authorjoe <joe@jerkface.net>2014-07-29 01:02:29 -0400
committerjoe <joe@jerkface.net>2014-07-29 01:02:29 -0400
commitb45a30e7a127363a3255d89909f54108f711a16d (patch)
tree8b826ac49fa479b57f19b611840401c57fe2d174 /examples/samizdat-change-key.sh
parentd3b5c1eebb57b492e1b52b5a1111a1fd9bb8b3c6 (diff)
New script, samizdat-change-key.sh
Diffstat (limited to 'examples/samizdat-change-key.sh')
-rwxr-xr-xexamples/samizdat-change-key.sh75
1 files changed, 75 insertions, 0 deletions
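diff --git a/examples/samizdat-change-key.sh b/examples/samizdat-change-key.sh
new file mode 100755
index 0000000..ca51832
--- /dev/null
+++ b/examples/samizdat-change-key.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+export GNUPGHOME=$ROOT/gpg/gnupghome
+
+pem_to_onion_url()
+{
+ perl -MMIME::Base64 -MDigest::SHA=sha1 -MMIME::Base32=RFC -e '
+ $key=decode_base64(join "", grep {!/[-:]/} qx(ssh-keygen -m PEM -e -f $ARGV[0]));
+ printf "%s.onion\n", lc MIME::Base32::encode(substr(sha1($key), 0, 10))' "$1"
+}
+
+makepub () {
+ tag="$1"
+ path="$2"
+ [ -f $path ] || {
+ mkdir -p "$(dirname $path)"
+ kiki --show-pem "$tag" | ssh-keygen -f /dev/stdin -i -m PKCS8 > "$path"
+ echo "$path": exported >&2
+ }
+}
+
+# External commands invoked by kiki in order to generate keys.
+# Notice that $file will not be interpolated until kiki runs the command.
+ssh='mkdir -p "$(dirname $file)" && ssh-keygen -P "" -q -f $file -b 2048'
+ssl='mkdir -p "$(dirname $file)" && openssl genrsa -out $file 1024'
+
+
+# TODO: This probably shouldn't be hard coded here.
+export GNUPGHOME=/gpg/gnupghome
+
+#####
+##### GENERATE GPG KEY
+#####
+gpg2 --gen-key
+
+echo "What is the keygrip of the new key? (paste it here from scroll)"
+read keygrip
+[ -f $GNUPGHOME/gpg.conf ] && mv $GNUPGHOME/gpg.conf $GNUPGHOME/gpg.conf.bak
+echo "default-key $keygrip" > $GNUPGHOME/gpg.conf
+
+tty -s && echo -n 'Passphrase: '
+read passphrase
+
+# First, we ensure that the tor key does not exist
+# so that it will be created new.
+torkey="$ROOT"/var/lib/tor/samizdat/private_key
+[ -f $torkey ] && rm -rvf $torkey
+
+echo "$passphrase" | \
+ kiki --keypairs tor="$torkey{$ssl}" \
+ --passphrase-fd 0 || exit
+onion_url=$(pem_to_onion_url "$torkey") || exit
+
+key_sw="$ROOT"/etc/ipsec.d/private/"$onion_url".pem
+key_cl="$ROOT"/root/.ssh/id_rsa
+key_sv="$ROOT"/etc/ssh/ssh_host_rsa_key
+
+[ -f $key_sw ] && rm -rvf $key_sw
+[ -f $key_cl ] && rm -rvf $key_cl
+# [ -f $key_sv ] && rm -rvf $key_sv #### XXX: not deleting ssh host key
+
+# Now import, export, or generate the remaining secret keys.
+echo "$passphrase" | \
+ kiki --keypairs \
+ strongswan="$ROOT"/etc/ipsec.d/private/"$onion_url".pem{"$ssl"} \
+ ssh-client="$ROOT"/root/.ssh/id_rsa{"$ssh"} \
+ ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key{"$ssh"} \
+ --passphrase-fd 0 || exit
+
+# Finally, export public keys if they do not exist.
+makepub ssh-client "$ROOT/root/.ssh/id_rsa.pub"
+makepub ssh-host "$ROOT/etc/ssh/ssh_host_rsa_key.pub"
+
+# TODO: makepub can be made obsolete by implementing something like this:
+# kiki --public ssh-client=$ROOT$HOME/.ssh/id_rsa.pub \
+# ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key.pub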
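Review bot: The passphrase is collected at `read passphrase` with terminal echo left on and without `-r`, so the secret is displayed as it is typed and any backslash in it is mangled before it reaches kiki on `--passphrase-fd 0`; the same `read` style is used for `read keygrip`, whose value is written unchecked into gpg.conf. I would replace the two prompt lines with `tty -s && { printf 'Passphrase: '; stty -echo; }` / `IFS= read -r passphrase` / `tty -s && { stty echo; echo; }`. Separately, the single `ssl` template (`openssl genrsa -out $file 1024`) is reused for the strongswan key, so the IPsec private key is 1024-bit RSA while the `ssh` template asks for `-b 2048`; unless the IPsec peer requires that size, a second template with a larger modulus for strongswan seems warranted (the tor hidden-service key size is presumably dictated by tor, so that one can stay). Finally, as far as I know both `openssl genrsa` and the `mkdir -p` calls in the templates and in makepub honour the caller's umask, so a `umask 077` near the top of the script would keep the freshly generated private keys and their directories from being group- or world-readable.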