mdw@git.distorted.org.uk Git - distorted-keys/blob - keyfunc.sh.in

   1 ### -*-sh-*-
   2 ###
   3 ### Common key management functions.
   4 ###
   5 ### (c) 2011 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This file is part of the distorted.org.uk key management suite.
  11 ###
  12 ### distorted-keys is free software; you can redistribute it and/or modify
  13 ### it under the terms of the GNU General Public License as published by
  14 ### the Free Software Foundation; either version 2 of the License, or
  15 ### (at your option) any later version.
  16 ###
  17 ### distorted-keys is distributed in the hope that it will be useful,
  18 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  19 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20 ### GNU General Public License for more details.
  21 ###
  22 ### You should have received a copy of the GNU General Public License
  23 ### along with distorted-keys; if not, write to the Free Software Foundation,
  24 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  25
  26 quis=${0##*/}
  27
  28 ###--------------------------------------------------------------------------
  29 ### Configuration variables.
  30
  31 PACKAGE="@PACKAGE@" VERSION="@VERSION@"
  32 pkgconfdir="@pkgconfdir@" pkglibdir="@pkglibdir@"
  33 bindir="@bindir@"
  34
  35 case ":$PATH:" in *:"$bindir":*) ;; *) PATH=$bindir:$PATH ;; esac
  36
  37 if [ -f $KEYS/keys.conf ]; then . $KEYS/keys.conf; fi
  38 : ${random=/dev/random}
  39
  40 case "${KEYS_DEBUG+t}" in t) set -x ;; esac
  41
  42 ###--------------------------------------------------------------------------
  43 ### Cleanup handling.
  44
  45 cleanups=""
  46 cleanup () { cleanups="$cleanups $1"; }
  47 trap 'rc=$?; for i in $cleanups; do $i; done; exit $rc' EXIT
  48 trap 'exit 127' INT TERM
  49
  50 ###--------------------------------------------------------------------------
  51 ### Utility functions.
  52
  53 ## Temporary directory.
  54 unset tmp
  55 rmtmp () { cd /; rm -rf $tmp; }
  56 mktmp () {
  57   ## Make and return the name of a temporary directory.
  58
  59   case "${tmp+t}" in t) echo "$tmp"; return ;; esac
  60   mem=$(userv root claim-mem-dir </dev/null)
  61   tmp="$mem/keys.tmp.$$"
  62   rm -rf "$tmp"
  63   mkdir -m700 "$tmp"
  64   echo "$tmp"
  65 }
  66
  67 ###--------------------------------------------------------------------------
  68 ### Input validation functions.
  69
  70 checknumber () {
  71   what=$1 thing=$2
  72   case "$thing" in
  73     "" | [!1-9]* | *[!0-9]*)
  74       echo >&2 "$quis: bad $what \`$thing'"
  75       exit 1
  76       ;;
  77   esac
  78 }
  79
  80 checkword () {
  81   what=$1 thing=$2
  82   case "$thing" in
  83     "" | *[!-0-9a-zA-Z_!%@+=]*)
  84       echo >&2 "$quis: bad $what: \`$thing'"
  85       exit 1
  86       ;;
  87   esac
  88 }
  89
  90 checklabel () {
  91   what=$1 thing=$2
  92   case "$thing" in
  93     *[!-0-9a-zA-Z_!%@+=/#]* | *//* | /* | */)
  94       echo >&2 "$quis: bad $what label \`$thing'"
  95       exit 1
  96       ;;
  97   esac
  98 }
  99
 100 ###--------------------------------------------------------------------------
 101 ### Crypto operations.
 102 ###
 103 ### We use Seccure for this, but it's interface is Very Annoying.
 104
 105 run_seccure () {
 106   op=$1; shift
 107   ## run_seccure OP ARG ...
 108   ##
 109   ## Run a Seccure program, ensuring that its stderr is reported if it had
 110   ## anything very interesting to say, but suppressed if it was boring.
 111
 112   ## We need a temporary place for the error output.
 113   case ${tmp+t} in
 114     t) ;;
 115     *)
 116       echo >&2 "$quis (INTERNAL): run_seccure called without tmpdir"
 117       exit 127
 118       ;;
 119   esac
 120
 121   ## Run the program.
 122   set +e; seccure-$op "$@" 2>$tmp/seccure.out; rc=$?; set -e
 123   grep -v '^WARNING: Cannot obtain memory lock' $tmp/seccure.out >&2 || :
 124   return $rc
 125 }
 126
 127 ec_public () {
 128   private=$1
 129   ## Write the public key corresponding to PRIVATE to stdout.
 130
 131   run_seccure key -q -cp256 -F"$private"
 132 }
 133
 134 ec_keygen () {
 135   private=$1 public=$2
 136   ## Make a new key, write private key to PRIVATE and public key to PUBLIC.
 137
 138   dd if=$random bs=1 count=512 2>/dev/null |
 139     openssl dgst -sha384 -binary |
 140     (umask 077 && openssl base64 >"$private")
 141   ec_public "$private" >"$public"
 142 }
 143
 144 ec_encrypt () {
 145   public=$1; shift
 146   ## Encrypt stuff using the PUBLIC key.  Use -i/-o or redirection.
 147
 148   run_seccure encrypt -q -cp256 -m128 "$@" -- $(cat "$public")
 149 }
 150
 151 ec_decrypt () {
 152   private=$1; shift
 153   ## Decrypt stuff using the PRIVATE key.  Use -i/-o or redirection.
 154
 155   run_seccure decrypt -q -cp256 -m128 -F"$private" "$@"
 156 }
 157
 158 ec_sign () {
 159   private=$1; shift
 160   ## Sign stuff using the PRIVATE key.  Use -i/-o or redirection.
 161
 162   run_seccure sign -q -cp256 -F"$private" "$@"
 163 }
 164
 165 ec_verify () {
 166   public=$1 signature=$2; shift
 167   ## Verify a SIGNATURE using the PUBLIC key; use -i or redirection for the
 168   ## input.
 169
 170   run_seccure verify -q -cp256 "$@" -- $(cat "$public") "$signature"
 171 }
 172
 173 ###--------------------------------------------------------------------------
 174 ### Help text.
 175
 176 dohelp () {
 177   case "$KEYS_HELP" in t) ;; *) return ;; esac
 178   help; exit
 179 }
 180
 181 defhelp () { read umsg; usage="usage: $quis${umsg+ }$umsg"; help=$(cat); }
 182 help () { showhelp; }
 183 showhelp () {
 184   cat <<EOF
 185 $usage
 186
 187 $help
 188 EOF
 189 }
 190
 191 ###----- That's all, folks --------------------------------------------------