freedombone/src/freedombone-utils-gpg

#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud
#
# gpg functions
#
# License
# =======
#
# Copyright (C) 2016-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

function gpg_update_mutt {
    key_username="$1"

    if [ ! -f "/home/$key_username/.muttrc" ]; then
        return
    fi

    CURR_EMAIL_ADDRESS=$key_username@$HOSTNAME
    CURR_GPG_ID=$(gpg --homedir="/home/$key_username/.gnupg" --list-keys "$CURR_EMAIL_ADDRESS" | sed -n '2p' | sed 's/^[ \t]*//')

    # If the default key is specified within gpg.conf
    if [ -f "/home/$key_username/gpg.conf" ]; then
        if grep -q "default-key" "/home/$key_username/gpg.conf"; then
            default_gpg_key=$(grep "default-key" "/home/$key_username/gpg.conf")
            if [[ "$default_gpg_key" != *'#'* ]]; then
                default_gpg_key=$(grep "default-key" "/home/$key_username/gpg.conf" | awk -F ' ' '{print $2}')
                if [ ${#default_gpg_key} -gt 3 ]; then
                    CURR_GPG_ID=$(gpg --homedir="/home/$key_username/.gnupg" --list-keys "$default_gpg_key" | sed -n '2p' | sed 's/^[ \t]*//')
                fi
            fi
        fi
    fi

    sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" "/home/$key_username/.muttrc"
    sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" "/home/$key_username/.muttrc"

    chown "$key_username":"$key_username" "/home/$key_username/.muttrc"
}

function gpg_import_public_key {
    key_username="$1"
    key_filename="$2"

    gpg --homedir="/home/$key_username/.gnupg" --import "$key_filename"
    gpg_set_permissions "$key_username"
}

function gpg_import_private_key {
    key_username="$1"
    key_filename="$2"

    gpg --homedir="/home/$key_username/.gnupg" --allow-secret-key-import --import "$key_filename"
    gpg_set_permissions "$key_username"
}

function gpg_export_public_key {
    key_username="$1"
    key_id="$2"
    key_filename="$3"

    chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg"
    su -m root -c "gpg --homedir /home/$key_username/.gnupg --output $key_filename --armor --export $key_id" - "$key_username"
}

function gpg_export_private_key {
    key_username=$1
    key_id=$2
    key_filename=$3

    chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg"
    su -m root -c "gpg --homedir=/home/$key_username/.gnupg --armor --output $key_filename --export-secret-key $key_id" - "$key_username"
}

function gpg_create_key {
    key_username="$1"
    key_passphrase="$2"

    gpg_dir="/home/$key_username/.gnupg"

    { echo 'Key-Type: eddsa';
      echo 'Key-Curve: Ed25519';
      echo 'Subkey-Type: eddsa';
      echo 'Subkey-Curve: Ed25519';
      echo "Name-Real:  $MY_NAME";
      echo "Name-Email: $MY_EMAIL_ADDRESS";
      echo 'Expire-Date: 0'; } > "/home/$key_username/gpg-genkey.conf"
    cat "/home/$key_username/gpg-genkey.conf"
    if [ "$key_passphrase" ]; then
        echo "Passphrase: $key_passphrase" >> "/home/$key_username/gpg-genkey.conf"
    else
        echo "Passphrase: $PROJECT_NAME" >> "/home/$key_username/gpg-genkey.conf"
    fi
    chown "$key_username":"$key_username" "/home/$key_username/gpg-genkey.conf"

    echo $'Generating a new GPG key'
    su -m root -c "gpg --homedir /home/$key_username/.gnupg --batch --full-gen-key /home/$key_username/gpg-genkey.conf" - "$key_username"
    chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg"
    KEY_EXISTS=$(gpg_key_exists "$key_username" "$MY_EMAIL_ADDRESS")
    if [[ $KEY_EXISTS == "no" ]]; then
        echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created"
        exit 63621
    fi
    shred -zu "/home/$key_username/gpg-genkey.conf"
    CURR_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$key_username" "$MY_EMAIL_ADDRESS")
    if [ ${#CURR_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
        echo $"GPG public key ID could not be obtained for $MY_EMAIL_ADDRESS"
        exit 825292
    fi
    gpg_set_permissions "$key_username"
}

function gpg_delete_key {
    key_username="$1"
    key_id="$2"

    chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg"
    su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - "$key_username"
    su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - "$key_username"
}

function gpg_set_permissions {
    key_username=$1

    if [[ "$key_username" != 'root' ]]; then
        chmod 700 "/home/$key_username/.gnupg"
        chmod -R 600 "/home/$key_username/.gnupg/"*
        printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > "/home/$key_username/.gnupg/S.dirmngr"
        if [ -d "/home/$key_username/.gnupg/crls.d" ]; then
            chmod +x "/home/$key_username/.gnupg/crls.d"
        fi
        chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg"
    else
        chmod 700 /root/.gnupg
        chmod -R 600 /root/.gnupg/*
        printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > /root/.gnupg/S.dirmngr
        if [ -d /root/.gnupg/crls.d ]; then
            chmod +x /root/.gnupg/crls.d
        fi
        chown -R "$key_username":"$key_username" /root/.gnupg
    fi
}

function gpg_reconstruct_key {
    key_username=$1
    key_interactive=$2

    if [ ! -d "/home/$key_username/.gnupg_fragments" ]; then
        return
    fi
    cd "/home/$key_username/.gnupg_fragments" || exit 3468346
    # shellcheck disable=SC2012
    no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
    if (( no_of_shares < 4 )); then
        if [ "$key_interactive" ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70
        else
            echo $'Not enough fragments to reconstruct the key'
        fi
        exit 7348
    fi
    if ! gfcombine "/home/$key_username/.gnupg_fragments/keyshare*"; then
        if [ "$key_interactive" ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70
        else
            echo $'Unable to reconstruct the key'
        fi
        exit 7348
    fi

    KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc
    if [ ! -f "$KEYS_FILE" ]; then
        if [ "$key_interactive" ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70
        else
            echo $'Unable to reconstruct the key'
        fi
        exit 52852
    fi

    if ! gpg --homedir="/home/$key_username/.gnupg" --allow-secret-key-import --import "$KEYS_FILE"; then
        shred -zu "$KEYS_FILE"
        rm -rf "/home/$key_username/.tempgnupg"
        if [ "$key_interactive" ]; then
            dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70
        else
            echo $'Unable to import gpg key'
        fi
        exit 96547
    fi
    shred -zu "$KEYS_FILE"

    gpg_set_permissions "$key_username"

    if [ "$key_interactive" ]; then
        dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70
    else
        echo $'Key has been reconstructed'
    fi
}

function gpg_agent_setup {
    gpg_username=$1

    if [[ $gpg_username == 'root' ]]; then
        if ! grep -q 'GPG_TTY' /root/.bashrc; then
            { echo '';
              echo "GPG_TTY=\$(tty)";
              echo 'export GPG_TTY'; } >> /root/.bashrc
        fi
        if grep -q '# use-agent' /root/.gnupg/gpg.conf; then
            sed -i 's|# use-agent|use-agent|g' /root/.gnupg/gpg.conf
        fi
        if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then
            echo 'use-agent' >> /root/.gnupg/gpg.conf
        fi
        { echo 'default-cache-ttl 300';
          echo 'max-cache-ttl 999999';
          echo 'allow-loopback-pinentry'; } > /root/.gnupg/gpg-agent.conf
        if [ -f /root/.gnupg/S.dirmngr ]; then
            rm /root/.gnupg/S.dirmngr
        fi
        echo RELOADAGENT | gpg-connect-agent
    else
        if ! grep -q 'GPG_TTY' "/home/$gpg_username/.bashrc"; then
            { echo '';
              echo "GPG_TTY=\$(tty)";
              echo 'export GPG_TTY'; } >> "/home/$gpg_username/.bashrc"
            chown "$gpg_username":"$gpg_username" "/home/$gpg_username/.bashrc"
        fi
        if grep -q '# use-agent' "/home/$gpg_username/.gnupg/gpg.conf"; then
            sed -i 's|# use-agent|use-agent|g' "/home/$gpg_username/.gnupg/gpg.conf"
        fi
        if ! grep -q 'use-agent' "/home/$gpg_username/.gnupg/gpg.conf"; then
            echo 'use-agent' >> "/home/$gpg_username/.gnupg/gpg.conf"
        fi
        if ! grep -q 'pinentry-mode loopback' "/home/$gpg_username/.gnupg/gpg.conf"; then
            echo 'pinentry-mode loopback' >> "/home/$gpg_username/.gnupg/gpg.conf"
        fi
        echo 'default-cache-ttl 300' > "/home/$gpg_username/.gnupg/gpg-agent.conf"
        echo 'max-cache-ttl 999999' >> "/home/$gpg_username/.gnupg/gpg-agent.conf"
        echo 'allow-loopback-pinentry' >> "/home/$gpg_username/.gnupg/gpg-agent.conf"
        if [ -f "/home/$gpg_username/.gnupg/S.dirmngr" ]; then
            rm "/home/$gpg_username/.gnupg/S.dirmngr"
        fi
        if [[ "$gpg_username" != "$USER" ]]; then
            su -c "echo RELOADAGENT | gpg-connect-agent" - "$gpg_username"
        else
            echo RELOADAGENT | gpg-connect-agent
        fi
    fi
}

function gpg_agent_enable {
    gpg_username=$1

    if [[ $gpg_username == 'root' ]]; then
        return
    else
        if grep -q 'GPG_TTY' "/home/$gpg_username/.bashrc"; then
            sed -i '/GPG_TTY/d' "/home/$gpg_username/.bashrc"
            chown "$gpg_username":"$gpg_username" "/home/$gpg_username/.bashrc"
        fi
        if grep -q 'use-agent' "/home/$gpg_username/.gnupg/gpg.conf"; then
           sed -i '/use-agent/d' "/home/$gpg_username/.gnupg/gpg.conf"
        fi
        if grep -q 'pinentry-mode loopback' "/home/$gpg_username/.gnupg/gpg.conf"; then
            sed -i '/pinentry-mode loopback/d' "/home/$gpg_username/.gnupg/gpg.conf"
        fi
        if [ -f "/home/$gpg_username/.gnupg/gpg-agent.conf" ]; then
            rm "/home/$gpg_username/.gnupg/gpg-agent.conf"
        fi
        if [[ "$gpg_username" != "$USER" ]]; then
            su -c "echo RELOADAGENT | gpg-connect-agent" - "$gpg_username"
        else
            echo RELOADAGENT | gpg-connect-agent
        fi
    fi
}

function gpg_pubkey_from_email {
    key_owner_username=$1
    key_email_address=$2
    key_id=
    if [[ $key_owner_username != "root" ]]; then
        key_id=$(su -c "gpg --list-keys $key_email_address" - "$key_owner_username" | sed -n '2p' | sed 's/^[ \t]*//')

        # If the default key is specified within gpg.conf
        if [ -f "/home/$key_owner_username/gpg.conf" ]; then
            if grep -q "default-key" "/home/$key_owner_username/gpg.conf"; then
                default_gpg_key=$(grep "default-key" "/home/$key_owner_username/gpg.conf")
                if [[ "$default_gpg_key" != *'#'* ]]; then
                    default_gpg_key=$(grep "default-key" "/home/$key_owner_username/gpg.conf" | awk -F ' ' '{print $2}')
                    if [ ${#default_gpg_key} -gt 3 ]; then
                        key_id=$(su -c "gpg --list-keys $default_gpg_key" - "$key_owner_username" | sed -n '2p' | sed 's/^[ \t]*//')
                    fi
                fi
            fi
        fi
    else
        key_id=$(gpg --list-keys "$key_email_address" | sed -n '2p' | sed 's/^[ \t]*//')

        # If the default key is specified within gpg.conf
        if [ -f /root/gpg.conf ]; then
            if grep -q "default-key" /root/gpg.conf; then
                default_gpg_key=$(grep "default-key" /root/gpg.conf)
                if [[ "$default_gpg_key" != *'#'* ]]; then
                    default_gpg_key=$(grep "default-key" /root/gpg.conf | awk -F ' ' '{print $2}')
                    if [ ${#default_gpg_key} -gt 3 ]; then
                        key_id=$(gpg --list-keys "$default_gpg_key" | sed -n '2p' | sed 's/^[ \t]*//')
                    fi
                fi
            fi
        fi
    fi
    echo "$key_id"
}

function enable_email_encryption_at_rest {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
            if grep -q '#| /usr/bin/gpgit.pl' "/home/$USERNAME/.procmailrc"; then
                sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' "/home/$USERNAME/.procmailrc"
                sed -i 's|#:0 f|:0 f|g' "/home/$USERNAME/.procmailrc"
            fi
        fi
    done

    if grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then
        sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc
        sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc
    fi
}

function disable_email_encryption_at_rest {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
            if ! grep -q '#| /usr/bin/gpgit.pl' "/home/$USERNAME/.procmailrc"; then
                sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' "/home/$USERNAME/.procmailrc"
                sed -i 's|:0 f|#:0 f|g' "/home/$USERNAME/.procmailrc"
            fi
        fi
    done

    if ! grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then
        sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc
        sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc
    fi
}

# NOTE: deliberately no exit 0