Diffstat (limited to 'src/leap/bitmask/keymanager')
-rw-r--r--src/leap/bitmask/keymanager/__init__.py35
-rw-r--r--src/leap/bitmask/keymanager/nicknym.py23
-rw-r--r--src/leap/bitmask/keymanager/refresher.py17
3 files changed, 33 insertions, 42 deletions
diff --git a/src/leap/bitmask/keymanager/__init__.py b/src/leap/bitmask/keymanager/__init__.py
index bc0c2185..45b7e582 100644
--- a/src/leap/bitmask/keymanager/__init__.py
+++ b/src/leap/bitmask/keymanager/__init__.py
@@ -18,16 +18,12 @@
Key Manager is a Nicknym agent for LEAP client.
"""
import fileinput
-import json
-import sys
import tempfile
from urlparse import urlparse
from twisted.logger import Logger
from twisted.internet import defer, task, reactor
-from twisted.web import client
-from twisted.web._responses import NOT_FOUND
from leap.common import ca_bundle
from leap.common.http import HTTPClient
@@ -49,9 +45,6 @@ class KeyManager(object):
log = Logger()
- OPENPGP_KEY = 'openpgp'
- PUBKEY_KEY = "user[public_key]"
-
def __init__(self, address, nickserver_uri, soledad, token=None,
ca_cert_path=None, api_uri=None, api_version=None, uid=None,
gpgbinary=None, combined_ca_bundle=None):
@@ -203,23 +196,17 @@ class KeyManager(object):
:rtype: Deferred
"""
- server_keys = yield self._nicknym.fetch_key_with_address(address)
-
- # insert keys in local database
- if self.OPENPGP_KEY in server_keys:
- # nicknym server is authoritative for its own domain,
- # for other domains the key might come from key servers.
- validation_level = ValidationLevels.Weak_Chain
- _, domain = _split_email(address)
- if (domain == _get_domain(self._nickserver_uri)):
- validation_level = ValidationLevels.Provider_Trust
-
- yield self.put_raw_key(
- server_keys[self.OPENPGP_KEY],
- address=address,
- validation=validation_level)
- else:
- raise KeyNotFound("No openpgp key found")
+ raw_key = yield self._nicknym.fetch_key_with_address(address)
+
+ # nicknym server is authoritative for its own domain,
+ # for other domains the key might come from key servers.
+ validation_level = ValidationLevels.Weak_Chain
+ _, domain = _split_email(address)
+ if (domain == _get_domain(self._nickserver_uri)):
+ validation_level = ValidationLevels.Provider_Trust
+
+ yield self.put_raw_key(
+ raw_key, address=address, validation=validation_level)
def get_key(self, address, private=False, fetch_remote=True):
"""
diff --git a/src/leap/bitmask/keymanager/nicknym.py b/src/leap/bitmask/keymanager/nicknym.py
index cbc4e25d..5342a7e4 100644
--- a/src/leap/bitmask/keymanager/nicknym.py
+++ b/src/leap/bitmask/keymanager/nicknym.py
@@ -38,6 +38,7 @@ class Nicknym(object):
log = Logger()
+ OPENPGP_KEY = 'openpgp'
PUBKEY_KEY = "user[public_key]"
def __init__(self, nickserver_uri, ca_cert_path, token):
@@ -99,12 +100,13 @@ class Nicknym(object):
:param uri: The URI of the request.
:type uri: str
- :return: A deferred that will be fired with GET content as json (dict)
+ :return: A deferred that will be fired with GET content as raw key str
:rtype: Deferred
"""
try:
content = yield self._fetch_and_handle_404_from_nicknym(uri)
json_content = json.loads(content)
+ key = json_content[self.OPENPGP_KEY]
except KeyNotFound:
raise
except IOError as e:
@@ -114,15 +116,12 @@ class Nicknym(object):
except ValueError as v:
self.log.warn('Invalid JSON data from key: %s' % (uri,))
raise KeyNotFound(v.message + ' - ' + uri), None, sys.exc_info()[2]
+ except KeyError:
+ raise KeyNotFound("No openpgp key found")
except Exception as e:
self.log.warn('Error retrieving key: %r' % (e,))
raise KeyNotFound(e.message), None, sys.exc_info()[2]
- # Responses are now text/plain, although it's json anyway, but
- # this will fail when it shouldn't
- # leap_assert(
- # res.headers['content-type'].startswith('application/json'),
- # 'Content-type is not JSON.')
- defer.returnValue(json_content)
+ defer.returnValue(key)
def _fetch_and_handle_404_from_nicknym(self, uri):
"""
@@ -166,9 +165,8 @@ class Nicknym(object):
:param address: The address bound to the keys.
:type address: str
- :return: A Deferred which fires when the key is in the storage,
- or which fails with KeyNotFound if the key was not found on
- nickserver.
+ :return: A Deferred with the raw key, or which fails with KeyNotFound
+ if the key was not found on nickserver.
:rtype: Deferred
"""
@@ -183,9 +181,8 @@ class Nicknym(object):
:param fingerprint: The fingerprint bound to the keys.
:type fingerprint: str
- :return: A Deferred which fires when the key is in the storage,
- or which fails with KeyNotFound if the key was not found on
- nickserver.
+ :return: A Deferred with the raw key, or which fails with KeyNotFound
+ if the key was not found on nickserver.
:rtype: Deferred
"""
diff --git a/src/leap/bitmask/keymanager/refresher.py b/src/leap/bitmask/keymanager/refresher.py
index d89a7508..9ccc81e1 100644
--- a/src/leap/bitmask/keymanager/refresher.py
+++ b/src/leap/bitmask/keymanager/refresher.py
@@ -106,17 +106,24 @@ class RandomRefreshPublicKey(object):
if old_key is None:
defer.returnValue(None)
- old_updated_key = yield self._keymanger._nicknym.\
+ updated_key_data = yield self._keymanger._nicknym.\
fetch_key_with_fingerprint(old_key.fingerprint)
+ updated_key, _ = self._openpgp.parse_key(updated_key_data,
+ old_key.address)
- if old_updated_key.fingerprint != old_key.fingerprint:
+ if updated_key.fingerprint != old_key.fingerprint:
self.log.error(
ERROR_UNEQUAL_FINGERPRINTS % (
- old_key.fingerprint, old_updated_key.fingerprint))
+ old_key.fingerprint, updated_key.fingerprint))
defer.returnValue(None)
- yield self._maybe_unactivate_key(old_updated_key)
- yield self._openpgp.put_key(old_updated_key)
+ updated_key.validation = old_key.validation
+ updated_key.last_audited_at = old_key.last_audited_at
+ updated_key.encr_used = old_key.encr_used
+ updated_key.sign_used = old_key.sign_used
+
+ yield self._maybe_unactivate_key(updated_key)
+ yield self._openpgp.put_key(updated_key)
# No new fetch by address needed, bc that will happen before sending an
# email could be discussed since fetching before sending an email
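Review bot: The four assignments copying `validation`, `last_audited_at`, `encr_used` and `sign_used` from `old_key` onto `updated_key` carry local state across the refresh without a comment saying why, so a maintainer could drop one of them and silently reset a key's trust level. Add above them `# parse_key builds a fresh key object from server data; keep the locally tracked validation/audit/usage state so a refresh cannot change trust or usage flags`. The fingerprint comparison only runs after `parse_key` has processed the server-supplied data, and nothing in the hunk handles a parse failure — whether the caller expects that exception is not visible here. The enclosing method starts before and continues after the hunk.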