+### -*-sh-*-
+###
+### Key type for OpenSSL
+###
+### (c) 2015 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This file is part of the distorted.org.uk key management suite.
+###
+### distorted-keys is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### distorted-keys is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with distorted-keys; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+R_OPT="$R_IDENT:$R_IDENT"
+R_OPTSEQ="$R_OPT\([[:space:]][[:space:]]*$R_OPT\)*"
+
+R_TYPE="[$R_IDENTCHARS[:space:]][$R_IDENTCHARS[:space:]]*"
+R_BASE64="[a-zA-Z0-9+/]*=*"
+R_PARAMS="$R_TYPE:$R_BASE64"
+
+defprops k_props <<EOF
+algorithm t $R_WORD
+opts t $R_OPTSEQ
+params t $R_PARAMS
+fresh_params_p t $R_IDENT
+cipher t $R_WORD
+sig_opts t $R_OPTSEQ
+enc_opts t $R_OPTSEQ
+EOF
+
+: ${kprop_cipher=aes-256-cbc}
+: ${kprop_fresh_params_p=nil}; boolify kprop_fresh_params_p
+have_opts_p=${kprop_opts+t}${kprop_opts-nil}
+have_params_p=${kprop_params+t}${kprop_params-nil}
+have_alg_p=${kprop_algorithm+t}${kprop_algorithm-nil}
+
+pem_to_line () {
+ ## Read an OpenSSL PEM file from stdin and write a condensed one-line
+ ## version to stdout.
+ sed '/^-----BEGIN \(.*\)-----$/s//\1:/; /^-----END .*-----$/d' |
+ tr -d '\n'
+}
+
+line_to_pem () {
+ line=$1
+ ## Write to stdout an OpenSSL PEM file corresponding to LINE.
+
+ ty=${line%%:*}
+ echo "-----BEGIN $ty-----"
+ echo "${line#*:}" | fold -w64
+ echo "-----END $ty-----";
+}
+
+intersperse_opts () {
+ flag=$1 opts=$2
+
+ args= sep=
+ for i in $opts; do args="$args$sep$flag $i" sep=" "; done
+ echo "$args"
+}
+
+k_generate() {
+ base=$1 nub=$2
+
+ ## Convert the options into OpenSSL command-line options.
+ opts=$(intersperse_opts -pkeyopt "$kprop_opts")
+
+ ## Prepare our ducks, ensuring that they're collinear.
+ case $have_params_p,$have_alg_p,$kprop_fresh_params_p,$have_opts_p in
+ t,nil,nil,nil)
+ line_to_pem "$kprop_params" >$TMP/param
+ args="-paramfile $TMP/param"
+ ;;
+ nil,t,t,*)
+ openssl genpkey -genparam -algorithm $kprop_algorithm $opts >$TMP/param
+ args="-paramfile $TMP/param"
+ ;;
+ nil,t,nil,*)
+ args="-algorithm $kprop_algorithm $opts"
+ ;;
+ *)
+ echo >&2 "$quis: invalid combination of properties"
+ exit 1
+ ;;
+ esac
+
+ ## Generate the private key.
+ openssl -cipher $kprop_cipher -pass file:"$nub" -out "$base/priv"
+
+ ## Extract the public key.
+ openssl -passin file:"$nub" -in "$base/priv" -pubout "$base/pub"
+}
+
+k_encrypt () {
+ base=$1
+
+ openssl pkeyutl -encrypt -pubin -inkey "$base/pub" \
+ $(intersperse_opts -pkeyopt "$kprop_enc_opts")
+}
+
+k_decrypt () {
+ base=$1 nub=$2
+
+ openssl pkeyutl -decrypt -passin file:"$nub" -inkey "$base/priv"
+}
+
+k_sign () {
+ base=$1 nub=$2
+
+ openssl pkeyutl -sign -passin file:"$nub" -inkey "$base/priv" \
+ $(intersperse_opts -pkeyopt "$kprop_sig_opts") >$TMP/sig
+ pem_to_line <$TMP/sig
+}
+
+k_verify () {
+ base=$1 sig=$3
+
+ line_to_pem "$3" >$TMP/sig
+ openssl pkeyutl -verify -pubin -inkey "$base/pub" -sigfile $TMP/sig
+}
+
+###----- That's all, folks --------------------------------------------------