Added signature support (based on OpenSSL)

config-bits/01-signatures.vim

@@ -0,0 +1,128 @@
+" Manage keys used for signing local configuration files
+"
+" * Can be disabled completely by setting VIM_NOCRYPTO in the environment
+" * Will disable itself silently if openssl is unavailable
+" * Keys will be looked up in g:vim_vardata/keys by default, unless
+"   g:vim_keys is set
+
+
+" Register no-operation functions for signing and checking signatures
+
+function! SignFile(filename,sigfile)
+	if !empty( glob( a:sigfile ) )
+		call delete( a:sigfile )
+	endif
+	return 0
+endfunction
+
+function! CheckSignature(filename,sigfile)
+	echoerr "Signature checking is disabled."
+	return 0
+endfunction
+
+
+" Get configured directory / use default. Make sure global configuration
+" is cleared.
+if exists( "g:vim_keys" )
+	if $VIM_NOCRYPTO == ""
+		let s:keys_dir = g:vim_keys
+	endif
+	unlet g:vim_keys
+elseif $VIM_NOCRYPTO == "" && g:vim_vardata != ""
+	let s:keys_dir = g:vim_vardata . "/keys"
+endif
+if !exists( "s:keys_dir" ) || !executable( "openssl" ) || !has( "cryptv" )
+	finish
+endif
+
+" Try creating the directory
+if ! CreateDirectoryIfNecessary( s:keys_dir )
+	echoerr "Could not create" s:keys_dir
+		\ "; signed configuration support disabled"
+	finish
+endif
+
+" Create the key if necessary
+if !filereadable( s:keys_dir . "/vim.key" )
+	let s:key_bits = exists( "g:vim_key_bits" ) ? g:vim_key_bits : 4096
+	echo "Generating configuration signing key (" . s:key_bits
+		\ . " bits)..."
+	let s:genrsa = system( "openssl genrsa -out "
+		\ . shellescape( s:keys_dir . "/vim.key" )
+		\ . " " . s:key_bits . " >/dev/null 2>&1; echo $?" )
+	if s:genrsa
+		echoerr "Key generation failed!"
+		finish
+	endif
+endif
+
+" Set global configuration variable and define actual signature functions
+let g:vim_keys = s:keys_dir
+
+function! SignFile(filename,sigfile)
+	if !empty( glob( a:sigfile ) )
+		if delete( a:sigfile )
+			echoerr "Could not delete old signature file"
+				\ a:sigfile
+			return 0
+		endif
+	endif
+	
+	" Load the file
+	if !filereadable( a:filename )
+		echoerr "File" a:filename "is not readable"
+		return 0
+	endif
+	try
+		let file_contents = readfile( a:filename , "b" )
+	catch /.*/
+		echoerr "Could not load" a:filename
+		return 0
+	endtry
+
+	" Compute checksum
+	let checksum = sha256( join( l:file_contents , "\n" ) )
+
+	" Sign and store checksum
+	let command = "echo " . l:checksum
+		\ . " | openssl rsautl -sign -inkey "
+		\ . shellescape( g:vim_keys . "/vim.key" )
+		\ . " -out " . shellescape( a:sigfile )
+		\ . " >/dev/null 2>&1; echo $?"
+	let rv = system( l:command )
+	if l:rv
+		echoerr "Signature failed for" a:filename
+		echoerr "Command was:" l:command
+	endif
+	return !l:rv
+endfunction
+
+function! CheckSignature(filename,sigfile)
+	let signed_sum = system( "openssl rsautl -verify -inkey "
+		\ . shellescape( g:vim_keys . "/vim.key" )
+		\ . " -in " . shellescape( a:sigfile )
+		\ . " 2>/dev/null" )
+	if signed_sum == ""
+		echoerr "Signature verification failed for" a:filename
+		return 0
+	endif
+
+	" Load the file
+	try
+		let file_contents = readfile( a:filename , "b" )
+	catch /.*/
+		echoerr "Could not load" a:filename
+		return 0
+	endtry
+
+	" Verify checksum
+	let computed = sha256( join( l:file_contents , "\n" ) )
+	if len( l:signed_sum ) > len( l:computed )
+		let l:signed_sum = l:signed_sum[ 0 : len( l:computed ) - 1 ]
+	endif
+	if l:computed != l:signed_sum
+		echoerr "Checksum mismatch for" a:filename
+		return 0
+	endif
+	return 1
+endfunction