| 1 | ### -*-sh-*- |
| 2 | ### |
| 3 | ### Common key management functions. |
| 4 | ### |
| 5 | ### (c) 2011 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This file is part of the distorted.org.uk key management suite. |
| 11 | ### |
| 12 | ### distorted-keys is free software; you can redistribute it and/or modify |
| 13 | ### it under the terms of the GNU General Public License as published by |
| 14 | ### the Free Software Foundation; either version 2 of the License, or |
| 15 | ### (at your option) any later version. |
| 16 | ### |
| 17 | ### distorted-keys is distributed in the hope that it will be useful, |
| 18 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 19 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 20 | ### GNU General Public License for more details. |
| 21 | ### |
| 22 | ### You should have received a copy of the GNU General Public License |
| 23 | ### along with distorted-keys; if not, write to the Free Software Foundation, |
| 24 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 25 | |
| 26 | quis=${0##*/} |
| 27 | |
| 28 | ###-------------------------------------------------------------------------- |
| 29 | ### Configuration variables. |
| 30 | |
| 31 | ## Automatically configured pathnames. |
| 32 | PACKAGE="@PACKAGE@" VERSION="@VERSION@" |
| 33 | bindir="@bindir@" |
| 34 | |
| 35 | ## Read user configuration. |
| 36 | if [ -f $ETC/keys.conf ]; then . $ETC/keys.conf; fi |
| 37 | |
| 38 | ## Maybe turn on debugging. |
| 39 | case "${KEYS_DEBUG+t}" in t) set -x ;; esac |
| 40 | |
| 41 | ## Fake up caller credentials if not called via userv. |
| 42 | case "${USERV_USER+t}" in |
| 43 | t) ;; |
| 44 | *) USERV_USER=${LOGNAME-${USER-$(id -un)}} USERV_UID=$(id -u) ;; |
| 45 | esac |
| 46 | case "${USERV_GROUP+t}" in |
| 47 | t) ;; |
| 48 | *) USERV_GROUP=$(id -Gn) USERV_GID=$(id -gn) ;; |
| 49 | esac |
| 50 | |
| 51 | ###-------------------------------------------------------------------------- |
| 52 | ### Cleanup handling. |
| 53 | |
| 54 | cleanups="" |
| 55 | cleanup () { cleanups=${cleanups+$cleanups }$1; } |
| 56 | runcleanups () { for i in $cleanups; do $i; done; } |
| 57 | trap 'rc=$?; runcleanups; exit $rc' EXIT |
| 58 | trap 'trap "" EXIT; runcleanups; exit 127' INT TERM |
| 59 | |
| 60 | ###-------------------------------------------------------------------------- |
| 61 | ### Utility functions. |
| 62 | |
| 63 | reqsafe () { |
| 64 | ## Fail unless a safe directory is set. |
| 65 | |
| 66 | err="$quis: (CONFIGURATION ERROR)" |
| 67 | case ${SAFE+t} in |
| 68 | t) ;; |
| 69 | *) echo >&2 "$err: no SAFE directory"; exit 1 ;; |
| 70 | esac |
| 71 | if [ ! -d "$SAFE" ]; then |
| 72 | echo >&2 "$err: SAFE path \`$SAFE' isn't a directory" |
| 73 | exit 1 |
| 74 | fi |
| 75 | case "$SAFE" in |
| 76 | [!/]* | *[][[:space:]*?]*) |
| 77 | echo >&2 "$err: SAFE path \`$SAFE' contains bad characters" |
| 78 | exit 1 |
| 79 | ;; |
| 80 | esac |
| 81 | ls -ld "$SAFE" | { |
| 82 | me=$(id -un) |
| 83 | read perm _ user stuff |
| 84 | case "$perm:$user" in |
| 85 | d???------:"$me") ;; |
| 86 | *) |
| 87 | echo >&2 "$err: SAFE path \`$SAFE' has bad owner or permissions" |
| 88 | exit 1 |
| 89 | ;; |
| 90 | esac |
| 91 | } |
| 92 | } |
| 93 | |
| 94 | ## Temporary directory. |
| 95 | unset tmp |
| 96 | rmtmp () { case ${tmp+t} in t) cd /; rm -rf $tmp ;; esac; } |
| 97 | cleanup rmtmp |
| 98 | mktmp () { |
| 99 | ## Make a temporary directory and store its name in `tmp'. |
| 100 | |
| 101 | case "${tmp+t}" in t) return ;; esac |
| 102 | reqsafe |
| 103 | tmp="$SAFE/keys.tmp.$$" |
| 104 | rm -rf "$tmp" |
| 105 | mkdir -m700 "$tmp" |
| 106 | } |
| 107 | |
| 108 | reqtmp () { |
| 109 | ## Fail unless a temporary directory is set. |
| 110 | |
| 111 | case ${tmp+t} in |
| 112 | t) ;; |
| 113 | *) echo >&2 "$quis (INTERNAL): no tmp directory set"; exit 127 ;; |
| 114 | esac |
| 115 | } |
| 116 | |
| 117 | parse_keylabel () { |
| 118 | key=$1 |
| 119 | ## Parse the key label string KEY. Set `kdir' to the base path to use for |
| 120 | ## the key's storage, and `kowner' to the key owner's name. |
| 121 | |
| 122 | case "$key" in |
| 123 | *:*) kowner=${key%%:*} klabel=${key#*:} ;; |
| 124 | *) kowner=$USERV_USER klabel=$key ;; |
| 125 | esac |
| 126 | checkword "key owner name" "$kowner" |
| 127 | checklabel "key" "$klabel" |
| 128 | kdir=$KEYS/store/$kowner/$klabel |
| 129 | knub=$KEYS/nub/$kowner/$klabel |
| 130 | } |
| 131 | |
| 132 | runas () { |
| 133 | user=$1 service=$2; shift 2 |
| 134 | ## If the current (effective) user is not USER then reinvoke via `userv', |
| 135 | ## as the specified service, with the remaining arguments. |
| 136 | |
| 137 | case $(id -un) in |
| 138 | "$user") ;; |
| 139 | *) exec userv "$user" "$service" "$@" ;; |
| 140 | esac |
| 141 | } |
| 142 | |
| 143 | ###-------------------------------------------------------------------------- |
| 144 | ### Input validation functions. |
| 145 | |
| 146 | nl=" |
| 147 | " |
| 148 | check () { |
| 149 | ckwhat=$1 ckpat=$2 thing=$3 |
| 150 | ## Verify that THING matches the (anchored, basic) regular expression |
| 151 | ## CKPAT. Since matching newlines is hard to do portably, also check that |
| 152 | ## THING doesn't contain any. If the checks fail, report an error and |
| 153 | ## exit. |
| 154 | |
| 155 | validp=t |
| 156 | case "$thing" in |
| 157 | *"$nl"*) |
| 158 | validp=nil |
| 159 | ;; |
| 160 | *) |
| 161 | if ! expr >/dev/null "Q$thing" : "\(Q$ckpat\)\$"; then |
| 162 | validp=nil |
| 163 | fi |
| 164 | ;; |
| 165 | esac |
| 166 | case $validp in |
| 167 | nil) echo >&2 "$quis: bad $ckwhat \`$thing'"; exit 1 ;; |
| 168 | esac |
| 169 | } |
| 170 | |
| 171 | ## Regular expressions for validating input. |
| 172 | R_IDENTCHARS="A-Za-z0-9_" |
| 173 | R_GOODPUNCT="!%@+=" |
| 174 | R_WORDCHARS="-$R_IDENTCHARS$R_GOODPUNCT" |
| 175 | R_IDENT="[$R_IDENTCHARS][$R_IDENTCHARS]*" |
| 176 | R_WORD="[$R_WORDCHARS][$R_WORDCHARS]*" |
| 177 | R_ACLCHARS="][$R_IDENTCHARS$R_GOODPUNCT*?:.#" |
| 178 | R_WORDSEQ="[$R_WORDCHARS[:space:]][$R_WORDCHARS[:space:]]*" |
| 179 | R_ACL="[$R_ACLCHARS[:space:]-][$R_ACLCHARS[:space:]-]*" |
| 180 | R_NUMERIC='\(\([1-9][0-9]*\)\{0,1\}0\{0,1\}\)' |
| 181 | R_LABEL="\($R_WORD\(/$R_WORD\)*\)" |
| 182 | R_LINE=".*" |
| 183 | |
| 184 | ## Various validation functions. |
| 185 | checknumber () { check "$1" "$R_NUMERIC" "$2"; } |
| 186 | checkident () { check "$1" "$R_IDENT" "$2"; } |
| 187 | checkword () { check "$1" "$R_WORD" "$2"; } |
| 188 | checklabel () { check "$1 label" "$R_LABEL" "$2"; } |
| 189 | |
| 190 | ###-------------------------------------------------------------------------- |
| 191 | ### Key storage and properties. |
| 192 | |
| 193 | getsysprofile () { |
| 194 | profile=$1 |
| 195 | ## Write the named system PROFILE to standard output. |
| 196 | |
| 197 | $bindir/extract-profile "$profile" $ETC/profile.d/ |
| 198 | } |
| 199 | |
| 200 | setprops () { |
| 201 | what=$1 prefix=$2; shift 2 |
| 202 | ## Set variables based on the NAME=VALUE assignments in the arguments. The |
| 203 | ## value for property NAME is stored in the shell variable PREFIX_NAME. |
| 204 | |
| 205 | for assg in "$@"; do |
| 206 | goodp=t |
| 207 | case "$assg" in |
| 208 | *\=*) name=${assg%%=*} value=${assg#*=} ;; |
| 209 | *) goodp=nil ;; |
| 210 | esac |
| 211 | case "$goodp,$name" in t,*[!0-9A-Za-z_]*=*) goodp=nil ;; esac |
| 212 | case "$goodp" in |
| 213 | nil) echo >&2 "$quis: bad $what assignment \`$assg'"; exit 1 ;; |
| 214 | esac |
| 215 | eval "$prefix$name=\$value" |
| 216 | done |
| 217 | } |
| 218 | |
| 219 | checkprops () { |
| 220 | whatprop=$1 prefix=$2; shift 2 |
| 221 | ## Check that property variables are set in accordance with the remaining |
| 222 | ## TABLE arguments. Each row of TABLE has the form |
| 223 | ## |
| 224 | ## NAME OMIT PAT |
| 225 | ## |
| 226 | ## A table row is satisfied if there is a variable PREFIXNAME whose value |
| 227 | ## matces the (basic) regular expression PAT, or if the variable is unset |
| 228 | ## and OMIT is `t'. |
| 229 | |
| 230 | for table in "$@"; do |
| 231 | case "$table" in ?*) ;; *) continue ;; esac |
| 232 | while read -r name omit pat; do |
| 233 | eval foundp=\${$prefix$name+t} |
| 234 | case "$foundp,$omit" in |
| 235 | ,t) continue ;; |
| 236 | ,nil) |
| 237 | echo >&2 "$quis: missing $whatprop \`$name' required" |
| 238 | exit 1 |
| 239 | ;; |
| 240 | esac |
| 241 | eval value=\$$prefix$name |
| 242 | check "value for $whatprop \`$name'" "$pat" "$value" |
| 243 | done <<EOF |
| 244 | $table |
| 245 | EOF |
| 246 | done |
| 247 | } |
| 248 | |
| 249 | dumpprops () { |
| 250 | prefix=$1 |
| 251 | ## Write the properties stored in the variables beginning with PREFIX. |
| 252 | |
| 253 | set | sed -n "/^$prefix/{s/=.*\$//;p}" | sort | while read name; do |
| 254 | eval value=\$$name |
| 255 | echo "${name#$prefix}=$value" |
| 256 | done |
| 257 | } |
| 258 | |
| 259 | defprops () { |
| 260 | name=$1 |
| 261 | ## Define a properties table NAME. |
| 262 | |
| 263 | table=$(cat) |
| 264 | eval $name=\$table |
| 265 | } |
| 266 | |
| 267 | defprops g_props <<EOF |
| 268 | type nil $R_IDENT |
| 269 | recovery t $R_WORDSEQ |
| 270 | random t $R_WORD |
| 271 | nub_hash t $R_WORD |
| 272 | nubid_hash t $R_WORD |
| 273 | nub_random_bytes t $R_NUMERIC |
| 274 | acl_encrypt t $R_ACL |
| 275 | acl_decrypt t $R_ACL |
| 276 | acl_sign t $R_ACL |
| 277 | acl_verify t $R_ACL |
| 278 | acl_info t $R_ACL |
| 279 | EOF |
| 280 | |
| 281 | readprops () { |
| 282 | file=$1 |
| 283 | ## Read a profile from a file. This doesn't check the form of the |
| 284 | ## filename, so it's not suitable for unchecked input. Properties are set |
| 285 | ## using `setprops' with prefix `kprop_'. |
| 286 | |
| 287 | ## Parse the settings from the file. |
| 288 | exec 3<"$file" |
| 289 | while read line; do |
| 290 | case "$line" in "" | \#*) continue ;; esac |
| 291 | setprops "property" kprop_ "$line" |
| 292 | done <&3 |
| 293 | exec 3>&- |
| 294 | checkprops "property" kprop_ "$g_props" |
| 295 | |
| 296 | ## Fetch the key-type handling library. |
| 297 | if [ ! -f $KEYSLIB/ktype.$kprop_type ]; then |
| 298 | echo >&2 "$quis: unknown key type \`$kprop_type'" |
| 299 | exit 1 |
| 300 | fi |
| 301 | . $KEYSLIB/ktype.$kprop_type |
| 302 | checkprops "property" kprop_ "$k_props" |
| 303 | } |
| 304 | |
| 305 | readmeta () { |
| 306 | kdir=$1 |
| 307 | ## Read key metadata from KDIR. |
| 308 | |
| 309 | { read profile; } <"$kdir"/meta |
| 310 | } |
| 311 | |
| 312 | makenub () { |
| 313 | ## Generate a key nub in the default way, and write it to standard output. |
| 314 | ## The properties `random', `nub_random_bytes' and `nub_hash' are referred |
| 315 | ## to. |
| 316 | |
| 317 | dd 2>/dev/null \ |
| 318 | if=/dev/${kprop_random-random} bs=1 count=${kprop_nub_random_bytes-64} | |
| 319 | openssl dgst -${kprop_nub_hash-sha256} -binary | |
| 320 | openssl base64 |
| 321 | } |
| 322 | |
| 323 | nubid () { |
| 324 | ## Compute a hash of the key nub in stdin, and write it to stdout in hex. |
| 325 | ## The property `nubid_hash' is used. |
| 326 | |
| 327 | ## Stupid dance because the output incompatibly grew a filename, in order |
| 328 | ## to demonstrate the same idiocy as GNU mumblesum. |
| 329 | set _ $({ echo "distorted-keys nubid"; cat -; } | |
| 330 | openssl dgst -${kprop_nubid_hash-sha256}) |
| 331 | if [ $# -gt 2 ]; then shift; fi |
| 332 | echo $2 |
| 333 | } |
| 334 | |
| 335 | subst () { |
| 336 | what=$1 templ=$2 prefix=$3 pat=$4 |
| 337 | ## Substitute option values into the template TEMPL. Each occurrence of |
| 338 | ## %{VAR} is replaced by the value of the variable PREFIXVAR. Finally, an |
| 339 | ## error is reported unless the final value matches the regular expression |
| 340 | ## PAT. |
| 341 | |
| 342 | out="" |
| 343 | rest=$templ |
| 344 | while :; do |
| 345 | |
| 346 | ## If there are no more markers to substitute, then finish. |
| 347 | case "$rest" in *"%{"*"}"*) ;; *) out=$out$rest; break ;; esac |
| 348 | |
| 349 | ## Split the template into three parts. |
| 350 | left=${rest%%\%\{*} right=${rest#*\%\{} |
| 351 | var=${right%%\}*} rest=${right#*\}} |
| 352 | case "$var" in |
| 353 | *-*) default=${var#*-} var=${var%%-*} defaultp=t ;; |
| 354 | *) defaultp=nil ;; |
| 355 | esac |
| 356 | |
| 357 | ## Find the variable value. |
| 358 | checkident "template variable name" "$var" |
| 359 | eval foundp=\${$prefix$var+t} |
| 360 | case $foundp,$defaultp in |
| 361 | t,*) eval value=\$$prefix$var ;; |
| 362 | ,t) value=$default ;; |
| 363 | *) |
| 364 | echo >&2 "$quis: option \`$var' unset, used in template \`$templ'" |
| 365 | exit 1 |
| 366 | ;; |
| 367 | esac |
| 368 | |
| 369 | ## Do the substitution. |
| 370 | out=$out$left$value |
| 371 | done |
| 372 | |
| 373 | ## Check the final result. |
| 374 | check "$what" "$pat" "$out" |
| 375 | |
| 376 | ## Done. |
| 377 | echo "$out" |
| 378 | } |
| 379 | |
| 380 | read_profile () { |
| 381 | owner=$1 profile=$2 |
| 382 | ## Read property settings from a profile. The PROFILE name has the form |
| 383 | ## [USER:]LABEL; USER defaults to OWNER. Properties are set using |
| 384 | ## `setprops' with prefix `kprop_'. |
| 385 | |
| 386 | reqtmp |
| 387 | case "$profile" in |
| 388 | :*) |
| 389 | label=${profile#:} uservp=nil |
| 390 | ;; |
| 391 | *) |
| 392 | user=$kowner label=$profile uservp=t |
| 393 | ;; |
| 394 | *:*) |
| 395 | user=${profile%%:*} label=${profile#*:} uservp=t |
| 396 | ;; |
| 397 | esac |
| 398 | checkword "profile label" "$label" |
| 399 | |
| 400 | ## Fetch the profile settings from the user. |
| 401 | reqtmp |
| 402 | case $uservp in |
| 403 | t) |
| 404 | checkword "profile user" "$user" |
| 405 | userv "$user" cryptop-profile "$label" >$tmp/profile </dev/null |
| 406 | ;; |
| 407 | nil) |
| 408 | $bindir/extract-profile "$label" $ETC/profile.d/ >$tmp/profile |
| 409 | ;; |
| 410 | esac |
| 411 | |
| 412 | ## Read the file. |
| 413 | readprops $tmp/profile |
| 414 | } |
| 415 | |
| 416 | ###-------------------------------------------------------------------------- |
| 417 | ### General crypto operations. |
| 418 | |
| 419 | c_genkey () { |
| 420 | profile=$1 kdir=$2 knub=$3 hook=$4; shift 4 |
| 421 | ## Generate a key, and associate it with the named PROFILE (which is |
| 422 | ## assumed already to have been read!); store the main data in KDIR, and |
| 423 | ## the nub separately in the file KNUB; run HOOK after generation, passing |
| 424 | ## it the working key directory and nub file. Remaining arguments are |
| 425 | ## options to the key type. |
| 426 | |
| 427 | ## Set options and check them. |
| 428 | setprops "option" kopt_ "$@" |
| 429 | checkprops "option" kopt_ "$k_genopts" |
| 430 | |
| 431 | ## Create directory structure and start writing metadata. |
| 432 | rm -rf "$kdir.new" |
| 433 | mkdir -m755 -p "$kdir.new" |
| 434 | case "$knub" in */*) mkdir -m700 -p "${knub%/*}" ;; esac |
| 435 | cat >"$kdir.new/meta" <<EOF |
| 436 | $profile |
| 437 | EOF |
| 438 | |
| 439 | ## Generate the key. |
| 440 | umask=$(umask); umask 077; >"$knub.new"; umask $umask |
| 441 | k_generate "$kdir.new" "$knub.new" |
| 442 | $hook "$kdir.new" "$knub.new" |
| 443 | |
| 444 | ## Hash the nub. |
| 445 | nubid <"$knub.new" >"$kdir.new/nubid" |
| 446 | |
| 447 | ## Juggle everything into place. Doing this atomically is very difficult, |
| 448 | ## and requires more machinery than I can really justify here. If |
| 449 | ## something goes wrong halfway, it should always be possible to fix it, |
| 450 | ## either by backing out (if $kdir.new still exists) or pressing on |
| 451 | ## forwards (if not). |
| 452 | rm -rf "$kdir.old" |
| 453 | if [ -e "$kdir" ]; then mv "$kdir" "$kdir.old"; fi |
| 454 | mv "$kdir.new" "$kdir" |
| 455 | mv "$knub.new" "$knub" |
| 456 | rm -rf "$kdir.old" |
| 457 | } |
| 458 | |
| 459 | c_encrypt () { k_encrypt "$@"; } |
| 460 | c_decrypt () { |
| 461 | if k_decrypt "$@" >$tmp/plain; then cat $tmp/plain |
| 462 | else return $? |
| 463 | fi |
| 464 | } |
| 465 | c_sign () { k_sign "$@"; } |
| 466 | c_verify () { k_verify "$@"; } |
| 467 | |
| 468 | ## Stub implementations. |
| 469 | notsupp () { op=$1; echo >&2 "$quis: operation \`$op' not supported"; } |
| 470 | k_info () { :; } |
| 471 | k_import () { :; } |
| 472 | k_encrypt () { notsupp encrypt; } |
| 473 | k_decrypt () { notsupp decrypt; } |
| 474 | k_sign () { notsupp sign; } |
| 475 | k_verify () { notsupp verify; } |
| 476 | |
| 477 | prepare () { |
| 478 | key=$1 op=$2 |
| 479 | ## Prepare for a crypto operation OP, using the KEY. This validates the |
| 480 | ## key label, reads the profile, and checks the access-control list. If OP |
| 481 | ## is `-' then allow the operation unconditionally. |
| 482 | |
| 483 | ## Find the key properties. |
| 484 | parse_keylabel "$key" |
| 485 | if [ ! -d $kdir ]; then echo >&2 "$quis: unknown key \`$key'"; exit 1; fi |
| 486 | readmeta $kdir |
| 487 | read_profile $kowner "$profile" |
| 488 | |
| 489 | ## Check whether we're allowed to do this thing. This is annoyingly |
| 490 | ## fiddly. |
| 491 | case $op in -) return ;; esac |
| 492 | eval acl=\${kprop_acl_$op-!owner} |
| 493 | verdict=forbid |
| 494 | while :; do |
| 495 | |
| 496 | ## Remove leading whitespace. |
| 497 | while :; do |
| 498 | case "$acl" in |
| 499 | [[:space:]]*) acl=${acl#?} ;; |
| 500 | *) break ;; |
| 501 | esac |
| 502 | done |
| 503 | |
| 504 | ## If there's nothing left, leave. |
| 505 | case "$acl" in ?*) ;; *) break ;; esac |
| 506 | |
| 507 | ## Split off the leading word. |
| 508 | case "$acl" in |
| 509 | *[[:space:]]*) word=${acl%%[[:space:]]*} acl=${acl#*[[:space:]]} ;; |
| 510 | *) word=$acl acl="" ;; |
| 511 | esac |
| 512 | |
| 513 | ## See what sense it has if it matches. |
| 514 | case "$word" in |
| 515 | -*) sense=forbid rest=${word#-} ;; |
| 516 | *) sense=allow rest=$word ;; |
| 517 | esac |
| 518 | |
| 519 | ## See whether the calling user matches. |
| 520 | case "$rest" in |
| 521 | !owner) pat=$kowner list=$USERV_USER ;; |
| 522 | !*) echo >&2 "$quis: unknown ACL token \`$word'" ;; |
| 523 | %*) pat=${rest#%} list="$USERV_GROUP $USERV_GID" ;; |
| 524 | *) pat=$rest list="$USERV_USER $USERV_UID" ;; |
| 525 | esac |
| 526 | matchp=nil |
| 527 | for i in $list; do case "$i" in $pat) matchp=t; break ;; esac; done |
| 528 | case $matchp in t) verdict=$sense; break ;; esac |
| 529 | done |
| 530 | |
| 531 | case $verdict in |
| 532 | forbid) echo >&2 "$quis: $op access to key \`$key' forbidden"; exit 1 ;; |
| 533 | esac |
| 534 | } |
| 535 | |
| 536 | ###-------------------------------------------------------------------------- |
| 537 | ### Crypto operations for infrastructure purposes. |
| 538 | |
| 539 | c_sysprofile () { |
| 540 | profile=$1 |
| 541 | ## Select the profile in FILE for future crypto operations. |
| 542 | |
| 543 | unset $(set | sed -n '/^kprop_/s/=.*$//p') |
| 544 | reqtmp |
| 545 | getsysprofile "$profile" >$tmp/profile |
| 546 | readprops $tmp/profile |
| 547 | } |
| 548 | |
| 549 | c_gensyskey () { |
| 550 | profile=$1 kdir=$2 knub=$3; shift 3 |
| 551 | ## Generate a system key using PROFILE; store the data in KDIR and the nub |
| 552 | ## in KNUB. Remaining arguments are options. |
| 553 | |
| 554 | c_sysprofile "$profile" |
| 555 | c_genkey "$profile" "$kdir" "$knub" : "$@" |
| 556 | } |
| 557 | |
| 558 | c_sysprepare () { |
| 559 | kdir=$1 |
| 560 | readmeta "$kdir" |
| 561 | c_sysprofile "$profile" |
| 562 | } |
| 563 | |
| 564 | c_sysop () { |
| 565 | op=$1 kdir=$2; shift 1 |
| 566 | c_sysprepare "$kdir" |
| 567 | c_$op "$@" |
| 568 | } |
| 569 | |
| 570 | c_sysencrypt () { c_sysop encrypt "$1" /dev/null; } |
| 571 | c_sysdecrypt () { c_sysop decrypt "$1" "$2"; } |
| 572 | c_syssign () { c_sysop sign "$1" "$2"; } |
| 573 | c_sysverify () { c_sysop verify "$1" /dev/null; } |
| 574 | |
| 575 | ###-------------------------------------------------------------------------- |
| 576 | ### Recovery operations. |
| 577 | |
| 578 | sharethresh () { |
| 579 | pf=$1 |
| 580 | ## Return the sharing threshold from the parameter file PARAM. |
| 581 | |
| 582 | read param <"$pf" |
| 583 | case "$param" in |
| 584 | shamir-params:*) ;; |
| 585 | *) |
| 586 | echo >&2 "$quis: secret sharing parameter file damaged (wrong header)" |
| 587 | exit 1 |
| 588 | ;; |
| 589 | esac |
| 590 | t=";${param#*:}" |
| 591 | case "$t" in |
| 592 | *";t="*) ;; |
| 593 | *) |
| 594 | echo >&2 "$quis: secret sharing parameter file damaged (missing t)" |
| 595 | exit 1 |
| 596 | ;; |
| 597 | esac |
| 598 | t=${t#*;t=} |
| 599 | t=${t%%;*} |
| 600 | echo "$t" |
| 601 | } |
| 602 | |
| 603 | stash () { |
| 604 | recov=$1 label=$2 |
| 605 | ## Stash a copy of stdin encrypted under the recovery key RECOV, with a |
| 606 | ## given LABEL. |
| 607 | checkword "recovery key label" "$recov" |
| 608 | checklabel "secret" "$label" |
| 609 | |
| 610 | rdir=$KEYS/recov/$recov/current |
| 611 | if [ ! -d $rdir/store ]; then |
| 612 | echo >&2 "$quis: unknown recovery key \`$recov'" |
| 613 | exit 1 |
| 614 | fi |
| 615 | case $label in */*) mkdir -m755 -p $rdir/${label%/*} ;; esac |
| 616 | (c_sysencrypt $rdir/store >$rdir/$label.new) |
| 617 | mv $rdir/$label.new $rdir/$label.recov |
| 618 | } |
| 619 | |
| 620 | recover () { |
| 621 | recov=$1 inst=$2 label=$3 |
| 622 | ## Recover a stashed secret, protected by RECOV and stored as LABEL, and |
| 623 | ## write it to stdout. |
| 624 | checkword "recovery key label" "$recov" |
| 625 | checkword "recovery instance" "$inst" |
| 626 | checklabel "secret" "$label" |
| 627 | |
| 628 | rdir=$KEYS/recov/$recov/$inst |
| 629 | if [ ! -f $rdir/$label.recov ]; then |
| 630 | echo >&2 "$quis: recovery key \`$recov/$inst' has no blob for \`$label'" |
| 631 | exit 1 |
| 632 | fi |
| 633 | reqsafe |
| 634 | tag=$recov.$inst |
| 635 | nub=$SAFE/keys.reveal/$tag/nub |
| 636 | if [ ! -f $nub ]; then |
| 637 | echo >&2 "$quis: recovery key \`$recov/$inst' not revealed" |
| 638 | exit 1; |
| 639 | fi |
| 640 | mktmp |
| 641 | c_sysdecrypt $rdir/store $nub <$rdir/$label.recov |
| 642 | } |
| 643 | |
| 644 | ###-------------------------------------------------------------------------- |
| 645 | ### Help text. |
| 646 | |
| 647 | defhelp () { |
| 648 | read umsg |
| 649 | usage=$umsg |
| 650 | help=$(cat) |
| 651 | case "$KEYS_HELP" in t) help; exit ;; esac |
| 652 | } |
| 653 | |
| 654 | help () { showhelp; } |
| 655 | showhelp () { |
| 656 | cat <<EOF |
| 657 | Usage: $quis${usage:+ $usage} |
| 658 | |
| 659 | $help |
| 660 | EOF |
| 661 | } |
| 662 | |
| 663 | usage () { |
| 664 | : ${cmdargs=$usage} |
| 665 | echo "usage: $quis${cmdname:+ $cmdname}${cmdargs:+ $cmdargs}" |
| 666 | } |
| 667 | usage_err () { usage >&2; exit 1; } |
| 668 | |
| 669 | ###-------------------------------------------------------------------------- |
| 670 | ### Subcommand handling. |
| 671 | |
| 672 | version () { |
| 673 | echo "$quis, $PACKAGE version $VERSION" |
| 674 | } |
| 675 | |
| 676 | unset cmdargs |
| 677 | unset cmdname |
| 678 | cmds="" |
| 679 | defcmd () { |
| 680 | cmd=$1; shift; args=$* |
| 681 | help=$(cat) |
| 682 | eval help_$cmd=\$help |
| 683 | cmds="${cmds:+$cmds |
| 684 | }$cmd $args" |
| 685 | } |
| 686 | |
| 687 | defcmd help "[COMMAND ...]" <<EOF |
| 688 | Show help about the COMMANDs, or about $quis if none are named. |
| 689 | EOF |
| 690 | cmd_help () { |
| 691 | rc=0 |
| 692 | version |
| 693 | case $# in |
| 694 | 0) |
| 695 | cat <<EOF |
| 696 | |
| 697 | Usage: $quis${usage:+ $usage} |
| 698 | |
| 699 | Options: |
| 700 | -h Show this help text. |
| 701 | -v Show the program version number. |
| 702 | |
| 703 | Commands provided: |
| 704 | EOF |
| 705 | while read cmd args; do echo " $cmd${args:+ $args}"; done <<EOF |
| 706 | $cmds |
| 707 | EOF |
| 708 | case ${prefix+t} in |
| 709 | t) |
| 710 | cd $KEYSLIB |
| 711 | for i in $prefix.*; do |
| 712 | if [ ! -x "$i" ]; then continue; fi |
| 713 | sed -n "/<<HELP/{n;s/^/ ${i#$prefix.} /;p;q;}" "$i" |
| 714 | done |
| 715 | ;; |
| 716 | esac |
| 717 | ;; |
| 718 | *) |
| 719 | for cmd in "$@"; do |
| 720 | echo |
| 721 | foundp=nil |
| 722 | while read cmdname cmdargs; do |
| 723 | case $cmdname in "$cmd") foundp=t; break ;; esac |
| 724 | done <<EOF |
| 725 | $cmds |
| 726 | EOF |
| 727 | case $foundp in |
| 728 | t) |
| 729 | eval help=\$help_$cmdname; echo "$help" |
| 730 | ;; |
| 731 | nil) |
| 732 | if [ ! -x "$KEYSLIB/$prefix.$cmd" ]; then |
| 733 | echo >&2 "$quis: unrecognized command \`$cmd'" |
| 734 | rc=1 |
| 735 | continue |
| 736 | elif ! KEYS_HELP=t "$KEYSLIB/$prefix.$cmd"; then |
| 737 | rc=1 |
| 738 | fi |
| 739 | ;; |
| 740 | esac |
| 741 | done |
| 742 | ;; |
| 743 | esac |
| 744 | return $rc |
| 745 | } |
| 746 | |
| 747 | dispatch () { |
| 748 | case $# in 0) usage_err ;; esac |
| 749 | cmd=$1; shift |
| 750 | foundp=nil |
| 751 | while read cmdname cmdargs; do |
| 752 | case $cmdname in "$cmd") foundp=t; break ;; esac |
| 753 | done <<EOF |
| 754 | $cmds |
| 755 | EOF |
| 756 | case $foundp in |
| 757 | t) |
| 758 | OPTIND=1 |
| 759 | cmd_$cmdname "$@" |
| 760 | ;; |
| 761 | nil) |
| 762 | if [ ! -x "$KEYSLIB/$prefix.$cmd" ]; then |
| 763 | echo >&2 "$quis: unrecognized command \`$cmd'" |
| 764 | exit 1 |
| 765 | fi |
| 766 | unset KEYS_HELP |
| 767 | exec "$KEYSLIB/$prefix.$cmd" "$@" |
| 768 | ;; |
| 769 | esac |
| 770 | } |
| 771 | |
| 772 | ###----- That's all, folks -------------------------------------------------- |