/mandos/trunk : revision 971

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2019-02-10 08:41:14 UTC
Revision ID: teddy@recompile.se-20190210084114-u91mijrxtifvzra5

Bug fix: Only create TLS key with certtool, and read correct key file

* debian/mandos-client.postinst (create_keys): Remove any bad keys
                                               created by 1.8.0-1.
                                               Only create TLS keys if
                                               certtool succeeds.
* debian/mandos.postinst (configure): Remove any bad keys from
                                      clients.conf, and inform the
                                      user if any were found.
* debian/mandos.templates (mandos/removed_bad_key_ids): New message.
* mandos (MandosServer.handle_ipc): Do not trust a key_id with a known
                                    bad key ID.
* mandos-keygen (keygen): Only create TLS keys if certtool succeeds.
  (password): Bug fix: Generate key_id correctly, and only output
              key_id if TLS key exists.

files modified:
debian/mandos-client.postinst

debian/mandos.postinst

debian/mandos.templates

mandos

mandos-keygen

Show diffs side-by-side

added added

removed removed

mandos-keygen

187

188

# Create temporary gpg batch file

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

190

191

192

193

if [ "$mode" = password ]; then

201

202

trap "

202

203

set +e; \

203

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

204

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

205

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

206

208

rm --recursive --force \"$RINGDIR\";

241

243

echo -n "Started: "

242

244

date

243

245

244

245

# Backup any old key files

246

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

247

2>/dev/null; then

248

shred --remove "$TLS_PRIVKEYFILE"

249

250

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

251

2>/dev/null; then

252

rm --force "$TLS_PUBKEYFILE"

253

254

255

## Generate TLS private key

256

257

# First try certtool from GnuTLS

258

if ! certtool --generate-privkey --password='' \

259

--outfile "$TLS_PRIVKEYFILE" --sec-param ultra \

260

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

261

# Otherwise try OpenSSL

262

if ! openssl genpkey -algorithm X25519 -out \

263

/etc/keys/mandos/tls-privkey.pem; then

264

rm --force /etc/keys/mandos/tls-privkey.pem

265

# None of the commands succeded; give up

266

return 1

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE"

267

256

268

269

270

## TLS public key

271

272

# First try certtool from GnuTLS

273

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

274

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

275

2>/dev/null; then

276

# Otherwise try OpenSSL

277

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

278

-out "$TLS_PUBKEYFILE" -pubout; then

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

279

259

rm --force "$TLS_PUBKEYFILE"

280

# None of the commands succeded; give up

281

return 1

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP"

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

282

277

283

278

284

279

369

364

370

365

test -n "$FINGERPRINT"

371

366

372

KEY_ID="$(certtool --key-id --hash=sha256 \

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

373

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

374

370

375

if [ -z "$KEY_ID" ]; then

376

KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \

377

-outform der \

378

| openssl sha256 \

379

| sed --expression='s/^.*[^[:xdigit:]]//')

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

380

378

381

test -n "$KEY_ID"

382

379

383

380

FILECOMMENT="Encrypted password for a Mandos client"

384

381

419

416

cat <<-EOF

420

417

[$KEYNAME]

421

418

host = $KEYNAME

422

key_id = $KEY_ID

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

423

424

fingerprint = $FINGERPRINT

424

425

secret =

425

426

EOF

Older »