File/plugins/gpg/functions/key.php

Description

gpg_key_functions.php: GPG plugin key management functions

Copyright (c) 2002-2005 Braverock Ventures
Copyright (c) 2007 The NaSMail Project
Licensed under the GNU GPL. For full terms see the file COPYING.

  • author: Aaron van Meerten
  • author: Brian Peterson
  • version: $Id: key.php 946 2007-10-22 17:12:43Z tokul $
Functions
gpg_generate_keypair (line 339)

This function generates a keypair

Unattended key generation

This feature allows unattended generation of keys controlled by a parameter file. To use this feature, you use --gen-key together with --batch and feed the parameters either from stdin or from a file given on the command line.

The format of this file is as follows:

  • Text only, line length is limited to about 1000 chars.
  • You must use UTF-8 encoding to specify non-ascii characters.
  • Empty lines are ignored.
  • Leading and trailing spaces are ignored.
  • A hash sign as the first non white space character indicates a comment line.
  • Control statements are indicated by a leading percent sign, the arguments are separated by white space from the keyword.
  • Parameters are specified by a keyword, followed by a colon. Arguments are separated by white space.
  • The first parameter must be "Key-Type", control statements may be placed anywhere.
  • Key generation takes place when either the end of the parameter file is reached, the next "Key-Type" parameter is encountered or at the control statement "%commit"
  • Control statements:
      %echo <text>
          Print <text>.
      %dry-run
          Suppress actual key generation (useful for syntax checking).
      %commit
          Perform the key generation. An implicit commit is done at the next "Key-Type" parameter.
      %pubring <filename>
      %secring <filename>
          Do not write the key to the default or command-line given keyring but to <filename>. This must be given before the first commit takes place; a duplicate specification of the same filename is ignored, and the last filename before a commit is used. The filename is used until a new filename is used (at commit points) and all keys are written to that file. If a new filename is given, this file is created (and overwrites an existing one). Both control statements must be given.
  • The order of the parameters does not matter except for "Key-Type", which must be the first parameter. The parameters are only for the generated keyblock; parameters from previous key generations are not used. Some syntax checks may be performed. The currently defined parameters are:
      Key-Type: <algo-number>|<algo-string>
          Starts a new parameter block by giving the type of the primary key. The algorithm must be capable of signing. This is a required parameter.
      Key-Length: <length-in-bits>
          Length of the key in bits. Default is 1024.
      Key-Usage: <usage-list>
          Space- or comma-delimited list of key usages; allowed values are "encrypt" and "sign". This is used to generate the key flags. Please make sure that the algorithm is capable of this usage.
      Subkey-Type: <algo-number>|<algo-string>
          This generates a secondary key. Currently only one subkey can be handled.
      Subkey-Length: <length-in-bits>
          Length of the subkey in bits. Default is 1024.
      Subkey-Usage: <usage-list>
          Similar to Key-Usage.
      Passphrase: <string>
          If you want to specify a passphrase for the secret key, enter it here. Default is not to use any passphrase.
      Name-Real: <string>
      Name-Comment: <string>
      Name-Email: <string>
          The 3 parts of a user ID. Remember to use UTF-8 here. If you don't give any of them, no user ID is created.
      Expire-Date: <iso-date>|(<number>[d|w|m|y])
          Set the expiration date for the key (and the subkey). It may either be entered in ISO date format (2000-08-15) or as a number of days, weeks, months or years. Without a letter, days are assumed.
      Preferences: <string>
          Set the cipher, hash, and compression preference values for this key. This expects the same type of string as "setpref" in the --edit menu.

Here is an example:

    $ cat >foo <<EOF
    %echo Generating a standard key
    Key-Type: DSA
    Key-Length: 1024
    Subkey-Type: ELG-E
    Subkey-Length: 1024
    Name-Real: Joe Tester
    Name-Comment: with stupid passphrase
    Name-Email: joe@foo.bar
    Expire-Date: 0
    Passphrase: abc
    %pubring foo.pub
    %secring foo.sec
    # Do a commit here, so that we can later print "done" :-)
    %commit
    %echo done
    EOF
    $ gpg --batch --gen-key -a foo
    [...]

The plugin feeds the parameters to gpg on stdin; one parameter per line inside the quoted string, with the continuation backslash only before the pipe (a backslash-newline inside the double quotes would be removed by the shell and join two parameters onto one line):

    echo "Key-Type: DSA
    Key-Length: 1024
    Subkey-Type: ELG-E
    Subkey-Length: 2048
    Name-Real: Joe Tester
    Name-Email: joe@foo.bar
    Passphrase: abc" \
    | gpg --batch --gen-key --armor --homedir $gpg_key_dir

Keys created with the options set below are PGP compatible (don't forget to put in the other options needed for actual key creation):

    Key-Type: DSA
    Key-Length: 1024
    Subkey-Type: ELG-E
    Preferences: S2 S7 S3 H2 H3 Z2 Z1

  • return: array with the output we were able to retrieve from the gpg command
array gpg_generate_keypair (string $real_name, string $email, string $passphrase, [optional $comment = ''], [optional $keylength = 1024], [optional $expiredate = 0], [optional $revoker])
  • string $real_name: Full name for the uid
  • string $email: Email address to be put in the uid
  • string $passphrase: Passphrase to protect the secret key
  • optional $comment: string $comment Comment to be appended to the default comment
  • optional $keylength: integer $keylength Length of key to generate
  • optional $expiredate: date $expiredate when should this key expire?
  • optional $revoker: string $revoker fingerprint of key to set as revoker
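As an added example (Python, not the plugin's own PHP code), here is how the parameter block that gpg --batch --gen-key reads from stdin can be built from the same inputs gpg_generate_keypair() takes, with every caller-supplied field checked before it is placed on its parameter line. The names build_genkey_params, _check_field and run_genkey are this example's own; the revoker argument is left out because the page documents no batch parameter for it.

```python
import re
import subprocess

# Added example, not the NaSMail plugin's own code: build the parameter
# block that "gpg --batch --gen-key" reads from stdin (format described
# above) and refuse values that could smuggle an extra parameter or a
# %control line into it.

_EXPIRE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d+[dwmy]?)$")  # 0, ISO date or <n>[d|w|m|y]


def _check_field(name, value, strip=True):
    """Reject anything that would break the one-parameter-per-line format.

    The file is line-oriented, so a newline inside e.g. Name-Real would let
    the caller start a line of their own ("%commit", a second "Passphrase:").
    """
    if not isinstance(value, str):
        raise ValueError(f"{name}: must be a string")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError(f"{name}: control characters are not allowed")
    if strip:
        value = value.strip()
    if len(value.encode("utf-8")) > 900:  # lines are limited to about 1000 chars
        raise ValueError(f"{name}: too long for one parameter line")
    return value


def build_genkey_params(real_name, email, passphrase, comment="",
                        keylength=1024, expiredate="0"):
    """Return the text to feed to gpg on stdin.

    gpg itself still rejects key sizes the chosen algorithm does not support.
    """
    if not isinstance(keylength, int) or not 1024 <= keylength <= 4096:
        raise ValueError("keylength must be an integer between 1024 and 4096")
    expiredate = str(expiredate)
    if not _EXPIRE_RE.match(expiredate):
        raise ValueError("expiredate must be 0, YYYY-MM-DD or <n>[d|w|m|y]")
    real_name = _check_field("Name-Real", real_name)
    email = _check_field("Name-Email", email)
    if "@" not in email or " " in email:
        raise ValueError("Name-Email: not an e-mail address")
    comment = _check_field("Name-Comment", comment)
    passphrase = _check_field("Passphrase", passphrase, strip=False)

    lines = [
        "%echo Generating a standard key",
        "Key-Type: DSA",              # Key-Type must be the first parameter
        f"Key-Length: {keylength}",
        "Subkey-Type: ELG-E",
        f"Subkey-Length: {keylength}",
        f"Name-Real: {real_name}",
    ]
    if comment:
        lines.append(f"Name-Comment: {comment}")
    lines.append(f"Name-Email: {email}")
    lines.append(f"Expire-Date: {expiredate}")
    if passphrase:                    # gpg's default is no passphrase
        lines.append(f"Passphrase: {passphrase}")
    lines.append("Preferences: S2 S7 S3 H2 H3 Z2 Z1")  # PGP-compatible prefs from the page
    lines += ["%commit", "%echo done"]
    return "\n".join(lines) + "\n"


def run_genkey(params, gpg_home):
    """Pipe the block to gpg (mirrors the plugin's pipeline).

    argv is passed as a list, so gpg_home is never interpolated into a shell
    command line the way $gpg_key_dir is in the echo | gpg form above.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--gen-key", "--armor", "--homedir", gpg_home],
        input=params.encode("utf-8"), capture_output=True)
    return (proc.returncode,
            proc.stdout.decode("utf-8", "replace"),
            proc.stderr.decode("utf-8", "replace"))


if __name__ == "__main__":
    print(build_genkey_params("Joe Tester", "joe@foo.bar", "abc",
                              comment="with stupid passphrase", expiredate="1y"))
```

The point of _check_field is that the parameter file is line-oriented: a newline in any user-supplied field becomes an extra parameter or control line, so the fields are rejected rather than escaped.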
gpg_keyserver_findkey (line 155)

This function will search for keys on a public keyserver

Ideally, we would use a command like: gpg --keyserver wwwkeys.pgp.net --search-keys brian@braverock.com

BUT: this command is interactive, expecting input, and I can't find anything about using it in batch mode. If you try --batch you get:

    gpg: Sorry, we are in batchmode - can't get input

so we would have to use a cycle to get the output and parse it, then use the GnuPG::importKey_server function.

SO: until we figure out how to parse the HKP output, or use the LDAP interface

We will first take an email address or keyid $search_keyid and look on the keyserver using http, like this:

    http://pgp.mit.edu:11371/pks/lookup?op=index&search=$search_keyid
    http://stinkfoot.org:11371/pks/lookup?op=index&search=$search_keyid
    http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=$search_keyid
    http://wwwkeys.eu.pgp.net:11371/pks/lookup?op=index&search=$search_keyid

Then, we will parse the output, and place it in an array for display and selection.

Information on public keyservers may be found at

http://www.vcnet.com/~rossde/pgp_keyserv.html

Finally, we will return an array of the key(s) to the interface so the user may select one or more for import.

It would be nice to use the HKP or LDAP interfaces too, but this will work for now.

  • deprecated: Use GnuPG::searchKey_server()
  • todo: Move http://$keyserver lookups to GnuPG::searchKey_server()
array gpg_keyserver_findkey (string $search_keyid)
  • string $search_keyid
gpg_list_keys (line 33)

This function is the generic key lister for the plugin; it is used for trusted_key operations as well as key signing.

Add switches to this function to modify the gpg command line

The format of the --with-colons parameter is described in detail in the file named DETAILS in the gpg distribution.

  • return: string with the gpg output; parse the string in the UI.
string gpg_list_keys (string $search_string, [optional $with_colons = false], [optional $keyring_type = 'public'], [optional $with_fingerprint = false])
  • string $search_string
  • optional $with_colons: boolean $with_colons
  • optional $keyring_type: enum $keyring_type
  • optional $with_fingerprint: boolean $with_fingerprint
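As an added example (Python, not the plugin's own PHP code), here is a parser for the --with-colons output that gpg_list_keys() returns, following the field layout given in DETAILS, together with the check a UI should make before offering a listed key for encryption or signing: the validity letter (revoked, expired, disabled), the Expire-Date, and the key capabilities. The sample listing is constructed for the example, and parse_with_colons and usable_for are this example's own names.

```python
import re
from datetime import date, datetime, timezone

# Added example, not the NaSMail plugin's own code: parse the
# machine-readable output of "gpg --with-colons --list-keys" into one
# dict per key, then filter to the keys a UI may still offer.

# 0-based field positions shared by pub/sec/sub/ssb/uid/fpr records (DETAILS).
F_TYPE, F_VALIDITY, F_LENGTH, F_ALGO, F_KEYID, F_CREATED, F_EXPIRES = range(7)
F_UID = 9    # user ID text in uid records, fingerprint in fpr records
F_CAPS = 11  # key capabilities: e, s, c, a (upper case = whole key)

ALGO_NAMES = {1: "RSA", 16: "ELG-E", 17: "DSA", 20: "ELG"}
UNUSABLE = set("eridn")  # expired, revoked, invalid, disabled, never trust


def _unescape(field):
    # gpg writes a colon inside a field as \x3a (other bytes likewise)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def _parse_date(field):
    """Dates appear as YYYY-MM-DD (older gpg) or as epoch seconds (newer gpg)."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), timezone.utc).date()
    return datetime.strptime(field, "%Y-%m-%d").date()


def _key_fields(f):
    return {
        "validity": f[F_VALIDITY],
        "length": int(f[F_LENGTH]) if f[F_LENGTH] else None,
        "algo": ALGO_NAMES.get(int(f[F_ALGO]), f[F_ALGO]) if f[F_ALGO] else None,
        "keyid": f[F_KEYID],
        "created": _parse_date(f[F_CREATED]),
        "expires": _parse_date(f[F_EXPIRES]),
        "caps": f[F_CAPS],
        "fingerprint": None,
    }


def parse_with_colons(text):
    keys, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = raw.split(":")
        f += [""] * (13 - len(f))          # tolerate short records
        rtype = f[F_TYPE]
        if rtype in ("pub", "sec"):
            current = dict(_key_fields(f), secret=(rtype == "sec"), uids=[], subkeys=[])
            keys.append(current)
        elif current is None:
            continue                       # tru and other records before the first key
        elif rtype == "fpr":               # belongs to the most recent pub/sub record
            target = current["subkeys"][-1] if current["subkeys"] else current
            target["fingerprint"] = f[F_UID]
        elif rtype == "uid":
            current["uids"].append({"validity": f[F_VALIDITY], "uid": _unescape(f[F_UID])})
        elif rtype in ("sub", "ssb"):
            current["subkeys"].append(_key_fields(f))
    return keys


def usable_for(keys, capability, today=None):
    """Keys a UI may offer for capability 'e' (encrypt) or 's' (sign)."""
    if today is None:
        today = datetime.now(timezone.utc).date()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    out = []
    for k in keys:
        if k["validity"] in UNUSABLE or (k["expires"] and k["expires"] < today):
            continue
        caps = set(k["caps"].lower())
        for s in k["subkeys"]:
            if s["validity"] not in UNUSABLE and not (s["expires"] and s["expires"] < today):
                caps |= set(s["caps"].lower())
        if capability in caps:
            out.append(k)
    return out


# Constructed sample listing (raw string so the \x3a escape stays literal).
SAMPLE = r"""tru::1:1258900000:0:3:1:5
pub:u:1024:17:1122334455667788:2007-10-22:2010-10-21::u:::scaESCA:
fpr:::::::::0011223344556677889900AABBCCDDEEFF001122:
uid:u::::2007-10-22::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Joe Tester (test key\x3a ok) <joe@foo.bar>:
sub:u:2048:16:8877665544332211:2007-10-22::::::e:
pub:r:1024:17:99AABBCCDDEEFF00:2003-05-01:::-:::sca:
uid:r::::2003-05-01::0123456789ABCDEF0123456789ABCDEF01234567::Revoked Person <revoked@example.org>:
pub:e:1024:17:0F0E0D0C0B0A0908:2002-01-01:2004-01-01::-:::scaESCA:
uid:e::::2002-01-01::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Expired Person <expired@example.org>:
sub:e:1024:16:0807060504030201:2002-01-01:2004-01-01:::::e:
"""

if __name__ == "__main__":
    for k in usable_for(parse_with_colons(SAMPLE), "e", today="2009-11-22"):
        print(k["keyid"], k["algo"], k["uids"][0]["uid"])
```

Filtering on the validity letter and Expire-Date is what keeps a revoked or expired key out of the trusted_key and signing selections; parsing the text with --with-colons rather than the human-readable listing is what makes that check reliable.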

Documentation generated on Sun, 22 Nov 2009 17:36:40 +0200 by phpDocumentor 1.4.3