/mandos/trunk : contents of mandos-keygen at revision 67

: (revision 67)

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

#!/bin/sh
# 
# Mandos key generator - create new OpenPGP keys for Mandos clients
# 
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
# 
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
#     This program is distributed in the hope that it will be useful,
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#     GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
# 
# Contact the authors at <mandos@fukt.bsnet.se>.
# 

KEYDIR="/etc/mandos"
KEYTYPE=DSA
KEYLENGTH=1024
KEYNAME="`hostname --fqdn`"
KEYEMAIL=""
KEYCOMMENT="Mandos client key"
KEYEXPIRE=0
FORCE=no
KEYCOMMENT_ORIG="$KEYCOMMENT"

# Parse options
TEMP=`getopt --options d:t:l:n:e:c:x:f \
    --longoptions dir:,type:,length:,name:,email:,comment:,expire:,force \
    --name "$0" -- "$@"`

eval set -- "$TEMP"
while :; do
    case "$1" in
	-d|--dir) KEYDIR="$2"; shift 2;;
	-t|--type) KEYTYPE="$2"; shift 2;;
	-l|--length) KEYLENGTH="$2"; shift 2;;
	-n|--name) KEYNAME="$2"; shift 2;;
	-e|--email) KEYEMAIL="$2"; shift 2;;
	-c|--comment) KEYCOMMENT="$2"; shift 2;;
	-x|--expire) KEYCOMMENT="$2"; shift 2;;
	-f|--force) FORCE=yes; shift;;
	--) shift; break;;
	*) echo "Internal error" >&2; exit 1;;
    esac
done
if [ "$#" -gt 0 ]; then
    echo "Unknown arguments: '$@'" >&2
    exit 1
fi

SECKEYFILE="$KEYDIR/seckey.txt"
PUBKEYFILE="$KEYDIR/pubkey.txt"

# Check for some invalid values
if [ -d "$KEYDIR" ]; then :; else
    echo "$KEYDIR not a directory" >&2
    exit 1
fi
if [ -w "$KEYDIR" ]; then :; else
    echo "Directory $KEYDIR not writeable" >&2
    exit 1
fi

if [ -z "$KEYTYPE" ]; then
    echo "Empty key type" >&2
    exit 1
fi

if [ -z "$KEYNAME" ]; then
    echo "Empty key name" >&2
    exit 1
fi

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
    echo "Invalid key length" >&2
    exit 1
fi

if [ -z "$KEYEXPIRE" ]; then
    echo "Empty key expiration" >&2
    exit 1
fi

# Make FORCE be 0 or 1
case "$FORCE" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
esac

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \
    && [ "$FORCE" -eq 0 ]; then
    echo "Refusing to overwrite old key files; use --force" >&2
    exit 1
fi

# Set lines for GPG batch file
if [ -n "$KEYCOMMENT" ]; then
    KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
fi
if [ -n "$KEYEMAIL" ]; then
    KEYEMAILLINE="Name-Email: $KEYEMAIL"
fi

# Create temp files
BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"
SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"
PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"

trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT

# Create batch file for GPG
cat >"$BATCHFILE" <<EOF
Key-Type: $KEYTYPE
Key-Length: $KEYLENGTH
#Key-Usage: encrypt,sign,auth
Name-Real: $KEYNAME
$KEYCOMMENTLINE
$KEYEMAILLINE
Expire-Date: $KEYEXPIRE
%pubring $PUBRING
%secring $SECRING
%commit
EOF

umask 027
gpg --no-random-seed-file --quiet --batch --no-tty \
    --no-default-keyring --batch --secret-keyring "$SECRING" \
    --keyring "$PUBRING" --gen-key "$BATCHFILE"
rm --force "$BATCHFILE"

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
    2>/dev/null; then
    shred --remove "$SECKEYFILE"
fi
if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
    2>/dev/null; then
    rm --force "$PUBKEYFILE"
fi

FILECOMMENT="Mandos client key for $KEYNAME"
if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
    FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
fi

if [ -n "$KEYEMAIL" ]; then
    FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
fi

gpg --no-random-seed-file --quiet --batch --no-tty --armor \
    --no-default-keyring --secret-keyring "$SECRING" \
    --keyring "$PUBRING" --export-options export-minimal \
    --comment "$FILECOMMENT" --output "$SECKEYFILE" \
    --export-secret-keys
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
    --no-default-keyring --secret-keyring "$SECRING" \
    --keyring "$PUBRING" --export-options export-minimal \
    --comment "$FILECOMMENT" --output "$PUBKEYFILE" \
    --export

67 by Teddy Hogeborn * mandos-keygen: New program to generate new client keys on	1	#!/bin/sh
	2	#
	3	# Mandos key generator - create new OpenPGP keys for Mandos clients
	4	#
	5	# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
	6	#
	7	# This program is free software: you can redistribute it and/or modify
	8	# it under the terms of the GNU General Public License as published by
	9	# the Free Software Foundation, either version 3 of the License, or
	10	# (at your option) any later version.
	11	#
	12	# This program is distributed in the hope that it will be useful,
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	# GNU General Public License for more details.
	16	#
	17	# You should have received a copy of the GNU General Public License
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	19	#
	20	# Contact the authors at <mandos@fukt.bsnet.se>.
	21	#
	22
	23	KEYDIR="/etc/mandos"
	24	KEYTYPE=DSA
	25	KEYLENGTH=1024
	26	KEYNAME="`hostname --fqdn`"
	27	KEYEMAIL=""
	28	KEYCOMMENT="Mandos client key"
	29	KEYEXPIRE=0
	30	FORCE=no
	31	KEYCOMMENT_ORIG="$KEYCOMMENT"
	32
	33	# Parse options
	34	TEMP=`getopt --options d:t:l:n:e:c:x:f \
	35	--longoptions dir:,type:,length:,name:,email:,comment:,expire:,force \
	36	--name "$0" -- "$@"`
	37
	38	eval set -- "$TEMP"
	39	while :; do
	40	case "$1" in
	41	-d\|--dir) KEYDIR="$2"; shift 2;;
	42	-t\|--type) KEYTYPE="$2"; shift 2;;
	43	-l\|--length) KEYLENGTH="$2"; shift 2;;
	44	-n\|--name) KEYNAME="$2"; shift 2;;
	45	-e\|--email) KEYEMAIL="$2"; shift 2;;
	46	-c\|--comment) KEYCOMMENT="$2"; shift 2;;
	47	-x\|--expire) KEYCOMMENT="$2"; shift 2;;
	48	-f\|--force) FORCE=yes; shift;;
	49	--) shift; break;;
	50	*) echo "Internal error" >&2; exit 1;;
	51	esac
	52	done
	53	if [ "$#" -gt 0 ]; then
	54	echo "Unknown arguments: '$@'" >&2
	55	exit 1
	56	fi
	57
	58	SECKEYFILE="$KEYDIR/seckey.txt"
	59	PUBKEYFILE="$KEYDIR/pubkey.txt"
	60
	61	# Check for some invalid values
	62	if [ -d "$KEYDIR" ]; then :; else
	63	echo "$KEYDIR not a directory" >&2
	64	exit 1
65	fi
66	if [ -w "$KEYDIR" ]; then :; else
67	echo "Directory $KEYDIR not writeable" >&2
68	exit 1
69	fi
70
71	if [ -z "$KEYTYPE" ]; then
72	echo "Empty key type" >&2
73	exit 1
74	fi
75
76	if [ -z "$KEYNAME" ]; then
77	echo "Empty key name" >&2
78	exit 1
79	fi
80
81	if [ -z "$KEYLENGTH" ] \|\| [ "$KEYLENGTH" -lt 512 ]; then
82	echo "Invalid key length" >&2
83	exit 1
84	fi
85
86	if [ -z "$KEYEXPIRE" ]; then
87	echo "Empty key expiration" >&2
88	exit 1
89	fi
90
91	# Make FORCE be 0 or 1
92	case "$FORCE" in
93	[Yy][Ee][Ss]\|[Tt][Rr][Uu][Ee]) FORCE=1;;
94	[Nn][Oo]\|[Ff][Aa][Ll][Ss][Ee]\|*) FORCE=0;;
95	esac
96
97	if { [ -e "$SECKEYFILE" ] \|\| [ -e "$PUBKEYFILE" ]; } \
98	&& [ "$FORCE" -eq 0 ]; then
99	echo "Refusing to overwrite old key files; use --force" >&2
100	exit 1
101	fi
102
103	# Set lines for GPG batch file
104	if [ -n "$KEYCOMMENT" ]; then
105	KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
106	fi
107	if [ -n "$KEYEMAIL" ]; then
108	KEYEMAILLINE="Name-Email: $KEYEMAIL"
109	fi
110
111	# Create temp files
112	BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"
113	SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"
114	PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"
115
116	trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT
117
118	# Create batch file for GPG
119	cat >"$BATCHFILE" <<EOF
120	Key-Type: $KEYTYPE
121	Key-Length: $KEYLENGTH
122	#Key-Usage: encrypt,sign,auth
123	Name-Real: $KEYNAME
124	$KEYCOMMENTLINE
125	$KEYEMAILLINE
126	Expire-Date: $KEYEXPIRE
127	%pubring $PUBRING
128	%secring $SECRING
129	%commit
130	EOF
131
132	umask 027
133	gpg --no-random-seed-file --quiet --batch --no-tty \
134	--no-default-keyring --batch --secret-keyring "$SECRING" \
135	--keyring "$PUBRING" --gen-key "$BATCHFILE"
136	rm --force "$BATCHFILE"
137
138	if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
139	2>/dev/null; then
140	shred --remove "$SECKEYFILE"
141	fi
142	if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
143	2>/dev/null; then
144	rm --force "$PUBKEYFILE"
145	fi
146
147	FILECOMMENT="Mandos client key for $KEYNAME"
148	if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
149	FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
150	fi
151
152	if [ -n "$KEYEMAIL" ]; then
153	FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
154	fi
155
156	gpg --no-random-seed-file --quiet --batch --no-tty --armor \
157	--no-default-keyring --secret-keyring "$SECRING" \
158	--keyring "$PUBRING" --export-options export-minimal \
159	--comment "$FILECOMMENT" --output "$SECKEYFILE" \
160	--export-secret-keys
161	gpg --no-random-seed-file --quiet --batch --no-tty --armor \
162	--no-default-keyring --secret-keyring "$SECRING" \
163	--keyring "$PUBRING" --export-options export-minimal \
164	--comment "$FILECOMMENT" --output "$PUBKEYFILE" \
165	--export