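#! /bin/sh
###
### publish -- assemble and sign the published SSH CA material.
###
### Configuration ($keytypes, $scope, $domain, $cacomment, $validity) and
### the run_gpg helper come from lib/func.sh, which is not visible here;
### their formats are assumed from how they are used below.  Everything is
### built in publish.new/ and only swapped into publish/ at the very end,
### so a failure part-way through leaves the previous publish/ untouched.

set -e
. lib/func.sh

## The key types are adorned with bit lengths (`TYPE:BITS').  Work out the
## raw key type names by stripping everything from the last colon on.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.
rm -rf publish.new
mkdir -p publish.new/ssh-ca

## Publish each CA public key together with a ready-made known_hosts line.
## The line must begin with the literal `@cert-authority' marker: the
## earlier `"$@cert-authority"' lost the `@', because `$@' is the (empty)
## positional-parameter list and is expanded away.
for kt in $rawkeytypes; do
  cp -- "ca/ca-$kt.pub" publish.new/ssh-ca/
  read -r pub <"ca/ca-$kt.pub"
  printf '%s\n' "@cert-authority $scope $pub" >"publish.new/ssh-ca/ca-$kt.entry"
done

## Sign the various host keys.  etc/hosts is read one line at a time as
## `HOST [NAME ...]'; consecutive lines for the same HOST are grouped under
## a single heading in hosts.list.
exec 3<etc/hosts 4>publish.new/ssh-ca/hosts.list
last=%%%   # sentinel which can never match a real host name
while read -r line <&3 || [ -n "$line" ]; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
  esac

  ## Split the host line into words: the first is the host, the rest are
  ## additional names.  A line containing only whitespace splits into
  ## nothing, so skip it rather than emit a section for an empty host.
  set -- $line
  [ $# -gt 0 ] || continue
  host=$1
  names=""

  ## If this is a different host, then start a new section of the list.
  ## (Every section, including the first, is preceded by a blank line.)
  if [ "$host" != "$last" ]; then
    printf '\n%s\n' "$host" >&4
  fi
  last=$host

  ## Build the comma-separated principal list for the host.  Every word
  ## (including the host itself) is listed as given; a word without a dot
  ## or a colon is additionally listed qualified with $domain.
  for n in "$@"; do
    names=${names:+$names,}$n
    case "$n" in
      *.* | *:*) ;;
      *) names=${names:+$names,}$n.$domain ;;
    esac
  done

  ## Sign certificates: one host certificate per CA key type for which the
  ## host has a public key.  `-h' makes a host certificate, `-n' limits it
  ## to the principals built above and `-V' bounds its validity period.
  ## The fingerprint listing goes into hosts.list, indented as a quote.
  for kt in $rawkeytypes; do
    [ -f "host/$host-$kt.pub" ] || continue
    cp -- "host/$host-$kt.pub" publish.new/ssh-ca/
    ssh-keygen -q -s "ca/ca-$kt" \
      -h -I "$cacomment:$host.$domain" -n "$names" \
      -V "$validity" \
      "publish.new/ssh-ca/$host-$kt.pub"
    mv -- "publish.new/ssh-ca/$host-$kt-cert.pub" \
      "publish.new/ssh-ca/$host-$kt.cert"
    ssh-keygen -lv -f "publish.new/ssh-ca/$host-$kt.pub" | sed 's,^,| ,' >&4
  done
done
exec 3>&- 4>&-

## Sign the list with GnuPG and publish only the signed copy.
run_gpg --armor -o publish.new/ssh-ca/hosts.asc \
  --clearsign publish.new/ssh-ca/hosts.list
rm -- publish.new/ssh-ca/hosts.list

## Include a copy of the GnuPG public key (presumably the one which made
## the signature above -- run_gpg's key selection is not visible here).
run_gpg --export --armor -o publish.new/ssh-ca/ca-gnupg.asc

## Include a copy of the complete archive.
(cd publish.new && tar czf ssh-ca.tar.gz ssh-ca/)
mv publish.new/ssh-ca.tar.gz publish.new/ssh-ca/

## Done: replace the old tree with the newly built one.
rm -rf publish
mv publish.new publish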