
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
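guard_sourcing
# Handler for `--root-password-file <path>` (sourced fragment, not a function):
#   1. validate the path argument (${2}) and the file behind it,
#   2. force root:root / 0400 on the file,
#   3. read the first line as the plaintext password and enforce the policy
#      (20..64 characters, no double quote),
#   4. hash it with sha-512 crypt into the global VAR_HASHED_PWD,
#   5. destroy the plaintext file with shred.
# Every failure path clears the boot screen (unless VAR_HANDLER_AUTOBUILD is
# true), prints to stderr, waits for ENTER and exits the installer with the
# matching ERR_* code defined elsewhere in the framework.
# "${2:-}" keeps this safe under `set -u` when the option has no argument.
declare pw_file="${2:-}"
if [[ -z "${pw_file}" ]]; then
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file missing password file path argument.%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
  exit "${ERR_MISS_PWD_P}"
fi
# Symlinks are refused on purpose: stat, chown, chmod, the read below and
# shred would all act on the link target instead of the path the operator
# named, so a stray link could redirect the chown/chmod/shred elsewhere.
if [[ -L "${pw_file}" || ! -f "${pw_file}" ]]; then
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file password file '%s' does not exist or is not a regular file.%s%s" "${C_RED}" "${pw_file}" "${C_RES}" "${NL}" >&2
  read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
  exit "${ERR_MISS_PWD_F}"
fi
# Numeric uid:gid rather than names, so an installer environment without
# working name resolution ("UNKNOWN" from %U/%G) cannot defeat the check.
declare owner
owner=$(stat -c '%u:%g' -- "${pw_file}")
if [[ "${owner}" != "0:0" ]]; then
  chown root:root -- "${pw_file}" || {
    if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
    printf "%s❌ Error: --root-password-file failed to set owner root:root on '%s'.%s%s" "${C_RED}" "${pw_file}" "${C_RES}" "${NL}" >&2
    read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
    exit "${ERR_OWNS_PWD_F}"
  }
fi
# GNU stat prints the mode without a leading zero ("400"); any other value,
# including extra bits such as 1400, is corrected to exactly 0400.
declare perms
perms=$(stat -c '%a' -- "${pw_file}")
if [[ "${perms}" != "400" ]]; then
  chmod 400 -- "${pw_file}" || {
    if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
    printf "%s❌ Error: --root-password-file failed to set permissions 0400 on '%s'.%s%s" "${C_RED}" "${pw_file}" "${C_RES}" "${NL}" >&2
    read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
    exit "${ERR_RGHT_PWD_F}"
  }
fi
# Only the first line of the file is used. A file without a trailing newline
# makes `read` return 1 although the variable is filled, hence the `|| true`.
# Tracing is switched off around every statement that expands the plaintext,
# otherwise `set -x` would copy it to the trace output.
declare plaintext_pw=""
[[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set +x # No tracing for security reasons
IFS= read -r plaintext_pw < "${pw_file}" || true
[[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set -x # Turn on tracing again
# Length is counted in characters of the current locale, not bytes.
declare pw_length
pw_length=${#plaintext_pw}
if (( pw_length < 20 || pw_length > 64 )); then
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).%s%s" "${C_RED}" "${pw_length}" "${C_RES}" "${NL}" >&2
  read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
  exit "${ERR_PASS_LENGH}"
fi
# Double quotes are rejected by policy; presumably the hash or password is
# later embedded in a double-quoted context elsewhere in the framework.
[[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set +x # No tracing for security reasons
if [[ "${plaintext_pw}" == *\"* ]]; then
  [[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set -x # Turn on tracing again
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file password MUST NOT contain double quotes (\").%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
  exit "${ERR_PASS_PLICY}"
fi
[[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set -x # Turn on tracing again
# 16-character salt from the crypt(3) salt alphabet subset [A-Za-z0-9].
# `head` closes the pipe early, which kills `tr` with SIGPIPE; pipefail is
# lifted so that expected non-zero status does not trip a strict-mode caller.
declare salt
set +o pipefail
while :; do
  salt=$(tr -dc 'A-Za-z0-9' </dev/random | head -c 16)
  [[ ${#salt} -eq 16 ]] && break
done
set -o pipefail
# The password is fed to mkpasswd on stdin, never as an argument: an argv
# value is readable by every local user via ps / /proc/*/cmdline for the
# whole key-stretching run, which with 8388608 rounds takes seconds.
# `--stdin` is the whois mkpasswd option (alias for --password-fd=0).
declare hash_temp=""
[[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set +x # No tracing for security reasons
hash_temp=$(printf '%s' "${plaintext_pw}" | mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 --stdin) || hash_temp=""
[[ "${VAR_EARLY_DEBUG:-}" == "true" ]] && set -x # Turn on tracing again
declare -g VAR_HASHED_PWD="${hash_temp}"
# Best effort only: bash cannot scrub the memory that held the plaintext.
unset hash_temp plaintext_pw
sync
# The plaintext file is single-use and is destroyed whether hashing worked or
# not. shred overwrites in place; on journaling/CoW filesystems or flash media
# this is not guaranteed to reach the old blocks (see shred(1)). -f lifts the
# 0400 mode set above. A failed shred is reported instead of being swallowed,
# because it means the plaintext may still be on disk.
if ! shred -vfzu -n 5 -- "${pw_file}" > /dev/null 2>&1; then
  printf "%s❌ Warning: shred of password file '%s' failed; the plaintext file may still exist.%s%s" "${C_RED}" "${pw_file}" "${C_RES}" "${NL}" >&2
fi
sync
# An empty hash (mkpasswd missing, wrong option set, pipe failure) must never
# reach the rest of the installer as a "valid" VAR_HASHED_PWD.
# NOTE(review): no dedicated ERR_* code for this case is visible in this file.
if [[ -z "${VAR_HASHED_PWD}" ]]; then
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file hashing the password with mkpasswd failed.%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  read -r -p "${C_GRE}✅ Press 'ENTER' to exit the script ... ${C_RES}"
  exit 1
fi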
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh