diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8a8d9db --- /dev/null +++ b/.gitignore @@ -0,0 +1,21 @@ +# dirs +## archives dir +archives/* +!archives/README.md +## keystore dir +keystore/* +!keystore/README.md +## out dir +out/* +!out/README.md +## out/content dir +out/content/* +!out/content/README.md + +# files +*/*.7z +*/*.sha512 +*/*.sha256 +*/private_* +*/*.sig +anonymous_signer diff --git a/archives/verifiable_archive_1779558390.7z b/archives/verifiable_archive_1779558390.7z deleted file mode 100644 index e177b23..0000000 Binary files a/archives/verifiable_archive_1779558390.7z and /dev/null differ diff --git a/create-attributable-archive.sh.bak b/create-attributable-archive.sh.bak deleted file mode 100644 index a14dc1e..0000000 --- a/create-attributable-archive.sh.bak +++ /dev/null @@ -1,405 +0,0 @@ -#!/bin/bash -# packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl - -# set safety optinonz -set -o errexit # fail on error -set -o errtrace # run trace on error -set -o pipefail # fail on pipe fail -set -o nounset # fail on unset var - -# aset ya globals -unix_seconds=$(date +%s) -key_path="./private_ed25519_${unix_seconds}" -signature_tag="file-integrity" -out_dir="./out" -inner_dir="$out_dir/contents" - -# COLORZ -RED='\e[31m' -GREEN='\e[32m' -RESET='\e[0m' - -# save here to use in error_handle function -num_of_args="$#" -all_args="$@" - -checkcode() { - local retcode - if [ -z "$1" ]; then - echo -e "\n\e[31mERROR!\033[0m checkcode missing return code parameter\n" - exit 1 - else - retcode=$1 - fi - - if [ $retcode -ne 0 ]; then - echo -e "\e[31mERROR!\033[0m Response Code: $retcode" - else - printf ' \e[1;32mOK!\e[0m\n' - fi -} - -reset() { - printf "autoshredding these files..." - find . \( -path "./.git" -o -path "./keystore" -o -path "./archives" \) -prune -o -type f \( -name "*.sha512" -o -name "checksums*" -o -name "private_*" -o -name ".*" -o -name "*.sig" -o -name "*.7z" -o -name "anonymous_signer" \) -print -exec shred -uz {} \; - checkcode $? - - if compgen -G "private_*"; then - printf "nuking errant priv key files..." - shred -uz private_* - checkcode $? - fi - - if compgen -G "attribution_passphrase_*" > /dev/null; then - printf "nuking errant attribution passphrase files" - shred -uz attribution_passphrase_* - checkcode $? - fi - - echo "autoshredding out..." - srm -r -z -l -l "$out_dir" > /dev/null 2>&1 - checkcode $? - - echo "rebuilding out..." - printf "making out dir structure..." - mkdir -p "$inner_dir" > /dev/null 2>&1 - checkcode $? - - printf "updating $inner_dir/README.md..." - echo "put files to verifiably archive in here" > "$inner_dir/README.md" - checkcode $? - - printf "updating $out_dir/README.md..." - echo "# todo: make this nice" > "$out_dir/README.md" - checkcode $? - - printf "making $out_dir/test_validate_passphrase.sh..." - cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 - checkcode $? - - printf "making $out_dir/test_validate_passphrase.sh executable..." - chmod +x "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 - checkcode $? - - printf "making $out_dir/verify-everything.sh..." - cp verify-everything.txt "$out_dir"/verify-everything.sh > /dev/null 2>&1 - checkcode $? - - printf "making $out_dir/verify-everything.sh executable..." - chmod +x "$out_dir/verify-everything.sh" > /dev/null 2>&1 - checkcode $? - - housekeeping_dirs=("archives" "keystore") - for dir in "${housekeeping_dirs[@]}"; do - printf "changing ownership of $dir to ${USER}..." - chown $USER:$USER -R "$dir" > /dev/null 2>&1 - checkcode $? - - printf "changing permissions on $dir to 700..." - chmod 700 "$dir" > /dev/null 2>&1 - checkcode $? - - printf "finding and shredding erroneous dirs in ${dir}..." - find "$dir" -mindepth 1 -type d -exec srm -r -z -l -l "{}" \; > /dev/null 2>&1 - checkcode $? - - printf "finding and shredding erroneous files in ${dir}..." - find "$dir" -type f \( -name "private_ed25519_*" -o -name "attribution_passphrase_*" \) -exec shred -uz "{}" \; > /dev/null 2>&1 - checkcode $? - - printf "changing perms of files in $dir to 600..." - find "$dir" -type f -exec chmod 600 "{}" \; > /dev/null 2>&1 - checkcode $? - done -} - -# some heinously vibe coded shit pls forgiv -audit_passphrase() { - local raw_password="$1" - local check_password="$2" - - if [[ -z "$raw_password" ]]; then - echo "[ERROR] No passphrase provided for validation." >&2 - exit 2 - fi - - if [[ -z "$check_password" ]]; then - echo "[ERROR] No check passphrase provided for validation." >&2 - exit 2 - fi - - if [[ "$raw_password" != "$check_password" ]]; then - echo "[ERROR] Passphrases do not match!" >&2 - exit 2 - fi - - unset check_password - - # -------------------------------------------------------------------------- - # GATE 1: Minimum Length Verification (35+ Characters) - # -------------------------------------------------------------------------- - local pass_len="${#raw_password}" - if [ "$pass_len" -lt 35 ]; then - echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35." - exit 1 - fi - echo "[PASS] Length verification satisfied ($pass_len characters)." - - # -------------------------------------------------------------------------- - # GATE 2: Local Dictionary Check (cracklib-check) - # -------------------------------------------------------------------------- - # cracklib-check reads from stdin and outputs 'password: status' - # If secure, the status string reads "OK" - if ! command -v cracklib-check &> /dev/null; then - echo "[ERROR] cracklib-check binary not found. Skipping dictionary audit." >&2 - exit 1 - else - local cracklib_result - cracklib_result="$(echo -n 'it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' | cracklib-check | grep -q 'OK'; echo $?)" - - if [[ "$cracklib_result" != "0" ]]; then - echo "❌ REJECTED by cracklib-check: $cracklib_result" - exit 1 - fi - echo "[PASS] Local dictionary and structural complexity audit clear." - fi - - # -------------------------------------------------------------------------- - # GATE 3: Remote Anonymized Leak Check (HIBP API via k-Anonymity) - # -------------------------------------------------------------------------- - local full_hash - full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') - - local prefix="${full_hash:0:5}" - local suffix="${full_hash:5}" - local raw_password='it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' && api_url="https://api.pwnedpasswords.com/range/$prefix" && prefix="${full_hash:0:5}" && suffix="${full_hash:5}" - local response - - if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then - echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2 - exit 3 - fi - - full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') - prefix="${full_hash:0:5}" - suffix="${full_hash:5}" - api_url="https://api.pwnedpasswords.com/range/$prefix" - if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then - echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2 - exit 3 - fi - - if $(echo -e "$response" | grep -q -i "^$suffix"); then - echo "${RED}[FATAL]${RESET} Passphrase has been leaked!" >2& - exit 1 - else - echo -e "not leaked! (via hibp)... ${GREEN}OK${RESET}" - fi -} - -exit_cleanup() { - printf "antiforensics: cleaning up" - reset > /dev/null 2>&1 - checkcode $? - - # for var in $(compgen -v); do - # printf "unsetting $var" - # sudo unset "$var" 2>/dev/null - # checkcode $? - # done -} - -# Define the cleanup function -error_handle() { - # CRITICAL: Capture the exit status code before ANY other command runs - local exit_code=$? - local script_path="$(realpath $0)" - local hr='====================================================' - echo - echo $hr - echo -e "🚨 \033[0;31m FATAL ERROR DETECTED \033[0m" - echo $hr - echo "-> Script : $0" - echo "-> Num Script Args : $num_of_args" - echo "-> Script Args : $all_args" - echo "-> Shell : $SHELL" - echo "-> Script Path : $script_path" - echo "-> Script (full) : $SHELL $script_path $all_args" - echo "-> User : $USER" - echo "-> Working Directory : $PWD" - echo "-> Failed Command : $BASH_COMMAND" - echo "-> Line Number : $LINENO" - echo "-> Exit Status : $exit_code" - echo "-> Seconds Elapsed : $SECONDS" - echo "-> Date Failed : $(date)" - # Generate a professional, clean stack traceback - echo "-> Stack Trace" - printf "\t" # to intent da stack trace - local frame=0 - # Loop backwards through the function execution stack array - while caller $frame; do - printf "\t" # to indenet da stack trace - frame=$((frame + 1)) - done - - # closing niceties - echo - echo $hr - echo - - # exit with last failcode - exit "$exit_code" -} - -# clean da fuck up on exit -trap exit_cleanup EXIT - -# handleerrorz -trap error_handle ERR - -audit_passphrase "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" - -# and clean da fuck up on start -printf "setting up environment..." -reset - -# wait for keypress -echo -echo -read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..." - -printf "ssh-keygen: makin new key: ${key_path}..." -ssh-keygen -t ed25519 -f "$key_path" -C "anonymous" -N "" > /dev/null 2>&1 -checkcode $? - -printf "ssh-keygen: changing ownership on $key_path and $key_path.pub..." -chown $USER:$USER "$key_path" "$key_path.pub" > /dev/null 2>&1 -checkcode $? - -printf "ssh-keygen: fixing perms on $key_path and $key_path.pub..." -chmod 600 "$key_path" "$key_path.pub" > /dev/null 2>&1 -checkcode $? - -printf "ssh-keygen: creating $out_dir/anonymous_signer..." -echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer" -checkcode $? - -echo "inject random data y/n (default n)" -read random -#why dafuck is this opposite world? -if [[ "$random" == "" || "$random" =~ ^[nN]{1}$ ]]; then - echo -e 'no random... \e[1;32mOK!\e[0m\n' -else - printf "random: adding 1/2 random blocks of data (1024 bits, 128 bytes) to outer archive..." - openssl rand -out "$out_dir/.$RANDOM" 128 > /dev/null 2>&1 - checkcode $? - - printf "random: adding 2/2 random blocks of data (1024 bits, 128 bytes) to inner archive..." - openssl rand -out "$inner_dir/.$RANDOM" 128 > /dev/null 2>&1 - checkcode $? -fi - -printf "7z: compressing inner volume..." -7z a "$out_dir/contents.7z" "$inner_dir" > /dev/null 2>&1 -checkcode $? - -printf "deleting ${inner_dir}..." -rm -rf "$inner_dir" > /dev/null 2>&1 -checkcode $? - -printf "ssh: signing out/contents.7z..." -ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" > /dev/null 2>&1 -checkcode $? - -printf "changing directory to ${out_dir}..." -cd "$out_dir" > /dev/null 2>&1 -checkcode $? - -printf "sha512: generating sha512 checksums of files in out..." -sha512sum * > "checksums.sha512" -checkcode $? - -printf "changing directory back..." -cd .. > /dev/null 2>&1 -checkcode $? - -echo -echo "Enter attribution passphrase:" -read -r -s attribution_passphrase -echo -echo "Enter attribution passphrase again:" -read -r -s attribution_passphrase_check -echo - -printf "auditing attribution passphrase" -ret=$(audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check") -echo $ret - -printf "unsetting attribution_passphrase_check" -unset attribution_passphrase_check > /dev/null 2>&1 -checkcode $? - -printf "calculating attribution passphrase and hash, then placing it" -{ - printf "$attribution_passphrase" - cat "$out_dir/contents.7z" -} | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512" -checkcode $? - -printf "sanity checking: changing working directory to ${out_dir}..." -cd "$out_dir" > /dev/null 2>&1 -checkcode $? - -printf "sanity checking: verification..." -bash verify-everything.sh "$attribution_passphrase" -checkcode $? - -printf "sanity checking: validate attribution passphrase..." -bash test_validate_passphrase.sh "$attribution_passphrase" -checkcode $? - -printf "sanity checking: returning..." -cd .. -checkcode $? - -printf "unsetting attribution_passphrase" -unset attribution_passphrase > /dev/null 2>&1 -checkcode $? - -printf "7z archiving outer dir..." -7z a "./out.7z" "$out_dir" > /dev/null 2>&1 -checkcode $? - -printf "moving out.7z to archives..." -mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" > /dev/null 2>&1 -checkcode $? - -echo -echo "input keystore passphrase:" -read -r -s keystore_passphrase -echo -echo "input keystore passphrase (again):" -read -r -s keystore_passphrase_check -echo - -printf "auditing keystore passphrase..." -ret=$(audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check") -echo -e "$ret" - -printf "unsetting keystore passphrase check" -unset keystore_passphrase_check > /dev/null 2>&1 -checkcode $? - -printf "archiving keys..." -7z a "keystore/keystore_${unix_seconds}.7z" "private_*" "attribution_passphrase_*" -p"$keystore_passphrase" -mhe=on > /dev/null 2>&1 -checkcode $? - -printf "testing key archive..." -7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" > /dev/null 2>&1 -checkcode $? - -printf "unsetting keystore passphrase..." -unset keystore_passphrase > /dev/null 2>&1 -checkcode $? - -echo -e "\033[0;32mdone :3\033[0m" diff --git a/keystore/keystore_1779558390.7z b/keystore/keystore_1779558390.7z deleted file mode 100644 index 14ced0e..0000000 Binary files a/keystore/keystore_1779558390.7z and /dev/null differ diff --git a/scratch.sh b/scratch.sh deleted file mode 100644 index 23d0a7b..0000000 --- a/scratch.sh +++ /dev/null @@ -1,15 +0,0 @@ -raw_password='Progen12_0' -full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}') -prefix="${full_hash:0:5}" -suffix="${full_hash:5}" -api_url="https://api.pwnedpasswords.com/range/$prefix" -if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then - echo "[FATAL] Failed to communicate with HIBP API." >&2 - exit 3 -fi - -if $(echo -e "$response" | grep -q -i "^$suffix"); then - exit 1 -else - echo -e "no match" -fi \ No newline at end of file