[ssh-ca] / bin / sign

#! /bin/sh

set -e
. lib/func.sh

## The key types are adorned with bit lengths.  Work out the raw key type
## names.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.
rm -rf publish.new
mkdir publish.new
exec 3<etc/hosts 4>publish.new/hosts.list
echo ":certificate-authority" >&4
for kt in $rawkeytypes; do
  cp ca/ca-$kt.pub publish.new/
  read pub <ca/ca-$kt.pub
  echo "@cert-authority $scope $pub" |
	tee publish.new/ca-$kt.entry >&4
  ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
done

## Sign the various host keys.
last=%%%
while read line <&3; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
    ##*[! 	]*) ;;
    ##*) continue ;;
  esac

  ## Read the host line.
  set -- $line
  case "$1" in
    @domain) domain=$2 ;;
    @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
  esac
  host=$1
  names=""
  nicks=""

  ## If this is a different host, then start a new section of the list.
  case "$last" in
    "$host") ;;
    *) { echo; echo ":host $host"; } >&4 ;;
  esac
  last=$host

  ## Build a list of names for the host.
  for n in "$@"; do
    case "$n" in
      .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
      *.* | *:*) names=${names:+$names,}$n ;;
      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
    esac
  done

  ## Sign certificates.
  for kt in $rawkeytypes; do
    if [ ! -f host/$host-$kt.pub ]; then continue; fi
    cp host/$host-$kt.pub publish.new/
    ssh-keygen -q -tv00 -sca/ca-$kt \
      -h -I"$cacomment:$host.$domain" -n$names \
      -V$validity \
      publish.new/$host-$kt.pub
    mv publish.new/$host-$kt-cert.pub \
      publish.new/$host-$kt.cert
    { printf "%s " $names; cat host/$host-$kt.pub; } >&4
    ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
  done
done
exec 3>&- 4>&-

## Sign the list.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old
Commit	Line	Data
a91e8fcb MW	1	#! /bin/sh
	2
	3	set -e
	4	. lib/func.sh
	5
	6	## The key types are adorned with bit lengths. Work out the raw key type
	7	## names.
	8	rawkeytypes=""
	9	for kt in $keytypes; do
	10	rawkeytypes="$rawkeytypes ${kt%:*}"
	11	done
	12
	13	## Start a new output directory.
	14	rm -rf publish.new
	15	mkdir publish.new
6e968190 MW	16	exec 3<etc/hosts 4>publish.new/hosts.list
6e968190 MW	17	echo ":certificate-authority" >&4
a91e8fcb	18	for kt in $rawkeytypes; do
50b96dc7	19	cp ca/ca-$kt.pub publish.new/
a91e8fcb	20	read pub <ca/ca-$kt.pub
6e968190 MW	21	echo "@cert-authority $scope $pub" \|
	22	tee publish.new/ca-$kt.entry >&4
	23	ssh-keygen -lv -fca/ca-$kt.pub \| sed 's,^,\| ,' >&4
a91e8fcb MW	24	done
	25
	26	## Sign the various host keys.
a91e8fcb MW	27	last=%%%
	28	while read line <&3; do
	29
	30	## Ignore comments and empty lines.
	31	case "$line" in
	32	"#"* \| "") continue ;;
	33	##[! ]) ;;
	34	##*) continue ;;
	35	esac
	36
	37	## Read the host line.
	38	set -- $line
39415972 MW	39	case "$1" in
	40	@domain) domain=$2 ;;
	41	@*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
	42	esac
a91e8fcb MW	43	host=$1
a91e8fcb MW	44	names=""
58f8f79d	45	nicks=""
a91e8fcb MW	46
a91e8fcb MW	47	## If this is a different host, then start a new section of the list.
fcacefc9	48	case "$last" in
fcacefc9	49	"$host") ;;
6e968190	50	*) { echo; echo ":host $host"; } >&4 ;;
fcacefc9	51	esac
a91e8fcb MW	52	last=$host
	53
	54	## Build a list of names for the host.
	55	for n in "$@"; do
a91e8fcb	56	case "$n" in
6e968190	57	.*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
58f8f79d	58	. \| :) names=${names:+$names,}$n ;;
6e968190	59	*) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
a91e8fcb MW	60	esac
	61	done
	62
	63	## Sign certificates.
	64	for kt in $rawkeytypes; do
	65	if [ ! -f host/$host-$kt.pub ]; then continue; fi
50b96dc7	66	cp host/$host-$kt.pub publish.new/
8bcf3925	67	ssh-keygen -q -tv00 -sca/ca-$kt \
a91e8fcb MW	68	-h -I"$cacomment:$host.$domain" -n$names \
a91e8fcb MW	69	-V$validity \
50b96dc7 MW	70	publish.new/$host-$kt.pub
	71	mv publish.new/$host-$kt-cert.pub \
	72	publish.new/$host-$kt.cert
6e968190	73	{ printf "%s " $names; cat host/$host-$kt.pub; } >&4
12ee14a5	74	ssh-keygen -lv -fhost/$host-$kt.pub \| sed 's,^,\| ,' >&4
a91e8fcb MW	75	done
	76	done
	77	exec 3>&- 4>&-
	78
	79	## Sign the list.
50b96dc7 MW	80	run_gpg --armor -o publish.new/hosts.asc \
	81	--clearsign publish.new/hosts.list
	82	rm publish.new/hosts.list
a91e8fcb MW	83
a91e8fcb MW	84	## Include a copy of the public key.
50b96dc7	85	run_gpg --export --armor -o publish.new/ca-gnupg.asc
a91e8fcb MW	86
a91e8fcb MW	87	## Done.
1535a6d2 MW	88	if [ -d publish ]; then
	89	rm -rf publish.old
	90	mv publish publish.old
	91	fi
a91e8fcb	92	mv publish.new publish
50b96dc7	93	rm -rf publish.old