/mandos/trunk : revision 951

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2018-08-15 09:26:02 UTC
Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u

http://bugs.debian.org/894495

mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create new keys for a Mandos client

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This file is part of Mandos.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.8.16"

VERSION="1.7.19"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

OpenPGP key length in bits. Default is 4096.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

OpenPGP subkey type. Default is RSA.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

OpenPGP subkey length in bits. Default 4096.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of OpenPGP key. Default empty.

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for OpenPGP key. Default empty.

Comment field for key. The default is empty.

-x TIME, --expire TIME

OpenPGP key expire time. Default is none.

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

109

106

-e|--email) KEYEMAIL="$2"; shift 2;;

110

107

-c|--comment) KEYCOMMENT="$2"; shift 2;;

111

108

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

109

-f|--force) FORCE=yes; shift;;

114

110

-S|--no-ssh) SSH=no; shift;;

115

111

-v|--version) echo "$0 $VERSION"; exit;;

125

121

126

122

SECKEYFILE="$KEYDIR/seckey.txt"

127

123

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

130

124

131

125

# Check for some invalid values

132

126

if [ ! -d "$KEYDIR" ]; then

147

141

echo "Empty key type" >&2

148

142

exit 1

149

143

150

144

151

145

if [ -z "$KEYNAME" ]; then

152

146

echo "Empty key name" >&2

153

147

exit 1

154

148

155

149

156

150

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

157

151

echo "Invalid key length" >&2

158

152

exit 1

159

153

160

154

161

155

if [ -z "$KEYEXPIRE" ]; then

162

156

echo "Empty key expiration" >&2

163

157

exit 1

164

158

165

159

166

160

# Make FORCE be 0 or 1

167

161

case "$FORCE" in

168

162

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

169

163

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

170

164

esac

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

165

166

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

175

167

&& [ "$FORCE" -eq 0 ]; then

176

168

echo "Refusing to overwrite old key files; use --force" >&2

177

169

exit 1

178

170

179

171

180

172

# Set lines for GnuPG batch file

181

173

if [ -n "$KEYCOMMENT" ]; then

182

174

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

184

176

if [ -n "$KEYEMAIL" ]; then

185

177

KEYEMAILLINE="Name-Email: $KEYEMAIL"

186

178

187

179

188

180

# Create temporary gpg batch file

189

181

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

191

182

192

183

193

184

if [ "$mode" = password ]; then

202

193

trap "

203

194

set +e; \

204

195

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

196

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

207

197

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

208

198

rm --recursive --force \"$RINGDIR\";

233

223

%no-protection

234

224

%commit

235

225

EOF

236

226

237

227

if tty --quiet; then

238

228

cat <<-EOF

239

229

Note: Due to entropy requirements, key generation could take

243

233

echo -n "Started: "

244

234

date

245

235

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

236

280

237

# Make sure trustdb.gpg exists;

281

238

# this is a workaround for Debian bug #737128

282

239

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

287

244

--homedir "$RINGDIR" --trust-model always \

288

245

--gen-key "$BATCHFILE"

289

246

rm --force "$BATCHFILE"

290

247

291

248

if tty --quiet; then

292

249

echo -n "Finished: "

293

250

date

294

251

295

252

296

253

# Backup any old key files

297

254

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

298

255

2>/dev/null; then

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

256

shred --remove "$SECKEYFILE"

300

257

301

258

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

302

259

2>/dev/null; then

303

260

rm --force "$PUBKEYFILE"

304

261

305

262

306

263

FILECOMMENT="Mandos client key for $KEYNAME"

307

264

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

308

265

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

309

266

310

267

311

268

if [ -n "$KEYEMAIL" ]; then

312

269

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

313

270

314

271

315

272

# Export key from key rings to key files

316

273

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

317

274

--homedir "$RINGDIR" --armor --export-options export-minimal \

323

280

324

281

325

282

if [ "$mode" = password ]; then

326

283

327

284

# Make SSH be 0 or 1

328

285

case "$SSH" in

329

286

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

287

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

288

esac

332

289

333

290

if [ $SSH -eq 1 ]; then

334

291

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

335

292

set +e

346

303

347

304

done

348

305

349

306

350

307

# Import key into temporary key rings

351

308

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

352

309

--homedir "$RINGDIR" --trust-model always --armor \

354

311

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

355

312

--homedir "$RINGDIR" --trust-model always --armor \

356

313

--import "$PUBKEYFILE"

357

314

358

315

# Get fingerprint of key

359

316

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

360

317

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

361

318

--fingerprint --with-colons \

362

319

| sed --quiet \

363

320

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

364

321

365

322

test -n "$FINGERPRINT"

366

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

323

380

324

FILECOMMENT="Encrypted password for a Mandos client"

381

325

382

326

while [ ! -s "$SECFILE" ]; do

383

327

if [ -n "$PASSFILE" ]; then

384

cat -- "$PASSFILE"

328

cat "$PASSFILE"

385

329

else

386

330

tty --quiet && stty -echo

387

331

echo -n "Enter passphrase: " >/dev/tty

397

341

echo "Passphrase mismatch" >&2

398

342

touch "$RINGDIR"/mismatch

399

343

else

400

printf "%s" "$first"

344

echo -n "$first"

401

345

402

346

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

403

347

--homedir "$RINGDIR" --trust-model always --armor \

412

356

413

357

414

358

done

415

359

416

360

cat <<-EOF

417

361

[$KEYNAME]

418

362

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

424

363

fingerprint = $FINGERPRINT

425

364

secret =

426

365

EOF

444

383

set +e

445

384

# Remove the password file, if any

446

385

if [ -n "$SECFILE" ]; then

447

shred --remove "$SECFILE" 2>/dev/null

386

shred --remove "$SECFILE"

448

387

449

388

# Remove the key rings

450

389

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »