Commits

Kristian Fiskerstrand committed 892a4c2

Working key expiry in MR

  • Participants
  • Parent commits 61c0b0b

Comments (0)

Files changed (3)

KeyExpirationTime

+# HG changeset patch
+# Parent f11212b6e1657e41211139f1169a3680361c6b3b
+
+diff -r f11212b6e165 common.ml
+--- a/common.ml	Sun Oct 07 22:12:46 2012 +0200
++++ b/common.ml	Sun Oct 21 00:43:03 2012 +0200
+@@ -44,7 +44,7 @@
+ let enforced_filters = ["yminsky.dedup"]
+ 
+ let version_tuple = (__VERSION__)
+-let version_suffix = "" (* + for development branch *)
++let version_suffix = "+" (* + for development branch *)
+ let compatible_version_tuple = (0,1,5)
+ let version =
+   let (maj_version,min_version,release) = version_tuple in
+diff -r f11212b6e165 mRindex.ml
+--- a/mRindex.ml	Sun Oct 07 22:12:46 2012 +0200
++++ b/mRindex.ml	Sun Oct 21 00:43:03 2012 +0200
+@@ -94,6 +94,26 @@
+   sprintf "uid:%s:%s:%s:"
+     uid_string (time_to_string ctime) (time_to_string exptime)
+ 
++let get_key_expiration_from_uid keyid sigs = 
++  let sigs = get_self_sigs keyid sigs in
++  let times = List.map ~f:ParsePGP.get_key_exptimes sigs in
++  let (ctime,exptime) =
++    List.fold_left ~init:(None,None) ~f:(fun (cmax,emax) (cr,ex) -> if cr > cmax then (cr, ex) else (cmax, emax)) times in
++  (ctime,exptime)
++   
++let key_expiration_from_uids keyid pk_ctime uids =
++ let expir = List.map ~f:(fun (uid,sigs) ->
++      match uid.packet_type with
++          User_ID_Packet -> get_key_expiration_from_uid keyid sigs
++        | _ -> (None, None)
++      ) uids in
++  let (ctime, exptime) = 
++     List.fold_left ~init:(None,None) ~f:(fun (cmax,emax) (cr,ex) -> if cr > cmax then (cr, ex) else (cmax, emax)) expir
++  in
++  match exptime with 
++   | Some x -> x
++   | None -> Int64.zero
++
+ (** number of seconds in a day *)
+ let daysecs = Int64.of_int (60 * 60 * 24)
+ 
+@@ -104,18 +124,22 @@
+   let key_packet = pkey.KeyMerge.key in
+   let pki = ParsePGP.parse_pubkey_info key_packet in
+   let uids = pkey.KeyMerge.uids in
+-  let exp_string = match pki.pk_expiration with
++  (*let exp_string = match pki.pk_expiration with
+     | None -> ""
+     | Some 0 -> "-"
+     | Some days -> sprintf "%Ld"
+         (Int64.add pki.pk_ctime (Int64.mul daysecs (Int64.of_int days)))
++  in*)
++  let key_expiry = key_expiration_from_uids full_keyid pki.pk_ctime uids 
++  in
++   let key_expiry_string = sprintf "%Ld" key_expiry (* This has to be updated to reflect possible expiry in direct key expir *)
+   in
+   let key_line = sprintf "pub:%s:%d:%d:%Ld:%s:%s"
+                    keyid
+                    pki.pk_alg
+                    pki.pk_keylen
+                    pki.pk_ctime
+-                   exp_string
++                   key_expiry_string
+                    (if (Index.is_revoked key) then "r" else "")
+   in
+   let uid_lines =
+diff -r f11212b6e165 parsePGP.ml
+--- a/parsePGP.ml	Sun Oct 07 22:12:46 2012 +0200
++++ b/parsePGP.ml	Sun Oct 21 00:43:03 2012 +0200
+@@ -308,6 +308,7 @@
+ 
+ let ssp_ctime_id = 2
+ let ssp_exptime_id = 3
++let ssp_keyexptime_id = 9
+ 
+ let int32_of_string s =
+   let cin = new Channel.string_in_channel s 0 in
+@@ -317,6 +318,28 @@
+   let cin = new Channel.string_in_channel s 0 in
+   cin#read_int64_size (String.length s)
+ 
++let get_key_exptimes sign = match sign with
++  | V3sig sign ->
++      (Some sign.v3s_ctime, None)
++  | V4sig sign ->
++      let hashed_subpackets = sign.v4s_hashed_subpackets in
++      let (ctime,exptime_delta) =
++        List.fold_left hashed_subpackets ~init:(None,None)
++          ~f:(fun (ctime,exptime) ssp ->
++                if ssp.ssp_type = ssp_ctime_id && ssp.ssp_length = 4 then
++                  (Some (int64_of_string ssp.ssp_body),exptime)
++                else if ssp.ssp_type = ssp_keyexptime_id && ssp.ssp_length = 4 then
++                  (ctime,Some (int64_of_string ssp.ssp_body))
++                else
++                  (ctime,exptime)
++             )
++      in
++      match (ctime,exptime_delta) with
++        | (Some x,None) -> (Some x,None)
++        | (None,_) -> (None,None)
++        | (Some x,Some y) -> (Some x,Some y)
++
++
+ let get_times sign = match sign with
+   | V3sig sign ->
+       (Some sign.v3s_ctime, None)

RELEASE-1.1.4

-# HG changeset patch
-# Parent 889cf11ee8dc29e3afe0bd106f6733bb7d83f9e1
-
-diff -r 889cf11ee8dc ANNOUNCEMENT
---- /dev/null	Thu Jan 01 00:00:00 1970 +0000
-+++ b/ANNOUNCEMENT	Sun Oct 07 21:52:54 2012 +0200
-@@ -0,0 +1,137 @@
-+We are pleased to announce the availability of a new stable SKS
-+release:  Version 1.1.4.
-+
-+SKS is an OpenPGP keyserver whose goal is to provide easy to deploy,
-+decentralized, and highly reliable synchronization. That means that a
-+key submitted to one SKS server will quickly be distributed to all key
-+servers, and even wildly out-of-date servers, or servers that experience
-+spotty connectivity, can fully synchronize with rest of the system.
-+
-+What's New in 1.1.4
-+====================
-+  - Fix X-HKP-Results-Count so that limit=0 returns no results, but include
-+    the header, to let a client poll for how many results exist, without
-+    retrieving any. Submitted by Phil Pennock. See:
-+    http://lists.nongnu.org/archive/html/sks-devel/2010-11/msg00015.html
-+  - Add UPGRADING document to explain upgrading Berkeley DB without
-+    rebuilding. System bdb versions often change with new SKS releases
-+    for .deb and .rpm distros.
-+  - Cleanup build errors for bdb/bdb_stubs.c. Patch from Mike Doty
-+  - Update cryptokit from version 1.0 to 1.5 without requiring OASIS
-+    build system or other additional dependencies
-+  - build, fastbuild, & pbuild fixed to ignore signals USR1 and USR2
-+  - common.ml and reconSC.ml were using different values for minumimum
-+    compatible version. This has been fixed.
-+  - Added new server mime-types, and trying another default document (Issue 6)
-+    In addition to the new MIME types added in 1.1.[23], the server now
-+    looks over a list and and serves the first index file that it finds
-+    Current list: index.html, index.htm, index.xhtml, index.xhtm, index.xml.
-+  - options=mr now works on get as well as (v)index operations. This is
-+    described in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
-+    sections 3.2.1.1. and 5.1.
-+  - Updated copyright notices in source files
-+  - Added sksclient tool, similar to old pksclient
-+  - Add no-cache instructions to HTTP response (in order for reverse proxies
-+    not to cache the output from SKS)
-+  - Use unique timestamps for keydb to reduce occurrances of Ptree corruption.
-+  - Added Interface specifications (.mli files) for modules that were missing
-+    them
-+  - Yaron pruned some no longer needed source files from the tree.
-+  - Improved the HTTP status and HTTP error codes returned for various
-+    situations and added checks for more error conditions.
-+  - Add a suffix to version (+) indicating non-release or development builds
-+  - Add an option to specify the contact details of the server administrator
-+    that shows in the status page of the server. The information is in the
-+    form of an OpenPGP KeyID and set by server_contact: in sksconf
-+  - Add a `sks version` command to provide information on the setup.
-+  - Added configuration settings for the remaining database table files. If
-+    no pagesize settings are in sksconf, SKS will use 2048 bytes for key
-+    and 512 for ptree. The remainining files' pagesize will be set by BDB
-+    based on the filesystem settings, typically this is 4096 bytes.
-+    See sampleConfig/sksconf.typical for settings recommended by db_tuner.
-+  - Makefile: Added distclean target. Dropped autogenerated file from VCS.
-+  - Allow tuning BDB environment before creation in [fast]build and pbuild.
-+    If DB_CONFIG exists in basedir, copy it to DB dir before DB creation.
-+    Preference is given to DB_CONFIG.KDB and DB_CONFIG.PTree over DB_CONFIG.
-+  - Add support for Elliptic Curve Public keys (ECDSA, ECDH)
-+  - Add check if an upload is a revocation certificate, and if it is, 
-+    produce an error message tailored for this.
-+
-+Note when upgrading from earlier versions of SKS
-+====================
-+The default values for pagesize settings have changed. To continue
-+using an existing DB without rebuilding, explicit settings have to be
-+added to the sksconf file.
-+pagesize:       4
-+ptree_pagesize: 1
-+
-+Getting the Software
-+====================
-+SKS can be downloaded from 
-+https://bitbucket.org/skskeyserver/sks-keyserver
-+
-+Prerequisites
-+====================
-+There are a few prerequisites to building this code.  You need:
-+* ocaml-3.10.2 or later.  Get it from <http://www.ocaml.org>
-+  ocaml-3.12.x is recommended, ocaml-4.x is not recommended at this time
-+* Berkeley DB version 4.6.* or later, whereby 4.8 or later is recommended.  
-+  You can find the appropriate versions at
-+  <http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html>
-+
-+Verifying the integrity of the download
-+====================
-+Releases of SKS are signed using the SKS Keyserver Signing Key
-+available on public keyservers with the KeyID
-+
-+    0x41259773973A612A
-+	
-+and has a fingerprint of
-+
-+    C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.
-+	
-+Using GnuPG, verification can be accomplished by, first, retrieving the signing key using
-+
-+    gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A
-+	
-+followed by verifying that you have the correct key
-+
-+    gpg --keyid-format long --fingerprint 0x41259773973A612A
-+
-+should produce:
-+
-+    pub   4096R/41259773973A612A 2012-06-27
-+    Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A
-+		
-+A check should also be made that the key is signed by
-+trustworthy other keys;
-+
-+    gpg --list-sigs 0x41259773973A612A
-+
-+and the fingerprint should be verified through other trustworthy sources.
-+			
-+Once you are certain that you have the correct key downloaded, you can create
-+a local signature, in order to remember that you have verified the key.
-+
-+     gpg --lsign-key 0x41259773973A612A
-+
-+Finally; verifying the downloaded file can be done using
-+
-+    gpg --keyid-format long --verify sks-x.y.z.tgz.asc
-+
-+The resulting output should be similar to
-+	
-+    gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
-+    gpg:                using RSA key 41259773973A612A
-+    gpg: Good signature from "SKS Keyserver Signing Key"
-+
-+
-+Thanks
-+====================
-+We have to thank all the people who helped with this release, by discussions on
-+the mailing list, submitting patches, or opening issues for items that needed
-+our attention.
-+
-+Happy Hacking,
-+
-+  The SKS Team (Yaron, John, Kristian, Phil, and the other contributors)
-diff -r 889cf11ee8dc CHANGELOG
---- a/CHANGELOG	Mon Aug 27 17:43:39 2012 +0200
-+++ b/CHANGELOG	Sun Oct 07 21:52:54 2012 +0200
-@@ -1,4 +1,4 @@
--Trunk
-+1.1.4
-   - Fix X-HKP-Results-Count so that limit=0 returns no results, but include
-     the header, to let a client poll for how many results exist, without
-     retrieving any. Submitted by Phil Pennock. See:
-@@ -44,7 +44,8 @@
-     If DB_CONFIG exists in basedir, copy it to DB dir before DB creation.
-     Preference is given to DB_CONFIG.KDB and DB_CONFIG.PTree over DB_CONFIG.
-   - Add support for Elliptic Curve Public keys (ECDSA, ECDH)
--  - Add check if upload is a revocation certificate, and if it is, produce an error message tailored for this.
-+  - Add check if an upload is a revocation certificate, and if it is, 
-+    produce an error message tailored for this.
-   
- 1.1.3
-   - Makefile fix for 'make dep' if .depend does not exist. Issue #4
-diff -r 889cf11ee8dc VERSION
---- a/VERSION	Mon Aug 27 17:43:39 2012 +0200
-+++ b/VERSION	Sun Oct 07 21:52:54 2012 +0200
-@@ -1,1 +1,1 @@
--1.1.3
-+1.1.4
-diff -r 889cf11ee8dc common.ml
---- a/common.ml	Mon Aug 27 17:43:39 2012 +0200
-+++ b/common.ml	Sun Oct 07 21:52:54 2012 +0200
-@@ -44,7 +44,7 @@
- let enforced_filters = ["yminsky.dedup"]
- 
- let version_tuple = (__VERSION__)
--let version_suffix = "+" (* + for development branch *)
-+let version_suffix = "" (* + for development branch *)
- let compatible_version_tuple = (0,1,5)
- let version =
-   let (maj_version,min_version,release) = version_tuple in
-RELEASE-1.1.4
+KeyExpirationTime
 Use Long KeyID
 SubkeySignature
 # Placed by Bitbucket