Adds onion-client-auth-genkeys

diff --git a/onion-client-auth-genkeys b/onion-client-auth-genkeys
new file mode 100755 (executable)
index 0000000..26428eb
--- /dev/null
+++ b/onion-client-auth-genkeys
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+#
+# Generate a Client Authorization keypair and apply to all Onion Services.
+#
+# Based on https://community.torproject.org/onion-services/advanced/client-auth/
+# See also https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b
+#
+# Copyright (C) 2022 Silvio Rhatto <rhatto@riseup.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Parameters
+BASENAME="`basename $0`"
+ONION_AUTH_BASEDIR="$HOME/.tor/clientauthkeys"
+KEY_PREFIX="${1}"
+GENERATED_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.priv.pem"
+PRIVATE_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.priv"
+PUBLIC_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.pub"
+AUTH_FILE="$ONION_AUTH_BASEDIR/$KEY_PREFIX.auth"
+
+# Ensuse the auth keys folder exists
+mkdir -p $ONION_AUTH_BASEDIR  || exit 1
+chmod 700 $ONION_AUTH_BASEDIR || exit 1
+
+# Syntax
+if [ -z "$KEY_PREFIX" ]; then
+  echo "usage: $BASENAME <key-prefix>"
+  exit 1
+fi
+
+# Key checks
+if [ -e "$ONION_AUTH_BASEDIR/$AUTH_FILE" ]; then
+  echo "$BASENAME: key $AUTH_FILE already exists"
+  exit 1
+fi
+
+# Tool checks
+for tool in openssl base64pem base32; do
+  if ! which $tool &> /dev/null; then
+    echo "Cannot find $tool too, aborting."
+    exit 1
+  fi
+done
+
+# Ensure files exists with the proper permissions
+touch     $GENERATED_KEY $PRIVATE_KEY $PUBLIC_KEY $AUTH_FILE
+chmod 600 $GENERATED_KEY $PRIVATE_KEY $PUBLIC_KEY $AUTH_FILE
+
+# Generate the private keypair
+openssl genpkey -algorithm x25519 -out $GENERATED_KEY
+
+# Write the private key in a separate file
+cat $GENERATED_KEY       | \
+  grep -v " PRIVATE KEY" | \
+  base64pem -d           | \
+  tail --bytes=32        | \
+  base32                 | \
+  sed 's/=//g' > $PRIVATE_KEY
+
+# Write the public key in a separate file
+cat $GENERATED_KEY                      | \
+openssl pkey -in $GENERATED_KEY -pubout | \
+  grep -v " PUBLIC KEY"                 | \
+  base64pem -d                          | \
+  tail --bytes=32                       | \
+  base32                                | \
+  sed 's/=//g' > $PUBLIC_KEY
+
+# Write the public key in Tor's Client Authorization format
+echo "descriptor:x25519:`cat $PUBLIC_KEY`" > $AUTH_FILE