To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to debian/mandos-client.postinst
- browse files at revision 237.4.103
- compare with another revision
- compare with revision 61
- download diff
- download tarball
- view history from revision 237.4.103
- Committer: Teddy Hogeborn
- Date: 2019-02-10 08:42:12 UTC
- mfrom: (971 trunk)
- mto: This revision was merged to the branch mainline in revision 972.
- Revision ID: teddy@recompile.se-20190210084212-03amy0lli8p0s79o
MergeĀ fromĀ trunk
added
removed
debian/mandos-client.postinst
63
63
return 0
64
64
fi
65
65
66
# Remove any bad TLS keys by 1.8.0-1
67
if dpkg --compare-versions "$2" eq "1.8.0-1" \
68
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
69
# Is the key bad?
70
if ! certtool --password='' \
71
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
72
--outfile=/dev/null --pubkey-info --no-text \
73
2>/dev/null; then
74
shred --remove -- /etc/keys/mandos/tls-privkey.pem
75
rm -- /etc/keys/mandos/tls-pubkey.pem
76
fi
77
fi
78
66
79
# If the TLS keys already exists, do nothing
67
80
if [ -r /etc/keys/mandos/tls-privkey.pem \
68
81
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
69
82
return 0
70
83
fi
71
84
72
# If this is an upgrade from an old installation, the TLS keys
73
# will not exist; create them.
74
75
# First try certtool from GnuTLS
76
if ! certtool --generate-privkey --password='' \
77
--outfile /etc/keys/mandos/tls-privkey.pem \
78
--sec-param ultra --key-type=ed25519 --pkcs8 --no-text \
79
2>/dev/null; then
80
# Otherwise try OpenSSL
81
if ! openssl genpkey -algorithm X25519 \
82
-out /etc/keys/mandos/tls-privkey.pem; then
83
rm --force /etc/keys/mandos/tls-privkey.pem
84
# None of the commands succeded; give up
85
return 1
86
fi
87
fi
88
89
local umask=$(umask)
90
umask 077
91
# First try certtool from GnuTLS
92
if ! certtool --password='' \
93
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
94
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
95
--no-text 2>/dev/null; then
96
# Otherwise try OpenSSL
97
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
98
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
99
rm --force /etc/keys/mandos/tls-pubkey.pem
100
# None of the commands succeded; give up
101
umask $umask
102
return 1
103
fi
104
fi
105
umask $umask
106
107
key_id=$(mandos-keygen --passfile=/dev/null \
108
| grep --regexp="^key_id[ =]")
109
110
db_version 2.0
111
db_fset mandos-client/key_id seen false
112
db_reset mandos-client/key_id
113
db_subst mandos-client/key_id key_id $key_id
114
db_input critical mandos-client/key_id || true
115
db_go
116
db_stop
85
# Try to create the TLS keys
86
87
TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"
88
89
if certtool --generate-privkey --password='' \
90
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
91
--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then
92
93
local umask=$(umask)
94
umask 077
95
cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
96
shred --remove -- "$TLS_PRIVKEYTMP"
97
98
# First try certtool from GnuTLS
99
if ! certtool --password='' \
100
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
101
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
102
--no-text 2>/dev/null; then
103
# Otherwise try OpenSSL
104
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
105
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
106
rm --force /etc/keys/mandos/tls-pubkey.pem
107
# None of the commands succeded; give up
108
umask $umask
109
return 1
110
fi
111
fi
112
umask $umask
113
114
key_id=$(mandos-keygen --passfile=/dev/null \
115
| grep --regexp="^key_id[ =]")
116
117
db_version 2.0
118
db_fset mandos-client/key_id seen false
119
db_reset mandos-client/key_id
120
db_subst mandos-client/key_id key_id $key_id
121
db_input critical mandos-client/key_id || true
122
db_go
123
db_stop
124
else
125
shred --remove -- "$TLS_PRIVKEYTMP"
126
fi
117
127
}
118
128
119
129
create_dh_params(){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0