From 520c9380ffe1fd16edf106ffca36a64a845a2c92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eystein=20M=C3=A5l=C3=B8y=20Stenberg?=
Date: Tue, 1 May 2018 15:16:24 -0700
Subject: [PATCH] Initial script for generating Mender client keys, especially useful for preauthorizing devices.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ChangeLog: Mender client key generator script
Signed-off-by: Eystein Måløy Stenberg
(cherry picked from commit 5d8be7d981085528583ba50a4c9ec8fdad16c9c9)
---
 support/keygen-client | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100755 support/keygen-client

diff --git a/support/keygen-client b/support/keygen-client
new file mode 100755
index 000000000..10b7a99e0
--- /dev/null
+++ b/support/keygen-client
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+FILE_NAME_PRIVATE_KEY="private.key"
+FILE_NAME_PUBLIC_KEY="public.key"
+
+# verify openssl is present and sufficiently recent (genpkey seems to require openssl 1.0+)
+command -v openssl >/dev/null 2>&1 || { echo >&2 "ERROR: Please install the openssl utility version 1.0.0 or newer to generate keys."; exit 1; }
+
+OPENSSL_VERSION_REGEX_MAJOR_BACKREF="OpenSSL ([0-9]+).*"
+OPENSSL_VERSION_STRING=$(openssl version)
+OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION_STRING" | sed -En "s/$OPENSSL_VERSION_REGEX_MAJOR_BACKREF/\1/p")
+
+if [ "$OPENSSL_VERSION_MAJOR" != "1" ]; then
+ echo "ERROR: openssl is too old, need version 1.0.0 or newer"
+ echo "ERROR: OPENSSL_VERSION_STRING=$OPENSSL_VERSION_STRING"
+ exit 1
+fi
+
+CLIENT_KEYS_DIR=$(pwd)/keys-client-generated
+
+mkdir -p "$CLIENT_KEYS_DIR"
+cd "$CLIENT_KEYS_DIR"
+
+openssl genpkey -algorithm RSA -out $FILE_NAME_PRIVATE_KEY -pkeyopt rsa_keygen_bits:3072
+
+# convert to RSA private key format
+openssl rsa -in $FILE_NAME_PRIVATE_KEY -out $FILE_NAME_PRIVATE_KEY
+
+# extract public key (e.g. for preauthorization)
+openssl rsa -in $FILE_NAME_PRIVATE_KEY -out $FILE_NAME_PUBLIC_KEY -pubout
+
+echo "A Mender client keypair has been generated in $CLIENT_KEYS_DIR."
+echo "You can use the public key ($FILE_NAME_PUBLIC_KEY) to preauthorize the device in the Mender server."
+echo "For more information please see https://docs.mender.io/server-integration/preauthorizing-devices."
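Review bot: The private key is written with whatever permissions the caller's umask gives, because nothing between `mkdir -p "$CLIENT_KEYS_DIR"` and the `openssl genpkey` call restricts them; with a common 022 umask and an OpenSSL build that does not force owner-only mode on key output, `private.key` would be readable by other local users. Adding `umask 077` before the `mkdir -p` line keeps both the newly created directory and the key files owner-only. Separately, the version test `[ "$OPENSSL_VERSION_MAJOR" != "1" ]` also rejects any major version above 1, and any build whose banner does not start with "OpenSSL", while reporting it as too old; `[ "${OPENSSL_VERSION_MAJOR:-0}" -lt 1 ]` would match the message. Re-running the script from the same directory overwrites an existing `private.key` without warning, which may deserve a guard if the matching public key has already been preauthorized on the server.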