- along with this program. If not, see .
import Paths_hopenpgp_tools (version)
import Codec.Encryption.OpenPGP.Fingerprint (fingerprint, eightOctetKeyID)
import Codec.Encryption.OpenPGP.KeyInfo (keySize)
import Codec.Encryption.OpenPGP.Types
import Control.Applicative ((<$>),(<*>), optional)
import Control.Lens ((^.), (^?!), ix)
import Control.Monad.Trans.Writer.Lazy (execWriter, tell)
import qualified Crypto.PubKey.RSA as RSA
import qualified Crypto.PubKey.DSA as DSA
import Data.Bits (shiftR)
import qualified Data.ByteString as B
import Data.Conduit (($=),($$), runResourceT)
import qualified Data.Conduit.Binary as CB
import Data.Conduit.Cereal (conduitGet)
import Data.Conduit.OpenPGP.Keyring (conduitToTKsDropping, sinkKeyringMap)
import Data.List (unfoldr)
import Data.Maybe (fromMaybe)
import Data.Monoid ((<>))
import Data.IxSet ((@=))
import qualified Data.IxSet as IxSet
import Data.Serialize (get)
import Data.Version (showVersion)
import Options.Applicative.Builder (argument, command, help, idm, info, long, metavar, progDesc, str, strOption, subparser)
import Options.Applicative.Extra (execParser)
import Options.Applicative.Types (Parser)
import System.Directory (getHomeDirectory)
import System.IO (hPutStrLn, stderr)
grabMatchingKeys :: FilePath -> String -> IO [TK]
grabMatchingKeys fp eok = do
kr <- runResourceT $ CB.sourceFile fp $= conduitGet get $= conduitToTKsDropping $$ sinkKeyringMap
return $! IxSet.toList (kr @= (read eok :: EightOctetKeyId))
checkKey :: TK -> IO ()
checkKey key = putStrLn . unlines . execWriter $ do
tell [ "Key has fingerprint: " ++ (show . fingerprint $ key^.tkPKP) ]
tell [ "Checking to see if key is OpenPGPv4: " ++ (show $ V4 == key^.tkPKP^.keyVersion) ]
tell [ "Checking to see if key is RSA or DSA (>= 2048-bit): " ++ (show $ rsadsa2) ]
tell [ "Checking self-sig hash algorithms (poorly): " ] -- FIXME
tell $ map (\(x,ys) -> " " ++ x ++ ": " ++ (show . map hashAlgo . filter (\x -> sigissuer x == Issuer (eoki key)) $ ys)) (key^.tkUIDs)
tell $ map (\(_,ys) -> " :" ++ (show . map hashAlgo . filter (\x -> sigissuer x == Issuer (eoki key)) $ ys)) (key^.tkUAts)
tell [ "Checking preferred hash algorithms (poorly): " ] -- FIXME
tell $ concatMap (\(x,ys) -> (" " ++ x ++ ":"):((map ((" "++) . show . phas) . filter (\x -> sigissuer x == Issuer (eoki key)) $ ys))) (key^.tkUIDs)
tell $ concatMap (\(_,ys) -> (" :"):((map ((" "++) . show . phas) . filter (\x -> sigissuer x == Issuer (eoki key)) $ ys))) (key^.tkUAts)
tell [ "Checking key expiration times (poorly): " ] -- FIXME
tell $ concatMap (\(x,ys) -> (" " ++ x ++ ":"):((map ((" "++) . show . kets) . filter (\x -> sigissuer x == Issuer (eoki key)) $ ys))) (key^.tkUIDs)
tell $ concatMap (\(_,ys) -> (" :"):((map ((" "++) . show . kets) . filter (\x -> sigissuer x == Issuer (eoki key)) $ ys))) (key^.tkUAts)
where
rsadsa2 = (key^.tkPKP^.pkalgo == RSA && keysize >= 2048) ||
(key^.tkPKP^.pkalgo == DSA && keysize >= 2048)
keysize = keySize (key^.tkPKP^.pubkey)
sigissuer (SigV3 _ _ _ _ _ _ _) = OtherSigSub 666 B.empty -- this is dumb
sigissuer (SigV4 _ _ _ _ xs _ _) = xs^?!ix 0^.sspPayload -- this is a horrible stack of stupid assumptions
sigissuer (SigVOther _ _) = error "We're in the future."
sigissuer _ = error "WTF"
eoki = eightOctetKeyID . _tkPKP
hashAlgo (SigV4 _ _ x _ _ _ _) = x
phas (SigV4 _ _ _ xs _ _ _) = concatMap (\(SigSubPacket _ (PreferredHashAlgorithms x)) -> x) $ filter isPHA xs
isPHA (SigSubPacket _ (PreferredHashAlgorithms _)) = True
isPHA _ = False
kets (SigV4 _ _ _ xs _ _ _) = map (\(SigSubPacket _ (KeyExpirationTime x)) -> durationPrettyPrinter x) $ filter isKET xs
isKET (SigSubPacket _ (KeyExpirationTime _)) = True
isKET _ = False
-- this does not have the same sense of calendar anyone else might
durationPrettyPrinter :: TimeStamp -> String
durationPrettyPrinter = concat . unfoldr durU
where
durU x
| x >= 31557600 = Just $ ((++"y") . show $ x `div` 31557600, x `mod` 31557600)
| x >= 2629800 = Just $ ((++"m") . show $ x `div` 2629800, x `mod` 2629800)
| x >= 86400 = Just $ ((++"d") . show $ x `div` 86400, x `mod` 86400)
| x > 0 = Just $ ((++"s") . show $ x, 0)
| otherwise = Nothing
data Options = Options {
keyring :: String
, target :: String
}
data Command = Lint Options
lintO :: String -> Parser Options
lintO homedir = Options
<$> (fromMaybe (homedir ++ "/.gnupg/pubring.gpg") <$> (optional $ strOption
( long "keyring"
<> metavar "FILE"
<> help "file containing keyring" )))
<*> argument str ( metavar "TARGET" )
dispatch :: Command -> IO ()
dispatch (Lint o) = doLint o
main :: IO ()
main = do
homedir <- getHomeDirectory
hPutStrLn stderr $ "hokey version " ++ showVersion version ++ ", Copyright (C) 2013 Clint Adams\n\
\hokey comes with ABSOLUTELY NO WARRANTY.\n\
\This is free software, and you are welcome to redistribute it\n\
\under certain conditions.\n"
execParser (info (cmd homedir) idm) >>= dispatch
cmd :: String -> Parser Command
cmd homedir = subparser
( command "lint" (info ( Lint <$> lintO homedir) ( progDesc "check key(s) for 'best practices'" )))
doLint :: Options -> IO ()
doLint o = do
keys <- grabMatchingKeys (keyring o) (target o)
mapM_ checkKey keys