4 # Check PGP signed emails
6 # This script verifies the signature on incoming mail for a couple of things
7 # - That the signature is valid, recent and is not replay
8 # - The signer is in the LDAP directory and is in the right group
9 # - The message contains no extra text that is not signed.
12 # -r Replay cache file, if unset replay checking is disabled
13 # -k Colon seperated list of keyrings to use
14 # -d LDAP search base DN
16 # -g supplementary group membership
17 # -p File of Phrases that must be in the plaintext.
18 # -m Disallow PGP/MIME
21 # Typical Debian invokation may look like:
22 # ./gpgwrapper -k /usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-keyring.pgp \
23 # -d ou=users,dc=debian,dc=org -l db.debian.org \
24 # -m debian.org -a admin@db.debian.org \
25 # -e /etc/userdir-ldap/templtes/error-reply -- test.sh
27 import sys, traceback, time, os;
28 import string, pwd, getopt;
29 from userdir_gpg import *;
32 EX_PERMFAIL = 65; # EX_DATAERR
33 Error = 'Message Error';
36 ReplayCacheFile = None;
46 sys.stderr.write(msg + "\n")
48 # Match the key fingerprint against an LDAP directory
49 def CheckLDAP(FingerPrint):
52 # Connect to the ldap server
53 global ErrTyp, ErrMsg;
54 ErrType = EX_TEMPFAIL;
55 ErrMsg = "An error occured while performing the LDAP lookup:";
57 l = ldap.open(LDAPServer);
58 l.simple_bind_s("","");
60 # Search for the matching key fingerprint
61 verbmsg("Processing fingerprint %s" % FingerPrint)
62 Attrs = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=" + FingerPrint);
64 raise Error, "Key not found"
66 raise Error, "Oddly your key fingerprint is assigned to more than one account.."
68 # See if the group membership is OK
69 if GroupMember != None:
71 for x in Attrs[0][1].get("supplementarygid",[]):
75 raise Error, "You don't have %s group permissions."%(GroupMember);
77 # Start of main program
79 (options, arguments) = getopt.getopt(sys.argv[1:], "r:k:d:l:g:mp:v");
80 for (switch, val) in options:
82 ReplayCacheFile = val;
83 elif (switch == '-k'):
84 SetKeyrings(string.split(val,":"));
85 elif (switch == '-d'):
87 elif (switch == '-l'):
89 elif (switch == '-g'):
91 elif (switch == '-m'):
93 elif (switch == '-v'):
95 elif (switch == '-p'):
98 Now = time.strftime("%a, %d %b %Y %H:%M:%S",time.gmtime(time.time()));
99 ErrMsg = "Indeterminate Error";
100 ErrType = EX_TEMPFAIL;
103 # Startup the replay cache
104 ErrType = EX_TEMPFAIL;
105 if ReplayCacheFile != None:
106 ErrMsg = "Failed to initialize the replay cache:";
107 RC = ReplayCache(ReplayCacheFile);
111 ErrType = EX_PERMFAIL;
112 ErrMsg = "Failed to understand the email or find a signature:";
113 Email = mimetools.Message(sys.stdin,0);
114 MsgID = Email.getheader("Message-ID");
115 print "Inspecting message %s"%MsgID;
116 verbmsg("Processing message %s" % MsgID)
117 Msg = GetClearSig(Email,1);
119 if AllowMIME == 0 and Msg[1] != 0:
120 raise Error, "PGP/MIME disallowed";
122 ErrMsg = "Message is not PGP signed:"
123 if string.find(Msg[0],"-----BEGIN PGP SIGNED MESSAGE-----") == -1:
124 raise Error, "No PGP signature";
126 # Check the signature
127 ErrMsg = "Unable to check the signature or the signature was invalid:";
128 Res = GPGCheckSig(Msg[0]);
134 raise Error, "Null signature text";
136 # Check the signature against the replay cache
137 if ReplayCacheFile != None:
138 ErrMsg = "The replay cache rejected your message. Check your clock!";
139 Rply = RC.Check(Res[1]);
146 CheckLDAP(Res[2][1]);
148 ErrMsg = "Verifying message:";
150 F = open(Phrases,"r");
153 if Line == "": break;
154 if string.find(Res[3],string.strip(Line)) == -1:
155 raise Error,"Phrase '%s' was not found"%(string.strip(Line));
158 ErrMsg = "[%s] \"%s\" \"%s %s\"\n"%(Now,MsgID,ErrMsg,sys.exc_value);
159 sys.stderr.write(ErrMsg);
161 Trace = "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
162 List = traceback.extract_tb(sys.exc_traceback);
164 Trace = Trace + "Python Stack Trace:\n";
166 Trace = Trace + " %s %s:%u: %s\n" %(x[2],x[0],x[1],x[3]);
169 sys.exit(EX_PERMFAIL);
172 print "Message %s passed"%MsgID;