/usr/bin/lsh-upgrade-key is in lsh-utils 2.1-5.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 | #! /bin/sh
# A script for upgrading lsh private keys
werror () {
echo "$1" >&2
}
die () {
werror "$1"
exit 1
}
if [ $# -eq 0 ] ; then
werror "You must supply a key to update, the upgraded key will"
werror "have the suffix .new."
werror ""
werror "Usage: key.."
exit 1
fi
umask 077
: ${SEXP_CONV:=sexp-conv}
: ${LSH_DECRYPT_KEY:=lsh-decrypt-key}
: ${LSH_WRITEKEY:=lsh-writekey}
type "$SEXP_CONV" >/dev/null 2>&1 || die "Can't find the sexp-conv program"
type "$LSH_DECRYPT_KEY" >/dev/null 2>&1 || die "Can't find the lsh-decrypt-key program"
type "$LSH_WRITEKEY" >/dev/null 2>&1 || die "Can't find the lsh-writekey program"
for p in $@; do
werror "Converting key $p"
# These are the changes we must make:
#
# * Numbers are signed, so the most significant bit of all our
# numbers must be 0. So we add a leading zero octet to numbers
# that need it.
# It also seems we must reconvert back to transport format to make lsh-writekey
if "$SEXP_CONV" -s advanced < "$p" \
| grep 'password-encrypted' >/dev/null; then
werror "Key is encrypted and must be decrypted."
# Encrypted key
if "$LSH_DECRYPT_KEY" --in="$p"; then \
werror "Key will be reencrypted using aes256-cbc"; \
else \
werror "Decryption failed for $p, aborting."; \
die "(errors from lsh-writekey may be ignored)."; \
fi | \
"$SEXP_CONV" -s hex \
| sed -e 's,(\(.\) #\([89a-fA-F]\),(\1 #00\2,' \
| "$SEXP_CONV" -s transport \
| "$LSH_WRITEKEY" -c aes256-cbc -o "$p.new"
else
# Not encrypted
"$SEXP_CONV" -s hex <"$p" \
| sed -e 's,(\(.\) #\([89a-fA-F]\),(\1 #00\2,' \
| "$SEXP_CONV" -s transport \
| "$LSH_WRITEKEY" -o "$p.new"
fi
done
|