[ssh-ca] / bin / sign

#! /bin/sh

set -e
. lib/func.sh
orig_domain=$domain date=$(date +%Y-%m-%d)

## The key types are adorned with bit lengths.  Work out the raw key type
## names.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.
rm -rf publish.new
mkdir publish.new
exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
echo ":certificate-authority" >&4
for kt in $rawkeytypes; do
  cp ca/ca-$kt.pub publish.new/
  read pub <ca/ca-$kt.pub
  echo "@cert-authority $scope $pub" |
	tee publish.new/ca-$kt.entry >&4
  ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
done

## Sign the various host keys.
last=%%%
idomain=$domain
echo >&5 "### BEGIN $idomain KEYS (generated $date)"
while read line <&3; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
    ##*[! 	]*) ;;
    ##*) continue ;;
  esac

  ## Read the host line.
  set -- $line
  case "$1" in
    @domain) domain=$2 ;;
    @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
  esac
  host=$1
  names=""
  nicks=""

  ## If this is a different host, then start a new section of the list.
  case "$last" in
    "$host") ;;
    *) { echo; echo ":host $host"; } >&4 ;;
  esac
  last=$host

  ## Build a list of names for the host.
  for n in "$@"; do
    case "$n" in
      .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
      *.* | *:*) names=${names:+$names,}$n ;;
      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
    esac
  done

  ## Sign certificates.
  for kt in $rawkeytypes; do
    if [ ! -f host/$host-$kt.pub ]; then continue; fi
    cp host/$host-$kt.pub publish.new/
    ssh-keygen -q -tv00 -sca/ca-$kt \
      -h -I"$cacomment:$host.$domain" -n$names \
      -V$validity \
      publish.new/$host-$kt.pub
    mv publish.new/$host-$kt-cert.pub \
      publish.new/$host-$kt.cert
    for fd in 4 5; do
      { printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
    done
    ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
  done
done
echo >&5 "### END $idomain KEYS"
exec 3>&- 4>&- 5>&-

## Sign the list.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old
Commit	Line	Data
a91e8fcb MW	1	#! /bin/sh
	2
	3	set -e
	4	. lib/func.sh
e91c736e	5	orig_domain=$domain date=$(date +%Y-%m-%d)
a91e8fcb MW	6
	7	## The key types are adorned with bit lengths. Work out the raw key type
	8	## names.
	9	rawkeytypes=""
	10	for kt in $keytypes; do
	11	rawkeytypes="$rawkeytypes ${kt%:*}"
	12	done
	13
	14	## Start a new output directory.
	15	rm -rf publish.new
	16	mkdir publish.new
e91c736e	17	exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
6e968190	18	echo ":certificate-authority" >&4
a91e8fcb	19	for kt in $rawkeytypes; do
50b96dc7	20	cp ca/ca-$kt.pub publish.new/
a91e8fcb	21	read pub <ca/ca-$kt.pub
6e968190 MW	22	echo "@cert-authority $scope $pub" \|
	23	tee publish.new/ca-$kt.entry >&4
	24	ssh-keygen -lv -fca/ca-$kt.pub \| sed 's,^,\| ,' >&4
a91e8fcb MW	25	done
	26
	27	## Sign the various host keys.
a91e8fcb	28	last=%%%
83e706f9 MW	29	idomain=$domain
83e706f9 MW	30	echo >&5 "### BEGIN $idomain KEYS (generated $date)"
a91e8fcb MW	31	while read line <&3; do
	32
	33	## Ignore comments and empty lines.
	34	case "$line" in
	35	"#"* \| "") continue ;;
	36	##[! ]) ;;
	37	##*) continue ;;
	38	esac
	39
	40	## Read the host line.
	41	set -- $line
39415972 MW	42	case "$1" in
	43	@domain) domain=$2 ;;
	44	@*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
	45	esac
a91e8fcb MW	46	host=$1
a91e8fcb MW	47	names=""
58f8f79d	48	nicks=""
a91e8fcb MW	49
a91e8fcb MW	50	## If this is a different host, then start a new section of the list.
fcacefc9	51	case "$last" in
fcacefc9	52	"$host") ;;
6e968190	53	*) { echo; echo ":host $host"; } >&4 ;;
fcacefc9	54	esac
a91e8fcb MW	55	last=$host
	56
	57	## Build a list of names for the host.
	58	for n in "$@"; do
a91e8fcb	59	case "$n" in
6e968190	60	.*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
58f8f79d	61	. \| :) names=${names:+$names,}$n ;;
6e968190	62	*) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
a91e8fcb MW	63	esac
	64	done
	65
	66	## Sign certificates.
	67	for kt in $rawkeytypes; do
	68	if [ ! -f host/$host-$kt.pub ]; then continue; fi
50b96dc7	69	cp host/$host-$kt.pub publish.new/
8bcf3925	70	ssh-keygen -q -tv00 -sca/ca-$kt \
a91e8fcb MW	71	-h -I"$cacomment:$host.$domain" -n$names \
a91e8fcb MW	72	-V$validity \
50b96dc7 MW	73	publish.new/$host-$kt.pub
	74	mv publish.new/$host-$kt-cert.pub \
	75	publish.new/$host-$kt.cert
e91c736e MW	76	for fd in 4 5; do
	77	{ printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
	78	done
12ee14a5	79	ssh-keygen -lv -fhost/$host-$kt.pub \| sed 's,^,\| ,' >&4
a91e8fcb MW	80	done
a91e8fcb MW	81	done
83e706f9	82	echo >&5 "### END $idomain KEYS"
e91c736e	83	exec 3>&- 4>&- 5>&-
a91e8fcb MW	84
a91e8fcb MW	85	## Sign the list.
50b96dc7 MW	86	run_gpg --armor -o publish.new/hosts.asc \
	87	--clearsign publish.new/hosts.list
	88	rm publish.new/hosts.list
a91e8fcb MW	89
a91e8fcb MW	90	## Include a copy of the public key.
50b96dc7	91	run_gpg --export --armor -o publish.new/ca-gnupg.asc
a91e8fcb MW	92
a91e8fcb MW	93	## Done.
1535a6d2 MW	94	if [ -d publish ]; then
	95	rm -rf publish.old
	96	mv publish publish.old
	97	fi
a91e8fcb	98	mv publish.new publish
50b96dc7	99	rm -rf publish.old