/mandos/trunk : revision 951

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2018-08-15 09:26:02 UTC
Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u

http://bugs.debian.org/894495

mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create new keys for a Mandos client

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This file is part of Mandos.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.8.10"

VERSION="1.7.19"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

OpenPGP key length in bits. Default is 4096.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

OpenPGP subkey type. Default is RSA.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

OpenPGP subkey length in bits. Default 4096.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of OpenPGP key. Default empty.

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for OpenPGP key. Default empty.

Comment field for key. The default is empty.

-x TIME, --expire TIME

OpenPGP key expire time. Default is none.

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

109

106

-e|--email) KEYEMAIL="$2"; shift 2;;

110

107

-c|--comment) KEYCOMMENT="$2"; shift 2;;

111

108

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

109

-f|--force) FORCE=yes; shift;;

114

110

-S|--no-ssh) SSH=no; shift;;

115

111

-v|--version) echo "$0 $VERSION"; exit;;

125

121

126

122

SECKEYFILE="$KEYDIR/seckey.txt"

127

123

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

130

124

131

125

# Check for some invalid values

132

126

if [ ! -d "$KEYDIR" ]; then

169

163

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

170

164

esac

171

165

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

166

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

175

167

&& [ "$FORCE" -eq 0 ]; then

176

168

echo "Refusing to overwrite old key files; use --force" >&2

177

169

exit 1

187

179

188

180

# Create temporary gpg batch file

189

181

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

191

182

192

183

193

184

if [ "$mode" = password ]; then

202

193

trap "

203

194

set +e; \

204

195

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

196

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

207

197

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

208

198

rm --recursive --force \"$RINGDIR\";

243

233

echo -n "Started: "

244

234

date

245

235

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

236

280

237

# Make sure trustdb.gpg exists;

281

238

# this is a workaround for Debian bug #737128

296

253

# Backup any old key files

297

254

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

298

255

2>/dev/null; then

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

256

shred --remove "$SECKEYFILE"

300

257

301

258

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

302

259

2>/dev/null; then

364

321

365

322

test -n "$FINGERPRINT"

366

323

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

380

324

FILECOMMENT="Encrypted password for a Mandos client"

381

325

382

326

while [ ! -s "$SECFILE" ]; do

383

327

if [ -n "$PASSFILE" ]; then

384

cat -- "$PASSFILE"

328

cat "$PASSFILE"

385

329

else

386

330

tty --quiet && stty -echo

387

331

echo -n "Enter passphrase: " >/dev/tty

416

360

cat <<-EOF

417

361

[$KEYNAME]

418

362

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

424

363

fingerprint = $FINGERPRINT

425

364

secret =

426

365

EOF

444

383

set +e

445

384

# Remove the password file, if any

446

385

if [ -n "$SECFILE" ]; then

447

shred --remove "$SECFILE" 2>/dev/null

386

shred --remove "$SECFILE"

448

387

449

388

# Remove the key rings

450

389

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »