[tor-commits] [bridgedb/master] Add crypto.initializeGnuPG() function.
isis at torproject.org
isis at torproject.org
Sat Mar 21 02:03:02 UTC 2015
commit a4fc36eabb00bb47114b8379319d3897a63427ac
Author: Isis Lovecruft <isis at torproject.org>
Date: Sun Feb 22 10:58:04 2015 +0000
Add crypto.initializeGnuPG() function.
This switches BridgeDB to using python-gnupg rather than pygpgme.
* FIXES #10385 https://bugs.torproject.org/10385
---
lib/bridgedb/crypto.py | 79 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/lib/bridgedb/crypto.py b/lib/bridgedb/crypto.py
index a16e45a..6bb5c7d 100644
--- a/lib/bridgedb/crypto.py
+++ b/lib/bridgedb/crypto.py
@@ -41,6 +41,7 @@ Module Overview
from __future__ import absolute_import
from __future__ import unicode_literals
+import gnupg
import hashlib
import hmac
import io
@@ -273,14 +274,92 @@ def removePKCS1Padding(message):
return unpadded
+def initializeGnuPG(config):
+ """Initialize a GnuPG interface and test our configured keys.
+
+ .. note:: This function uses python-gnupg_.
+
+ :type config: :class:`bridgedb.persistent.Conf`
+ :param config: The loaded config file.
+ :rtype: 2-tuple
+ :returns: If ``EMAIL_GPG_SIGNING_ENABLED`` isn't ``True``, or we couldn't
+ initialize GnuPG and make a successful test signature with the
+ specified key, then a 2-tuple of ``None`` is returned. Otherwise, the
+ first item in the tuple is a :class:`gnupg.GPG` interface_ with the
+ GnuPG homedir set to the ``EMAIL_GPG_HOMEDIR`` option and the signing
+ key specified by the ``EMAIL_GPG_SIGNING_KEY_FINGERPRINT`` option in
+ bridgedb.conf set as the default key. The second item in the tuple is
+ a signing function with the passphrase (as specified in either
+ ``EMAIL_GPG_PASSPHRASE`` or ``EMAIL_GPG_PASSPHRASE_FILE``) already
+ set.
+
+ .. _python-gnupg: https://pypi.python.org/pypi/gnupg/
+ .. _interface: https://python-gnupg.readthedocs.org/en/latest/gnupg.html#gnupg-module
+ """
+ ret = (None, None)
+ if not config.EMAIL_GPG_SIGNING_ENABLED:
+ return ret
+ homedir = config.EMAIL_GPG_HOMEDIR
+ primary = config.EMAIL_GPG_PRIMARY_KEY_FINGERPRINT
+ passphrase = config.EMAIL_GPG_PASSPHRASE
+ passFile = config.EMAIL_GPG_PASSPHRASE_FILE
+ logging.info("Using %s as our GnuPG home directory..." % homedir)
+ gpg = gnupg.GPG(homedir=homedir)
+ logging.info("Initialized GnuPG interface using %s binary with version %s."
+ % (gpg.binary, gpg.binary_version))
+ primarySK = None
+ primaryPK = None
+ secrets = gpg.list_keys(secret=True)
+ publics = gpg.list_keys()
+ if not secrets:
+ logging.warn("No secret keys found in %s!" % gpg.secring)
+ return ret
+ primarySK = filter(lambda key: key['fingerprint'] == primary, secrets)
+ primaryPK = filter(lambda key: key['fingerprint'] == primary, publics)
+ if primarySK and primaryPK:
+ logging.info("Found GnuPG primary key with fingerprint: %s" % primary)
+ for sub in primaryPK[0]['subkeys']:
+ logging.info(" Subkey: %s Usage: %s" % (sub[0], sub[1].upper()))
+ else:
+ logging.warn("GnuPG key %s could not be found in %s!" % (primary, gpg.secring))
+ return ret
+
+ if passphrase:
+ logging.info("Read GnuPG passphrase from config.")
+ elif passFile:
+ try:
+ with open(passFile) as fh:
+ passphrase = fh.read()
+ except (IOError, OSError):
+ logging.error("Could not open GnuPG passphrase file: %s!" % passFile)
+ else:
+ logging.info("Read GnuPG passphrase from file: %s" % passFile)
+ def gpgSignMessage(message):
+ """Sign **message** with the default key specified by
+ ``EMAIL_GPG_PRIMARY_KEY_FINGERPRINT``.
+
+ :param str message: A message to sign.
+ :rtype: str or ``None``.
+ :returns: A string containing the clearsigned message, or ``None`` if
+ the signing failed.
+ """
+ sig = gpg.sign(message, default_key=primary, passphrase=passphrase)
+ if sig and sig.data:
+ return sig.data
+
+ logging.debug("Testing signature created with GnuPG key...")
+ sig = gpgSignMessage("Testing 1 2 3")
+ if sig:
+ logging.info("Test signature with GnuPG key %s okay:\n%s" % (primary, sig))
+ return (gpg, gpgSignMessage)
class SSLVerifyingContextFactory(ssl.CertificateOptions):
More information about the tor-commits
mailing list