~mdw / distorted-keys / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
keyfunc.sh: Check ACLs for good characters.
[distorted-keys] / keyfunc.sh.in
1 ### -*-sh-*-
2 ###
3 ### Common key management functions.
4 ###
5 ### (c) 2011 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This file is part of the distorted.org.uk key management suite.
11 ###
12 ### distorted-keys is free software; you can redistribute it and/or modify
13 ### it under the terms of the GNU General Public License as published by
14 ### the Free Software Foundation; either version 2 of the License, or
15 ### (at your option) any later version.
16 ###
17 ### distorted-keys is distributed in the hope that it will be useful,
18 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
19 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ### GNU General Public License for more details.
21 ###
22 ### You should have received a copy of the GNU General Public License
23 ### along with distorted-keys; if not, write to the Free Software Foundation,
24 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25
26 quis=${0##*/}
27
28 ###--------------------------------------------------------------------------
29 ### Configuration variables.
30
31 ## Automatically configured pathnames.
32 PACKAGE="@PACKAGE@" VERSION="@VERSION@"
33 bindir="@bindir@"
34
35 ## Read user configuration.
36 if [ -f $ETC/keys.conf ]; then . $ETC/keys.conf; fi
37
38 ## Maybe turn on debugging.
39 case "${KEYS_DEBUG+t}" in t) set -x ;; esac
40
41 ## Fake up caller credentials if not called via userv.
42 case "${USERV_USER+t}" in
43 t) ;;
44 *) USERV_USER=${LOGNAME-${USER-$(id -un)}} USERV_UID=$(id -u) ;;
45 esac
46 case "${USERV_GROUP+t}" in
47 t) ;;
48 *) USERV_GROUP=$(id -Gn) USERV_GID=$(id -gn) ;;
49 esac
50
51 ###--------------------------------------------------------------------------
52 ### Cleanup handling.
53
54 cleanups=""
55 cleanup () { cleanups=${cleanups+$cleanups }$1; }
56 runcleanups () { for i in $cleanups; do $i; done; }
57 trap 'rc=$?; runcleanups; exit $rc' EXIT
58 trap 'trap "" EXIT; runcleanups; exit 127' INT TERM
59
60 ###--------------------------------------------------------------------------
61 ### Utility functions.
62
63 reqsafe () {
64 ## Fail unless a safe directory is set.
65
66 err="$quis: (CONFIGURATION ERROR)"
67 case ${SAFE+t} in
68 t) ;;
69 *) echo >&2 "$err: no SAFE directory"; exit 1 ;;
70 esac
71 if [ ! -d "$SAFE" ]; then
72 echo >&2 "$err: SAFE path \`$SAFE' isn't a directory"
73 exit 1
74 fi
75 case "$SAFE" in
76 [!/]* | *[][[:space:]*?]*)
77 echo >&2 "$err: SAFE path \`$SAFE' contains bad characters"
78 exit 1
79 ;;
80 esac
81 ls -ld "$SAFE" | {
82 me=$(id -un)
83 read perm _ user stuff
84 case "$perm:$user" in
85 d???------:"$me") ;;
86 *)
87 echo >&2 "$err: SAFE path \`$SAFE' has bad owner or permissions"
88 exit 1
89 ;;
90 esac
91 }
92 }
93
94 ## Temporary directory.
95 unset tmp
96 rmtmp () { case ${tmp+t} in t) cd /; rm -rf $tmp ;; esac; }
97 cleanup rmtmp
98 mktmp () {
99 ## Make a temporary directory and store its name in `tmp'.
100
101 case "${tmp+t}" in t) return ;; esac
102 reqsafe
103 tmp="$SAFE/keys.tmp.$$"
104 rm -rf "$tmp"
105 mkdir -m700 "$tmp"
106 }
107
108 reqtmp () {
109 ## Fail unless a temporary directory is set.
110
111 case ${tmp+t} in
112 t) ;;
113 *) echo >&2 "$quis (INTERNAL): no tmp directory set"; exit 127 ;;
114 esac
115 }
116
117 parse_keylabel () {
118 key=$1
119 ## Parse the key label string KEY. Set `kdir' to the base path to use for
120 ## the key's storage, and `kowner' to the key owner's name.
121
122 case "$key" in
123 *:*) kowner=${key%%:*} klabel=${key#*:} ;;
124 *) kowner=$USERV_USER klabel=$key ;;
125 esac
126 checkword "key owner name" "$kowner"
127 checklabel "key" "$klabel"
128 kdir=$KEYS/store/$kowner/$klabel
129 knub=$KEYS/nub/$kowner/$klabel
130 }
131
132 ###--------------------------------------------------------------------------
133 ### Input validation functions.
134
135 nl="
136 "
137 check () {
138 ckwhat=$1 ckpat=$2 thing=$3
139 ## Verify that THING matches the (anchored, basic) regular expression
140 ## CKPAT. Since matching newlines is hard to do portably, also check that
141 ## THING doesn't contain any. If the checks fail, report an error and
142 ## exit.
143
144 validp=t
145 case "$thing" in
146 *"$nl"*) validp=nil ;;
147 *) if ! expr >/dev/null "Q$thing" : "Q$ckpat\$"; then validp=nil; fi ;;
148 esac
149 case $validp in
150 nil) echo >&2 "$quis: bad $ckwhat \`$thing'"; exit 1 ;;
151 esac
152 }
153
154 ## Regular expressions for validating input.
155 R_IDENTCHARS="A-Za-z0-9_"
156 R_GOODPUNCT="!%@+="
157 R_WORDCHARS="-$R_IDENTCHARS$R_GOODPUNCT"
158 R_IDENT="[$R_IDENTCHARS][$R_IDENTCHARS]*"
159 R_WORD="[$R_WORDCHARS][$R_WORDCHARS]*"
160 R_ACLCHARS="][$R_IDENTCHARS$R_GOODPUNCT*?:.#"
161 R_WORDSEQ="[$R_WORDCHARS[:space:]][$R_WORDCHARS[:space:]]*"
162 R_ACL="[$R_ACLCHARS[:space:]-][$R_ACLCHARS[:space:]-]*"
163 R_NUMERIC='\(\([1-9][0-9]*\)\{0,1\}0\{0,1\}\)'
164 R_LABEL="\($R_WORD\(/$R_WORD\)*\)"
165 R_LINE=".*"
166
167 ## Various validation functions.
168 checknumber () { check "$1" "$R_NUMERIC" "$2"; }
169 checkident () { check "$1" "$R_IDENT" "$2"; }
170 checkword () { check "$1" "$R_WORD" "$2"; }
171 checklabel () { check "$1 label" "$R_LABEL" "$2"; }
172
173 ###--------------------------------------------------------------------------
174 ### Key storage and properties.
175
176 getsysprofile () {
177 profile=$1
178 ## Write the named system PROFILE to standard output.
179
180 $bindir/extract-profile "$profile" $ETC/profile.d/
181 }
182
183 setprops () {
184 what=$1 prefix=$2; shift 2
185 ## Set variables based on the NAME=VALUE assignments in the arguments. The
186 ## value for property NAME is stored in the shell variable PREFIX_NAME.
187
188 for assg in "$@"; do
189 goodp=t
190 case "$assg" in
191 *\=*) name=${assg%%=*} value=${assg#*=} ;;
192 *) goodp=nil ;;
193 esac
194 case "$goodp,$name" in t,*[!0-9A-Za-z_]*=*) goodp=nil ;; esac
195 case "$goodp" in
196 nil) echo >&2 "$quis: bad $what assignment \`$assg'"; exit 1 ;;
197 esac
198 eval "$prefix$name=\$value"
199 done
200 }
201
202 checkprops () {
203 whatprop=$1 prefix=$2; shift 2
204 ## Check that property variables are set in accordance with the remaining
205 ## TABLE arguments. Each row of TABLE has the form
206 ##
207 ## NAME OMIT PAT
208 ##
209 ## A table row is satisfied if there is a variable PREFIXNAME whose value
210 ## matces the (basic) regular expression PAT, or if the variable is unset
211 ## and OMIT is `t'.
212
213 for table in "$@"; do
214 case "$table" in ?*) ;; *) continue ;; esac
215 while read -r name omit pat; do
216 eval foundp=\${$prefix$name+t}
217 case "$foundp,$omit" in
218 ,t) continue ;;
219 ,nil)
220 echo >&2 "$quis: missing $whatprop \`$name' required"
221 exit 1
222 ;;
223 esac
224 eval value=\$$prefix$name
225 check "value for $whatprop \`$name'" "$pat" "$value"
226 done <<EOF
227 $table
228 EOF
229 done
230 }
231
232 defprops () {
233 name=$1
234 ## Define a properties table NAME.
235
236 table=$(cat)
237 eval $name=\$table
238 }
239
240 defprops g_props <<EOF
241 type nil $R_IDENT
242 recovery t $R_WORDSEQ
243 random t $R_WORD
244 nub_hash t $R_WORD
245 nubid_hash t $R_WORD
246 nub_random_bytes t $R_NUMERIC
247 acl_encrypt t $R_ACL
248 acl_decrypt t $R_ACL
249 acl_sign t $R_ACL
250 acl_verify t $R_ACL
251 acl_info t $R_ACL
252 EOF
253
254 readprops () {
255 file=$1
256 ## Read a profile from a file. This doesn't check the form of the
257 ## filename, so it's not suitable for unchecked input. Properties are set
258 ## using `setprops' with prefix `kprop_'.
259
260 ## Parse the settings from the file.
261 exec 3<"$file"
262 while read line; do
263 case "$line" in "" | \#*) continue ;; esac
264 setprops "property" kprop_ "$line"
265 done <&3
266 exec 3>&-
267 checkprops "property" kprop_ "$g_props"
268
269 ## Fetch the key-type handling library.
270 if [ ! -f $KEYSLIB/ktype.$kprop_type ]; then
271 echo >&2 "$quis: unknown key type \`$kprop_type'"
272 exit 1
273 fi
274 . $KEYSLIB/ktype.$kprop_type
275 checkprops "property" kprop_ "$k_props"
276 }
277
278 readmeta () {
279 kdir=$1
280 ## Read key metadata from KDIR.
281
282 { read profile; } <"$kdir"/meta
283 }
284
285 makenub () {
286 ## Generate a key nub in the default way, and write it to standard output.
287 ## The properties `random', `nub_random_bytes' and `nub_hash' are referred
288 ## to.
289
290 dd 2>/dev/null \
291 if=/dev/${kprop_random-random} bs=1 count=${kprop_nub_random_bytes-64} |
292 openssl dgst -${kprop_nub_hash-sha256} -binary |
293 openssl base64
294 }
295
296 nubid () {
297 ## Compute a hash of the key nub in stdin, and write it to stdout in hex.
298 ## The property `nubid_hash' is used.
299
300 { echo "distorted-keys nubid"; cat -; } |
301 openssl dgst -${kprop_nubid_hash-sha256}
302 }
303
304 subst () {
305 what=$1 templ=$2 prefix=$3 pat=$4
306 ## Substitute option values into the template TEMPL. Each occurrence of
307 ## %{VAR} is replaced by the value of the variable PREFIXVAR. Finally, an
308 ## error is reported unless the final value matches the regular expression
309 ## PAT.
310
311 out=""
312 rest=$templ
313 while :; do
314
315 ## If there are no more markers to substitute, then finish.
316 case "$rest" in *"%{"*"}"*) ;; *) out=$out$rest; break ;; esac
317
318 ## Split the template into three parts.
319 left=${rest%%\%\{*} right=${rest#*\%\{}
320 var=${right%%\}*} rest=${right#*\}}
321 case "$var" in
322 *-*) default=${var#*-} var=${var%%-*} defaultp=t ;;
323 *) defaultp=nil ;;
324 esac
325
326 ## Find the variable value.
327 checkident "template variable name" "$var"
328 eval foundp=\${$prefix$var+t}
329 case $foundp,$defaultp in
330 t,*) eval value=\$$prefix$var ;;
331 ,t) value=$default ;;
332 *)
333 echo >&2 "$quis: option \`$var' unset, used in template \`$templ'"
334 exit 1
335 ;;
336 esac
337
338 ## Do the substitution.
339 out=$out$left$value
340 done
341
342 ## Check the final result.
343 check "$what" "$pat" "$out"
344
345 ## Done.
346 echo "$out"
347 }
348
349 read_profile () {
350 owner=$1 profile=$2
351 ## Read property settings from a profile. The PROFILE name has the form
352 ## [USER:]LABEL; USER defaults to OWNER. Properties are set using
353 ## `setprops' with prefix `kprop_'.
354
355 reqtmp
356 case "$profile" in
357 :*)
358 label=${profile#:} uservp=nil
359 ;;
360 *)
361 user=$kowner label=$profile uservp=t
362 ;;
363 *:*)
364 user=${profile%%:*} label=${profile#*:} uservp=t
365 ;;
366 esac
367 checkword "profile label" "$label"
368
369 ## Fetch the profile settings from the user.
370 reqtmp
371 case $uservp in
372 t)
373 checkword "profile user" "$user"
374 userv "$user" cryptop-profile "$label" >$tmp/profile
375 ;;
376 nil)
377 $bindir/extract-profile "$label" $ETC/profile.d/ >$tmp/profile
378 ;;
379 esac
380
381 ## Read the file.
382 readprops $tmp/profile
383 }
384
385 ###--------------------------------------------------------------------------
386 ### General crypto operations.
387
388 c_genkey () {
389 profile=$1 kdir=$2 knub=$3 hook=$4; shift 4
390 ## Generate a key, and associate it with the named PROFILE (which is
391 ## assumed already to have been read!); store the main data in KDIR, and
392 ## the nub separately in the file KNUB; run HOOK after generation, passing
393 ## it the working key directory and nub file. Remaining arguments are
394 ## options to the key type.
395
396 ## Set options and check them.
397 setprops "option" kopt_ "$@"
398 checkprops "option" kopt_ "$k_genopts"
399
400 ## Create directory structure and start writing metadata.
401 rm -rf "$kdir.new"
402 mkdir -m755 -p "$kdir.new"
403 case "$knub" in */*) mkdir -m700 -p "${knub%/*}" ;; esac
404 cat >"$kdir.new/meta" <<EOF
405 $profile
406 EOF
407
408 ## Generate the key.
409 umask=$(umask); umask 077; >"$knub.new"; umask $umask
410 k_generate "$kdir.new" "$knub.new"
411 $hook "$kdir.new" "$knub.new"
412
413 ## Hash the nub.
414 nubid <"$knub.new" >"$kdir.new/nubid"
415
416 ## Juggle everything into place. Doing this atomically is very difficult,
417 ## and requires more machinery than I can really justify here. If
418 ## something goes wrong halfway, it should always be possible to fix it,
419 ## either by backing out (if $kdir.new still exists) or pressing on
420 ## forwards (if not).
421 rm -rf "$kdir.old"
422 if [ -e "$kdir" ]; then mv "$kdir" "$kdir.old"; fi
423 mv "$kdir.new" "$kdir"
424 mv "$knub.new" "$knub"
425 rm -rf "$kdir.old"
426 }
427
428 c_encrypt () { k_encrypt "$@"; }
429 c_decrypt () {
430 if k_decrypt "$@" >$tmp/plain; then cat $tmp/plain
431 else return $?
432 fi
433 }
434 c_sign () { k_sign "$@"; }
435 c_verify () { k_verify "$@"; }
436
437 ## Stub implementations.
438 notsupp () { op=$1; echo >&2 "$quis: operation \`$op' not supported"; }
439 k_info () { :; }
440 k_encrypt () { notsupp encrypt; }
441 k_decrypt () { notsupp decrypt; }
442 k_sign () { notsupp sign; }
443 k_verify () { notsupp verify; }
444
445 prepare () {
446 key=$1 op=$2
447 ## Prepare for a crypto operation OP, using the KEY. This validates the
448 ## key label, reads the profile, and checks the access-control list. If OP
449 ## is `-' then allow the operation unconditionally.
450
451 ## Find the key properties.
452 parse_keylabel "$key"
453 if [ ! -d $kdir ]; then echo >&2 "$quis: unknown key \`$key'"; exit 1; fi
454 readmeta $kdir
455 read_profile $kowner "$profile"
456
457 ## Check whether we're allowed to do this thing. This is annoyingly
458 ## fiddly.
459 case $op in -) return ;; esac
460 eval acl=\${kprop_acl_$op-!owner}
461 verdict=forbid
462 while :; do
463
464 ## Remove leading whitespace.
465 while :; do
466 case "$acl" in
467 [[:space:]]*) acl=${acl#?} ;;
468 *) break ;;
469 esac
470 done
471
472 ## If there's nothing left, leave.
473 case "$acl" in ?*) ;; *) break ;; esac
474
475 ## Split off the leading word.
476 case "$acl" in
477 *[[:space:]]*) word=${acl%%[[:space:]]*} acl=${acl#*[[:space:]]} ;;
478 *) word=$acl acl="" ;;
479 esac
480
481 ## See what sense it has if it matches.
482 case "$word" in
483 -*) sense=forbid rest=${word#-} ;;
484 *) sense=allow rest=$word ;;
485 esac
486
487 ## See whether the calling user matches.
488 case "$rest" in
489 !owner) pat=$kowner list=$USERV_USER ;;
490 !*) echo >&2 "$quis: unknown ACL token \`$word'" ;;
491 %*) pat=${rest#%} list="$USERV_GROUP $USERV_GID" ;;
492 *) pat=$rest list="$USERV_USER $USERV_UID" ;;
493 esac
494 matchp=nil
495 for i in $list; do case "$i" in $pat) matchp=t; break ;; esac; done
496 case $matchp in t) verdict=$sense; break ;; esac
497 done
498
499 case $verdict in
500 forbid) echo >&2 "$quis: $op access to key \`$key' forbidden"; exit 1 ;;
501 esac
502 }
503
504 ###--------------------------------------------------------------------------
505 ### Crypto operations for infrastructure purposes.
506
507 c_sysprofile () {
508 profile=$1
509 ## Select the profile in FILE for future crypto operations.
510
511 unset $(set | sed -n '/^kprop_/s/=.*$//p')
512 reqtmp
513 getsysprofile "$profile" >$tmp/profile
514 readprops $tmp/profile
515 }
516
517 c_gensyskey () {
518 profile=$1 kdir=$2 knub=$3; shift 3
519 ## Generate a system key using PROFILE; store the data in KDIR and the nub
520 ## in KNUB. Remaining arguments are options.
521
522 c_sysprofile "$profile"
523 c_genkey "$profile" "$kdir" "$knub" : "$@"
524 }
525
526 c_sysprepare () {
527 kdir=$1
528 readmeta "$kdir"
529 c_sysprofile "$profile"
530 }
531
532 c_sysop () {
533 op=$1 kdir=$2; shift 1
534 c_sysprepare "$kdir"
535 c_$op "$@"
536 }
537
538 c_sysencrypt () { c_sysop encrypt "$1" /dev/null; }
539 c_sysdecrypt () { c_sysop decrypt "$1" "$2"; }
540 c_syssign () { c_sysop sign "$1" "$2"; }
541 c_sysverify () { c_sysop verify "$1" /dev/null; }
542
543 ###--------------------------------------------------------------------------
544 ### Recovery operations.
545
546 stash () {
547 recov=$1 label=$2
548 ## Stash a copy of stdin encrypted under the recovery key RECOV, with a
549 ## given LABEL.
550 checkword "recovery key label" "$recov"
551 checklabel "secret" "$label"
552
553 rdir=$KEYS/recov/$recov/current
554 if [ ! -d $rdir/store ]; then
555 echo >&2 "$quis: unknown recovery key \`$recov'"
556 exit 1
557 fi
558 case $label in */*) mkdir -m755 -p $rdir/${label%/*} ;; esac
559 (c_sysencrypt $rdir/store >$rdir/$label.new)
560 mv $rdir/$label.new $rdir/$label.recov
561 }
562
563 recover () {
564 recov=$1 label=$2
565 ## Recover a stashed secret, protected by RECOV and stored as LABEL, and
566 ## write it to stdout.
567 checkword "recovery key label" "$recov"
568 checklabel "secret" "$label"
569
570 rdir=$KEYS/recov/$recov/current
571 if [ ! -f $rdir/$label.recov ]; then
572 echo >&2 "$quis: no blob for \`$label' under recovery key \`$recov'"
573 exit 1
574 fi
575 reqsafe
576 nub=$SAFE/keys.reveal/$recov.current/nub
577 if [ ! -f $nub ]; then
578 echo >&2 "$quis: current recovery key \`$recov' not revealed"
579 exit 1;
580 fi
581 mktmp
582 c_sysdecrypt $rdir/store $nub <$rdir/$label.recov
583 }
584
585 ###--------------------------------------------------------------------------
586 ### Help text.
587
588 defhelp () {
589 read umsg
590 usage="usage: $quis${umsg+ }$umsg"
591 help=$(cat)
592 case "$KEYS_HELP" in t) help; exit ;; esac
593 }
594
595 help () { showhelp; }
596 showhelp () {
597 cat <<EOF
598 $usage
599
600 $help
601 EOF
602 }
603
604 usage_err () { echo >&2 "$usage"; exit 1; }
605
606 ###--------------------------------------------------------------------------
607 ### Subcommand handling.
608
609 version () {
610 echo "$PACKAGE version $VERSION"
611 }
612
613 cmd_help () {
614 rc=0
615 version
616 case $# in
617 0)
618 cat <<EOF
619
620 $usage
621
622 Options:
623 -h Show this help text.
624 -v Show the program version number.
625
626 Commands installed:
627 EOF
628 cd "$KEYSLIB"
629 for i in $prefix.*; do
630 if [ ! -x "$i" ]; then continue; fi
631 sed -n "/<<HELP/{n;s/^/ ${i#$prefix.} /;p;q;}" "$i"
632 done
633 ;;
634 *)
635 for i in "$@"; do
636 echo
637 if [ ! -x "$KEYSLIB/$prefix.$i" ]; then
638 echo >&2 "$quis: unrecognized command \`$i'"
639 rc=1
640 continue
641 elif ! KEYS_HELP=t "$KEYSLIB/$prefix.$i"; then
642 rc=1
643 fi
644 done
645 ;;
646 esac
647 return $rc
648 }
649
650 dispatch () {
651 case $# in 0) echo >&2 "$usage"; exit 1 ;; esac
652 cmd=$1; shift
653 case "$cmd" in help) cmd_help "$@"; exit ;; esac
654 if [ ! -x "$KEYSLIB/$prefix.$cmd" ]; then
655 echo >&2 "$quis: unrecognized command \`$cmd'"
656 exit 1
657 fi
658
659 unset KEYS_HELP
660 exec "$KEYSLIB/$prefix.$cmd" "$@"
661 }
662
663 ###----- That's all, folks --------------------------------------------------
A Userv-based key management system.