From 2bc28a462d3c526f5d364fe6635f441009274fb4 Mon Sep 17 00:00:00 2001 From: PrincessPi3 Date: Sat, 23 May 2026 14:11:54 -0600 Subject: [PATCH] hhh --- create-attributable-archive.sh | 419 +++++++++++++---------------- create-attributable-archive.sh.bak | 405 ++++++++++++++++++++++++++++ scratch.sh | 4 +- 3 files changed, 588 insertions(+), 240 deletions(-) create mode 100644 create-attributable-archive.sh.bak diff --git a/create-attributable-archive.sh b/create-attributable-archive.sh index 53c1b01..53a157c 100755 --- a/create-attributable-archive.sh +++ b/create-attributable-archive.sh 
@@ -1,397 +1,340 @@ -#!/bin/bash +#!/usr/bin/env bash # packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl -# set safety optinonz -set -o errexit # fail on error -set -o errtrace # run trace on error -set -o pipefail # fail on pipe fail -set -o nounset # fail on unset var +set -o errtrace +set -o nounset +set -o pipefail +IFS=$'\n\t' -# aset ya globals unix_seconds=$(date +%s) key_path="./private_ed25519_${unix_seconds}" signature_tag="file-integrity" out_dir="./out" inner_dir="$out_dir/contents" -# save here to use in error_handle function +RED='\033[31m' +GREEN='\033[32m' +RESET='\033[0m' + num_of_args="$#" all_args="$@" -checkcode() { - local retcode - if [ -z "$1" ]; then - echo -e "\n\e[31mERROR!\033[0m checkcode missing return code parameter\n" +require_command() { + if ! command -v "$1" >/dev/null 2>&1; then + echo "Missing required command: $1" >&2 exit 1 - else - retcode=$1 - fi - - if [ $retcode -ne 0 ]; then - echo -e "\e[31mERROR!\033[0m Response Code: $retcode" - else - printf ' \e[1;32mOK!\e[0m\n' fi } +require_dependencies() { + local deps=(bash shred srm openssl curl ssh-keygen 7z sha512sum awk grep realpath) + for dep in "${deps[@]}"; do + require_command "$dep" + done +} + +checkcode() { + local retcode="${1:-}" + if [[ -z "$retcode" ]]; then + echo -e "\n${RED}ERROR!${RESET} checkcode missing return code parameter\n" >&2 + exit 1 + fi + + if [[ "$retcode" -ne 0 ]]; then + echo -e "${RED}ERROR!${RESET} Response code: $retcode" >&2 + exit "$retcode" + fi + + printf ' %bOK!%b\n' "$GREEN" "$RESET" +} + +run_cmd() { + "$@" + checkcode $? +} + reset() { - printf "autoshredding these files..." - find . \( -path "./.git" -o -path "./keystore" -o -path "./archives" \) -prune -o -type f \( -name "*.sha512" -o -name "checksums*" -o -name "private_*" -o -name ".*" -o -name "*.sig" -o -name "*.7z" -o -name "anonymous_signer" \) -print -exec shred -uz {} \; + printf 'Autoshredding known artifacts...\n' + find . 
-maxdepth 1 -type f \( -name 'private_*' -o -name 'attribution_passphrase_*' -o -name '*.sha512' -o -name 'checksums*' -o -name '*.sig' -o -name '*.7z' -o -name 'anonymous_signer' \) -exec shred -uz {} + checkcode $? - if compgen -G "private_*"; then - printf "nuking errant priv key files..." - shred -uz private_* - checkcode $? + if compgen -G 'private_*' >/dev/null 2>&1; then + printf 'Shredding errant private key files...\n' + shred -uz private_* || true fi - if compgen -G "attribution_passphrase_*" > /dev/null; then - printf "nuking errant attribution passphrase files" - shred -uz attribution_passphrase_* - checkcode $? + if compgen -G 'attribution_passphrase_*' >/dev/null 2>&1; then + printf 'Shredding errant attribution passphrase files...\n' + shred -uz attribution_passphrase_* || true fi - echo "autoshredding out..." - srm -r -z -l -l "$out_dir" > /dev/null 2>&1 + printf 'Removing previous output directory...\n' + rm -rf "$out_dir" checkcode $? - echo "rebuilding out..." - printf "making out dir structure..." - mkdir -p "$inner_dir" > /dev/null 2>&1 + printf 'Rebuilding output directory structure...\n' + mkdir -p "$inner_dir" checkcode $? - printf "updating $inner_dir/README.md..." - echo "put files to verifiably archive in here" > "$inner_dir/README.md" + printf 'Writing placeholder README files...\n' + echo 'put files to verifiably archive in here' > "$inner_dir/README.md" checkcode $? - - printf "updating $out_dir/README.md..." - echo "# todo: make this nice" > "$out_dir/README.md" + echo '# todo: make this nice' > "$out_dir/README.md" checkcode $? - printf "making $out_dir/test_validate_passphrase.sh..." - cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 + printf 'Copying verification helpers...\n' + cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" checkcode $? - - printf "making $out_dir/test_validate_passphrase.sh executable..." 
- chmod +x "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 + chmod +x "$out_dir/test_validate_passphrase.sh" checkcode $? - - printf "making $out_dir/verify-everything.sh..." - cp verify-everything.txt "$out_dir"/verify-everything.sh > /dev/null 2>&1 + cp verify-everything.txt "$out_dir/verify-everything.sh" checkcode $? - - printf "making $out_dir/verify-everything.sh executable..." - chmod +x "$out_dir/verify-everything.sh" > /dev/null 2>&1 + chmod +x "$out_dir/verify-everything.sh" checkcode $? - housekeeping_dirs=("archives" "keystore") + local housekeeping_dirs=(archives keystore) for dir in "${housekeeping_dirs[@]}"; do - printf "changing ownership of $dir to ${USER}..." - chown $USER:$USER -R "$dir" > /dev/null 2>&1 - checkcode $? - - printf "changing permissions on $dir to 700..." - chmod 700 "$dir" > /dev/null 2>&1 - checkcode $? - - printf "finding and shredding erroneous dirs in ${dir}..." - find "$dir" -mindepth 1 -type d -exec srm -r -z -l -l "{}" \; > /dev/null 2>&1 - checkcode $? - - printf "finding and shredding erroneous files in ${dir}..." - find "$dir" -type f \( -name "private_ed25519_*" -o -name "attribution_passphrase_*" \) -exec shred -uz "{}" \; > /dev/null 2>&1 - checkcode $? + if [[ -d "$dir" ]]; then + printf 'Hardening %s...\n' "$dir" + chmod 700 "$dir" + checkcode $? - printf "changing perms of files in $dir to 600..." - find "$dir" -type f -exec chmod 600 "{}" \; > /dev/null 2>&1 - checkcode $? + find "$dir" -mindepth 1 -type d -exec srm -r -z -l '{}' + >/dev/null 2>&1 || true + find "$dir" -type f \( -name 'private_ed25519_*' -o -name 'attribution_passphrase_*' \) -exec shred -uz '{}' + >/dev/null 2>&1 || true + find "$dir" -type f -exec chmod 600 '{}' + + checkcode $? 
+ fi done } -# some heinously vibe coded shit pls forgiv audit_passphrase() { - local raw_password="$1" - local check_password="$2" - + local raw_password="${1:-}" + local check_password="${2:-}" + if [[ -z "$raw_password" ]]; then - echo "[ERROR] No passphrase provided for validation." >&2 + echo '[ERROR] No passphrase provided for validation.' >&2 exit 2 fi if [[ -z "$check_password" ]]; then - echo "[ERROR] No check passphrase provided for validation." >&2 + echo '[ERROR] No check passphrase provided for validation.' >&2 exit 2 fi if [[ "$raw_password" != "$check_password" ]]; then - echo "[ERROR] Passphrases do not match!" >&2 - exit 2 + echo '[ERROR] Passphrases do not match!' >&2 + exit 2 fi unset check_password - # -------------------------------------------------------------------------- - # GATE 1: Minimum Length Verification (35+ Characters) - # -------------------------------------------------------------------------- - local pass_len="${#raw_password}" - if [ "$pass_len" -lt 35 ]; then + local pass_len=${#raw_password} + if [[ "$pass_len" -lt 35 ]]; then echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35." exit 1 fi echo "[PASS] Length verification satisfied ($pass_len characters)." - # -------------------------------------------------------------------------- - # GATE 2: Local Dictionary Check (cracklib-check) - # -------------------------------------------------------------------------- - # cracklib-check reads from stdin and outputs 'password: status' - # If secure, the status string reads "OK" - if ! command -v cracklib-check &> /dev/null; then - echo "[ERROR] cracklib-check binary not found. Skipping dictionary audit." 
>&2 - exit 1 - else - local cracklib_result - cracklib_result="$(echo -n 'it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' | cracklib-check | grep -q 'OK'; echo $?)" - - if [[ "$cracklib_result" != "0" ]]; then - echo "❌ REJECTED by cracklib-check: $cracklib_result" + if command -v cracklib-check >/dev/null 2>&1; then + if ! printf '%s' "$raw_password" | cracklib-check | grep -q 'OK$'; then + echo '❌ REJECTED by cracklib-check.' exit 1 fi - echo "[PASS] Local dictionary and structural complexity audit clear." + echo '[PASS] Local dictionary and structural complexity audit clear.' + else + echo '[WARN] cracklib-check not found; skipping local dictionary audit.' >&2 fi - # -------------------------------------------------------------------------- - # GATE 3: Remote Anonymized Leak Check (HIBP API via k-Anonymity) - # -------------------------------------------------------------------------- - local full_hash - full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') + local full_hash prefix suffix response + full_hash=$(printf '%s' "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') + prefix=${full_hash:0:5} + suffix=${full_hash:5} - local prefix="${full_hash:0:5}" - local suffix="${full_hash:5}" - local raw_password='it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' && api_url="https://api.pwnedpasswords.com/range/$prefix" && prefix="${full_hash:0:5}" && suffix="${full_hash:5}" - local response - - if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then - echo "[FATAL] Failed to communicate with HIBP API." >&2 + if ! response=$(curl -fsS -A 'Bash-Passphrase-Audit-Script' "https://api.pwnedpasswords.com/range/$prefix"); then + echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." 
>&2 exit 3 fi - local match - match=$(echo "$response" | grep -i "^$suffix:") - - if [[ -n "$match" ]]; then - local pwn_count - pwn_count=$(echo "$match" | cut -d':' -f2 | tr -d $'\r') - echo "❌ VULNERABLE: This passphrase has appeared in $pwn_count known public breaches." + if printf '%s\n' "$response" | grep -qi "^$suffix:"; then + echo -e "${RED}[FATAL]${RESET} Passphrase has been leaked!" >&2 exit 1 - else - echo "✅ SUCCESS: Passphrase meets all local criteria and was not found in HIBP records." - return 0 fi + + echo -e "not leaked! (via hibp)... ${GREEN}OK${RESET}" } -exit_cleanup() { - printf "antiforensics: cleaning up" - reset > /dev/null 2>&1 - checkcode $? - - # for var in $(compgen -v); do - # printf "unsetting $var" - # sudo unset "$var" 2>/dev/null - # checkcode $? - # done -} - -# Define the cleanup function error_handle() { - # CRITICAL: Capture the exit status code before ANY other command runs local exit_code=$? - local script_path="$(realpath $0)" + local script_path + if command -v realpath >/dev/null 2>&1; then + script_path=$(realpath "$0") + else + script_path="$PWD/$0" + fi + local hr='====================================================' echo - echo $hr - echo -e "🚨 \033[0;31m FATAL ERROR DETECTED \033[0m" - echo $hr + echo "$hr" + echo -e "🚨 ${RED}FATAL ERROR DETECTED${RESET}" + echo "$hr" echo "-> Script : $0" echo "-> Num Script Args : $num_of_args" echo "-> Script Args : $all_args" - echo "-> Shell : $SHELL" + echo "-> Shell : ${SHELL:-unknown}" echo "-> Script Path : $script_path" echo "-> Script (full) : $SHELL $script_path $all_args" - echo "-> User : $USER" + echo "-> User : ${USER:-unknown}" echo "-> Working Directory : $PWD" echo "-> Failed Command : $BASH_COMMAND" echo "-> Line Number : $LINENO" echo "-> Exit Status : $exit_code" echo "-> Seconds Elapsed : $SECONDS" echo "-> Date Failed : $(date)" - # Generate a professional, clean stack traceback - echo "-> Stack Trace" - printf "\t" # to intent da stack trace + echo '-> Stack 
Trace' local frame=0 - # Loop backwards through the function execution stack array - while caller $frame; do - printf "\t" # to indenet da stack trace + while caller "$frame"; do frame=$((frame + 1)) done - - # closing niceties echo - echo $hr + echo "$hr" echo - - # exit with last failcode exit "$exit_code" } -# clean da fuck up on exit -trap exit_cleanup EXIT - -# handleerrorz trap error_handle ERR -audit_passphrase "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" - -# and clean da fuck up on start -printf "setting up environment..." +require_dependencies +printf 'Setting up environment...\n' reset -# wait for keypress -echo -echo +printf '\n\n' read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..." +printf '\n' -printf "ssh-keygen: makin new key: ${key_path}..." -ssh-keygen -t ed25519 -f "$key_path" -C "anonymous" -N "" > /dev/null 2>&1 +printf 'ssh-keygen: creating new key: %s...\n' "$key_path" +ssh-keygen -t ed25519 -f "$key_path" -C 'anonymous' -N '' >/dev/null 2>&1 checkcode $? -printf "ssh-keygen: changing ownership on $key_path and $key_path.pub..." -chown $USER:$USER "$key_path" "$key_path.pub" > /dev/null 2>&1 +printf 'ssh-keygen: fixing permissions on %s and %s...\n' "$key_path" "${key_path}.pub" +chmod 600 "$key_path" "${key_path}.pub" checkcode $? -printf "ssh-keygen: fixing perms on $key_path and $key_path.pub..." -chmod 600 "$key_path" "$key_path.pub" > /dev/null 2>&1 -checkcode $? - -printf "ssh-keygen: creating $out_dir/anonymous_signer..." +printf 'ssh-keygen: creating %s/anonymous_signer...\n' "$out_dir" echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer" checkcode $? -echo "inject random data y/n (default n)" -read random -#why dafuck is this opposite world? -if [[ "$random" == "" || "$random" =~ ^[nN]{1}$ ]]; then - echo -e 'no random... 
\e[1;32mOK!\e[0m\n' +printf 'Inject random data? (y/N): ' +read -r random +if [[ -z "$random" || "$random" =~ ^[nN]$ ]]; then + echo -e "No random data added. ${GREEN}OK!${RESET}\n" else - printf "random: adding 1/2 random blocks of data (1024 bits, 128 bytes) to outer archive..." - openssl rand -out "$out_dir/.$RANDOM" 128 > /dev/null 2>&1 + printf 'random: adding 1/2 random blocks of data (128 bytes) to outer archive...\n' + openssl rand -out "$out_dir/.$RANDOM" 128 >/dev/null 2>&1 checkcode $? - printf "random: adding 2/2 random blocks of data (1024 bits, 128 bytes) to inner archive..." - openssl rand -out "$inner_dir/.$RANDOM" 128 > /dev/null 2>&1 + printf 'random: adding 2/2 random blocks of data (128 bytes) to inner archive...\n' + openssl rand -out "$inner_dir/.$RANDOM" 128 >/dev/null 2>&1 checkcode $? fi -printf "7z: compressing inner volume..." -7z a "$out_dir/contents.7z" "$inner_dir" > /dev/null 2>&1 +printf '7z: compressing inner volume...\n' +7z a "$out_dir/contents.7z" "$inner_dir" >/dev/null 2>&1 checkcode $? -printf "deleting ${inner_dir}..." -rm -rf "$inner_dir" > /dev/null 2>&1 +printf 'Deleting %s...\n' "$inner_dir" +rm -rf "$inner_dir" checkcode $? -printf "ssh: signing out/contents.7z..." -ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" > /dev/null 2>&1 +printf 'ssh: signing %s...\n' "$out_dir/contents.7z" +ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" >/dev/null 2>&1 checkcode $? -printf "changing directory to ${out_dir}..." -cd "$out_dir" > /dev/null 2>&1 +printf 'Changing directory to %s...\n' "$out_dir" +cd "$out_dir" checkcode $? -printf "sha512: generating sha512 checksums of files in out..." -sha512sum * > "checksums.sha512" +printf 'sha512: generating checksums...\n' +sha512sum * > checksums.sha512 checkcode $? -printf "changing directory back..." -cd .. > /dev/null 2>&1 +printf 'Changing directory back...\n' +cd .. checkcode $? 
-echo -echo "Enter attribution passphrase:" +printf 'Enter attribution passphrase:\n' read -r -s attribution_passphrase -echo -echo "Enter attribution passphrase again:" +printf '\nEnter attribution passphrase again:\n' read -r -s attribution_passphrase_check -echo +printf '\n' -printf "auditing attribution passphrase" +printf 'Auditing attribution passphrase...\n' ret=$(audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check") -echo $ret +echo "$ret" -printf "unsetting attribution_passphrase_check" -unset attribution_passphrase_check > /dev/null 2>&1 -checkcode $? +printf 'Unsetting attribution_passphrase_check...\n' +unset attribution_passphrase_check -printf "calculating attribution passphrase and hash, then placing it" +printf 'Calculating attribution checksum...\n' { - printf "$attribution_passphrase" + printf '%s' "$attribution_passphrase" cat "$out_dir/contents.7z" } | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512" checkcode $? -printf "sanity checking: changing working directory to ${out_dir}..." -cd "$out_dir" > /dev/null 2>&1 +printf 'Sanity checking: changing working directory to %s...\n' "$out_dir" +cd "$out_dir" checkcode $? -printf "sanity checking: verification..." +printf 'Sanity checking: verification...\n' bash verify-everything.sh "$attribution_passphrase" checkcode $? -printf "sanity checking: validate attribution passphrase..." +printf 'Sanity checking: validate attribution passphrase...\n' bash test_validate_passphrase.sh "$attribution_passphrase" checkcode $? -printf "sanity checking: returning..." +printf 'Returning to project root...\n' cd .. checkcode $? -printf "unsetting attribution_passphrase" -unset attribution_passphrase > /dev/null 2>&1 +printf 'Unsetting attribution_passphrase...\n' +unset attribution_passphrase + +printf '7z archiving outer dir...\n' +7z a ./out.7z "$out_dir" >/dev/null 2>&1 checkcode $? -printf "7z archiving outer dir..." 
-7z a "./out.7z" "$out_dir" > /dev/null 2>&1 +printf 'Moving out.7z to archives...\n' +mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" checkcode $? -printf "moving out.7z to archives..." -mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" > /dev/null 2>&1 -checkcode $? - -echo -echo "input keystore passphrase:" +printf 'Enter keystore passphrase:\n' read -r -s keystore_passphrase -echo -echo "input keystore passphrase (again):" +printf '\nEnter keystore passphrase again:\n' read -r -s keystore_passphrase_check -echo +printf '\n' -printf "auditing keystore passphrase..." +printf 'Auditing keystore passphrase...\n' ret=$(audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check") -echo -e "$ret" +echo "$ret" -printf "unsetting keystore passphrase check" -unset keystore_passphrase_check > /dev/null 2>&1 +printf 'Unsetting keystore_passphrase_check...\n' +unset keystore_passphrase_check + +printf 'Archiving keys...\n' +set +u +shopt -s nullglob +private_files=(private_*) +passphrase_files=(attribution_passphrase_*) +shopt -u nullglob +set -u +if [[ ${#private_files[@]} -eq 0 && ${#passphrase_files[@]} -eq 0 ]]; then + echo 'No key or attribution passphrase files found to archive.' >&2 + exit 1 +fi +7z a "keystore/keystore_${unix_seconds}.7z" "${private_files[@]}" "${passphrase_files[@]}" -p"$keystore_passphrase" -mhe=on >/dev/null 2>&1 checkcode $? -printf "archiving keys..." -7z a "keystore/keystore_${unix_seconds}.7z" "private_*" "attribution_passphrase_*" -p"$keystore_passphrase" -mhe=on > /dev/null 2>&1 +printf 'Testing key archive...\n' +7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" >/dev/null 2>&1 checkcode $? - -printf "testing key archive..." -7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" > /dev/null 2>&1 -checkcode $? - -printf "unsetting keystore passphrase..." -unset keystore_passphrase > /dev/null 2>&1 -checkcode $? - -echo -e "\033[0;32mdone :3\033[0m" 
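Review bot: The refactor removes `trap exit_cleanup EXIT`, the `exit_cleanup` function and the closing `unset keystore_passphrase` without adding a replacement, so after a successful run the unencrypted signing key `private_ed25519_<ts>` and its `.pub` remain in the working directory next to the encrypted keystore, and after any mid-run failure they stay on disk until the next invocation's `reset`. An EXIT trap limited to shredding `private_*`/`attribution_passphrase_*` and clearing the passphrase variables restores the old guarantee without the full `reset` (which would also wipe `out/`); as before, a failure before the keystore is written loses the key, which appears to be the intended antiforensic trade-off. Separately, `-p"$keystore_passphrase"` and `bash verify-everything.sh "$attribution_passphrase"` still place secrets on argv where other local users can read them via `ps`; 7z prompts interactively when `-p` is given without a value, which avoids argv but bypasses the audit step, so at minimum note the exposure in the header comment. Also, `audit_passphrase` runs inside `ret=$(…)`, so its `exit 1` only ends the subshell and the `❌ REJECTED` reasons printed to stdout are captured rather than shown; the user sees only the ERR-trap dump, which adding `>&2` to those two `echo` lines would fix.
```shell
cleanup_secrets() {
  # Runs on every exit path: shred the plaintext signing key (it is only
  # safe once it sits inside the encrypted keystore) and drop passphrases.
  shopt -s nullglob
  local leftovers=(private_* attribution_passphrase_*)
  shopt -u nullglob
  if (( ${#leftovers[@]} > 0 )); then
    shred -uz -- "${leftovers[@]}" || true
  fi
  unset keystore_passphrase attribution_passphrase
}
trap cleanup_secrets EXIT
# … unchanged: trap error_handle ERR, require_dependencies, main flow …
```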
diff --git a/create-attributable-archive.sh.bak b/create-attributable-archive.sh.bak new file mode 100644 index 0000000..a14dc1e --- /dev/null +++ b/create-attributable-archive.sh.bak 
@@ -0,0 +1,405 @@ +#!/bin/bash +# packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl + +# set safety optinonz +set -o errexit # fail on error +set -o errtrace # run trace on error +set -o pipefail # fail on pipe fail +set -o nounset # fail on unset var + +# aset ya globals +unix_seconds=$(date +%s) +key_path="./private_ed25519_${unix_seconds}" +signature_tag="file-integrity" +out_dir="./out" +inner_dir="$out_dir/contents" + +# COLORZ +RED='\e[31m' +GREEN='\e[32m' +RESET='\e[0m' + +# save here to use in error_handle function +num_of_args="$#" +all_args="$@" + +checkcode() { + local retcode + if [ -z "$1" ]; then + echo -e "\n\e[31mERROR!\033[0m checkcode missing return code parameter\n" + exit 1 + else + retcode=$1 + fi + + if [ $retcode -ne 0 ]; then + echo -e "\e[31mERROR!\033[0m Response Code: $retcode" + else + printf ' \e[1;32mOK!\e[0m\n' + fi +} + +reset() { + printf "autoshredding these files..." + find . \( -path "./.git" -o -path "./keystore" -o -path "./archives" \) -prune -o -type f \( -name "*.sha512" -o -name "checksums*" -o -name "private_*" -o -name ".*" -o -name "*.sig" -o -name "*.7z" -o -name "anonymous_signer" \) -print -exec shred -uz {} \; + checkcode $? + + if compgen -G "private_*"; then + printf "nuking errant priv key files..." + shred -uz private_* + checkcode $? + fi + + if compgen -G "attribution_passphrase_*" > /dev/null; then + printf "nuking errant attribution passphrase files" + shred -uz attribution_passphrase_* + checkcode $? + fi + + echo "autoshredding out..." + srm -r -z -l -l "$out_dir" > /dev/null 2>&1 + checkcode $? + + echo "rebuilding out..." + printf "making out dir structure..." + mkdir -p "$inner_dir" > /dev/null 2>&1 + checkcode $? + + printf "updating $inner_dir/README.md..." + echo "put files to verifiably archive in here" > "$inner_dir/README.md" + checkcode $? + + printf "updating $out_dir/README.md..." + echo "# todo: make this nice" > "$out_dir/README.md" + checkcode $? 
+ + printf "making $out_dir/test_validate_passphrase.sh..." + cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 + checkcode $? + + printf "making $out_dir/test_validate_passphrase.sh executable..." + chmod +x "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 + checkcode $? + + printf "making $out_dir/verify-everything.sh..." + cp verify-everything.txt "$out_dir"/verify-everything.sh > /dev/null 2>&1 + checkcode $? + + printf "making $out_dir/verify-everything.sh executable..." + chmod +x "$out_dir/verify-everything.sh" > /dev/null 2>&1 + checkcode $? + + housekeeping_dirs=("archives" "keystore") + for dir in "${housekeeping_dirs[@]}"; do + printf "changing ownership of $dir to ${USER}..." + chown $USER:$USER -R "$dir" > /dev/null 2>&1 + checkcode $? + + printf "changing permissions on $dir to 700..." + chmod 700 "$dir" > /dev/null 2>&1 + checkcode $? + + printf "finding and shredding erroneous dirs in ${dir}..." + find "$dir" -mindepth 1 -type d -exec srm -r -z -l -l "{}" \; > /dev/null 2>&1 + checkcode $? + + printf "finding and shredding erroneous files in ${dir}..." + find "$dir" -type f \( -name "private_ed25519_*" -o -name "attribution_passphrase_*" \) -exec shred -uz "{}" \; > /dev/null 2>&1 + checkcode $? + + printf "changing perms of files in $dir to 600..." + find "$dir" -type f -exec chmod 600 "{}" \; > /dev/null 2>&1 + checkcode $? + done +} + +# some heinously vibe coded shit pls forgiv +audit_passphrase() { + local raw_password="$1" + local check_password="$2" + + if [[ -z "$raw_password" ]]; then + echo "[ERROR] No passphrase provided for validation." >&2 + exit 2 + fi + + if [[ -z "$check_password" ]]; then + echo "[ERROR] No check passphrase provided for validation." >&2 + exit 2 + fi + + if [[ "$raw_password" != "$check_password" ]]; then + echo "[ERROR] Passphrases do not match!" 
>&2 + exit 2 + fi + + unset check_password + + # -------------------------------------------------------------------------- + # GATE 1: Minimum Length Verification (35+ Characters) + # -------------------------------------------------------------------------- + local pass_len="${#raw_password}" + if [ "$pass_len" -lt 35 ]; then + echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35." + exit 1 + fi + echo "[PASS] Length verification satisfied ($pass_len characters)." + + # -------------------------------------------------------------------------- + # GATE 2: Local Dictionary Check (cracklib-check) + # -------------------------------------------------------------------------- + # cracklib-check reads from stdin and outputs 'password: status' + # If secure, the status string reads "OK" + if ! command -v cracklib-check &> /dev/null; then + echo "[ERROR] cracklib-check binary not found. Skipping dictionary audit." >&2 + exit 1 + else + local cracklib_result + cracklib_result="$(echo -n 'it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' | cracklib-check | grep -q 'OK'; echo $?)" + + if [[ "$cracklib_result" != "0" ]]; then + echo "❌ REJECTED by cracklib-check: $cracklib_result" + exit 1 + fi + echo "[PASS] Local dictionary and structural complexity audit clear." + fi + + # -------------------------------------------------------------------------- + # GATE 3: Remote Anonymized Leak Check (HIBP API via k-Anonymity) + # -------------------------------------------------------------------------- + local full_hash + full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') + + local prefix="${full_hash:0:5}" + local suffix="${full_hash:5}" + local raw_password='it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' && api_url="https://api.pwnedpasswords.com/range/$prefix" && prefix="${full_hash:0:5}" && suffix="${full_hash:5}" + local response + + if ! 
response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then + echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2 + exit 3 + fi + + full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') + prefix="${full_hash:0:5}" + suffix="${full_hash:5}" + api_url="https://api.pwnedpasswords.com/range/$prefix" + if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then + echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2 + exit 3 + fi + + if $(echo -e "$response" | grep -q -i "^$suffix"); then + echo "${RED}[FATAL]${RESET} Passphrase has been leaked!" >2& + exit 1 + else + echo -e "not leaked! (via hibp)... ${GREEN}OK${RESET}" + fi +} + +exit_cleanup() { + printf "antiforensics: cleaning up" + reset > /dev/null 2>&1 + checkcode $? + + # for var in $(compgen -v); do + # printf "unsetting $var" + # sudo unset "$var" 2>/dev/null + # checkcode $? + # done +} + +# Define the cleanup function +error_handle() { + # CRITICAL: Capture the exit status code before ANY other command runs + local exit_code=$? 
+ local script_path="$(realpath $0)" + local hr='====================================================' + echo + echo $hr + echo -e "🚨 \033[0;31m FATAL ERROR DETECTED \033[0m" + echo $hr + echo "-> Script : $0" + echo "-> Num Script Args : $num_of_args" + echo "-> Script Args : $all_args" + echo "-> Shell : $SHELL" + echo "-> Script Path : $script_path" + echo "-> Script (full) : $SHELL $script_path $all_args" + echo "-> User : $USER" + echo "-> Working Directory : $PWD" + echo "-> Failed Command : $BASH_COMMAND" + echo "-> Line Number : $LINENO" + echo "-> Exit Status : $exit_code" + echo "-> Seconds Elapsed : $SECONDS" + echo "-> Date Failed : $(date)" + # Generate a professional, clean stack traceback + echo "-> Stack Trace" + printf "\t" # to intent da stack trace + local frame=0 + # Loop backwards through the function execution stack array + while caller $frame; do + printf "\t" # to indenet da stack trace + frame=$((frame + 1)) + done + + # closing niceties + echo + echo $hr + echo + + # exit with last failcode + exit "$exit_code" +} + +# clean da fuck up on exit +trap exit_cleanup EXIT + +# handleerrorz +trap error_handle ERR + +audit_passphrase "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" + +# and clean da fuck up on start +printf "setting up environment..." +reset + +# wait for keypress +echo +echo +read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..." + +printf "ssh-keygen: makin new key: ${key_path}..." +ssh-keygen -t ed25519 -f "$key_path" -C "anonymous" -N "" > /dev/null 2>&1 +checkcode $? + +printf "ssh-keygen: changing ownership on $key_path and $key_path.pub..." +chown $USER:$USER "$key_path" "$key_path.pub" > /dev/null 2>&1 +checkcode $? + +printf "ssh-keygen: fixing perms on $key_path and $key_path.pub..." +chmod 600 "$key_path" "$key_path.pub" > /dev/null 2>&1 +checkcode $? 
+ +printf "ssh-keygen: creating $out_dir/anonymous_signer..." +echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer" +checkcode $? + +echo "inject random data y/n (default n)" +read random +#why dafuck is this opposite world? +if [[ "$random" == "" || "$random" =~ ^[nN]{1}$ ]]; then + echo -e 'no random... \e[1;32mOK!\e[0m\n' +else + printf "random: adding 1/2 random blocks of data (1024 bits, 128 bytes) to outer archive..." + openssl rand -out "$out_dir/.$RANDOM" 128 > /dev/null 2>&1 + checkcode $? + + printf "random: adding 2/2 random blocks of data (1024 bits, 128 bytes) to inner archive..." + openssl rand -out "$inner_dir/.$RANDOM" 128 > /dev/null 2>&1 + checkcode $? +fi + +printf "7z: compressing inner volume..." +7z a "$out_dir/contents.7z" "$inner_dir" > /dev/null 2>&1 +checkcode $? + +printf "deleting ${inner_dir}..." +rm -rf "$inner_dir" > /dev/null 2>&1 +checkcode $? + +printf "ssh: signing out/contents.7z..." +ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" > /dev/null 2>&1 +checkcode $? + +printf "changing directory to ${out_dir}..." +cd "$out_dir" > /dev/null 2>&1 +checkcode $? + +printf "sha512: generating sha512 checksums of files in out..." +sha512sum * > "checksums.sha512" +checkcode $? + +printf "changing directory back..." +cd .. > /dev/null 2>&1 +checkcode $? + +echo +echo "Enter attribution passphrase:" +read -r -s attribution_passphrase +echo +echo "Enter attribution passphrase again:" +read -r -s attribution_passphrase_check +echo + +printf "auditing attribution passphrase" +ret=$(audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check") +echo $ret + +printf "unsetting attribution_passphrase_check" +unset attribution_passphrase_check > /dev/null 2>&1 +checkcode $? 
+ +printf "calculating attribution passphrase and hash, then placing it" +{ + printf "$attribution_passphrase" + cat "$out_dir/contents.7z" +} | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512" +checkcode $? + +printf "sanity checking: changing working directory to ${out_dir}..." +cd "$out_dir" > /dev/null 2>&1 +checkcode $? + +printf "sanity checking: verification..." +bash verify-everything.sh "$attribution_passphrase" +checkcode $? + +printf "sanity checking: validate attribution passphrase..." +bash test_validate_passphrase.sh "$attribution_passphrase" +checkcode $? + +printf "sanity checking: returning..." +cd .. +checkcode $? + +printf "unsetting attribution_passphrase" +unset attribution_passphrase > /dev/null 2>&1 +checkcode $? + +printf "7z archiving outer dir..." +7z a "./out.7z" "$out_dir" > /dev/null 2>&1 +checkcode $? + +printf "moving out.7z to archives..." +mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" > /dev/null 2>&1 +checkcode $? + +echo +echo "input keystore passphrase:" +read -r -s keystore_passphrase +echo +echo "input keystore passphrase (again):" +read -r -s keystore_passphrase_check +echo + +printf "auditing keystore passphrase..." +ret=$(audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check") +echo -e "$ret" + +printf "unsetting keystore passphrase check" +unset keystore_passphrase_check > /dev/null 2>&1 +checkcode $? + +printf "archiving keys..." +7z a "keystore/keystore_${unix_seconds}.7z" "private_*" "attribution_passphrase_*" -p"$keystore_passphrase" -mhe=on > /dev/null 2>&1 +checkcode $? + +printf "testing key archive..." +7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" > /dev/null 2>&1 +checkcode $? + +printf "unsetting keystore passphrase..." +unset keystore_passphrase > /dev/null 2>&1 +checkcode $? + +echo -e "\033[0;32mdone :3\033[0m" diff --git a/scratch.sh b/scratch.sh index 49ede3d..23d0a7b 100644 --- a/scratch.sh +++ b/scratch.sh 
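Review bot: `create-attributable-archive.sh.bak` commits the entire pre-refactor script as a new file, and with it the hard-coded passphrase literal `it was always you who i despised, redd …` that the refactor removed from the live script (in the top-level `audit_passphrase` call and in the `local raw_password='…'` inside the function, which overrode the user's input for the HIBP lookup), along with the `>2&` typo that writes to a file named `2` and backgrounds the `echo`. Git history already retains the old version, so the `.bak` should be dropped from the commit and `*.bak` added to `.gitignore`; if that literal was ever used as a real passphrase, treat it as compromised now that it sits in the repository.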
@@ -9,7 +9,7 @@ if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url" fi if $(echo -e "$response" | grep -q -i "^$suffix"); then - echo "match!" + exit 1 else - echo "no match" + echo -e "no match" fi \ No newline at end of file
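Review bot: Replacing `echo "match!"` with a bare `exit 1` discards the only diagnostic on the leak path, so the caller cannot distinguish a matched suffix from a failed curl or grep; keep a message on stderr, e.g. `echo 'match!' >&2; exit 1`. The `if $(echo -e "$response" | grep -q -i "^$suffix")` form only works because bash lets an empty command inherit the substitution's exit status; `if printf '%s\n' "$response" | grep -qi "^$suffix:"; then` is the conventional form and anchors on the `:` delimiter so the suffix cannot match a longer one. The `-e` added to `echo -e "no match"` has no effect on a string with no escapes. The outer `if ! response=…` that this hunk's first `fi` closes begins before the hunk.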