123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853 |
- <?php
-
- /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
-
- /**
- * Contains a class implementing automatic pinentry for gpg-agent
- *
- * PHP version 5
- *
- * LICENSE:
- *
- * This library is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of the
- * License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, see
- * <http://www.gnu.org/licenses/>
- *
- * @category Encryption
- * @package Crypt_GPG
- * @author Michael Gauthier <mike@silverorange.com>
- * @copyright 2013 silverorange
- * @license http://www.gnu.org/copyleft/lesser.html LGPL License 2.1
- * @link http://pear.php.net/package/Crypt_GPG
- */
-
- /**
- * CLI user-interface and parser.
- */
- require_once 'Console/CommandLine.php';
-
- // {{{ class Crypt_GPG_PinEntry
-
- /**
- * A command-line dummy pinentry program for use with gpg-agent and Crypt_GPG
- *
- * This pinentry receives passphrases through en environment variable and
- * automatically enters the PIN in response to gpg-agent requests. No user-
- * interaction required.
- *
- * The pinentry can be run independently for testing and debugging with the
- * following syntax:
- *
- * <pre>
- * Usage:
- * crypt-gpg-pinentry [options]
- *
- * Options:
- * -l log, --log=log Optional location to log pinentry activity.
- * -v, --verbose Sets verbosity level. Use multiples for more detail
- * (e.g. "-vv").
- * -h, --help show this help message and exit
- * --version show the program version and exit
- * </pre>
- *
- * @category Encryption
- * @package Crypt_GPG
- * @author Michael Gauthier <mike@silverorange.com>
- * @copyright 2013 silverorange
- * @license http://www.gnu.org/copyleft/lesser.html LGPL License 2.1
- * @link http://pear.php.net/package/Crypt_GPG
- * @see Crypt_GPG::getKeys()
- */
- class Crypt_GPG_PinEntry
- {
- // {{{ class constants
-
- /**
- * Verbosity level for showing no output.
- */
- const VERBOSITY_NONE = 0;
-
- /**
- * Verbosity level for showing error output.
- */
- const VERBOSITY_ERRORS = 1;
-
- /**
- * Verbosity level for showing all output, including Assuan protocol
- * messages.
- */
- const VERBOSITY_ALL = 2;
-
- /**
- * Length of buffer for reading lines from the Assuan server.
- *
- * PHP reads 8192 bytes. If this is set to less than 8192, PHP reads 8192
- * and buffers the rest so we might as well just read 8192.
- *
- * Using values other than 8192 also triggers PHP bugs.
- *
- * @see http://bugs.php.net/bug.php?id=35224
- */
- const CHUNK_SIZE = 8192;
-
- // }}}
- // {{{ protected properties
-
- /**
- * File handle for the input stream
- *
- * @var resource
- */
- protected $stdin = null;
-
- /**
- * File handle for the output stream
- *
- * @var resource
- */
- protected $stdout = null;
-
- /**
- * File handle for the log file if a log file is used
- *
- * @var resource
- */
- protected $logFile = null;
-
- /**
- * Whether or not this pinentry is finished and is exiting
- *
- * @var boolean
- */
- protected $moribund = false;
-
- /**
- * Verbosity level
- *
- * One of:
- * - {@link Crypt_GPG_PinEntry::VERBOSITY_NONE},
- * - {@link Crypt_GPG_PinEntry::VERBOSITY_ERRORS}, or
- * - {@link Crypt_GPG_PinEntry::VERBOSITY_ALL}
- *
- * @var integer
- */
- protected $verbosity = self::VERBOSITY_NONE;
-
- /**
- * The command-line interface parser for this pinentry
- *
- * @var Console_CommandLine
- *
- * @see Crypt_GPG_PinEntry::getParser()
- */
- protected $parser = null;
-
- /**
- * PINs to be entered by this pinentry
- *
- * An indexed array of associative arrays in the form:
- * <code>
- * <?php
- * array(
- * array(
- * 'keyId' => $keyId,
- * 'passphrase' => $passphrase
- * ),
- * ...
- * );
- * ?>
- * </code>
- *
- * This array is parsed from the environment variable
- * <kbd>PINENTRY_USER_DATA</kbd>.
- *
- * @var array
- *
- * @see Crypt_GPG_PinEntry::initPinsFromENV()
- */
- protected $pins = array();
-
- /**
- * The PIN currently being requested by the Assuan server
- *
- * If set, this is an associative array in the form:
- * <code>
- * <?php
- * array(
- * 'keyId' => $shortKeyId,
- * 'userId' => $userIdString
- * );
- * ?>
- * </code>
- *
- * @var array|null
- */
- protected $currentPin = null;
-
- // }}}
- // {{{ __invoke()
-
- /**
- * Runs this pinentry
- *
- * @return void
- */
- public function __invoke()
- {
- $this->parser = $this->getCommandLineParser();
-
- try {
- $result = $this->parser->parse();
-
- $this->setVerbosity($result->options['verbose']);
- $this->setLogFilename($result->options['log']);
-
- $this->connect();
- $this->initPinsFromENV();
-
- while (($line = fgets($this->stdin, self::CHUNK_SIZE)) !== false) {
- $this->parseCommand(mb_substr($line, 0, -1, '8bit'));
- if ($this->moribund) {
- break;
- }
- }
-
- $this->disconnect();
-
- } catch (Console_CommandLineException $e) {
- $this->log($e->getMessage() . PHP_EOL, slf::VERBOSITY_ERRORS);
- exit(1);
- } catch (Exception $e) {
- $this->log($e->getMessage() . PHP_EOL, self::VERBOSITY_ERRORS);
- $this->log($e->getTraceAsString() . PHP_EOL, self::VERBOSITY_ERRORS);
- exit(1);
- }
- }
-
- // }}}
- // {{{ setVerbosity()
-
- /**
- * Sets the verbosity of logging for this pinentry
- *
- * Verbosity levels are:
- *
- * - {@link Crypt_GPG_PinEntry::VERBOSITY_NONE} - no logging.
- * - {@link Crypt_GPG_PinEntry::VERBOSITY_ERRORS} - log errors only.
- * - {@link Crypt_GPG_PinEntry::VERBOSITY_ALL} - log everything, including
- * the assuan protocol.
- *
- * @param integer $verbosity the level of verbosity of this pinentry.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- public function setVerbosity($verbosity)
- {
- $this->verbosity = (integer)$verbosity;
- return $this;
- }
-
- // }}}
- // {{{ setLogFilename()
-
- /**
- * Sets the log file location
- *
- * @param string $filename the new log filename to use. If an empty string
- * is used, file-based logging is disabled.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- public function setLogFilename($filename)
- {
- if (is_resource($this->logFile)) {
- fflush($this->logFile);
- fclose($this->logFile);
- $this->logFile = null;
- }
-
- if ($filename != '') {
- if (($this->logFile = fopen($filename, 'w')) === false) {
- $this->log(
- 'Unable to open log file "' . $filename . '" '
- . 'for writing.' . PHP_EOL,
- self::VERBOSITY_ERRORS
- );
- exit(1);
- } else {
- stream_set_write_buffer($this->logFile, 0);
- }
- }
-
- return $this;
- }
-
- // }}}
- // {{{ getUIXML()
-
- /**
- * Gets the CLI user-interface definition for this pinentry
- *
- * Detects whether or not this package is PEAR-installed and appropriately
- * locates the XML UI definition.
- *
- * @return string the location of the CLI user-interface definition XML.
- */
- protected function getUIXML()
- {
- // Find PinEntry config depending on the way how the package is installed
- $ds = DIRECTORY_SEPARATOR;
- $root = __DIR__ . $ds . '..' . $ds . '..' . $ds;
- $paths = array(
- '@data-dir@' . $ds . '@package-name@' . $ds . 'data', // PEAR
- $root . 'data', // Git
- $root . 'data' . $ds . 'Crypt_GPG' . $ds . 'data', // Composer
- );
-
- foreach ($paths as $path) {
- if (file_exists($path . $ds . 'pinentry-cli.xml')) {
- return $path . $ds . 'pinentry-cli.xml';
- }
- }
- }
-
- // }}}
- // {{{ getCommandLineParser()
-
- /**
- * Gets the CLI parser for this pinentry
- *
- * @return Console_CommandLine the CLI parser for this pinentry.
- */
- protected function getCommandLineParser()
- {
- return Console_CommandLine::fromXmlFile($this->getUIXML());
- }
-
- // }}}
- // {{{ log()
-
- /**
- * Logs a message at the specified verbosity level
- *
- * If a log file is used, the message is written to the log. Otherwise,
- * the message is sent to STDERR.
- *
- * @param string $data the message to log.
- * @param integer $level the verbosity level above which the message should
- * be logged.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function log($data, $level)
- {
- if ($this->verbosity >= $level) {
- if (is_resource($this->logFile)) {
- fwrite($this->logFile, $data);
- fflush($this->logFile);
- } else {
- $this->parser->outputter->stderr($data);
- }
- }
-
- return $this;
- }
-
- // }}}
- // {{{ connect()
-
- /**
- * Connects this pinentry to the assuan server
- *
- * Opens I/O streams and sends initial handshake.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function connect()
- {
- // Binary operations will not work on Windows with PHP < 5.2.6.
- $rb = (version_compare(PHP_VERSION, '5.2.6') < 0) ? 'r' : 'rb';
- $wb = (version_compare(PHP_VERSION, '5.2.6') < 0) ? 'w' : 'wb';
-
- $this->stdin = fopen('php://stdin', $rb);
- $this->stdout = fopen('php://stdout', $wb);
-
- if (function_exists('stream_set_read_buffer')) {
- stream_set_read_buffer($this->stdin, 0);
- }
- stream_set_write_buffer($this->stdout, 0);
-
- // initial handshake
- $this->send($this->getOK('Crypt_GPG pinentry ready and waiting'));
-
- return $this;
- }
-
- // }}}
- // {{{ parseCommand()
-
- /**
- * Parses an assuan command and performs the appropriate action
- *
- * Documentation of the assuan commands for pinentry is limited to
- * non-existent. Most of these commands were taken from the C source code
- * to gpg-agent and pinentry.
- *
- * Additional context was provided by using strace -f when calling the
- * gpg-agent.
- *
- * @param string $line the assuan command line to parse
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function parseCommand($line)
- {
- $this->log('<- ' . $line . PHP_EOL, self::VERBOSITY_ALL);
-
- $parts = explode(' ', $line, 2);
-
- $command = $parts[0];
-
- if (count($parts) === 2) {
- $data = $parts[1];
- } else {
- $data = null;
- }
-
- switch ($command) {
- case 'SETDESC':
- return $this->sendSetDescription($data);
-
- case 'MESSAGE':
- return $this->sendMessage();
-
- case 'CONFIRM':
- return $this->sendConfirm();
-
- case 'GETINFO':
- return $this->sendGetInfo($data);
-
- case 'GETPIN':
- return $this->sendGetPin($data);
-
- case 'RESET':
- return $this->sendReset();
-
- case 'BYE':
- return $this->sendBye();
-
- default:
- return $this->sendNotImplementedOK();
- }
- }
-
- // }}}
- // {{{ initPinsFromENV()
-
- /**
- * Initializes the PINs to be entered by this pinentry from the environment
- * variable PINENTRY_USER_DATA
- *
- * The PINs are parsed from a JSON-encoded string.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function initPinsFromENV()
- {
- if (($userData = getenv('PINENTRY_USER_DATA')) !== false) {
- $pins = json_decode($userData, true);
- if ($pins === null) {
- $this->log(
- '-- failed to parse user data' . PHP_EOL,
- self::VERBOSITY_ERRORS
- );
- } else {
- $this->pins = $pins;
- $this->log(
- '-- got user data [not showing passphrases]' . PHP_EOL,
- self::VERBOSITY_ALL
- );
- }
- }
-
- return $this;
- }
-
- // }}}
- // {{{ disconnect()
-
- /**
- * Disconnects this pinentry from the Assuan server
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function disconnect()
- {
- $this->log('-- disconnecting' . PHP_EOL, self::VERBOSITY_ALL);
-
- fflush($this->stdout);
- fclose($this->stdout);
- fclose($this->stdin);
-
- $this->stdin = null;
- $this->stdout = null;
-
- $this->log('-- disconnected' . PHP_EOL, self::VERBOSITY_ALL);
-
- if (is_resource($this->logFile)) {
- fflush($this->logFile);
- fclose($this->logFile);
- $this->logFile = null;
- }
-
- return $this;
- }
-
- // }}}
- // {{{ sendNotImplementedOK()
-
- /**
- * Sends an OK response for a not implemented feature
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendNotImplementedOK()
- {
- return $this->send($this->getOK());
- }
-
- // }}}
- // {{{ sendSetDescription()
-
- /**
- * Parses the currently requested key identifier and user identifier from
- * the description passed to this pinentry
- *
- * @param string $text the raw description sent from gpg-agent.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendSetDescription($text)
- {
- $text = rawurldecode($text);
- $matches = array();
- // TODO: handle user id with quotation marks
- $exp = '/\n"(.+)"\n.*\sID ([A-Z0-9]+),\n/mu';
- if (preg_match($exp, $text, $matches) === 1) {
- $userId = $matches[1];
- $keyId = $matches[2];
-
- if ($this->currentPin === null || $this->currentPin['keyId'] !== $keyId) {
- $this->currentPin = array(
- 'userId' => $userId,
- 'keyId' => $keyId
- );
- $this->log(
- '-- looking for PIN for ' . $keyId . PHP_EOL,
- self::VERBOSITY_ALL
- );
- }
- }
-
- return $this->send($this->getOK());
- }
-
- // }}}
- // {{{ sendConfirm()
-
- /**
- * Tells the assuan server to confirm the operation
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendConfirm()
- {
- return $this->send($this->getOK());
- }
-
- // }}}
- // {{{ sendMessage()
-
- /**
- * Tells the assuan server that any requested pop-up messages were confirmed
- * by pressing the fake 'close' button
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendMessage()
- {
- return $this->sendButtonInfo('close');
- }
-
- // }}}
- // {{{ sendButtonInfo()
-
- /**
- * Sends information about pressed buttons to the assuan server
- *
- * This is used to fake a user-interface for this pinentry.
- *
- * @param string $text the button status to send.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendButtonInfo($text)
- {
- return $this->send('BUTTON_INFO ' . $text . "\n");
- }
-
- // }}}
- // {{{ sendGetPin()
-
- /**
- * Sends the PIN value for the currently requested key
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendGetPin()
- {
- $foundPin = '';
-
- if (is_array($this->currentPin)) {
- $keyIdLength = mb_strlen($this->currentPin['keyId'], '8bit');
-
- // search for the pin
- foreach ($this->pins as $_keyId => $pin) {
- // Warning: GnuPG 2.1 asks 3 times for passphrase if it is invalid
- $keyId = $this->currentPin['keyId'];
- $_keyIdLength = mb_strlen($_keyId, '8bit');
-
- // Get last X characters of key identifier to compare
- // Most GnuPG versions use 8 characters, but recent ones can use 16,
- // We support 8 for backward compatibility
- if ($keyIdLength < $_keyIdLength) {
- $_keyId = mb_substr($_keyId, -$keyIdLength, $keyIdLength, '8bit');
- } else if ($keyIdLength > $_keyIdLength) {
- $keyId = mb_substr($keyId, -$_keyIdLength, $_keyIdLength, '8bit');
- }
-
- if ($_keyId === $keyId) {
- $foundPin = $pin;
- break;
- }
- }
- }
-
- return $this
- ->send($this->getData($foundPin))
- ->send($this->getOK());
- }
-
- // }}}
- // {{{ sendGetInfo()
-
- /**
- * Sends information about this pinentry
- *
- * @param string $data the information requested by the assuan server.
- * Currently only 'pid' is supported. Other requests
- * return no information.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendGetInfo($data)
- {
- $parts = explode(' ', $data, 2);
- $command = reset($parts);
-
- switch ($command) {
- case 'pid':
- return $this->sendGetInfoPID();
- default:
- return $this->send($this->getOK());
- }
-
- return $this;
- }
- // }}}
- // {{{ sendGetInfoPID()
-
- /**
- * Sends the PID of this pinentry to the assuan server
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendGetInfoPID()
- {
- return $this
- ->send($this->getData(getmypid()))
- ->send($this->getOK());
- }
-
- // }}}
- // {{{ sendBye()
-
- /**
- * Flags this pinentry for disconnection and sends an OK response
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendBye()
- {
- $return = $this->send($this->getOK('closing connection'));
- $this->moribund = true;
- return $return;
- }
-
- // }}}
- // {{{ sendReset()
-
- /**
- * Resets this pinentry and sends an OK response
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function sendReset()
- {
- $this->currentPin = null;
- return $this->send($this->getOK());
- }
-
- // }}}
- // {{{ getOK()
-
- /**
- * Gets an OK response to send to the assuan server
- *
- * @param string $data an optional message to include with the OK response.
- *
- * @return string the OK response.
- */
- protected function getOK($data = null)
- {
- $return = 'OK';
-
- if ($data) {
- $return .= ' ' . $data;
- }
-
- return $return . "\n";
- }
-
- // }}}
- // {{{ getData()
-
- /**
- * Gets data ready to send to the assuan server
- *
- * Data is appropriately escaped and long lines are wrapped.
- *
- * @param string $data the data to send to the assuan server.
- *
- * @return string the properly escaped, formatted data.
- *
- * @see http://www.gnupg.org/documentation/manuals/assuan/Server-responses.html
- */
- protected function getData($data)
- {
- // Escape data. Only %, \n and \r need to be escaped but other
- // values are allowed to be escaped. See
- // http://www.gnupg.org/documentation/manuals/assuan/Server-responses.html
- $data = rawurlencode($data);
- $data = $this->getWordWrappedData($data, 'D');
- return $data;
- }
-
- // }}}
- // {{{ getComment()
-
- /**
- * Gets a comment ready to send to the assuan server
- *
- * @param string $data the comment to send to the assuan server.
- *
- * @return string the properly formatted comment.
- *
- * @see http://www.gnupg.org/documentation/manuals/assuan/Server-responses.html
- */
- protected function getComment($data)
- {
- return $this->getWordWrappedData($data, '#');
- }
-
- // }}}
- // {{{ getWordWrappedData()
-
- /**
- * Wraps strings at 1,000 bytes without splitting UTF-8 multibyte
- * characters
- *
- * Each line is prepended with the specified line prefix. Wrapped lines
- * are automatically appended with \ characters.
- *
- * Protocol strings are UTF-8 but maximum line length is 1,000 bytes.
- * <kbd>mb_strcut()</kbd> is used so we can limit line length by bytes
- * and not split characters across multiple lines.
- *
- * @param string $data the data to wrap.
- * @param string $prefix a single character to use as the line prefix. For
- * example, 'D' or '#'.
- *
- * @return string the word-wrapped, prefixed string.
- *
- * @see http://www.gnupg.org/documentation/manuals/assuan/Server-responses.html
- */
- protected function getWordWrappedData($data, $prefix)
- {
- $lines = array();
-
- do {
- if (mb_strlen($data, '8bit') > 997) {
- $line = $prefix . ' ' . mb_strcut($data, 0, 996, 'utf-8') . "\\\n";
- $lines[] = $line;
- $lineLength = mb_strlen($line, '8bit') - 1;
- $dataLength = mb_substr($data, '8bit');
- $data = mb_substr(
- $data,
- $lineLength,
- $dataLength - $lineLength,
- '8bit'
- );
- } else {
- $lines[] = $prefix . ' ' . $data . "\n";
- $data = '';
- }
- } while ($data != '');
-
- return implode('', $lines);
- }
-
- // }}}
- // {{{ send()
-
- /**
- * Sends raw data to the assuan server
- *
- * @param string $data the data to send.
- *
- * @return Crypt_GPG_PinEntry the current object, for fluent interface.
- */
- protected function send($data)
- {
- $this->log('-> ' . $data, self::VERBOSITY_ALL);
- fwrite($this->stdout, $data);
- fflush($this->stdout);
- return $this;
- }
-
- // }}}
- }
-
- // }}}
-
- ?>
|