Renaming lib/keyringer to lib/bash

author: Silvio Rhatto <rhatto@riseup.net> 2011-01-22 13:00:43 -0200
committer: Silvio Rhatto <rhatto@riseup.net> 2011-01-22 13:00:43 -0200
commit: c5b447359303979ac91e8cea126d14480536df94 (patch)
tree: 25634600b33f7ca728b496b2a6f6680a85b475be /lib/bash
parent: d26a9d55a519fff08ee3d44c64c9567c6ec3a8f0 (diff)
download: keyringer-c5b447359303979ac91e8cea126d14480536df94.tar.gz
keyringer-c5b447359303979ac91e8cea126d14480536df94.tar.bz2
2 files changed, 466 insertions, 0 deletions
diff --git a/lib/bash/csr.sh b/lib/bash/csr.sh
new file mode 100755
index 0000000..881a46f
--- /dev/null
+++ b/lib/bash/csr.sh
@@ -0,0 +1,145 @@
+#!/bin/sh
+# csr.sh: Certificate Signing Request Generator
+# Copyright(c) 2005 Evaldo Gardenali <evaldo@gardenali.biz>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+# POSSIBILITY OF SUCH DAMAGE.
+#
+# ChangeLog:
+# Mon May 23 00:14:37 BRT  2005 - evaldo - Initial Release
+# Thu Nov  3 10:11:51 GMT  2005 - chrisc - $HOME removed so that key and csr
+#                                          are generated in the current directory
+# Wed Nov 16 10:42:42 GMT  2005 - chrisc - Updated to match latest version on
+#                                          the CAcert wiki, rev #73
+#                                          http://wiki.cacert.org/wiki/VhostTaskForce 
+# Mon Jan  4 18:37:28 BRST 2010 - rhatto - Support for non-interactive mode
+
+
+# be safe about permissions
+LASTUMASK=`umask`
+umask 077
+
+# OpenSSL for HPUX needs a random file
+RANDOMFILE="$HOME/.rnd"
+
+# create a config file for openssl
+CONFIG=`mktemp -q /tmp/openssl-conf.XXXXXXXX`
+if [ ! $? -eq 0 ]; then
+    echo "Could not create temporary config file. exiting"
+    exit 1
+fi
+
+echo "Private Key and Certificate Signing Request Generator"
+echo "This script was designed to suit the request format needed by"
+echo "the CAcert Certificate Authority. www.CAcert.org"
+echo
+
+HOST="$1"
+COMMONNAME="$2"
+SAN="$3"
+
+if [ -z "$HOST" ]; then
+  printf "Short Hostname (ie. imap big_srv www2): "
+  read HOST
+fi
+
+if [ -z "$COMMONNAME" ]; then
+  printf "FQDN/CommonName (ie. www.example.com) : "
+  read COMMONNAME
+fi
+
+if [ -z "$SAN" ]; then
+  echo "Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish"
+  SAN=1        # bogus value to begin the loop
+  SANAMES=""   # sanitize
+  while [ ! "$SAN" = "" ]; do
+    printf "SubjectAltName: DNS:"
+    read SAN
+    if [ "$SAN" = "" ]; then break; fi # end of input
+      if [ "$SANAMES" = "" ]; then
+        SANAMES="DNS:$SAN"
+      else
+        SANAMES="$SANAMES,DNS:$SAN"
+      fi
+    done
+else
+  SANAMES="DNS:$SAN"
+fi
+
+# Config File Generation
+
+cat <<EOF > "$CONFIG"
+# -------------- BEGIN custom openssl.cnf -----
+ HOME                    = $HOME
+EOF
+
+if [ "`uname -s`" = "HP-UX" ]; then
+    echo " RANDFILE                = $RANDOMFILE" >> "$CONFIG"
+fi
+
+cat <<EOF >> "$CONFIG"
+ oid_section             = new_oids
+ [ new_oids ]
+ [ req ]
+ default_days            = 730            # how long to certify for
+ default_keyfile         = ${HOST}_privatekey.pem
+ distinguished_name      = req_distinguished_name
+ encrypt_key             = no
+ string_mask = nombstr
+EOF
+
+if [ ! "$SANAMES" = "" ]; then
+    echo "req_extensions = v3_req # Extensions to add to certificate request" >> "$CONFIG"
+fi
+
+cat <<EOF >> "$CONFIG"
+ [ req_distinguished_name ]
+ commonName              = Common Name (eg, YOUR name)
+ commonName_default      = $COMMONNAME
+ commonName_max          = 64
+ [ v3_req ]
+EOF
+
+if [ ! "$SANAMES" = "" ]; then
+    echo "subjectAltName=$SANAMES" >> "$CONFIG"
+fi
+
+echo "# -------------- END custom openssl.cnf -----" >> "$CONFIG"
+
+echo "Running OpenSSL..."
+# The first one doesn't work, the second one does:
+#openssl req -batch -config "$CONFIG" -newkey rsa -out ${HOST}_csr.pem
+openssl req -batch -config "$CONFIG" -newkey rsa:2048 -out "${HOST}_csr.pem"
+
+echo "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate."
+echo "When you receive your certificate, you 'should' name it something like ${HOST}_server.pem"
+echo
+cat ${HOST}_csr.pem
+echo
+printf "The Certificate request is also available in '%s_csr.pem'\n" "$HOST"
+printf "The Private Key is stored in '%s_privatekey.pem'\n" "$HOST"
+echo
+
+rm "$CONFIG"
+
+#restore umask
+umask "$LASTUMASK"
+
diff --git a/lib/bash/functions b/lib/bash/functions
new file mode 100644
index 0000000..11d1b86
--- /dev/null
+++ b/lib/bash/functions
@@ -0,0 +1,321 @@
+#!/bin/bash
+#
+# Common functions.
+#
+
+# Setup main configuration and load preferences
+function keyringer_config_load {
+  if [ -f "$HOME/.$NAME" ]; then
+    echo "Converting legacy configuration scheme..."
+    mv "$HOME/.$NAME" "$HOME/.$NAME.tmp"
+    mkdir "$HOME/.$NAME"
+    mv "$HOME/.$NAME.tmp" "$CONFIG"
+  fi
+
+  if [ ! -e "$CONFIG" ]; then
+    echo "Creating $CONFIG..."
+    mkdir -p `dirname $CONFIG`
+    touch "$CONFIG"
+    chmod 600 "$CONFIG"
+    echo "# Keyringer config file." > "$CONFIG"
+    echo "" >> "$CONFIG"
+  fi
+
+  keyringer_config_load_preferences
+}
+
+# Load config preferences
+function keyringer_config_load_preferences {
+  # Load custom keyring preferences
+  if [ ! -z "$PREFERENCES" ] && [ -f "$PREFERENCES" ]; then
+    source "$PREFERENCES"
+  fi
+}
+
+# Load a parameter from config
+function keyringer_config {
+  if [ -z "$CONFIG" ]; then
+    echo "Your have to set CONFIG variable in the code"
+    exit 1
+  elif [ -e "$CONFIG" ]; then
+    grep -e "^$1=" "$CONFIG" | tail -n 1 | cut -d = -f 2 | sed -e 's/"//g' -e "s/'//g" | sed -e 's/ *#.*$//'
+  else
+    echo "Config file not found: $CONFIG"
+    exit 1
+  fi
+}
+
+# Return the list of recipients
+function keyringer_recipients {
+  grep -v '^#' "$1" | grep -v '^$' | awk '{ print "-r " $2 }' | xargs
+}
+
+# Check if keyringer has a given action
+function keyringer_has_action {
+ if [ -z "$ACTIONS" ]; then
+   echo "Your have to set ACTIONS variable in the code"
+   exit 1
+ fi
+
+ if [ -e "$ACTIONS/$1" ]; then
+   true
+ else
+   false
+ fi
+}
+
+# Execute an action
+function keyringer_exec {
+  # Setup
+  action="$1"
+  basedir="$2"
+  shift 2
+  
+  # Dispatch
+  if keyringer_has_action "$action"; then
+    "$ACTIONS/$action" "$basedir" $*
+  fi
+}
+
+# Return a filename with correct extension
+function keyringer_filename {
+  if [ -z "$1" ]; then
+    return
+  else
+    printf "%s/%s.asc\n" "$(dirname "$1")" "$(basename "$1" .asc)"
+  fi
+}
+
+# Check if a folder is inside a git repository
+function keyringer_is_git {
+  if [ -z "$1" ]; then
+    false
+  elif [ ! -d "$1" ]; then
+    false
+  elif [ -d "$1/.git" ]; then
+    true
+  else
+    cwd="`pwd`"
+    cd "$1" && git="`git status &> /dev/null`" && cd "$cwd"
+
+    if [ "$git" != "128" ]; then
+      true
+    else
+      false
+    fi
+  fi
+}
+
+# Setup a temporary file
+function keyringer_set_tmpfile {
+  if [ -z "$BASEDIR" ]; then
+    echo "Please set BASEDIR before creating a tmp file"
+    exit 1
+  fi
+
+  if [ -z "$1" ]; then
+    template="$BASEDIR/tmp/keyringer.XXXXXXXXXX"
+  else
+    template="$BASEDIR/tmp/$1.XXXXXXXXXX"
+  fi
+
+  mkdir -p "$BASEDIR/tmp"
+  keyringer_git_ignore 'tmp/*'
+
+  if [ "$2" == "-d" ]; then
+    TMPWORK="$(mktemp -d "$template")"
+  else
+    TMPWORK="$(mktemp "$template")"
+  fi
+  
+  if [ "$?" != "0" ]; then
+    printf "Error: can't set TMPWORK %s\n" "$TMPWORK"
+    exit 1
+  fi
+
+  trap "keyringer_unset_tmpfile $TMPWORK; exit" INT TERM EXIT
+}
+
+# Remove a temporary file
+function keyringer_unset_tmpfile {
+  if [ -z "$1" ]; then
+    echo "No tmp file set"
+  fi
+
+  rm -f "$1"
+
+  if [ "$?" != "0" ]; then
+    echo "Warning: could not delete file $1. Please delete it manually as it might have sensitive information."
+    exit 1
+  fi
+}
+
+# Add a pattern into gitignore
+function keyringer_git_ignore {
+  if [ ! -z "$BASEDIR/.gitignore" ]; then
+    echo "$1" > "$BASEDIR/.gitignore"
+    keyringer_exec git "$BASEDIR" add .gitignore
+  else
+    if ! grep -q -e "^$1$" "$BASEDIR/.gitignore"; then
+      echo "$1" >> "$BASEDIR/.gitignore"
+    fi
+  fi
+}
+
+# Set needed environment variables and do basic checks.
+function keyringer_set_env {
+  if [ -z "$1" ]; then
+    echo "Error: missing arguments for keyringer_set_env"
+    exit 1    
+  fi
+
+  ACTIONS="`dirname $0`"
+  BASENAME="`basename $0`"
+  BASEDIR="$1"
+  SUBCOMMAND="$2"
+  KEYDIR="$BASEDIR/keys"
+  RECIPIENTS="$BASEDIR/config/recipients"
+  OPTIONS="$BASEDIR/config/options"
+  VERSION_INFO="$BASEDIR/config/version"
+
+  if [ -z "$BASEDIR" ]; then
+    keyringer_action_usage
+    exit 1
+  fi
+
+  if [ ! -f "$RECIPIENTS" ]; then
+    echo "No recipient config was found"
+    exit 1
+  fi
+
+  if [ -z "$EDITOR" ]; then
+    if type sensible-editor > /dev/null 2>&1 ; then
+      EDITOR=sensible-editor
+    elif type editor > /dev/null 2>&1 ; then
+      EDITOR=editor
+    else
+      echo "You have to set EDITOR env variable"
+      exit 1
+    fi
+  fi
+
+  if [ ! -f "$OPTIONS" ]; then
+    echo "No option config was found"
+    exit 1
+  fi
+
+  # Check recipients file
+  keyringer_check_recipients $SUBCOMMAND
+
+  # Ensure that keydir exists
+  mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
+
+  # Check keyring config version
+  keyringer_check_version
+}
+
+# Configuration version tracking to help keyring upgrades
+function keyringer_check_version {
+  if [ ! -f "$VERSION_INFO" ]; then
+    echo "Creating configuration version file..."
+    echo 0 > "$VERSION_INFO"
+    keyringer_exec git "$BASEDIR" add config/version
+  fi
+
+  VERSION="`cat $VERSION_INFO`"
+}
+
+# Get a file argument
+function keyringer_get_file {
+  FILE="$(keyringer_filename "$1")"
+  
+  if [ -z "$FILE" ]; then
+    keyringer_action_usage
+    exit 1
+  elif [ ! -f "$KEYDIR/$FILE" ]; then
+    echo "File not found: $KEYDIR/$FILE"
+    exit 1
+  fi
+}
+
+# Get a new file argument
+function keyringer_get_new_file {
+  FILE="$(keyringer_filename "$1")"
+  
+  if [ -z "$FILE" ]; then
+    keyringer_action_usage
+    exit 1
+  fi
+}
+
+# Get a command argument
+function keyringer_get_command {
+  # Aditional parameters
+  COMMAND="$1"
+  
+  if [ -z "$COMMAND" ]; then
+    keyringer_action_usage command
+    exit 1
+  fi
+}
+
+# Run the action usage
+function keyringer_action_usage {
+  if [ "`type -t "keyringer_usage_$BASENAME"`" == "function" ]; then
+    # Use custom action usage
+    "keyringer_usage_$BASENAME"
+  else
+    # Default usage
+    if [ "$1" == "command" ]; then
+      echo "Usage: keyringer <keyring> $BASENAME <command> [arguments]"
+    else
+      echo "Usage: keyringer <keyring> $BASENAME <file>"
+    fi
+  fi
+}
+
+# Check recipients
+function keyringer_check_recipients {
+  # Check recipients header for updates.
+  if grep -qe ' XXXXXXXX$' "$RECIPIENTS"; then
+    echo "Updating recipients file..."
+    sed -i -e 's/ XXXXXXXX$/ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/' "$RECIPIENTS"
+  fi
+
+  if [ "$1" == "edit" ]; then
+    # Don't do the other checks at edit mode.
+    return
+  fi
+
+  for recipient in $(cat "$RECIPIENTS" | grep -v '^#' | awk '{ print $2 }'); do
+    size=$(echo "$recipient" | wc -c)
+    if (( $size < 41 )); then
+      echo "Fatal: please set the full GPG signature hash for key ID $recipient:"
+      cat <<-EOF
+
+Recipients file can't have 32-bit keyids (e.g.  DEADBEEF or DECAF123).  These
+are trivial to spoof.  With a few gigs of disk space and a day of time on
+cheap, readily-available hardware, it's possible to build keys to match every
+possible 32-bit keyid.  The search space just isn't big enough.
+
+If you're going to specify keys by keyid, they should be specified by full
+160-bit OpenPGP fingerprint.  It would be very bad if someone spoofed a keyID
+and caused another participant in a keyringer instance to reencrypt a secret
+store to the spoofed key in addition to your own.
+EOF
+      exit 1
+    else
+      gpg --list-key "$recipient" &> /dev/null
+      if [ "$?" != "0" ]; then
+        echo "Fatal: no such key $recipient on your GPG keyring."
+        echo "Please check for this key or fix the recipient file."
+        exit 1
+      fi
+    fi
+  done
+}
+
+# Setup environment
+if [ "$(basename "$0")" != "keyringer" ]; then
+  keyringer_set_env $*
+fi
author	Silvio Rhatto <rhatto@riseup.net>	2011-01-22 13:00:43 -0200
committer	Silvio Rhatto <rhatto@riseup.net>	2011-01-22 13:00:43 -0200
commit	c5b447359303979ac91e8cea126d14480536df94 (patch)
tree	25634600b33f7ca728b496b2a6f6680a85b475be /lib/bash
parent	d26a9d55a519fff08ee3d44c64c9567c6ec3a8f0 (diff)
download	keyringer-c5b447359303979ac91e8cea126d14480536df94.tar.gz keyringer-c5b447359303979ac91e8cea126d14480536df94.tar.bz2