From b45a30e7a127363a3255d89909f54108f711a16d Mon Sep 17 00:00:00 2001
From: joe
Date: Tue, 29 Jul 2014 01:02:29 -0400
Subject: New script, samizdat-change-key.sh

---
 examples/samizdat-change-key.sh | 75 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100755 examples/samizdat-change-key.sh

diff --git a/examples/samizdat-change-key.sh b/examples/samizdat-change-key.sh
new file mode 100755
index 0000000..ca51832
--- /dev/null
+++ b/examples/samizdat-change-key.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+export GNUPGHOME=$ROOT/gpg/gnupghome
+
+pem_to_onion_url()
+{
+ perl -MMIME::Base64 -MDigest::SHA=sha1 -MMIME::Base32=RFC -e '
+ $key=decode_base64(join "", grep {!/[-:]/} qx(ssh-keygen -m PEM -e -f $ARGV[0]));
+ printf "%s.onion\n", lc MIME::Base32::encode(substr(sha1($key), 0, 10))' "$1"
+}
+
+makepub () {
+ tag="$1"
+ path="$2"
+ [ -f $path ] || {
+ mkdir -p "$(dirname $path)"
+ kiki --show-pem "$tag" | ssh-keygen -f /dev/stdin -i -m PKCS8 > "$path"
+ echo "$path": exported >&2
+ }
+}
+
+# External commands invoked by kiki in order to generate keys.
+# Notice that $file will not be interpolated until kiki runs the command.
+ssh='mkdir -p "$(dirname $file)" && ssh-keygen -P "" -q -f $file -b 2048'
+ssl='mkdir -p "$(dirname $file)" && openssl genrsa -out $file 1024'
+
+
+# TODO: This probably shouldn't be hard coded here.
+export GNUPGHOME=/gpg/gnupghome
+
+#####
+##### GENERATE GPG KEY
+#####
+gpg2 --gen-key
+
+echo "What is the keygrip of the new key? (paste it here from scroll)"
+read keygrip
+[ -f $GNUPGHOME/gpg.conf ] && mv $GNUPGHOME/gpg.conf $GNUPGHOME/gpg.conf.bak
+echo "default-key $keygrip" > $GNUPGHOME/gpg.conf
+
+tty -s && echo -n 'Passphrase: '
+read passphrase
+
+# First, we ensure that the tor key does not exist
+# so that it will be created new.
+torkey="$ROOT"/var/lib/tor/samizdat/private_key
+[ -f $torkey ] && rm -rvf $torkey
+
+echo "$passphrase" | \
+ kiki --keypairs tor="$torkey{$ssl}" \
+ --passphrase-fd 0 || exit
+onion_url=$(pem_to_onion_url "$torkey") || exit
+
+key_sw="$ROOT"/etc/ipsec.d/private/"$onion_url".pem
+key_cl="$ROOT"/root/.ssh/id_rsa
+key_sv="$ROOT"/etc/ssh/ssh_host_rsa_key
+
+[ -f $key_sw ] && rm -rvf $key_sw
+[ -f $key_cl ] && rm -rvf $key_cl
+# [ -f $key_sv ] && rm -rvf $key_sv #### XXX: not deleting ssh host key
+
+# Now import, export, or generate the remaining secret keys.
+echo "$passphrase" | \
+ kiki --keypairs \
+ strongswan="$ROOT"/etc/ipsec.d/private/"$onion_url".pem{"$ssl"} \
+ ssh-client="$ROOT"/root/.ssh/id_rsa{"$ssh"} \
+ ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key{"$ssh"} \
+ --passphrase-fd 0 || exit
+
+# Finally, export public keys if they do not exist.
+makepub ssh-client "$ROOT/root/.ssh/id_rsa.pub"
+makepub ssh-host "$ROOT/etc/ssh/ssh_host_rsa_key.pub"
+
+# TODO: makepub can be made obsolete by implementing something like this:
+# kiki --public ssh-client=$ROOT$HOME/.ssh/id_rsa.pub \
+# ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key.pub
-- 
cgit v1.2.3
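Review bot: `ROOT` is never validated, so when it is unset the assignments at `torkey=`, `key_sw=` and `key_cl=` resolve to the running host's own /var/lib/tor and /etc/ipsec.d key files and the following `[ -f $torkey ] && rm -rvf $torkey` lines delete them; add `: "${ROOT:?ROOT must be set}"` right after the shebang and write the removals as `rm -f -- "$torkey"` (the variables are unquoted and `-r` is not needed for a regular file). The first `export GNUPGHOME=$ROOT/gpg/gnupghome` is dead code, because the hard-coded `export GNUPGHOME=/gpg/gnupghome` further down replaces it, so gpg.conf is moved and rewritten on the host even when ROOT points at a staging tree; the TODO above it is best resolved by dropping that second export. `read passphrase` echoes the secret to the terminal and, without `-r`, mangles backslashes; under `#!/bin/sh` use `stty -echo; read -r passphrase; stty echo` and feed it to kiki with `printf '%s\n' "$passphrase"` instead of `echo` (`echo -n` on the prompt line is also not portable sh). The `ssl=` template runs `openssl genrsa -out $file 1024`, so the tor and strongswan identities are generated as 1024-bit RSA, well below the 2048 the `ssh=` template already uses for the ssh keys.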