/mandos/release : revision 237.7.510

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2019-02-09 23:23:26 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 370.
Revision ID: teddy@recompile.se-20190209232326-z1z2kzpgfixz7iaj

Add support for using raw public keys in TLS (RFC 7250)

Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and
no other library supports it, we have to change the protocol to use
something else.  We choose to use "raw public keys" (RFC 7250).  Since
we still use OpenPGP keys to decrypt the secret password, this means
that each client will have two keys: One OpenPGP key and one TLS
public/private key, and the key ID of the latter key is used to
identify clients instead of the fingerprint of the OpenPGP key.

Note that this code is still compatible with GnuTLS before version
3.6.0 (when OpenPGP key support was removed).  This commit merely adds
support for using raw pulic keys instead with GnuTLS 3.6.6. or later.

* DBUS-API (Signals/ClientNotFound): Change name of first parameter
                                     from "Fingerprint" to "KeyID".
  (Mandos Client Interface/Properties/KeyID): New.
* INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP
           key support) up until 3.6.6, when support for raw public
           keys was added.  Also document new dependency of client on
           "gnutls-bin" package (for certtool).
* Makefile (run-client): Depend on TLS key files, and also pass them
                         as arguments to client.
  (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New.
  (confdir/clients.conf): Add dependency on TLS public key.
  (purge-client): Add removal of TLS key files.
* clients.conf ([foo]/key_id, [bar]/key_id): New.
* debian/control (Source: mandos/Build-Depends): Also allow
                                                 libgnutls30 (>= 3.6.6)
  (Package: mandos/Depends): - '' -
  (Package: mandos/Description): Alter description to match new
                                 design.
  (Package: mandos-client/Description): - '' -
  (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to
                                    here from "Recommends".
* debian/mandos-client.README.Debian: Add --tls-privkey and
                                      --tls-pubkey options to test
                                      command.
* debian/mandos-client.postinst (create_key): Renamed to "create_keys"
                                             (all callers changed),
                                             and also create TLS key.
* debian/mandos-client.postrm (purge): Also remove TLS key files.
* intro.xml (DESCRIPTION): Describe new dual-key design.
* mandos (GnuTLS): Define different functions depending on whether
                   support for raw public keys is detected.
  (Client.key_id): New attribute.
  (ClientDBus.KeyID_dbus_property): New method.
  (ProxyClient.__init__): Take new "key_id" parameter.
  (ClientHandler.handle): Use key IDs when using raw public keys and
                          use fingerprints when using OpenPGP keys.
  (ClientHandler.peer_certificate): Also handle raw public keys.
  (ClientHandler.key_id): New.
  (MandosServer.handle_ipc): Pass key ID over the pipe IPC.  Also
                             check for key ID matches when looking up
                             clients.
  (main): Default GnuTLS priority string depends on whether we are
          using raw public keys or not.  When unpickling clients, set
          key_id if not set in the pickle.
  (main/MandosDBusService.ClientNotFound): Change name of first
                                           parameter from
                                           "Fingerprint" to "KeyID".
* mandos-clients.conf.xml (OPTIONS): Document new "key_id" option.
  (OPTIONS/secret): Mention new key ID matchning.
  (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option.
  (EXAMPLE): - '' -
* mandos-ctl (tablewords, main/keywords): Add new "KeyID" property.
* mandos-keygen: Create TLS key files.  New "--tls-keytype" (-T)
                 option.  Alter help text to be more clear about key
                 types.  When in password mode, also output "key_id"
                 option.
* mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option.
  (DESCRIPTION): Alter to match new dual-key design.
  (OVERVIEW): - '' -
  (FILES): Add TLS key files.
* mandos-options.xml (priority): Document new default priority string
                                 when using raw public keys.
* mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID.
  (BUGS): Remove issue about checking expire times of OpenPGP keys,
          since TLS public keys do not have expiration times.
  (SECURITY/CLIENT): Alter description to match new design.
  (SEE ALSO/GnuTLS): - '' -
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.
* overview.xml: Alter text to match new design.
* plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey
                               options to mandos-client options.
* plugins.d/mandos-client.c: Use raw public keys when compiling with
                             supporting GnuTLS versions. Add new
                             "--tls-pubkey" and "--tls-privkey"
                             options (which do nothing if GnuTLS
                             library does not support raw public
                             keys).  Alter text throughout to reflect
                             new design.  Only generate new DH
                             parameters (based on size of OpenPGP key)
                             when using OpenPGP in TLS.  Default
                             GnuTLS priority string depends on whether
                             we are using raw public keys or not.
* plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t)
                                          and "--tls-pubkey" (-T)
                                          options.
  (DESCRIPTION): Describe new dual-key design.
  (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T)
             options.
  (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key
                       size.
  (FILES): Add default locations for TLS public and private key files.
  (EXAMPLE): Use new --tls-pubkey and --tls-privkey options.
  (SECURITY): Alter wording slightly to reflect new dual-key design.
  (SEE ALSO/GnuTLS): Alter description to match new design.
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

VERSION="1.0"

KEYDIR="/etc/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn`"

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.20"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the keys in

the key directory. All options other than

--dir and --name are ignored.

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

while :; do

100

case "$1" in

101

-p|--password) mode=password; shift;;

102

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

103

-d|--dir) KEYDIR="$2"; shift 2;;

104

-t|--type) KEYTYPE="$2"; shift 2;;

105

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

109

-e|--email) KEYEMAIL="$2"; shift 2;;

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

115

-v|--version) echo "$0 $VERSION"; exit;;

116

-h|--help) help; exit;;

117

--) shift; break;;

100

119

esac

101

120

done

102

121

if [ "$#" -gt 0 ]; then

103

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

104

123

exit 1

105

124

106

125

107

126

SECKEYFILE="$KEYDIR/seckey.txt"

108

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

109

130

110

131

# Check for some invalid values

111

if [ -d "$KEYDIR" ]; then :; else

132

if [ ! -d "$KEYDIR" ]; then

112

133

echo "$KEYDIR not a directory" >&2

113

134

exit 1

114

135

115

if [ -w "$KEYDIR" ]; then :; else

116

echo "Directory $KEYDIR not writeable" >&2

117

exit 1

118

119

120

if [ "$mode" = password -a -e "$KEYDIR/trustdb.gpg.lock" ]; then

121

echo "Key directory has locked trustdb; aborting." >&2

136

if [ ! -r "$KEYDIR" ]; then

137

echo "Directory $KEYDIR not readable" >&2

122

138

exit 1

123

139

124

140

125

141

if [ "$mode" = keygen ]; then

142

if [ ! -w "$KEYDIR" ]; then

143

echo "Directory $KEYDIR not writeable" >&2

144

exit 1

145

126

146

if [ -z "$KEYTYPE" ]; then

127

147

echo "Empty key type" >&2

128

148

exit 1

137

157

echo "Invalid key length" >&2

138

158

exit 1

139

159

140

160

141

161

if [ -z "$KEYEXPIRE" ]; then

142

162

echo "Empty key expiration" >&2

143

163

exit 1

149

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

150

170

esac

151

171

152

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

153

175

&& [ "$FORCE" -eq 0 ]; then

154

176

echo "Refusing to overwrite old key files; use --force" >&2

155

177

exit 1

162

184

if [ -n "$KEYEMAIL" ]; then

163

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

164

186

165

187

166

188

# Create temporary gpg batch file

167

BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

168

190

169

191

170

192

if [ "$mode" = password ]; then

171

193

# Create temporary encrypted password file

172

SECFILE="`mktemp -t mandos-gpg-secfile.XXXXXXXXXX`"

173

174

175

# Create temporary key rings

176

SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"

177

PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"

178

179

if [ "$mode" = password ]; then

180

# If a trustdb.gpg file does not already exist, schedule it for

181

# deletion when we are done.

182

if ! [ -e "$KEYDIR/trustdb.gpg" ]; then

183

TRUSTDB="$KEYDIR/trustdb.gpg"

184

185

194

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

195

196

197

# Create temporary key ring directory

198

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

186

199

187

200

# Remove temporary files on exit

188

201

trap "

189

202

set +e; \

190

rm --force $PUBRING ${PUBRING}~ $BATCHFILE $TRUSTDB; \

191

shred --remove $SECRING $SECFILE; \

192

stty echo; \

203

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

204

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

205

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

206

rm --recursive --force \"$RINGDIR\";

207

tty --quiet && stty echo; \

193

208

" EXIT

194

209

195

umask 027

210

set -e

211

212

umask 077

196

213

197

214

if [ "$mode" = keygen ]; then

198

215

# Create batch file for GnuPG

199

216

cat >"$BATCHFILE" <<-EOF

200

217

Key-Type: $KEYTYPE

201

218

Key-Length: $KEYLENGTH

202

#Key-Usage: encrypt,sign,auth

219

Key-Usage: sign,auth

203

220

Subkey-Type: $SUBKEYTYPE

204

221

Subkey-Length: $SUBKEYLENGTH

205

#Subkey-Usage: encrypt,sign,auth

222

Subkey-Usage: encrypt

206

223

Name-Real: $KEYNAME

207

224

$KEYCOMMENTLINE

208

225

$KEYEMAILLINE

209

226

Expire-Date: $KEYEXPIRE

210

227

#Preferences: <string>

211

228

#Handle: <no-spaces>

212

%pubring $PUBRING

213

%secring $SECRING

229

#%pubring pubring.gpg

230

#%secring secring.gpg

231

%no-protection

214

232

%commit

215

233

EOF

216

234

235

if tty --quiet; then

236

cat <<-EOF

237

Note: Due to entropy requirements, key generation could take

238

anything from a few minutes to SEVERAL HOURS. Please be

239

patient and/or supply the system with more entropy if needed.

240

EOF

241

echo -n "Started: "

242

date

243

244

245

# Backup any old key files

246

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

247

2>/dev/null; then

248

shred --remove "$TLS_PRIVKEYFILE"

249

250

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

251

2>/dev/null; then

252

rm --force "$TLS_PUBKEYFILE"

253

254

255

## Generate TLS private key

256

257

# First try certtool from GnuTLS

258

if ! certtool --generate-privkey --password='' \

259

--outfile "$TLS_PRIVKEYFILE" --sec-param ultra \

260

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

261

# Otherwise try OpenSSL

262

if ! openssl genpkey -algorithm X25519 -out \

263

/etc/keys/mandos/tls-privkey.pem; then

264

rm --force /etc/keys/mandos/tls-privkey.pem

265

# None of the commands succeded; give up

266

return 1

267

268

269

270

## TLS public key

271

272

# First try certtool from GnuTLS

273

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

274

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

275

2>/dev/null; then

276

# Otherwise try OpenSSL

277

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

278

-out "$TLS_PUBKEYFILE" -pubout; then

279

rm --force "$TLS_PUBKEYFILE"

280

# None of the commands succeded; give up

281

return 1

282

283

284

285

# Make sure trustdb.gpg exists;

286

# this is a workaround for Debian bug #737128

287

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

288

--homedir "$RINGDIR" \

289

--import-ownertrust < /dev/null

217

290

# Generate a new key in the key rings

218

gpg --no-random-seed-file --quiet --batch --no-tty \

219

--no-default-keyring --no-options --enable-dsa2 \

220

--secret-keyring "$SECRING" --keyring "$PUBRING" \

291

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

292

--homedir "$RINGDIR" --trust-model always \

221

293

--gen-key "$BATCHFILE"

222

294

rm --force "$BATCHFILE"

223

295

296

if tty --quiet; then

297

echo -n "Finished: "

298

date

299

300

224

301

# Backup any old key files

225

302

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

226

303

2>/dev/null; then

240

317

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

241

318

242

319

243

# Export keys from key rings to key files

244

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

245

--no-default-keyring --no-options --enable-dsa2 \

246

--secret-keyring "$SECRING" --keyring "$PUBRING" \

247

--export-options export-minimal --comment "$FILECOMMENT" \

248

--output "$SECKEYFILE" --export-secret-keys

249

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

250

--no-default-keyring --no-options --enable-dsa2 \

251

--secret-keyring "$SECRING" --keyring "$PUBRING" \

252

--export-options export-minimal --comment "$FILECOMMENT" \

253

--output "$PUBKEYFILE" --export

320

# Export key from key rings to key files

321

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

322

--homedir "$RINGDIR" --armor --export-options export-minimal \

323

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

324

--export-secret-keys

325

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

326

--homedir "$RINGDIR" --armor --export-options export-minimal \

327

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

254

328

255

329

256

330

if [ "$mode" = password ]; then

257

# Import keys into temporary key rings

258

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

259

--no-default-keyring --no-options --enable-dsa2 \

260

--homedir "$KEYDIR" --no-permission-warning \

261

--secret-keyring "$SECRING" --keyring "$PUBRING" \

262

--trust-model always --import "$SECKEYFILE"

263

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

264

--no-default-keyring --no-options --enable-dsa2 \

265

--homedir "$KEYDIR" --no-permission-warning \

266

--secret-keyring "$SECRING" --keyring "$PUBRING" \

267

--trust-model always --import "$PUBKEYFILE"

268

331

332

# Make SSH be 0 or 1

333

case "$SSH" in

334

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

335

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

336

esac

337

338

if [ $SSH -eq 1 ]; then

339

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

340

set +e

341

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

342

err=$?

343

set -e

344

if [ $err -ne 0 ]; then

345

ssh_fingerprint=""

346

continue

347

348

if [ -n "$ssh_fingerprint" ]; then

349

ssh_fingerprint="${ssh_fingerprint#localhost }"

350

break

351

352

done

353

354

355

# Import key into temporary key rings

356

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

357

--homedir "$RINGDIR" --trust-model always --armor \

358

--import "$SECKEYFILE"

359

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

360

--homedir "$RINGDIR" --trust-model always --armor \

361

--import "$PUBKEYFILE"

362

269

363

# Get fingerprint of key

270

FINGERPRINT="`gpg --no-random-seed-file --quiet --batch --no-tty \

271

--armor --no-default-keyring --no-options --enable-dsa2 \

272

--homedir \"$KEYDIR\" --no-permission-warning \

273

--secret-keyring \"$SECRING\" --keyring \"$PUBRING\" \

274

--trust-model always --fingerprint --with-colons \

275

| sed -n -e '/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

364

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

365

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

366

--fingerprint --with-colons \

367

| sed --quiet \

368

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

276

369

277

370

test -n "$FINGERPRINT"

278

371

372

KEY_ID="$(certtool --key-id --hash=sha256 \

373

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

374

375

if [ -z "$KEY_ID" ]; then

376

KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \

377

-outform der \

378

| openssl sha256 \

379

| sed --expression='s/^.*[^[:xdigit:]]//')

380

381

test -n "$KEY_ID"

382

279

383

FILECOMMENT="Encrypted password for a Mandos client"

280

384

281

stty -echo

282

echo -n "Enter passphrase: " >&2

283

sed -e '1q' \

284

| gpg --no-random-seed-file --batch --no-tty --armor \

285

--no-default-keyring --no-options --enable-dsa2 \

286

--homedir "$KEYDIR" --no-permission-warning \

287

--secret-keyring "$SECRING" --keyring "$PUBRING" \

288

--trust-model always --encrypt --recipient "$FINGERPRINT" \

289

--comment "$FILECOMMENT" \

290

> "$SECFILE"

291

echo >&2

292

stty echo

385

while [ ! -s "$SECFILE" ]; do

386

if [ -n "$PASSFILE" ]; then

387

cat "$PASSFILE"

388

else

389

tty --quiet && stty -echo

390

echo -n "Enter passphrase: " >/dev/tty

391

read -r first

392

tty --quiet && echo >&2

393

echo -n "Repeat passphrase: " >/dev/tty

394

read -r second

395

if tty --quiet; then

396

echo >&2

397

stty echo

398

399

if [ "$first" != "$second" ]; then

400

echo "Passphrase mismatch" >&2

401

touch "$RINGDIR"/mismatch

402

else

403

echo -n "$first"

404

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

406

--homedir "$RINGDIR" --trust-model always --armor \

407

--encrypt --sign --recipient "$FINGERPRINT" --comment \

408

"$FILECOMMENT" > "$SECFILE"

409

if [ -e "$RINGDIR"/mismatch ]; then

410

rm --force "$RINGDIR"/mismatch

411

if tty --quiet; then

412

> "$SECFILE"

413

else

414

exit 1

415

416

417

done

293

418

294

419

cat <<-EOF

295

420

[$KEYNAME]

296

421

host = $KEYNAME

422

key_id = $KEY_ID

297

423

fingerprint = $FINGERPRINT

298

424

secret =

299

EOF

300

sed -n -e '

425

EOF

426

sed --quiet --expression='

301

427

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

302

428

/^$/,${

303

429

# Remove 24-bit Radix-64 checksum

306

432

/^[^-]/s/^/ /p

307

433

}

308

434

}' < "$SECFILE"

435

if [ -n "$ssh_fingerprint" ]; then

436

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

437

echo "ssh_fingerprint = ${ssh_fingerprint}"

438

309

439

310

440

311

441

trap - EXIT

316

446

shred --remove "$SECFILE"

317

447

318

448

# Remove the key rings

319

shred --remove "$SECRING"

320

rm --force "$PUBRING" "${PUBRING}~"

321

# Remove the trustdb, if one did not exist when we started

322

if [ -n "$TRUSTDB" ]; then

323

rm --force "$TRUSTDB"

324

449

shred --remove "$RINGDIR"/sec* 2>/dev/null

450

rm --recursive --force "$RINGDIR"

Older »