53
# Create client key pair
55
if [ -r /etc/keys/mandos/pubkey.txt \
56
-a -r /etc/keys/mandos/seckey.txt ]; then
55
# Create client key pairs
57
# If the OpenPGP key files do not exist, generate all keys using
59
if ! [ -r /etc/keys/mandos/pubkey.txt \
60
-a -r /etc/keys/mandos/seckey.txt ]; then
62
gpg-connect-agent KILLAGENT /bye || :
66
# Remove any bad TLS keys by 1.8.0-1
67
if dpkg --compare-versions "$2" eq "1.8.0-1" \
68
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
70
if ! certtool --password='' \
71
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
72
--outfile=/dev/null --pubkey-info --no-text \
74
shred --remove -- /etc/keys/mandos/tls-privkey.pem
75
rm -- /etc/keys/mandos/tls-pubkey.pem
79
# If the TLS keys already exists, do nothing
80
if [ -r /etc/keys/mandos/tls-privkey.pem \
81
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
85
# Try to create the TLS keys
87
TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"
89
if certtool --generate-privkey --password='' \
90
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
91
--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then
95
cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
96
shred --remove -- "$TLS_PRIVKEYTMP"
98
# First try certtool from GnuTLS
99
if ! certtool --password='' \
100
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
101
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
102
--no-text 2>/dev/null; then
103
# Otherwise try OpenSSL
104
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
105
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
106
rm --force /etc/keys/mandos/tls-pubkey.pem
107
# None of the commands succeded; give up
114
key_id=$(mandos-keygen --passfile=/dev/null \
115
| grep --regexp="^key_id[ =]")
118
db_fset mandos-client/key_id seen false
119
db_reset mandos-client/key_id
120
db_subst mandos-client/key_id key_id $key_id
121
db_input critical mandos-client/key_id || true
125
shred --remove -- "$TLS_PRIVKEYTMP"
62
129
create_dh_params(){