/mandos/trunk : revision 1131

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2019-07-29 16:35:53 UTC
Revision ID: teddy@recompile.se-20190729163553-1i442i2cbx64c537

Make tests and man page examples match

Make the tests test_manual_page_example[1-5] match exactly what is
written in the manual page, and add comments to manual page as
reminders to keep tests and manual page examples in sync.

* mandos-ctl (Test_commands_from_options.test_manual_page_example_1):
  Remove "--verbose" option, since the manual does not have it as the
  first example, and change assertion to match.
* mandos-ctl.xml (EXAMPLE): Add comments to all examples documenting
  which test function they correspond to.  Also remove unnecessary
  quotes from option arguments in fourth example, and clarify language
  slightly in fifth example.

files added:
debian/po/POTFILES.in

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf-hook

files modified:
.bzrignore

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.templates

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.templates

debian/rules

debian/watch

initramfs-unpack

intro.xml

mandos

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.20"

VERSION="1.8.4"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

187

188

# Create temporary gpg batch file

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

190

191

192

193

if [ "$mode" = password ]; then

201

202

trap "

202

203

set +e; \

203

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

204

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

205

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

206

208

rm --recursive --force \"$RINGDIR\";

241

243

echo -n "Started: "

242

244

date

243

245

244

245

# Backup any old key files

246

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

247

2>/dev/null; then

248

shred --remove "$TLS_PRIVKEYFILE"

249

250

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

251

2>/dev/null; then

252

rm --force "$TLS_PUBKEYFILE"

253

254

255

## Generate TLS private key

256

257

# First try certtool from GnuTLS

258

if ! certtool --generate-privkey --password='' \

259

--outfile "$TLS_PRIVKEYFILE" --sec-param ultra \

260

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

261

# Otherwise try OpenSSL

262

if ! openssl genpkey -algorithm X25519 -out \

263

/etc/keys/mandos/tls-privkey.pem; then

264

rm --force /etc/keys/mandos/tls-privkey.pem

265

# None of the commands succeded; give up

266

return 1

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

267

256

268

269

270

## TLS public key

271

272

# First try certtool from GnuTLS

273

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

274

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

275

2>/dev/null; then

276

# Otherwise try OpenSSL

277

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

278

-out "$TLS_PUBKEYFILE" -pubout; then

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

279

259

rm --force "$TLS_PUBKEYFILE"

280

# None of the commands succeded; give up

281

return 1

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

282

277

283

278

284

279

301

296

# Backup any old key files

302

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

303

298

2>/dev/null; then

304

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

305

300

306

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

307

302

2>/dev/null; then

369

364

370

365

test -n "$FINGERPRINT"

371

366

372

KEY_ID="$(certtool --key-id --hash=sha256 \

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

373

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

374

370

375

if [ -z "$KEY_ID" ]; then

376

KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \

377

-outform der \

378

| openssl sha256 \

379

| sed --expression='s/^.*[^[:xdigit:]]//')

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

380

378

381

test -n "$KEY_ID"

382

379

383

380

FILECOMMENT="Encrypted password for a Mandos client"

384

381

385

382

while [ ! -s "$SECFILE" ]; do

386

383

if [ -n "$PASSFILE" ]; then

387

cat "$PASSFILE"

384

cat -- "$PASSFILE"

388

385

else

389

386

tty --quiet && stty -echo

390

387

echo -n "Enter passphrase: " >/dev/tty

419

416

cat <<-EOF

420

417

[$KEYNAME]

421

418

host = $KEYNAME

422

key_id = $KEY_ID

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

423

424

fingerprint = $FINGERPRINT

424

425

secret =

425

426

EOF

443

444

set +e

444

445

# Remove the password file, if any

445

446

if [ -n "$SECFILE" ]; then

446

shred --remove "$SECFILE"

447

shred --remove "$SECFILE" 2>/dev/null

447

448

449

# Remove the key rings

449

450

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »