bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
1 |
#!/bin/sh -e
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
2 |
#
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
3 |
# Mandos key generator - create new keys for a Mandos client
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
4 |
#
|
237.7.517
by Teddy Hogeborn
Update copyright year to 2019 |
5 |
# Copyright © 2008-2019 Teddy Hogeborn
|
6 |
# Copyright © 2008-2019 Björn Påhlsson
|
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
7 |
#
|
237.7.455
by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged! |
8 |
# This file is part of Mandos.
|
9 |
#
|
|
10 |
# Mandos is free software: you can redistribute it and/or modify it
|
|
11 |
# under the terms of the GNU General Public License as published by
|
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
12 |
# the Free Software Foundation, either version 3 of the License, or
|
13 |
# (at your option) any later version.
|
|
14 |
#
|
|
237.7.455
by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged! |
15 |
# Mandos is distributed in the hope that it will be useful, but
|
16 |
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
17 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
18 |
# GNU General Public License for more details.
|
|
19 |
#
|
|
20 |
# You should have received a copy of the GNU General Public License
|
|
237.7.455
by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged! |
21 |
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
22 |
#
|
237.11.2
by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout. |
23 |
# Contact the authors at <mandos@recompile.se>.
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
24 |
#
|
25 |
||
371
by Teddy Hogeborn
* Makefile (version): Change to 1.8.0. |
26 |
VERSION="1.8.0" |
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
27 |
|
163
by Teddy Hogeborn
* Makefile (PIDDIR, USER, GROUP): Removed. |
28 |
KEYDIR="/etc/keys/mandos" |
237.7.169
by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update Linux documentation link. |
29 |
KEYTYPE=RSA |
30 |
KEYLENGTH=4096 |
|
31 |
SUBKEYTYPE=RSA |
|
32 |
SUBKEYLENGTH=4096 |
|
196
by Teddy Hogeborn
* mandos-keygen (KEYNAME): Fall back to plain "hostname" if the |
33 |
KEYNAME="`hostname --fqdn 2>/dev/null || hostname`" |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
34 |
KEYEMAIL="" |
237.7.179
by Teddy Hogeborn
* mandos (priority): Bug fix: Add even more magic to make the old |
35 |
KEYCOMMENT="" |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
36 |
KEYEXPIRE=0 |
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
37 |
TLS_KEYTYPE=ed25519 |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
38 |
FORCE=no |
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
39 |
SSH=yes |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
40 |
KEYCOMMENT_ORIG="$KEYCOMMENT" |
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
41 |
mode=keygen |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
42 |
|
179
by Teddy Hogeborn
* INSTALL: New file. |
43 |
if [ ! -d "$KEYDIR" ]; then |
44 |
KEYDIR="/etc/mandos/keys" |
|
45 |
fi
|
|
46 |
||
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
47 |
# Parse options
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
48 |
TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \ |
49 |
--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \ |
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
50 |
--name "$0" -- "$@"` |
51 |
||
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
52 |
help(){
|
237.7.288
by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues. |
53 |
basename="`basename "$0"`" |
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
54 |
cat <<EOF |
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
55 |
Usage: $basename [ -v | --version ]
|
56 |
$basename [ -h | --help ]
|
|
57 |
Key creation:
|
|
58 |
$basename [ OPTIONS ]
|
|
59 |
Encrypted password creation:
|
|
60 |
$basename { -p | --password } [ --name NAME ] [ --dir DIR]
|
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
61 |
$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
62 |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
63 |
Key creation options:
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
64 |
-v, --version Show program's version number and exit
|
65 |
-h, --help Show this help message and exit
|
|
66 |
-d DIR, --dir DIR Target directory for key files
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
67 |
-t TYPE, --type TYPE OpenPGP key type. Default is RSA.
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
68 |
-l BITS, --length BITS
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
69 |
OpenPGP key length in bits. Default is 4096.
|
96
by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR). |
70 |
-s TYPE, --subtype TYPE
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
71 |
OpenPGP subkey type. Default is RSA.
|
96
by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR). |
72 |
-L BITS, --sublength BITS
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
73 |
OpenPGP subkey length in bits. Default 4096.
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
74 |
-n NAME, --name NAME Name of key. Default is the FQDN.
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
75 |
-e ADDRESS, --email ADDRESS
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
76 |
Email address of OpenPGP key. Default empty.
|
123
by Teddy Hogeborn
* mandos-keygen: Minor help text change. |
77 |
-c TEXT, --comment TEXT
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
78 |
Comment field for OpenPGP key. Default empty.
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
79 |
-x TIME, --expire TIME
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
80 |
OpenPGP key expire time. Default is none.
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
81 |
See gpg(1) for syntax.
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
82 |
-T TYPE, --tls-keytype TYPE
|
83 |
TLS key type. Default is ed25519.
|
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
84 |
-f, --force Force overwriting old key files.
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
85 |
|
86 |
Password creation options:
|
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
87 |
-p, --password Create an encrypted password using the key in
|
88 |
the key directory. All options other than
|
|
89 |
--dir and --name are ignored.
|
|
90 |
-F FILE, --passfile FILE
|
|
91 |
Encrypt a password from FILE using the key in
|
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
92 |
the key directory. All options other than
|
123
by Teddy Hogeborn
* mandos-keygen: Minor help text change. |
93 |
--dir and --name are ignored.
|
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
94 |
-S, --no-ssh Don't get SSH key or set "checker" option.
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
95 |
EOF
|
96 |
}
|
|
97 |
||
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
98 |
eval set -- "$TEMP" |
99 |
while :; do |
|
100 |
case "$1" in |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
101 |
-p|--password) mode=password; shift;; |
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
102 |
-F|--passfile) mode=password; PASSFILE="$2"; shift 2;; |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
103 |
-d|--dir) KEYDIR="$2"; shift 2;; |
104 |
-t|--type) KEYTYPE="$2"; shift 2;; |
|
96
by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR). |
105 |
-s|--subtype) SUBKEYTYPE="$2"; shift 2;; |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
106 |
-l|--length) KEYLENGTH="$2"; shift 2;; |
96
by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR). |
107 |
-L|--sublength) SUBKEYLENGTH="$2"; shift 2;; |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
108 |
-n|--name) KEYNAME="$2"; shift 2;; |
109 |
-e|--email) KEYEMAIL="$2"; shift 2;; |
|
110 |
-c|--comment) KEYCOMMENT="$2"; shift 2;; |
|
87
by Teddy Hogeborn
* Makefile: Bug fix: fixed creation of man pages in "plugins.d". |
111 |
-x|--expire) KEYEXPIRE="$2"; shift 2;; |
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
112 |
-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;; |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
113 |
-f|--force) FORCE=yes; shift;; |
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
114 |
-S|--no-ssh) SSH=no; shift;; |
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
115 |
-v|--version) echo "$0 $VERSION"; exit;; |
116 |
-h|--help) help; exit;; |
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
117 |
--) shift; break;; |
118 |
*) echo "Internal error" >&2; exit 1;; |
|
119 |
esac |
|
120 |
done
|
|
121 |
if [ "$#" -gt 0 ]; then |
|
237.7.288
by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues. |
122 |
echo "Unknown arguments: '$*'" >&2 |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
123 |
exit 1 |
124 |
fi
|
|
125 |
||
126 |
SECKEYFILE="$KEYDIR/seckey.txt" |
|
127 |
PUBKEYFILE="$KEYDIR/pubkey.txt" |
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
128 |
TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem" |
129 |
TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem" |
|
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
130 |
|
131 |
# Check for some invalid values
|
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
132 |
if [ ! -d "$KEYDIR" ]; then |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
133 |
echo "$KEYDIR not a directory" >&2 |
134 |
exit 1 |
|
135 |
fi
|
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
136 |
if [ ! -r "$KEYDIR" ]; then |
137 |
echo "Directory $KEYDIR not readable" >&2 |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
138 |
exit 1 |
139 |
fi
|
|
140 |
||
141 |
if [ "$mode" = keygen ]; then |
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
142 |
if [ ! -w "$KEYDIR" ]; then |
143 |
echo "Directory $KEYDIR not writeable" >&2 |
|
144 |
exit 1 |
|
145 |
fi |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
146 |
if [ -z "$KEYTYPE" ]; then |
147 |
echo "Empty key type" >&2 |
|
148 |
exit 1 |
|
149 |
fi |
|
150 |
|
|
151 |
if [ -z "$KEYNAME" ]; then |
|
152 |
echo "Empty key name" >&2 |
|
153 |
exit 1 |
|
154 |
fi |
|
155 |
|
|
156 |
if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then |
|
157 |
echo "Invalid key length" >&2 |
|
158 |
exit 1 |
|
159 |
fi |
|
237.2.37
by Teddy Hogeborn
* mandos-keygen (password): Remove bashism "${PIPESTATUS}". |
160 |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
161 |
if [ -z "$KEYEXPIRE" ]; then |
162 |
echo "Empty key expiration" >&2 |
|
163 |
exit 1 |
|
164 |
fi |
|
165 |
|
|
166 |
# Make FORCE be 0 or 1 |
|
167 |
case "$FORCE" in |
|
168 |
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;; |
|
169 |
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;; |
|
170 |
esac |
|
171 |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
172 |
if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \ |
173 |
|| [ -e "$TLS_PRIVKEYFILE" ] \ |
|
174 |
|| [ -e "$TLS_PUBKEYFILE" ]; } \ |
|
237.7.452
by Teddy Hogeborn
Use || instead of -o in shell scripts. |
175 |
&& [ "$FORCE" -eq 0 ]; then |
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
176 |
echo "Refusing to overwrite old key files; use --force" >&2 |
177 |
exit 1 |
|
178 |
fi |
|
179 |
|
|
180 |
# Set lines for GnuPG batch file |
|
181 |
if [ -n "$KEYCOMMENT" ]; then |
|
182 |
KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT" |
|
183 |
fi |
|
184 |
if [ -n "$KEYEMAIL" ]; then |
|
185 |
KEYEMAILLINE="Name-Email: $KEYEMAIL" |
|
186 |
fi |
|
237.2.37
by Teddy Hogeborn
* mandos-keygen (password): Remove bashism "${PIPESTATUS}". |
187 |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
188 |
# Create temporary gpg batch file |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
189 |
BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`" |
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
190 |
TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`" |
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
191 |
fi
|
192 |
||
193 |
if [ "$mode" = password ]; then |
|
194 |
# Create temporary encrypted password file |
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
195 |
SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`" |
196 |
fi
|
|
197 |
||
198 |
# Create temporary key ring directory
|
|
199 |
RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`" |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
200 |
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
201 |
# Remove temporary files on exit
|
94
by Teddy Hogeborn
* clients.conf ([DEFAULT]/checker): Update to new default value. |
202 |
trap " |
96
by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR). |
203 |
set +e; \
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
204 |
test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \ |
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
205 |
test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \ |
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
206 |
shred --remove \"$RINGDIR\"/sec* 2>/dev/null; |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
207 |
test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \ |
208 |
rm --recursive --force \"$RINGDIR\"; |
|
237.7.42
by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively. |
209 |
tty --quiet && stty echo; \
|
94
by Teddy Hogeborn
* clients.conf ([DEFAULT]/checker): Update to new default value. |
210 |
" EXIT |
67
by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on |
211 |
|
237.2.215
by teddy at bsnet
* debian/control (Standards-Version): Updated to "3.9.1". |
212 |
set -e |
213 |
||
166
by Teddy Hogeborn
* Makefile (confdir/clients.conf): Tighten permissions to "u=rw". |
214 |
umask 077 |
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
215 |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
216 |
if [ "$mode" = keygen ]; then |
217 |
# Create batch file for GnuPG |
|
218 |
cat >"$BATCHFILE" <<-EOF |
|
219 |
Key-Type: $KEYTYPE
|
|
220 |
Key-Length: $KEYLENGTH
|
|
237.7.175
by Teddy Hogeborn
* mandos-keygen: Bug fix: Specify key usage to avoid creating keys |
221 |
Key-Usage: sign,auth
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
222 |
Subkey-Type: $SUBKEYTYPE
|
223 |
Subkey-Length: $SUBKEYLENGTH
|
|
237.7.175
by Teddy Hogeborn
* mandos-keygen: Bug fix: Specify key usage to avoid creating keys |
224 |
Subkey-Usage: encrypt
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
225 |
Name-Real: $KEYNAME
|
226 |
$KEYCOMMENTLINE
|
|
227 |
$KEYEMAILLINE
|
|
228 |
Expire-Date: $KEYEXPIRE
|
|
229 |
#Preferences: <string>
|
|
230 |
#Handle: <no-spaces>
|
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
231 |
#%pubring pubring.gpg
|
232 |
#%secring secring.gpg
|
|
237.7.427
by Teddy Hogeborn
Fix bug when generating keys in a chroot environment. |
233 |
%no-protection
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
234 |
%commit
|
235 |
EOF
|
|
236 |
|
|
237.2.156
by Teddy Hogeborn
* mandos-keygen (keygen): Warn about long key generation time. |
237 |
if tty --quiet; then |
238 |
cat <<-EOF |
|
239 |
Note: Due to entropy requirements, key generation could take
|
|
240 |
anything from a few minutes to SEVERAL HOURS. Please be
|
|
241 |
patient and/or supply the system with more entropy if needed.
|
|
242 |
EOF
|
|
243 |
echo -n "Started: " |
|
244 |
date
|
|
245 |
fi |
|
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
246 |
|
247 |
# Generate TLS private key |
|
248 |
if certtool --generate-privkey --password='' \ |
|
249 |
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \ |
|
250 |
--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then |
|
251 |
|
|
252 |
# Backup any old key files |
|
253 |
if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \ |
|
254 |
2>/dev/null; then |
|
255 |
shred --remove "$TLS_PRIVKEYFILE" |
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
256 |
fi |
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
257 |
if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \ |
258 |
2>/dev/null; then |
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
259 |
rm --force "$TLS_PUBKEYFILE" |
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
260 |
fi |
261 |
cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE" |
|
262 |
shred --remove "$TLS_PRIVKEYTMP" |
|
263 |
||
264 |
## TLS public key |
|
265 |
||
266 |
# First try certtool from GnuTLS |
|
267 |
if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \ |
|
268 |
--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \ |
|
269 |
2>/dev/null; then |
|
270 |
# Otherwise try OpenSSL |
|
271 |
if ! openssl pkey -in "$TLS_PRIVKEYFILE" \ |
|
272 |
-out "$TLS_PUBKEYFILE" -pubout; then |
|
273 |
rm --force "$TLS_PUBKEYFILE" |
|
274 |
# None of the commands succeded; give up |
|
275 |
return 1 |
|
276 |
fi |
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
277 |
fi |
278 |
fi |
|
279 |
|
|
237.7.211
by Teddy Hogeborn
* mandos-keygen (keygen): Add workaround for Debian bug #737128. |
280 |
# Make sure trustdb.gpg exists; |
281 |
# this is a workaround for Debian bug #737128 |
|
282 |
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
|
283 |
--homedir "$RINGDIR" \ |
|
284 |
--import-ownertrust < /dev/null |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
285 |
# Generate a new key in the key rings |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
286 |
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
287 |
--homedir "$RINGDIR" --trust-model always \ |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
288 |
--gen-key "$BATCHFILE" |
289 |
rm --force "$BATCHFILE" |
|
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
290 |
|
237.2.156
by Teddy Hogeborn
* mandos-keygen (keygen): Warn about long key generation time. |
291 |
if tty --quiet; then |
292 |
echo -n "Finished: " |
|
293 |
date
|
|
294 |
fi |
|
295 |
|
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
296 |
# Backup any old key files |
297 |
if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \ |
|
298 |
2>/dev/null; then |
|
299 |
shred --remove "$SECKEYFILE" |
|
300 |
fi |
|
301 |
if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \ |
|
302 |
2>/dev/null; then |
|
303 |
rm --force "$PUBKEYFILE" |
|
304 |
fi |
|
305 |
|
|
306 |
FILECOMMENT="Mandos client key for $KEYNAME" |
|
307 |
if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then |
|
308 |
FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)" |
|
309 |
fi |
|
310 |
|
|
311 |
if [ -n "$KEYEMAIL" ]; then |
|
312 |
FILECOMMENT="$FILECOMMENT <$KEYEMAIL>" |
|
313 |
fi |
|
314 |
|
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
315 |
# Export key from key rings to key files |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
316 |
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
317 |
--homedir "$RINGDIR" --armor --export-options export-minimal \ |
|
318 |
--comment "$FILECOMMENT" --output "$SECKEYFILE" \ |
|
319 |
--export-secret-keys
|
|
320 |
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
|
321 |
--homedir "$RINGDIR" --armor --export-options export-minimal \ |
|
322 |
--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
323 |
fi
|
324 |
||
325 |
if [ "$mode" = password ]; then |
|
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
326 |
|
327 |
# Make SSH be 0 or 1 |
|
328 |
case "$SSH" in |
|
329 |
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;; |
|
330 |
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;; |
|
331 |
esac |
|
332 |
|
|
333 |
if [ $SSH -eq 1 ]; then |
|
237.7.396
by Teddy Hogeborn
mandos-keygen: Try to use ECDSA keys with ssh-keyscan(1) by default. |
334 |
for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do |
237.7.295
by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan |
335 |
set +e |
336 |
ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`" |
|
237.7.451
by Teddy Hogeborn
Bug fix: Detect failure of ssh-keyscan in mandos-keygen --password. |
337 |
err=$? |
237.7.295
by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan |
338 |
set -e |
237.7.451
by Teddy Hogeborn
Bug fix: Detect failure of ssh-keyscan in mandos-keygen --password. |
339 |
if [ $err -ne 0 ]; then |
237.7.295
by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan |
340 |
ssh_fingerprint="" |
341 |
continue |
|
342 |
fi |
|
343 |
if [ -n "$ssh_fingerprint" ]; then |
|
344 |
ssh_fingerprint="${ssh_fingerprint#localhost }" |
|
345 |
break |
|
346 |
fi |
|
347 |
done |
|
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
348 |
fi |
349 |
|
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
350 |
# Import key into temporary key rings |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
351 |
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
352 |
--homedir "$RINGDIR" --trust-model always --armor \ |
|
353 |
--import "$SECKEYFILE" |
|
354 |
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
|
355 |
--homedir "$RINGDIR" --trust-model always --armor \ |
|
356 |
--import "$PUBKEYFILE" |
|
357 |
|
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
358 |
# Get fingerprint of key |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
359 |
FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \ |
237.7.288
by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues. |
360 |
--enable-dsa2 --homedir "$RINGDIR" --trust-model always \ |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
361 |
--fingerprint --with-colons \
|
168
by Teddy Hogeborn
* initramfs-tools-hook: Use long options where available. Use only |
362 |
| sed --quiet \
|
363 |
--expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"
|
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
364 |
|
365 |
test -n "$FINGERPRINT" |
|
366 |
|
|
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
367 |
if [ -r "$TLS_PUBKEYFILE" ]; then |
368 |
KEY_ID="$(certtool --key-id --hash=sha256 \ |
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
369 |
--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)" |
370 |
||
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
371 |
if [ -z "$KEY_ID" ]; then |
372 |
KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \ |
|
373 |
-outform der \ |
|
374 |
| openssl sha256 \ |
|
375 |
| sed --expression='s/^.*[^[:xdigit:]]//') |
|
376 |
fi |
|
377 |
test -n "$KEY_ID" |
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
378 |
fi |
379 |
|
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
380 |
FILECOMMENT="Encrypted password for a Mandos client" |
381 |
|
|
237.7.42
by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively. |
382 |
while [ ! -s "$SECFILE" ]; do |
383 |
if [ -n "$PASSFILE" ]; then |
|
384 |
cat "$PASSFILE" |
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
385 |
else |
237.7.42
by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively. |
386 |
tty --quiet && stty -echo |
237.7.428
by Teddy Hogeborn
Output the passphrase prompt to the TTY, not stderr. |
387 |
echo -n "Enter passphrase: " >/dev/tty |
237.7.444
by Teddy Hogeborn
Use "read -r" in shell scripts to avoid backslash escapes |
388 |
read -r first |
237.7.42
by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively. |
389 |
tty --quiet && echo >&2 |
237.7.428
by Teddy Hogeborn
Output the passphrase prompt to the TTY, not stderr. |
390 |
echo -n "Repeat passphrase: " >/dev/tty |
237.7.444
by Teddy Hogeborn
Use "read -r" in shell scripts to avoid backslash escapes |
391 |
read -r second |
237.7.42
by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively. |
392 |
if tty --quiet; then |
393 |
echo >&2 |
|
394 |
stty echo |
|
395 |
fi |
|
396 |
if [ "$first" != "$second" ]; then |
|
397 |
echo "Passphrase mismatch" >&2 |
|
398 |
touch "$RINGDIR"/mismatch |
|
399 |
else |
|
400 |
echo -n "$first" |
|
401 |
fi |
|
402 |
fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ |
|
403 |
--homedir "$RINGDIR" --trust-model always --armor \ |
|
404 |
--encrypt --sign --recipient "$FINGERPRINT" --comment \ |
|
405 |
"$FILECOMMENT" > "$SECFILE" |
|
406 |
if [ -e "$RINGDIR"/mismatch ]; then |
|
407 |
rm --force "$RINGDIR"/mismatch |
|
408 |
if tty --quiet; then |
|
409 |
> "$SECFILE" |
|
410 |
else |
|
411 |
exit 1 |
|
412 |
fi |
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
413 |
fi |
237.7.42
by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively. |
414 |
done |
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
415 |
|
416 |
cat <<-EOF |
|
417 |
[$KEYNAME]
|
|
99
by Teddy Hogeborn
* mandos (fingerprint): Bug fix: Check crtverify.value, not crtverify. |
418 |
host = $KEYNAME
|
237.7.519
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
419 |
EOF
|
420 |
if [ -n "$KEY_ID" ]; then |
|
421 |
echo "key_id = $KEY_ID" |
|
422 |
fi |
|
423 |
cat <<-EOF |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
424 |
fingerprint = $FINGERPRINT
|
425 |
secret =
|
|
198
by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password. |
426 |
EOF
|
168
by Teddy Hogeborn
* initramfs-tools-hook: Use long options where available. Use only |
427 |
sed --quiet --expression=' |
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
428 |
/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
|
429 |
/^$/,${
|
|
103
by Teddy Hogeborn
* mandos-keygen: Strip 24-bit checksum of Radix-64 from output to make |
430 |
# Remove 24-bit Radix-64 checksum
|
431 |
s/=....$//
|
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
432 |
# Indent four spaces
|
433 |
/^[^-]/s/^/ /p
|
|
434 |
}
|
|
435 |
}' < "$SECFILE" |
|
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
436 |
if [ -n "$ssh_fingerprint" ]; then |
237.7.295
by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan |
437 |
echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"' |
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
438 |
echo "ssh_fingerprint = ${ssh_fingerprint}" |
439 |
fi |
|
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
440 |
fi
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
441 |
|
442 |
trap - EXIT |
|
443 |
||
97
by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and |
444 |
set +e |
445 |
# Remove the password file, if any
|
|
446 |
if [ -n "$SECFILE" ]; then |
|
447 |
shred --remove "$SECFILE" |
|
448 |
fi
|
|
73
by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage". |
449 |
# Remove the key rings
|
237.7.256
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
450 |
shred --remove "$RINGDIR"/sec* 2>/dev/null |
159
by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files. |
451 |
rm --recursive --force "$RINGDIR" |