aboutsummaryrefslogtreecommitdiff
path: root/onion-client-auth-genkeys
diff options
context:
space:
mode:
Diffstat (limited to 'onion-client-auth-genkeys')
-rwxr-xr-xonion-client-auth-genkeys81
1 files changed, 81 insertions, 0 deletions
diff --git a/onion-client-auth-genkeys b/onion-client-auth-genkeys
new file mode 100755
index 0000000..26428eb
--- /dev/null
+++ b/onion-client-auth-genkeys
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+#
+# Generate a Client Authorization keypair and apply to all Onion Services.
+#
+# Based on https://community.torproject.org/onion-services/advanced/client-auth/
+# See also https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b
+#
+# Copyright (C) 2022 Silvio Rhatto <rhatto@riseup.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Parameters
+BASENAME="`basename $0`"
+ONION_AUTH_BASEDIR="$HOME/.tor/clientauthkeys"
+KEY_PREFIX="${1}"
+GENERATED_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.priv.pem"
+PRIVATE_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.priv"
+PUBLIC_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.pub"
+AUTH_FILE="$ONION_AUTH_BASEDIR/$KEY_PREFIX.auth"
+
+# Ensuse the auth keys folder exists
+mkdir -p $ONION_AUTH_BASEDIR || exit 1
+chmod 700 $ONION_AUTH_BASEDIR || exit 1
+
+# Syntax
+if [ -z "$KEY_PREFIX" ]; then
+ echo "usage: $BASENAME <key-prefix>"
+ exit 1
+fi
+
+# Key checks
+if [ -e "$ONION_AUTH_BASEDIR/$AUTH_FILE" ]; then
+ echo "$BASENAME: key $AUTH_FILE already exists"
+ exit 1
+fi
+
+# Tool checks
+for tool in openssl base64pem base32; do
+ if ! which $tool &> /dev/null; then
+ echo "Cannot find $tool too, aborting."
+ exit 1
+ fi
+done
+
+# Ensure files exists with the proper permissions
+touch $GENERATED_KEY $PRIVATE_KEY $PUBLIC_KEY $AUTH_FILE
+chmod 600 $GENERATED_KEY $PRIVATE_KEY $PUBLIC_KEY $AUTH_FILE
+
+# Generate the private keypair
+openssl genpkey -algorithm x25519 -out $GENERATED_KEY
+
+# Write the private key in a separate file
+cat $GENERATED_KEY | \
+ grep -v " PRIVATE KEY" | \
+ base64pem -d | \
+ tail --bytes=32 | \
+ base32 | \
+ sed 's/=//g' > $PRIVATE_KEY
+
+# Write the public key in a separate file
+cat $GENERATED_KEY | \
+openssl pkey -in $GENERATED_KEY -pubout | \
+ grep -v " PUBLIC KEY" | \
+ base64pem -d | \
+ tail --bytes=32 | \
+ base32 | \
+ sed 's/=//g' > $PUBLIC_KEY
+
+# Write the public key in Tor's Client Authorization format
+echo "descriptor:x25519:`cat $PUBLIC_KEY`" > $AUTH_FILE