knub=$KEYS/nub/$kowner/$klabel
}
+runas () {
+ user=$1 service=$2; shift 2
+ ## If the current (effective) user is not USER then reinvoke via `userv',
+ ## as the specified service, with the remaining arguments.
+
+ case $(id -un) in
+ "$user") ;;
+ *) exec userv "$user" "$service" "$@" ;;
+ esac
+}
+
###--------------------------------------------------------------------------
### Input validation functions.
validp=t
case "$thing" in
*"$nl"*) validp=nil ;;
- *) if ! expr >/dev/null "$thing" : "$ckpat\$"; then validp=nil; fi ;;
+ *) if ! expr >/dev/null "Q$thing" : "Q$ckpat\$"; then validp=nil; fi ;;
esac
case $validp in
nil) echo >&2 "$quis: bad $ckwhat \`$thing'"; exit 1 ;;
## Regular expressions for validating input.
R_IDENTCHARS="A-Za-z0-9_"
-R_WORDCHARS="-$R_IDENTCHARS!%@+="
+R_GOODPUNCT="!%@+="
+R_WORDCHARS="-$R_IDENTCHARS$R_GOODPUNCT"
R_IDENT="[$R_IDENTCHARS][$R_IDENTCHARS]*"
R_WORD="[$R_WORDCHARS][$R_WORDCHARS]*"
+R_ACLCHARS="][$R_IDENTCHARS$R_GOODPUNCT*?:.#"
R_WORDSEQ="[$R_WORDCHARS[:space:]][$R_WORDCHARS[:space:]]*"
+R_ACL="[$R_ACLCHARS[:space:]-][$R_ACLCHARS[:space:]-]*"
R_NUMERIC='\(\([1-9][0-9]*\)\{0,1\}0\{0,1\}\)'
R_LABEL="\($R_WORD\(/$R_WORD\)*\)"
R_LINE=".*"
done
}
+dumpprops () {
+ prefix=$1
+ ## Write the properties stored in the variables beginning with PREFIX.
+
+ set | sed -n "/^$prefix/{s/=.*\$//;p}" | sort | while read name; do
+ eval value=\$$name
+ echo "${name#$prefix}=$value"
+ done
+}
+
defprops () {
name=$1
## Define a properties table NAME.
nub_hash t $R_WORD
nubid_hash t $R_WORD
nub_random_bytes t $R_NUMERIC
+acl_encrypt t $R_ACL
+acl_decrypt t $R_ACL
+acl_sign t $R_ACL
+acl_verify t $R_ACL
+acl_info t $R_ACL
EOF
readprops () {
## Compute a hash of the key nub in stdin, and write it to stdout in hex.
## The property `nubid_hash' is used.
- { echo "distorted-keys nubid"; cat -; } |
- openssl dgst -${kprop_nubid_hash-sha256}
+ ## Stupid dance because the output incompatibly grew a filename, in order
+ ## to demonstrate the same idiocy as GNU mumblesum.
+ set _ $({ echo "distorted-keys nubid"; cat -; } |
+ openssl dgst -${kprop_nubid_hash-sha256})
+ echo $2
}
subst () {
case $uservp in
t)
checkword "profile user" "$user"
- userv "$user" cryptop-profile "$label" >$tmp/profile
+ userv "$user" cryptop-profile "$label" >$tmp/profile </dev/null
;;
nil)
$bindir/extract-profile "$label" $ETC/profile.d/ >$tmp/profile
###--------------------------------------------------------------------------
### Recovery operations.
+sharethresh () {
+ pf=$1
+ ## Return the sharing threshold from the parameter file PARAM.
+
+ read param <"$pf"
+ case "$param" in
+ shamir-params:*) ;;
+ *)
+ echo >&2 "$quis: secret sharing parameter file damaged (wrong header)"
+ exit 1
+ ;;
+ esac
+ t=";${param#*:}"
+ case "$t" in
+ *";t="*) ;;
+ *)
+ echo >&2 "$quis: secret sharing parameter file damaged (missing t)"
+ exit 1
+ ;;
+ esac
+ t=${t#*;t=}
+ t=${t%%;*}
+ echo "$t"
+}
+
stash () {
recov=$1 label=$2
## Stash a copy of stdin encrypted under the recovery key RECOV, with a