From c2f28e4bb4e6bc8a642d0fdc0b09b012042e9724 Mon Sep 17 00:00:00 2001 Message-Id: From: Mark Wooding Date: Thu, 7 Feb 2013 10:27:51 +0000 Subject: [PATCH] keys/: New `check' command to remind about keys about to expire. Organization: Straylight/Edgeware From: Mark Wooding This is version 1.0.0pre12.2. --- debian/changelog | 7 +++++++ keys/tripe-keys.8.in | 12 ++++++++++++ keys/tripe-keys.conf.5.in | 7 +++++++ keys/tripe-keys.in | 23 +++++++++++++++++++++++ 4 files changed, 49 insertions(+) diff --git a/debian/changelog b/debian/changelog index a8608e91..0183dc0a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +tripe (1.0.0pre12.2) experimental; urgency=low + + * New `tripe-keys' command: `check' reports on keys which will expire + soon, so that someone remembers to refresh them. + + -- Mark Wooding Thu, 07 Feb 2013 10:37:01 +0000 + tripe (1.0.0pre12.1) experimental; urgency=low * Extract Wireshark version number from `wireshark-common' rather than diff --git a/keys/tripe-keys.8.in b/keys/tripe-keys.8.in index 146eb7a6..f94f9687 100644 --- a/keys/tripe-keys.8.in +++ b/keys/tripe-keys.8.in @@ -56,6 +56,8 @@ tripe-keys \- simple centralized key management for tripe .br .B "clean" .br +.B "check" +.br .BR "mtu " [ \fIpath-mtu ] . .\"-------------------------------------------------------------------------- @@ -218,6 +220,16 @@ and their associated .B .old files. .TP +.B check +Checks the various keyrings. Currently, it checks the +.B master +and +.B keyring.pub +files, and prints a report warning of keys which will expire soon. It +is expected that this command be run against the master repository by +.BR cron (8). +Additional checking may added in the future. +.TP .BR "mtu " [ \fIpath-mtu ] Write, as a decimal number on standard output, the recommended MTU for a TrIPE tunnel interface, given that the diff --git a/keys/tripe-keys.conf.5.in b/keys/tripe-keys.conf.5.in index 887faf67..468070a9 100644 --- a/keys/tripe-keys.conf.5.in +++ b/keys/tripe-keys.conf.5.in @@ -279,6 +279,13 @@ and .I conf-file Filename for local repository configuration file. Default is .IB basedir /tripe-keys.conf \fR. +.TP +.I kx-warn-days +The +.B "tripe-keys check" +command will warn about keys which will in less than +.I kx-warn-days +days. Default is 28. . .\"-------------------------------------------------------------------------- .SH "SEE ALSO" diff --git a/keys/tripe-keys.in b/keys/tripe-keys.in index 2be5e2dd..ad8671e1 100644 --- a/keys/tripe-keys.in +++ b/keys/tripe-keys.in @@ -33,6 +33,7 @@ import sys as SYS import re as RX import getopt as O import shutil as SH +import time as T import filecmp as FC from cStringIO import StringIO from errno import * @@ -240,6 +241,7 @@ def conf_defaults(): ('kx-param', lambda: {'dh': '-LS -b3072 -B256', 'ec': '-Cnist-p256'}[conf['kx']]), ('kx-expire', 'now + 1 year'), + ('kx-warn-days', '28'), ('cipher', 'rijndael-cbc'), ('hash', 'sha256'), ('master-keygen-flags', '-l'), @@ -493,6 +495,26 @@ def cmd_clean(args): r == 'keyring' or r == 'keyring.pub' or r.startswith('peer-')): zap(i) +###-------------------------------------------------------------------------- +### Commands: check + +def cmd_check(args): + now = T.time() + thresh = int(conf['kx-warn-days']) * 86400 + for krf in ['master', 'keyring.pub']: + if not OS.path.exists(krf): continue + kr = C.KeyFile(krf) + for k in kr.itervalues(): + if k.exptime == C.KEXP_FOREVER: continue + elif k.exptime == C.KEXP_EXPIRE: left = -1 + else: left = k.exptime - now + if left < 0: + print "key `%s' HAS EXPIRED" % k.tag + elif left < thresh: + if left >= 86400: n, u, uu = left // 86400, 'day', 'days' + else: n, u, uu = left // 3600, 'hour', 'hours' + print "key `%s' EXPIRES in %d %s" % (k.tag, n, n == 1 and u or uu) + ###-------------------------------------------------------------------------- ### Commands: mtu @@ -530,6 +552,7 @@ commands = {'help': (cmd_help, 0, 1, ''), 'update': (cmd_update, 0, 0, ''), 'clean': (cmd_clean, 0, 0, ''), 'mtu': (cmd_mtu, 0, 1, '[PATH-MTU]'), + 'check': (cmd_check, 0, 0, ''), 'generate': (cmd_generate, 1, 1, 'TAG'), 'rebuild': (cmd_rebuild, 0, 0, '')} -- [mdw]