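#! /bin/sh
##
## Build a fresh `publish' directory for an SSH certificate authority: copy
## the CA public keys, write a `@cert-authority' known_hosts entry for each,
## sign every host key listed in etc/hosts, and GnuPG-clearsign the resulting
## list of hosts and fingerprints.  The previous `publish' is only replaced
## (via publish.new / publish.old) once everything else has succeeded.
##
## Settings: keytypes, scope, domain, cacomment and validity are read but not
## defined here; lib/func.sh (which also provides run_gpg) is presumably
## where they come from -- confirm.

set -e
. lib/func.sh

## Fail early, with a clear message, rather than signing with empty settings.
: "${keytypes:?keytypes must be set (e.g. by lib/func.sh)}"
: "${scope:?scope must be set (known_hosts pattern for the CA entry)}"
: "${domain:?domain must be set}"
: "${validity:?validity must be set (ssh-keygen -V interval)}"

## The key types are adorned with bit lengths.  Work out the raw key type
## names by dropping everything from the last `:' on.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.
rm -rf publish.new
mkdir publish.new
for kt in $rawkeytypes; do
  cp "ca/ca-$kt.pub" publish.new/
  ## Only the first line of the public key file is wanted; -r keeps any
  ## backslashes in the comment field intact.
  read -r pub <"ca/ca-$kt.pub"
  printf '%s\n' "@cert-authority $scope $pub" >"publish.new/ca-$kt.entry"
done

## Sign the various host keys.  fd 3 reads the host list; fd 4 collects the
## human-readable list of hosts and fingerprints that is clearsigned below.
exec 3<etc/hosts 4>publish.new/hosts.list
last=%%%   # sentinel: no host has been written to the list yet
while read -r line <&3; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
  esac

  ## Read the host line: the first word is the host, the rest are its names.
  ## Globbing is switched off around the split so that a stray `*' or `?' in
  ## the file cannot expand against the working directory.
  set -f
  set -- $line
  set +f
  [ $# -gt 0 ] || continue   # whitespace-only line
  host=$1
  names=""
  nicks=""

  ## If this is a different host, then start a new section of the list.
  case "$last" in
    "%%%") printf '%s\n' "$host" >&4 ;;
    "$host") ;;
    *) printf '\n%s\n' "$host" >&4 ;;
  esac
  last=$host

  ## Build a comma-separated list of principals for the host:
  ##   .suffix   -> every nickname seen so far with the suffix appended,
  ##                both bare and under $domain
  ##   a.b / a:b -> taken as-is (already qualified, or an address)
  ##   plain     -> a nickname; added bare and as plain.$domain
  for n in "$@"; do
    case "$n" in
      .*)
        for h in $nicks; do
          names=${names:+$names,}$h$n,$h$n.$domain
        done
        ;;
      *.* | *:*)
        names=${names:+$names,}$n
        ;;
      *)
        nicks=${nicks:+$nicks }$n
        names=${names:+$names,}$n,$n.$domain
        ;;
    esac
  done

  ## Sign a certificate for each key type the host has a key for.
  for kt in $rawkeytypes; do
    [ -f "host/$host-$kt.pub" ] || continue
    cp "host/$host-$kt.pub" publish.new/
    ## -t v00 selects the legacy certificate format; newer OpenSSH releases
    ## dropped it, so check that the installed ssh-keygen still accepts it.
    ssh-keygen -q -tv00 -s"ca/ca-$kt" \
      -h -I"$cacomment:$host.$domain" -n"$names" \
      -V"$validity" \
      "publish.new/$host-$kt.pub"
    mv "publish.new/$host-$kt-cert.pub" \
      "publish.new/$host-$kt.cert"
    ## Capture the fingerprint first: a pipeline's status is that of `sed',
    ## so a failing ssh-keygen would otherwise slip past `set -e'.
    fpr=$(ssh-keygen -lv -f"publish.new/$host-$kt.pub")
    printf '%s\n' "$fpr" | sed 's,^,| ,' >&4
  done
done
exec 3>&- 4>&-

## Sign the list.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done: swap the new tree into place, keeping the old one only until the
## swap has succeeded.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old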