Commit | Line | Data |
---|---|---|
53263601 MW |
1 | ### -*-sh-*- |
2 | ### | |
3 | ### Common key management functions. | |
4 | ### | |
5 | ### (c) 2011 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
599c8f75 MW |
10 | ### This file is part of the distorted.org.uk key management suite. |
11 | ### | |
12 | ### distorted-keys is free software; you can redistribute it and/or modify | |
53263601 MW |
13 | ### it under the terms of the GNU General Public License as published by |
14 | ### the Free Software Foundation; either version 2 of the License, or | |
15 | ### (at your option) any later version. | |
16 | ### | |
599c8f75 | 17 | ### distorted-keys is distributed in the hope that it will be useful, |
53263601 MW |
18 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
19 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | ### GNU General Public License for more details. | |
21 | ### | |
22 | ### You should have received a copy of the GNU General Public License | |
599c8f75 | 23 | ### along with distorted-keys; if not, write to the Free Software Foundation, |
53263601 MW |
24 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
25 | ||
26 | quis=${0##*/} | |
27 | ||
28 | ###-------------------------------------------------------------------------- | |
29 | ### Configuration variables. | |
30 | ||
31 | PACKAGE="@PACKAGE@" VERSION="@VERSION@" | |
32 | pkgconfdir="@pkgconfdir@" pkglibdir="@pkglibdir@" | |
33 | bindir="@bindir@" | |
34 | ||
35 | case ":$PATH:" in *:"$bindir":*) ;; *) PATH=$bindir:$PATH ;; esac | |
36 | ||
599c8f75 MW |
37 | if [ -f $KEYS/keys.conf ]; then . $KEYS/keys.conf; fi |
38 | : ${random=/dev/random} | |
39 | ||
40 | case "${KEYS_DEBUG+t}" in t) set -x ;; esac | |
41 | ||
53263601 MW |
42 | ###-------------------------------------------------------------------------- |
43 | ### Cleanup handling. | |
44 | ||
45 | cleanups="" | |
46 | cleanup () { cleanups="$cleanups $1"; } | |
47 | trap 'rc=$?; for i in $cleanups; do $i; done; exit $rc' EXIT | |
48 | trap 'exit 127' INT TERM | |
49 | ||
50 | ###-------------------------------------------------------------------------- | |
51 | ### Utility functions. | |
52 | ||
53 | ## Temporary directory. | |
54 | unset tmp | |
55 | rmtmp () { cd /; rm -rf $tmp; } | |
56 | mktmp () { | |
57 | ## Make and return the name of a temporary directory. | |
58 | ||
59 | case "${tmp+t}" in t) echo "$tmp"; return ;; esac | |
599c8f75 | 60 | mem=$(userv root claim-mem-dir </dev/null) |
53263601 MW |
61 | tmp="$mem/keys.tmp.$$" |
62 | rm -rf "$tmp" | |
63 | mkdir -m700 "$tmp" | |
64 | echo "$tmp" | |
65 | } | |
66 | ||
67 | ###-------------------------------------------------------------------------- | |
68 | ### Input validation functions. | |
69 | ||
70 | checknumber () { | |
71 | what=$1 thing=$2 | |
72 | case "$thing" in | |
73 | "" | [!1-9]* | *[!0-9]*) | |
74 | echo >&2 "$quis: bad $what \`$thing'" | |
75 | exit 1 | |
76 | ;; | |
77 | esac | |
78 | } | |
79 | ||
80 | checkword () { | |
81 | what=$1 thing=$2 | |
82 | case "$thing" in | |
83 | "" | *[!-0-9a-zA-Z_!%@+=]*) | |
84 | echo >&2 "$quis: bad $what: \`$thing'" | |
85 | exit 1 | |
86 | ;; | |
87 | esac | |
88 | } | |
89 | ||
599c8f75 MW |
90 | checklabel () { |
91 | what=$1 thing=$2 | |
92 | case "$thing" in | |
93 | *[!-0-9a-zA-Z_!%@+=/#]* | *//* | /* | */) | |
94 | echo >&2 "$quis: bad $what label \`$thing'" | |
95 | exit 1 | |
96 | ;; | |
97 | esac | |
98 | } | |
99 | ||
53263601 MW |
100 | ###-------------------------------------------------------------------------- |
101 | ### Crypto operations. | |
102 | ### | |
103 | ### We use Seccure for this, but it's interface is Very Annoying. | |
104 | ||
105 | run_seccure () { | |
106 | op=$1; shift | |
107 | ## run_seccure OP ARG ... | |
108 | ## | |
109 | ## Run a Seccure program, ensuring that its stderr is reported if it had | |
110 | ## anything very interesting to say, but suppressed if it was boring. | |
111 | ||
112 | ## We need a temporary place for the error output. | |
113 | case ${tmp+t} in | |
114 | t) ;; | |
115 | *) | |
116 | echo >&2 "$quis (INTERNAL): run_seccure called without tmpdir" | |
117 | exit 127 | |
118 | ;; | |
119 | esac | |
120 | ||
121 | ## Run the program. | |
122 | set +e; seccure-$op "$@" 2>$tmp/seccure.out; rc=$?; set -e | |
123 | grep -v '^WARNING: Cannot obtain memory lock' $tmp/seccure.out >&2 || : | |
124 | return $rc | |
125 | } | |
126 | ||
127 | ec_public () { | |
128 | private=$1 | |
129 | ## Write the public key corresponding to PRIVATE to stdout. | |
130 | ||
131 | run_seccure key -q -cp256 -F"$private" | |
132 | } | |
133 | ||
134 | ec_keygen () { | |
135 | private=$1 public=$2 | |
136 | ## Make a new key, write private key to PRIVATE and public key to PUBLIC. | |
137 | ||
599c8f75 MW |
138 | dd if=$random bs=1 count=512 2>/dev/null | |
139 | openssl dgst -sha384 -binary | | |
53263601 MW |
140 | (umask 077 && openssl base64 >"$private") |
141 | ec_public "$private" >"$public" | |
142 | } | |
143 | ||
144 | ec_encrypt () { | |
145 | public=$1; shift | |
146 | ## Encrypt stuff using the PUBLIC key. Use -i/-o or redirection. | |
147 | ||
148 | run_seccure encrypt -q -cp256 -m128 "$@" -- $(cat "$public") | |
149 | } | |
150 | ||
151 | ec_decrypt () { | |
152 | private=$1; shift | |
153 | ## Decrypt stuff using the PRIVATE key. Use -i/-o or redirection. | |
154 | ||
155 | run_seccure decrypt -q -cp256 -m128 -F"$private" "$@" | |
156 | } | |
157 | ||
599c8f75 MW |
158 | ec_sign () { |
159 | private=$1; shift | |
160 | ## Sign stuff using the PRIVATE key. Use -i/-o or redirection. | |
161 | ||
162 | run_seccure sign -q -cp256 -F"$private" "$@" | |
163 | } | |
164 | ||
165 | ec_verify () { | |
166 | public=$1 signature=$2; shift | |
167 | ## Verify a SIGNATURE using the PUBLIC key; use -i or redirection for the | |
168 | ## input. | |
169 | ||
170 | run_seccure verify -q -cp256 "$@" -- $(cat "$public") "$signature" | |
171 | } | |
172 | ||
53263601 MW |
173 | ###-------------------------------------------------------------------------- |
174 | ### Help text. | |
175 | ||
176 | dohelp () { | |
177 | case "$KEYS_HELP" in t) ;; *) return ;; esac | |
178 | help; exit | |
179 | } | |
180 | ||
181 | defhelp () { read umsg; usage="usage: $quis${umsg+ }$umsg"; help=$(cat); } | |
182 | help () { showhelp; } | |
183 | showhelp () { | |
184 | cat <<EOF | |
185 | $usage | |
186 | ||
187 | $help | |
188 | EOF | |
189 | } | |
190 | ||
191 | ###----- That's all, folks -------------------------------------------------- |