author | Silvio Rhatto <rhatto@riseup.net> | 2011-01-22 13:00:43 -0200 |
committer | Silvio Rhatto <rhatto@riseup.net> | 2011-01-22 13:00:43 -0200 |
commit | c5b447359303979ac91e8cea126d14480536df94 (patch) | |
tree | 25634600b33f7ca728b496b2a6f6680a85b475be /lib/keyringer | |
parent | d26a9d55a519fff08ee3d44c64c9567c6ec3a8f0 (diff) | |
download | keyringer-c5b447359303979ac91e8cea126d14480536df94.tar.gz keyringer-c5b447359303979ac91e8cea126d14480536df94.tar.bz2 |
Renaming lib/keyringer to lib/bash
Diffstat (limited to 'lib/keyringer')
-rwxr-xr-x | lib/keyringer/csr.sh | 145 | ||||
-rw-r--r-- | lib/keyringer/functions | 321 |
2 files changed, 0 insertions, 466 deletions
diff --git a/lib/keyringer/csr.sh b/lib/keyringer/csr.sh
deleted file mode 100755
index 881a46f..0000000
--- a/lib/keyringer/csr.sh
+++ /dev/null
@@ -1,145 +0,0 @@ -#!/bin/sh -# csr.sh: Certificate Signing Request Generator -# Copyright(c) 2005 Evaldo Gardenali <evaldo@gardenali.biz> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. 
-# -# ChangeLog: -# Mon May 23 00:14:37 BRT 2005 - evaldo - Initial Release -# Thu Nov 3 10:11:51 GMT 2005 - chrisc - $HOME removed so that key and csr -# are generated in the current directory -# Wed Nov 16 10:42:42 GMT 2005 - chrisc - Updated to match latest version on -# the CAcert wiki, rev #73 -# http://wiki.cacert.org/wiki/VhostTaskForce -# Mon Jan 4 18:37:28 BRST 2010 - rhatto - Support for non-interactive mode - - -# be safe about permissions -LASTUMASK=`umask` -umask 077 - -# OpenSSL for HPUX needs a random file -RANDOMFILE="$HOME/.rnd" - -# create a config file for openssl -CONFIG=`mktemp -q /tmp/openssl-conf.XXXXXXXX` -if [ ! $? -eq 0 ]; then - echo "Could not create temporary config file. exiting" - exit 1 -fi - -echo "Private Key and Certificate Signing Request Generator" -echo "This script was designed to suit the request format needed by" -echo "the CAcert Certificate Authority. www.CAcert.org" -echo - -HOST="$1" -COMMONNAME="$2" -SAN="$3" - -if [ -z "$HOST" ]; then - printf "Short Hostname (ie. imap big_srv www2): " - read HOST -fi - -if [ -z "$COMMONNAME" ]; then - printf "FQDN/CommonName (ie. www.example.com) : " - read COMMONNAME -fi - -if [ -z "$SAN" ]; then - echo "Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish" - SAN=1 # bogus value to begin the loop - SANAMES="" # sanitize - while [ ! 
"$SAN" = "" ]; do - printf "SubjectAltName: DNS:" - read SAN - if [ "$SAN" = "" ]; then break; fi # end of input - if [ "$SANAMES" = "" ]; then - SANAMES="DNS:$SAN" - else - SANAMES="$SANAMES,DNS:$SAN" - fi - done -else - SANAMES="DNS:$SAN" -fi - -# Config File Generation - -cat <<EOF > "$CONFIG" -# -------------- BEGIN custom openssl.cnf ----- - HOME = $HOME -EOF - -if [ "`uname -s`" = "HP-UX" ]; then - echo " RANDFILE = $RANDOMFILE" >> "$CONFIG" -fi - -cat <<EOF >> "$CONFIG" - oid_section = new_oids - [ new_oids ] - [ req ] - default_days = 730 # how long to certify for - default_keyfile = ${HOST}_privatekey.pem - distinguished_name = req_distinguished_name - encrypt_key = no - string_mask = nombstr -EOF - -if [ ! "$SANAMES" = "" ]; then - echo "req_extensions = v3_req # Extensions to add to certificate request" >> "$CONFIG" -fi - -cat <<EOF >> "$CONFIG" - [ req_distinguished_name ] - commonName = Common Name (eg, YOUR name) - commonName_default = $COMMONNAME - commonName_max = 64 - [ v3_req ] -EOF - -if [ ! "$SANAMES" = "" ]; then - echo "subjectAltName=$SANAMES" >> "$CONFIG" -fi - -echo "# -------------- END custom openssl.cnf -----" >> "$CONFIG" - -echo "Running OpenSSL..." -# The first one doesn't work, the second one does: -#openssl req -batch -config "$CONFIG" -newkey rsa -out ${HOST}_csr.pem -openssl req -batch -config "$CONFIG" -newkey rsa:2048 -out "${HOST}_csr.pem" - -echo "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate." -echo "When you receive your certificate, you 'should' name it something like ${HOST}_server.pem" -echo -cat ${HOST}_csr.pem -echo -printf "The Certificate request is also available in '%s_csr.pem'\n" "$HOST" -printf "The Private Key is stored in '%s_privatekey.pem'\n" "$HOST" -echo - -rm "$CONFIG" - -#restore umask -umask "$LASTUMASK" - diff --git a/lib/keyringer/functions b/lib/keyringer/functions deleted file mode 100644 index 11d1b86..0000000 --- a/lib/keyringer/functions +++ /dev/null 
@@ -1,321 +0,0 @@ -#!/bin/bash -# -# Common functions. -# - -# Setup main configuration and load preferences -function keyringer_config_load { - if [ -f "$HOME/.$NAME" ]; then - echo "Converting legacy configuration scheme..." - mv "$HOME/.$NAME" "$HOME/.$NAME.tmp" - mkdir "$HOME/.$NAME" - mv "$HOME/.$NAME.tmp" "$CONFIG" - fi - - if [ ! -e "$CONFIG" ]; then - echo "Creating $CONFIG..." - mkdir -p `dirname $CONFIG` - touch "$CONFIG" - chmod 600 "$CONFIG" - echo "# Keyringer config file." > "$CONFIG" - echo "" >> "$CONFIG" - fi - - keyringer_config_load_preferences -} - -# Load config preferences -function keyringer_config_load_preferences { - # Load custom keyring preferences - if [ ! -z "$PREFERENCES" ] && [ -f "$PREFERENCES" ]; then - source "$PREFERENCES" - fi -} - -# Load a parameter from config -function keyringer_config { - if [ -z "$CONFIG" ]; then - echo "Your have to set CONFIG variable in the code" - exit 1 - elif [ -e "$CONFIG" ]; then - grep -e "^$1=" "$CONFIG" | tail -n 1 | cut -d = -f 2 | sed -e 's/"//g' -e "s/'//g" | sed -e 's/ *#.*$//' - else - echo "Config file not found: $CONFIG" - exit 1 - fi -} - -# Return the list of recipients -function keyringer_recipients { - grep -v '^#' "$1" | grep -v '^$' | awk '{ print "-r " $2 }' | xargs -} - -# Check if keyringer has a given action -function keyringer_has_action { - if [ -z "$ACTIONS" ]; then - echo "Your have to set ACTIONS variable in the code" - exit 1 - fi - - if [ -e "$ACTIONS/$1" ]; then - true - else - false - fi -} - -# Execute an action -function keyringer_exec { - # Setup - action="$1" - basedir="$2" - shift 2 - - # Dispatch - if keyringer_has_action "$action"; then - "$ACTIONS/$action" "$basedir" $* - fi -} - -# Return a filename with correct extension -function keyringer_filename { - if [ -z "$1" ]; then - return - else - printf "%s/%s.asc\n" "$(dirname "$1")" "$(basename "$1" .asc)" - fi -} - -# Check if a folder is inside a git repository -function keyringer_is_git { - if [ -z "$1" ]; then 
- false - elif [ ! -d "$1" ]; then - false - elif [ -d "$1/.git" ]; then - true - else - cwd="`pwd`" - cd "$1" && git="`git status &> /dev/null`" && cd "$cwd" - - if [ "$git" != "128" ]; then - true - else - false - fi - fi -} - -# Setup a temporary file -function keyringer_set_tmpfile { - if [ -z "$BASEDIR" ]; then - echo "Please set BASEDIR before creating a tmp file" - exit 1 - fi - - if [ -z "$1" ]; then - template="$BASEDIR/tmp/keyringer.XXXXXXXXXX" - else - template="$BASEDIR/tmp/$1.XXXXXXXXXX" - fi - - mkdir -p "$BASEDIR/tmp" - keyringer_git_ignore 'tmp/*' - - if [ "$2" == "-d" ]; then - TMPWORK="$(mktemp -d "$template")" - else - TMPWORK="$(mktemp "$template")" - fi - - if [ "$?" != "0" ]; then - printf "Error: can't set TMPWORK %s\n" "$TMPWORK" - exit 1 - fi - - trap "keyringer_unset_tmpfile $TMPWORK; exit" INT TERM EXIT -} - -# Remove a temporary file -function keyringer_unset_tmpfile { - if [ -z "$1" ]; then - echo "No tmp file set" - fi - - rm -f "$1" - - if [ "$?" != "0" ]; then - echo "Warning: could not delete file $1. Please delete it manually as it might have sensitive information." - exit 1 - fi -} - -# Add a pattern into gitignore -function keyringer_git_ignore { - if [ ! -z "$BASEDIR/.gitignore" ]; then - echo "$1" > "$BASEDIR/.gitignore" - keyringer_exec git "$BASEDIR" add .gitignore - else - if ! grep -q -e "^$1$" "$BASEDIR/.gitignore"; then - echo "$1" >> "$BASEDIR/.gitignore" - fi - fi -} - -# Set needed environment variables and do basic checks. -function keyringer_set_env { - if [ -z "$1" ]; then - echo "Error: missing arguments for keyringer_set_env" - exit 1 - fi - - ACTIONS="`dirname $0`" - BASENAME="`basename $0`" - BASEDIR="$1" - SUBCOMMAND="$2" - KEYDIR="$BASEDIR/keys" - RECIPIENTS="$BASEDIR/config/recipients" - OPTIONS="$BASEDIR/config/options" - VERSION_INFO="$BASEDIR/config/version" - - if [ -z "$BASEDIR" ]; then - keyringer_action_usage - exit 1 - fi - - if [ ! 
-f "$RECIPIENTS" ]; then - echo "No recipient config was found" - exit 1 - fi - - if [ -z "$EDITOR" ]; then - if type sensible-editor > /dev/null 2>&1 ; then - EDITOR=sensible-editor - elif type editor > /dev/null 2>&1 ; then - EDITOR=editor - else - echo "You have to set EDITOR env variable" - exit 1 - fi - fi - - if [ ! -f "$OPTIONS" ]; then - echo "No option config was found" - exit 1 - fi - - # Check recipients file - keyringer_check_recipients $SUBCOMMAND - - # Ensure that keydir exists - mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR" - - # Check keyring config version - keyringer_check_version -} - -# Configuration version tracking to help keyring upgrades -function keyringer_check_version { - if [ ! -f "$VERSION_INFO" ]; then - echo "Creating configuration version file..." - echo 0 > "$VERSION_INFO" - keyringer_exec git "$BASEDIR" add config/version - fi - - VERSION="`cat $VERSION_INFO`" -} - -# Get a file argument -function keyringer_get_file { - FILE="$(keyringer_filename "$1")" - - if [ -z "$FILE" ]; then - keyringer_action_usage - exit 1 - elif [ ! -f "$KEYDIR/$FILE" ]; then - echo "File not found: $KEYDIR/$FILE" - exit 1 - fi -} - -# Get a new file argument -function keyringer_get_new_file { - FILE="$(keyringer_filename "$1")" - - if [ -z "$FILE" ]; then - keyringer_action_usage - exit 1 - fi -} - -# Get a command argument -function keyringer_get_command { - # Aditional parameters - COMMAND="$1" - - if [ -z "$COMMAND" ]; then - keyringer_action_usage command - exit 1 - fi -} - -# Run the action usage -function keyringer_action_usage { - if [ "`type -t "keyringer_usage_$BASENAME"`" == "function" ]; then - # Use custom action usage - "keyringer_usage_$BASENAME" - else - # Default usage - if [ "$1" == "command" ]; then - echo "Usage: keyringer <keyring> $BASENAME <command> [arguments]" - else - echo "Usage: keyringer <keyring> $BASENAME <file>" - fi - fi -} - -# Check recipients -function keyringer_check_recipients { - # Check recipients header for updates. 
- if grep -qe ' XXXXXXXX$' "$RECIPIENTS"; then - echo "Updating recipients file..." - sed -i -e 's/ XXXXXXXX$/ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/' "$RECIPIENTS" - fi - - if [ "$1" == "edit" ]; then - # Don't do the other checks at edit mode. - return - fi - - for recipient in $(cat "$RECIPIENTS" | grep -v '^#' | awk '{ print $2 }'); do - size=$(echo "$recipient" | wc -c) - if (( $size < 41 )); then - echo "Fatal: please set the full GPG signature hash for key ID $recipient:" - cat <<-EOF - -Recipients file can't have 32-bit keyids (e.g. DEADBEEF or DECAF123). These -are trivial to spoof. With a few gigs of disk space and a day of time on -cheap, readily-available hardware, it's possible to build keys to match every -possible 32-bit keyid. The search space just isn't big enough. - -If you're going to specify keys by keyid, they should be specified by full -160-bit OpenPGP fingerprint. It would be very bad if someone spoofed a keyID -and caused another participant in a keyringer instance to reencrypt a secret -store to the spoofed key in addition to your own. -EOF - exit 1 - else - gpg --list-key "$recipient" &> /dev/null - if [ "$?" != "0" ]; then - echo "Fatal: no such key $recipient on your GPG keyring." - echo "Please check for this key or fix the recipient file." - exit 1 - fi - fi - done -} - -# Setup environment -if [ "$(basename "$0")" != "keyringer" ]; then - keyringer_set_env $* -fi |