chiark / gitweb /
keyfunc.sh.in, cryptop.info: Refactor property dumping.
[distorted-keys] / keyfunc.sh.in
CommitLineData
53263601
MW
1### -*-sh-*-
2###
3### Common key management functions.
4###
5### (c) 2011 Mark Wooding
6###
7
8###----- Licensing notice ---------------------------------------------------
9###
599c8f75
MW
10### This file is part of the distorted.org.uk key management suite.
11###
12### distorted-keys is free software; you can redistribute it and/or modify
53263601
MW
13### it under the terms of the GNU General Public License as published by
14### the Free Software Foundation; either version 2 of the License, or
15### (at your option) any later version.
16###
599c8f75 17### distorted-keys is distributed in the hope that it will be useful,
53263601
MW
18### but WITHOUT ANY WARRANTY; without even the implied warranty of
19### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20### GNU General Public License for more details.
21###
22### You should have received a copy of the GNU General Public License
599c8f75 23### along with distorted-keys; if not, write to the Free Software Foundation,
53263601
MW
24### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25
26quis=${0##*/}
27
28###--------------------------------------------------------------------------
29### Configuration variables.
30
e787e19c 31## Automatically configured pathnames.
53263601 32PACKAGE="@PACKAGE@" VERSION="@VERSION@"
53263601
MW
33bindir="@bindir@"
34
e787e19c 35## Read user configuration.
c47f2aba 36if [ -f $ETC/keys.conf ]; then . $ETC/keys.conf; fi
599c8f75 37
e787e19c 38## Maybe turn on debugging.
599c8f75
MW
39case "${KEYS_DEBUG+t}" in t) set -x ;; esac
40
ec208149
MW
41## Fake up caller credentials if not called via userv.
42case "${USERV_USER+t}" in
43 t) ;;
44 *) USERV_USER=${LOGNAME-${USER-$(id -un)}} USERV_UID=$(id -u) ;;
45esac
46case "${USERV_GROUP+t}" in
47 t) ;;
48 *) USERV_GROUP=$(id -Gn) USERV_GID=$(id -gn) ;;
49esac
50
53263601
MW
51###--------------------------------------------------------------------------
52### Cleanup handling.
53
54cleanups=""
c47f2aba
MW
55cleanup () { cleanups=${cleanups+$cleanups }$1; }
56runcleanups () { for i in $cleanups; do $i; done; }
57trap 'rc=$?; runcleanups; exit $rc' EXIT
58trap 'trap "" EXIT; runcleanups; exit 127' INT TERM
53263601
MW
59
60###--------------------------------------------------------------------------
61### Utility functions.
62
c47f2aba
MW
63reqsafe () {
64 ## Fail unless a safe directory is set.
65
66 err="$quis: (CONFIGURATION ERROR)"
67 case ${SAFE+t} in
68 t) ;;
69 *) echo >&2 "$err: no SAFE directory"; exit 1 ;;
70 esac
71 if [ ! -d "$SAFE" ]; then
72 echo >&2 "$err: SAFE path \`$SAFE' isn't a directory"
73 exit 1
74 fi
75 case "$SAFE" in
76 [!/]* | *[][[:space:]*?]*)
77 echo >&2 "$err: SAFE path \`$SAFE' contains bad characters"
78 exit 1
79 ;;
80 esac
81 ls -ld "$SAFE" | {
82 me=$(id -un)
83 read perm _ user stuff
84 case "$perm:$user" in
85 d???------:"$me") ;;
86 *)
87 echo >&2 "$err: SAFE path \`$SAFE' has bad owner or permissions"
88 exit 1
89 ;;
90 esac
91 }
92}
93
53263601
MW
94## Temporary directory.
95unset tmp
c47f2aba
MW
96rmtmp () { case ${tmp+t} in t) cd /; rm -rf $tmp ;; esac; }
97cleanup rmtmp
53263601 98mktmp () {
c47f2aba 99 ## Make a temporary directory and store its name in `tmp'.
53263601 100
c47f2aba
MW
101 case "${tmp+t}" in t) return ;; esac
102 reqsafe
103 tmp="$SAFE/keys.tmp.$$"
53263601
MW
104 rm -rf "$tmp"
105 mkdir -m700 "$tmp"
53263601
MW
106}
107
c47f2aba
MW
108reqtmp () {
109 ## Fail unless a temporary directory is set.
53263601 110
c47f2aba
MW
111 case ${tmp+t} in
112 t) ;;
113 *) echo >&2 "$quis (INTERNAL): no tmp directory set"; exit 127 ;;
53263601
MW
114 esac
115}
116
c47f2aba
MW
117parse_keylabel () {
118 key=$1
119 ## Parse the key label string KEY. Set `kdir' to the base path to use for
120 ## the key's storage, and `kowner' to the key owner's name.
121
122 case "$key" in
123 *:*) kowner=${key%%:*} klabel=${key#*:} ;;
124 *) kowner=$USERV_USER klabel=$key ;;
53263601 125 esac
c47f2aba
MW
126 checkword "key owner name" "$kowner"
127 checklabel "key" "$klabel"
128 kdir=$KEYS/store/$kowner/$klabel
129 knub=$KEYS/nub/$kowner/$klabel
53263601
MW
130}
131
4c8c4065
MW
132runas () {
133 user=$1 service=$2; shift 2
134 ## If the current (effective) user is not USER then reinvoke via `userv',
135 ## as the specified service, with the remaining arguments.
136
137 case $(id -un) in
138 "$user") ;;
139 *) exec userv "$user" "$service" "$@" ;;
140 esac
141}
142
c47f2aba
MW
143###--------------------------------------------------------------------------
144### Input validation functions.
145
146nl="
147"
148check () {
149 ckwhat=$1 ckpat=$2 thing=$3
150 ## Verify that THING matches the (anchored, basic) regular expression
151 ## CKPAT. Since matching newlines is hard to do portably, also check that
152 ## THING doesn't contain any. If the checks fail, report an error and
153 ## exit.
154
155 validp=t
599c8f75 156 case "$thing" in
c47f2aba 157 *"$nl"*) validp=nil ;;
11c7b588 158 *) if ! expr >/dev/null "Q$thing" : "Q$ckpat\$"; then validp=nil; fi ;;
c47f2aba
MW
159 esac
160 case $validp in
161 nil) echo >&2 "$quis: bad $ckwhat \`$thing'"; exit 1 ;;
599c8f75
MW
162 esac
163}
164
c47f2aba
MW
165## Regular expressions for validating input.
166R_IDENTCHARS="A-Za-z0-9_"
09c56d3e
MW
167R_GOODPUNCT="!%@+="
168R_WORDCHARS="-$R_IDENTCHARS$R_GOODPUNCT"
c47f2aba
MW
169R_IDENT="[$R_IDENTCHARS][$R_IDENTCHARS]*"
170R_WORD="[$R_WORDCHARS][$R_WORDCHARS]*"
09c56d3e 171R_ACLCHARS="][$R_IDENTCHARS$R_GOODPUNCT*?:.#"
c47f2aba 172R_WORDSEQ="[$R_WORDCHARS[:space:]][$R_WORDCHARS[:space:]]*"
09c56d3e 173R_ACL="[$R_ACLCHARS[:space:]-][$R_ACLCHARS[:space:]-]*"
c47f2aba
MW
174R_NUMERIC='\(\([1-9][0-9]*\)\{0,1\}0\{0,1\}\)'
175R_LABEL="\($R_WORD\(/$R_WORD\)*\)"
176R_LINE=".*"
177
178## Various validation functions.
179checknumber () { check "$1" "$R_NUMERIC" "$2"; }
180checkident () { check "$1" "$R_IDENT" "$2"; }
181checkword () { check "$1" "$R_WORD" "$2"; }
182checklabel () { check "$1 label" "$R_LABEL" "$2"; }
183
53263601 184###--------------------------------------------------------------------------
c47f2aba
MW
185### Key storage and properties.
186
187getsysprofile () {
188 profile=$1
189 ## Write the named system PROFILE to standard output.
190
b65e1f93 191 $bindir/extract-profile "$profile" $ETC/profile.d/
c47f2aba
MW
192}
193
194setprops () {
195 what=$1 prefix=$2; shift 2
196 ## Set variables based on the NAME=VALUE assignments in the arguments. The
197 ## value for property NAME is stored in the shell variable PREFIX_NAME.
198
199 for assg in "$@"; do
200 goodp=t
201 case "$assg" in
202 *\=*) name=${assg%%=*} value=${assg#*=} ;;
203 *) goodp=nil ;;
204 esac
205 case "$goodp,$name" in t,*[!0-9A-Za-z_]*=*) goodp=nil ;; esac
206 case "$goodp" in
207 nil) echo >&2 "$quis: bad $what assignment \`$assg'"; exit 1 ;;
208 esac
209 eval "$prefix$name=\$value"
210 done
211}
53263601 212
c47f2aba
MW
213checkprops () {
214 whatprop=$1 prefix=$2; shift 2
215 ## Check that property variables are set in accordance with the remaining
216 ## TABLE arguments. Each row of TABLE has the form
53263601 217 ##
c47f2aba
MW
218 ## NAME OMIT PAT
219 ##
220 ## A table row is satisfied if there is a variable PREFIXNAME whose value
221 ## matces the (basic) regular expression PAT, or if the variable is unset
222 ## and OMIT is `t'.
223
224 for table in "$@"; do
225 case "$table" in ?*) ;; *) continue ;; esac
226 while read -r name omit pat; do
227 eval foundp=\${$prefix$name+t}
228 case "$foundp,$omit" in
229 ,t) continue ;;
230 ,nil)
231 echo >&2 "$quis: missing $whatprop \`$name' required"
232 exit 1
233 ;;
234 esac
235 eval value=\$$prefix$name
236 check "value for $whatprop \`$name'" "$pat" "$value"
237 done <<EOF
238$table
239EOF
240 done
241}
53263601 242
f9431707
MW
243dumpprops () {
244 prefix=$1
245 ## Write the properties stored in the variables beginning with PREFIX.
246
247 set | sed -n "/^$prefix/{s/=.*\$//;p}" | sort | while read name; do
248 eval value=\$$name
249 echo "${name#$prefix}=$value"
250 done
251}
252
c47f2aba
MW
253defprops () {
254 name=$1
255 ## Define a properties table NAME.
256
257 table=$(cat)
258 eval $name=\$table
259}
260
261defprops g_props <<EOF
262type nil $R_IDENT
263recovery t $R_WORDSEQ
264random t $R_WORD
2a877b7f
MW
265nub_hash t $R_WORD
266nubid_hash t $R_WORD
267nub_random_bytes t $R_NUMERIC
09c56d3e
MW
268acl_encrypt t $R_ACL
269acl_decrypt t $R_ACL
270acl_sign t $R_ACL
271acl_verify t $R_ACL
272acl_info t $R_ACL
c47f2aba
MW
273EOF
274
275readprops () {
276 file=$1
277 ## Read a profile from a file. This doesn't check the form of the
278 ## filename, so it's not suitable for unchecked input. Properties are set
279 ## using `setprops' with prefix `kprop_'.
280
281 ## Parse the settings from the file.
282 exec 3<"$file"
283 while read line; do
284 case "$line" in "" | \#*) continue ;; esac
285 setprops "property" kprop_ "$line"
286 done <&3
287 exec 3>&-
288 checkprops "property" kprop_ "$g_props"
289
290 ## Fetch the key-type handling library.
291 if [ ! -f $KEYSLIB/ktype.$kprop_type ]; then
292 echo >&2 "$quis: unknown key type \`$kprop_type'"
293 exit 1
294 fi
295 . $KEYSLIB/ktype.$kprop_type
296 checkprops "property" kprop_ "$k_props"
297}
298
299readmeta () {
300 kdir=$1
301 ## Read key metadata from KDIR.
302
303 { read profile; } <"$kdir"/meta
304}
305
306makenub () {
307 ## Generate a key nub in the default way, and write it to standard output.
2a877b7f
MW
308 ## The properties `random', `nub_random_bytes' and `nub_hash' are referred
309 ## to.
c47f2aba
MW
310
311 dd 2>/dev/null \
2a877b7f
MW
312 if=/dev/${kprop_random-random} bs=1 count=${kprop_nub_random_bytes-64} |
313 openssl dgst -${kprop_nub_hash-sha256} -binary |
c47f2aba
MW
314 openssl base64
315}
316
317nubid () {
318 ## Compute a hash of the key nub in stdin, and write it to stdout in hex.
2a877b7f 319 ## The property `nubid_hash' is used.
c47f2aba 320
21a21fff
MW
321 ## Stupid dance because the output incompatibly grew a filename, in order
322 ## to demonstrate the same idiocy as GNU mumblesum.
323 set _ $({ echo "distorted-keys nubid"; cat -; } |
324 openssl dgst -${kprop_nubid_hash-sha256})
325 echo $2
c47f2aba
MW
326}
327
328subst () {
329 what=$1 templ=$2 prefix=$3 pat=$4
330 ## Substitute option values into the template TEMPL. Each occurrence of
331 ## %{VAR} is replaced by the value of the variable PREFIXVAR. Finally, an
332 ## error is reported unless the final value matches the regular expression
333 ## PAT.
334
335 out=""
336 rest=$templ
337 while :; do
338
339 ## If there are no more markers to substitute, then finish.
340 case "$rest" in *"%{"*"}"*) ;; *) out=$out$rest; break ;; esac
341
342 ## Split the template into three parts.
343 left=${rest%%\%\{*} right=${rest#*\%\{}
344 var=${right%%\}*} rest=${right#*\}}
345 case "$var" in
346 *-*) default=${var#*-} var=${var%%-*} defaultp=t ;;
347 *) defaultp=nil ;;
348 esac
349
350 ## Find the variable value.
351 checkident "template variable name" "$var"
352 eval foundp=\${$prefix$var+t}
353 case $foundp,$defaultp in
354 t,*) eval value=\$$prefix$var ;;
355 ,t) value=$default ;;
356 *)
357 echo >&2 "$quis: option \`$var' unset, used in template \`$templ'"
358 exit 1
359 ;;
360 esac
361
362 ## Do the substitution.
363 out=$out$left$value
364 done
365
366 ## Check the final result.
367 check "$what" "$pat" "$out"
368
369 ## Done.
370 echo "$out"
371}
372
373read_profile () {
e9cf7079 374 owner=$1 profile=$2
c47f2aba 375 ## Read property settings from a profile. The PROFILE name has the form
e9cf7079
MW
376 ## [USER:]LABEL; USER defaults to OWNER. Properties are set using
377 ## `setprops' with prefix `kprop_'.
c47f2aba
MW
378
379 reqtmp
380 case "$profile" in
381 :*)
382 label=${profile#:} uservp=nil
383 ;;
53263601 384 *)
e9cf7079 385 user=$kowner label=$profile uservp=t
c47f2aba
MW
386 ;;
387 *:*)
388 user=${profile%%:*} label=${profile#*:} uservp=t
389 ;;
390 esac
391 checkword "profile label" "$label"
392
393 ## Fetch the profile settings from the user.
394 reqtmp
395 case $uservp in
396 t)
397 checkword "profile user" "$user"
21a21fff 398 userv "$user" cryptop-profile "$label" >$tmp/profile </dev/null
c47f2aba
MW
399 ;;
400 nil)
b65e1f93 401 $bindir/extract-profile "$label" $ETC/profile.d/ >$tmp/profile
53263601
MW
402 ;;
403 esac
404
c47f2aba
MW
405 ## Read the file.
406 readprops $tmp/profile
53263601
MW
407}
408
c47f2aba
MW
409###--------------------------------------------------------------------------
410### General crypto operations.
411
412c_genkey () {
413 profile=$1 kdir=$2 knub=$3 hook=$4; shift 4
414 ## Generate a key, and associate it with the named PROFILE (which is
415 ## assumed already to have been read!); store the main data in KDIR, and
416 ## the nub separately in the file KNUB; run HOOK after generation, passing
417 ## it the working key directory and nub file. Remaining arguments are
418 ## options to the key type.
419
420 ## Set options and check them.
421 setprops "option" kopt_ "$@"
422 checkprops "option" kopt_ "$k_genopts"
423
424 ## Create directory structure and start writing metadata.
425 rm -rf "$kdir.new"
426 mkdir -m755 -p "$kdir.new"
427 case "$knub" in */*) mkdir -m700 -p "${knub%/*}" ;; esac
428 cat >"$kdir.new/meta" <<EOF
429$profile
430EOF
53263601 431
c47f2aba
MW
432 ## Generate the key.
433 umask=$(umask); umask 077; >"$knub.new"; umask $umask
434 k_generate "$kdir.new" "$knub.new"
435 $hook "$kdir.new" "$knub.new"
436
437 ## Hash the nub.
438 nubid <"$knub.new" >"$kdir.new/nubid"
439
440 ## Juggle everything into place. Doing this atomically is very difficult,
441 ## and requires more machinery than I can really justify here. If
442 ## something goes wrong halfway, it should always be possible to fix it,
443 ## either by backing out (if $kdir.new still exists) or pressing on
444 ## forwards (if not).
445 rm -rf "$kdir.old"
446 if [ -e "$kdir" ]; then mv "$kdir" "$kdir.old"; fi
447 mv "$kdir.new" "$kdir"
448 mv "$knub.new" "$knub"
449 rm -rf "$kdir.old"
53263601
MW
450}
451
c47f2aba
MW
452c_encrypt () { k_encrypt "$@"; }
453c_decrypt () {
454 if k_decrypt "$@" >$tmp/plain; then cat $tmp/plain
455 else return $?
456 fi
457}
458c_sign () { k_sign "$@"; }
459c_verify () { k_verify "$@"; }
460
461## Stub implementations.
462notsupp () { op=$1; echo >&2 "$quis: operation \`$op' not supported"; }
463k_info () { :; }
464k_encrypt () { notsupp encrypt; }
465k_decrypt () { notsupp decrypt; }
466k_sign () { notsupp sign; }
467k_verify () { notsupp verify; }
468
469prepare () {
470 key=$1 op=$2
471 ## Prepare for a crypto operation OP, using the KEY. This validates the
5cff41ea
MW
472 ## key label, reads the profile, and checks the access-control list. If OP
473 ## is `-' then allow the operation unconditionally.
c47f2aba
MW
474
475 ## Find the key properties.
476 parse_keylabel "$key"
477 if [ ! -d $kdir ]; then echo >&2 "$quis: unknown key \`$key'"; exit 1; fi
478 readmeta $kdir
e9cf7079 479 read_profile $kowner "$profile"
c47f2aba
MW
480
481 ## Check whether we're allowed to do this thing. This is annoyingly
482 ## fiddly.
5cff41ea 483 case $op in -) return ;; esac
c47f2aba
MW
484 eval acl=\${kprop_acl_$op-!owner}
485 verdict=forbid
486 while :; do
487
488 ## Remove leading whitespace.
489 while :; do
490 case "$acl" in
491 [[:space:]]*) acl=${acl#?} ;;
492 *) break ;;
493 esac
494 done
495
496 ## If there's nothing left, leave.
497 case "$acl" in ?*) ;; *) break ;; esac
498
499 ## Split off the leading word.
500 case "$acl" in
501 *[[:space:]]*) word=${acl%%[[:space:]]*} acl=${acl#*[[:space:]]} ;;
502 *) word=$acl acl="" ;;
503 esac
504
505 ## See what sense it has if it matches.
506 case "$word" in
507 -*) sense=forbid rest=${word#-} ;;
508 *) sense=allow rest=$word ;;
509 esac
510
511 ## See whether the calling user matches.
512 case "$rest" in
513 !owner) pat=$kowner list=$USERV_USER ;;
514 !*) echo >&2 "$quis: unknown ACL token \`$word'" ;;
515 %*) pat=${rest#%} list="$USERV_GROUP $USERV_GID" ;;
516 *) pat=$rest list="$USERV_USER $USERV_UID" ;;
517 esac
518 matchp=nil
519 for i in $list; do case "$i" in $pat) matchp=t; break ;; esac; done
520 case $matchp in t) verdict=$sense; break ;; esac
521 done
522
523 case $verdict in
68023101 524 forbid) echo >&2 "$quis: $op access to key \`$key' forbidden"; exit 1 ;;
c47f2aba 525 esac
53263601
MW
526}
527
c47f2aba
MW
528###--------------------------------------------------------------------------
529### Crypto operations for infrastructure purposes.
530
531c_sysprofile () {
532 profile=$1
533 ## Select the profile in FILE for future crypto operations.
53263601 534
c47f2aba
MW
535 unset $(set | sed -n '/^kprop_/s/=.*$//p')
536 reqtmp
537 getsysprofile "$profile" >$tmp/profile
538 readprops $tmp/profile
53263601
MW
539}
540
c47f2aba
MW
541c_gensyskey () {
542 profile=$1 kdir=$2 knub=$3; shift 3
543 ## Generate a system key using PROFILE; store the data in KDIR and the nub
544 ## in KNUB. Remaining arguments are options.
53263601 545
c47f2aba
MW
546 c_sysprofile "$profile"
547 c_genkey "$profile" "$kdir" "$knub" : "$@"
53263601
MW
548}
549
c47f2aba
MW
550c_sysprepare () {
551 kdir=$1
552 readmeta "$kdir"
553 c_sysprofile "$profile"
554}
599c8f75 555
c47f2aba
MW
556c_sysop () {
557 op=$1 kdir=$2; shift 1
558 c_sysprepare "$kdir"
559 c_$op "$@"
599c8f75
MW
560}
561
c47f2aba
MW
562c_sysencrypt () { c_sysop encrypt "$1" /dev/null; }
563c_sysdecrypt () { c_sysop decrypt "$1" "$2"; }
564c_syssign () { c_sysop sign "$1" "$2"; }
565c_sysverify () { c_sysop verify "$1" /dev/null; }
566
567###--------------------------------------------------------------------------
568### Recovery operations.
569
2661d8aa
MW
570sharethresh () {
571 pf=$1
572 ## Return the sharing threshold from the parameter file PARAM.
573
574 read param <"$pf"
575 case "$param" in
576 shamir-params:*) ;;
577 *)
578 echo >&2 "$quis: secret sharing parameter file damaged (wrong header)"
579 exit 1
580 ;;
581 esac
582 t=";${param#*:}"
583 case "$t" in
584 *";t="*) ;;
585 *)
586 echo >&2 "$quis: secret sharing parameter file damaged (missing t)"
587 exit 1
588 ;;
589 esac
590 t=${t#*;t=}
591 t=${t%%;*}
592 echo "$t"
593}
594
c47f2aba
MW
595stash () {
596 recov=$1 label=$2
597 ## Stash a copy of stdin encrypted under the recovery key RECOV, with a
598 ## given LABEL.
599 checkword "recovery key label" "$recov"
600 checklabel "secret" "$label"
601
602 rdir=$KEYS/recov/$recov/current
603 if [ ! -d $rdir/store ]; then
604 echo >&2 "$quis: unknown recovery key \`$recov'"
605 exit 1
606 fi
607 case $label in */*) mkdir -m755 -p $rdir/${label%/*} ;; esac
608 (c_sysencrypt $rdir/store >$rdir/$label.new)
609 mv $rdir/$label.new $rdir/$label.recov
610}
599c8f75 611
c47f2aba
MW
612recover () {
613 recov=$1 label=$2
614 ## Recover a stashed secret, protected by RECOV and stored as LABEL, and
615 ## write it to stdout.
616 checkword "recovery key label" "$recov"
617 checklabel "secret" "$label"
618
619 rdir=$KEYS/recov/$recov/current
620 if [ ! -f $rdir/$label.recov ]; then
621 echo >&2 "$quis: no blob for \`$label' under recovery key \`$recov'"
622 exit 1
623 fi
624 reqsafe
625 nub=$SAFE/keys.reveal/$recov.current/nub
626 if [ ! -f $nub ]; then
627 echo >&2 "$quis: current recovery key \`$recov' not revealed"
628 exit 1;
629 fi
630 mktmp
631 c_sysdecrypt $rdir/store $nub <$rdir/$label.recov
599c8f75
MW
632}
633
53263601
MW
634###--------------------------------------------------------------------------
635### Help text.
636
c47f2aba
MW
637defhelp () {
638 read umsg
639 usage="usage: $quis${umsg+ }$umsg"
640 help=$(cat)
641 case "$KEYS_HELP" in t) help; exit ;; esac
53263601
MW
642}
643
53263601
MW
644help () { showhelp; }
645showhelp () {
646 cat <<EOF
647$usage
648
649$help
650EOF
651}
652
c47f2aba
MW
653usage_err () { echo >&2 "$usage"; exit 1; }
654
655###--------------------------------------------------------------------------
656### Subcommand handling.
657
658version () {
659 echo "$PACKAGE version $VERSION"
660}
661
662cmd_help () {
663 rc=0
664 version
665 case $# in
666 0)
667 cat <<EOF
668
669$usage
670
671Options:
672 -h Show this help text.
673 -v Show the program version number.
674
675Commands installed:
676EOF
677 cd "$KEYSLIB"
678 for i in $prefix.*; do
679 if [ ! -x "$i" ]; then continue; fi
680 sed -n "/<<HELP/{n;s/^/ ${i#$prefix.} /;p;q;}" "$i"
681 done
682 ;;
683 *)
684 for i in "$@"; do
685 echo
686 if [ ! -x "$KEYSLIB/$prefix.$i" ]; then
687 echo >&2 "$quis: unrecognized command \`$i'"
688 rc=1
689 continue
690 elif ! KEYS_HELP=t "$KEYSLIB/$prefix.$i"; then
691 rc=1
692 fi
693 done
694 ;;
695 esac
696 return $rc
697}
698
699dispatch () {
700 case $# in 0) echo >&2 "$usage"; exit 1 ;; esac
701 cmd=$1; shift
702 case "$cmd" in help) cmd_help "$@"; exit ;; esac
703 if [ ! -x "$KEYSLIB/$prefix.$cmd" ]; then
704 echo >&2 "$quis: unrecognized command \`$cmd'"
705 exit 1
706 fi
707
708 unset KEYS_HELP
709 exec "$KEYSLIB/$prefix.$cmd" "$@"
710}
711
53263601 712###----- That's all, folks --------------------------------------------------