mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19581 Commits
28 Branches
Tree: f7c44dea2e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f7c44dea2e'
${ noResults }
rspamd/lualib/rspamadm/keypair.lua

keypair.lua 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. local argparse = require "argparse"

  18. local rspamd_keypair = require "rspamd_cryptobox_keypair"

  19. local rspamd_pubkey = require "rspamd_cryptobox_pubkey"

  20. local rspamd_signature = require "rspamd_cryptobox_signature"

  21. local rspamd_crypto = require "rspamd_cryptobox"

  22. local rspamd_util = require "rspamd_util"

  23. local ucl = require "ucl"

  24. local logger = require "rspamd_logger"

  25. 

  26. -- Define command line options

  27. local parser = argparse()

  28.     :name "rspamadm keypair"

  29.     :description "Manages keypairs for Rspamd"

  30.     :help_description_margin(30)

  31.     :command_target("command")

  32.     :require_command(false)

  33. 

  34. -- Generate subcommand

  35. local generate = parser:command "generate gen g"

  36.                        :description "Creates a new keypair"

  37. generate:flag "-s --sign"

  38.         :description "Generates a sign keypair instead of the encryption one"

  39. generate:flag "-n --nist"

  40.         :description "Uses nist encryption algorithm"

  41. generate:option "-o --output"

  42.         :description "Write keypair to file"

  43.         :argname "<file>"

  44. generate:mutex(

  45.     generate:flag "-j --json"

  46.             :description "Output JSON instead of UCL",

  47.     generate:flag "-u --ucl"

  48.             :description "Output UCL"

  49.             :default(true)

  50. )

  51. 

  52. -- Sign subcommand

  53. 

  54. local sign = parser:command "sign sig s"

  55.                    :description "Signs a file using keypair"

  56. sign:option "-k --keypair"

  57.     :description "Keypair to use"

  58.     :argname "<file>"

  59. sign:option "-s --suffix"

  60.     :description "Suffix for signature"

  61.     :argname "<suffix>"

  62.     :default("sig")

  63. sign:argument "file"

  64.     :description "File to sign"

  65.     :argname "<file>"

  66.     :args "*"

  67. 

  68. -- Verify subcommand

  69. 

  70. local verify = parser:command "verify ver v"

  71.                      :description "Verifies a file using keypair or a public key"

  72. verify:mutex(

  73.     verify:option "-p --pubkey"

  74.           :description "Load pubkey from the specified file"

  75.           :argname "<file>",

  76.     verify:option "-P --pubstring"

  77.           :description "Load pubkey from the base32 encoded string"

  78.           :argname "<base32>",

  79.     verify:option "-k --keypair"

  80.           :description "Get pubkey from the keypair file"

  81.           :argname "<file>"

  82. )

  83. verify:argument "file"

  84.     :description "File to verify"

  85.     :argname "<file>"

  86.     :args "*"

  87. verify:flag "-n --nist"

  88.       :description "Uses nistp curves (P256)"

  89. verify:option "-s --suffix"

  90.       :description "Suffix for signature"

  91.       :argname "<suffix>"

  92.       :default("sig")

  93. 

  94. -- Encrypt subcommand

  95. 

  96. local encrypt = parser:command "encrypt crypt enc e"

  97.                       :description "Encrypts a file using keypair (or a pubkey)"

  98. encrypt:mutex(

  99.     encrypt:option "-p --pubkey"

  100.            :description "Load pubkey from the specified file"

  101.            :argname "<file>",

  102.     encrypt:option "-P --pubstring"

  103.            :description "Load pubkey from the base32 encoded string"

  104.            :argname "<base32>",

  105.     encrypt:option "-k --keypair"

  106.            :description "Get pubkey from the keypair file"

  107.            :argname "<file>"

  108. )

  109. encrypt:option "-s --suffix"

  110.        :description "Suffix for encrypted file"

  111.        :argname "<suffix>"

  112.        :default("enc")

  113. encrypt:argument "file"

  114.        :description "File to encrypt"

  115.        :argname "<file>"

  116.        :args "*"

  117. encrypt:flag "-r --rm"

  118.        :description "Remove unencrypted file"

  119. encrypt:flag "-f --force"

  120.        :description "Remove destination file if it exists"

  121. 

  122. -- Decrypt subcommand

  123. 

  124. local decrypt = parser:command "decrypt dec d"

  125.                       :description "Decrypts a file using keypair"

  126. decrypt:option "-k --keypair"

  127.        :description "Get pubkey from the keypair file"

  128.        :argname "<file>"

  129. decrypt:flag "-S --keep-suffix"

  130.        :description "Preserve suffix for decrypted file (overwrite encrypted)"

  131. decrypt:argument "file"

  132.        :description "File to encrypt"

  133.        :argname "<file>"

  134.        :args "*"

  135. decrypt:flag "-f --force"

  136.        :description "Remove destination file if it exists (implied with -S)"

  137. decrypt:flag "-r --rm"

  138.        :description "Remove encrypted file"

  139. 

  140. -- Default command is generate, so duplicate options to be compatible

  141. 

  142. parser:flag "-s --sign"

  143.         :description "Generates a sign keypair instead of the encryption one"

  144. parser:flag "-n --nist"

  145.         :description "Uses nistp curves (P256)"

  146. parser:mutex(

  147.     parser:flag "-j --json"

  148.             :description "Output JSON instead of UCL",

  149.     parser:flag "-u --ucl"

  150.             :description "Output UCL"

  151.             :default(true)

  152. )

  153. parser:option "-o --output"

  154.       :description "Write keypair to file"

  155.       :argname "<file>"

  156. 

  157. local function fatal(...)

  158.   logger.errx(...)

  159.   os.exit(1)

  160. end

  161. 

  162. local function ask_yes_no(greet, default)

  163.   local def_str

  164.   if default then

  165.     greet = greet .. "[Y/n]: "

  166.     def_str = "yes"

  167.   else

  168.     greet = greet .. "[y/N]: "

  169.     def_str = "no"

  170.   end

  171. 

  172.   local reply = rspamd_util.readline(greet)

  173. 

  174.   if not reply then os.exit(0) end

  175.   if #reply == 0 then reply = def_str end

  176.   reply = reply:lower()

  177.   if reply == 'y' or reply == 'yes' then return true end

  178. 

  179.   return false

  180. end

  181. 

  182. local function generate_handler(opts)

  183.   local mode = 'encryption'

  184.   if opts.sign then

  185.     mode = 'sign'

  186.   end

  187.   local alg = 'curve25519'

  188.   if opts.nist then

  189.     alg = 'nist'

  190.   end

  191.   -- TODO: probably, do it in a more safe way

  192.   local kp = rspamd_keypair.create(mode, alg):totable()

  193. 

  194.   local format = 'ucl'

  195. 

  196.   if opts.json then

  197.     format = 'json'

  198.   end

  199. 

  200.   if opts.output then

  201.     local out = io.open(opts.output, 'w')

  202.     if not out then

  203.       fatal('cannot open output to write: ' .. opts.output)

  204.     end

  205.     out:write(ucl.to_format(kp, format))

  206.     out:close()

  207.   else

  208.     io.write(ucl.to_format(kp, format))

  209.   end

  210. end

  211. 

  212. local function sign_handler(opts)

  213.   if opts.file then

  214.     if type(opts.file) == 'string' then

  215.       opts.file = {opts.file}

  216.     end

  217.   else

  218.     parser:error('no files to sign')

  219.   end

  220.   if not opts.keypair then

  221.     parser:error("no keypair specified")

  222.   end

  223. 

  224.   local ucl_parser = ucl.parser()

  225.   local res,err = ucl_parser:parse_file(opts.keypair)

  226. 

  227.   if not res then

  228.     fatal(string.format('cannot load %s: %s', opts.keypair, err))

  229.   end

  230. 

  231.   local kp = rspamd_keypair.load(ucl_parser:get_object())

  232. 

  233.   if not kp then

  234.     fatal("cannot load keypair: " .. opts.keypair)

  235.   end

  236. 

  237.   for _,fname in ipairs(opts.file) do

  238.     local sig = rspamd_crypto.sign_file(kp, fname)

  239. 

  240.     if not sig then

  241.       fatal(string.format("cannot sign %s\n", fname))

  242.     end

  243. 

  244.     local out = string.format('%s.%s', fname, opts.suffix or 'sig')

  245.     local of = io.open(out, 'w')

  246.     if not of then

  247.       fatal('cannot open output to write: ' .. out)

  248.     end

  249.     of:write(sig:bin())

  250.     of:close()

  251.     io.write(string.format('signed %s -> %s (%s)\n', fname, out, sig:hex()))

  252.   end

  253. end

  254. 

  255. local function verify_handler(opts)

  256.   if opts.file then

  257.     if type(opts.file) == 'string' then

  258.       opts.file = {opts.file}

  259.     end

  260.   else

  261.     parser:error('no files to verify')

  262.   end

  263. 

  264.   local pk

  265.   local alg = 'curve25519'

  266. 

  267.   if opts.keypair then

  268.     local ucl_parser = ucl.parser()

  269.     local res,err = ucl_parser:parse_file(opts.keypair)

  270. 

  271.     if not res then

  272.       fatal(string.format('cannot load %s: %s', opts.keypair, err))

  273.     end

  274. 

  275.     local kp = rspamd_keypair.load(ucl_parser:get_object())

  276. 

  277.     if not kp then

  278.       fatal("cannot load keypair: " .. opts.keypair)

  279.     end

  280. 

  281.     pk = kp:pk()

  282.     alg = kp:alg()

  283.   elseif opts.pubkey then

  284.     if opts.nist then alg = 'nist' end

  285.     pk = rspamd_pubkey.load(opts.pubkey, 'sign', alg)

  286.   elseif opts.pubstr then

  287.     if opts.nist then alg = 'nist' end

  288.     pk = rspamd_pubkey.create(opts.pubstr, 'sign', alg)

  289.   end

  290. 

  291.   if not pk then

  292.     fatal("cannot create pubkey")

  293.   end

  294. 

  295.   local valid = true

  296. 

  297.   for _,fname in ipairs(opts.file) do

  298. 

  299.     local sig_fname = string.format('%s.%s', fname, opts.suffix or 'sig')

  300.     local sig = rspamd_signature.load(sig_fname, alg)

  301. 

  302.     if not sig then

  303.       fatal(string.format("cannot load signature for %s -> %s",

  304.           fname, sig_fname))

  305.     end

  306. 

  307.     if rspamd_crypto.verify_file(pk, sig, fname, alg) then

  308.       io.write(string.format('verified %s -> %s (%s)\n', fname, sig_fname, sig:hex()))

  309.     else

  310.       valid = false

  311.       io.write(string.format('FAILED to verify %s -> %s (%s)\n', fname,

  312.           sig_fname, sig:hex()))

  313.     end

  314.   end

  315. 

  316.   if not valid then

  317.     os.exit(1)

  318.   end

  319. end

  320. 

  321. local function encrypt_handler(opts)

  322.   if opts.file then

  323.     if type(opts.file) == 'string' then

  324.       opts.file = {opts.file}

  325.     end

  326.   else

  327.     parser:error('no files to sign')

  328.   end

  329. 

  330.   local pk

  331.   local alg = 'curve25519'

  332. 

  333.   if opts.keypair then

  334.     local ucl_parser = ucl.parser()

  335.     local res,err = ucl_parser:parse_file(opts.keypair)

  336. 

  337.     if not res then

  338.       fatal(string.format('cannot load %s: %s', opts.keypair, err))

  339.     end

  340. 

  341.     local kp = rspamd_keypair.load(ucl_parser:get_object())

  342. 

  343.     if not kp then

  344.       fatal("cannot load keypair: " .. opts.keypair)

  345.     end

  346. 

  347.     pk = kp:pk()

  348.     alg = kp:alg()

  349.   elseif opts.pubkey then

  350.     if opts.nist then alg = 'nist' end

  351.     pk = rspamd_pubkey.load(opts.pubkey, 'sign', alg)

  352.   elseif opts.pubstr then

  353.     if opts.nist then alg = 'nist' end

  354.     pk = rspamd_pubkey.create(opts.pubstr, 'sign', alg)

  355.   end

  356. 

  357.   if not pk then

  358.     fatal("cannot load keypair: " .. opts.keypair)

  359.   end

  360. 

  361.   for _,fname in ipairs(opts.file) do

  362.     local enc = rspamd_crypto.encrypt_file(pk, fname, alg)

  363. 

  364.     if not enc then

  365.       fatal(string.format("cannot encrypt %s\n", fname))

  366.     end

  367. 

  368.     local out

  369.     if opts.suffix and #opts.suffix > 0 then

  370.       out = string.format('%s.%s', fname, opts.suffix)

  371.     else

  372.       out = string.format('%s', fname)

  373.     end

  374. 

  375.     if rspamd_util.file_exists(out) then

  376.       if opts.force or ask_yes_no(string.format('File %s already exists, overwrite?',

  377.           out), true) then

  378.         os.remove(out)

  379.       else

  380.         os.exit(1)

  381.       end

  382.     end

  383. 

  384.     enc:save_in_file(out)

  385. 

  386.     if opts.rm then

  387.       os.remove(fname)

  388.       io.write(string.format('encrypted %s (deleted) -> %s\n', fname, out))

  389.     else

  390.       io.write(string.format('encrypted %s -> %s\n', fname, out))

  391.     end

  392.   end

  393. end

  394. 

  395. local function decrypt_handler(opts)

  396.   if opts.file then

  397.     if type(opts.file) == 'string' then

  398.       opts.file = {opts.file}

  399.     end

  400.   else

  401.     parser:error('no files to decrypt')

  402.   end

  403.   if not opts.keypair then

  404.     parser:error("no keypair specified")

  405.   end

  406. 

  407.   local ucl_parser = ucl.parser()

  408.   local res,err = ucl_parser:parse_file(opts.keypair)

  409. 

  410.   if not res then

  411.     fatal(string.format('cannot load %s: %s', opts.keypair, err))

  412.   end

  413. 

  414.   local kp = rspamd_keypair.load(ucl_parser:get_object())

  415. 

  416.   if not kp then

  417.     fatal("cannot load keypair: " .. opts.keypair)

  418.   end

  419. 

  420.   for _,fname in ipairs(opts.file) do

  421.     local decrypted = rspamd_crypto.decrypt_file(kp, fname)

  422. 

  423.     if not decrypted then

  424.       fatal(string.format("cannot decrypt %s\n", fname))

  425.     end

  426. 

  427.     local out

  428.     if not opts['keep-suffix'] then

  429.       -- Strip the last suffix

  430.       out = fname:match("^(.+)%..+$")

  431.     else

  432.       out = fname

  433.     end

  434. 

  435.     local removed = false

  436. 

  437.     if rspamd_util.file_exists(out) then

  438.       if (opts.force or opts['keep-suffix'])

  439.           or ask_yes_no(string.format('File %s already exists, overwrite?', out), true) then

  440.         os.remove(out)

  441.         removed = true

  442.       else

  443.         os.exit(1)

  444.       end

  445.     end

  446. 

  447.     if opts.rm then

  448.       os.remove(fname)

  449.       removed = true

  450.     end

  451. 

  452.     if removed then

  453.       io.write(string.format('decrypted %s (removed) -> %s\n', fname, out))

  454.     else

  455.       io.write(string.format('decrypted %s -> %s\n', fname, out))

  456.     end

  457.   end

  458. end

  459. 

  460. local function handler(args)

  461.   local opts = parser:parse(args)

  462. 

  463.   local command = opts.command or "generate"

  464. 

  465.   if command == 'generate' then

  466.     generate_handler(opts)

  467.   elseif command == 'sign' then

  468.     sign_handler(opts)

  469.   elseif command == 'verify' then

  470.     verify_handler(opts)

  471.   elseif command == 'encrypt' then

  472.     encrypt_handler(opts)

  473.   elseif command == 'decrypt' then

  474.     decrypt_handler(opts)

  475.   else

  476.     parser:error('command %s is not implemented', command)

  477.   end

  478. end

  479. 

  480. return {

  481.   name = 'keypair',

  482.   aliases = {'kp', 'key'},

  483.   handler = handler,

  484.   description = parser._description

  485. }