#!/usr/bin/env bash
## DEPENDENCIES
# openssl 1.1+, coreutils (Alpine) / basez (Debian)
## REFERENCE
# Bash script template: https://betterdev.blog/minimal-safe-bash-script-template/
# Tor client authorisation: http://xmrhfasfg5suueegrnc4gsgyi2tyclcy5oz7f5drnrodmdtob6t2ioyd.onion/onion-services/advanced/client-auth/index.html
# Key creation adapted from: https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b
# Abort on errors, unset variables and failing pipeline stages; -E makes the ERR
# trap below fire inside functions as well.
set -Eeuo pipefail
trap cleanup SIGINT SIGTERM ERR EXIT
# Absolute, symlink-resolved directory containing this script. It is not referenced
# anywhere else in this file (carried over from the template).
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd -P)
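#######################################
# Print the help text to stdout and exit 0.
# The previous text was the untouched template ("-p param_value arg1 ...",
# "Script description here.") and did not describe this script's options.
# Globals:   none
# Arguments: none
# Outputs:   help text on stdout
#######################################
usage() {
  cat <<EOF
Usage: $(basename "${BASH_SOURCE[0]}") [-h] [--no-color] -s service -c client [-d dir]

Create a Tor onion-service client-authorisation key pair. The public half is
written to <dir>/<service>/authorized_clients/<client>.auth and the private half
to <dir>/auth_privates/<service>/<client>.auth_private.

Available options:
-h, --help      Print this help and exit
    --no-color  Disable coloured output
-s, --service   Hidden service name
-c, --client    Hidden service client name
-d, --dir       Hidden service directory (default: /tor/hidden_services)
EOF
  exit 0
}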
#######################################
# Exit/signal handler registered at the top of the script.
# Unregisters the SIGINT/SIGTERM/ERR/EXIT handlers; no other cleanup work is
# performed yet (template placeholder).
#######################################
cleanup() {
  trap - EXIT ERR SIGTERM SIGINT
  # script cleanup here
}
#######################################
# Populate the colour escape globals used by msg().
# Escapes are emitted only when stderr is a terminal, NO_COLOR is unset/empty and
# TERM is not "dumb"; otherwise every variable is the empty string so callers can
# interpolate them unconditionally.
# Globals:   NOFORMAT RED GREEN ORANGE BLUE PURPLE CYAN YELLOW (written)
#            NO_COLOR TERM (read)
#######################################
setup_colors() {
  local use_color=1
  [[ -t 2 ]] || use_color=0
  [[ -z "${NO_COLOR-}" ]] || use_color=0
  [[ "${TERM-}" != "dumb" ]] || use_color=0

  if (( use_color == 1 )); then
    NOFORMAT='\033[0m'
    RED='\033[0;31m'
    GREEN='\033[0;32m'
    ORANGE='\033[0;33m'
    BLUE='\033[0;34m'
    PURPLE='\033[0;35m'
    CYAN='\033[0;36m'
    YELLOW='\033[1;33m'
  else
    NOFORMAT=''
    RED=''
    GREEN=''
    ORANGE=''
    BLUE=''
    PURPLE=''
    CYAN=''
    YELLOW=''
  fi
}
#######################################
# Write the (optional) first argument to stderr, interpreting backslash escapes
# such as the colour codes set by setup_colors.
# Arguments: $1 - text to print (defaults to empty)
# Outputs:   the text plus a newline on stderr
#######################################
msg() {
  local text=${1-}
  echo -e "$text" >&2
}
#######################################
# Print a message via msg() and terminate the script.
# Arguments: $1 - message for stderr
#            $2 - exit status (optional, defaults to 1)
# Returns:   never; exits with $2
#######################################
die() {
  local -r text=$1
  local -r status=${2-1}
  msg "$text"
  exit "$status"
}
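#######################################
# Parse the command line into the globals read by the script body.
# Globals:   service, client, dir (written); NO_COLOR (written by --no-color)
# Arguments: the script's "$@"
# Returns:   0 on success. Calls usage on -h/--help and die on an unknown option,
#            an option given without its value, or a missing required value.
#######################################
parse_params() {
  # default values of variables set from params
  service=''
  client=''
  dir='/tor/hidden_services' # Location set in torrc

  while :; do
    case "${1-}" in
      -h | --help) usage ;;
      --no-color) NO_COLOR=1 ;;
      -s | --service) # Hidden service name, used in folder path
        # Without this guard a trailing "-s" makes the shift below fail, which
        # under set -e aborts the script with no message.
        [[ $# -ge 2 ]] || die "Missing value for option: $1"
        service=$2
        shift
        ;;
      -c | --client) # Hidden service authorisation client name
        [[ $# -ge 2 ]] || die "Missing value for option: $1"
        client=$2
        shift
        ;;
      -d | --dir) # Optional hidden service directory
        [[ $# -ge 2 ]] || die "Missing value for option: $1"
        dir=$2
        shift
        ;;
      -?*) die "Unknown option: $1" ;;
      *) break ;;
    esac
    shift
  done

  # check required params; an empty -d would place every path directly under /
  [[ -n "$service" ]] || die "Missing required parameter: -s | --service"
  [[ -n "$client" ]] || die "Missing required parameter: -c | --client"
  [[ -n "$dir" ]] || die "Missing required parameter value: -d | --dir"
  return 0
}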
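parse_params "$@"
setup_colors

####=- START SCRIPT LOGIC -=####
## DIRECTORY/FILE LOCATIONS
# <dir>/<service> is the service directory (see -d). The public halves go into its
# authorized_clients/ subfolder; the private halves handed to clients are kept
# separately under <dir>/auth_privates/<service>.
auth_dir="${dir}/${service}/authorized_clients"
auth_private_dir="${dir}/auth_privates/${service}"
hostname_file="${dir}/${service}/hostname"

## GENERATE KEY
# Keep the PEM private key in a variable rather than a fixed /tmp file: a
# predictable path in a shared directory is open to other local users, and the
# file was only removed on the success path, so any error left the key behind.
pem=$(openssl genpkey -algorithm x25519)

#######################################
# Convert an un-armoured PEM body (base64 DER) on stdin to tor's key format.
# Outputs: the last 32 bytes of the DER (the raw key), base32 without '=' padding
#######################################
raw_key_b32() {
  base64 -d | tail -c 32 | base32 | tr -d '='
}

## CREATE PRIVATE KEY FOR CLIENT
key=$(printf '%s\n' "$pem" | grep -v -- ' PRIVATE KEY' | raw_key_b32)
## CREATE PUBLIC KEY FOR SERVICE
# openssl pkey reads the private key from stdin when no -in is given
public=$(printf '%s\n' "$pem" | openssl pkey -pubout | grep -v -- ' PUBLIC KEY' | raw_key_b32)

## SERVICE ONION ADDRESS
# Default to the user finding and pasting the onion address themselves
address="<56-char-onion-addr-without-.onion-part>"
# If the service's hostname file exists, take the address from it without the
# '.onion' suffix ($(< file) also drops the trailing newline).
if [[ -f "$hostname_file" ]]; then
  address=$(< "$hostname_file")
  address=${address%.onion}
fi

## CREATE FOLDERS IF THEY DON'T EXIST
# One command per line: under set -e a failing first command of an '&&' chain does
# not abort the script, so the chain form could continue after a failed mkdir.
# NOTE(review): nonroot is presumably the account tor runs as - confirm for the deployment.
if [[ ! -d "$auth_dir" ]]; then
  mkdir -p -- "$auth_dir"
  chown -R nonroot:nonroot -- "$auth_dir"
  chmod go+rX,u+rwX -- "$auth_dir" "$dir" "${dir}/${service}"
fi
if [[ ! -d "$auth_private_dir" ]]; then
  mkdir -p -- "$auth_private_dir"
  # The original chown'd $auth_dir here (copy-paste slip), leaving the private-key
  # directory owned by whoever ran the script.
  chown -R nonroot:nonroot -- "$auth_private_dir"
  chmod go+rX,u+rwX -- "$auth_private_dir"
fi

## CREATE PUBLIC/PRIVATE KEY FILES
printf 'descriptor:x25519:%s\n' "$public" > "${auth_dir}/${client}.auth"
# NOTE(review): this file holds the client's private key but is created with the
# caller's umask (commonly 0644, readable by every local user); tighten it to 0600
# unless the account that collects it needs group/other access - confirm before changing.
printf '%s:descriptor:x25519:%s\n' "$address" "$key" > "${auth_private_dir}/${client}.auth_private"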
####=- END SCRIPT LOGIC -=####
# msg "${RED}Read parameters:${NOFORMAT}"
# msg "- service: ${service}"
# msg "- client: ${client}"
# msg "- directory: ${dir}"
# msg "- key: <56-char-onion-addr-without-.onion-part>:descriptor:x25519:${key}"
# msg "- public: descriptor:x25519:${public}"