/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
1
#!/bin/sh -e
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
2
# 
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
3
# Mandos key generator - create new keys for a Mandos client
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
4
# 
237.7.517 by Teddy Hogeborn
Update copyright year to 2019
5
# Copyright © 2008-2019 Teddy Hogeborn
6
# Copyright © 2008-2019 Björn Påhlsson
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
7
# 
237.7.455 by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged!
8
# This file is part of Mandos.
9
#
10
# Mandos is free software: you can redistribute it and/or modify it
11
# under the terms of the GNU General Public License as published by
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
12
# the Free Software Foundation, either version 3 of the License, or
13
# (at your option) any later version.
14
#
237.7.455 by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged!
15
#     Mandos is distributed in the hope that it will be useful, but
16
#     WITHOUT ANY WARRANTY; without even the implied warranty of
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
17
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18
#     GNU General Public License for more details.
19
# 
20
# You should have received a copy of the GNU General Public License
237.7.455 by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged!
21
# along with Mandos.  If not, see <http://www.gnu.org/licenses/>.
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
22
# 
237.11.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
23
# Contact the authors at <mandos@recompile.se>.
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
24
# 
25
371 by Teddy Hogeborn
* Makefile (version): Change to 1.8.0.
26
VERSION="1.8.0"
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
27
163 by Teddy Hogeborn
* Makefile (PIDDIR, USER, GROUP): Removed.
28
KEYDIR="/etc/keys/mandos"
237.7.169 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update Linux documentation link.
29
KEYTYPE=RSA
30
KEYLENGTH=4096
31
SUBKEYTYPE=RSA
32
SUBKEYLENGTH=4096
196 by Teddy Hogeborn
* mandos-keygen (KEYNAME): Fall back to plain "hostname" if the
33
KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
34
KEYEMAIL=""
237.7.179 by Teddy Hogeborn
* mandos (priority): Bug fix: Add even more magic to make the old
35
KEYCOMMENT=""
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
36
KEYEXPIRE=0
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
37
TLS_KEYTYPE=ed25519
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
38
FORCE=no
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
39
SSH=yes
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
40
KEYCOMMENT_ORIG="$KEYCOMMENT"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
41
mode=keygen
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
42
179 by Teddy Hogeborn
* INSTALL: New file.
43
if [ ! -d "$KEYDIR" ]; then
44
    KEYDIR="/etc/mandos/keys"
45
fi
46
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
47
# Parse options
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
48
TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \
49
    --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
50
    --name "$0" -- "$@"`
51
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
52
help(){
237.7.288 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
53
basename="`basename "$0"`"
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
54
cat <<EOF
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
55
Usage: $basename [ -v | --version ]
56
       $basename [ -h | --help ]
57
   Key creation:
58
       $basename [ OPTIONS ]
59
   Encrypted password creation:
60
       $basename { -p | --password } [ --name NAME ] [ --dir DIR]
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
61
       $basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
62
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
63
Key creation options:
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
64
  -v, --version         Show program's version number and exit
65
  -h, --help            Show this help message and exit
66
  -d DIR, --dir DIR     Target directory for key files
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
67
  -t TYPE, --type TYPE  OpenPGP key type.  Default is RSA.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
68
  -l BITS, --length BITS
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
69
                        OpenPGP key length in bits.  Default is 4096.
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
70
  -s TYPE, --subtype TYPE
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
71
                        OpenPGP subkey type.  Default is RSA.
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
72
  -L BITS, --sublength BITS
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
73
                        OpenPGP subkey length in bits.  Default 4096.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
74
  -n NAME, --name NAME  Name of key.  Default is the FQDN.
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
75
  -e ADDRESS, --email ADDRESS
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
76
                        Email address of OpenPGP key.  Default empty.
123 by Teddy Hogeborn
* mandos-keygen: Minor help text change.
77
  -c TEXT, --comment TEXT
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
78
                        Comment field for OpenPGP key.  Default empty.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
79
  -x TIME, --expire TIME
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
80
                        OpenPGP key expire time.  Default is none.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
81
                        See gpg(1) for syntax.
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
82
  -T TYPE, --tls-keytype TYPE
83
                        TLS key type.  Default is ed25519.
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
84
  -f, --force           Force overwriting old key files.
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
85
86
Password creation options:
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
87
  -p, --password        Create an encrypted password using the key in
88
                        the key directory.  All options other than
89
                        --dir and --name are ignored.
90
  -F FILE, --passfile FILE
91
                        Encrypt a password from FILE using the key in
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
92
                        the key directory.  All options other than
123 by Teddy Hogeborn
* mandos-keygen: Minor help text change.
93
                        --dir and --name are ignored.
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
94
  -S, --no-ssh          Don't get SSH key or set "checker" option.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
95
EOF
96
}
97
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
98
eval set -- "$TEMP"
99
while :; do
100
    case "$1" in
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
101
	-p|--password) mode=password; shift;;
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
102
	-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
103
	-d|--dir) KEYDIR="$2"; shift 2;;
104
	-t|--type) KEYTYPE="$2"; shift 2;;
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
105
	-s|--subtype) SUBKEYTYPE="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
106
	-l|--length) KEYLENGTH="$2"; shift 2;;
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
107
	-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
108
	-n|--name) KEYNAME="$2"; shift 2;;
109
	-e|--email) KEYEMAIL="$2"; shift 2;;
110
	-c|--comment) KEYCOMMENT="$2"; shift 2;;
87 by Teddy Hogeborn
* Makefile: Bug fix: fixed creation of man pages in "plugins.d".
111
	-x|--expire) KEYEXPIRE="$2"; shift 2;;
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
112
	-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
113
	-f|--force) FORCE=yes; shift;;
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
114
	-S|--no-ssh) SSH=no; shift;;
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
115
	-v|--version) echo "$0 $VERSION"; exit;;
116
	-h|--help) help; exit;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
117
	--) shift; break;;
118
	*) echo "Internal error" >&2; exit 1;;
119
    esac
120
done
121
if [ "$#" -gt 0 ]; then
237.7.288 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
122
    echo "Unknown arguments: '$*'" >&2
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
123
    exit 1
124
fi
125
126
SECKEYFILE="$KEYDIR/seckey.txt"
127
PUBKEYFILE="$KEYDIR/pubkey.txt"
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
128
TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"
129
TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
130
131
# Check for some invalid values
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
132
if [ ! -d "$KEYDIR" ]; then
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
133
    echo "$KEYDIR not a directory" >&2
134
    exit 1
135
fi
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
136
if [ ! -r "$KEYDIR" ]; then
137
    echo "Directory $KEYDIR not readable" >&2
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
138
    exit 1
139
fi
140
141
if [ "$mode" = keygen ]; then
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
142
    if [ ! -w "$KEYDIR" ]; then
143
	echo "Directory $KEYDIR not writeable" >&2
144
	exit 1
145
    fi
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
146
    if [ -z "$KEYTYPE" ]; then
147
	echo "Empty key type" >&2
148
	exit 1
149
    fi
150
    
151
    if [ -z "$KEYNAME" ]; then
152
	echo "Empty key name" >&2
153
	exit 1
154
    fi
155
    
156
    if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
157
	echo "Invalid key length" >&2
158
	exit 1
159
    fi
237.2.37 by Teddy Hogeborn
* mandos-keygen (password): Remove bashism "${PIPESTATUS}".
160
    
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
161
    if [ -z "$KEYEXPIRE" ]; then
162
	echo "Empty key expiration" >&2
163
	exit 1
164
    fi
165
    
166
    # Make FORCE be 0 or 1
167
    case "$FORCE" in
168
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
169
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
170
    esac
171
    
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
172
    if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \
173
	     || [ -e "$TLS_PRIVKEYFILE" ] \
174
	     || [ -e "$TLS_PUBKEYFILE" ]; } \
237.7.452 by Teddy Hogeborn
Use || instead of -o in shell scripts.
175
	&& [ "$FORCE" -eq 0 ]; then
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
176
	echo "Refusing to overwrite old key files; use --force" >&2
177
	exit 1
178
    fi
179
    
180
    # Set lines for GnuPG batch file
181
    if [ -n "$KEYCOMMENT" ]; then
182
	KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
183
    fi
184
    if [ -n "$KEYEMAIL" ]; then
185
	KEYEMAILLINE="Name-Email: $KEYEMAIL"
186
    fi
237.2.37 by Teddy Hogeborn
* mandos-keygen (password): Remove bashism "${PIPESTATUS}".
187
    
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
188
    # Create temporary gpg batch file
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
189
    BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
190
    TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
191
fi
192
193
if [ "$mode" = password ]; then
194
    # Create temporary encrypted password file
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
195
    SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"
196
fi
197
198
# Create temporary key ring directory
199
RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
200
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
201
# Remove temporary files on exit
94 by Teddy Hogeborn
* clients.conf ([DEFAULT]/checker): Update to new default value.
202
trap "
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
203
set +e; \
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
204
test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
205
test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
206
shred --remove \"$RINGDIR\"/sec* 2>/dev/null;
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
207
test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \
208
rm --recursive --force \"$RINGDIR\";
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
209
tty --quiet && stty echo; \
94 by Teddy Hogeborn
* clients.conf ([DEFAULT]/checker): Update to new default value.
210
" EXIT
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
211
237.2.215 by teddy at bsnet
* debian/control (Standards-Version): Updated to "3.9.1".
212
set -e
213
166 by Teddy Hogeborn
* Makefile (confdir/clients.conf): Tighten permissions to "u=rw".
214
umask 077
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
215
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
216
if [ "$mode" = keygen ]; then
217
    # Create batch file for GnuPG
218
    cat >"$BATCHFILE" <<-EOF
219
	Key-Type: $KEYTYPE
220
	Key-Length: $KEYLENGTH
237.7.175 by Teddy Hogeborn
* mandos-keygen: Bug fix: Specify key usage to avoid creating keys
221
	Key-Usage: sign,auth
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
222
	Subkey-Type: $SUBKEYTYPE
223
	Subkey-Length: $SUBKEYLENGTH
237.7.175 by Teddy Hogeborn
* mandos-keygen: Bug fix: Specify key usage to avoid creating keys
224
	Subkey-Usage: encrypt
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
225
	Name-Real: $KEYNAME
226
	$KEYCOMMENTLINE
227
	$KEYEMAILLINE
228
	Expire-Date: $KEYEXPIRE
229
	#Preferences: <string>
230
	#Handle: <no-spaces>
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
231
	#%pubring pubring.gpg
232
	#%secring secring.gpg
237.7.427 by Teddy Hogeborn
Fix bug when generating keys in a chroot environment.
233
	%no-protection
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
234
	%commit
235
	EOF
236
    
237.2.156 by Teddy Hogeborn
* mandos-keygen (keygen): Warn about long key generation time.
237
    if tty --quiet; then
238
	cat <<-EOF
239
	Note: Due to entropy requirements, key generation could take
240
	anything from a few minutes to SEVERAL HOURS.  Please be
241
	patient and/or supply the system with more entropy if needed.
242
	EOF
243
	echo -n "Started: "
244
	date
245
    fi
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
246
247
    # Generate TLS private key
248
    if certtool --generate-privkey --password='' \
249
		--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
250
		--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then
251
	
252
	# Backup any old key files
253
	if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
254
	      2>/dev/null; then
255
	    shred --remove "$TLS_PRIVKEYFILE"
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
256
	fi
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
257
	if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
258
	      2>/dev/null; then
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
259
	    rm --force "$TLS_PUBKEYFILE"
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
260
	fi
261
	cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"
262
	shred --remove "$TLS_PRIVKEYTMP"
263
264
	## TLS public key
265
266
	# First try certtool from GnuTLS
267
	if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
268
	     --outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
269
	     2>/dev/null; then
270
	    # Otherwise try OpenSSL
271
	    if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
272
		 -out "$TLS_PUBKEYFILE" -pubout; then
273
		rm --force "$TLS_PUBKEYFILE"
274
		# None of the commands succeded; give up
275
		return 1
276
	    fi
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
277
	fi
278
    fi
279
    
237.7.211 by Teddy Hogeborn
* mandos-keygen (keygen): Add workaround for Debian bug #737128.
280
    # Make sure trustdb.gpg exists;
281
    # this is a workaround for Debian bug #737128
282
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
283
	--homedir "$RINGDIR" \
284
	--import-ownertrust < /dev/null
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
285
    # Generate a new key in the key rings
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
286
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
287
	--homedir "$RINGDIR" --trust-model always \
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
288
	--gen-key "$BATCHFILE"
289
    rm --force "$BATCHFILE"
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
290
    
237.2.156 by Teddy Hogeborn
* mandos-keygen (keygen): Warn about long key generation time.
291
    if tty --quiet; then
292
	echo -n "Finished: "
293
	date
294
    fi
295
    
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
296
    # Backup any old key files
297
    if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
298
	2>/dev/null; then
299
	shred --remove "$SECKEYFILE"
300
    fi
301
    if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
302
	2>/dev/null; then
303
	rm --force "$PUBKEYFILE"
304
    fi
305
    
306
    FILECOMMENT="Mandos client key for $KEYNAME"
307
    if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
308
	FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
309
    fi
310
    
311
    if [ -n "$KEYEMAIL" ]; then
312
	FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
313
    fi
314
    
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
315
    # Export key from key rings to key files
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
316
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
317
	--homedir "$RINGDIR" --armor --export-options export-minimal \
318
	--comment "$FILECOMMENT" --output "$SECKEYFILE" \
319
	--export-secret-keys
320
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
321
	--homedir "$RINGDIR" --armor --export-options export-minimal \
322
	--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
323
fi
324
325
if [ "$mode" = password ]; then
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
326
    
327
    # Make SSH be 0 or 1
328
    case "$SSH" in
329
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
330
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
331
    esac
332
    
333
    if [ $SSH -eq 1 ]; then
237.7.396 by Teddy Hogeborn
mandos-keygen: Try to use ECDSA keys with ssh-keyscan(1) by default.
334
	for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
335
	    set +e
336
	    ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"
237.7.451 by Teddy Hogeborn
Bug fix: Detect failure of ssh-keyscan in mandos-keygen --password.
337
	    err=$?
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
338
	    set -e
237.7.451 by Teddy Hogeborn
Bug fix: Detect failure of ssh-keyscan in mandos-keygen --password.
339
	    if [ $err -ne 0 ]; then
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
340
		ssh_fingerprint=""
341
		continue
342
	    fi
343
	    if [ -n "$ssh_fingerprint" ]; then
344
		ssh_fingerprint="${ssh_fingerprint#localhost }"
345
		break
346
	    fi
347
	done
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
348
    fi
349
    
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
350
    # Import key into temporary key rings
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
351
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
352
	--homedir "$RINGDIR" --trust-model always --armor \
353
	--import "$SECKEYFILE"
354
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
355
	--homedir "$RINGDIR" --trust-model always --armor \
356
	--import "$PUBKEYFILE"
357
    
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
358
    # Get fingerprint of key
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
359
    FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \
237.7.288 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
360
	--enable-dsa2 --homedir "$RINGDIR" --trust-model always \
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
361
	--fingerprint --with-colons \
168 by Teddy Hogeborn
* initramfs-tools-hook: Use long options where available. Use only
362
	| sed --quiet \
363
	--expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
364
    
365
    test -n "$FINGERPRINT"
366
    
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
367
    if [ -r "$TLS_PUBKEYFILE" ]; then
368
       KEY_ID="$(certtool --key-id --hash=sha256 \
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
369
    		       --infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"
370
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
371
       if [ -z "$KEY_ID" ]; then
372
	   KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \
373
			    -outform der \
374
			| openssl sha256 \
375
			| sed --expression='s/^.*[^[:xdigit:]]//')
376
       fi
377
       test -n "$KEY_ID"
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
378
    fi
379
    
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
380
    FILECOMMENT="Encrypted password for a Mandos client"
381
    
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
382
    while [ ! -s "$SECFILE" ]; do
383
	if [ -n "$PASSFILE" ]; then
384
	    cat "$PASSFILE"
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
385
	else
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
386
	    tty --quiet && stty -echo
237.7.428 by Teddy Hogeborn
Output the passphrase prompt to the TTY, not stderr.
387
	    echo -n "Enter passphrase: " >/dev/tty
237.7.444 by Teddy Hogeborn
Use "read -r" in shell scripts to avoid backslash escapes
388
	    read -r first
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
389
	    tty --quiet && echo >&2
237.7.428 by Teddy Hogeborn
Output the passphrase prompt to the TTY, not stderr.
390
	    echo -n "Repeat passphrase: " >/dev/tty
237.7.444 by Teddy Hogeborn
Use "read -r" in shell scripts to avoid backslash escapes
391
	    read -r second
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
392
	    if tty --quiet; then
393
		echo >&2
394
		stty echo
395
	    fi
396
	    if [ "$first" != "$second" ]; then
397
		echo "Passphrase mismatch" >&2
398
		touch "$RINGDIR"/mismatch
399
	    else
400
		echo -n "$first"
401
	    fi
402
	fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
403
	    --homedir "$RINGDIR" --trust-model always --armor \
404
	    --encrypt --sign --recipient "$FINGERPRINT" --comment \
405
	    "$FILECOMMENT" > "$SECFILE"
406
	if [ -e "$RINGDIR"/mismatch ]; then
407
	    rm --force "$RINGDIR"/mismatch
408
	    if tty --quiet; then
409
		> "$SECFILE"
410
	    else
411
		exit 1
412
	    fi
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
413
	fi
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
414
    done
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
415
    
416
    cat <<-EOF
417
	[$KEYNAME]
99 by Teddy Hogeborn
* mandos (fingerprint): Bug fix: Check crtverify.value, not crtverify.
418
	host = $KEYNAME
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
419
	EOF
420
    if [ -n "$KEY_ID" ]; then
421
	echo "key_id = $KEY_ID"
422
    fi
423
    cat <<-EOF
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
424
	fingerprint = $FINGERPRINT
425
	secret =
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
426
	EOF
168 by Teddy Hogeborn
* initramfs-tools-hook: Use long options where available. Use only
427
    sed --quiet --expression='
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
428
	/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
429
	    /^$/,${
103 by Teddy Hogeborn
* mandos-keygen: Strip 24-bit checksum of Radix-64 from output to make
430
		# Remove 24-bit Radix-64 checksum
431
		s/=....$//
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
432
		# Indent four spaces
433
		/^[^-]/s/^/    /p
434
	    }
435
	}' < "$SECFILE"
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
436
    if [ -n "$ssh_fingerprint" ]; then
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
437
	echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
438
	echo "ssh_fingerprint = ${ssh_fingerprint}"
439
    fi
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
440
fi
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
441
442
trap - EXIT
443
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
444
set +e
445
# Remove the password file, if any
446
if [ -n "$SECFILE" ]; then
447
    shred --remove "$SECFILE"
448
fi
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
449
# Remove the key rings
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
450
shred --remove "$RINGDIR"/sec* 2>/dev/null
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
451
rm --recursive --force "$RINGDIR"