From d516ebd0d3928deae4cf80a113d6ccf1f666bfe6 Mon Sep 17 00:00:00 2001
Message-Id:
From: Mark Wooding
Date: Tue, 10 Jan 2012 00:24:14 +0000
Subject: [PATCH 1/1] keys.*: Enforce separation between user's files and the system.
Organization: Straylight/Edgeware
From: Mark Wooding
* keys.new-keeper now writes its nubs into $SAFE rather than the caller's current directory.
* keys.reveal and keys.stash insist on reading their input from stdin rather than a file name.
* keys.keeper-cards writes its output to stdout, and collects input nubs from $SAFE.
* keys.keeper-nub is a new tool which extracts a keeper nub on demand.
Some of the tools have also had their error messages improved.
---
 Makefile.am | 1 +
 keys.keeper-cards | 34 +++++++++++++++++-------
 keys.keeper-nub | 66 +++++++++++++++++++++++++++++++++++++++++++++++
 keys.new-keeper | 39 ++++++++++++++++++----------
 keys.reveal | 12 +++------
 keys.stash | 13 +++------
 6 files changed, 125 insertions(+), 40 deletions(-)
 create mode 100755 keys.keeper-nub
diff --git a/Makefile.am b/Makefile.am
index 136d768..2898615 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -100,6 +100,7 @@ keyfunc.sh: keyfunc.sh.in Makefile
 dist_pkglib_SCRIPTS += keys.archive
 dist_pkglib_SCRIPTS += keys.conceal
 dist_pkglib_SCRIPTS += keys.keeper-cards
+dist_pkglib_SCRIPTS += keys.keeper-nub
 dist_pkglib_SCRIPTS += keys.new-keeper
 dist_pkglib_SCRIPTS += keys.new-recov
 dist_pkglib_SCRIPTS += keys.recover
diff --git a/keys.keeper-cards b/keys.keeper-cards
index 73f2411..825f6f5 100755
--- a/keys.keeper-cards
+++ b/keys.keeper-cards
@@ -31,22 +31,38 @@ defhelp <&2 "$quis: unknown keeper set \`$keeper'"
+ exit 1
+fi
 read n hunoz <$KEYS/keeper/$keeper/meta
+## Check that nubs are available for the keeper set.
+reqsafe
+if [ ! -d $SAFE/keys.keeper/$keeper/ ]; then
+ echo >&2 "$quis: no nubs available for keeper set \`$keeper'"
+ exit 1
+fi
+cd $SAFE/keys.keeper/$keeper/
+
 ## Build a colon-separated list of the indices we actually want.
 want=:
 case $# in 0) set 0- ;; esac
@@ -239,8 +255,8 @@ i=0
 while [ $i -lt $n ]; do
 case $want in
 *:"$i":*)
- read secret <$keeper/$i
- tr -d '\n' <$keeper/$i | qrencode -m0 -s1 -o$tmp/$i.png
+ read secret <$i
+ tr -d '\n' <$i | qrencode -m0 -s1 -o$tmp/$i.png
 convert $tmp/$i.png $tmp/$i.eps
 cat >&3 <&2 's/^/| /' $tmp/tex.out
 exit 1
 fi
-cp $tmp/$keeper.ps .
+cat $tmp/$keeper.ps
 ###----- That's all, folks --------------------------------------------------
diff --git a/keys.keeper-nub b/keys.keeper-nub
new file mode 100755
index 0000000..67a9b32
--- /dev/null
+++ b/keys.keeper-nub
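Review bot: The new `cd $SAFE/keys.keeper/$keeper/` (and the `[ ! -d ... ]` test just above it) splices `$keeper` into a path unquoted and with no visible sanity check; if the option parsing lost in the garbled `defhelp` heredoc does not already run it through `checkword` as keys.stash does for `$recov`, a value such as `../other` or one containing whitespace selects a different directory, and the earlier `$KEYS/keeper/$keeper/meta` read has the same exposure. A one-line guard before the lookups, `checkword "keeper set" "$keeper"`, removes the doubt. If the script runs under `set -e` as keys.keeper-nub does, a failed `cd` would at least abort rather than continue in the caller's directory, but that is not visible in this hunk. The script continues past the hunk.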
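Review bot: `read secret <$i` reads the nub with `read` and no `-r`, so any backslash in the share is interpreted and dropped from `$secret` before it is typeset, while the QR code built from `tr -d '\n' <$i` on the next line carries the raw bytes; the printed text and the QR image would then disagree. Whether the nub encoding can contain a backslash is not visible here, but `read -r secret <$i` costs nothing and removes the question. The enclosing `while` loop continues beyond the hunk.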
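Review bot: `cat $tmp/$keeper.ps` now writes the PostScript, which embeds every selected nub in clear, to stdout with no check that stdout is not a terminal, so a user who runs the tool interactively without a redirect gets the nubs scrolled onto the screen and into any scrollback or session log; the replaced `cp ... .` had no such failure mode. A guard in the style the suite already uses for stdin, `if [ -t 1 ]; then echo >&2 "$quis: stdout is a terminal"; exit 1; fi`, placed before the TeX run would be enough. This hunk's header was lost in extraction, so its starting point is not visible.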
@@ -0,0 +1,66 @@
+#! /bin/sh
+###
+### Collect the value of a newly created keeper nub
+###
+### (c) 2012 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This file is part of the distorted.org.uk key management suite.
+###
+### distorted-keys is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### distorted-keys is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with distorted-keys; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+set -e
+case "${KEYSLIB+t}" in t) ;; *) echo >&2 "$0: KEYSLIB unset"; exit 1 ;; esac
+. "$KEYSLIB"/keyfunc.sh
+
+defhelp <&2 "$quis: unknown keeper set \`$keeper'"
+ exit 1
+fi
+read n hunoz <$KEYS/keeper/$keeper/meta
+
+if [ $index -ge $n ]; then
+ echo >&2 "$quis: index $index out of range (must be less than $n)"
+ exit 1
+fi
+
+## Check that nubs are available for the keeper set.
+reqsafe
+if [ ! -d $SAFE/keys.keeper/$keeper/ ]; then
+ echo >&2 "$quis: no nubs available for keeper set \`$keeper'"
+ exit 1
+fi
+
+## Done.
+cat $SAFE/keys.keeper/$keeper/$index
+
+###----- That's all, folks --------------------------------------------------
diff --git a/keys.new-keeper b/keys.new-keeper
index 45764bd..2ccd7ee 100755
--- a/keys.new-keeper
+++ b/keys.new-keeper
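Review bot: `$index` reaches `[ $index -ge $n ]` and then the path `$SAFE/keys.keeper/$keeper/$index` without a visible check that it is a non-negative integer, and because the comparison sits in an `if` condition, `set -e` does not stop a non-numeric value (`[` reports an error and the branch is simply skipped), so an argument like `../foo` passes the range check and is appended to the path. Whether the option handling hidden in the garbled `defhelp` section already rejects such values I cannot see; if it does not, add `case $index in *[!0-9]*|'') echo >&2 "$quis: bad index \`$index'"; exit 1 ;; esac` before the comparison. The same applies to `$keeper`, which the suite elsewhere passes through `checkword`. The reachable files are the caller's own `$SAFE` and `$KEYS` trees, so this is a robustness point rather than a privilege boundary.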
@@ -28,19 +28,19 @@ case "${KEYSLIB+t}" in t) ;; *) echo >&2 "$0: KEYSLIB unset"; exit 1 ;; esac
 . "$KEYSLIB"/keyfunc.sh
 defhelp <&2 "$0: keeper set \`$keeper' already exists"
- exit 1
-fi
-if [ -e $keeper ]; then
- echo >&2 "$0: destination \`$keeper' already exists"
- exit 1
-fi
+reqsafe
+case $force in
+ nil)
+ if [ -e $KEYS/keeper/$keeper ]; then
+ echo >&2 "$0: keeper set \`$keeper' already exists"
+ exit 1
+ fi
+ if [ -e $SAFE/keys.keeper/$keeper ]; then
+ echo >&2 "$0: destination \`$keeper' already exists"
+ exit 1
+ fi
+ ;;
+ t)
+ rm -rf $KEYS/keeper/$keeper
+ rm -rf $SAFE/keys.keeper/$keeper/
+ ;;
+esac
 ## Generate the private keys, one per file, and compute the public keys.
 mktmp
+mkdir -m700 $SAFE/keys.keeper/
+cd $SAFE/keys.keeper/
 rm -rf $keeper.new
 mkdir -m700 $keeper.new
 mkdir -p -m755 $KEYS/keeper/$keeper.new
diff --git a/keys.reveal b/keys.reveal
index a1c0242..f11a59b 100755
--- a/keys.reveal
+++ b/keys.reveal
@@ -28,19 +28,15 @@ case "${KEYSLIB+t}" in t) ;; *) echo >&2 "$0: KEYSLIB unset"; exit 1 ;; esac
 . "$KEYSLIB"/keyfunc.sh
 defhelp <&2 "$quis: stdin is a terminal"; exit 1; fi ;;
- 3) ;;
- *) usage_err ;;
-esac
+case $# in 2) ;; *) usage_err ;; esac
 recov=$1 keeper=$2; shift 2
 checklabel "recovery key" "$recov"
 case "$recov" in
@@ -65,7 +61,7 @@ fi
 ## Grab the key, because we'll need to read it several times.
 mktmp
-cat -- "$@" >$tmp/secret
+cat >$tmp/secret
 ## Read the threshold from the recovery metadata.
 read param <$KEYS/recov/$recov/$keeper.param
diff --git a/keys.stash b/keys.stash
index baf6f22..ef80082 100755
--- a/keys.stash
+++ b/keys.stash
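Review bot: `mkdir -m700 $SAFE/keys.keeper/` has no `-p`, so it fails with "File exists" as soon as one keeper set has been created, and if keys.new-keeper runs under `set -e` as keys.keeper-nub does, that aborts every later run; `mkdir -p -m700 $SAFE/keys.keeper/` matches the `mkdir -p -m755 $KEYS/keeper/$keeper.new` line two below and is a no-op when the directory already exists. Separately, the `t)` branch runs `rm -rf $KEYS/keeper/$keeper` and `rm -rf $SAFE/keys.keeper/$keeper/` with `$keeper` unquoted and unchecked, so if the argument handling lets an empty or whitespace-containing value through this deletes the whole keeper tree; `rm -rf "$KEYS/keeper/${keeper:?}"` is a cheap safeguard. The option parsing that sets `$force` and `$keeper` was lost with the garbled `defhelp` heredoc, so I cannot tell whether it already validates them.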
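Review bot: The replacement `case $# in 2) ;; *) usage_err ;; esac` drops the `[ -t 0 ]` test the removed two-argument arm performed (its tail, `"$quis: stdin is a terminal"; exit 1; fi ;;`, is still visible above), yet the key is now always read from stdin by the `cat >$tmp/secret` in the next hunk. Run interactively without a redirect, keys.reveal now sits waiting on the terminal instead of failing with a message. Restoring `if [ -t 0 ]; then echo >&2 "$quis: stdin is a terminal"; exit 1; fi` after the `case` keeps the old behaviour; the `defhelp` heredoc that precedes the check was lost in extraction.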
@@ -28,27 +28,22 @@ case "${KEYSLIB+t}" in t) ;; *) echo >&2 "$0: KEYSLIB unset"; exit 1 ;; esac
 . "$KEYSLIB"/keyfunc.sh
 defhelp <&2 "$quis: stdin is a terminal"; exit 1; fi ;;
- 3) ;;
- *) usage_err ;;
-esac
+case $# in 2) ;; *) usage_err ;; esac
 recov=$1 label=$2; shift 2
 checkword "recovery key label" "$recov"
 checklabel "secret" "$label"
 ## Do the thing.
 mktmp
-cat -- "$@" >$tmp/secret
+cat >$tmp/secret
 stash $recov $label <$tmp/secret
 ###----- That's all, folks --------------------------------------------------
-- [mdw]
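Review bot: The new `case $# in 2) ;; *) usage_err ;; esac` discards the `[ -t 0 ]` guard the removed two-argument arm carried (its tail `"$quis: stdin is a terminal"; exit 1; fi ;;` is visible above) while `cat >$tmp/secret` now reads the secret from stdin unconditionally, so a user who forgets the redirect gets no error and types the secret into a terminal that echoes it. Put `if [ -t 0 ]; then echo >&2 "$quis: stdin is a terminal"; exit 1; fi` back after the `case` line. The usage text in the garbled `defhelp` heredoc should also state that the secret is read from stdin, if it does not already.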