1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
|
//! Asynchronously access keyservers.
//!
//! This module exposes the same interface, but for use within an
//! asynchronous framework.
use failure;
use futures::{future, Future, Stream};
use hyper::client::{ResponseFuture, HttpConnector};
use hyper::header::{CONTENT_LENGTH, CONTENT_TYPE, HeaderValue};
use hyper::{self, Client, Body, StatusCode, Request};
use hyper_tls::HttpsConnector;
use native_tls::{Certificate, TlsConnector};
use percent_encoding::{percent_encode, DEFAULT_ENCODE_SET};
use std::convert::From;
use std::io::Cursor;
use tokio_core::reactor::Handle;
use url::Url;
use openpgp::TPK;
use openpgp::{KeyID, armor};
use sequoia_core::{Context, NetworkPolicy};
use super::{Error, Result};
define_encode_set! {
/// Encoding used for submitting keys.
///
/// The SKS keyserver as of version 1.1.6 is a bit picky with
/// respect to the encoding.
pub KEYSERVER_ENCODE_SET = [DEFAULT_ENCODE_SET] | {'-', '+', '/' }
}
/// For accessing keyservers using HKP.
pub struct KeyServer {
client: Box<AClient>,
uri: Url,
}
const DNS_WORKER: usize = 4;
impl KeyServer {
/// Returns a handle for the given URI.
pub fn new(ctx: &Context, uri: &str, _handle: &Handle) -> Result<Self> {
let uri: Url = uri.parse()?;
let client: Box<AClient> = match uri.scheme() {
"hkp" => Box::new(Client::new()),
"hkps" => {
Box::new(Client::builder()
.build(HttpsConnector::new(DNS_WORKER)?))
},
_ => return Err(Error::MalformedUri.into()),
};
Self::make(ctx, client, uri)
}
/// Returns a handle for the given URI.
///
/// `cert` is used to authenticate the server.
pub fn with_cert(ctx: &Context, uri: &str, cert: Certificate,
_handle: &Handle) -> Result<Self> {
let uri: Url = uri.parse()?;
let client: Box<AClient> = {
let mut tls = TlsConnector::builder();
tls.add_root_certificate(cert);
let tls = tls.build()?;
let mut http = HttpConnector::new(DNS_WORKER);
http.enforce_http(false);
Box::new(Client::builder()
.build(HttpsConnector::from((http, tls))))
};
Self::make(ctx, client, uri)
}
/// Returns a handle for the SKS keyserver pool.
///
/// The pool `hkps://hkps.pool.sks-keyservers.net` provides HKP
/// services over https. It is authenticated using a certificate
/// included in this library. It is a good default choice.
pub fn sks_pool(ctx: &Context, handle: &Handle) -> Result<Self> {
let uri = "hkps://hkps.pool.sks-keyservers.net";
let cert = Certificate::from_der(
include_bytes!("sks-keyservers.netCA.der")).unwrap();
Self::with_cert(ctx, uri, cert, handle)
}
/// Common code for the above functions.
fn make(ctx: &Context, client: Box<AClient>, uri: Url) -> Result<Self> {
let s = uri.scheme();
match s {
"hkp" => ctx.network_policy().assert(NetworkPolicy::Insecure),
"hkps" => ctx.network_policy().assert(NetworkPolicy::Encrypted),
_ => return Err(Error::MalformedUri.into())
}?;
let uri =
format!("{}://{}:{}",
match s {"hkp" => "http", "hkps" => "https",
_ => unreachable!()},
uri.host().ok_or(Error::MalformedUri)?,
match s {
"hkp" => uri.port().or(Some(11371)),
"hkps" => uri.port().or(Some(443)),
_ => unreachable!(),
}.unwrap()).parse()?;
Ok(KeyServer{client: client, uri: uri})
}
/// Retrieves the key with the given `keyid`.
pub fn get(&mut self, keyid: &KeyID)
-> Box<Future<Item=TPK, Error=failure::Error> + 'static> {
let uri = self.uri.join(
&format!("pks/lookup?op=get&options=mr&search=0x{}",
keyid.to_hex()));
if let Err(e) = uri {
// This shouldn't happen, but better safe than sorry.
return Box::new(future::err(Error::from(e).into()));
}
Box::new(self.client.do_get(uri.unwrap())
.from_err()
.and_then(|res| {
let status = res.status();
res.into_body().concat2().from_err()
.and_then(move |body| match status {
StatusCode::OK => {
let c = Cursor::new(body.as_ref());
let r = armor::Reader::new(
c, Some(armor::Kind::PublicKey));
future::done(TPK::from_reader(r))
},
StatusCode::NOT_FOUND =>
future::err(Error::NotFound.into()),
n => future::err(Error::HttpStatus(n).into()),
})
}))
}
/// Sends the given key to the server.
pub fn send(&mut self, key: &TPK)
-> Box<Future<Item=(), Error=failure::Error> + 'static> {
use openpgp::armor::{Writer, Kind};
let uri =
match self.uri.join("pks/add") {
Err(e) =>
// This shouldn't happen, but better safe than sorry.
return Box::new(future::err(Error::from(e).into())),
Ok(u) => u,
};
let mut armored_blob = vec![];
{
let mut w = match Writer::new(&mut armored_blob,
Kind::PublicKey, &[][..]) {
Err(e) => return Box::new(future::err(e.into())),
Ok(w) => w,
};
if let Err(e) = key.serialize(&mut w) {
return Box::new(future::err(e));
}
}
// Prepare to send url-encoded data.
let mut post_data = b"keytext=".to_vec();
post_data.extend_from_slice(percent_encode(&armored_blob, KEYSERVER_ENCODE_SET)
.collect::<String>().as_bytes());
let length = post_data.len();
let mut request =
|
