diff options
| author | joe <joe@jerkface.net> | 2014-07-29 01:02:29 -0400 |
|---|---|---|
| committer | joe <joe@jerkface.net> | 2014-07-29 01:02:29 -0400 |
| commit | b45a30e7a127363a3255d89909f54108f711a16d (patch) | |
| tree | 8b826ac49fa479b57f19b611840401c57fe2d174 /examples/samizdat-change-key.sh | |
| parent | d3b5c1eebb57b492e1b52b5a1111a1fd9bb8b3c6 (diff) | |
New script, samizdat-change-key.sh
Diffstat (limited to 'examples/samizdat-change-key.sh')
| -rwxr-xr-x | examples/samizdat-change-key.sh | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/examples/samizdat-change-key.sh b/examples/samizdat-change-key.sh new file mode 100755 index 0000000..ca51832 --- /dev/null +++ b/examples/samizdat-change-key.sh | |||
| @@ -0,0 +1,75 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | export GNUPGHOME=$ROOT/gpg/gnupghome | ||
| 3 | |||
| 4 | pem_to_onion_url() | ||
| 5 | { | ||
| 6 | perl -MMIME::Base64 -MDigest::SHA=sha1 -MMIME::Base32=RFC -e ' | ||
| 7 | $key=decode_base64(join "", grep {!/[-:]/} qx(ssh-keygen -m PEM -e -f $ARGV[0])); | ||
| 8 | printf "%s.onion\n", lc MIME::Base32::encode(substr(sha1($key), 0, 10))' "$1" | ||
| 9 | } | ||
| 10 | |||
| 11 | makepub () { | ||
| 12 | tag="$1" | ||
| 13 | path="$2" | ||
| 14 | [ -f $path ] || { | ||
| 15 | mkdir -p "$(dirname $path)" | ||
| 16 | kiki --show-pem "$tag" | ssh-keygen -f /dev/stdin -i -m PKCS8 > "$path" | ||
| 17 | echo "$path": exported >&2 | ||
| 18 | } | ||
| 19 | } | ||
| 20 | |||
| 21 | # External commands invoked by kiki in order to generate keys. | ||
| 22 | # Notice that $file will not be interpolated until kiki runs the command. | ||
| 23 | ssh='mkdir -p "$(dirname $file)" && ssh-keygen -P "" -q -f $file -b 2048' | ||
| 24 | ssl='mkdir -p "$(dirname $file)" && openssl genrsa -out $file 1024' | ||
| 25 | |||
| 26 | |||
| 27 | # TODO: This probably shouldn't be hard coded here. | ||
| 28 | export GNUPGHOME=/gpg/gnupghome | ||
| 29 | |||
| 30 | ##### | ||
| 31 | ##### GENERATE GPG KEY | ||
| 32 | ##### | ||
| 33 | gpg2 --gen-key | ||
| 34 | |||
| 35 | echo "What is the keygrip of the new key? (paste it here from scroll)" | ||
| 36 | read keygrip | ||
| 37 | [ -f $GNUPGHOME/gpg.conf ] && mv $GNUPGHOME/gpg.conf $GNUPGHOME/gpg.conf.bak | ||
| 38 | echo "default-key $keygrip" > $GNUPGHOME/gpg.conf | ||
| 39 | |||
| 40 | tty -s && echo -n 'Passphrase: ' | ||
| 41 | read passphrase | ||
| 42 | |||
| 43 | # First, we ensure that the tor key does not exist | ||
| 44 | # so that it will be created new. | ||
| 45 | torkey="$ROOT"/var/lib/tor/samizdat/private_key | ||
| 46 | [ -f $torkey ] && rm -rvf $torkey | ||
| 47 | |||
| 48 | echo "$passphrase" | \ | ||
| 49 | kiki --keypairs tor="$torkey{$ssl}" \ | ||
| 50 | --passphrase-fd 0 || exit | ||
| 51 | onion_url=$(pem_to_onion_url "$torkey") || exit | ||
| 52 | |||
| 53 | key_sw="$ROOT"/etc/ipsec.d/private/"$onion_url".pem | ||
| 54 | key_cl="$ROOT"/root/.ssh/id_rsa | ||
| 55 | key_sv="$ROOT"/etc/ssh/ssh_host_rsa_key | ||
| 56 | |||
| 57 | [ -f $key_sw ] && rm -rvf $key_sw | ||
| 58 | [ -f $key_cl ] && rm -rvf $key_cl | ||
| 59 | # [ -f $key_sv ] && rm -rvf $key_sv #### XXX: not deleting ssh host key | ||
| 60 | |||
| 61 | # Now import, export, or generate the remaining secret keys. | ||
| 62 | echo "$passphrase" | \ | ||
| 63 | kiki --keypairs \ | ||
| 64 | strongswan="$ROOT"/etc/ipsec.d/private/"$onion_url".pem{"$ssl"} \ | ||
| 65 | ssh-client="$ROOT"/root/.ssh/id_rsa{"$ssh"} \ | ||
| 66 | ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key{"$ssh"} \ | ||
| 67 | --passphrase-fd 0 || exit | ||
| 68 | |||
| 69 | # Finally, export public keys if they do not exist. | ||
| 70 | makepub ssh-client "$ROOT/root/.ssh/id_rsa.pub" | ||
| 71 | makepub ssh-host "$ROOT/etc/ssh/ssh_host_rsa_key.pub" | ||
| 72 | |||
| 73 | # TODO: makepub can be made obsolete by implementing something like this: | ||
| 74 | # kiki --public ssh-client=$ROOT$HOME/.ssh/id_rsa.pub \ | ||
| 75 | # ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key.pub | ||