7621bec9f3
script that can be used to test keys for minimal security requirements. A long list of people helped with this. In particular, Michael Lucas and David Wolfskill contributed many corrections and suggestions. I started the script based on the addkey.sh script, and David Wolfskill worked it into something usable. After more testing, the text can suggest using it to check keys before committing them. Reviewed by: accounts@, postmaster@, mwl@, sbruno@, gavin@
261 lines
6.4 KiB
Bash
Executable file
261 lines
6.4 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
# $FreeBSD$
|
|
#
|
|
|
|
#
|
|
# This script is intended to sanity-check PGP keys used by folks with
|
|
# @FreeBSD.org email addresses. The checks are intended to be derived
|
|
# from the information at
|
|
# <https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#openpgp-key-checks>
|
|
#
|
|
|
|
\unalias -a
|
|
|
|
progname=${0##*/}
|
|
|
|
# Print an informational message
|
|
info() {
|
|
echo "$@" >&2
|
|
}
|
|
|
|
# Print a warning message
|
|
warning() {
|
|
echo "WARNING: $@" >&2
|
|
}
|
|
|
|
# Print an error message and exit
|
|
error() {
|
|
echo "ERROR: $@" >&2
|
|
exit 1
|
|
}
|
|
|
|
# Print usage message and exit
|
|
usage() {
|
|
echo "usage: ${progname} [user] [keyid ...]\n" >&2
|
|
exit 1
|
|
}
|
|
|
|
# Look for gpg
|
|
gpg=$(which gpg)
|
|
if [ $? -gt 0 -o -z "${gpg}" -o ! -x "${gpg}" ] ; then
|
|
error "Cannot find gpg"
|
|
fi
|
|
|
|
# Set up our internal default gpg invocation options
|
|
_gpg() {
|
|
${gpg} \
|
|
--display-charset utf-8 \
|
|
--no-greeting \
|
|
--no-secmem-warning \
|
|
--keyid-format long \
|
|
--list-options no-show-uid-validity \
|
|
"$@"
|
|
}
|
|
|
|
# Look up key by key ID
|
|
getkeybyid() {
|
|
_gpg --with-colons --list-keys "$1" 2>/dev/null | awk -F: \
|
|
'$5 ~ /^\([0-9A-F]{8}\)?'"$1"'$/i && $12 ~ /ESC/ { print $5 }'
|
|
}
|
|
|
|
# Look up key by email
|
|
getkeybyemail() {
|
|
_gpg --with-colons --list-keys "$1" 2>/dev/null | awk -F: \
|
|
'$10 ~ /<'"$1"'>/i && $12 ~ /ESC/ { print $5 }'
|
|
}
|
|
|
|
# The first command-line argument can be a user name or a key ID.
|
|
if [ $# -gt 0 ] ; then
|
|
id="$1"
|
|
shift
|
|
else
|
|
id=$(id -nu)
|
|
warning "No argument specified, calculating user ID"
|
|
fi
|
|
|
|
# Now let's try to figure out what kind of thing we have as an ID.
|
|
# We'll check for a keyid first, as it's readily distinguishable
|
|
# from other things, but if we see that we have one, we push it back
|
|
# onto the argument list for later processing (becasue we may have
|
|
# been given a list of keyods).
|
|
if echo "${id}" | egrep -q '^[0-9A-F]{16}$'; then
|
|
id_type="keyid"
|
|
set -- "${id}" $@
|
|
elif echo "${id}" | egrep -q '^[0-9A-F]{8}$'; then
|
|
id_type="keyid"
|
|
set -- "${id}" $@
|
|
elif echo "${id}" | egrep -iq '^[a-z][-0-9a-z_]*@([-0-9a-z]+\.)[-0-9a-z]+$'; then
|
|
id_type="email"
|
|
email="${id}"
|
|
elif echo "${id}" | egrep -iq '^[a-z][-0-9a-z_]*$'; then
|
|
id_type="login"
|
|
login="${id}"
|
|
email="${id}@FreeBSD.org"
|
|
else
|
|
error "Cannot recognize type of ${id} (keyid, login, or email)"
|
|
fi
|
|
|
|
if [ $# -ne 0 ] ; then
|
|
# Verify the keys that were specified on the command line
|
|
for arg ; do
|
|
case $(expr "${arg}" : '^[0-9A-Fa-f]\{8,16\}$') in
|
|
8)
|
|
warning "${arg}: recommend using 16-digit keyid"
|
|
;&
|
|
16)
|
|
keyid=$(getkeybyid "${arg}")
|
|
if [ -n "${keyid}" ] ; then
|
|
keyids="${keyids} ${keyid}"
|
|
else
|
|
warning "${arg} not found"
|
|
fi
|
|
;;
|
|
*)
|
|
warning "${arg} does not appear to be a valid key ID"
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
else
|
|
# Search for keys by freebsd.org email
|
|
keyids=$(getkeybyemail "${email}")
|
|
case $(echo "${keyids}" | wc -w) in
|
|
0)
|
|
error "no keys found for ${email}"
|
|
;;
|
|
1)
|
|
;;
|
|
*)
|
|
warning "Multiple keys found for <${email}>; checking all."
|
|
warning "If this is not what you want, specify a key ID" \
|
|
"on the command line."
|
|
;;
|
|
esac
|
|
fi
|
|
|
|
# :(
|
|
if [ -z "${keyids}" ] ; then
|
|
error "no valid keys were found"
|
|
fi
|
|
|
|
# add a problem report to the list of problems with this key
|
|
badkey() {
|
|
key_problems=" ${key_problems}$@
|
|
"
|
|
}
|
|
|
|
exitstatus=0
|
|
|
|
# Check the keys
|
|
for key in ${keyids} ; do
|
|
# no problems found yet
|
|
key_problems=""
|
|
|
|
IFS_save="${IFS}"
|
|
key_info=$( ${gpg} --no-secmem-warning --export-options export-minimal --export ${key} \
|
|
| ${gpg} --no-secmem-warning --list-packets )
|
|
# primary keys should be RSA or DSA-2
|
|
IFS=""
|
|
version=$( echo $key_info | \
|
|
awk '$1 == "version" && $3 == "algo" {sub(",", "", $2); print $2; exit 0}' )
|
|
IFS="${IFS_save}"
|
|
if [ $version -lt 4 ]; then
|
|
badkey "This key is a deprecated version $version key!"
|
|
fi
|
|
|
|
IFS=""
|
|
algonum=$( echo $key_info | \
|
|
awk '$1 == "version" && $3 == "algo" {sub(",", "", $4); print $4; exit 0}' )
|
|
IFS="${IFS_save}"
|
|
case ${algonum} in
|
|
"1") algo="RSA" ;;
|
|
"17") algo="DSA" ;;
|
|
"18") algo="ECC" ;;
|
|
"19") algo="ECDSA" ;;
|
|
*) algo="*UNKNOWN*" ;;
|
|
esac
|
|
|
|
IFS=""
|
|
bitlen=$( echo $key_info | \
|
|
awk -F : '$1 ~ "pkey" { gsub("[^0-9]*","", $2); print $2; exit 0}' )
|
|
IFS="${IFS_save}"
|
|
echo "key ${key}: ${algo}, ${bitlen} bits"
|
|
case ${algo} in
|
|
RSA) ;;
|
|
DSA) if [ "${bitlen}" -le 1024 ]; then \
|
|
badkey "DSA, but not DSA-2"; \
|
|
fi ;;
|
|
*) badkey "non-preferred algorithm"
|
|
esac
|
|
|
|
# self-signatures must not use MD5 or SHA1
|
|
IFS=""
|
|
sig_algonum=$( echo $key_info | \
|
|
awk '$1 == "digest" && $2 == "algo" {sub(",", "", $3); print $3; exit 0}' )
|
|
IFS="${IFS_save}"
|
|
case sig_algonum in
|
|
1) sigs="MD5";;
|
|
2) sigs="SHA1";;
|
|
3) sigs="RIPEMD160";;
|
|
8) sigs="SHA256";;
|
|
9) sigs="SHA384";;
|
|
10) sigs="SHA512";;
|
|
11) sigs="SHA224";;
|
|
*)
|
|
esac
|
|
for sig in ${sigs}; do
|
|
if [ "${sig}" = "MD5" -o "${sig}" = "SHA1" ]; then
|
|
badkey "self-signature ${sig}"
|
|
fi
|
|
done
|
|
|
|
# digest algo pref must include at least one member of SHA-2
|
|
# at a higher priority than both MD5 and SHA1
|
|
IFS=""
|
|
algopref=$( echo $key_info | \
|
|
awk -F : '$1 ~ "pref-hash-algos" {gsub("[^ 0-9]", "", $2); print $2; exit 0}' )
|
|
IFS="${IFS_save}"
|
|
# if 3, 2, or 1 are before 11, 10, 9, or 8, then
|
|
set -- ${algopref}
|
|
if [ $1 -lt 4 ]; then
|
|
badkey "algorithm prefs do not have SHA-2 higher than MD5 or SHA1"
|
|
fi
|
|
|
|
# primary keys should have an expiration date at least a year
|
|
# in the future to make them worth committing, but no more
|
|
# than three years in the future
|
|
expires=$( _gpg --list-keys ${key} | \
|
|
awk "/$keyid .*expires:/ {sub(\"[^-0-9]\", \"\", \$NF); print \$NF; exit 0}" )
|
|
if [ -z "${expires}" ]; then
|
|
badkey "this key does not expire"
|
|
else
|
|
expires_s=$( date -jf "%F" "+%s" "${expires}" )
|
|
now_s=$( date "+%s" )
|
|
# 86400 == # seconds in a normal day
|
|
expire_int_d=$(( ( ${expires_s} - ${now_s} ) / 86400 ))
|
|
exp_min=$(( 1 \* 365 )) # Min expiry time is 1 year
|
|
exp_max=$(( 3 \* 365 + 1 )) # Max expiry time is 3 years
|
|
# We add 1 day because in a 3-year
|
|
# period, probability of a leap day
|
|
# is 297/400, about 0.74250
|
|
if [ ${expire_int_d} -lt ${exp_min} ]; then
|
|
badkey "Key $key expires in less than 1 year ($expire_int_d days)"
|
|
fi
|
|
if [ ${expire_int_d} -gt ${exp_max} ]; then
|
|
badkey "Key $key expires in more than 3 years ($expire_int_d days)"
|
|
fi
|
|
fi
|
|
|
|
# report problems
|
|
if [ -z "${key_problems}" ]; then
|
|
echo " key okay, ${key} meets minimal requirements" >&2
|
|
else
|
|
exitstatus=1
|
|
echo " ** problems found:" >&2
|
|
echo "${key_problems}" >&2
|
|
echo " ** key ${key} should not be used!"
|
|
fi
|
|
echo
|
|
done
|
|
exit ${exitstatus}
|