kek generation

2025-09-19 14:54:58 +03:00 · 2025-09-19 14:54:58 +03:00 · 2759a72710
parent f7c5b4ea8c
commit 2759a72710
1 changed files with 71 additions and 0 deletions
--- a/start.sh
+++ b/start.sh
@ -87,6 +87,77 @@ update_env HANDSHAKE_INTERVAL_SEC "$HANDSHAKE_INTERVAL_SEC"
 update_env TELEGRAM_API_KEY "$TELEGRAM_API_KEY"
 update_env CLIENT_TELEGRAM_API_KEY "$CLIENT_TELEGRAM_API_KEY"

+generate_kek() {
+  if command -v openssl >/dev/null 2>&1; then
+    openssl rand -base64 32 | tr -d '\n'
+  elif command -v python3 >/dev/null 2>&1; then
+    python3 - <<'PY'
+import os, base64
+print(base64.b64encode(os.urandom(32)).decode())
+PY
+  elif command -v python >/dev/null 2>&1; then
+    python - <<'PY'
+import os, base64
+print(base64.b64encode(os.urandom(32)).decode())
+PY
+  else
+    echo "Need openssl or python to generate CONTENT_KEY_KEK_B64" >&2
+    exit 1
+  fi
+}
+
+ensure_content_key_kek() {
+  local current
+  current=$(ini_val CONTENT_KEY_KEK_B64)
+  local valid=0
+  if [[ -n "$current" ]]; then
+    if command -v python3 >/dev/null 2>&1; then
+      if python3 - "$current" <<'PY' >/dev/null 2>&1
+import base64, sys
+try:
+    raw = base64.b64decode(sys.argv[1], validate=False)
+except Exception:
+    raise SystemExit(1)
+if len(raw) == 32:
+    raise SystemExit(0)
+raise SystemExit(1)
+PY
+      then
+        valid=1
+      fi
+    elif command -v python >/dev/null 2>&1; then
+      if python - "$current" <<'PY' >/dev/null 2>&1
+import base64, sys
+try:
+    raw = base64.b64decode(sys.argv[1], validate=False)
+except Exception:
+    raise SystemExit(1)
+if len(raw) == 32:
+    raise SystemExit(0)
+raise SystemExit(1)
+PY
+      then
+        valid=1
+      fi
+    fi
+    if [[ $valid -eq 1 ]]; then
+      echo "Using existing CONTENT_KEY_KEK_B64 from .env"
+      update_env CONTENT_KEY_KEK_B64 "$current"
+      return
+    else
+      echo "Existing CONTENT_KEY_KEK_B64 is invalid; generating a new key"
+    fi
+  else
+    echo "Generating CONTENT_KEY_KEK_B64 ..."
+  fi
+
+  local new_kek
+  new_kek=$(generate_kek)
+  update_env CONTENT_KEY_KEK_B64 "$new_kek"
+}
+
+ensure_content_key_kek
+
 # Ensure IPFS swarm key exists for private swarm by default
 SWARM_KEY_FILE_DEFAULT="$BASE_DIR/configs/ipfs/swarm.key"
 if [[ ! -f "$SWARM_KEY_FILE_DEFAULT" ]]; then