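#! /bin/sh
##
## Build a fresh `publish' directory: copy the CA and host public keys,
## sign every host key with the CA, and emit a signed host list
## (hosts.asc) together with a known_hosts fragment.
##
## Variables this script reads but does not set (presumably provided by
## the environment or lib/func.sh -- confirm there):
##   keytypes   space-separated key types, each adorned as TYPE:BITS
##   scope      host pattern written into the `@cert-authority' lines
##   cacomment  prefix of the certificate key identity (ssh-keygen -I)
##   validity   certificate validity interval (ssh-keygen -V)
##   domain     default domain appended to unqualified host names
##   run_gpg    wrapper around gpg (assumed defined in lib/func.sh)
##
## Input file etc/hosts: one host per line, `HOST [ALIAS ...]'.  Lines
## beginning with `#' and empty lines are ignored; `@domain DOMAIN'
## changes the domain used for the hosts that follow it.

set -e
. lib/func.sh
orig_domain=$domain date=$(date +%Y-%m-%d)

## The key types are adorned with bit lengths.  Work out the raw key type
## names by stripping everything from the first `:' onwards.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.  Everything is written to publish.new
## and swapped into place at the end, so a failed run leaves the current
## `publish' untouched.
rm -rf publish.new
mkdir publish.new

## fd 3: host list input; fd 4: the host list to be signed; fd 5: the
## known_hosts fragment (note that only the host list is signed below).
exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
echo ":certificate-authority" >&4
for kt in $rawkeytypes; do
  cp "ca/ca-$kt.pub" publish.new/
  ## A public key file is a single line, so one read collects it all.
  read -r pub <"ca/ca-$kt.pub"
  ## The `@cert-authority' line goes both into the list and into a
  ## standalone `.entry' file for users who want just that line.
  echo "@cert-authority $scope $pub" |
    tee "publish.new/ca-$kt.entry" >&4
  ## Fingerprint and visual-art block, quoted with `| ' so it cannot be
  ## mistaken for a real entry when the list is read back.
  ssh-keygen -lv -f"ca/ca-$kt.pub" | sed 's,^,| ,' >&4
done

## Sign the various host keys.
last=%%%
idomain=$domain
echo >&5 "### BEGIN $idomain KEYS (generated $date)"
while read -r line <&3; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
  esac

  ## Read the host line.  The expansion is deliberately unquoted so the
  ## line is split into words: the host name first, then its aliases.
  set -- $line
  case "$1" in
    @domain)
      ## A directive, not a host: switch the domain for the following
      ## hosts and go on to the next line.  Without the `continue' this
      ## line would be treated as a host called `@domain' and a bogus
      ## `:host @domain' section would be written to the list.
      domain=$2
      continue
      ;;
    @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
  esac
  host=$1
  names=""
  nicks=""

  ## If this is a different host, then start a new section of the list.
  case "$last" in
    "$host") ;;
    *) { echo; echo ":host $host"; } >&4 ;;
  esac
  last=$host

  ## Build a comma-separated list of principals for the host:
  ##   .SUFFIX      append SUFFIX.$domain to each short name seen so far
  ##   contains . or :   taken literally (fully qualified name or address)
  ##   anything else     a short name; remember it and qualify with $domain
  for n in "$@"; do
    case "$n" in
      .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
      *.* | *:*) names=${names:+$names,}$n ;;
      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
    esac
  done

  ## Sign certificates, one per key type for which the host has a key.
  for kt in $rawkeytypes; do
    [ -f "host/$host-$kt.pub" ] || continue
    cp "host/$host-$kt.pub" publish.new/
    ## -h marks a host certificate; -n lists the principals it is valid
    ## for.  `-t v00' selects the older certificate format: check that the
    ## installed ssh-keygen still accepts it before relying on this.
    ssh-keygen -q -tv00 -s"ca/ca-$kt" \
      -h -I"$cacomment:$host.$domain" -n"$names" \
      -V"$validity" \
      "publish.new/$host-$kt.pub"
    ## ssh-keygen writes the certificate as KEY-cert.pub; rename it.
    mv "publish.new/$host-$kt-cert.pub" \
      "publish.new/$host-$kt.cert"
    ## The raw host key, prefixed by its principals, goes into both the
    ## host list and the known_hosts fragment.
    for fd in 4 5; do
      { printf "%s " "$names"; cat "host/$host-$kt.pub"; } >&$fd
    done
    ssh-keygen -lv -f"host/$host-$kt.pub" | sed 's,^,| ,' >&4
  done
done
echo >&5 "### END $idomain KEYS"
exec 3>&- 4>&- 5>&-

## Sign the list.  hosts.asc is the artifact to distribute; the
## known_hosts fragment written above is not signed.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key so recipients can verify hosts.asc.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done.  Swap the new tree into place; publish.old only exists while
## the rename is in progress.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old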