~mdw / ssh-ca / blame
| Commit | Line | Data |
|---|---|---|
| a91e8fcb MW |
1 | #! /bin/sh |
| 2 | ||
| 3 | set -e | |
| 4 | . lib/func.sh | |
| 5 | ||
| 6 | ## The key types are adorned with bit lengths. Work out the raw key type | |
| 7 | ## names. | |
| 8 | rawkeytypes="" | |
| 9 | for kt in $keytypes; do | |
| 10 | rawkeytypes="$rawkeytypes ${kt%:*}" | |
| 11 | done | |
| 12 | ||
| 13 | ## Start a new output directory. | |
| 14 | rm -rf publish.new | |
| 15 | mkdir publish.new | |
| a91e8fcb | 16 | for kt in $rawkeytypes; do |
| 50b96dc7 | 17 | cp ca/ca-$kt.pub publish.new/ |
| a91e8fcb | 18 | read pub <ca/ca-$kt.pub |
| 1df87dec | 19 | echo "@cert-authority $scope $pub" >publish.new/ca-$kt.entry |
| a91e8fcb MW |
20 | done |
| 21 | ||
| 22 | ## Sign the various host keys. | |
| 50b96dc7 | 23 | exec 3<etc/hosts 4>publish.new/hosts.list |
| a91e8fcb MW |
24 | last=%%% |
| 25 | while read line <&3; do | |
| 26 | ||
| 27 | ## Ignore comments and empty lines. | |
| 28 | case "$line" in | |
| 29 | "#"* | "") continue ;; | |
| 30 | ##*[! ]*) ;; | |
| 31 | ##*) continue ;; | |
| 32 | esac | |
| 33 | ||
| 34 | ## Read the host line. | |
| 35 | set -- $line | |
| 36 | host=$1 | |
| 37 | names="" | |
| 58f8f79d | 38 | nicks="" |
| a91e8fcb MW |
39 | |
| 40 | ## If this is a different host, then start a new section of the list. | |
| fcacefc9 MW |
41 | case "$last" in |
| 42 | "%%%") echo "$host" >&4 ;; | |
| 43 | "$host") ;; | |
| 44 | *) { echo; echo "$host"; } >&4 ;; | |
| 45 | esac | |
| a91e8fcb MW |
46 | last=$host |
| 47 | ||
| 48 | ## Build a list of names for the host. | |
| 49 | for n in "$@"; do | |
| a91e8fcb | 50 | case "$n" in |
| 58f8f79d MW |
51 | .*) for h in $nicks; do names=${names:+$names,}$h$n,$h$n.$domain; done ;; |
| 52 | *.* | *:*) names=${names:+$names,}$n ;; | |
| 53 | *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n,$n.$domain ;; | |
| a91e8fcb MW |
54 | esac |
| 55 | done | |
| 56 | ||
| 57 | ## Sign certificates. | |
| 58 | for kt in $rawkeytypes; do | |
| 59 | if [ ! -f host/$host-$kt.pub ]; then continue; fi | |
| 50b96dc7 | 60 | cp host/$host-$kt.pub publish.new/ |
| 8bcf3925 | 61 | ssh-keygen -q -tv00 -sca/ca-$kt \ |
| a91e8fcb MW |
62 | -h -I"$cacomment:$host.$domain" -n$names \ |
| 63 | -V$validity \ | |
| 50b96dc7 MW |
64 | publish.new/$host-$kt.pub |
| 65 | mv publish.new/$host-$kt-cert.pub \ | |
| 66 | publish.new/$host-$kt.cert | |
| 67 | ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4 | |
| a91e8fcb MW |
68 | done |
| 69 | done | |
| 70 | exec 3>&- 4>&- | |
| 71 | ||
| 72 | ## Sign the list. | |
| 50b96dc7 MW |
73 | run_gpg --armor -o publish.new/hosts.asc \ |
| 74 | --clearsign publish.new/hosts.list | |
| 75 | rm publish.new/hosts.list | |
| a91e8fcb MW |
76 | |
| 77 | ## Include a copy of the public key. | |
| 50b96dc7 | 78 | run_gpg --export --armor -o publish.new/ca-gnupg.asc |
| a91e8fcb MW |
79 | |
| 80 | ## Done. | |
| 1535a6d2 MW |
81 | if [ -d publish ]; then |
| 82 | rm -rf publish.old | |
| 83 | mv publish publish.old | |
| 84 | fi | |
| a91e8fcb | 85 | mv publish.new publish |
| 50b96dc7 | 86 | rm -rf publish.old |