Last active
December 17, 2018 14:54
-
-
Save mathieuancelin/b8c4d4915d091d69961791b301b74085 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| outfile= | |
| passfile= | |
| pin= | |
| encKey=01 | |
| action=encrypt | |
| while getopts ":f:o:p:k:a:h" opt; do | |
| case $opt in | |
| f) | |
| file="$OPTARG";; | |
| o) | |
| outfile="$OPTARG" | |
| do_shift=$((do_shift+2));; | |
| p) | |
| pin="$OPTARG" | |
| do_shift=$((do_shift+2));; | |
| k) | |
| encKey="$OPTARG" | |
| do_shift=$((do_shift+2));; | |
| a) | |
| action="$OPTARG" | |
| do_shift=$((do_shift+2));; | |
| h) | |
| echo "Usage yubikey [...opts]" | |
| echo " " | |
| echo "-a action: encrypt | decrypt | sign | verify" | |
| echo "-f path to file to encrypt" | |
| echo "-o output filename" | |
| echo "-p pin code for PIV" | |
| echo "-k key to use on PIV card (01, 02, 03, 04)" | |
| echo " " | |
| exit 0;; | |
| esac | |
| done | |
| shift $do_shift | |
| function extractCert { | |
| pkcs11-tool -r -p "$pin" --id "$encKey" --type cert --module /Library/OpenSC/lib/opensc-pkcs11.so > "$encKey.cert" | |
| openssl x509 -inform DER -in "$encKey.cert" -pubkey > "$encKey.pub" | |
| rm -f "$encKey.cert" | |
| } | |
| function encrypt { | |
| if [ ! -f "$encKey.pub" ]; then | |
| extractCert | |
| fi | |
| if [ ! -f "./pass" ]; then | |
| openssl rand -hex 64 -out ./pass | |
| #echo "Pass phrase is:" | |
| #cat ./pass | |
| fi | |
| openssl enc -aes-256-cbc -salt -in $file -out $outfile -pass file:./pass | |
| openssl rsautl -encrypt -inkey $encKey.pub -in ./pass -pubin -out $passfile | |
| rm -f ./pass | |
| rm -f $encKey.pub | |
| } | |
| function decrypt { | |
| cat $passfile | pkcs11-tool --id "$encKey" --decrypt -p "$pin" -m RSA-PKCS --module /Library/OpenSC/lib/opensc-pkcs11.so > ./pass | |
| openssl enc -d -aes-256-cbc -in $file -out $outfile -pass file:./pass | |
| rm -f ./pass | |
| } | |
| function sign { | |
| shasum -a 512 $file | awk '{print $1}' > ./sha512 | |
| cat ./sha512 | pkcs11-tool --id "$encKey" -s -p "$pin" -m RSA-PKCS --module /Library/OpenSC/lib/opensc-pkcs11.so > $outfile | |
| rm -f ./sha512 | |
| } | |
| function verify { | |
| if [ ! -f "$encKey.pub" ]; then | |
| extractCert | |
| fi | |
| openssl rsautl -verify -inkey $encKey.pub -in $file -pubin | |
| rm -f $encKey.pub | |
| } | |
| # echo "=== Debug ====" | |
| # echo "file=$file" | |
| # echo "outfile=$outfile" | |
| # echo "pin=$pin" | |
| # echo "encKey=$encKey" | |
| # echo "action=$action" | |
| # echo "passfile=$passfile" | |
| # echo "==============" | |
| if [ "$file" == "" ]; then | |
| echo "Missing input file..." | |
| exit 1 | |
| fi | |
| echo "Insert your key ..." | |
| until piv-tool --wait --serial > /dev/null; do sleep 1; done; | |
| if [ "$pin" == "" ]; then | |
| echo "PIV pin code:" | |
| read -s pin | |
| fi | |
| if [ "$action" = "encrypt" ]; then | |
| if [ "$outfile" == "" ]; then | |
| outfile=$(echo $file).enc | |
| passfile=$(echo $file).pass | |
| fi | |
| encrypt | |
| elif [ "$action" = "decrypt" ]; then | |
| if [ "$outfile" == "" ]; then | |
| outfile=$(echo $file).dec | |
| passfile=$(echo $file).pass | |
| fi | |
| decrypt | |
| elif [ "$action" = "sign" ]; then | |
| if [ "$outfile" == "" ]; then | |
| outfile=$(echo $file).sig | |
| passfile=$(echo $file).pass | |
| fi | |
| sign | |
| elif [ "$action" = "verify" ]; then | |
| verify | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment