[distorted-keys] / keyfunc.sh.in

### -*-sh-*-
###
### Common key management functions.
###
### (c) 2011 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of the distorted.org.uk key management suite.
###
### distorted-keys is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### distorted-keys is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with distorted-keys; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

quis=${0##*/}

###--------------------------------------------------------------------------
### Configuration variables.

PACKAGE="@PACKAGE@" VERSION="@VERSION@"
pkgconfdir="@pkgconfdir@" pkglibdir="@pkglibdir@"
bindir="@bindir@"

case ":$PATH:" in *:"$bindir":*) ;; *) PATH=$bindir:$PATH ;; esac

if [ -f $KEYS/keys.conf ]; then . $KEYS/keys.conf; fi
: ${random=/dev/random}

case "${KEYS_DEBUG+t}" in t) set -x ;; esac

###--------------------------------------------------------------------------
### Cleanup handling.

cleanups=""
cleanup () { cleanups="$cleanups $1"; }
trap 'rc=$?; for i in $cleanups; do $i; done; exit $rc' EXIT
trap 'exit 127' INT TERM

###--------------------------------------------------------------------------
### Utility functions.

## Temporary directory.
unset tmp
rmtmp () { cd /; rm -rf $tmp; }
mktmp () {
  ## Make and return the name of a temporary directory.

  case "${tmp+t}" in t) echo "$tmp"; return ;; esac
  mem=$(userv root claim-mem-dir </dev/null)
  tmp="$mem/keys.tmp.$$"
  rm -rf "$tmp"
  mkdir -m700 "$tmp"
  echo "$tmp"
}

###--------------------------------------------------------------------------
### Input validation functions.

checknumber () {
  what=$1 thing=$2
  case "$thing" in
    "" | [!1-9]* | *[!0-9]*)
      echo >&2 "$quis: bad $what \`$thing'"
      exit 1
      ;;
  esac
}

checkword () {
  what=$1 thing=$2
  case "$thing" in
    "" | *[!-0-9a-zA-Z_!%@+=]*)
      echo >&2 "$quis: bad $what: \`$thing'"
      exit 1
      ;;
  esac
}

checklabel () {
  what=$1 thing=$2
  case "$thing" in
    *[!-0-9a-zA-Z_!%@+=/#]* | *//* | /* | */)
      echo >&2 "$quis: bad $what label \`$thing'"
      exit 1
      ;;
  esac
}

###--------------------------------------------------------------------------
### Crypto operations.
###
### We use Seccure for this, but it's interface is Very Annoying.

run_seccure () {
  op=$1; shift
  ## run_seccure OP ARG ...
  ##
  ## Run a Seccure program, ensuring that its stderr is reported if it had
  ## anything very interesting to say, but suppressed if it was boring.

  ## We need a temporary place for the error output.
  case ${tmp+t} in
    t) ;;
    *)
      echo >&2 "$quis (INTERNAL): run_seccure called without tmpdir"
      exit 127
      ;;
  esac

  ## Run the program.
  set +e; seccure-$op "$@" 2>$tmp/seccure.out; rc=$?; set -e
  grep -v '^WARNING: Cannot obtain memory lock' $tmp/seccure.out >&2 || :
  return $rc
}

ec_public () {
  private=$1
  ## Write the public key corresponding to PRIVATE to stdout.

  run_seccure key -q -cp256 -F"$private"
}

ec_keygen () {
  private=$1 public=$2
  ## Make a new key, write private key to PRIVATE and public key to PUBLIC.

  dd if=$random bs=1 count=512 2>/dev/null |
    openssl dgst -sha384 -binary |
    (umask 077 && openssl base64 >"$private")
  ec_public "$private" >"$public"
}

ec_encrypt () {
  public=$1; shift
  ## Encrypt stuff using the PUBLIC key.  Use -i/-o or redirection.

  run_seccure encrypt -q -cp256 -m128 "$@" -- $(cat "$public")
}

ec_decrypt () {
  private=$1; shift
  ## Decrypt stuff using the PRIVATE key.  Use -i/-o or redirection.

  run_seccure decrypt -q -cp256 -m128 -F"$private" "$@"
}

ec_sign () {
  private=$1; shift
  ## Sign stuff using the PRIVATE key.  Use -i/-o or redirection.

  run_seccure sign -q -cp256 -F"$private" "$@"
}

ec_verify () {
  public=$1 signature=$2; shift
  ## Verify a SIGNATURE using the PUBLIC key; use -i or redirection for the
  ## input.

  run_seccure verify -q -cp256 "$@" -- $(cat "$public") "$signature"
}

###--------------------------------------------------------------------------
### Help text.

dohelp () {
  case "$KEYS_HELP" in t) ;; *) return ;; esac
  help; exit
}

defhelp () { read umsg; usage="usage: $quis${umsg+ }$umsg"; help=$(cat); }
help () { showhelp; }
showhelp () {
  cat <<EOF
$usage

$help
EOF
}

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
53263601 MW	1	### --sh--
	2	###
	3	### Common key management functions.
	4	###
	5	### (c) 2011 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
599c8f75 MW	10	### This file is part of the distorted.org.uk key management suite.
	11	###
	12	### distorted-keys is free software; you can redistribute it and/or modify
53263601 MW	13	### it under the terms of the GNU General Public License as published by
	14	### the Free Software Foundation; either version 2 of the License, or
	15	### (at your option) any later version.
	16	###
599c8f75	17	### distorted-keys is distributed in the hope that it will be useful,
53263601 MW	18	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	### GNU General Public License for more details.
	21	###
	22	### You should have received a copy of the GNU General Public License
599c8f75	23	### along with distorted-keys; if not, write to the Free Software Foundation,
53263601 MW	24	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25
	26	quis=${0##*/}
	27
	28	###--------------------------------------------------------------------------
	29	### Configuration variables.
	30
	31	PACKAGE="@PACKAGE@" VERSION="@VERSION@"
	32	pkgconfdir="@pkgconfdir@" pkglibdir="@pkglibdir@"
	33	bindir="@bindir@"
	34
	35	case ":$PATH:" in :"$bindir":) ;; *) PATH=$bindir:$PATH ;; esac
	36
599c8f75 MW	37	if [ -f $KEYS/keys.conf ]; then . $KEYS/keys.conf; fi
	38	: ${random=/dev/random}
	39
	40	case "${KEYS_DEBUG+t}" in t) set -x ;; esac
	41
53263601 MW	42	###--------------------------------------------------------------------------
	43	### Cleanup handling.
	44
	45	cleanups=""
	46	cleanup () { cleanups="$cleanups $1"; }
	47	trap 'rc=$?; for i in $cleanups; do $i; done; exit $rc' EXIT
	48	trap 'exit 127' INT TERM
	49
	50	###--------------------------------------------------------------------------
	51	### Utility functions.
	52
	53	## Temporary directory.
	54	unset tmp
	55	rmtmp () { cd /; rm -rf $tmp; }
	56	mktmp () {
	57	## Make and return the name of a temporary directory.
	58
	59	case "${tmp+t}" in t) echo "$tmp"; return ;; esac
599c8f75	60	mem=$(userv root claim-mem-dir </dev/null)
53263601 MW	61	tmp="$mem/keys.tmp.$$"
	62	rm -rf "$tmp"
	63	mkdir -m700 "$tmp"
	64	echo "$tmp"
	65	}
	66
	67	###--------------------------------------------------------------------------
	68	### Input validation functions.
	69
	70	checknumber () {
	71	what=$1 thing=$2
	72	case "$thing" in
	73	"" \| [!1-9]* \| [!0-9])
	74	echo >&2 "$quis: bad $what \`$thing'"
	75	exit 1
	76	;;
	77	esac
	78	}
	79
	80	checkword () {
	81	what=$1 thing=$2
	82	case "$thing" in
	83	"" \| [!-0-9a-zA-Z_!%@+=])
	84	echo >&2 "$quis: bad $what: \`$thing'"
	85	exit 1
	86	;;
	87	esac
	88	}
	89
599c8f75 MW	90	checklabel () {
	91	what=$1 thing=$2
	92	case "$thing" in
	93	[!-0-9a-zA-Z_!%@+=/#] \| // \| /* \| */)
	94	echo >&2 "$quis: bad $what label \`$thing'"
	95	exit 1
	96	;;
	97	esac
	98	}
	99
53263601 MW	100	###--------------------------------------------------------------------------
	101	### Crypto operations.
	102	###
	103	### We use Seccure for this, but it's interface is Very Annoying.
	104
	105	run_seccure () {
	106	op=$1; shift
	107	## run_seccure OP ARG ...
	108	##
	109	## Run a Seccure program, ensuring that its stderr is reported if it had
	110	## anything very interesting to say, but suppressed if it was boring.
	111
	112	## We need a temporary place for the error output.
	113	case ${tmp+t} in
	114	t) ;;
	115	*)
	116	echo >&2 "$quis (INTERNAL): run_seccure called without tmpdir"
	117	exit 127
	118	;;
	119	esac
	120
	121	## Run the program.
	122	set +e; seccure-$op "$@" 2>$tmp/seccure.out; rc=$?; set -e
	123	grep -v '^WARNING: Cannot obtain memory lock' $tmp/seccure.out >&2 \|\| :
	124	return $rc
	125	}
	126
	127	ec_public () {
	128	private=$1
	129	## Write the public key corresponding to PRIVATE to stdout.
	130
	131	run_seccure key -q -cp256 -F"$private"
	132	}
	133
	134	ec_keygen () {
	135	private=$1 public=$2
	136	## Make a new key, write private key to PRIVATE and public key to PUBLIC.
	137
599c8f75 MW	138	dd if=$random bs=1 count=512 2>/dev/null \|
599c8f75 MW	139	openssl dgst -sha384 -binary \|
53263601 MW	140	(umask 077 && openssl base64 >"$private")
	141	ec_public "$private" >"$public"
	142	}
	143
	144	ec_encrypt () {
	145	public=$1; shift
	146	## Encrypt stuff using the PUBLIC key. Use -i/-o or redirection.
	147
	148	run_seccure encrypt -q -cp256 -m128 "$@" -- $(cat "$public")
	149	}
	150
	151	ec_decrypt () {
	152	private=$1; shift
	153	## Decrypt stuff using the PRIVATE key. Use -i/-o or redirection.
	154
	155	run_seccure decrypt -q -cp256 -m128 -F"$private" "$@"
	156	}
	157
599c8f75 MW	158	ec_sign () {
	159	private=$1; shift
	160	## Sign stuff using the PRIVATE key. Use -i/-o or redirection.
	161
	162	run_seccure sign -q -cp256 -F"$private" "$@"
	163	}
	164
	165	ec_verify () {
	166	public=$1 signature=$2; shift
	167	## Verify a SIGNATURE using the PUBLIC key; use -i or redirection for the
	168	## input.
	169
	170	run_seccure verify -q -cp256 "$@" -- $(cat "$public") "$signature"
	171	}
	172
53263601 MW	173	###--------------------------------------------------------------------------
	174	### Help text.
	175
	176	dohelp () {
	177	case "$KEYS_HELP" in t) ;; *) return ;; esac
	178	help; exit
	179	}
	180
	181	defhelp () { read umsg; usage="usage: $quis${umsg+ }$umsg"; help=$(cat); }
	182	help () { showhelp; }
	183	showhelp () {
	184	cat <<EOF
	185	$usage
	186
	187	$help
	188	EOF
	189	}
	190
	191	###----- That's all, folks --------------------------------------------------