freedombone/src/freedombone-utils-gpg

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# gpg functions
#
# License
# =======
#
# Copyright (C) 2016-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

function gpg_update_mutt {
    key_username=$1

    if [ ! -f /home/$key_username/.muttrc ]; then
        return
    fi

    CURR_EMAIL_ADDRESS=$key_username@$HOSTNAME
    CURR_GPG_ID=$(gpg --homedir=/home/$key_username/.gnupg --list-keys $CURR_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//')

    # If the default key is specified within gpg.conf
    if [ -f /home/$key_username/gpg.conf ]; then
        if grep -q "default-key" /home/$key_username/gpg.conf; then
            default_gpg_key=$(cat /home/$key_username/gpg.conf | grep "default-key")
            if [[ "$default_gpg_key" != *'#'* ]]; then
                default_gpg_key=$(cat /home/$key_username/gpg.conf | grep "default-key" | awk -F ' ' '{print $2}')
                if [ ${#default_gpg_key} -gt 3 ]; then
                    CURR_GPG_ID=$(gpg --homedir=/home/$key_username/.gnupg --list-keys $default_gpg_key | sed -n '2p' | sed 's/^[ \t]*//')
                fi
            fi
        fi
    fi

    sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc
    sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc

    chown $key_username:$key_username /home/$key_username/.muttrc
}

function gpg_import_public_key {
    key_username=$1
    key_filename=$2

    gpg --homedir=/home/$key_username/.gnupg --import $key_filename
    gpg_set_permissions $key_username
}

function gpg_import_private_key {
    key_username=$1
    key_filename=$2

    gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $key_filename
    gpg_set_permissions $key_username
}

function gpg_export_public_key {
    key_username=$1
    key_id=$2
    key_filename=$3

    chown -R $key_username:$key_username /home/$key_username/.gnupg
    su -m root -c "gpg --homedir /home/$key_username/.gnupg --output $key_filename --armor --export $key_id" - $key_username
}

function gpg_export_private_key {
    key_username=$1
    key_id=$2
    key_filename=$3

    chown -R $key_username:$key_username /home/$key_username/.gnupg
    su -m root -c "gpg --homedir=/home/$key_username/.gnupg --armor --output $key_filename --export-secret-key $key_id" - $key_username
}

function gpg_create_key {
    key_username=$1
    key_passphrase=$2

    gpg_dir=/home/$key_username/.gnupg

    echo 'Key-Type: eddsa' > /home/$key_username/gpg-genkey.conf
    echo 'Key-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf
    echo 'Subkey-Type: eddsa' >> /home/$key_username/gpg-genkey.conf
    echo 'Subkey-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf
    echo "Name-Real:  $MY_NAME" >> /home/$key_username/gpg-genkey.conf
    echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$key_username/gpg-genkey.conf
    echo 'Expire-Date: 0' >> /home/$key_username/gpg-genkey.conf
    cat /home/$key_username/gpg-genkey.conf
    if [ $key_passphrase ]; then
        echo "Passphrase: $key_passphrase" >> /home/$key_username/gpg-genkey.conf
    else
        echo "Passphrase: $PROJECT_NAME" >> /home/$key_username/gpg-genkey.conf
    fi
    chown $key_username:$key_username /home/$key_username/gpg-genkey.conf

    echo $'Generating a new GPG key'
    su -m root -c "gpg --homedir /home/$key_username/.gnupg --batch --full-gen-key /home/$key_username/gpg-genkey.conf" - $key_username
    chown -R $key_username:$key_username /home/$key_username/.gnupg
    KEY_EXISTS=$(gpg_key_exists "$key_username" "$MY_EMAIL_ADDRESS")
    if [[ $KEY_EXISTS == "no" ]]; then
        echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created"
        exit 63621
    fi
    shred -zu /home/$key_username/gpg-genkey.conf
    CURR_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$key_username" "$MY_EMAIL_ADDRESS")
    if [ ${#CURR_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
        echo $"GPG public key ID could not be obtained for $MY_EMAIL_ADDRESS"
        exit 825292
    fi
    gpg_set_permissions $key_username
}

function gpg_delete_key {
    key_username=$1
    key_id=$2

    chown -R $key_username:$key_username /home/$key_username/.gnupg
    su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - $key_username
    su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - $key_username
}

function gpg_set_permissions {
    key_username=$1

    if [[ "$key_username" != 'root' ]]; then
        chmod 700 /home/$key_username/.gnupg
        chmod -R 600 /home/$key_username/.gnupg/*
        printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > /home/$key_username/.gnupg/S.dirmngr
        if [ -d /home/$key_username/.gnupg/crls.d ]; then
            chmod +x /home/$key_username/.gnupg/crls.d
        fi
        chown -R $key_username:$key_username /home/$key_username/.gnupg
    else
        chmod 700 /root/.gnupg
        chmod -R 600 /root/.gnupg/*
        printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > /root/.gnupg/S.dirmngr
        if [ -d /root/.gnupg/crls.d ]; then
            chmod +x /root/.gnupg/crls.d
        fi
        chown -R $key_username:$key_username /root/.gnupg
    fi
}

function gpg_reconstruct_key {
    key_username=$1
    key_interactive=$2

    if [ ! -d /home/$key_username/.gnupg_fragments ]; then
        return
    fi
    cd /home/$key_username/.gnupg_fragments
    no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
    if (( no_of_shares < 4 )); then
        if [ $key_interactive ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70
        else
            echo $'Not enough fragments to reconstruct the key'
        fi
        exit 7348
    fi
    gfcombine /home/$key_username/.gnupg_fragments/keyshare*
    if [ ! "$?" = "0" ]; then
        if [ $key_interactive ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70
        else
            echo $'Unable to reconstruct the key'
        fi
        exit 7348
    fi

    KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc
    if [ ! -f $KEYS_FILE ]; then
        if [ $key_interactive ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70
        else
            echo $'Unable to reconstruct the key'
        fi
        exit 52852
    fi

    gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $KEYS_FILE
    if [ ! "$?" = "0" ]; then
        shred -zu $KEYS_FILE
        rm -rf /home/$key_username/.tempgnupg
        if [ $key_interactive ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70
        else
            echo $'Unable to import gpg key'
        fi
        exit 96547
    fi
    shred -zu $KEYS_FILE

    gpg_set_permissions $key_username

    if [ $key_interactive ]; then
        dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70
    else
        echo $'Key has been reconstructed'
    fi
}

function gpg_agent_setup {
    gpg_username=$1

    if [[ $gpg_username == 'root' ]]; then
        if ! grep -q 'GPG_TTY' /root/.bashrc; then
            echo '' >> /root/.bashrc
            echo 'GPG_TTY=$(tty)' >> /root/.bashrc
            echo 'export GPG_TTY' >> /root/.bashrc
        fi
        if grep -q '# use-agent' /root/.gnupg/gpg.conf; then
            sed -i 's|# use-agent|use-agent|g' /root/.gnupg/gpg.conf
        fi
        if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then
            echo 'use-agent' >> /root/.gnupg/gpg.conf
        fi
        echo 'default-cache-ttl 300' > /root/.gnupg/gpg-agent.conf
        echo 'max-cache-ttl 999999' >> /root/.gnupg/gpg-agent.conf
        echo 'allow-loopback-pinentry' >> /root/.gnupg/gpg-agent.conf
        if [ -f /root/.gnupg/S.dirmngr ]; then
            rm /root/.gnupg/S.dirmngr
        fi
        echo RELOADAGENT | gpg-connect-agent
    else
        if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then
            echo '' >> /home/$gpg_username/.bashrc
            echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc
            echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc
            chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc
        fi
        if grep -q '# use-agent' /home/$gpg_username/.gnupg/gpg.conf; then
            sed -i 's|# use-agent|use-agent|g' /home/$gpg_username/.gnupg/gpg.conf
        fi
        if ! grep -q 'use-agent' /home/$gpg_username/.gnupg/gpg.conf; then
            echo 'use-agent' >> /home/$gpg_username/.gnupg/gpg.conf
        fi
        if ! grep -q 'pinentry-mode loopback' /home/$gpg_username/.gnupg/gpg.conf; then
            echo 'pinentry-mode loopback' >> /home/$gpg_username/.gnupg/gpg.conf
        fi
        echo 'default-cache-ttl 300' > /home/$gpg_username/.gnupg/gpg-agent.conf
        echo 'max-cache-ttl 999999' >> /home/$gpg_username/.gnupg/gpg-agent.conf
        echo 'allow-loopback-pinentry' >> /home/$gpg_username/.gnupg/gpg-agent.conf
        if [ -f /home/$gpg_username/.gnupg/S.dirmngr ]; then
            rm /home/$gpg_username/.gnupg/S.dirmngr
        fi
        if [[ "$gpg_username" != "$USER" ]]; then
            su -c "echo RELOADAGENT | gpg-connect-agent" - $gpg_username
        else
            echo RELOADAGENT | gpg-connect-agent
        fi
    fi
}

function gpg_agent_enable {
    gpg_username=$1

    if [[ $gpg_username == 'root' ]]; then
        return
    else
        if grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then
            sed -i '/GPG_TTY/d' /home/$gpg_username/.bashrc
            chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc
        fi
        if grep -q 'use-agent' /home/$gpg_username/.gnupg/gpg.conf; then
           sed -i '/use-agent/d' /home/$gpg_username/.gnupg/gpg.conf
        fi
        if grep -q 'pinentry-mode loopback' /home/$gpg_username/.gnupg/gpg.conf; then
            sed -i '/pinentry-mode loopback/d' /home/$gpg_username/.gnupg/gpg.conf
        fi
        if [ -f /home/$gpg_username/.gnupg/gpg-agent.conf ]; then
            rm /home/$gpg_username/.gnupg/gpg-agent.conf
        fi
        if [[ "$gpg_username" != "$USER" ]]; then
            su -c "echo RELOADAGENT | gpg-connect-agent" - $gpg_username
        else
            echo RELOADAGENT | gpg-connect-agent
        fi
    fi
}

function gpg_pubkey_from_email {
    key_owner_username=$1
    key_email_address=$2
    key_id=
    if [[ $key_owner_username != "root" ]]; then
        key_id=$(su -c "gpg --list-keys $key_email_address" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//')

        # If the default key is specified within gpg.conf
        if [ -f /home/$key_owner_username/gpg.conf ]; then
            if grep -q "default-key" /home/$key_owner_username/gpg.conf; then
                default_gpg_key=$(cat /home/$key_owner_username/gpg.conf | grep "default-key")
                if [[ "$default_gpg_key" != *'#'* ]]; then
                    default_gpg_key=$(cat /home/$key_owner_username/gpg.conf | grep "default-key" | awk -F ' ' '{print $2}')
                    if [ ${#default_gpg_key} -gt 3 ]; then
                        key_id=$(su -c "gpg --list-keys $default_gpg_key" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//')
                    fi
                fi
            fi
        fi
    else
        key_id=$(gpg --list-keys $key_email_address | sed -n '2p' | sed 's/^[ \t]*//')

        # If the default key is specified within gpg.conf
        if [ -f /root/gpg.conf ]; then
            if grep -q "default-key" /root/gpg.conf; then
                default_gpg_key=$(cat /root/gpg.conf | grep "default-key")
                if [[ "$default_gpg_key" != *'#'* ]]; then
                    default_gpg_key=$(cat /root/gpg.conf | grep "default-key" | awk -F ' ' '{print $2}')
                    if [ ${#default_gpg_key} -gt 3 ]; then
                        key_id=$(gpg --list-keys $default_gpg_key | sed -n '2p' | sed 's/^[ \t]*//')
                    fi
                fi
            fi
        fi
    fi
    echo $key_id
}

function enable_email_encryption_at_rest {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
            if grep -q '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then
                sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc
                sed -i 's|#:0 f|:0 f|g' /home/$USERNAME/.procmailrc
            fi
        fi
    done

    if grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then
        sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc
        sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc
    fi
}

function disable_email_encryption_at_rest {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
            if ! grep -q '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then
                sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc
                sed -i 's|:0 f|#:0 f|g' /home/$USERNAME/.procmailrc
            fi
        fi
    done

    if ! grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then
        sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc
        sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc
    fi
}

# NOTE: deliberately no exit 0