chiark / gitweb /
summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Mark Wooding [Thu, 23 Feb 2012 03:03:09 +0000 (03:03 +0000)]
claim-dir, debian/distorted-keys.postinst: Let `keys' run `claim-dir'.
Unfortunately, `keys' as created by the `postinst' script doesn't have a
shell. Allow callers without shells to run `claim-dir' if they have a
particular magical shell configured, and set this magic on the `keys'
user.
Mark Wooding [Thu, 23 Feb 2012 03:01:16 +0000 (03:01 +0000)]
ktype.seccure: Stop `seccure' from trying to open `/dev/tty'.
It won't work in a `userv' service. For some reason, it will try to do
this if you don't provide a key file, even for operations which don't
need a private key.
Mark Wooding [Thu, 23 Feb 2012 02:59:54 +0000 (02:59 +0000)]
keys.new-keeper: Don't try to create $SAFE/keys.keeper if it exists.
It's pointless and you get an error.
Mark Wooding [Thu, 23 Feb 2012 02:54:24 +0000 (02:54 +0000)]
keyfunc.sh.in: Fix the OpenSSL `dgst' rune.
A compatibility hack was a nice idea, but it helps if you don't throw
away the interesting answer and keep the boring and incompatible extra
filename.
Mark Wooding [Wed, 15 Feb 2012 01:10:48 +0000 (01:10 +0000)]
Split underlying machinery into a separate package.
Mark Wooding [Wed, 15 Feb 2012 00:50:18 +0000 (00:50 +0000)]
pubkeyop.in: New script for doing stuff with public keys.
Now we can move public keys about, without losing the convenient
key-types abstraction.
Mark Wooding [Wed, 15 Feb 2012 00:48:18 +0000 (00:48 +0000)]
New ktype operation `k_import'.
Given a directory containing `pub', populate it with anything else
necessary.
This is trivial for `seccure'; `gnupg' requires a refactoring of key
generation, to split out the directory setup stuff.
Mark Wooding [Wed, 15 Feb 2012 00:45:09 +0000 (00:45 +0000)]
keyfunc.sh.in: Infrastructure for built-in subcommands.
This is the `defcmd' machinery from elsewhere, in yet another guise.
Mark Wooding [Wed, 15 Feb 2012 00:49:26 +0000 (00:49 +0000)]
cryptop.public: New operation to export a key with its properties.
This form will be useful soon.
Mark Wooding [Wed, 15 Feb 2012 00:46:36 +0000 (00:46 +0000)]
keyfunc.sh.in, cryptop.info: Refactor property dumping.
Move the functionality into the library. Also, stop mangling
underscores in a broken way -- in fact, don't do it at all, so the
output is acceptable to `readprops'.
Mark Wooding [Wed, 15 Feb 2012 00:42:07 +0000 (00:42 +0000)]
keys.archive -> cryptop.archive: Command was in the wrong suite.
It uses user keys, and the archives are public. It doesn't make sense
to restrict it to administrators only. Also, it wrote its output to the
wrong place. Since the output is in two pieces, this is fiddly: use a
tarball.
Mark Wooding [Sun, 12 Feb 2012 23:21:44 +0000 (23:21 +0000)]
keys.conf: New file, suggesting a possible implementation of `$SAFE'.
Mark Wooding [Sun, 12 Feb 2012 23:14:36 +0000 (23:14 +0000)]
Directory claiming and ephemeral filesystems.
Two new related tools.
* `mount-ephemeral' creates (and removes) a temporary filesystem,
encrypted using a fresh random key so the contents are irretrievably
lost when the host reboots or the power fails.
* `claim-dir' is a `userv' service which allows users to claim
directories in a shared filesystem without the hazardous
free-for-all that results from world writability with a sticky bit.
These go in their own separate Debian package. There's no direct link
between the two, but bundling them together provides a hint regarding
possible applications.
Mark Wooding [Sun, 12 Feb 2012 23:19:52 +0000 (23:19 +0000)]
keys.list-{keepers,recov}: New commands for inspecting infrastructure.
There's some overlap in functionality (and, distressingly, in
implementation) but I think the two perspectives are useful.
Mark Wooding [Sun, 12 Feb 2012 23:08:31 +0000 (23:08 +0000)]
keyfunc.sh.in, keys.reveal: Factor out sharing parameter file parsing.
We'll want it elsewhere soon.
Mark Wooding [Sun, 12 Feb 2012 23:07:24 +0000 (23:07 +0000)]
profile.d/{01gnupg,01seccure}: Distinct secrecy/integrity sections.
So that they actually include the correct ACLs.
Mark Wooding [Sun, 12 Feb 2012 23:05:32 +0000 (23:05 +0000)]
profile.d/00base: Make `%FOO-secrecy' include the right base sections.
Copy and paste error.
Mark Wooding [Sun, 12 Feb 2012 23:00:03 +0000 (23:00 +0000)]
keyfunc.sh.in: Don't let `userv' gobble our input.
Unfortunately, `userv' has a bad habit of eating our stdin, whether it
needs it or not. (This is a result of the `cat' processes and pipes
strung between the calling and service environments.) To prevent this
from gobbling our input, which we might actually want to process
ourselves in some way, make sure that we let it chew on something less
important. Like `/dev/null', say.
Mark Wooding [Sun, 12 Feb 2012 23:10:52 +0000 (23:10 +0000)]
Makefile.am: Distinctive `SUBST' indicator for `confsubst' rules.
Rather than use the generic `GEN' indicator.
Mark Wooding [Sun, 12 Feb 2012 21:23:03 +0000 (21:23 +0000)]
keys.new-keeper: Use `$quis' in errors, rather than `$0'.
Mark Wooding [Tue, 10 Jan 2012 00:39:11 +0000 (00:39 +0000)]
keys.keeper-cards: Fallback plan in case `mdwfonts' doesn't exist.
Just don't fiddle with the fonts in that case.
Mark Wooding [Sun, 8 Jan 2012 00:45:36 +0000 (00:45 +0000)]
Programs invoke themselves via `userv' if necessary.
This will prevent the permissions in the key store being messed up. To
this end:
* Move `cryptop' to @bindir@ where we can expect users to find it, and
move `keys' to @sbindir@ where only administrators are likely to
look.
* Add a new userv service for `keys', with some configuration files
listing the permitted users.
Mark Wooding [Tue, 10 Jan 2012 00:24:14 +0000 (00:24 +0000)]
keys.*: Enforce separation between user's files and the system.
* keys.new-keeper now writes its nubs into $SAFE rather than the
caller's current directory.
* keys.reveal and keys.stash insist on reading their input from stdin
rather than a file name.
* keys.keeper-cards writes its output to stdout, and collects input
nubs from $SAFE.
* keys.keeper-nub is a new tool which extracts a keeper nub on demand.
Some of the tools have also had their error messages improved.
Mark Wooding [Sat, 7 Jan 2012 02:14:49 +0000 (02:14 +0000)]
debian: About time, really.
Mark Wooding [Sat, 7 Jan 2012 02:13:24 +0000 (02:13 +0000)]
Makefile: Do the release hook thing.
Mark Wooding [Sat, 7 Jan 2012 02:12:47 +0000 (02:12 +0000)]
profile.d/*: Base configuration files.
Fairly detailed commentary. Makes up for the lack of useful
documentation in my dreams, at least.
Mark Wooding [Sun, 12 Feb 2012 21:29:21 +0000 (21:29 +0000)]
userv/distorted-keys.in: Reformat, with backslashes in their own column.
A whitespace-only change, empty under `diff -b'.
Mark Wooding [Sat, 7 Jan 2012 02:10:44 +0000 (02:10 +0000)]
userv/distorted-keys.in: Rename from distorted-keys.userv.in.
This way it gets created with the right name. It makes Debianizing
easier.
Mark Wooding [Sat, 7 Jan 2012 02:08:53 +0000 (02:08 +0000)]
keyfunc.sh: Check ACLs for good characters.
Mark Wooding [Sat, 7 Jan 2012 02:08:18 +0000 (02:08 +0000)]
keyfunc.sh: Protect arguments to expr(1).
Make sure they don't look like operators or functions.
Mark Wooding [Sat, 7 Jan 2012 02:07:29 +0000 (02:07 +0000)]
keys.stash: Shebang line.
I'm an idiot.
Mark Wooding [Sat, 7 Jan 2012 02:07:10 +0000 (02:07 +0000)]
extract-profile: Allow `%' characters in internal property names.
Now we don't have to spam the caller with uninteresting properties.
Mark Wooding [Wed, 28 Dec 2011 23:43:57 +0000 (23:43 +0000)]
cryptop.list: Search the requested user's keys only; sort the output.
Mark Wooding [Mon, 26 Dec 2011 18:40:39 +0000 (18:40 +0000)]
cryptop.list: Fix up the column-spec documentation.
It got a bit out of date with respect to the actual implementation.
Mark Wooding [Sat, 7 Jan 2012 16:12:07 +0000 (16:12 +0000)]
Whitespace fixing.
Mark Wooding [Mon, 26 Dec 2011 04:19:01 +0000 (04:19 +0000)]
cryptop.list: New tool for listing keys.
Surprisingly nice output format.
Mark Wooding [Mon, 26 Dec 2011 04:18:33 +0000 (04:18 +0000)]
keyfunc.sh.in, cryptop.{genkey,recover}: Care over key ownership.
Interpret profiles relative to the key owner, not the caller! Only allow
the key owner to recover a key.
Mark Wooding [Mon, 26 Dec 2011 00:03:53 +0000 (00:03 +0000)]
keys.archive: New program to capture and sign an archive.
Doesn't include the key nubs.
Mark Wooding [Mon, 26 Dec 2011 00:03:18 +0000 (00:03 +0000)]
distorted-keys.userv: Add userv configuration snippet.
Needs a configured user name, and sbindir.
Mark Wooding [Mon, 26 Dec 2011 00:00:43 +0000 (00:00 +0000)]
Makefile.am: Move cryptop stuff after keys stuff.
Makes more sense this way.
Mark Wooding [Sun, 25 Dec 2011 23:55:59 +0000 (23:55 +0000)]
extract-profile.in: Allow empty sections.
Create a section as soon as we see a section header; we no longer need
the more complicated lazy creation code.
Mark Wooding [Sun, 25 Dec 2011 23:51:36 +0000 (23:51 +0000)]
cryptop.in, keyfunc.sh.in: Move userv variable setup into keyfunc.sh.
We'll need these set up in a later program.
Mark Wooding [Sun, 25 Dec 2011 23:47:22 +0000 (23:47 +0000)]
cryptop.public: Don't check an ACL.
It's not worthwhile: public keys will be clearly visible in an archive
copy.
Mark Wooding [Sun, 25 Dec 2011 23:46:39 +0000 (23:46 +0000)]
keyfunc.sh.in (prepare): Indicate that an ACL check isn't necessary.
Mark Wooding [Sun, 25 Dec 2011 23:43:10 +0000 (23:43 +0000)]
keyfunc.sh.in: Add come commentary to the configuration section.
Mark Wooding [Sun, 25 Dec 2011 23:49:44 +0000 (23:49 +0000)]
keys.new-recov, keys.reveal, keyfunc.sh.in: Don't put @bindir@ on the PATH.
Call `shamir' using an explicit pathname instead.
Mark Wooding [Sun, 25 Dec 2011 23:32:48 +0000 (23:32 +0000)]
keyfunc.sh.in: Rename the nub computation properties.
These names are more consistent with the longer names used elsewhere.
Mark Wooding [Sun, 25 Dec 2011 23:58:43 +0000 (23:58 +0000)]
extract-profile.in: Property name fixup wasn't applied to ${...} tokens.
Move it into the common replacement code.
Mark Wooding [Sun, 25 Dec 2011 23:43:50 +0000 (23:43 +0000)]
keyfunc.sh.in (prepare): Exit nonzero if ACL check fails.
Just a missing return code.
Mark Wooding [Sun, 25 Dec 2011 23:54:23 +0000 (23:54 +0000)]
cryptop.verify: Use the correct operations.
Stupid copy-and-paste error.
Mark Wooding [Sun, 25 Dec 2011 23:41:43 +0000 (23:41 +0000)]
keyfunc.sh.in, extract-profile.in: Put profile name before the filenames.
This is the way it was originally, but that version wasn't checked in.
I had some crazy idea that this ordering made interfacing to userv
easier, but it doesn't.
Mark Wooding [Sun, 25 Dec 2011 23:30:26 +0000 (23:30 +0000)]
cryptop.*, extract-profile.in: Set execute bits.
Mark Wooding [Sat, 24 Dec 2011 02:29:11 +0000 (02:29 +0000)]
Multiple key types, key profiles, and user key storage.
* Introduce multiple key types (currently GnuPG and Seccure, but maybe
more later, e.g., OpenSSL).
* Parameters are provided via time-varying profiles.
* Profiles can be chosen for keeper and recovery keys.
* Allow users to generate and use keys.
Mark Wooding [Sat, 17 Dec 2011 00:15:00 +0000 (00:15 +0000)]
more progress. recovery seems to be working now.
Mark Wooding [Tue, 13 Dec 2011 01:05:10 +0000 (01:05 +0000)]
initial checkin: still somewhat sketchy