From 72f6db37961e30117818c1d030a7c69869928028 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Fri, 18 Oct 2013 17:03:40 -0300 Subject: FHS compliance (closes #18) --- Makefile | 8 +- keyringer | 4 +- lib/keyringer/actions/append | 41 +++++++ lib/keyringer/actions/append-batch | 1 + lib/keyringer/actions/commands | 10 ++ lib/keyringer/actions/decrypt | 17 +++ lib/keyringer/actions/del | 16 +++ lib/keyringer/actions/edit | 45 ++++++++ lib/keyringer/actions/encrypt | 56 +++++++++ lib/keyringer/actions/encrypt-batch | 1 + lib/keyringer/actions/genpair | 222 ++++++++++++++++++++++++++++++++++++ lib/keyringer/actions/git | 16 +++ lib/keyringer/actions/ls | 16 +++ lib/keyringer/actions/open | 1 + lib/keyringer/actions/options | 30 +++++ lib/keyringer/actions/preferences | 37 ++++++ lib/keyringer/actions/recipients | 46 ++++++++ lib/keyringer/actions/recrypt | 45 ++++++++ lib/keyringer/actions/usage | 10 ++ share/keyringer/append | 41 ------- share/keyringer/append-batch | 1 - share/keyringer/commands | 10 -- share/keyringer/decrypt | 17 --- share/keyringer/del | 16 --- share/keyringer/edit | 45 -------- share/keyringer/encrypt | 56 --------- share/keyringer/encrypt-batch | 1 - share/keyringer/genpair | 222 ------------------------------------ share/keyringer/git | 16 --- share/keyringer/ls | 16 --- share/keyringer/open | 1 - share/keyringer/options | 30 ----- share/keyringer/preferences | 37 ------ share/keyringer/recipients | 46 -------- share/keyringer/recrypt | 45 -------- share/keyringer/usage | 10 -- 36 files changed, 615 insertions(+), 617 deletions(-) create mode 100755 lib/keyringer/actions/append create mode 120000 lib/keyringer/actions/append-batch create mode 100755 lib/keyringer/actions/commands create mode 100755 lib/keyringer/actions/decrypt create mode 100755 lib/keyringer/actions/del create mode 100755 lib/keyringer/actions/edit create mode 100755 lib/keyringer/actions/encrypt create mode 120000 lib/keyringer/actions/encrypt-batch create mode 100755 lib/keyringer/actions/genpair create mode 100755 lib/keyringer/actions/git 
create mode 100755 lib/keyringer/actions/ls
create mode 120000 lib/keyringer/actions/open
create mode 100755 lib/keyringer/actions/options
create mode 100755 lib/keyringer/actions/preferences
create mode 100755 lib/keyringer/actions/recipients
create mode 100755 lib/keyringer/actions/recrypt
create mode 100755 lib/keyringer/actions/usage
delete mode 100755 share/keyringer/append
delete mode 120000 share/keyringer/append-batch
delete mode 100755 share/keyringer/commands
delete mode 100755 share/keyringer/decrypt
delete mode 100755 share/keyringer/del
delete mode 100755 share/keyringer/edit
delete mode 100755 share/keyringer/encrypt
delete mode 120000 share/keyringer/encrypt-batch
delete mode 100755 share/keyringer/genpair
delete mode 100755 share/keyringer/git
delete mode 100755 share/keyringer/ls
delete mode 120000 share/keyringer/open
delete mode 100755 share/keyringer/options
delete mode 100755 share/keyringer/preferences
delete mode 100755 share/keyringer/recipients
delete mode 100755 share/keyringer/recrypt
delete mode 100755 share/keyringer/usage
diff --git a/Makefile b/Makefile
index 374579c..7d734ff 100644
--- a/Makefile
+++ b/Makefile
@@ -24,10 +24,8 @@ clean:
 install_lib:
 	$(INSTALL) -D --mode=0755 lib/keyringer/functions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/functions
-
-install_share:
-	$(INSTALL) -D --mode=0755 -d share/keyringer $(DESTDIR)/$(PREFIX)/share/$(PACKAGE)
-	$(INSTALL) -D --mode=0755 share/keyringer/* $(DESTDIR)/$(PREFIX)/share/$(PACKAGE)
+	$(INSTALL) -D --mode=0755 -d lib/keyringer/actions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions
+	$(INSTALL) -D --mode=0755 lib/keyringer/actions/* $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions
 
 install_bin:
 	$(INSTALL) -D --mode=0755 keyringer $(DESTDIR)/$(PREFIX)/bin/keyringer
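Review bot: The `-d` and `-D` on the first added line work against each other: with `-d`, GNU install treats every operand as a directory to create, so this line also runs a `mkdir -p`-equivalent on the source-tree path `lib/keyringer/actions` and copies nothing from it, while `-D` means nothing in that mode. The shape is carried over from the removed `install_share` line, so it is inherited rather than new, but since the line is being rewritten anyway it could become `$(INSTALL) -d --mode=0755 $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions`. The second added line deserves a comment as well: `install` dereferences `append-batch`, `encrypt-batch` and `open`, so they land as copies of `append`, `encrypt` and `edit`, which still works only because those scripts dispatch on `$BASENAME`, e.g. `# symlinked actions are installed as plain copies; the scripts dispatch on their basename`.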
@@ -44,7 +42,7 @@ install_completion:
 	$(INSTALL) -D --mode=0644 lib/keyringer/completions/zsh/_keyringer $(DESTDIR)/$(PREFIX)/share/zsh/vendor-completions/_keyringer
 
 install: clean
-	@make install_lib install_share install_bin install_doc install_man install_completion
+	@make install_lib install_bin install_doc install_man install_completion
 
 build_man:
 	pandoc -s -w man share/man/keyringer.1.mdwn -o share/man/keyringer.1
diff --git a/keyringer b/keyringer
index a4e8b2c..604ef1d 100755
--- a/keyringer
+++ b/keyringer
@@ -137,9 +137,9 @@ else
 fi
 
 # Set actions location
-if [ -e "`dirname $(readlink -f $0)`/share/$NAME" ]; then
+if [ -e "`dirname $(readlink -f $0)`/lib/$NAME/actions" ]; then
  # Development or local installation layout
- ACTIONS="`dirname $(readlink -f $0)`/share/$NAME"
+ ACTIONS="`dirname $(readlink -f $0)`/lib/$NAME/actions"
 else
  # System installation layout
  ACTIONS="`dirname $(readlink -f $0)`/../share/$NAME"
diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append
new file mode 100755
index 0000000..30c2d5b
--- /dev/null
+++ b/lib/keyringer/actions/append
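Review bot: The rewritten `install` recipe still calls a literal `make` instead of `$(MAKE)`, so the sub-invocation does not share the jobserver, honour `-n`, or use the same make binary as the parent; `	@$(MAKE) install_lib install_bin install_doc install_man install_completion` keeps the edit and fixes that. The leading `@` also hides which of the five sub-targets failed when one does, so dropping it on this line would make a broken install easier to diagnose. Whether `install` and the `install_*` targets are declared `.PHONY` is outside this hunk; if they are not, a stray file named `install` in the tree silently satisfies the target.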
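Review bot: The `else` branch on the last line of the hunk still sets `ACTIONS` to `../share/$NAME`, but the Makefile in this same commit now installs the actions under `$(PREFIX)/lib/$(PACKAGE)/actions` and installs nothing under `share/` any more, so a system-installed `keyringer` (running as `$(PREFIX)/bin/keyringer`) will compute an actions directory that does not exist. The line should follow the new layout: `ACTIONS="`dirname $(readlink -f $0)`/../lib/$NAME/actions"`. The closing `fi` of this `if` and whatever later checks that `$ACTIONS` exists lie outside the hunk, so it is not visible here whether the mismatch surfaces as a clear error or as a later "command not found".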
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Append information into encrypted files.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+OLDIFS="$IFS"
+IFS=$'\n'
+
+CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE"))
+
+if [ "$BASENAME" == "append" ]; then
+ # only display directions if we're running append, not append-batch
+ printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}"
+ printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE"
+fi
+
+# FIXME: dkg doesn't know how to check that this does proper escaping
+# (2010-11-16)
+
+APPEND=($(cat -))
+
+NEW=( ${CONTENT[@]} ${APPEND[@]} )
+
+for element in $(seq 0 $((${#NEW[@]} - 1))); do
+ echo ${NEW[$element]}
+done | keyringer_exec encrypt-batch $BASEDIR $FILE
+
+err="$?"
+
+if [ "$err" != "0" ]; then
+ exit "$err"
+fi
+
+IFS="$OLDIFS"
diff --git a/lib/keyringer/actions/append-batch b/lib/keyringer/actions/append-batch
new file mode 120000
index 0000000..6b140f7
--- /dev/null
+++ b/lib/keyringer/actions/append-batch
@@ -0,0 +1 @@
+append
\ No newline at end of file
diff --git a/lib/keyringer/actions/commands b/lib/keyringer/actions/commands
new file mode 100755
index 0000000..2605666
--- /dev/null
+++ b/lib/keyringer/actions/commands
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Show available commands
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+keyringer_show_actions
diff --git a/lib/keyringer/actions/decrypt b/lib/keyringer/actions/decrypt
new file mode 100755
index 0000000..2b1401c
--- /dev/null
+++ b/lib/keyringer/actions/decrypt
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Decrypt files.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+# Decrypt
+$GPG --quiet --use-agent -d "$KEYDIR/$FILE"
+
+# Exit
+exit "$?"
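Review bot: `CONTENT=($(keyringer_exec decrypt …))` never checks whether the decrypt succeeded, so when it fails (no agent, missing key) `CONTENT` is empty and the pipeline into `encrypt-batch` overwrites `$FILE` with only the freshly typed lines, discarding the existing secret. The unquoted array expansions compound this: with `IFS=$'\n'` word splitting is per line, but pathname expansion still applies to every element of `CONTENT`, `APPEND` and `NEW`, runs of blank lines collapse into nothing, and `echo ${NEW[$element]}` additionally interprets a leading `-n`/`-e`, so a line consisting of `*` or starting with `-e` is rewritten on every append (the existing FIXME appears to be about this). Reading both inputs with `mapfile -t` (bash ≥ 4) and emitting with `printf '%s\n' "${NEW[@]}"` removes the `IFS` juggling and the globbing, and a status check on the decrypt keeps a failure from truncating the file; `keyringer_exec` is assumed to pass the action's exit status through, as the existing `err="$?"` line already relies on.
```bash
# … unchanged: load functions, keyringer_get_file "$2" …

# Abort before touching $FILE if its current content cannot be read
PLAIN="$(keyringer_exec decrypt "$BASEDIR" "$FILE")" || { echo "Decryption error, $FILE left untouched."; exit 1; }
CONTENT=()
[ -n "$PLAIN" ] && mapfile -t CONTENT <<< "$PLAIN"

# … unchanged: directions printed when running as append …

mapfile -t APPEND

NEW=( "${CONTENT[@]}" "${APPEND[@]}" )

# printf, unlike echo, passes lines such as "-n" or "*" through untouched
printf '%s\n' "${NEW[@]}" | keyringer_exec encrypt-batch "$BASEDIR" "$FILE"

# … unchanged: exit status check …
```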
diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del
new file mode 100755
index 0000000..babd212
--- /dev/null
+++ b/lib/keyringer/actions/del
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Remove files.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+# Remove
+if [ -d "$BASEDIR/.git" ]; then
+ keyringer_exec git "$BASEDIR" rm "keys/$FILE"
+fi
diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit
new file mode 100755
index 0000000..54d0fec
--- /dev/null
+++ b/lib/keyringer/actions/edit
@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Edit keys.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+# Set recipients file
+keyringer_set_recipients "$FILE"
+
+# Warn user
+echo "Make sure that $BASEDIR is atop of an encrypted volume."
+
+# Set a tmp file
+keyringer_set_tmpfile edit
+
+# Decrypt the information to the file
+$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE"
+
+if [ "$BASENAME" == "edit" ]; then
+ APP="$EDITOR"
+elif [ "$BASENAME" == "open" ]; then
+ if which xdg-open &> /dev/null; then
+ APP="xdg-open"
+ else
+ echo "You should have xdg-open application to perform this action, aborting."
+ exit 1
+ fi
+fi
+
+# Prompt
+echo "Press any key to open the decrypted data with $APP, Ctrl-C to abort"
+read key
+$APP "$TMPWORK"
+
+# Encrypt again
+$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") "$TMPWORK"
+
+# Remove temp file
+keyringer_unset_tmpfile "$TMPWORK"
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
new file mode 100755
index 0000000..cc73b55
--- /dev/null
+++ b/lib/keyringer/actions/encrypt
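Review bot: In `edit`, the decrypt into `$TMPWORK` (line 23 of the new file) has no status check: if gpg fails (no agent, missing key, wrong passphrase) the script still opens the editor on an empty or partial temp file and then re-encrypts it over `$KEYDIR/$FILE`, replacing the real secret with whatever was in the temp file. One line guards it: `$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" || { keyringer_unset_tmpfile "$TMPWORK"; exit 1; }`. The exit status of `$APP "$TMPWORK"` is ignored in the same way before re-encryption, and for the `open` alias it is worth a comment that `xdg-open` may hand the file to a desktop application and return immediately, in which case the still-unedited plaintext is re-encrypted and the temp file removed while the application is reading it. Whether `keyringer_unset_tmpfile` overwrites the temp file before removing it cannot be seen from this hunk.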
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# Encrypt files to multiple recipients.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+if [ ! -z "$3" ]; then
+ UNENCRYPTED_FILE="$2"
+ shift 2
+ keyringer_get_new_file "$*"
+
+ if [ ! -f "$UNENCRYPTED_FILE" ]; then
+ echo "Error: cannot encrypted $UNENCRYPTED_FILE: file not found."
+ exit 1
+ fi
+else
+ UNENCRYPTED_FILE="-"
+ shift
+ keyringer_get_new_file $*
+fi
+
+# Set recipients file
+keyringer_set_recipients "$FILE"
+
+# Encrypt
+mkdir -p "$KEYDIR/`dirname $FILE`"
+
+if [ "$BASENAME" == "encrypt" ]; then
+ # Only display directions if we're running encrypt, not encrypt-batch
+ if [ "$UNENCRYPTED_FILE" == "-" ]; then
+ echo "Type your message and finish your input with EOF (Ctrl-D)."
+ fi
+fi
+
+$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" $UNENCRYPTED_FILE
+
+err="$?"
+
+if [ "$err" != "0" ]; then
+ exit "$err"
+fi
+
+if [ "$UNENCRYPTED_FILE" != "-" ]; then
+ echo "Now make to wipe the non-encrypted $UNENCRYPTED_FILE."
+fi
+
+# Stage
+if [ -d "$BASEDIR/.git" ]; then
+ keyringer_exec git "$BASEDIR" add "keys/$FILE"
+fi
+
+exit "$?"
diff --git a/lib/keyringer/actions/encrypt-batch b/lib/keyringer/actions/encrypt-batch
new file mode 120000
index 0000000..8267197
--- /dev/null
+++ b/lib/keyringer/actions/encrypt-batch
@@ -0,0 +1 @@
+encrypt
\ No newline at end of file
diff --git a/lib/keyringer/actions/genpair b/lib/keyringer/actions/genpair
new file mode 100755
index 0000000..f048bc7
--- /dev/null
+++ b/lib/keyringer/actions/genpair
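Review bot: The two argument paths are quoted differently: the file branch calls `keyringer_get_new_file "$*"` while the stdin branch calls `keyringer_get_new_file $*`, so a key name containing a glob character or repeated spaces is expanded or collapsed only when the content comes from stdin; `keyringer_get_new_file "$*"` on line 23 makes both paths consistent. `$UNENCRYPTED_FILE` is likewise unquoted on the gpg line, so a path with spaces is split into several operands: `--yes --output "$KEYDIR/$FILE" "$UNENCRYPTED_FILE"`. Two user-facing messages read oddly, `Error: cannot encrypted …` and `Now make to wipe …`, presumably meant as `cannot encrypt` and `Now make sure to wipe`. Whether `keyringer_get_new_file` rejects `..` components in `$FILE` before the `mkdir -p "$KEYDIR/`dirname $FILE`"` on line 30 is not visible in this hunk.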
@@ -0,0 +1,222 @@ +#!/bin/bash +# +# Generate keypairs. +# +# This script is just a wrapper to easily generate keys for +# automated systems. +# + +# Generate a keypair, ssh version +function genpair_ssh { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + read -p "Hit ENTER to continue." prompt + + # We're using empty passphrases + ssh-keygen -t rsa -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" + + # Encrypt the result + echo "Encrypting secret key into keyringer..." + cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE" + echo "Encrypting public key into keyringer..." + cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" + cat "$TMPWORK/id_rsa" > "$OUTFILE" + cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub" + fi + + echo "Done" +} + +# Generate a keypair, gpg version +function genpair_gpg { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + + passphrase="no" + passphrase_confirm="confirm" + + while [ "$passphrase" != "$passphrase_confirm" ]; do + read -s -p "Enter password for the private key: " passphrase + printf "\n" + read -s -p "Enter password again: " passphrase_confirm + printf "\n" + + if [ "$passphrase" != "$passphrase_confirm" ]; then + echo "Password don't match." + fi + done + + # TODO: insert random bytes + # TODO: custom Name-Comment and Name-Email + # TODO: allow for empty passphrases + $GPG --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE" + $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" + fi + + echo "Done" +} + +# Generate a keypair, ssl version +function genpair_ssl { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + read -p "Hit ENTER to continue." prompt + + # Check for wildcard certs + if [ "`echo $NODE | cut -d . 
-f 1`" == "*" ]; then + WILDCARD="yes" + CNAME="$NODE" + NODE="`echo $NODE | sed -e 's/^\*\.//'`" + else + CNAME="${NODE}" + fi + + # Setup + cd "$TMPWORK" + + # Generate certificate +cat <> openssl.conf +[ req ] +default_keyfile = ${NODE}_privatekey.pem +distinguished_name = req_distinguished_name +encrypt_key = no +req_extensions = v3_req # Extensions to add to certificate request +string_mask = nombstr + +[ req_distinguished_name ] +commonName_default = ${CNAME} +organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +emailAddress = Email Address +localityName = Locality +stateOrProvinceName = State +countryName = Country Name +commonName = Common Name + +[ v3_req ] +extendedKeyUsage=serverAuth,clientAuth +EOF + + # Add SubjectAltNames so wildcard certs can work correctly. + if [ "$WILDCARD" == "yes" ]; then +cat <> openssl.conf +subjectAltName=DNS:${NODE}, DNS:${CNAME} +EOF + fi + + echo "Please review your OpenSSL configuration:" + cat openssl.conf + read -p "Hit ENTER to continue." prompt + + openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ + -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem + + openssl req -noout -text -in ${NODE}_csr.pem + + # Self-sign + if [ "$KEYTYPE" == "ssl-self" ]; then + openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365 + chmod 600 "${NODE}_privatekey.pem" + fi + + # Encrypt the result + echo "Encrypting private key into keyringer..." + cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem" + echo "Encrypting certificate request into keyringer..." + cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr" + + if [ "$KEYTYPE" == "ssl-self" ]; then + echo "Encrypting certificate into keyringer..." 
+ cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" + elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then + # Remove any existing crt + keyringer_exec del "$BASEDIR" "$FILE.crt" + fi + + cd "$CWD" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s\n" "`dirname $OUTFILE`" + cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" + cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" + + if [ -f "$TMPWORK/${NODE}.crt" ]; then + cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" + fi + fi + + # Show cert fingerprint + if [ "$KEYTYPE" == "ssl-self" ]; then + openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint + fi + + echo "Done" +} + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Aditional parameters +KEYTYPE="$2" +FILE="$3" +NODE="$4" +OUTFILE="$5" +CWD="`pwd`" + +# Verify +if [ -z "$NODE" ]; then + echo -e "Usage: keyringer $BASENAME [outfile]" + echo -e "Options:" + echo -e "\t gpg|ssh|ssl[-self]: key type." + echo -e "\t file : base file name for encrypted output (relative to keys folder)," + echo -e "\t without spaces" + echo -e "\t hostname : host for the key pair" + echo -e "\t outfile : optional unencrypted output file, useful for deployment," + echo -e "\t without spaces" + exit 1 +elif [ ! -e "$KEYDIR" ]; then + echo "Folder not found: $KEYDIR, leaving" + exit 1 +fi + +# Set a tmp file +keyringer_set_tmpfile genpair -d + +# Dispatch +echo "Generating $KEYTYPE key for $NODE..." +if [ "$KEYTYPE" == "ssl-self" ]; then + genpair_ssl +else + genpair_"$KEYTYPE" +fi + +# Cleanup +cd "$CWD" +rm -rf "$TMPWORK" +trap - EXIT diff --git a/lib/keyringer/actions/git b/lib/keyringer/actions/git new file mode 100755 index 0000000..3c4f435 --- /dev/null +++ b/lib/keyringer/actions/git 
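Review bot: `genpair_"$KEYTYPE"` near the end of the file dispatches on the raw second argument with no validation, so a typo such as `gpg2` gets as far as creating the temp directory and printing `Generating … key` before bash reports an unknown command, and the usage text that lists the accepted types is never shown; a `case` on the four known types before `keyringer_set_tmpfile` fixes that (below). Separately, the unencrypted copies written with `cat … > "$OUTFILE"` in `genpair_ssh` and `genpair_ssl` are created under the caller's umask, typically 0644, whereas the originals in `$TMPWORK` come from `ssh-keygen` (which writes private keys 0600) and, in the ssl branch, are explicitly `chmod 600`ed; wrapping those writes as `( umask 077; cat "$TMPWORK/id_rsa" > "$OUTFILE" )` keeps the deployment copy of the private key owner-readable only. Parts of this hunk did not survive rendering on this page (the `cat <> openssl.conf` here-documents and the `--gen-key --batch <` line in `genpair_gpg` are missing their bodies), so the gpg batch parameters and the OpenSSL request configuration could not be reviewed here.
```bash
# … unchanged: generator functions, parameter assignment, NODE/KEYDIR checks …
fi

# Only dispatch to the generators defined above
case "$KEYTYPE" in
 gpg|ssh|ssl|ssl-self) ;;
 *) echo "Unknown key type: $KEYTYPE (expected gpg, ssh, ssl or ssl-self)"; exit 1 ;;
esac

# … unchanged: keyringer_set_tmpfile, dispatch, cleanup …
```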
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Git wrapper.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+CWD="`pwd`"
+
+# Run git command
+shift
+mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $*
+cd "$CWD"
diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls
new file mode 100755
index 0000000..ec8080b
--- /dev/null
+++ b/lib/keyringer/actions/ls
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# List keys.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+CWD="`pwd`"
+
+# Run list command
+shift
+cd "$KEYDIR" && ls $*
+cd "$CWD"
diff --git a/lib/keyringer/actions/open b/lib/keyringer/actions/open
new file mode 120000
index 0000000..8491ab9
--- /dev/null
+++ b/lib/keyringer/actions/open
@@ -0,0 +1 @@
+edit
\ No newline at end of file
diff --git a/lib/keyringer/actions/options b/lib/keyringer/actions/options
new file mode 100755
index 0000000..8508aea
--- /dev/null
+++ b/lib/keyringer/actions/options
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Recipient management.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Command parser
+keyringer_get_command "$2"
+
+# Create options file if old repository
+if [ ! -e "$OPTIONS" ]; then
+ echo "Creating options file..."
+ touch "$OPTIONS"
+ keyringer_exec git "$BASEDIR" add config/options
+fi
+
+if [ "$COMMAND" == "ls" ]; then
+ cat "$OPTIONS"
+elif [ "$COMMAND" == "edit" ]; then
+ "$EDITOR" "$OPTIONS"
+elif [ "$COMMAND" == "add" ]; then
+ shift 2
+ echo $* >> "$OPTIONS"
+else
+ printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
+ exit 1
+fi
diff --git a/lib/keyringer/actions/preferences b/lib/keyringer/actions/preferences
new file mode 100755
index 0000000..e82848d
--- /dev/null
+++ b/lib/keyringer/actions/preferences
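Review bot: `git $*` forwards the caller's arguments unquoted, so they are re-split on whitespace and glob-expanded before git sees them: a commit message with spaces arrives as several arguments and a path containing `*` is expanded against the working tree. `git "$@"` preserves each argument as received; the same fix applies to `ls $*` in the `ls` action and to `echo $* >> "$OPTIONS"` in `options`, where `printf '%s\n' "$*" >> "$OPTIONS"` also stops a value starting with `-n` or `-e` from being eaten by echo (the `preferences` hunk that follows has the same `echo $*`). The wrapper's exit status is also that of the trailing `cd "$CWD"`, not of git, so `del` and `encrypt`, which run git through `keyringer_exec`, cannot detect a failed `rm` or `add`; saving `err="$?"` right after the git line and ending with `exit "$err"` fixes that, assuming `keyringer_exec` propagates the action's status. The `options` header comment `# Recipient management.` looks copied from `recipients` and should describe the options file instead.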
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Manipulate preferences.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+COMMAND="$2"
+
+if [ -z "$COMMAND" ]; then
+ echo "Usage: keyringer preferences [arguments]"
+ echo "Available commands:"
+ echo " ls"
+ echo " edit"
+ echo " add"
+ exit 1
+fi
+
+# Create options file if old repository
+if [ ! -e "$PREFERENCES" ]; then
+ echo "Creating preferences file..."
+ touch "$PREFERENCES"
+fi
+
+if [ "$COMMAND" == "ls" ]; then
+ cat "$PREFERENCES"
+elif [ "$COMMAND" == "edit" ]; then
+ "$EDITOR" "$PREFERENCES"
+elif [ "$COMMAND" == "add" ]; then
+ shift 2
+ [[ -n $* ]] && echo $* >> "$PREFERENCES"
+else
+ printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
+ exit 1
+fi
diff --git a/lib/keyringer/actions/recipients b/lib/keyringer/actions/recipients
new file mode 100755
index 0000000..7093a6b
--- /dev/null
+++ b/lib/keyringer/actions/recipients
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Recipient management.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Command parser
+keyringer_get_command "$2"
+
+# Set recipients file
+keyringer_set_new_recipients "$3"
+
+if [ "$COMMAND" == "ls" ]; then
+ if [ ! -z "$3" ]; then
+ if [ -e "$RECIPIENTS_FILE" ]; then
+ cat "$RECIPIENTS_FILE"
+ else
+ echo "Recipients file not found: $RECIPIENTS_FILE_BASE"
+ exit 1
+ fi
+ else
+ for recipients in `ls $RECIPIENTS`; do
+ echo "In recipients file $recipients:"
+ echo "-----------------------------------------------------------------------------------"
+ cat $RECIPIENTS/$recipients
+ echo ""
+ done
+ fi
+elif [ "$COMMAND" == "edit" ]; then
+ if [ ! -z "$3" ]; then
+ keyringer_create_new_recipients $RECIPIENTS_FILE
+ $EDITOR "$RECIPIENTS_FILE"
+ keyringer_check_recipients
+ keyringer_exec git "$BASEDIR" add "$RECIPIENTS_FILE_BASE"
+ else
+ echo "Please specify one recipient to edit among the available:"
+ ls $RECIPIENTS | sed -e 's/^/\t/'
+ exit 1
+ fi
+else
+ printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
+ exit 1
+fi
diff --git a/lib/keyringer/actions/recrypt b/lib/keyringer/actions/recrypt
new file mode 100755
index 0000000..014fef7
--- /dev/null
+++ b/lib/keyringer/actions/recrypt
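Review bot: In the `edit` branch the result of `keyringer_check_recipients` is ignored and the edited file is staged with `git add` regardless, so if that check reports an invalid recipient list through its exit status rather than exiting on its own (not visible here), a broken recipients file is staged for the next commit; `keyringer_check_recipients || exit 1` before the `git add` line closes that gap. The `ls` branch iterates over the output of `ls $RECIPIENTS` and reads `cat $RECIPIENTS/$recipients` unquoted, so a recipients directory path containing spaces breaks the listing; `for recipients in "$RECIPIENTS"/*; do` with `cat "$recipients"` (and `${recipients##*/}` in the heading) avoids parsing `ls` output altogether. `keyringer_create_new_recipients $RECIPIENTS_FILE` and the bare `$EDITOR` invocation are unquoted for the same reason.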
@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Re-encrypt files to multiple recipients.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+function keyringer_recrypt {
+ # Get file
+ keyringer_get_file "$1"
+
+ # Set recipients file
+ keyringer_set_recipients "$FILE"
+
+ # Decrypt
+ decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null)"
+
+ if [ "$?" != "0" ]; then
+ echo "Decryption error."
+ exit 1
+ fi
+
+ # Recrypt
+ recrypted="`echo "$decrypted" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE")`"
+
+ if [ "$?" != "0" ]; then
+ echo "Recryption error."
+ exit 1
+ fi
+
+ unset decrypted
+ echo "$recrypted" > "$KEYDIR/$FILE"
+}
+
+if [ ! -z "$2" ]; then
+ keyringer_recrypt $2
+else
+ cd $KEYDIR && find | while read file; do
+ if [ ! -d "$KEYDIR/$file" ]; then
+ keyringer_recrypt "$file"
+ fi
+ done
+fi
diff --git a/lib/keyringer/actions/usage b/lib/keyringer/actions/usage
new file mode 100755
index 0000000..f4ac0fa
--- /dev/null
+++ b/lib/keyringer/actions/usage
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Show available commands
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+keyringer_usage
diff --git a/share/keyringer/append b/share/keyringer/append
deleted file mode 100755
index bcc9e5e..0000000
--- a/share/keyringer/append
+++ /dev/null
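Review bot: The bulk path `cd $KEYDIR && find | while read file` is fragile in three ways: `$KEYDIR` is unquoted, `read` without `-r` mangles backslashes in file names, and `find` with no predicate also yields `.` and every directory, which the inner `-d` test then has to filter out; `cd "$KEYDIR" && find . -type f | while read -r file; do` (dropping the `-d` test) is tighter, and `keyringer_recrypt $2` in the single-file path should be `keyringer_recrypt "$2"`. Because `exit 1` inside the piped `while` only leaves that subshell, a single file that fails to decrypt stops the walk after earlier files have already been rewritten for the new recipient set, leaving the key directory half migrated; that deserves a comment such as `# a decryption failure aborts the walk; files already processed keep the new recipient set`. Inside the function, `echo "$decrypted" | …` should be `printf '%s\n' "$decrypted" | …` so a secret starting with `-n` or `-e` survives re-encryption, and `echo "$recrypted" > "$KEYDIR/$FILE"` truncates the ciphertext before writing, so writing to `"$KEYDIR/$FILE.tmp"` and then `mv -f` into place would keep the old file intact if the write fails.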
@@ -1,41 +0,0 @@ -#!/bin/bash -# -# Append information into encrypted files. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -OLDIFS="$IFS" -IFS=$'\n' - -CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE")) - -if [ "$BASENAME" == "append" ]; then - # only display directions if we're running append, not append-batch - printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}" - printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" -fi - -# FIXME: dkg doesn't know how to check that this does proper escaping -# (2010-11-16) - -APPEND=($(cat -)) - -NEW=( ${CONTENT[@]} ${APPEND[@]} ) - -for element in $(seq 0 $((${#NEW[@]} - 1))); do - echo ${NEW[$element]} -done | keyringer_exec encrypt-batch $BASEDIR $FILE - -err="$?" - -if [ "$err" != "0" ]; then - exit "$err" -fi - -IFS="$OLDIFS" diff --git a/share/keyringer/append-batch b/share/keyringer/append-batch deleted file mode 120000 index 6b140f7..0000000 --- a/share/keyringer/append-batch +++ /dev/null @@ -1 +0,0 @@ -append \ No newline at end of file diff --git a/share/keyringer/commands b/share/keyringer/commands deleted file mode 100755 index 139725a..0000000 --- a/share/keyringer/commands +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# -# Show available commands -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -keyringer_show_actions diff --git a/share/keyringer/decrypt b/share/keyringer/decrypt deleted file mode 100755 index bab9b34..0000000 --- a/share/keyringer/decrypt +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# -# Decrypt files. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -# Decrypt -$GPG --quiet --use-agent -d "$KEYDIR/$FILE" - -# Exit -exit "$?" 
diff --git a/share/keyringer/del b/share/keyringer/del deleted file mode 100755 index 4eca0e3..0000000 --- a/share/keyringer/del +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# -# Remove files. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -# Remove -if [ -d "$BASEDIR/.git" ]; then - keyringer_exec git "$BASEDIR" rm "keys/$FILE" -fi diff --git a/share/keyringer/edit b/share/keyringer/edit deleted file mode 100755 index fe05ecc..0000000 --- a/share/keyringer/edit +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash -# -# Edit keys. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -# Set recipients file -keyringer_set_recipients "$FILE" - -# Warn user -echo "Make sure that $BASEDIR is atop of an encrypted volume." - -# Set a tmp file -keyringer_set_tmpfile edit - -# Decrypt the information to the file -$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" - -if [ "$BASENAME" == "edit" ]; then - APP="$EDITOR" -elif [ "$BASENAME" == "open" ]; then - if which xdg-open &> /dev/null; then - APP="xdg-open" - else - echo "You should have xdg-open application to perform this action, aborting." - exit 1 - fi -fi - -# Prompt -echo "Press any key to open the decrypted data with $APP, Ctrl-C to abort" -read key -$APP "$TMPWORK" - -# Encrypt again -$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") "$TMPWORK" - -# Remove temp file -keyringer_unset_tmpfile "$TMPWORK" diff --git a/share/keyringer/encrypt b/share/keyringer/encrypt deleted file mode 100755 index ac305a4..0000000 --- a/share/keyringer/encrypt +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash -# -# Encrypt files to multiple recipients. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Aditional parameters -if [ ! -z "$3" ]; then - UNENCRYPTED_FILE="$2" - shift 2 - keyringer_get_new_file "$*" - - if [ ! -f "$UNENCRYPTED_FILE" ]; then - echo "Error: cannot encrypted $UNENCRYPTED_FILE: file not found." - exit 1 - fi -else - UNENCRYPTED_FILE="-" - shift - keyringer_get_new_file $* -fi - -# Set recipients file -keyringer_set_recipients "$FILE" - -# Encrypt -mkdir -p "$KEYDIR/`dirname $FILE`" - -if [ "$BASENAME" == "encrypt" ]; then - # Only display directions if we're running encrypt, not encrypt-batch - if [ "$UNENCRYPTED_FILE" == "-" ]; then - echo "Type your message and finish your input with EOF (Ctrl-D)." - fi -fi - -$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" $UNENCRYPTED_FILE - -err="$?" - -if [ "$err" != "0" ]; then - exit "$err" -fi - -if [ "$UNENCRYPTED_FILE" != "-" ]; then - echo "Now make to wipe the non-encrypted $UNENCRYPTED_FILE." -fi - -# Stage -if [ -d "$BASEDIR/.git" ]; then - keyringer_exec git "$BASEDIR" add "keys/$FILE" -fi - -exit "$?" diff --git a/share/keyringer/encrypt-batch b/share/keyringer/encrypt-batch deleted file mode 120000 index 8267197..0000000 --- a/share/keyringer/encrypt-batch +++ /dev/null @@ -1 +0,0 @@ -encrypt \ No newline at end of file diff --git a/share/keyringer/genpair b/share/keyringer/genpair deleted file mode 100755 index f977714..0000000 --- a/share/keyringer/genpair +++ /dev/null 
@@ -1,222 +0,0 @@ -#!/bin/bash -# -# Generate keypairs. -# -# This script is just a wrapper to easily generate keys for -# automated systems. -# - -# Generate a keypair, ssh version -function genpair_ssh { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - read -p "Hit ENTER to continue." prompt - - # We're using empty passphrases - ssh-keygen -t rsa -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" - - # Encrypt the result - echo "Encrypting secret key into keyringer..." - cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE" - echo "Encrypting public key into keyringer..." - cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" - cat "$TMPWORK/id_rsa" > "$OUTFILE" - cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub" - fi - - echo "Done" -} - -# Generate a keypair, gpg version -function genpair_gpg { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - - passphrase="no" - passphrase_confirm="confirm" - - while [ "$passphrase" != "$passphrase_confirm" ]; do - read -s -p "Enter password for the private key: " passphrase - printf "\n" - read -s -p "Enter password again: " passphrase_confirm - printf "\n" - - if [ "$passphrase" != "$passphrase_confirm" ]; then - echo "Password don't match." - fi - done - - # TODO: insert random bytes - # TODO: custom Name-Comment and Name-Email - # TODO: allow for empty passphrases - $GPG --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE" - $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" - fi - - echo "Done" -} - -# Generate a keypair, ssl version -function genpair_ssl { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - read -p "Hit ENTER to continue." prompt - - # Check for wildcard certs - if [ "`echo $NODE | cut -d . 
-f 1`" == "*" ]; then - WILDCARD="yes" - CNAME="$NODE" - NODE="`echo $NODE | sed -e 's/^\*\.//'`" - else - CNAME="${NODE}" - fi - - # Setup - cd "$TMPWORK" - - # Generate certificate -cat <> openssl.conf -[ req ] -default_keyfile = ${NODE}_privatekey.pem -distinguished_name = req_distinguished_name -encrypt_key = no -req_extensions = v3_req # Extensions to add to certificate request -string_mask = nombstr - -[ req_distinguished_name ] -commonName_default = ${CNAME} -organizationName = Organization Name -organizationalUnitName = Organizational Unit Name -emailAddress = Email Address -localityName = Locality -stateOrProvinceName = State -countryName = Country Name -commonName = Common Name - -[ v3_req ] -extendedKeyUsage=serverAuth,clientAuth -EOF - - # Add SubjectAltNames so wildcard certs can work correctly. - if [ "$WILDCARD" == "yes" ]; then -cat <> openssl.conf -subjectAltName=DNS:${NODE}, DNS:${CNAME} -EOF - fi - - echo "Please review your OpenSSL configuration:" - cat openssl.conf - read -p "Hit ENTER to continue." prompt - - openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ - -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem - - openssl req -noout -text -in ${NODE}_csr.pem - - # Self-sign - if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365 - chmod 600 "${NODE}_privatekey.pem" - fi - - # Encrypt the result - echo "Encrypting private key into keyringer..." - cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem" - echo "Encrypting certificate request into keyringer..." - cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr" - - if [ "$KEYTYPE" == "ssl-self" ]; then - echo "Encrypting certificate into keyringer..." 
- cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" - elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then - # Remove any existing crt - keyringer_exec del "$BASEDIR" "$FILE.crt" - fi - - cd "$CWD" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s\n" "`dirname $OUTFILE`" - cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" - cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" - - if [ -f "$TMPWORK/${NODE}.crt" ]; then - cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" - fi - fi - - # Show cert fingerprint - if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint - fi - - echo "Done" -} - -# Load functions -LIB="`dirname $0`/../../lib/keyringer" -source "$LIB/functions" || exit 1 - -# Aditional parameters -KEYTYPE="$2" -FILE="$3" -NODE="$4" -OUTFILE="$5" -CWD="`pwd`" - -# Verify -if [ -z "$NODE" ]; then - echo -e "Usage: keyringer $BASENAME [outfile]" - echo -e "Options:" - echo -e "\t gpg|ssh|ssl[-self]: key type." - echo -e "\t file : base file name for encrypted output (relative to keys folder)," - echo -e "\t without spaces" - echo -e "\t hostname : host for the key pair" - echo -e "\t outfile : optional unencrypted output file, useful for deployment," - echo -e "\t without spaces" - exit 1 -elif [ ! -e "$KEYDIR" ]; then - echo "Folder not found: $KEYDIR, leaving" - exit 1 -fi - -# Set a tmp file -keyringer_set_tmpfile genpair -d - -# Dispatch -echo "Generating $KEYTYPE key for $NODE..." -if [ "$KEYTYPE" == "ssl-self" ]; then - genpair_ssl -else - genpair_"$KEYTYPE" -fi - -# Cleanup -cd "$CWD" -rm -rf "$TMPWORK" -trap - EXIT diff --git a/share/keyringer/git b/share/keyringer/git deleted file mode 100755 index cd2a188..0000000 --- a/share/keyringer/git +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/bash -# -# Git wrapper. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Aditional parameters -CWD="`pwd`" - -# Run git command -shift -mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $* -cd "$CWD" diff --git a/share/keyringer/ls b/share/keyringer/ls deleted file mode 100755 index 31e8805..0000000 --- a/share/keyringer/ls +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# -# List keys. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Aditional parameters -CWD="`pwd`" - -# Run list command -shift -cd "$KEYDIR" && ls $* -cd "$CWD" diff --git a/share/keyringer/open b/share/keyringer/open deleted file mode 120000 index 8491ab9..0000000 --- a/share/keyringer/open +++ /dev/null @@ -1 +0,0 @@ -edit \ No newline at end of file diff --git a/share/keyringer/options b/share/keyringer/options deleted file mode 100755 index 3047380..0000000 --- a/share/keyringer/options +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# -# Recipient management. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer" -source "$LIB/functions" || exit 1 - -# Command parser -keyringer_get_command "$2" - -# Create options file if old repository -if [ ! -e "$OPTIONS" ]; then - echo "Creating options file..." - touch "$OPTIONS" - keyringer_exec git "$BASEDIR" add config/options -fi - -if [ "$COMMAND" == "ls" ]; then - cat "$OPTIONS" -elif [ "$COMMAND" == "edit" ]; then - "$EDITOR" "$OPTIONS" -elif [ "$COMMAND" == "add" ]; then - shift 2 - echo $* >> "$OPTIONS" -else - printf "%s: No such command %s\n" "$BASENAME" "$COMMAND" - exit 1 -fi diff --git a/share/keyringer/preferences b/share/keyringer/preferences deleted file mode 100755 index 2819b50..0000000 --- a/share/keyringer/preferences +++ /dev/null 
@@ -1,37 +0,0 @@
-#!/bin/bash
-#
-# Manipulate preferences.
-#
-
-# Load functions
-LIB="`dirname $0`/../../lib/keyringer/functions"
-source "$LIB" || exit 1
-
-COMMAND="$2"
-
-if [ -z "$COMMAND" ]; then
- echo "Usage: keyringer preferences [arguments]"
- echo "Available commands:"
- echo " ls"
- echo " edit"
- echo " add"
- exit 1
-fi
-
-# Create options file if old repository
-if [ ! -e "$PREFERENCES" ]; then
- echo "Creating preferences file..."
- touch "$PREFERENCES"
-fi
-
-if [ "$COMMAND" == "ls" ]; then
- cat "$PREFERENCES"
-elif [ "$COMMAND" == "edit" ]; then
- "$EDITOR" "$PREFERENCES"
-elif [ "$COMMAND" == "add" ]; then
- shift 2
- [[ -n $* ]] && echo $* >> "$PREFERENCES"
-else
- printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
- exit 1
-fi
diff --git a/share/keyringer/recipients b/share/keyringer/recipients
deleted file mode 100755
index 0460842..0000000
--- a/share/keyringer/recipients
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-#
-# Recipient management.
-#
-
-# Load functions
-LIB="`dirname $0`/../../lib/keyringer"
-source "$LIB/functions" || exit 1
-
-# Command parser
-keyringer_get_command "$2"
-
-# Set recipients file
-keyringer_set_new_recipients "$3"
-
-if [ "$COMMAND" == "ls" ]; then
- if [ ! -z "$3" ]; then
- if [ -e "$RECIPIENTS_FILE" ]; then
- cat "$RECIPIENTS_FILE"
- else
- echo "Recipients file not found: $RECIPIENTS_FILE_BASE"
- exit 1
- fi
- else
- for recipients in `ls $RECIPIENTS`; do
- echo "In recipients file $recipients:"
- echo "-----------------------------------------------------------------------------------"
- cat $RECIPIENTS/$recipients
- echo ""
- done
- fi
-elif [ "$COMMAND" == "edit" ]; then
- if [ ! -z "$3" ]; then
- keyringer_create_new_recipients $RECIPIENTS_FILE
- $EDITOR "$RECIPIENTS_FILE"
- keyringer_check_recipients
- keyringer_exec git "$BASEDIR" add "$RECIPIENTS_FILE_BASE"
- else
- echo "Please specify one recipient to edit among the available:"
- ls $RECIPIENTS | sed -e 's/^/\t/'
- exit 1
- fi
-else
- printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
- exit 1
-fi
diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt
deleted file mode 100755
index 63f7bc6..0000000
--- a/share/keyringer/recrypt
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-#
-# Re-encrypt files to multiple recipients.
-#
-
-# Load functions
-LIB="`dirname $0`/../../lib/keyringer/functions"
-source "$LIB" || exit 1
-
-function keyringer_recrypt {
- # Get file
- keyringer_get_file "$1"
-
- # Set recipients file
- keyringer_set_recipients "$FILE"
-
- # Decrypt
- decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null)"
-
- if [ "$?" != "0" ]; then
- echo "Decryption error."
- exit 1
- fi
-
- # Recrypt
- recrypted="`echo "$decrypted" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE")`"
-
- if [ "$?" != "0" ]; then
- echo "Recryption error."
- exit 1
- fi
-
- unset decrypted
- echo "$recrypted" > "$KEYDIR/$FILE"
-}
-
-if [ ! -z "$2" ]; then
- keyringer_recrypt $2
-else
- cd $KEYDIR && find | while read file; do
- if [ ! -d "$KEYDIR/$file" ]; then
- keyringer_recrypt "$file"
- fi
- done
-fi
diff --git a/share/keyringer/usage b/share/keyringer/usage
deleted file mode 100755
index a4602ac..0000000
--- a/share/keyringer/usage
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-#
-# Show available commands
-#
-
-# Load functions
-LIB="`dirname $0`/../../lib/keyringer/functions"
-source "$LIB" || exit 1
-
-keyringer_usage
-- cgit v1.2.3