Commit b28ebf27 authored by Pontus Freyhult's avatar Pontus Freyhult

Set a restrictive umask. Encrypted keys are

no longer stored unencrypted in a temporary file; instead they are piped
through the conversion chain, just like unencrypted keys.

Rev: src/lsh-upgrade-key:1.2
parent d103ce7c
......@@ -19,6 +19,8 @@ if [ $# -eq 0 ] ; then
exit 1
fi
umask 077
: ${SEXP_CONV:=sexp-conv}
: ${LSH_DECRYPT_KEY:=lsh-decrypt-key}
: ${LSH_WRITEKEY:=lsh-writekey}
......@@ -30,19 +32,6 @@ type "$LSH_WRITEKEY" >/dev/null 2>&1 || die "Can't find the lsh-writekey program
for p in $@; do
werror "Converting key $p"
keyname="$p"
crypto=""
if "$SEXP_CONV" -s advanced < "$p" \
| grep 'password-encrypted' >/dev/null; then
werror "Key is encrypted and must be decrypted."
"$LSH_DECRYPT_KEY" --in="$p" --out="$p.tmpdecrypted" || \
die "Decryption failed for $p, aborting."
keyname="$p.tmpdecrypted"
crypto="-c aes256-cbc"
werror "Key be will be reencryptred using aes256-cbc."
fi
# These are the changes we must make:
#
......@@ -52,10 +41,25 @@ for p in $@; do
# It also seems we must reconvert back to transport format to make lsh-writekey
"$SEXP_CONV" -s hex <"$keyname" \
| sed -e 's,(\(.\) #\([89a-fA-F]\),(\1 #00\2,' \
| "$SEXP_CONV" -s transport \
| "$LSH_WRITEKEY" $crypto -o "$p.new"
rm -f "$p.tmpdecrypted" "$p.tmpdecrypted.pub" 2>/dev/null
if "$SEXP_CONV" -s advanced < "$p" \
| grep 'password-encrypted' >/dev/null; then
werror "Key is encrypted and must be decrypted."
# Encrypted key
(("$LSH_DECRYPT_KEY" --in="$p" || \
die "Decryption failed for $p, aborting.") && \
werror "Key will be reencrypted using aes256-cbc") | \
"$SEXP_CONV" -s hex \
| sed -e 's,(\(.\) #\([89a-fA-F]\),(\1 #00\2,' \
| "$SEXP_CONV" -s transport \
| "$LSH_WRITEKEY" -c aes256-cbc -o "$p.new"
else
# Not encrypted
"$SEXP_CONV" -s hex <"$p" \
| sed -e 's,(\(.\) #\([89a-fA-F]\),(\1 #00\2,' \
| "$SEXP_CONV" -s transport \
| "$LSH_WRITEKEY" -o "$p.new"
fi
done
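Review bot: The `die` inside the `( … )` group of the encrypted branch (`"$LSH_DECRYPT_KEY" --in="$p" || die "Decryption failed for $p, aborting."`) only terminates that subshell, so unlike the removed `|| die` a decryption failure no longer stops the script: the remaining stages still run, `"$LSH_WRITEKEY" -c aes256-cbc -o "$p.new"` can be invoked on empty input, and the loop proceeds to the next key. No `set -o pipefail` is visible in this section, so the pipeline's status is lsh-writekey's alone, and that status is not checked in either branch. At minimum append `|| die "Conversion failed for $p, aborting."` to the `-o "$p.new"` line of both branches so a failed write aborts the run, and if the script is allowed to depend on bash, add `set -o pipefail` next to the new `umask 077` so the decrypt failure itself propagates. Whether `die`'s message from inside the subshell reaches stderr depends on its definition, which is outside this section, and the enclosing `for` loop begins in the earlier hunk, where the unquoted `for p in $@; do` still word-splits key paths containing whitespace before either branch sees them.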