From 1b1b13f1269a8218b72cd7dc6931d8fd82792057 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Thu, 18 Nov 2010 17:40:08 -0200
Subject: Initial recipients check support

---
 lib/keyringer/functions    | 39 +++++++++++++++++++++++++++++++++++++++
 share/keyringer/recipients |  1 +
 2 files changed, 40 insertions(+)

diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 9c8dfd7..4a02fd9 100644
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -172,6 +172,7 @@ function keyringer_set_env {
   ACTIONS="`dirname $0`"
   BASENAME="`basename $0`"
   BASEDIR="$1"
+  SUBCOMMAND="$2"
   KEYDIR="$BASEDIR/keys"
   RECIPIENTS="$BASEDIR/config/recipients"
   OPTIONS="$BASEDIR/config/options"
@@ -202,6 +203,9 @@ function keyringer_set_env {
     exit 1
   fi
 
+  # Check recipients file
+  keyringer_check_recipients $SUBCOMMAND
+
   # Ensure that keydir exists
   mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
 }
@@ -255,6 +259,41 @@ function keyringer_action_usage {
   fi
 }
 
+# Check recipients
+function keyringer_check_recipients {
+  if [ "$1" == "edit" ]; then
+    # Don't check recipients at edit mode.
+    return
+  fi
+
+  for recipient in $(cat "$RECIPIENTS" | grep -v '^#' | awk '{ print $2 }'); do
+    size=$(echo "$recipient" | wc -c)
+    if (( $size < 41 )); then
+      echo "Fatal: please set the full GPG signature hash for key ID $recipient:"
+      cat <<-EOF
+
+Recipients file can't have 32-bit keyids (e.g.  DEADBEEF or DECAF123).  These
+are trivial to spoof.  With a few gigs of disk space and a day of time on
+cheap, readily-available hardware, it's possible to build keys to match every
+possible 32-bit keyid.  The search space just isn't big enough.
+
+If you're going to specify keys by keyid, they should be specified by full
+160-bit OpenPGP fingerprint.  It would be very bad if someone spoofed a keyID
+and caused another participant in a keyringer instance to reencrypt a secret
+store to the spoofed key in addition to your own.
+EOF
+      exit 1
+    else
+      gpg --list-key $recipient &> /dev/null
+      if [ "$?" != "0" ]; then
+        echo "Fatal: no such key $recipient on your GPG keyring."
+        echo "Please check for this key or fix the recipient file."
+        exit 1
+      fi
+    fi
+  done
+}
+
 # Setup environment
 if [ "$(basename "$0")" != "keyringer" ]; then
   keyringer_set_env $*
diff --git a/share/keyringer/recipients b/share/keyringer/recipients
index c9dbdbb..2fe2ddf 100755
--- a/share/keyringer/recipients
+++ b/share/keyringer/recipients
@@ -14,6 +14,7 @@ if [ "$COMMAND" == "ls" ]; then
   cat "$RECIPIENTS"
 elif [ "$COMMAND" == "edit" ]; then
   "$EDITOR" "$RECIPIENTS"
+  keyringer_check_recipients
 else
   printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
   exit 1
-- 
cgit v1.2.3