### -*-sh-*- ### ### Common key management functions. ### ### (c) 2011 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This file is part of the distorted.org.uk key management suite. ### ### distorted-keys is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### distorted-keys is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with distorted-keys; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. quis=${0##*/} ###-------------------------------------------------------------------------- ### Configuration variables. PACKAGE="@PACKAGE@" VERSION="@VERSION@" pkgconfdir="@pkgconfdir@" pkglibdir="@pkglibdir@" bindir="@bindir@" case ":$PATH:" in *:"$bindir":*) ;; *) PATH=$bindir:$PATH ;; esac if [ -f $KEYS/keys.conf ]; then . $KEYS/keys.conf; fi : ${random=/dev/random} case "${KEYS_DEBUG+t}" in t) set -x ;; esac ###-------------------------------------------------------------------------- ### Cleanup handling. cleanups="" cleanup () { cleanups="$cleanups $1"; } trap 'rc=$?; for i in $cleanups; do $i; done; exit $rc' EXIT trap 'exit 127' INT TERM ###-------------------------------------------------------------------------- ### Utility functions. ## Temporary directory. unset tmp rmtmp () { cd /; rm -rf $tmp; } mktmp () { ## Make and return the name of a temporary directory. case "${tmp+t}" in t) echo "$tmp"; return ;; esac mem=$(userv root claim-mem-dir &2 "$quis: bad $what \`$thing'" exit 1 ;; esac } checkword () { what=$1 thing=$2 case "$thing" in "" | *[!-0-9a-zA-Z_!%@+=]*) echo >&2 "$quis: bad $what: \`$thing'" exit 1 ;; esac } checklabel () { what=$1 thing=$2 case "$thing" in *[!-0-9a-zA-Z_!%@+=/#]* | *//* | /* | */) echo >&2 "$quis: bad $what label \`$thing'" exit 1 ;; esac } ###-------------------------------------------------------------------------- ### Crypto operations. ### ### We use Seccure for this, but it's interface is Very Annoying. run_seccure () { op=$1; shift ## run_seccure OP ARG ... ## ## Run a Seccure program, ensuring that its stderr is reported if it had ## anything very interesting to say, but suppressed if it was boring. ## We need a temporary place for the error output. case ${tmp+t} in t) ;; *) echo >&2 "$quis (INTERNAL): run_seccure called without tmpdir" exit 127 ;; esac ## Run the program. set +e; seccure-$op "$@" 2>$tmp/seccure.out; rc=$?; set -e grep -v '^WARNING: Cannot obtain memory lock' $tmp/seccure.out >&2 || : return $rc } ec_public () { private=$1 ## Write the public key corresponding to PRIVATE to stdout. run_seccure key -q -cp256 -F"$private" } ec_keygen () { private=$1 public=$2 ## Make a new key, write private key to PRIVATE and public key to PUBLIC. dd if=$random bs=1 count=512 2>/dev/null | openssl dgst -sha384 -binary | (umask 077 && openssl base64 >"$private") ec_public "$private" >"$public" } ec_encrypt () { public=$1; shift ## Encrypt stuff using the PUBLIC key. Use -i/-o or redirection. run_seccure encrypt -q -cp256 -m128 "$@" -- $(cat "$public") } ec_decrypt () { private=$1; shift ## Decrypt stuff using the PRIVATE key. Use -i/-o or redirection. run_seccure decrypt -q -cp256 -m128 -F"$private" "$@" } ec_sign () { private=$1; shift ## Sign stuff using the PRIVATE key. Use -i/-o or redirection. run_seccure sign -q -cp256 -F"$private" "$@" } ec_verify () { public=$1 signature=$2; shift ## Verify a SIGNATURE using the PUBLIC key; use -i or redirection for the ## input. run_seccure verify -q -cp256 "$@" -- $(cat "$public") "$signature" } ###-------------------------------------------------------------------------- ### Help text. dohelp () { case "$KEYS_HELP" in t) ;; *) return ;; esac help; exit } defhelp () { read umsg; usage="usage: $quis${umsg+ }$umsg"; help=$(cat); } help () { showhelp; } showhelp () { cat <