Author: Diane Trout <diane@ghic.org>
Subject: Delete keys that are too small
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898969

--- a/dnssec-trigger-control-setup.sh.in
+++ b/dnssec-trigger-control-setup.sh.in
@@ -172,6 +172,22 @@
 	exit 0
 fi
 
+# remove (to regenerate) keys that are too small)
+debian_get_x509_bits () {
+    openssl x509 -in $1 -text | \
+        grep 'Public-Key:'  |
+        awk 'match($0,/[0-9]+/) {print substr($0, RSTART, RLENGTH)}';
+}
+debian_remove_small_keys () {
+    if test -f $1.pem; then
+        if [ $(debian_get_x509_bits $1.pem) -lt $BITS ]; then
+            rm $1.key $1.pem;
+        fi
+    fi
+}
+debian_remove_small_keys $SVR_BASE
+debian_remove_small_keys $CTL_BASE
+
 # create certificate keys; do not recreate if they already exist.
 if test -f $SVR_BASE.key; then
 	echo "$SVR_BASE.key exists"
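Review bot: `debian_remove_small_keys` passes the raw output of `debian_get_x509_bits` straight into `[ ... -lt $BITS ]`, so when openssl fails to parse the file or the `Public-Key:` line carries no number the test degenerates to `[ -lt $BITS ]`, which is a shell syntax error that evaluates false and silently keeps the undersized key. Capture and validate the value first: `bits=$(debian_get_x509_bits "$1.pem")` / `if [ -n "$bits" ] && [ "$bits" -lt "$BITS" ]; then` / `rm -- "$1.key" "$1.pem"`. A second gap: the client certificate is signed with the server key (`-CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key` in the last hunk), so when only the server pair is removed here the surviving `$CTL_BASE.pem` no longer chains to the regenerated server certificate, yet the new `test -f $CTL_BASE.pem` guard in the last hunk skips re-signing it; removing the server pair should also remove `$CTL_BASE.pem`. The comment on the first added line has an unbalanced closing parenthesis.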
@@ -186,8 +202,11 @@
 	openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
 fi
 
-# create self-signed cert for server
-cat >request.cfg <<EOF
+if test -f $SVR_BASE.pem; then
+    echo "$SVR_BASE.pem exists"
+else
+    # create self-signed cert for server
+    cat >request.cfg <<EOF
 [req]
 default_bits=$BITS
 default_md=$HASH
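Review bot: The new guard on the first added line only tests `$SVR_BASE.pem`, but the branch it skips also produces `$SVR_BASE"_trust.pem"`, which the client-signing step in a later hunk reads as its `-CA`; if the trust file is missing while the pem exists (for instance after an interrupted earlier run) it is never recreated. Extend the condition to `if test -f $SVR_BASE.pem && test -f $SVR_BASE"_trust.pem"; then`. The `if` opened here closes outside this hunk.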
@@ -197,15 +216,19 @@
 [req_distinguished_name]
 commonName=$SERVERNAME
 EOF
-test -f request.cfg || error "could not create request.cfg"
+    test -f request.cfg || error "could not create request.cfg"
 
-echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-# create trusted usage pem
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+    echo "create $SVR_BASE.pem (self signed certificate)"
+    openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+    # create trusted usage pem
+    openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+fi
 
-# create client request and sign it, piped
-cat >request.cfg <<EOF
+if test -f $CTL_BASE.pem; then
+    echo "$CTL_BASE.pem already exists"
+else
+    # create client request and sign it, piped
+    cat >request.cfg <<EOF
 [req]
 default_bits=$BITS
 default_md=$HASH
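Review bot: The `openssl x509 -in $SVR_BASE.pem -addtrust serverAuth` line in the server branch has no `|| error`, unlike the `openssl req` line just above it, so a failure there leaves `$SVR_BASE.pem` in place (which now makes the guard skip the whole branch on the next run) without the `_trust.pem` that the client signing depends on. Append `|| error "could not create ${SVR_BASE}_trust.pem"` to that line. As a point of style, the skip message `"$CTL_BASE.pem already exists"` differs from the `"$SVR_BASE.pem exists"` and `"$SVR_BASE.key exists"` wording used elsewhere; `echo "$CTL_BASE.pem exists"` would keep the output uniform. The client `if` opened at the end of this hunk closes in the next hunk.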
@@ -215,11 +238,13 @@
 [req_distinguished_name]
 commonName=$CLIENTNAME
 EOF
-test -f request.cfg || error "could not create request.cfg"
+    test -f request.cfg || error "could not create request.cfg"
+
+    echo "create $CTL_BASE.pem (signed client certificate)"
+    openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
+    test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
+fi
 
-echo "create $CTL_BASE.pem (signed client certificate)"
-openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
-test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
 # create trusted usage pem
 # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
 
