TLS Workshop Playground
#!/bin/bash
## TLS Workshop Playground
## NOTICE: This script is intended for learning purposes only.
# These functions will set environmental variables in your terminal session,
# all beginning with "tls_". Use tls-reset to clean up all variables and remove
# generated temporary files (in the case of asym-gen).
# Print a help message
# The listing is emitted verbatim: the delimiter is quoted so nothing in the
# text is expanded by the shell.
function tls-help {
  cat <<'EOF'
Available functions:
tls-help This help message
tls-status Print status information of environmental variables
tls-reset Reset all environmental variables
hash One way function to convert arbitrary data into a fixed length "hash"
Usage: hash data
hmac Hash data with a secret
Usage: hmac secret data
sym-gen Generate a symmetric key
sym-enc Encrypt a message using the generated symmetric key and iv
Usage: sym-enc message
sym-dec Decrypt a message using the generated symmetric key and iv
Usage: sym-dec [cipher]
asym-gen Generate an asymmetric key pair
asym-enc Encrypt using an asymmetric key (default public key)
Usage: asym-enc message [key-file]
asym-dec Decrypt using an asymmetric key (default private key)
Usage: asym-dec [key-file] [cipher]
EOF
}
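# Print status information of environmental variables
# One line per tls_* value that is currently set; prints nothing when no
# variable is set. Key material (symmetric key, hmac secret) is shown in the
# clear on purpose: this is a teaching playground.
# Returns: 0
function tls-status {
  local priv_digest pub_digest
  if [[ -n $tls_hash ]]; then
    printf 'hash(%s): %s\n' "$tls_hash_input" "$tls_hash"
  fi
  if [[ -n $tls_hmac ]]; then
    printf 'hmac(secret=%s, %s): %s\n' "$tls_hmac_secret" "$tls_hmac_input" "$tls_hmac"
  fi
  if [[ -n $tls_sym_key ]]; then
    printf 'sym-key: %s\n' "$tls_sym_key"
    printf 'sym-iv : %s\n' "$tls_sym_iv"
  fi
  if [[ -n $tls_sym_enc_cipher ]]; then
    printf 'sym-enc(%s): %s\n' "$tls_sym_enc_input" "$tls_sym_enc_cipher"
  fi
  if [[ -n $tls_sym_dec_msg ]]; then
    printf 'sym-dec(%s...): %s\n' "${tls_sym_dec_input:0:16}" "$tls_sym_dec_msg"
  fi
  if [[ -f $tls_asym_priv_key ]]; then
    # key paths are quoted so a path containing spaces is not word-split
    priv_digest=$(openssl dgst -sha256 "$tls_asym_priv_key" | cut -d' ' -f2)
    printf 'hash(%s): %s\n' "$tls_asym_priv_key" "$priv_digest"
    # the public key file is only hashed when it actually exists
    if [[ -f $tls_asym_pub_key ]]; then
      pub_digest=$(openssl dgst -sha256 "$tls_asym_pub_key" | cut -d' ' -f2)
      printf 'hash(%s) : %s\n' "$tls_asym_pub_key" "$pub_digest"
    fi
  fi
  if [[ -n $tls_asym_enc_cipher ]]; then
    printf 'asym-enc(%s): %s...\n' "$tls_asym_enc_input" "${tls_asym_enc_cipher:0:16}"
  fi
  if [[ -n $tls_asym_dec_msg ]]; then
    printf 'asym-dec(%s...): %s\n' "${tls_asym_dec_input:0:16}" "$tls_asym_dec_msg"
  fi
}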
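# Reset all environmental variables
# Unsets every tls_* variable and deletes the key files created by asym-gen.
# Only paths that look like asym-gen's mktemp output (tls-rsa-XXXX.pub/.priv)
# are removed, so a user-supplied key path is never deleted. The patterns are
# kept in variables and used unquoted: a quoted right-hand side of =~ is a
# literal string match in bash, which is why the original never removed
# anything.
# Returns: 0
function tls-reset {
  local pub_re='tls-rsa-....\.pub$'
  local priv_re='tls-rsa-....\.priv$'
  unset tls_hash tls_hash_input
  unset tls_hmac tls_hmac_input tls_hmac_secret
  unset tls_sym_key tls_sym_iv
  unset tls_sym_enc_input tls_sym_enc_cipher
  unset tls_sym_dec_input tls_sym_dec_msg
  if [[ -f $tls_asym_pub_key && $tls_asym_pub_key =~ $pub_re ]]; then
    printf 'Removing %s\n' "$tls_asym_pub_key" >&2
    rm -f -- "$tls_asym_pub_key"
  fi
  if [[ -f $tls_asym_priv_key && $tls_asym_priv_key =~ $priv_re ]]; then
    printf 'Removing %s\n' "$tls_asym_priv_key" >&2
    rm -f -- "$tls_asym_priv_key"
  fi
  unset tls_asym_pub_key tls_asym_priv_key
  unset tls_asym_enc_input tls_asym_enc_cipher
  unset tls_asym_dec_input tls_asym_dec_msg
}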
# One way function to convert arbitrary data into a fixed length "hash"
# Joins all arguments with a space, appends a newline (here-string semantics)
# and prints the hex SHA-256 digest. Sets tls_hash_input and tls_hash.
# Note: defining a function named `hash` shadows the bash builtin of the same
# name in the session that sources this file.
function hash {
  local digest
  tls_hash_input="$*"
  digest=$(printf '%s\n' "$tls_hash_input" | openssl dgst -sha256)
  # dgst prints "ALGO(stdin)= <hex>"; keep the part after the space
  tls_hash=${digest##* }
  printf '%s\n' "$tls_hash"
}
# Hash data with a secret (hash-based message authentication code)
# Usage: hmac secret data
# Prints the hex HMAC of "data\n" under "secret" and sets tls_hmac_secret,
# tls_hmac_input and tls_hmac. The secret is passed on openssl's command
# line, so it is visible in process listings for the duration of the call;
# acceptable for a playground, not for real secrets.
function hmac {
  local digest
  tls_hmac_secret="$1"
  tls_hmac_input="$2"
  digest=$(printf '%s\n' "$tls_hmac_input" | openssl dgst -hmac "$tls_hmac_secret")
  # dgst prints "HMAC-ALGO(stdin)= <hex>"; keep the part after the space
  tls_hmac=${digest##* }
  printf '%s\n' "$tls_hmac"
}
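# Generate a symmetric key
# One key - does both encryption and decryption
# Sets tls_sym_key (32 random bytes, hex) and tls_sym_iv (16 random bytes,
# hex) straight from `openssl rand`. Deriving them with
# `openssl enc -k secret -P` made both a function of a fixed password and an
# 8-byte random salt, i.e. at most 64 bits of key entropy, and hid the
# deprecated-KDF warning with 2>/dev/null.
# Returns: 0, or 1 if openssl fails (the variables are then left unchanged)
function sym-gen {
  local key iv
  # declaration and assignment are separate so the exit status is not masked
  key=$(openssl rand -hex 32) || return 1
  iv=$(openssl rand -hex 16) || return 1
  tls_sym_key=$key
  tls_sym_iv=$iv
  printf 'tls_sym_key: %s\n' "$tls_sym_key"
  printf 'tls_sym_iv : %s\n' "$tls_sym_iv"
}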
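# Encrypt a message using the generated symmetric key and iv
# Output is base64 encoded
# Joins all arguments with a space, appends a newline and encrypts with
# AES-256-CBC under tls_sym_key/tls_sym_iv. Sets tls_sym_enc_input and
# tls_sym_enc_cipher. CBC gives confidentiality only: there is no
# authentication tag, so a tampered ciphertext is not detected (see hmac).
# Reusing the same iv for several messages leaks whether their first blocks
# match; sym-gen picks a fresh iv.
# Returns: 1 with a message on stderr if sym-gen has not been run
function sym-enc {
  if [[ -z $tls_sym_key || -z $tls_sym_iv ]]; then
    # the message used to name a function that does not exist here
    printf 'Please call sym-gen before encrypting\n' >&2
    return 1
  fi
  tls_sym_enc_input="$*"
  tls_sym_enc_cipher=$(openssl enc -a -aes-256-cbc -K \
    "$tls_sym_key" -iv "$tls_sym_iv" \
    <<< "$tls_sym_enc_input")
  printf '%s\n' "$tls_sym_enc_cipher"
}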
# Decrypt a message using the generated symmetric key and iv
# Input is expected to be base64 encoded
# Usage: sym-dec [cipher]
# The cipher is taken from the arguments (joined with a space) or, when they
# are empty, from tls_sym_enc_cipher. Sets tls_sym_dec_input and
# tls_sym_dec_msg and prints the plaintext.
# Returns: 1 with a message on stderr if key or iv is not set
function sym-dec {
  if [[ -z $tls_sym_key || -z $tls_sym_iv ]]; then
    echo >&2 "Please set tls_sym_key and tls_sym_iv variables before decrypting."
    return 1
  fi
  # explicit args win; an empty argument list falls back to the last cipher
  if [[ -n "$*" ]]; then
    tls_sym_dec_input="$*"
  else
    tls_sym_dec_input=$tls_sym_enc_cipher
  fi
  local plain
  plain=$(openssl enc -d -a -aes-256-cbc \
    -K "$tls_sym_key" -iv "$tls_sym_iv" <<< "$tls_sym_dec_input")
  tls_sym_dec_msg=$plain
  echo "$tls_sym_dec_msg"
}
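# Generate an asymmetric key pair
# Two keys, only its pair can decrypt what the other encrypts
# Writes a 2048-bit RSA private key to tls_asym_priv_key (a fresh mktemp
# file unless the variable is already set; mktemp creates it mode 0600 and
# genrsa truncates it in place, so that mode is kept) and the matching public
# key to tls_asym_pub_key (derived by replacing the "priv" suffix with "pub"
# unless already set). tls-reset only deletes files named tls-rsa-XXXX.priv /
# .pub; the GNU mktemp -t template yields exactly that name. NOTE(review):
# BSD/macOS mktemp -t appends its own random suffix, so the name shape may
# differ there - confirm before relying on tls-reset's cleanup.
# Returns: 1 if mktemp or either openssl step fails (no "generated" message
# is printed in that case)
function asym-gen {
  # generate a file for the private key if one doesn't already exist
  if [[ -z $tls_asym_priv_key ]]; then
    tls_asym_priv_key=$(mktemp -t tls-rsa-XXXX.priv) || return 1
  fi
  # generate a file for the public key based on the private key
  tls_asym_pub_key=${tls_asym_pub_key:-${tls_asym_priv_key%%priv}pub}
  # key size pinned explicitly rather than relying on the openssl default
  openssl genrsa -out "$tls_asym_priv_key" 2048 || return 1
  openssl pkey -in "$tls_asym_priv_key" -pubout -out "$tls_asym_pub_key" || return 1
  printf 'Private key generated in: %s\n' "$tls_asym_priv_key"
  printf 'Public key generated in : %s\n' "$tls_asym_pub_key"
}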
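# Encrypt using an asymmetric key (default public key)
# Usage: asym-enc message [key-file]
# With a public key this is RSA encryption via rsautl (PKCS#1 v1.5 padding,
# so the message must be shorter than the modulus size minus 11 bytes); with
# a private key it is a raw RSA signature over the message. The key type is
# detected from the PEM header. Sets tls_asym_enc_input and
# tls_asym_enc_cipher (single-line base64) and prints the latter.
# `openssl rsautl` is deprecated in OpenSSL 3 in favour of pkeyutl and emits
# a warning on stderr; it still works.
# Returns: 1 with a message on stderr if the key file is missing, is not
# recognised, or encryption produced no output
function asym-enc {
  tls_asym_enc_input="$1"
  local key=${2:-$tls_asym_pub_key}
  # fail early with a clear message instead of letting grep/openssl complain
  if [[ -z $key || ! -r $key ]]; then
    printf 'No readable key file (%s). Run asym-gen or pass a key file.\n' "$key" >&2
    return 1
  fi
  # grep -q replaces the original `2>&1 >/dev/null`, which sent grep's errors
  # to stdout rather than discarding them
  if grep -q 'PRIVATE' "$key"; then
    printf 'Encrypting using private key %s...\n' "$key" >&2
    # encrypting with a private key is "signing"
    tls_asym_enc_cipher=$(openssl rsautl -inkey "$key" -sign <<< "$tls_asym_enc_input" | base64 | tr -d '\n')
  elif grep -q 'PUBLIC' "$key"; then
    printf 'Encrypting using public key %s...\n' "$key" >&2
    tls_asym_enc_cipher=$(openssl rsautl -inkey "$key" -pubin -encrypt <<< "$tls_asym_enc_input" | base64 | tr -d '\n')
  else
    printf 'Unrecognized key type. Is %s an RSA key?\n' "$key" >&2
    return 1
  fi
  # the pipeline's status is tr's, so detect openssl failure by empty output
  if [[ -z $tls_asym_enc_cipher ]]; then
    printf 'Encryption failed (message too long for the key?).\n' >&2
    return 1
  fi
  printf '%s\n' "$tls_asym_enc_cipher"
}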
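# Decrypt using an asymmetric key (default private key)
# Usage: asym-dec [key-file] [cipher]
# The cipher defaults to tls_asym_enc_cipher and is base64-decoded before
# being fed to rsautl. With a private key this decrypts; with a public key it
# recovers the data from a raw RSA signature ("verifying"). The key type is
# detected from the PEM header. Sets tls_asym_dec_input and tls_asym_dec_msg
# and prints the latter. `openssl rsautl` is deprecated in OpenSSL 3 in
# favour of pkeyutl and emits a warning on stderr; it still works.
# Returns: 1 with a message on stderr if the key file is missing, is not
# recognised, or openssl rejects the input (wrong key, bad padding, etc.)
function asym-dec {
  local key=${1:-$tls_asym_priv_key}
  tls_asym_dec_input=${2:-$tls_asym_enc_cipher}
  # fail early with a clear message instead of letting grep/openssl complain
  if [[ -z $key || ! -r $key ]]; then
    printf 'No readable key file (%s). Run asym-gen or pass a key file.\n' "$key" >&2
    return 1
  fi
  # grep -q replaces the original `2>&1 >/dev/null`, which sent grep's errors
  # to stdout rather than discarding them
  if grep -q 'PRIVATE' "$key"; then
    printf 'Decrypting using private key %s...\n' "$key" >&2
    # openssl is the last pipeline stage, so the assignment's status is its own
    if ! tls_asym_dec_msg=$(base64 -d <<< "$tls_asym_dec_input" | openssl rsautl -inkey "$key" -decrypt); then
      printf 'Decryption failed.\n' >&2
      return 1
    fi
  elif grep -q 'PUBLIC' "$key"; then
    printf 'Decrypting using public key %s...\n' "$key" >&2
    # decrypting with a public key is "verifying"
    if ! tls_asym_dec_msg=$(base64 -d <<< "$tls_asym_dec_input" | openssl rsautl -inkey "$key" -pubin -verify); then
      printf 'Verification failed.\n' >&2
      return 1
    fi
  else
    printf 'Unrecognized key type. Is %s an RSA key?\n' "$key" >&2
    return 1
  fi
  printf '%s\n' "$tls_asym_dec_msg"
}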