3 ### Common key management functions.
5 ### (c) 2011 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This file is part of the distorted.org.uk key management suite.
12 ### distorted-keys is free software; you can redistribute it and/or modify
13 ### it under the terms of the GNU General Public License as published by
14 ### the Free Software Foundation; either version 2 of the License, or
15 ### (at your option) any later version.
17 ### distorted-keys is distributed in the hope that it will be useful,
18 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
19 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ### GNU General Public License for more details.
22 ### You should have received a copy of the GNU General Public License
23 ### along with distorted-keys; if not, write to the Free Software Foundation,
24 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 ###--------------------------------------------------------------------------
29 ### Configuration variables.
31 ## Automatically configured pathnames.
32 PACKAGE="@PACKAGE@" VERSION="@VERSION@"
35 ## Read user configuration.
36 if [ -f $ETC/keys.conf ]; then . $ETC/keys.conf; fi
38 ## Maybe turn on debugging.
39 case "${KEYS_DEBUG+t}" in t) set -x ;; esac
41 ## Fake up caller credentials if not called via userv.
42 case "${USERV_USER+t}" in
44 *) USERV_USER=${LOGNAME-${USER-$(id -un)}} USERV_UID=$(id -u) ;;
46 case "${USERV_GROUP+t}" in
48 *) USERV_GROUP=$(id -Gn) USERV_GID=$(id -gn) ;;
51 ###--------------------------------------------------------------------------
55 cleanup () { cleanups=${cleanups+$cleanups }$1; }
56 runcleanups () { for i in $cleanups; do $i; done; }
57 trap 'rc=$?; runcleanups; exit $rc' EXIT
58 trap 'trap "" EXIT; runcleanups; exit 127' INT TERM
60 ###--------------------------------------------------------------------------
61 ### Utility functions.
64 ## Fail unless a safe directory is set.
66 err="$quis: (CONFIGURATION ERROR)"
69 *) echo >&2 "$err: no SAFE directory"; exit 1 ;;
71 if [ ! -d "$SAFE" ]; then
72 echo >&2 "$err: SAFE path \`$SAFE' isn't a directory"
76 [!/]* | *[][[:space:]*?]*)
77 echo >&2 "$err: SAFE path \`$SAFE' contains bad characters"
83 read perm _ user stuff
87 echo >&2 "$err: SAFE path \`$SAFE' has bad owner or permissions"
94 ## Temporary directory.
96 rmtmp () { case ${tmp+t} in t) cd /; rm -rf $tmp ;; esac; }
99 ## Make a temporary directory and store its name in `tmp'.
101 case "${tmp+t}" in t) return ;; esac
103 tmp="$SAFE/keys.tmp.$$"
109 ## Fail unless a temporary directory is set.
113 *) echo >&2 "$quis (INTERNAL): no tmp directory set"; exit 127 ;;
119 ## Parse the key label string KEY. Set `kdir' to the base path to use for
120 ## the key's storage, and `kowner' to the key owner's name.
123 *:*) kowner=${key%%:*} klabel=${key#*:} ;;
124 *) kowner=$USERV_USER klabel=$key ;;
126 checkword "key owner name" "$kowner"
127 checklabel "key" "$klabel"
128 kdir=$KEYS/store/$kowner/$klabel
129 knub=$KEYS/nub/$kowner/$klabel
133 user=$1 service=$2; shift 2
134 ## If the current (effective) user is not USER then reinvoke via `userv',
135 ## as the specified service, with the remaining arguments.
139 *) exec userv "$user" "$service" "$@" ;;
143 ###--------------------------------------------------------------------------
144 ### Input validation functions.
149 ckwhat=$1 ckpat=$2 thing=$3
150 ## Verify that THING matches the (anchored, basic) regular expression
151 ## CKPAT. Since matching newlines is hard to do portably, also check that
152 ## THING doesn't contain any. If the checks fail, report an error and
161 if ! expr >/dev/null "Q$thing" : "\(Q$ckpat\)\$"; then
167 nil) echo >&2 "$quis: bad $ckwhat \`$thing'"; exit 1 ;;
171 ## Regular expressions for validating input.
172 R_IDENTCHARS="A-Za-z0-9_"
174 R_WORDCHARS="-$R_IDENTCHARS$R_GOODPUNCT"
175 R_IDENT="[$R_IDENTCHARS][$R_IDENTCHARS]*"
176 R_WORD="[$R_WORDCHARS][$R_WORDCHARS]*"
177 R_ACLCHARS="][$R_IDENTCHARS$R_GOODPUNCT*?:.#"
178 R_WORDSEQ="[$R_WORDCHARS[:space:]][$R_WORDCHARS[:space:]]*"
179 R_ACL="[$R_ACLCHARS[:space:]-][$R_ACLCHARS[:space:]-]*"
180 R_NUMERIC='\(\([1-9][0-9]*\)\{0,1\}0\{0,1\}\)'
181 R_LABEL="\($R_WORD\(/$R_WORD\)*\)"
184 ## Various validation functions.
185 checknumber () { check "$1" "$R_NUMERIC" "$2"; }
186 checkident () { check "$1" "$R_IDENT" "$2"; }
187 checkword () { check "$1" "$R_WORD" "$2"; }
188 checklabel () { check "$1 label" "$R_LABEL" "$2"; }
190 ## Boolean canonification.
196 1 | y | yes | on | t | true) v=t ;;
197 0 | n | no | off | f | false | nil) v=nil ;;
198 *) echo >&2 "$quis: bad boolean $what \`$v'"; exit 1 ;;
203 ###--------------------------------------------------------------------------
204 ### Key storage and properties.
208 ## Write the named system PROFILE to standard output.
210 $bindir/extract-profile "$profile" $ETC/profile.d/
214 what=$1 prefix=$2; shift 2
215 ## Set variables based on the NAME=VALUE assignments in the arguments. The
216 ## value for property NAME is stored in the shell variable PREFIX_NAME.
221 *\=*) name=${assg%%=*} value=${assg#*=} ;;
224 case "$goodp,$name" in t,*[!0-9A-Za-z_]*=*) goodp=nil ;; esac
226 nil) echo >&2 "$quis: bad $what assignment \`$assg'"; exit 1 ;;
228 eval "$prefix$name=\$value"
233 whatprop=$1 prefix=$2; shift 2
234 ## Check that property variables are set in accordance with the remaining
235 ## TABLE arguments. Each row of TABLE has the form
239 ## A table row is satisfied if there is a variable PREFIXNAME whose value
240 ## matces the (basic) regular expression PAT, or if the variable is unset
243 for table in "$@"; do
244 case "$table" in ?*) ;; *) continue ;; esac
245 while read -r name omit pat; do
246 eval foundp=\${$prefix$name+t}
247 case "$foundp,$omit" in
250 echo >&2 "$quis: missing $whatprop \`$name' required"
254 eval value=\$$prefix$name
255 check "value for $whatprop \`$name'" "$pat" "$value"
264 ## Write the properties stored in the variables beginning with PREFIX.
266 set | sed -n "/^$prefix/{s/=.*\$//;p}" | sort | while read name; do
268 echo "${name#$prefix}=$value"
274 ## Define a properties table NAME.
280 defprops g_props <<EOF
282 recovery t $R_WORDSEQ
286 nub_random_bytes t $R_NUMERIC
296 ## Read a profile from a file. This doesn't check the form of the
297 ## filename, so it's not suitable for unchecked input. Properties are set
298 ## using `setprops' with prefix `kprop_'.
300 ## Parse the settings from the file.
303 case "$line" in "" | \#*) continue ;; esac
304 setprops "property" kprop_ "$line"
307 checkprops "property" kprop_ "$g_props"
309 ## Fetch the key-type handling library.
310 if [ ! -f $KEYSLIB/ktype.$kprop_type ]; then
311 echo >&2 "$quis: unknown key type \`$kprop_type'"
314 . $KEYSLIB/ktype.$kprop_type
315 checkprops "property" kprop_ "$k_props"
320 ## Read key metadata from KDIR.
322 { read profile; } <"$kdir"/meta
326 ## Generate a key nub in the default way, and write it to standard output.
327 ## The properties `random', `nub_random_bytes' and `nub_hash' are referred
331 if=/dev/${kprop_random-random} bs=1 count=${kprop_nub_random_bytes-64} |
332 openssl dgst -${kprop_nub_hash-sha256} -binary |
337 ## Compute a hash of the key nub in stdin, and write it to stdout in hex.
338 ## The property `nubid_hash' is used.
340 ## Stupid dance because the output incompatibly grew a filename, in order
341 ## to demonstrate the same idiocy as GNU mumblesum.
342 set _ $({ echo "distorted-keys nubid"; cat -; } |
343 openssl dgst -${kprop_nubid_hash-sha256})
344 if [ $# -gt 2 ]; then shift; fi
349 what=$1 templ=$2 prefix=$3 pat=$4
350 ## Substitute option values into the template TEMPL. Each occurrence of
351 ## %{VAR} is replaced by the value of the variable PREFIXVAR. Finally, an
352 ## error is reported unless the final value matches the regular expression
359 ## If there are no more markers to substitute, then finish.
360 case "$rest" in *"%{"*"}"*) ;; *) out=$out$rest; break ;; esac
362 ## Split the template into three parts.
363 left=${rest%%\%\{*} right=${rest#*\%\{}
364 var=${right%%\}*} rest=${right#*\}}
366 *-*) default=${var#*-} var=${var%%-*} defaultp=t ;;
370 ## Find the variable value.
371 checkident "template variable name" "$var"
372 eval foundp=\${$prefix$var+t}
373 case $foundp,$defaultp in
374 t,*) eval value=\$$prefix$var ;;
375 ,t) value=$default ;;
377 echo >&2 "$quis: option \`$var' unset, used in template \`$templ'"
382 ## Do the substitution.
386 ## Check the final result.
387 check "$what" "$pat" "$out"
395 ## Read property settings from a profile. The PROFILE name has the form
396 ## [USER:]LABEL; USER defaults to OWNER. Properties are set using
397 ## `setprops' with prefix `kprop_'.
402 label=${profile#:} uservp=nil
405 user=$kowner label=$profile uservp=t
408 user=${profile%%:*} label=${profile#*:} uservp=t
411 checkword "profile label" "$label"
413 ## Fetch the profile settings from the user.
417 checkword "profile user" "$user"
418 userv "$user" cryptop-profile "$label" >$tmp/profile </dev/null
421 $bindir/extract-profile "$label" $ETC/profile.d/ >$tmp/profile
426 readprops $tmp/profile
429 ###--------------------------------------------------------------------------
430 ### General crypto operations.
433 profile=$1 kdir=$2 knub=$3 hook=$4; shift 4
434 ## Generate a key, and associate it with the named PROFILE (which is
435 ## assumed already to have been read!); store the main data in KDIR, and
436 ## the nub separately in the file KNUB; run HOOK after generation, passing
437 ## it the working key directory and nub file. Remaining arguments are
438 ## options to the key type.
440 ## Set options and check them.
441 kopt_owner=$kowner kopt_label=$klabel
442 setprops "option" kopt_ "$@"
443 checkprops "option" kopt_ "$k_genopts"
445 ## Create directory structure and start writing metadata.
447 mkdir -m755 -p "$kdir.new"
448 case "$knub" in */*) mkdir -m755 -p "${knub%/*}" ;; esac
449 cat >"$kdir.new/meta" <<EOF
454 (umask 077; makenub >"$knub.new")
455 k_generate "$kdir.new" "$knub.new"
456 $hook "$kdir.new" "$knub.new"
459 nubid <"$knub.new" >"$kdir.new/nubid"
461 ## Juggle everything into place. Doing this atomically is very difficult,
462 ## and requires more machinery than I can really justify here. If
463 ## something goes wrong halfway, it should always be possible to fix it,
464 ## either by backing out (if $kdir.new still exists) or pressing on
465 ## forwards (if not).
467 if [ -e "$kdir" ]; then mv "$kdir" "$kdir.old"; fi
468 mv "$kdir.new" "$kdir"
469 mv "$knub.new" "$knub"
473 c_encrypt () { k_encrypt "$@"; }
475 if k_decrypt "$@" >$tmp/plain; then cat $tmp/plain
479 c_sign () { k_sign "$@"; }
480 c_verify () { k_verify "$@"; }
482 ## Stub implementations.
483 notsupp () { op=$1; echo >&2 "$quis: operation \`$op' not supported"; }
486 k_encrypt () { notsupp encrypt; }
487 k_decrypt () { notsupp decrypt; }
488 k_sign () { notsupp sign; }
489 k_verify () { notsupp verify; }
493 ## Prepare for a crypto operation OP, using the KEY. This validates the
494 ## key label, reads the profile, and checks the access-control list. If OP
495 ## is `-' then allow the operation unconditionally.
497 ## Find the key properties.
498 parse_keylabel "$key"
499 if [ ! -d $kdir ]; then echo >&2 "$quis: unknown key \`$key'"; exit 1; fi
501 read_profile $kowner "$profile"
503 ## Check whether we're allowed to do this thing. This is annoyingly
505 case $op in -) return ;; esac
506 eval acl=\${kprop_acl_$op-!owner}
510 ## Remove leading whitespace.
513 [[:space:]]*) acl=${acl#?} ;;
518 ## If there's nothing left, leave.
519 case "$acl" in ?*) ;; *) break ;; esac
521 ## Split off the leading word.
523 *[[:space:]]*) word=${acl%%[[:space:]]*} acl=${acl#*[[:space:]]} ;;
524 *) word=$acl acl="" ;;
527 ## See what sense it has if it matches.
529 -*) sense=forbid rest=${word#-} ;;
530 *) sense=allow rest=$word ;;
533 ## See whether the calling user matches.
535 !owner) pat=$kowner list=$USERV_USER ;;
536 !*) echo >&2 "$quis: unknown ACL token \`$word'" ;;
537 %*) pat=${rest#%} list="$USERV_GROUP $USERV_GID" ;;
538 *) pat=$rest list="$USERV_USER $USERV_UID" ;;
541 for i in $list; do case "$i" in $pat) matchp=t; break ;; esac; done
542 case $matchp in t) verdict=$sense; break ;; esac
546 forbid) echo >&2 "$quis: $op access to key \`$key' forbidden"; exit 1 ;;
550 ###--------------------------------------------------------------------------
551 ### Crypto operations for infrastructure purposes.
555 ## Select the profile in FILE for future crypto operations.
557 unset $(set | sed -n '/^kprop_/s/=.*$//p')
559 getsysprofile "$profile" >$tmp/profile
560 readprops $tmp/profile
564 profile=$1 kdir=$2 knub=$3; shift 3
565 ## Generate a system key using PROFILE; store the data in KDIR and the nub
566 ## in KNUB. Remaining arguments are options.
568 c_sysprofile "$profile"
569 c_genkey "$profile" "$kdir" "$knub" : "$@"
575 c_sysprofile "$profile"
579 op=$1 kdir=$2; shift 1
584 c_sysencrypt () { c_sysop encrypt "$1" /dev/null; }
585 c_sysdecrypt () { c_sysop decrypt "$1" "$2"; }
586 c_syssign () { c_sysop sign "$1" "$2"; }
587 c_sysverify () { c_sysop verify "$1" /dev/null; }
589 ###--------------------------------------------------------------------------
590 ### Recovery operations.
594 ## Return the sharing threshold from the parameter file PARAM.
600 echo >&2 "$quis: secret sharing parameter file damaged (wrong header)"
608 echo >&2 "$quis: secret sharing parameter file damaged (missing t)"
619 ## Stash a copy of stdin encrypted under the recovery key RECOV, with a
621 checkword "recovery key label" "$recov"
622 checklabel "secret" "$label"
624 rdir=$KEYS/recov/$recov/current
625 if [ ! -d $rdir/store ]; then
626 echo >&2 "$quis: unknown recovery key \`$recov'"
629 case $label in */*) mkdir -m755 -p $rdir/${label%/*} ;; esac
630 (c_sysencrypt $rdir/store >$rdir/$label.new)
631 mv $rdir/$label.new $rdir/$label.recov
635 recov=$1 inst=$2 label=$3
636 ## Recover a stashed secret, protected by RECOV and stored as LABEL, and
637 ## write it to stdout.
638 checkword "recovery key label" "$recov"
639 checkword "recovery instance" "$inst"
640 checklabel "secret" "$label"
642 rdir=$KEYS/recov/$recov/$inst
643 if [ ! -f $rdir/$label.recov ]; then
644 echo >&2 "$quis: recovery key \`$recov/$inst' has no blob for \`$label'"
649 nub=$SAFE/keys.reveal/$tag/nub
650 if [ ! -f $nub ]; then
651 echo >&2 "$quis: recovery key \`$recov/$inst' not revealed"
655 c_sysdecrypt $rdir/store $nub <$rdir/$label.recov
658 ###--------------------------------------------------------------------------
665 case "$KEYS_HELP" in t) help; exit ;; esac
668 help () { showhelp; }
671 Usage: $quis${usage:+ $usage}
679 echo "usage: $quis${cmdname:+ $cmdname}${cmdargs:+ $cmdargs}"
681 usage_err () { usage >&2; exit 1; }
683 ###--------------------------------------------------------------------------
684 ### Subcommand handling.
687 echo "$quis, $PACKAGE version $VERSION"
694 cmd=$1; shift; args=$*
696 eval help_$cmd=\$help
701 defcmd help "[COMMAND ...]" <<EOF
702 Show help about the COMMANDs, or about $quis if none are named.
711 Usage: $quis${usage:+ $usage}
714 -h Show this help text.
715 -v Show the program version number.
719 while read cmd args; do echo " $cmd${args:+ $args}"; done <<EOF
725 for i in $prefix.*; do
726 if [ ! -x "$i" ]; then continue; fi
727 sed -n "/<<HELP/{n;s/^/ ${i#$prefix.} /;p;q;}" "$i"
736 while read cmdname cmdargs; do
737 case $cmdname in "$cmd") foundp=t; break ;; esac
744 eval help=\$help_$cmdname; echo "$help"
747 if [ ! -x "$KEYSLIB/$prefix.$cmd" ]; then
748 echo >&2 "$quis: unrecognized command \`$cmd'"
751 elif ! KEYS_HELP=t "$KEYSLIB/$prefix.$cmd"; then
763 case $# in 0) usage_err ;; esac
766 while read cmdname cmdargs; do
767 case $cmdname in "$cmd") foundp=t; break ;; esac
777 if [ ! -x "$KEYSLIB/$prefix.$cmd" ]; then
778 echo >&2 "$quis: unrecognized command \`$cmd'"
782 exec "$KEYSLIB/$prefix.$cmd" "$@"
787 ###----- That's all, folks --------------------------------------------------