TLS Workshop Playground
#!/bin/bash
## TLS Workshop Playground
## NOTICE: This script is intended for learning purposes only.
# These functions set environment variables in your terminal session,
# all beginning with "tls_". Use tls-reset to clear all of them and remove
# the generated temporary files (in the case of asym-gen).
# Print a help message listing every playground function and its usage.
function tls-help {
  # Quoted delimiter: the text contains nothing to expand, so it is printed verbatim.
  cat <<'EOF'
Available functions:
  tls-help    This help message
  tls-status  Print status information of environmental variables
  tls-reset   Reset all environmental variables
  hash        One way function to convert arbitrary data into a fixed length "hash"
              Usage: hash data
  hmac        Hash data with a secret
              Usage: hmac secret data
  sym-gen     Generate a symmetric key
  sym-enc     Encrypt a message using the generated symmetric key and iv
              Usage: sym-enc message
  sym-dec     Decrypt a message using the generated symmetric key and iv
              Usage: sym-dec [cipher]
  asym-gen    Generate an asymmetric key pair
  asym-enc    Encrypt using an asymmetric key (default public key)
              Usage: asym-enc message [key-file]
  asym-dec    Decrypt using an asymmetric key (default private key)
              Usage: asym-dec [key-file] [cipher]
EOF
}
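# Print status information of environmental variables.
# Reads the tls_* variables the other functions set and prints one line per
# populated item; prints nothing for items that are unset.
# Key files are identified by a SHA-256 digest of their contents rather than
# by the contents themselves.
function tls-status {
  if [[ -n $tls_hash ]]; then
    printf '%s\n' "hash($tls_hash_input): $tls_hash"
  fi
  if [[ -n $tls_hmac ]]; then
    printf '%s\n' "hmac(secret=$tls_hmac_secret, $tls_hmac_input): $tls_hmac"
  fi
  if [[ -n $tls_sym_key ]]; then
    printf '%s\n' "sym-key: $tls_sym_key"
    printf '%s\n' "sym-iv : $tls_sym_iv"
  fi
  if [[ -n $tls_sym_enc_cipher ]]; then
    printf '%s\n' "sym-enc($tls_sym_enc_input): $tls_sym_enc_cipher"
  fi
  if [[ -n $tls_sym_dec_msg ]]; then
    printf '%s\n' "sym-dec(${tls_sym_dec_input:0:16}...): $tls_sym_dec_msg"
  fi
  # Each key path is quoted and checked on its own: an unquoted empty path
  # would make `openssl dgst` read stdin and hang the terminal.
  if [[ -f $tls_asym_priv_key ]]; then
    printf '%s\n' "hash($tls_asym_priv_key): $(openssl dgst -sha256 "$tls_asym_priv_key" | cut -d' ' -f2)"
  fi
  if [[ -f $tls_asym_pub_key ]]; then
    printf '%s\n' "hash($tls_asym_pub_key) : $(openssl dgst -sha256 "$tls_asym_pub_key" | cut -d' ' -f2)"
  fi
  if [[ -n $tls_asym_enc_cipher ]]; then
    printf '%s\n' "asym-enc($tls_asym_enc_input): ${tls_asym_enc_cipher:0:16}..."
  fi
  if [[ -n $tls_asym_dec_msg ]]; then
    printf '%s\n' "asym-dec(${tls_asym_dec_input:0:16}...): $tls_asym_dec_msg"
  fi
}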
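# Reset all environmental variables.
# Unsets every tls_* variable and deletes the key files created by asym-gen.
# Only files whose names match the mktemp template asym-gen uses
# (tls-rsa-XXXX.priv / .pub) are removed, so a key file the user pointed
# tls_asym_*_key at by hand is never deleted.
function tls-reset {
  unset tls_hash tls_hash_input
  unset tls_hmac tls_hmac_input tls_hmac_secret
  unset tls_sym_key tls_sym_iv
  unset tls_sym_enc_input tls_sym_enc_cipher
  unset tls_sym_dec_input tls_sym_dec_msg
  # The patterns live in variables so they can stand unquoted on the right of
  # =~ : a quoted right-hand side is matched literally, not as a regex, and
  # would never match a real path.
  local pub_pattern='tls-rsa-....\.pub$'
  local priv_pattern='tls-rsa-....\.priv$'
  if [[ -f $tls_asym_pub_key && $tls_asym_pub_key =~ $pub_pattern ]]; then
    printf '%s\n' "Removing $tls_asym_pub_key" >&2
    rm -f -- "$tls_asym_pub_key"
  fi
  if [[ -f $tls_asym_priv_key && $tls_asym_priv_key =~ $priv_pattern ]]; then
    printf '%s\n' "Removing $tls_asym_priv_key" >&2
    rm -f -- "$tls_asym_priv_key"
  fi
  unset tls_asym_pub_key tls_asym_priv_key
  unset tls_asym_enc_input tls_asym_enc_cipher
  unset tls_asym_dec_input tls_asym_dec_msg
}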
# One way function to convert arbitrary data into a fixed length "hash".
# Usage: hash data
# Sets tls_hash_input (all arguments joined by a space) and tls_hash (hex
# SHA-256 of that text plus the trailing newline <<< appends), then prints
# tls_hash. Note that this deliberately shadows the bash builtin `hash`
# for as long as the playground is sourced.
function hash {
  tls_hash_input=$*
  local digest_line
  # openssl prints "LABEL(stdin)= <hex>"; keep only the hex field.
  digest_line=$(openssl dgst -sha256 <<< "$tls_hash_input")
  tls_hash=$(cut -d' ' -f2 <<< "$digest_line")
  printf '%s\n' "$tls_hash"
}
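# Hash data with a secret (hash based message authentication code).
# Usage: hmac secret data
# Sets tls_hmac_secret, tls_hmac_input and tls_hmac (hex HMAC-SHA256 of the
# data plus the trailing newline <<< appends), then prints tls_hmac.
# The digest is named explicitly, as `hash` does, so the result does not
# depend on the installed openssl's default. NOTE(review): the secret is
# passed on openssl's command line and is therefore visible in the process
# list; acceptable for this playground, not for real secrets.
function hmac {
  if (( $# < 2 )); then
    printf '%s\n' "Usage: hmac secret data" >&2
    return 1
  fi
  tls_hmac_secret=$1
  tls_hmac_input=$2
  tls_hmac=$(openssl dgst -sha256 -hmac "$tls_hmac_secret" <<< "$tls_hmac_input" | cut -d' ' -f2)
  printf '%s\n' "$tls_hmac"
}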
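# Generate a symmetric key.
# One key - does both encryption and decryption.
# Sets tls_sym_key (32 random bytes, hex) and tls_sym_iv (16 random bytes,
# hex) — the sizes AES-256-CBC needs — and prints both. The bytes are drawn
# straight from openssl's CSPRNG rather than derived from the fixed password
# "secret" plus a random salt, so the key's strength does not rest on a
# password at all.
function sym-gen {
  local key iv
  key=$(openssl rand -hex 32) || return 1
  iv=$(openssl rand -hex 16) || return 1
  tls_sym_key=$key
  tls_sym_iv=$iv
  printf '%s\n' "tls_sym_key: $tls_sym_key"
  printf '%s\n' "tls_sym_iv : $tls_sym_iv"
}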
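# Encrypt a message using the generated symmetric key and iv.
# Usage: sym-enc message
# Output is base64 encoded.
# Sets tls_sym_enc_input (all arguments joined by a space) and
# tls_sym_enc_cipher, then prints the cipher. The IV is fixed once by
# sym-gen, so every message encrypted with the same key/iv pair starts its
# CBC chain from the same point — two messages with the same first 16 bytes
# get the same first ciphertext block, which is something this playground
# lets you observe.
function sym-enc {
  if [[ -z $tls_sym_key || -z $tls_sym_iv ]]; then
    # Name the function that actually exists, and report on stderr like sym-dec.
    printf '%s\n' "Please call sym-gen before encrypting" >&2
    return 1
  fi
  tls_sym_enc_input=$*
  tls_sym_enc_cipher=$(openssl enc -a -aes-256-cbc -K "$tls_sym_key" -iv "$tls_sym_iv" \
    <<< "$tls_sym_enc_input") || return 1
  printf '%s\n' "$tls_sym_enc_cipher"
}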
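# Decrypt a message using the generated symmetric key and iv.
# Usage: sym-dec [cipher]
# Input is expected to be base64 encoded.
# Sets tls_sym_dec_input (the arguments, or the last sym-enc output when no
# argument is given) and tls_sym_dec_msg, then prints the message. Returns 1
# when there is no key/iv, nothing to decrypt, or openssl rejects the
# cipher (wrong key or iv shows up as a padding error).
function sym-dec {
  if [[ -z $tls_sym_key || -z $tls_sym_iv ]]; then
    printf '%s\n' "Please set tls_sym_key and tls_sym_iv variables before decrypting." >&2
    return 1
  fi
  # set the input to the arguments or the output of encryption if no args
  tls_sym_dec_input=${*:-$tls_sym_enc_cipher}
  if [[ -z $tls_sym_dec_input ]]; then
    printf '%s\n' "Nothing to decrypt: pass a base64 cipher or call sym-enc first." >&2
    return 1
  fi
  tls_sym_dec_msg=$(openssl enc -d -a -aes-256-cbc -K "$tls_sym_key" -iv "$tls_sym_iv" \
    <<< "$tls_sym_dec_input") || return 1
  printf '%s\n' "$tls_sym_dec_msg"
}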
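# Generate an asymmetric key pair.
# Two keys; only its pair can decrypt what the other encrypts.
# Sets tls_asym_priv_key and tls_asym_pub_key to the key file paths (existing
# values are reused, so calling it again overwrites the same files) and
# prints both. mktemp creates the private key file owner-only (0600) before
# openssl writes into it. NOTE(review): the tls-rsa-XXXX.priv template relies
# on a mktemp that accepts a suffix after the X's (GNU does); tls-reset only
# deletes files whose names match that template.
function asym-gen {
  if [[ -z $tls_asym_priv_key ]]; then
    tls_asym_priv_key=$(mktemp -t tls-rsa-XXXX.priv) || return 1
  fi
  # derive the public key path from the private one: foo.priv -> foo.pub
  tls_asym_pub_key=${tls_asym_pub_key:-${tls_asym_priv_key%%priv}pub}
  # 2048 bits is openssl's default on current releases; state it so the key
  # size does not silently follow whichever version is installed.
  openssl genrsa -out "$tls_asym_priv_key" 2048 || return 1
  openssl pkey -in "$tls_asym_priv_key" -pubout -out "$tls_asym_pub_key" || return 1
  printf '%s\n' "Private key generated in: $tls_asym_priv_key"
  printf '%s\n' "Public key generated in : $tls_asym_pub_key"
}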
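# Encrypt using an asymmetric key (default public key).
# Usage: asym-enc message [key-file]
# Sets tls_asym_enc_input and tls_asym_enc_cipher (base64 on a single line)
# and prints the cipher. The operation follows the PEM header of the key
# file: a public key encrypts (only the matching private key can decrypt);
# a private key "signs" — here literally raw RSA over the padded message
# with no hash, the textbook picture of signing rather than a real
# signature scheme. `openssl rsautl` is deprecated in OpenSSL 3 in favour
# of pkeyutl; it still works but warns on stderr.
function asym-enc {
  if (( $# < 1 )); then
    printf '%s\n' "Usage: asym-enc message [key-file]" >&2
    return 1
  fi
  tls_asym_enc_input=$1
  local key=${2:-$tls_asym_pub_key}
  if [[ ! -r $key ]]; then
    printf '%s\n' "Key file not readable: '$key' (run asym-gen or pass a key file)" >&2
    return 1
  fi
  # grep -q keeps both the match and grep's own diagnostics off stdout, so
  # only the cipher is ever printed there.
  if grep -q 'PRIVATE' "$key"; then
    printf '%s\n' "Encrypting using private key $key..." >&2
    # encrypting with a private key is "signing"
    tls_asym_enc_cipher=$(openssl rsautl -inkey "$key" -sign <<< "$tls_asym_enc_input" | base64 | tr -d '\n')
  elif grep -q 'PUBLIC' "$key"; then
    printf '%s\n' "Encrypting using public key $key..." >&2
    tls_asym_enc_cipher=$(openssl rsautl -inkey "$key" -pubin -encrypt <<< "$tls_asym_enc_input" | base64 | tr -d '\n')
  else
    printf '%s\n' "Unrecognized key type. Is $key an RSA key?" >&2
    return 1
  fi
  printf '%s\n' "$tls_asym_enc_cipher"
}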
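# Decrypt using an asymmetric key (default private key).
# Usage: asym-dec [key-file] [cipher]
# Sets tls_asym_dec_input (the base64 cipher, defaulting to the last
# asym-enc output) and tls_asym_dec_msg, then prints the message. The
# operation follows the PEM header of the key file: a private key decrypts;
# a public key "verifies", i.e. recovers the padded message a private key
# produced with asym-enc. `openssl rsautl` is deprecated in OpenSSL 3 in
# favour of pkeyutl; it still works but warns on stderr.
function asym-dec {
  local key=${1:-$tls_asym_priv_key}
  tls_asym_dec_input=${2:-$tls_asym_enc_cipher}
  if [[ ! -r $key ]]; then
    printf '%s\n' "Key file not readable: '$key' (run asym-gen or pass a key file)" >&2
    return 1
  fi
  if [[ -z $tls_asym_dec_input ]]; then
    printf '%s\n' "Nothing to decrypt: pass a base64 cipher or call asym-enc first." >&2
    return 1
  fi
  # grep -q keeps both the match and grep's own diagnostics off stdout, so
  # only the recovered message is ever printed there.
  if grep -q 'PRIVATE' "$key"; then
    printf '%s\n' "Decrypting using private key $key..." >&2
    tls_asym_dec_msg=$(openssl rsautl -inkey "$key" -decrypt -in <(base64 -d <<< "$tls_asym_dec_input"))
  elif grep -q 'PUBLIC' "$key"; then
    printf '%s\n' "Decrypting using public key $key..." >&2
    # decrypting with a public key is "verifying"
    tls_asym_dec_msg=$(openssl rsautl -inkey "$key" -pubin -verify -in <(base64 -d <<< "$tls_asym_dec_input"))
  else
    printf '%s\n' "Unrecognized key type. Is $key an RSA key?" >&2
    return 1
  fi
  printf '%s\n' "$tls_asym_dec_msg"
}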