/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
1
#!/bin/sh -e
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
2
# 
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
3
# Mandos key generator - create new keys for a Mandos client
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
4
# 
237.7.517 by Teddy Hogeborn
Update copyright year to 2019
5
# Copyright © 2008-2019 Teddy Hogeborn
6
# Copyright © 2008-2019 Björn Påhlsson
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
7
# 
237.7.455 by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged!
8
# This file is part of Mandos.
9
#
10
# Mandos is free software: you can redistribute it and/or modify it
11
# under the terms of the GNU General Public License as published by
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
12
# the Free Software Foundation, either version 3 of the License, or
13
# (at your option) any later version.
14
#
237.7.455 by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged!
15
#     Mandos is distributed in the hope that it will be useful, but
16
#     WITHOUT ANY WARRANTY; without even the implied warranty of
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
17
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18
#     GNU General Public License for more details.
19
# 
20
# You should have received a copy of the GNU General Public License
237.7.455 by Teddy Hogeborn
Alter copyright notices slightly. Actual license is unchanged!
21
# along with Mandos.  If not, see <http://www.gnu.org/licenses/>.
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
22
# 
237.11.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
23
# Contact the authors at <mandos@recompile.se>.
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
24
# 
25
409 by Teddy Hogeborn
Version 1.8.16-1
26
VERSION="1.8.16"
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
27
163 by Teddy Hogeborn
* Makefile (PIDDIR, USER, GROUP): Removed.
28
KEYDIR="/etc/keys/mandos"
237.7.169 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update Linux documentation link.
29
KEYTYPE=RSA
30
KEYLENGTH=4096
31
SUBKEYTYPE=RSA
32
SUBKEYLENGTH=4096
196 by Teddy Hogeborn
* mandos-keygen (KEYNAME): Fall back to plain "hostname" if the
33
KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
34
KEYEMAIL=""
237.7.179 by Teddy Hogeborn
* mandos (priority): Bug fix: Add even more magic to make the old
35
KEYCOMMENT=""
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
36
KEYEXPIRE=0
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
37
TLS_KEYTYPE=ed25519
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
38
FORCE=no
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
39
SSH=yes
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
40
KEYCOMMENT_ORIG="$KEYCOMMENT"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
41
mode=keygen
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
42
179 by Teddy Hogeborn
* INSTALL: New file.
43
if [ ! -d "$KEYDIR" ]; then
44
    KEYDIR="/etc/mandos/keys"
45
fi
46
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
47
# Parse options
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
48
TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \
49
    --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
50
    --name "$0" -- "$@"`
51
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
52
help(){
237.7.288 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
53
basename="`basename "$0"`"
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
54
cat <<EOF
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
55
Usage: $basename [ -v | --version ]
56
       $basename [ -h | --help ]
57
   Key creation:
58
       $basename [ OPTIONS ]
59
   Encrypted password creation:
60
       $basename { -p | --password } [ --name NAME ] [ --dir DIR]
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
61
       $basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
62
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
63
Key creation options:
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
64
  -v, --version         Show program's version number and exit
65
  -h, --help            Show this help message and exit
66
  -d DIR, --dir DIR     Target directory for key files
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
67
  -t TYPE, --type TYPE  OpenPGP key type.  Default is RSA.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
68
  -l BITS, --length BITS
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
69
                        OpenPGP key length in bits.  Default is 4096.
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
70
  -s TYPE, --subtype TYPE
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
71
                        OpenPGP subkey type.  Default is RSA.
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
72
  -L BITS, --sublength BITS
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
73
                        OpenPGP subkey length in bits.  Default 4096.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
74
  -n NAME, --name NAME  Name of key.  Default is the FQDN.
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
75
  -e ADDRESS, --email ADDRESS
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
76
                        Email address of OpenPGP key.  Default empty.
123 by Teddy Hogeborn
* mandos-keygen: Minor help text change.
77
  -c TEXT, --comment TEXT
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
78
                        Comment field for OpenPGP key.  Default empty.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
79
  -x TIME, --expire TIME
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
80
                        OpenPGP key expire time.  Default is none.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
81
                        See gpg(1) for syntax.
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
82
  -T TYPE, --tls-keytype TYPE
83
                        TLS key type.  Default is ed25519.
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
84
  -f, --force           Force overwriting old key files.
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
85
86
Password creation options:
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
87
  -p, --password        Create an encrypted password using the key in
88
                        the key directory.  All options other than
89
                        --dir and --name are ignored.
90
  -F FILE, --passfile FILE
91
                        Encrypt a password from FILE using the key in
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
92
                        the key directory.  All options other than
123 by Teddy Hogeborn
* mandos-keygen: Minor help text change.
93
                        --dir and --name are ignored.
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
94
  -S, --no-ssh          Don't get SSH key or set "checker" option.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
95
EOF
96
}
97
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
98
eval set -- "$TEMP"
99
while :; do
100
    case "$1" in
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
101
	-p|--password) mode=password; shift;;
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
102
	-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
103
	-d|--dir) KEYDIR="$2"; shift 2;;
104
	-t|--type) KEYTYPE="$2"; shift 2;;
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
105
	-s|--subtype) SUBKEYTYPE="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
106
	-l|--length) KEYLENGTH="$2"; shift 2;;
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
107
	-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
108
	-n|--name) KEYNAME="$2"; shift 2;;
109
	-e|--email) KEYEMAIL="$2"; shift 2;;
110
	-c|--comment) KEYCOMMENT="$2"; shift 2;;
87 by Teddy Hogeborn
* Makefile: Bug fix: fixed creation of man pages in "plugins.d".
111
	-x|--expire) KEYEXPIRE="$2"; shift 2;;
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
112
	-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
113
	-f|--force) FORCE=yes; shift;;
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
114
	-S|--no-ssh) SSH=no; shift;;
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
115
	-v|--version) echo "$0 $VERSION"; exit;;
116
	-h|--help) help; exit;;
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
117
	--) shift; break;;
118
	*) echo "Internal error" >&2; exit 1;;
119
    esac
120
done
121
if [ "$#" -gt 0 ]; then
237.7.288 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
122
    echo "Unknown arguments: '$*'" >&2
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
123
    exit 1
124
fi
125
126
SECKEYFILE="$KEYDIR/seckey.txt"
127
PUBKEYFILE="$KEYDIR/pubkey.txt"
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
128
TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"
129
TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
130
131
# Check for some invalid values
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
132
if [ ! -d "$KEYDIR" ]; then
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
133
    echo "$KEYDIR not a directory" >&2
134
    exit 1
135
fi
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
136
if [ ! -r "$KEYDIR" ]; then
137
    echo "Directory $KEYDIR not readable" >&2
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
138
    exit 1
139
fi
140
141
if [ "$mode" = keygen ]; then
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
142
    if [ ! -w "$KEYDIR" ]; then
143
	echo "Directory $KEYDIR not writeable" >&2
144
	exit 1
145
    fi
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
146
    if [ -z "$KEYTYPE" ]; then
147
	echo "Empty key type" >&2
148
	exit 1
149
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
150
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
151
    if [ -z "$KEYNAME" ]; then
152
	echo "Empty key name" >&2
153
	exit 1
154
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
155
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
156
    if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
157
	echo "Invalid key length" >&2
158
	exit 1
159
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
160
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
161
    if [ -z "$KEYEXPIRE" ]; then
162
	echo "Empty key expiration" >&2
163
	exit 1
164
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
165
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
166
    # Make FORCE be 0 or 1
167
    case "$FORCE" in
168
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
169
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
170
    esac
237.7.811 by Teddy Hogeborn
White space fixes only
171
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
172
    if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \
173
	     || [ -e "$TLS_PRIVKEYFILE" ] \
174
	     || [ -e "$TLS_PUBKEYFILE" ]; } \
237.7.452 by Teddy Hogeborn
Use || instead of -o in shell scripts.
175
	&& [ "$FORCE" -eq 0 ]; then
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
176
	echo "Refusing to overwrite old key files; use --force" >&2
177
	exit 1
178
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
179
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
180
    # Set lines for GnuPG batch file
181
    if [ -n "$KEYCOMMENT" ]; then
182
	KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
183
    fi
184
    if [ -n "$KEYEMAIL" ]; then
185
	KEYEMAILLINE="Name-Email: $KEYEMAIL"
186
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
187
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
188
    # Create temporary gpg batch file
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
189
    BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
190
    TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
191
fi
192
193
if [ "$mode" = password ]; then
194
    # Create temporary encrypted password file
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
195
    SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"
196
fi
197
198
# Create temporary key ring directory
199
RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
200
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
201
# Remove temporary files on exit
94 by Teddy Hogeborn
* clients.conf ([DEFAULT]/checker): Update to new default value.
202
trap "
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
203
set +e; \
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
204
test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
205
test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
206
shred --remove \"$RINGDIR\"/sec* 2>/dev/null;
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
207
test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \
208
rm --recursive --force \"$RINGDIR\";
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
209
tty --quiet && stty echo; \
94 by Teddy Hogeborn
* clients.conf ([DEFAULT]/checker): Update to new default value.
210
" EXIT
67 by Teddy Hogeborn
* mandos-keygen: New program to generate new client keys on
211
237.2.215 by teddy at bsnet
* debian/control (Standards-Version): Updated to "3.9.1".
212
set -e
213
166 by Teddy Hogeborn
* Makefile (confdir/clients.conf): Tighten permissions to "u=rw".
214
umask 077
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
215
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
216
if [ "$mode" = keygen ]; then
217
    # Create batch file for GnuPG
218
    cat >"$BATCHFILE" <<-EOF
219
	Key-Type: $KEYTYPE
220
	Key-Length: $KEYLENGTH
237.7.175 by Teddy Hogeborn
* mandos-keygen: Bug fix: Specify key usage to avoid creating keys
221
	Key-Usage: sign,auth
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
222
	Subkey-Type: $SUBKEYTYPE
223
	Subkey-Length: $SUBKEYLENGTH
237.7.175 by Teddy Hogeborn
* mandos-keygen: Bug fix: Specify key usage to avoid creating keys
224
	Subkey-Usage: encrypt
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
225
	Name-Real: $KEYNAME
226
	$KEYCOMMENTLINE
227
	$KEYEMAILLINE
228
	Expire-Date: $KEYEXPIRE
229
	#Preferences: <string>
230
	#Handle: <no-spaces>
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
231
	#%pubring pubring.gpg
232
	#%secring secring.gpg
237.7.427 by Teddy Hogeborn
Fix bug when generating keys in a chroot environment.
233
	%no-protection
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
234
	%commit
235
	EOF
237.7.811 by Teddy Hogeborn
White space fixes only
236
237.2.156 by Teddy Hogeborn
* mandos-keygen (keygen): Warn about long key generation time.
237
    if tty --quiet; then
238
	cat <<-EOF
239
	Note: Due to entropy requirements, key generation could take
240
	anything from a few minutes to SEVERAL HOURS.  Please be
241
	patient and/or supply the system with more entropy if needed.
242
	EOF
243
	echo -n "Started: "
244
	date
245
    fi
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
246
247
    # Generate TLS private key
248
    if certtool --generate-privkey --password='' \
249
		--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
250
		--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then
251
	
252
	# Backup any old key files
253
	if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
254
	      2>/dev/null; then
237.7.521 by Teddy Hogeborn
Bug fix: Ignore some failures to remove files.
255
	    shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
256
	fi
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
257
	if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
258
	      2>/dev/null; then
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
259
	    rm --force "$TLS_PUBKEYFILE"
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
260
	fi
261
	cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"
237.7.521 by Teddy Hogeborn
Bug fix: Ignore some failures to remove files.
262
	shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
263
264
	## TLS public key
265
266
	# First try certtool from GnuTLS
267
	if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
268
	     --outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
269
	     2>/dev/null; then
270
	    # Otherwise try OpenSSL
271
	    if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
272
		 -out "$TLS_PUBKEYFILE" -pubout; then
273
		rm --force "$TLS_PUBKEYFILE"
274
		# None of the commands succeded; give up
275
		return 1
276
	    fi
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
277
	fi
278
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
279
237.7.211 by Teddy Hogeborn
* mandos-keygen (keygen): Add workaround for Debian bug #737128.
280
    # Make sure trustdb.gpg exists;
281
    # this is a workaround for Debian bug #737128
282
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
283
	--homedir "$RINGDIR" \
284
	--import-ownertrust < /dev/null
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
285
    # Generate a new key in the key rings
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
286
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
287
	--homedir "$RINGDIR" --trust-model always \
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
288
	--gen-key "$BATCHFILE"
289
    rm --force "$BATCHFILE"
237.7.811 by Teddy Hogeborn
White space fixes only
290
237.2.156 by Teddy Hogeborn
* mandos-keygen (keygen): Warn about long key generation time.
291
    if tty --quiet; then
292
	echo -n "Finished: "
293
	date
294
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
295
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
296
    # Backup any old key files
297
    if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
298
	2>/dev/null; then
237.7.521 by Teddy Hogeborn
Bug fix: Ignore some failures to remove files.
299
	shred --remove "$SECKEYFILE" 2>/dev/null || :
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
300
    fi
301
    if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
302
	2>/dev/null; then
303
	rm --force "$PUBKEYFILE"
304
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
305
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
306
    FILECOMMENT="Mandos client key for $KEYNAME"
307
    if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
308
	FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
309
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
310
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
311
    if [ -n "$KEYEMAIL" ]; then
312
	FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
313
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
314
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
315
    # Export key from key rings to key files
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
316
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
317
	--homedir "$RINGDIR" --armor --export-options export-minimal \
318
	--comment "$FILECOMMENT" --output "$SECKEYFILE" \
319
	--export-secret-keys
320
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
321
	--homedir "$RINGDIR" --armor --export-options export-minimal \
322
	--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
323
fi
324
325
if [ "$mode" = password ]; then
237.7.811 by Teddy Hogeborn
White space fixes only
326
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
327
    # Make SSH be 0 or 1
328
    case "$SSH" in
329
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
330
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
331
    esac
237.7.811 by Teddy Hogeborn
White space fixes only
332
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
333
    if [ $SSH -eq 1 ]; then
237.7.396 by Teddy Hogeborn
mandos-keygen: Try to use ECDSA keys with ssh-keyscan(1) by default.
334
	for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
335
	    set +e
336
	    ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"
237.7.451 by Teddy Hogeborn
Bug fix: Detect failure of ssh-keyscan in mandos-keygen --password.
337
	    err=$?
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
338
	    set -e
237.7.451 by Teddy Hogeborn
Bug fix: Detect failure of ssh-keyscan in mandos-keygen --password.
339
	    if [ $err -ne 0 ]; then
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
340
		ssh_fingerprint=""
341
		continue
342
	    fi
343
	    if [ -n "$ssh_fingerprint" ]; then
344
		ssh_fingerprint="${ssh_fingerprint#localhost }"
345
		break
346
	    fi
347
	done
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
348
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
349
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
350
    # Import key into temporary key rings
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
351
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
352
	--homedir "$RINGDIR" --trust-model always --armor \
353
	--import "$SECKEYFILE"
354
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
355
	--homedir "$RINGDIR" --trust-model always --armor \
356
	--import "$PUBKEYFILE"
237.7.811 by Teddy Hogeborn
White space fixes only
357
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
358
    # Get fingerprint of key
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
359
    FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \
237.7.288 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
360
	--enable-dsa2 --homedir "$RINGDIR" --trust-model always \
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
361
	--fingerprint --with-colons \
168 by Teddy Hogeborn
* initramfs-tools-hook: Use long options where available. Use only
362
	| sed --quiet \
363
	--expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"
237.7.811 by Teddy Hogeborn
White space fixes only
364
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
365
    test -n "$FINGERPRINT"
237.7.811 by Teddy Hogeborn
White space fixes only
366
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
367
    if [ -r "$TLS_PUBKEYFILE" ]; then
368
       KEY_ID="$(certtool --key-id --hash=sha256 \
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
369
    		       --infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"
370
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
371
       if [ -z "$KEY_ID" ]; then
372
	   KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \
373
			    -outform der \
374
			| openssl sha256 \
375
			| sed --expression='s/^.*[^[:xdigit:]]//')
376
       fi
377
       test -n "$KEY_ID"
237.7.510 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
378
    fi
237.7.811 by Teddy Hogeborn
White space fixes only
379
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
380
    FILECOMMENT="Encrypted password for a Mandos client"
237.7.811 by Teddy Hogeborn
White space fixes only
381
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
382
    while [ ! -s "$SECFILE" ]; do
383
	if [ -n "$PASSFILE" ]; then
237.7.667 by Teddy Hogeborn
mandos-keygen: Allow dashes at start of --passfile file names
384
	    cat -- "$PASSFILE"
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
385
	else
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
386
	    tty --quiet && stty -echo
237.7.428 by Teddy Hogeborn
Output the passphrase prompt to the TTY, not stderr.
387
	    echo -n "Enter passphrase: " >/dev/tty
237.7.444 by Teddy Hogeborn
Use "read -r" in shell scripts to avoid backslash escapes
388
	    read -r first
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
389
	    tty --quiet && echo >&2
237.7.428 by Teddy Hogeborn
Output the passphrase prompt to the TTY, not stderr.
390
	    echo -n "Repeat passphrase: " >/dev/tty
237.7.444 by Teddy Hogeborn
Use "read -r" in shell scripts to avoid backslash escapes
391
	    read -r second
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
392
	    if tty --quiet; then
393
		echo >&2
394
		stty echo
395
	    fi
396
	    if [ "$first" != "$second" ]; then
397
		echo "Passphrase mismatch" >&2
398
		touch "$RINGDIR"/mismatch
399
	    else
237.7.798 by Teddy Hogeborn
Bug fix in mandos-ctl: handle backslashes in password
400
		printf "%s" "$first"
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
401
	    fi
402
	fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
403
	    --homedir "$RINGDIR" --trust-model always --armor \
404
	    --encrypt --sign --recipient "$FINGERPRINT" --comment \
405
	    "$FILECOMMENT" > "$SECFILE"
406
	if [ -e "$RINGDIR"/mismatch ]; then
407
	    rm --force "$RINGDIR"/mismatch
408
	    if tty --quiet; then
409
		> "$SECFILE"
410
	    else
411
		exit 1
412
	    fi
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
413
	fi
237.7.42 by Teddy Hogeborn
* mandos-keygen: Loop until passwords match when run interactively.
414
    done
237.7.811 by Teddy Hogeborn
White space fixes only
415
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
416
    cat <<-EOF
417
	[$KEYNAME]
99 by Teddy Hogeborn
* mandos (fingerprint): Bug fix: Check crtverify.value, not crtverify.
418
	host = $KEYNAME
237.7.519 by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file
419
	EOF
420
    if [ -n "$KEY_ID" ]; then
421
	echo "key_id = $KEY_ID"
422
    fi
423
    cat <<-EOF
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
424
	fingerprint = $FINGERPRINT
425
	secret =
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
426
	EOF
168 by Teddy Hogeborn
* initramfs-tools-hook: Use long options where available. Use only
427
    sed --quiet --expression='
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
428
	/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
429
	    /^$/,${
103 by Teddy Hogeborn
* mandos-keygen: Strip 24-bit checksum of Radix-64 from output to make
430
		# Remove 24-bit Radix-64 checksum
431
		s/=....$//
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
432
		# Indent four spaces
433
		/^[^-]/s/^/    /p
434
	    }
435
	}' < "$SECFILE"
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
436
    if [ -n "$ssh_fingerprint" ]; then
237.7.295 by Teddy Hogeborn
mandos-keygen: Bug fix: Only use one SSH key from ssh-keyscan
437
	echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
438
	echo "ssh_fingerprint = ${ssh_fingerprint}"
439
    fi
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
440
fi
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
441
442
trap - EXIT
443
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
444
set +e
445
# Remove the password file, if any
446
if [ -n "$SECFILE" ]; then
237.7.521 by Teddy Hogeborn
Bug fix: Ignore some failures to remove files.
447
    shred --remove "$SECFILE" 2>/dev/null
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
448
fi
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
449
# Remove the key rings
237.7.256 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
450
shred --remove "$RINGDIR"/sec* 2>/dev/null
159 by Teddy Hogeborn
* Makefile (run-client): Do not depend on the key ring files.
451
rm --recursive --force "$RINGDIR"