cacert/cacert-webdb
9
0
Fork 0
Code Issues Pull requests 3 Projects Releases 4 Wiki Activity

Compare commits

base: cacert:main
Branches Tags
cacert:main
cacert:fix/bug-1550b
cacert:fix/bug-1550a
cacert:fix-gpg-expiry-date-calculation
cacert:add-quality-check-script
cacert:v2024.10.01
cacert:v2024.09.21
cacert:v2023.09.16
cacert:v2024.05.20
..
compare: cacert:fix-gpg-expiry-date-calculation
Branches Tags
cacert:fix/bug-1550b
cacert:fix/bug-1550a
cacert:main
cacert:fix-gpg-expiry-date-calculation
cacert:add-quality-check-script
cacert:v2024.10.01
cacert:v2024.09.21
cacert:v2023.09.16
cacert:v2024.05.20

6 commits
main ... fix-gpg-ex

Author SHA1 Message Date
Jan Dittberner
f794fd9e8b Merge remote-tracking branch 'origin/main' into fix-gpg-expiry-date-calculation 
* origin/main:
  Implement warning thresholds for OpenPGP
 2024-10-16 17:11:10 +02:00
Jan Dittberner
ec8c828069 Merge branch 'main' into fix-gpg-expiry-date-calculation 2024-10-06 13:56:30 +00:00
Jan Dittberner
6829f5c634 Fix OpenPGP signature handling 
- define configuration variable $signer_openpgp_key_id to hold the
  OpenPGP public key id of the signer
- define a variable for the long date format to keep it consistent for all uses in client.pl
- remove unused $timestamp global variable
- extract function parse_gpg_signature_output that handles the extraction
  of machine-readable information from the gpg output
- ensure that the signature creation and expiration date are read from signature packets that have
  been
- increase the warning counter for a gpg signing attempt
 2024-10-06 15:55:51 +02:00
Jan Dittberner
ddd60a87f6 Add script to analyze gpg signature timestamps 
This is primarily a debugging tool for critical admins.
 2024-10-06 14:03:13 +02:00
Jan Dittberner
8ca6e44c69 Fix issues with OpenPGPextractExpiryDate 
- add missing closing brace
- remove old commented code
 2024-10-05 11:26:00 +02:00
Jan Dittberner
8619ae841c Fix OpenPGP signature expiry calculation 
- use machine-readable output of gpg
- avoid regex and use direct matching of public key lines
- format date with POSIX::strftime
 2024-10-05 11:03:06 +02:00
3 changed files with 150 additions and 263 deletions
Show stats Expand all files Collapse all files

196
CONTRIBUTING.md
View file

@ -1,196 +0,0 @@
# Contributing to the CAcert code base
This short guide will help you to get your contributions into the cacert-webdb
code base.
## Checking the bug tracker
CAcert tracks bugs in the bug tracker at https://bugs.cacert.org/. Please look
whether the change you want to contribute addresses any of the issues there.
The bug tracker is linked from the "Issues" link on
https://code.cacert.org/cacert/cacert-webdb.
## Clone the repository
You need a local working copy to contribute changes. Get a clone using a git
client of your choice. The following shell snippets use the official git
command line client that can be installed from common Linux distribution
repositories or can be downloaded or installed from [the Git project
website](https://git-scm.com/downloads).
```shell
# go to where you usually store your code or projects
cd ~/projects
# clone the repository
git clone https://code.cacert.org/cacert/cacert-webdb.git
```
## Create a local bugfix branch
Get the latest changes from the original repository before you start
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# fetch all recent changes (not needed if you just cloned the repository)
# -p removes local copies of branches that are no longer available in the
# main repository
git fetch --all -p
```
Create a new bugfix branch based on the origin/main branch. The main branch is
where all changes are merged before they are deployed in production.
```
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# create a new branch from the main branch
git checkout -b the-descriptive-name-for-your-change origin/main
```
## Edit code / documentation
Make sure that you do the minimal required changes to the code or documentation
files, this will make life of reviewers easier. Avoid whitespace changes and
code reformatting that are not related to the lines that you change. Code
reformatting should be performed in separate branches and pull requests that
contain no other changes.
Try to keep your changes small and isolated. A pull request (PR) should focus
on a single purpose.
Code comments should be used to explain the "Why" of code. It does not make
sense to comment things that are obvious from the code itself:
```php
// BAD EXAMPLE, don't do this
// print Hello
print("Hello");
```
## Commit your changes
Commit the changes that you made to your local branch. Please provide a
[meaningful commit message](https://chris.beams.io/posts/git-commit/) and
reference the bug number from the [Bug tracker](https://bugs.cacert.org/) when
you contribute to fix any of the issues.
```shell
git add .
git commit -m "Fix foo in bla subsystem
This commit does XYZ to address ABC.
Address #<number>"
```
You may add more commits but please make sure that you only do changes required
for the specific contribution. Please use new branches for other
features/bugfixes (see above).
## Contribute your changes
There are two ways to contribute changes. You can either push your branch to
https://code.cacert.org/cacert/cacert-webdb or you can upload a series of patches to
the bug tracker. Pushing the changes to https://code.cacert.org/ is the
preferred variant as it makes life of reviewers easier.
If it took a while to prepare your changes you should rebase your branch on the
latest changes in the CAcertOrg/cacert-devel release branch:
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
git fetch --all -p
git rebase origin/main
```
You might need to fix merge conflicts in case you changed the same lines as
another contributor. A introduction to merge conflict handling can be found in
the [Git Book](https://git-scm.com/book/en/v2/Git-Branching-Basic-Branching-and-Merging#_basic_merge_conflicts).
Please be aware that all of us are volunteers. It might take a while until we
find the time to review and merge your changes.
### Create a pull request on code.cacert.org
You need a user account on code.cacert.org to contribute changes. If you don't
have an account yet send a mail to code-admin@cacert.org and include:
* your full name
* an email address
* a desired short username (up to 16 characters)
* a short introduction about you, if you are not yet known to other members of
the software team
An administrator will create an account for you and give you access to the
repositories. When you have received the welcome mail from the administrator
you should login to https://code.cacert.org/ and set your password.
Once you logged in using your password you may choose to add OpenID Connect
authentication to your account. Visit the
[Security](https://code.cacert.org/user/settings/security) settings of your
account and click on "Link account" and choose "cacert-oidc". You can then use
a CAcert client certificate and use the "Sign in with cacert-oidc" option for
future logins to the code.cacert.org application.
After this onboarding procedure you can push changes to the repository and
create pull requests.
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# push your changes
git push -u origin the-descriptive-name-for-your-change
```
The response to the push command will contain a short description and a link to
create a pull request. Please follow that link or go to
https://code.cacert.org/cacert/cacert-webdb/pulls to create a new pull request
from your branch to the main branch.
The code.cacert.org system will suggest a short description based on your
commit messages, you should add more information if you think that reviewers
will need some context to understand your pull requests' intent.
### Submit a series of patches for the bug tracker
If you have reasons not to use the pull request workflow you may create a
series of patches for your changes. Please be aware that this makes reviews
harder and may delay merging the changes.
To create a series of patches use the following:
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# fetch the latest changes if it has been a while
git fetch --all -p
# create a patch series and write the patches to the /tmp/ directory
git format-patch -o /tmp origin/main..the-descriptive-name-for-your-change
```
The git format-patch command will output the patch file names, similar to this:
```text
/tmp/0001-Change-the-files-for-me.patch
/tmp/0002-Update-the-documentation.patch
```
To submit this open the corresponding issue in [the bug
tracker](https://bugs.cacert.org/) and attach the patch files to the bug
report. Please add a descriptive comment to help reviewers understand what you
have changed.
## What next?
Once you have submitted your pull request or patch files you need to wait for
reviews. If your changes look ok they will be merged into the main branch.
Deployments to the production system are usually done close to the merges and
will be marked using git tags.
If reviewers ask you for changes to your pull requests please use your local
copy of the cacert-webdb code, add new commits to your branch and push them as
described above. The git format-patch workflow is a bit harder. You will need
to create a new patch series based on what you have submitted before and will
need to attach the new patch(es) to the bug tracker.

139
CommModule/client.pl
View file

@ -43,7 +43,8 @@ my $debug=0;
# number of attempts before giving up
my $warn_threshold = 3;
#my $serialport="/dev/ttyS0";
my $signer_openpgp_key_id = "D2BB0D0165D0FD58";
my $serialport="/dev/ttyUSB0";
my $gpgbin="/usr/bin/gpg";
@ -61,6 +62,7 @@ my $newlayout=1;
########################################################
my $long_timestamp_format = "%Y-%m-%d %H:%M:%S";
my %monarr = ("Jan" => 1, "Feb" => 2, "Mar" => 3, "Apr" => 4, "May" => 5, "Jun" => 6, "Jul" => 7, "Aug" => 8, "Sep" => 9, "Oct" => 10, "Nov" => 11, "Dec" => 12);
@ -103,7 +105,7 @@ my $lastdate = "";
sub SysLog($)
{
return if(not defined($_[0]));
my $timestamp = strftime("%Y-%m-%d %H:%M:%S", localtime);
my $timestamp = POSIX::strftime($long_timestamp_format, localtime);
my $currdate = substr($timestamp, 0, 10);
if ($lastdate ne $currdate) {
close LOG if ($lastdate ne "");
@ -124,8 +126,6 @@ die $_[0];
}
my $timestamp=strftime("%Y-%m-%d %H:%M:%S",localtime);
#mkdir "revokehashes";
foreach (keys %revokefile)
{
@ -529,71 +529,72 @@ sub X509extractSerialNumber($)
return "";
}
sub OpenPGPextractExpiryDate ($)
sub parse_gpg_signature_output
{
my $r="";
my $cts;
my @date;
my ($gpg_output, $debug_output) = @_;
my $key_id;
my @key_creation_date;
my @key_expiration_date;
my @sig_creation_date;
my @sig_expiration_date;
open(RGPG, $gpgbin.' -vv '.$_[0].' 2>&1 |') or Error('Can\'t start GnuPG($gpgbin): '.$!."\n");
open(OUT, '> infogpg.txt' ) or Error('Can\'t open output file: infogpg.txt: '.$!);
$/="\n";
while (<RGPG>)
{
print OUT $_;
unless ($r)
{
if ( /^\s*version \d+, created (\d+), md5len 0, sigclass (?:0x[0-9a-fA-F]+|\d+)\s*$/ )
{
SysLog "Detected CTS: $1\n";
$cts = int($1);
} elsif ( /^\s*critical hashed subpkt \d+ len \d+ \(sig expires after ((\d+)y)?((\d+)d)?((\d+)h)?(\d+)m\)\s*$/ )
{
SysLog "Detected FRAME $2 $4 $6 $8\n";
$cts += $2 * 31536000; # secs per year (60 * 60 * 24 * 365)
$cts += $4 * 86400; # secs per day (60 * 60 * 24)
$cts += $6 * 3600; # secs per hour (60 * 60)
$cts += $8 * 60; # secs per min (60)
$r = $cts;
}
elsif(/version/)
{
SysLog "Detected VERSION\n";
while (<$gpg_output>) {
print $debug_output $_;
unless (@sig_expiration_date) {
if ( $_ =~ /^(pub|sig):/ ) {
my @fields = split /:/, $_;
if ( $fields[0] eq "pub" ) {
SysLog "Detected public key packet: key id: $fields[4], created $fields[5], expires $fields[6]\n";
$key_id = $fields[4];
@key_creation_date = gmtime($fields[5]);
if ($fields[6]) {
@key_expiration_date = gmtime($fields[6]);
}
}
elsif ( $fields[0] eq "sig" && $fields[4] eq $signer_openpgp_key_id) {
SysLog "Detected signer signature packet: created $fields[5], expires $fields[6]\n";
@sig_creation_date = gmtime($fields[5]);
if ( $fields[6] ) {
@sig_expiration_date = gmtime($fields[6]);
}
}
}
}
}
close(OUT );
close(RGPG);
SysLog "CTS: $cts R: $r\n";
if ( $r )
{
@date = gmtime($r);
$r = sprintf('%.4i-%.2i-%.2i %.2i:%.2i:%.2i', # date format
$date[5] + 1900, $date[4] + 1, $date[3], # day
$date[2], $date[1], $date[0], # time
);
SysLog "key with key id ${key_id} created at " . POSIX::strftime($long_timestamp_format, @key_creation_date) . "\n";
if ( @key_expiration_date ) {
SysLog "key expires at " . POSIX::strftime($long_timestamp_format, @key_creation_date) . "\n";
}
SysLog "$r\n";
return $r;
if ( @sig_creation_date && @sig_expiration_date ) {
print "signer signature created at " . POSIX::strftime($long_timestamp_format, @sig_creation_date) . "\n";
my $signature_expiration = POSIX::strftime($long_timestamp_format, @sig_expiration_date);
print "signer signature expires at ${signature_expiration}\n";
return $signature_expiration;
}
Error "The OpenPGP file ${signed_file} contains no signature from the signer key id ${signer_openpgp_key_id}. This probably means that there is an issue with the signer OpenPGP key.\n";
}
#sub OpenPGPextractExpiryDate($)
#{
# my $data=`$gpgbin -v $_[0]`;
# open OUT,">infogpg.txt";
# print OUT $data;
# close OUT;
# if($data=~m/^sig\s+[0-9A-F]{8} (\d{4}-\d\d-\d\d) [^\[]/)
# {
# return "$1 00:00:00";
# }
# return "";
#}
sub OpenPGPextractExpiryDate ($)
{
my ($signed_file) = @_;
open(my $gpg_output, "-|", "${gpgbin} -vv --with-colons ${signed_file} 2>&1") or Error('Can\'t start GnuPG ($gpgbin): '.$!."\n");
open(my $debug_output, ">", "infogpg.txt") or Error('Can\'t open output file: infogpg.txt: '.$!."\n");
my $sig_expiration = parse_gpg_signature_output($gpg_output, $debug_output);
close $debug_output;
close $gpg_output;
return $sig_expiration;
}
# Sets the locale according to the users preferred language
sub setUsersLanguage($)
@ -1139,16 +1140,20 @@ sub HandleGPG()
my $date=OpenPGPextractExpiryDate($crtname);
my %user=getUserData($row{memid});
$dbh->do("update `gpg` set `crt`='$crtname', issued=now(), `expire`='$date' where `id`='".$row{'id'}."'");
if ( defined $date ) {
$dbh->do(sprintf("update gpg set crt='%s', issued=now(), expire='%s' where id='%d'", $crtname, $date, $row{id}));
my $body = _("Hi")." $user{fname},\n\n";
$body .= sprintf(_("Your CAcert signed key for %s is available online at:")."\n\n", $row{'email'});
$body .= "https://www.cacert.org/gpg.php?id=3&cert=$row{id}\n\n";
$body .= _("To help improve the trust of CAcert in general, it's appreciated if you could also sign our key and upload it to a key server. Below is a copy of our primary key details:")."\n\n";
$body .= "pub 1024D/65D0FD58 2003-07-11 CA Cert Signing Authority (Root CA) <gpg\@cacert.org>\n";
$body .= "Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n";
sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support");
my $body = _("Hi")." $user{fname},\n\n";
$body .= sprintf(_("Your CAcert signed key for %s is available online at:")."\n\n", $row{'email'});
$body .= "https://www.cacert.org/gpg.php?id=3&cert=$row{id}\n\n";
$body .= _("To help improve the trust of CAcert in general, it's appreciated if you could also sign our key and upload it to a key server. Below is a copy of our primary key details:")."\n\n";
$body .= "pub 1024D/65D0FD58 2003-07-11 CA Cert Signing Authority (Root CA) <gpg\@cacert.org>\n";
$body .= "Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n";
sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support");
} else {
$dbh->do(sprintf("update gpg set warning=warning + 1 where id='%d'", $row{id}));
}
} else {
SysLog("Could not find the issued gpg key. ".$row{"id"}."\n");
$dbh->do(sprintf("update gpg set warning=warning+1 where id=%d", $row{'id'}));

78
CommModule/openpgp-signature-timestamps.pl Normal file
View file

@ -0,0 +1,78 @@
#!/usr/bin/env perl
# This is a helper tool for debugging purposes. It is meant to output key and
# signature timestamps for signed public keys. The tool matches signatures
# against the public key id of the known signer key defined in the
# $signer_keyid variable.
use strict;
use warnings;
use POSIX;
# configuration for the signer key id
my $signer_keyid = "D2BB0D0165D0FD58";
sub process_gpg_file {
my ($signed_file) = @_;
open(my $gpg_output, "-|", "/usr/bin/gpg -vv --with-colons $signed_file 2>&1") or die("Can't start GnuPG: ".$!."\n");
open(my $debug_output, ">", 'infogpg.txt') or die("Can't open output file: infogpg.txt: ".$!."\n");
parse_gpg_output($gpg_output, $debug_output);
close $debug_output;
close $gpg_output;
}
sub parse_gpg_output {
my ($gpg_output, $debug_output) = @_;
my $key_id;
my @key_expiration_date;
my @key_creation_date;
my @sig_creation_date;
my @sig_expiration_date;
while (<$gpg_output>) {
print $debug_output $_;
unless( @sig_expiration_date ) {
if ( $_ =~ /^(pub|sig):/ ) {
my @fields = split /:/, $_;
if ( $fields[0] eq "pub" ) {
$key_id = $fields[4];
@key_creation_date = gmtime($fields[5]);
if ( $fields[6] ) {
@key_expiration_date = gmtime($fields[6]);
}
} elsif ( $fields[0] eq "sig" && $fields[4] eq $signer_keyid ) {
@sig_creation_date = gmtime($fields[5]);
if ( $fields[6] ) {
@sig_expiration_date = gmtime($fields[6]);
}
}
}
}
}
print "key id: ${key_id}\n";
print "key created: " . POSIX::strftime("%Y-%m-%d %H:%M:%S", @key_creation_date) . "\n";
if ( @key_expiration_date ) {
print "key expires: " . POSIX::strftime("%Y-%m-%d %H:%M:%S", @key_expiration_date) . "\n";
}
if ( @sig_creation_date ) {
print "signature created: " . POSIX::strftime("%Y-%m-%d %H:%M:%S", @sig_creation_date) . "\n";
if ( @sig_expiration_date ) {
print "signature expires: " . POSIX::strftime("%Y-%m-%d %H:%M:%S", @sig_expiration_date) . "\n";
}
} else {
print "There is no signature from the signer key id ${signer_keyid}. This probably means that there is an issue with the signer OpenPGP key.\n";
}
}
my $signed_file = shift;
if ( !$signed_file ) {
print "Usage $0 <signed_file>\n";
exit 1;
}
process_gpg_file($signed_file);