1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
|
#
#-*- coding:utf-8 -*-
"""
Gentoo-Keys - gkeygen/checks.py
Primary key checks module
@copyright: 2014 by Brian Dolbec <dolsen@gentoo.org>
@license: GNU GPL2, see COPYING for details
"""
import time
from collections import namedtuple, OrderedDict
from gkeys.config import GKEY_CHECK
from pyGPG.mappings import (ALGORITHM_CODES, CAPABILITY_MAP,
KEY_VERSION_FPR_LEN, VALIDITY_MAP, INVALID_LIST,
VALID_LIST)
SPEC_INDEX = {
'key': 0,
'capabilities': 1,
'fingerprint': 2,
'bits': 3,
'created': 4,
'expire': 5,
'encrypt_capable': 6,
'sign_capable': 7,
'algo': 8,
'version': 9,
'id': 10,
'days': 11,
'validity': 12,
'expire_reason': 13,
'long_caps': 14, # long version of the capbilities
'caps': 15,
'caps_reason': 16,
'id_reason': 17,
'is_valid': 18,
'passed_spec': 19,
}
SPEC_INDEX = OrderedDict(sorted(SPEC_INDEX.items(), key=lambda t: t[1]))
SPEC_STAT = ['', '','', False, False, False, False, False, False, False, False,
0, '', '', '', True, '', '', False, False]
# Default glep 63 minimum gpg key specification
# and approved options, limits
TEST_SPEC = {
'bits': {
'DSA': 2048,
'RSA': 2048,
},
'expire': 3 * 365, # in days
'subkeys': { # warning/error mode
'encrypt': {
'mode': 'notice',
'expire': 3 * 365,
},
'sign': {
'mode': 'error',
'expire': 365,
},
},
'algorithms': ['DSA', 'RSA', '1', '2', '3', '17'],
'versions': ['4'],
'qualified_id': '@gentoo.org',
}
# Final pass/fail fields and the pass value required
TEST_REQUIREMENTS = {
'bits': True,
'created': True,
'expire': True,
'sign_capable': True,
'algo': True,
'version': True,
'id': True,
'is_valid': True,
'caps': True,
}
SECONDS_PER_DAY = 86400
SPECCHECK_STRING = ''' ----------
Fingerprint......: %(fingerprint)s
Key type ........: %(key)s Capabilities.: %(capabilities)s %(long_caps)s
Algorithm........: %(algo)s Bit Length...: %(bits)s
Create Date......: %(created)s Expire Date..: %(expire)s
Key Version......: %(version)s Validity.....: %(validity)s
Days till expiry.: %(days)s %(expire_reason)s
Capability.......: %(caps)s %(caps_reason)s
Qualified ID.....: %(id)s %(id_reason)s
This %(pub_sub)s.: %(passed_spec)s'''
SPECCHECK_SUMMARY = ''' Key summary
primary..........: %(pub)s signing subkey: %(sign)s
encryption subkey: %(encrypt)s authentication subkey: %(auth)s
SPEC requirements: %(final)s
'''
def convert_pf(data, fields):
'''Converts dictionary items from True/False to Pass/Fail strings
@param data: dict
@param fields: list
@returns: dict
'''
for f in fields:
if data[f]:
data[f] = 'Pass'
else:
data[f] = 'Fail'
return data
def convert_yn(data, fields):
'''Converts dictionary items from True/False to Yes/No strings
@param data: dict
@param fields: list
@returns: dict
'''
for f in fields:
if data[f]:
data[f] = 'Yes '
else:
data[f] = 'No '
return data
class SpecCheck(namedtuple("SpecKey", list(SPEC_INDEX))):
__slots__ = ()
def pretty_print(self):
data = self.convert_data()
output = SPECCHECK_STRING % (data)
return output
def convert_data(self):
data = dict(self._asdict())
data = convert_pf(data, ['algo', 'bits', 'caps', 'created', 'expire', 'id',
'passed_spec', 'version'])
for f in ['caps', 'id']:
data[f] = data[f].ljust(10)
data['validity'] += ', %s' % (VALIDITY_MAP[data['validity']])
days = data['days']
if days == float("inf"):
data['days'] = "infinite".ljust(10)
else:
data['days'] = str(int(data['days'])).ljust(10)
if data['capabilities'] == 'e':
data['algo'] = '----'
data['bits'] = '----'
if data['key'] =='PUB':
data['pub_sub'] = 'primary key'
else:
data['pub_sub'] = 'subkey.....'
return data
class KeyChecks(object):
'''Primary gpg key validation and specifications checks class'''
def __init__(self, logger, spec=TEST_SPEC, qualified_id_check=True):
'''@param spec: optional gpg specification to test against
Defaults to TEST_SPEC
'''
self.logger = logger
self.spec = spec
self.check_id = qualified_id_check
def validity_checks(self, keydir, keyid, result):
'''Check the specified result based on the seed type
@param keydir: the keydir to list the keys for
@param keyid: the keyid to check
@param result: pyGPG.output.GPGResult object
@returns: GKEY_CHECK instance
'''
revoked = expired = invalid = sign = False
for data in result.status.data:
if data.name == "PUB":
if data.long_keyid == keyid[2:]:
# check if revoked
if 'r' in data.validity:
revoked = True
self.logger.debug("ERROR in key %s : revoked" % data.long_keyid)
break
# if primary key expired, all subkeys expire
if 'e' in data.validity:
expired = True
self.logger.debug("ERROR in key %s : expired" % data.long_keyid)
break
# check if invalid
if 'i' in data.validity:
invalid = True
self.logger.debug("ERROR in key %s : invalid" % data.long_keyid)
break
if 's' in data.key_capabilities:
sign = True
self.logger.debug("INFO primary key %s : key signing capabilities" % data.long_keyid)
if data.name == "SUB":
# check if invalid
if 'i' in data.validity:
self.logger.debug("WARNING in subkey %s : invalid" % data.long_keyid)
continue
# check if expired
if 'e' in data.validity:
self.logger.debug("WARNING in subkey %s : expired" % data.long_keyid)
continue
# check if revoked
if 'r' in data.validity:
self.logger.debug("WARNING in subkey %s : revoked" % data.long_keyid)
continue
# check if subkey has signing capabilities
if 's' in data.key_capabilities:
sign = True
self.logger.debug("INFO subkey %s : subkey signing capabilities" % data.long_keyid)
return GKEY_CHECK(keyid, revoked, expired, invalid, sign)
def spec_check(self, keydir, keyid, result):
'''Performs the minimum specifications checks on the key'''
self.logger.debug("SPEC_CHECK() : CHECKING: %s" % keyid)
results = {}
pub = None
stats = None
pub_days = 0
for data in result.status.data:
if data.name == "PUB":
if stats:
stats = self._test_final(data, stats)
results[pub.long_keyid].append(SpecCheck._make(stats))
pub = data
found_id = False
found_id_reason = ''
results[data.long_keyid] = []
stats = SPEC_STAT[:]
stats[SPEC_INDEX['key']] = data.name
stats[SPEC_INDEX['capabilities']] = data.key_capabilities
stats[SPEC_INDEX['validity']] = data.validity
stats = self._test_created(data, stats)
stats = self._test_algo(data, stats)
stats = self._test_bits(data, stats)
stats = self._test_expire(data, stats, pub_days)
pub_days = stats[SPEC_INDEX['days']]
stats = self._test_caps(data, stats)
stats = self._test_validity(data, stats)
elif data.name == "FPR":
pub = pub._replace(**{'fingerprint': data.fingerprint})
stats[SPEC_INDEX['fingerprint']] = data.fingerprint
stats = self._test_version(data, stats)
elif data.name == "UID":
stats = self._test_uid(data, stats)
if stats[SPEC_INDEX['id']] in [True, '-----']:
found_id = stats[SPEC_INDEX['id']]
found_id_reason = ''
stats[SPEC_INDEX['id_reason']] = ''
else:
found_id_reason = stats[SPEC_INDEX['id_reason']]
elif data.name == "SUB":
if stats:
stats = self._test_final(data, stats)
results[pub.long_keyid].append(SpecCheck._make(stats))
stats = SPEC_STAT[:]
stats[SPEC_INDEX['key']] = data.name
stats[SPEC_INDEX['capabilities']] = data.key_capabilities
stats[SPEC_INDEX['fingerprint']] = '%s' \
% (data.long_keyid)
stats[SPEC_INDEX['id']] = found_id
stats[SPEC_INDEX['id_reason']] = found_id_reason
stats[SPEC_INDEX['validity']] = data.validity
stats = self._test_validity(data, stats)
stats = self._test_created(data, stats)
stats = self._test_algo(data, stats)
stats = self._test_bits(data, stats)
stats = self._test_expire(data, stats, pub_days)
stats = self._test_caps(data, stats)
if stats:
stats = self._test_final(data, stats)
results[pub.long_keyid].append(SpecCheck._make(stats))
stats = None
self.logger.debug("SPEC_CHECK() : COMPLETED: %s" % keyid)
return results
def _test_algo(self, data, stats):
algo = data.pubkey_algo
if algo in TEST_SPEC['algorithms']:
stats[SPEC_INDEX['algo']] = True
else:
self.logger.debug("ERROR in key %s : invalid Type: %s"
% (data.long_keyid, ALGORITHM_CODES[algo]))
return stats
def _test_bits(self, data, stats):
bits = int(data.keylength)
if data.pubkey_algo in TEST_SPEC['algorithms']:
if bits >= TEST_SPEC['bits'][ALGORITHM_CODES[data.pubkey_algo]]:
stats[SPEC_INDEX['bits']] = True
else:
self.logger.debug("ERROR in key %s : invalid Bit length: %d"
% (data.long_keyid, bits))
return stats
def _test_version(self, data, stats):
fpr_l = len(data.fingerprint)
if KEY_VERSION_FPR_LEN[fpr_l] in TEST_SPEC['versions']:
stats[SPEC_INDEX['version']] = True
else:
self.logger.debug("ERROR in key %s : invalid gpg key version: %s"
% (data.long_keyid, KEY_VERSION_FPR_LEN[fpr_l]))
return stats
def _test_created(self, data, stats):
try:
created = float(data.creation_date)
except ValueError:
created = 0
if created <= time.time() :
stats[SPEC_INDEX['created']] = True
else:
self.logger.debug("ERROR in key %s : invalid gpg key creation date: %s"
% (data.long_keyid, data.creation_date))
return stats
def _test_expire(self, data, stats, pub_days):
if data.name in ["PUB"]:
delta_t = TEST_SPEC['expire']
stats = self._expire_check(data, stats, delta_t, pub_days)
return stats
else:
for cap in data.key_capabilities:
try:
delta_t = TEST_SPEC['subkeys'][CAPABILITY_MAP[cap]]['expire']
except KeyError:
self.logger.debug(
"WARNING in capability key %s : setting delta_t to main expiry: %d"
% (cap, TEST_SPEC['expire']))
delta_t = TEST_SPEC['expire']
stats = self._expire_check(data, stats, delta_t, pub_days)
return stats
def _expire_check(self, data, stats, delta_t, pub_days):
today = time.time()
try:
expires = float(data.expiredate)
except ValueError:
expires = float("inf")
if data.name == 'SUB' and expires == float("inf"):
days = stats[SPEC_INDEX['days']] = pub_days
elif expires == float("inf"):
days = stats[SPEC_INDEX['days']] = expires
else:
days = stats[SPEC_INDEX['days']] = max(0, int((expires - today)/SECONDS_PER_DAY))
if days <= delta_t:
stats[SPEC_INDEX['expire']] = True
elif days > delta_t and not ('i' in data.validity or 'r' in data.validity):
stats[SPEC_INDEX['expire_reason']] = '<== Exceeds specification'
else:
self.logger.debug("ERROR in key %s : invalid gpg key expire date: %s"
% (data.long_keyid, data.expiredate))
if 0 < days < 30 and not ('i' in data.validity or 'r' in data.validity):
stats[SPEC_INDEX['expire_reason']] = '<== WARNING < 30 days'
return stats
def _test_caps(self, data, stats):
if 'e' in data.key_capabilities:
if 's' in data.key_capabilities or 'a' in data.key_capabilities:
stats[SPEC_INDEX['caps']] = False
stats[SPEC_INDEX['caps_reason']] = "<== Mixing of 'e' with 's' and/or 'a'"
if not stats[SPEC_INDEX['is_valid']]:
return stats
kcaps = []
for cap in data.key_capabilities:
if CAPABILITY_MAP[cap] and stats[SPEC_INDEX['caps']]:
kcaps.append(CAPABILITY_MAP[cap])
if cap in ["s"] and not data.name == "PUB":
stats[SPEC_INDEX['sign_capable']] = True
elif cap in ["e"]:
stats[SPEC_INDEX['encrypt_capable']] = True
elif cap not in CAPABILITY_MAP:
stats[SPEC_INDEX['caps']] = False
self.logger.debug("ERROR in key %s : unknown gpg key capability: %s"
% (data.long_keyid, cap))
stats[SPEC_INDEX['long_caps']] = ', '.join(kcaps)
return stats
def _test_uid(self, data, stats):
if not self.check_id:
stats[SPEC_INDEX['id']] = '-----'
stats[SPEC_INDEX['id_reason']] = ''
return stats
if TEST_SPEC['qualified_id'] in data.user_ID :
stats[SPEC_INDEX['id']] = True
stats[SPEC_INDEX['id_reason']] = ''
else:
stats[SPEC_INDEX['id_reason']] = "<== '%s' user id not found" % TEST_SPEC['qualified_id']
self.logger.debug("Warning: No qualified ID found in key %s"
% (data.user_ID))
return stats
def _test_validity(self, data, stats):
if data.validity in VALID_LIST:
stats[SPEC_INDEX['is_valid']] = True
return stats
def _test_final(self, data, stats):
for test, result in TEST_REQUIREMENTS.items():
if ((stats[SPEC_INDEX['key']] == 'PUB' and test == 'sign_capable') or
(stats[SPEC_INDEX['capabilities']] == 'e' and test in ['algo', 'bits', 'sign_capable'])
or (stats[SPEC_INDEX['capabilities']] == 'a' and test in ['sign_capable'])):
continue
if stats[SPEC_INDEX[test]] == result:
stats[SPEC_INDEX['passed_spec']] = True
else:
stats[SPEC_INDEX['passed_spec']] = False
break
return stats
|