forked from dren-dk/DontBeADick
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrekey
executable file
·91 lines (68 loc) · 2.52 KB
/
rekey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/perl
use strict;
use warnings;
use FindBin qw($Bin $Script);
use Fcntl qw(:flock SEEK_END);
use POSIX;
use File::Path;
use lib $Bin;
use Cammy;
init("$ENV{HOME}/.dont-be-a-dick.config");
my $ram = cfgRAM;
mkpath $ram unless -d $ram;
my $disk = cfgLocalStorage;
my $currentPassphraseFile = "$ram/current-passphrase";
my $ppAge = -f $currentPassphraseFile ? time-(stat $currentPassphraseFile)[9] : -1;
if (!-f $currentPassphraseFile) {
open P, "+>$currentPassphraseFile" or die "Failed to write passphrase to $currentPassphraseFile: $!";
} else {
open P, "+<$currentPassphraseFile" or die "Failed to write passphrase to $currentPassphraseFile: $!";
}
flock(P, LOCK_EX);
if ($ppAge < 60 && $ppAge >= 0) {
print STDERR "Refusing to generate a new key, because the current one is $ppAge seconds old\n";
exit 0;
}
my $keyTime = strftime("%Y-%m-%d-%H-%M-%S", localtime);
open URANDOM, "/dev/urandom" or die "Failed to read /dev/urandom: $!";
my $binPassphrase;
read(URANDOM, $binPassphrase, 64) == 64 or die "Failed to read from urandom: $!";
close URANDOM;
my $passphrase = unpack("H*", $binPassphrase);
truncate(P,0);
print P $passphrase;
# Make a note of the key time so the write script knows where to dump the output
open KT, ">$ram/key-time" or die "Urgh: $!";
print KT $keyTime;
close KT;
# Split the key into parts
my $dir = "$disk/$keyTime";
mkdir $dir;
my @board = cfgBoard;
my $quorum = cfgQuorum;
my $parts = scalar(@board);
my $ssssDir = cfgSSSS();
my $cmd = qq!cat $currentPassphraseFile | $ssssDir/ssss-split -t $quorum -n $parts -q -Q -w "$keyTime"!;
print "Splitting passphrase using: $cmd\n";
my $partLines = qx"$cmd";
my @parts = split /\n/, $partLines;
die "Failed to get the correct number of lines from '$partLines' ".scalar(@parts)." != $parts" unless @parts == $parts;
my $keydir = "$dir/keys";
mkdir $keydir;
for my $pn (0..$parts-1) {
my $bm = $board[$pn];
my $part = $parts[$pn];
my $pf = "$currentPassphraseFile.$pn";
open PF, ">$pf" or die "Failed to write passphrase part $pn to $pf:$!";
print PF $part;
close PF;
my $ek = "$keydir/$bm";
my $gpgcmd = "gpg --lock-never --batch --passphrase-fd 0 --armor --encrypt --recipient '$bm' --output='$ek.$pn' '$pf'";
print "Running $gpgcmd\n";
open PP, "|$gpgcmd" or die "Failed to run\n$gpgcmd\n$!";
print PP cfgGPGPassPhrase;
close PP;
die "Failed to encrypt passphrase part $pf for $bm, the file $ek.$pn doesn't exist" unless -f "$ek.$pn";
}
# Finally close the file to release the file lock.
close P;