#!/bin/sh -e
# 
# Mandos key generator - create new keys for a Mandos client
# 
# Copyright © 2008-2019 Teddy Hogeborn
# Copyright © 2008-2019 Björn Påhlsson
# 
# This file is part of Mandos.
#
# Mandos is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
#     Mandos is distributed in the hope that it will be useful, but
#     WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#     GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with Mandos.  If not, see <http://www.gnu.org/licenses/>.
# 
# Contact the authors at <mandos@recompile.se>.
# 
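# Program version, printed by --version.
VERSION="1.8.17"

# Defaults.  Most of these can be overridden by command-line options
# (see help() and the option loop below).
KEYDIR="/etc/keys/mandos"
KEYTYPE=RSA
KEYLENGTH=4096
SUBKEYTYPE=RSA
SUBKEYLENGTH=4096
# Fall back to the plain host name if "hostname --fqdn" is not
# supported or fails; "$(...)" instead of backticks nests and quotes
# cleanly.
KEYNAME="$(hostname --fqdn 2>/dev/null || hostname)"
KEYEMAIL=""
KEYCOMMENT=""
KEYEXPIRE=0
TLS_KEYTYPE=ed25519
FORCE=no
SSH=yes
# Remembered so that the exported key's file comment can tell whether
# a comment was given on the command line.
KEYCOMMENT_ORIG="$KEYCOMMENT"
# "keygen" (default) or "password"
mode=keygen

# Use the alternative key directory if the default one does not exist.
if [ ! -d "$KEYDIR" ]; then
    KEYDIR="/etc/mandos/keys"
fi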
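# Parse options.  getopt(1) (the util-linux version, which understands
# --longoptions) rewrites the command line into a canonical, quoted
# form that is re-read with "eval set --" below.  A bad option makes
# getopt fail, which under "sh -e" terminates the script here.  The
# short and long option lists must stay in step with the "case" below
# and with the text in help().
TEMP=$(getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \
    --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \
    --name "$0" -- "$@")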
help(){
740 by Teddy Hogeborn
mandos-keygen: Fix some stylistic quoting issues.
53
basename="`basename "$0"`"
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
54
cat <<EOF
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
55
Usage: $basename [ -v | --version ]
56
       $basename [ -h | --help ]
57
   Key creation:
58
       $basename [ OPTIONS ]
59
   Encrypted password creation:
60
       $basename { -p | --password } [ --name NAME ] [ --dir DIR]
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
61
       $basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
62
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
63
Key creation options:
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
64
  -v, --version         Show program's version number and exit
65
  -h, --help            Show this help message and exit
66
  -d DIR, --dir DIR     Target directory for key files
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
67
  -t TYPE, --type TYPE  OpenPGP key type.  Default is RSA.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
68
  -l BITS, --length BITS
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
69
                        OpenPGP key length in bits.  Default is 4096.
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
70
  -s TYPE, --subtype TYPE
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
71
                        OpenPGP subkey type.  Default is RSA.
96 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
72
  -L BITS, --sublength BITS
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
73
                        OpenPGP subkey length in bits.  Default 4096.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
74
  -n NAME, --name NAME  Name of key.  Default is the FQDN.
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
75
  -e ADDRESS, --email ADDRESS
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
76
                        Email address of OpenPGP key.  Default empty.
123 by Teddy Hogeborn
* mandos-keygen: Minor help text change.
77
  -c TEXT, --comment TEXT
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
78
                        Comment field for OpenPGP key.  Default empty.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
79
  -x TIME, --expire TIME
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
80
                        OpenPGP key expire time.  Default is none.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
81
                        See gpg(1) for syntax.
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
82
  -T TYPE, --tls-keytype TYPE
83
                        TLS key type.  Default is ed25519.
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
84
  -f, --force           Force overwriting old key files.
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
85
86
Password creation options:
198 by Teddy Hogeborn
* mandos-keygen: New "--passfile" option. Confirm entered password.
87
  -p, --password        Create an encrypted password using the key in
88
                        the key directory.  All options other than
89
                        --dir and --name are ignored.
90
  -F FILE, --passfile FILE
91
                        Encrypt a password from FILE using the key in
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
92
                        the key directory.  All options other than
123 by Teddy Hogeborn
* mandos-keygen: Minor help text change.
93
                        --dir and --name are ignored.
708 by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints.
94
  -S, --no-ssh          Don't get SSH key or set "checker" option.
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
95
EOF
96
}
# Apply the options.  getopt(1) has already rewritten the command line
# into $TEMP in canonical form, so every option that takes a value is
# followed by exactly one word and the list ends with "--".  Each arm
# below consumes the option's value (if any); the "shift" after the
# "case" consumes the option word itself.
eval set -- "$TEMP"
while :; do
    case "$1" in
	--)
	    shift
	    break
	    ;;
	-p|--password) mode=password;;
	-F|--passfile) mode=password; PASSFILE="$2"; shift;;
	-d|--dir) KEYDIR="$2"; shift;;
	-t|--type) KEYTYPE="$2"; shift;;
	-s|--subtype) SUBKEYTYPE="$2"; shift;;
	-l|--length) KEYLENGTH="$2"; shift;;
	-L|--sublength) SUBKEYLENGTH="$2"; shift;;
	-n|--name) KEYNAME="$2"; shift;;
	-e|--email) KEYEMAIL="$2"; shift;;
	-c|--comment) KEYCOMMENT="$2"; shift;;
	-x|--expire) KEYEXPIRE="$2"; shift;;
	-T|--tls-keytype) TLS_KEYTYPE="$2"; shift;;
	-f|--force) FORCE=yes;;
	-S|--no-ssh) SSH=no;;
	-v|--version) echo "$0 $VERSION"; exit;;
	-h|--help) help; exit;;
	*) echo "Internal error" >&2; exit 1;;
    esac
    shift
done
# Anything left after "--" is a positional argument, which this
# program does not accept.
if [ "$#" -gt 0 ]; then
    echo "Unknown arguments: '$*'" >&2
    exit 1
fi
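# File names of the key material inside the key directory
SECKEYFILE="$KEYDIR/seckey.txt"
PUBKEYFILE="$KEYDIR/pubkey.txt"
TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"
TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

# Check for some invalid values
if [ ! -d "$KEYDIR" ]; then
    echo "$KEYDIR not a directory" >&2
    exit 1
fi
if [ ! -r "$KEYDIR" ]; then
    echo "Directory $KEYDIR not readable" >&2
    exit 1
fi

if [ "$mode" = keygen ]; then
    if [ ! -w "$KEYDIR" ]; then
	echo "Directory $KEYDIR not writeable" >&2
	exit 1
    fi
    if [ -z "$KEYTYPE" ]; then
	echo "Empty key type" >&2
	exit 1
    fi

    if [ -z "$KEYNAME" ]; then
	echo "Empty key name" >&2
	exit 1
    fi

    # Reject anything that is not a plain decimal number before the
    # numeric comparison: "[ x -lt 512 ]" on a non-number is a test(1)
    # error, which "if" treats as false (and "-e" does not apply
    # inside a condition), so a value like "4k" would otherwise pass
    # validation and only fail later inside gpg.
    case "$KEYLENGTH" in
	''|*[!0-9]*)
	    echo "Invalid key length" >&2
	    exit 1
	    ;;
    esac
    if [ "$KEYLENGTH" -lt 512 ]; then
	echo "Invalid key length" >&2
	exit 1
    fi

    if [ -z "$KEYEXPIRE" ]; then
	echo "Empty key expiration" >&2
	exit 1
    fi

    # Make FORCE be 0 or 1
    case "$FORCE" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
    esac

    # Never replace existing key material unless explicitly asked to
    if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \
	     || [ -e "$TLS_PRIVKEYFILE" ] \
	     || [ -e "$TLS_PUBKEYFILE" ]; } \
	&& [ "$FORCE" -eq 0 ]; then
	echo "Refusing to overwrite old key files; use --force" >&2
	exit 1
    fi

    # Set lines for GnuPG batch file.  Left unset (giving an empty
    # line in the batch file) when the corresponding value is empty.
    if [ -n "$KEYCOMMENT" ]; then
	KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
    fi
    if [ -n "$KEYEMAIL" ]; then
	KEYEMAILLINE="Name-Email: $KEYEMAIL"
    fi

    # Create temporary gpg batch file and temporary TLS private key
    # file.  Both are created before the cleanup trap is installed
    # further down, but are still empty at that point.
    BATCHFILE="$(mktemp -t mandos-keygen-batch.XXXXXXXXXX)"
    TLS_PRIVKEYTMP="$(mktemp -t mandos-keygen-privkey.XXXXXXXXXX)"
fi

if [ "$mode" = password ]; then
    # Create temporary encrypted password file
    SECFILE="$(mktemp -t mandos-keygen-secfile.XXXXXXXXXX)"
fi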
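# Create temporary key ring directory
RINGDIR="$(mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX)"

# Remove temporary files on exit.  The trap body is single-quoted so
# that the file names are expanded when the trap runs, not spliced
# into the trap string and re-parsed as shell syntax; the variables
# are never reassigned, so the values are the same either way.
# Cleanup is best-effort: "set +e" keeps one failed step from skipping
# the rest.  Secret key material in the key ring is shredded before
# the directory is removed; GnuPG 2.1 and later keeps it under
# private-keys-v1.d/ rather than in sec*.
trap '
set +e
test -n "$SECFILE" && shred --remove "$SECFILE"
test -n "$TLS_PRIVKEYTMP" && shred --remove "$TLS_PRIVKEYTMP"
shred --remove "$RINGDIR"/sec* "$RINGDIR"/private-keys-v1.d/* 2>/dev/null
test -n "$BATCHFILE" && rm --force "$BATCHFILE"
rm --recursive --force "$RINGDIR"
tty --quiet && stty echo
' EXIT

# Abort on the first failing command from here on (the "-e" on the
# "#!" line is lost if the script is run as "sh mandos-keygen").
set -e

# Everything created from here on (key files, batch file contents)
# must be readable by the owner only.
umask 077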
73 by Teddy Hogeborn
* Makefile (COVERAGE): Change back to "--coverage".
215
97 by Teddy Hogeborn
* mandos-keygen: Bug fix: Recognize new options --subtype and
216
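if [ "$mode" = keygen ]; then
    # Create batch file for GnuPG (unattended key generation; leading
    # tabs are stripped by "<<-").  An empty $KEYCOMMENTLINE or
    # $KEYEMAILLINE simply yields an empty line.
    cat >"$BATCHFILE" <<-EOF
	Key-Type: $KEYTYPE
	Key-Length: $KEYLENGTH
	Key-Usage: sign,auth
	Subkey-Type: $SUBKEYTYPE
	Subkey-Length: $SUBKEYLENGTH
	Subkey-Usage: encrypt
	Name-Real: $KEYNAME
	$KEYCOMMENTLINE
	$KEYEMAILLINE
	Expire-Date: $KEYEXPIRE
	#Preferences: <string>
	#Handle: <no-spaces>
	#%pubring pubring.gpg
	#%secring secring.gpg
	%no-protection
	%commit
	EOF

    if tty --quiet; then
	cat <<-EOF
	Note: Due to entropy requirements, key generation could take
	anything from a few minutes to SEVERAL HOURS.  Please be
	patient and/or supply the system with more entropy if needed.
	EOF
	echo -n "Started: "
	date
    fi

    # Generate TLS private key into the temporary file.  If certtool
    # fails (its stderr is discarded) the whole TLS key part is
    # skipped and only the OpenPGP key is created.
    if certtool --generate-privkey --password='' \
		--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
		--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

	# Backup any old key files.  Copying a file onto itself with
	# --backup makes GNU cp create only the numbered backup, and
	# it fails when the file does not exist, so this doubles as
	# the existence test.  Note that the backup keeps the old
	# private key on disk (unshredded) in the key directory.
	if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
	      2>/dev/null; then
	    shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :
	fi
	if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
	      2>/dev/null; then
	    rm --force "$TLS_PUBKEYFILE"
	fi
	cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"
	shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

	## TLS public key

	# First try certtool from GnuTLS
	if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
	     --outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
	     2>/dev/null; then
	    # Otherwise try OpenSSL
	    if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
		 -out "$TLS_PUBKEYFILE" -pubout; then
		rm --force "$TLS_PUBKEYFILE"
		# None of the commands succeeded; give up.  This is
		# top-level code, so "exit", not "return" (which is
		# only valid inside a function).
		echo "Could not extract TLS public key from $TLS_PRIVKEYFILE" >&2
		exit 1
	    fi
	fi
    fi

    # Make sure trustdb.gpg exists;
    # this is a workaround for Debian bug #737128
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	--homedir "$RINGDIR" \
	--import-ownertrust < /dev/null
    # Generate a new key in the (temporary) key rings
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	--homedir "$RINGDIR" --trust-model always \
	--gen-key "$BATCHFILE"
    rm --force "$BATCHFILE"

    if tty --quiet; then
	echo -n "Finished: "
	date
    fi

    # Backup any old key files (same cp-onto-itself idiom as above;
    # the old secret key survives as a numbered backup file)
    if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
	2>/dev/null; then
	shred --remove "$SECKEYFILE" 2>/dev/null || :
    fi
    if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
	2>/dev/null; then
	rm --force "$PUBKEYFILE"
    fi

    # Comment line written into the armored key files
    FILECOMMENT="Mandos client key for $KEYNAME"
    if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
	FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
    fi

    if [ -n "$KEYEMAIL" ]; then
	FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
    fi

    # Export key from key rings to key files
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	--homedir "$RINGDIR" --armor --export-options export-minimal \
	--comment "$FILECOMMENT" --output "$SECKEYFILE" \
	--export-secret-keys
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	--homedir "$RINGDIR" --armor --export-options export-minimal \
	--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export
fi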
if [ "$mode" = password ]; then
    # Password mode: encrypt a passphrase to the client's OpenPGP key
    # and print a configuration section for the Mandos server.

    # Make SSH be 0 or 1
    case "$SSH" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
    esac

    if [ $SSH -eq 1 ]; then
	# Look up this host's SSH host key for the "checker" setting.
	# Try with the quiet option first, then without, and the key
	# types in the order listed; the first non-empty result wins
	# ("break 2").  ssh_keyscan_quiet is deliberately unquoted so
	# that the empty alternative expands to no argument at all.
	# The -q option is new in OpenSSH 9.8
	for ssh_keyscan_quiet in "-q " ""; do
	    for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
		# A failing ssh-keyscan must not abort the script, so
		# its status is captured with "-e" temporarily off.
		set +e
		ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"
		err=$?
		set -e
		if [ $err -ne 0 ]; then
		    ssh_fingerprint=""
		    continue
		fi
		if [ -n "$ssh_fingerprint" ]; then
		    # Strip the leading "localhost " host field
		    ssh_fingerprint="${ssh_fingerprint#localhost }"
		    break 2
		fi
	    done
	done
    fi

    # Import key into temporary key rings
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	--homedir "$RINGDIR" --trust-model always --armor \
	--import "$SECKEYFILE"
    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	--homedir "$RINGDIR" --trust-model always --armor \
	--import "$PUBKEYFILE"

    # Get fingerprint of key: the hex field of the first "fpr:" record
    # in gpg's colon-separated output (sed quits after the first
    # match).  The doubled backslashes are for the backtick quoting.
    FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \
	--enable-dsa2 --homedir "$RINGDIR" --trust-model always \
	--fingerprint --with-colons \
	| sed --quiet \
	--expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"

    # Abort (via "-e") if no fingerprint was found
    test -n "$FINGERPRINT"

    # Identifier of the TLS public key, if there is one: certtool's
    # --key-id first, otherwise the SHA-256 of the DER-encoded public
    # key via OpenSSL.  Either way, abort if it came out empty.
    if [ -r "$TLS_PUBKEYFILE" ]; then
       KEY_ID="$(certtool --key-id --hash=sha256 \
    		       --infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

       if [ -z "$KEY_ID" ]; then
	   KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \
			    -outform der \
			| openssl sha256 \
			| sed --expression='s/^.*[^[:xdigit:]]//')
       fi
       test -n "$KEY_ID"
    fi

    FILECOMMENT="Encrypted password for a Mandos client"

    # Read the passphrase and encrypt it, repeating until $SECFILE is
    # non-empty.  The passphrase is piped from the subshell on the left
    # straight into gpg; it is never written to a file or passed on a
    # command line.  Echo is turned off while typing when on a TTY.
    while [ ! -s "$SECFILE" ]; do
	if [ -n "$PASSFILE" ]; then
	    cat -- "$PASSFILE"
	else
	    tty --quiet && stty -echo
	    echo -n "Enter passphrase: " >/dev/tty
	    read -r first
	    tty --quiet && echo >&2
	    echo -n "Repeat passphrase: " >/dev/tty
	    read -r second
	    if tty --quiet; then
		echo >&2
		stty echo
	    fi
	    if [ "$first" != "$second" ]; then
		# The subshell cannot set a variable in the parent, so
		# signal the mismatch through a marker file instead.
		echo "Passphrase mismatch" >&2
		touch "$RINGDIR"/mismatch
	    else
		printf "%s" "$first"
	    fi
	fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
	    --homedir "$RINGDIR" --trust-model always --armor \
	    --encrypt --sign --recipient "$FINGERPRINT" --comment \
	    "$FILECOMMENT" > "$SECFILE"
	# On mismatch, gpg has still produced output; empty $SECFILE so
	# the loop asks again when interactive, otherwise give up.
	if [ -e "$RINGDIR"/mismatch ]; then
	    rm --force "$RINGDIR"/mismatch
	    if tty --quiet; then
		> "$SECFILE"
	    else
		exit 1
	    fi
	fi
    done

    # Print the configuration section
    cat <<-EOF
	[$KEYNAME]
	host = $KEYNAME
	EOF
    if [ -n "$KEY_ID" ]; then
	echo "key_id = $KEY_ID"
    fi
    cat <<-EOF
	fingerprint = $FINGERPRINT
	secret =
	EOF
    # Emit the body of the armored PGP message (the lines after the
    # first empty line, i.e. after the armor headers), indented for
    # the config file; the text inside the sed script is sed comments.
    sed --quiet --expression='
	/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
	    /^$/,${
		# Remove 24-bit Radix-64 checksum
		s/=....$//
		# Indent four spaces
		/^[^-]/s/^/    /p
	    }
	}' < "$SECFILE"
    # NOTE(review): the doubled "%%(host)s" and single
    # "%(ssh_fingerprint)s" presumably reflect %-substitution done by
    # the Mandos server on the "checker" value — confirm against the
    # server's config handling.
    if [ -n "$ssh_fingerprint" ]; then
	if [ -n "$ssh_keyscan_quiet" ]; then
	    echo "# Note: if the Mandos server has OpenSSH older than 9.8, the ${ssh_keyscan_quiet}"
	    echo "# option *must* be removed from the 'checker' setting below"
	fi
	echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
	echo "ssh_fingerprint = ${ssh_fingerprint}"
    fi
fi
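# Normal completion: disarm the exit-time cleanup trap and do the
# same cleanup explicitly.
trap - EXIT

# Cleanup is best-effort from here on
set +e
# Remove the password file, if any
if [ -n "$SECFILE" ]; then
    shred --remove "$SECFILE" 2>/dev/null
fi
# Remove the key rings.  Shred the secret key material first: GnuPG
# 2.1 and later keeps it under private-keys-v1.d/, older versions in
# sec*.  The guard keeps an empty RINGDIR from making the globs expand
# relative to the root directory.
if [ -n "$RINGDIR" ]; then
    shred --remove "$RINGDIR"/sec* "$RINGDIR"/private-keys-v1.d/* 2>/dev/null
    rm --recursive --force "$RINGDIR"
fi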