/mandos/trunk : revision 1131

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2019-07-29 16:35:53 UTC
Revision ID: teddy@recompile.se-20190729163553-1i442i2cbx64c537

Make tests and man page examples match

Make the tests test_manual_page_example[1-5] match exactly what is
written in the manual page, and add comments to manual page as
reminders to keep tests and manual page examples in sync.

* mandos-ctl (Test_commands_from_options.test_manual_page_example_1):
  Remove "--verbose" option, since the manual does not have it as the
  first example, and change assertion to match.
* mandos-ctl.xml (EXAMPLE): Add comments to all examples documenting
  which test function they correspond to.  Also remove unnecessary
  quotes from option arguments in fourth example, and clarify language
  slightly in fifth example.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
etc-plugins.d-README

initramfs-tools-hook-conf

plugins.d/usplash

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0"

VERSION="1.8.4"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn`"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the keys in

the key directory. All options other than

--dir and --name are ignored.

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

while :; do

100

case "$1" in

101

-p|--password) mode=password; shift;;

102

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

103

-d|--dir) KEYDIR="$2"; shift 2;;

104

-t|--type) KEYTYPE="$2"; shift 2;;

105

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

109

-e|--email) KEYEMAIL="$2"; shift 2;;

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

115

-v|--version) echo "$0 $VERSION"; exit;;

116

-h|--help) help; exit;;

117

--) shift; break;;

100

119

esac

101

120

done

102

121

if [ "$#" -gt 0 ]; then

103

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

104

123

exit 1

105

124

106

125

107

126

SECKEYFILE="$KEYDIR/seckey.txt"

108

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

109

130

110

131

# Check for some invalid values

111

132

if [ ! -d "$KEYDIR" ]; then

136

157

echo "Invalid key length" >&2

137

158

exit 1

138

159

139

160

140

161

if [ -z "$KEYEXPIRE" ]; then

141

162

echo "Empty key expiration" >&2

142

163

exit 1

148

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

149

170

esac

150

171

151

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

152

-a "$FORCE" -eq 0 ]; then

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

153

176

echo "Refusing to overwrite old key files; use --force" >&2

154

177

exit 1

155

178

161

184

if [ -n "$KEYEMAIL" ]; then

162

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

163

186

164

187

165

188

# Create temporary gpg batch file

166

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

167

191

168

192

169

193

if [ "$mode" = password ]; then

178

202

trap "

179

203

set +e; \

180

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

181

shred --remove \"$RINGDIR\"/sec*;

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

182

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

183

208

rm --recursive --force \"$RINGDIR\";

184

stty echo; \

209

tty --quiet && stty echo; \

185

210

" EXIT

186

211

212

set -e

213

187

214

umask 077

188

215

189

216

if [ "$mode" = keygen ]; then

191

218

cat >"$BATCHFILE" <<-EOF

192

219

Key-Type: $KEYTYPE

193

220

Key-Length: $KEYLENGTH

194

#Key-Usage: encrypt,sign,auth

221

Key-Usage: sign,auth

195

222

Subkey-Type: $SUBKEYTYPE

196

223

Subkey-Length: $SUBKEYLENGTH

197

#Subkey-Usage: encrypt,sign,auth

224

Subkey-Usage: encrypt

198

225

Name-Real: $KEYNAME

199

226

$KEYCOMMENTLINE

200

227

$KEYEMAILLINE

203

230

#Handle: <no-spaces>

204

231

#%pubring pubring.gpg

205

232

#%secring secring.gpg

233

%no-protection

206

234

%commit

207

235

EOF

208

236

237

if tty --quiet; then

238

cat <<-EOF

239

Note: Due to entropy requirements, key generation could take

240

anything from a few minutes to SEVERAL HOURS. Please be

241

patient and/or supply the system with more entropy if needed.

242

EOF

243

echo -n "Started: "

244

date

245

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

280

# Make sure trustdb.gpg exists;

281

# this is a workaround for Debian bug #737128

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

283

--homedir "$RINGDIR" \

284

--import-ownertrust < /dev/null

209

285

# Generate a new key in the key rings

210

286

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

211

287

--homedir "$RINGDIR" --trust-model always \

212

288

--gen-key "$BATCHFILE"

213

289

rm --force "$BATCHFILE"

214

290

291

if tty --quiet; then

292

echo -n "Finished: "

293

date

294

295

215

296

# Backup any old key files

216

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

217

298

2>/dev/null; then

218

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

219

300

220

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

221

302

2>/dev/null; then

231

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

232

313

233

314

234

# Export keys from key rings to key files

315

# Export key from key rings to key files

235

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

236

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

237

318

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

242

323

243

324

244

325

if [ "$mode" = password ]; then

245

# Import keys into temporary key rings

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

335

set +e

336

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

337

err=$?

338

set -e

339

if [ $err -ne 0 ]; then

340

ssh_fingerprint=""

341

continue

342

343

if [ -n "$ssh_fingerprint" ]; then

344

ssh_fingerprint="${ssh_fingerprint#localhost }"

345

break

346

347

done

348

349

350

# Import key into temporary key rings

246

351

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

247

352

--homedir "$RINGDIR" --trust-model always --armor \

248

353

--import "$SECKEYFILE"

252

357

253

358

# Get fingerprint of key

254

359

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

255

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

360

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

256

361

--fingerprint --with-colons \

257

362

| sed --quiet \

258

363

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

259

364

260

365

test -n "$FINGERPRINT"

261

366

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

262

380

FILECOMMENT="Encrypted password for a Mandos client"

263

381

264

stty -echo

265

echo -n "Enter passphrase: " >&2

266

head --lines=1 | tr --delete '\n' \

267

| gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

268

--homedir "$RINGDIR" --trust-model always --armor --encrypt \

269

--recipient "$FINGERPRINT" --comment "$FILECOMMENT" \

270

> "$SECFILE"

271

echo >&2

272

stty echo

382

while [ ! -s "$SECFILE" ]; do

383

if [ -n "$PASSFILE" ]; then

384

cat -- "$PASSFILE"

385

else

386

tty --quiet && stty -echo

387

echo -n "Enter passphrase: " >/dev/tty

388

read -r first

389

tty --quiet && echo >&2

390

echo -n "Repeat passphrase: " >/dev/tty

391

read -r second

392

if tty --quiet; then

393

echo >&2

394

stty echo

395

396

if [ "$first" != "$second" ]; then

397

echo "Passphrase mismatch" >&2

398

touch "$RINGDIR"/mismatch

399

else

400

echo -n "$first"

401

402

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

403

--homedir "$RINGDIR" --trust-model always --armor \

404

--encrypt --sign --recipient "$FINGERPRINT" --comment \

405

"$FILECOMMENT" > "$SECFILE"

406

if [ -e "$RINGDIR"/mismatch ]; then

407

rm --force "$RINGDIR"/mismatch

408

if tty --quiet; then

409

> "$SECFILE"

410

else

411

exit 1

412

413

414

done

273

415

274

416

cat <<-EOF

275

417

[$KEYNAME]

276

418

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

277

424

fingerprint = $FINGERPRINT

278

425

secret =

279

EOF

426

EOF

280

427

sed --quiet --expression='

281

428

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

282

429

/^$/,${

286

433

/^[^-]/s/^/ /p

287

434

}

288

435

}' < "$SECFILE"

436

if [ -n "$ssh_fingerprint" ]; then

437

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

438

echo "ssh_fingerprint = ${ssh_fingerprint}"

439

289

440

290

441

291

442

trap - EXIT

293

444

set +e

294

445

# Remove the password file, if any

295

446

if [ -n "$SECFILE" ]; then

296

shred --remove "$SECFILE"

447

shred --remove "$SECFILE" 2>/dev/null

297

448

298

449

# Remove the key rings

299

shred --remove "$RINGDIR"/sec*

450

shred --remove "$RINGDIR"/sec* 2>/dev/null

300

451

rm --recursive --force "$RINGDIR"

Older »