3 ### Generate a new recovery key and split it among keepers
5 ### (c) 2011 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This file is part of the distorted.org.uk key management suite.
12 ### distorted-keys is free software; you can redistribute it and/or modify
13 ### it under the terms of the GNU General Public License as published by
14 ### the Free Software Foundation; either version 2 of the License, or
15 ### (at your option) any later version.
17 ### distorted-keys is distributed in the hope that it will be useful,
18 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
19 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ### GNU General Public License for more details.
22 ### You should have received a copy of the GNU General Public License
23 ### along with distorted-keys; if not, write to the Free Software Foundation,
24 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 case "${KEYSLIB+t}" in t) ;; *) echo >&2 "$0: KEYSLIB unset"; exit 1 ;; esac
28 . "$KEYSLIB"/keyfunc.sh
32 Generate a new recovery secret, and split it among the available keepers.
34 The new secret will be called RECOV. For each KEEPER set, the private key
35 wil be split into shares, and encrypted with the KEEPER's public keys; any K
36 of these shares can be used to reveal the original key.
38 If there is already a recovery key called RECOV then it will be rolled over.
39 The previous key must already be revealed. If KEEPERs are listed, these
40 replace the existing keeper sets; otherwise the same keepers as before are
43 If there is not a recovery key called RECOV then at least one keeper set must
48 ## Parse the command line.
49 case $# in 0) echo >&2 "$usage"; exit 1 ;; esac
51 checkword "recovery key label" "$recov"
55 *) echo >&2 "$quis: bad keeper spec \`$k'"; exit 1 ;;
57 keeper=${k%:*} t=${k#*:}
58 checkword "keeper set label" "$keeper"
59 checknumber "keeper quorum" "$t"
62 ## Establish the keeper parameters.
63 rdir=$KEYS/recov/$recov
64 if [ ! -d $rdir ]; then mkdir -m755 -p $rdir; fi
71 keeper=${k%:*} t=${k#*:}
73 done >$rdir/keepers.new
74 kparam=$rdir/keepers.new
77 if [ ! -f $kparam ]; then echo >&2 "$quis: no keepers specified"; exit 1; fi
79 ## Make the new key and issue the shares.
80 tmp=$(mktmp); cleanup rmtmp
84 ec_keygen secret $rdir/new/pub
85 while read keeper k; do
86 read n hunoz <$KEYS/keeper/$keeper/meta
87 shamir issue $k/$n secret | {
89 echo "$param" >$rdir/new/$keeper.param
93 ec_encrypt $KEYS/keeper/$keeper/$i.pub -o$rdir/new/$keeper.$i.share
100 ## If there's an existing instance of this key, transfer the recovery blobs.
101 if [ ! -d $rdir/current ]; then
104 seq=$(readlink $rdir/current)
105 mem=$(userv root claim-mem-dir </dev/null)
106 reveal=$mem/keys.reveal/$recov.current/secret
107 if [ ! -f $reveal ]; then
108 echo >&2 "$quis: current $recov key not revealed"
112 find $rdir/current/ -type f -name '*.recov' -print | while read name; do
113 name=${name#$rdir/current/}
114 case "$name" in */*) mkdir -p -m755 $rdir/new/${name%/*} ;; esac
115 ec_decrypt $reveal -i$rdir/current/$name |
116 ec_encrypt $rdir/new/pub -o$rdir/new/$name
118 rm -r $mem/keys.reveal/$recov.current
121 ## Tidy up and commit. Repointing the symlink is grim because, according to
122 ## POSIX rules, `mv foo bar' should rename `foo' to `bar/foo' is `bar' is a
123 ## symlink to a directory -- and there's no way of turning this behaviour
124 ## off. The subterfuge here is due to Colin Watson.
126 while [ -d $seq ]; do seq=$(( seq + 1 )); done
127 case $kparam in *.new) mv keepers.new keepers ;; esac
131 mkdir hack; mv next hack/current; mv hack/current .; rmdir hack
133 ###----- That's all, folks --------------------------------------------------
~mdw / distorted-keys / blob