~mdw / ssh-ca / blame
| Commit | Line | Data |
|---|---|---|
| a91e8fcb MW |
1 | #! /bin/sh |
| 2 | ||
| 3 | set -e | |
| 4 | . lib/func.sh | |
| 5 | ||
| 6 | ## The key types are adorned with bit lengths. Work out the raw key type | |
| 7 | ## names. | |
| 8 | rawkeytypes="" | |
| 9 | for kt in $keytypes; do | |
| 10 | rawkeytypes="$rawkeytypes ${kt%:*}" | |
| 11 | done | |
| 12 | ||
| 13 | ## Start a new output directory. | |
| 14 | rm -rf publish.new | |
| 15 | mkdir publish.new | |
| 16 | mkdir publish.new/ssh-ca | |
| 17 | for kt in $rawkeytypes; do | |
| 18 | cp ca/ca-$kt.pub publish.new/ssh-ca/ | |
| 19 | read pub <ca/ca-$kt.pub | |
| 20 | echo "$@cert-authority $scope $pub" >publish.new/ssh-ca/ca-$kt.entry | |
| 21 | done | |
| 22 | ||
| 23 | ## Sign the various host keys. | |
| 24 | exec 3<etc/hosts 4>publish.new/ssh-ca/hosts.list | |
| 25 | last=%%% | |
| 26 | while read line <&3; do | |
| 27 | ||
| 28 | ## Ignore comments and empty lines. | |
| 29 | case "$line" in | |
| 30 | "#"* | "") continue ;; | |
| 31 | ##*[! ]*) ;; | |
| 32 | ##*) continue ;; | |
| 33 | esac | |
| 34 | ||
| 35 | ## Read the host line. | |
| 36 | set -- $line | |
| 37 | host=$1 | |
| 38 | names="" | |
| 39 | ||
| 40 | ## If this is a different host, then start a new section of the list. | |
| 41 | case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac | |
| 42 | last=$host | |
| 43 | ||
| 44 | ## Build a list of names for the host. | |
| 45 | for n in "$@"; do | |
| 46 | names=${names:+$names,}$n | |
| 47 | case "$n" in | |
| 48 | *.* | *:*) ;; | |
| 49 | *) names=${names:+$names,}$n.$domain ;; | |
| 50 | esac | |
| 51 | done | |
| 52 | ||
| 53 | ## Sign certificates. | |
| 54 | for kt in $rawkeytypes; do | |
| 55 | if [ ! -f host/$host-$kt.pub ]; then continue; fi | |
| 56 | cp host/$host-$kt.pub publish.new/ssh-ca/ | |
| 57 | ssh-keygen -q -sca/ca-$kt \ | |
| 58 | -h -I"$cacomment:$host.$domain" -n$names \ | |
| 59 | -V$validity \ | |
| 60 | publish.new/ssh-ca/$host-$kt.pub | |
| 61 | mv publish.new/ssh-ca/$host-$kt-cert.pub \ | |
| 62 | publish.new/ssh-ca/$host-$kt.cert | |
| 63 | ssh-keygen -lv -fpublish.new/ssh-ca/$host-$kt.pub | sed 's,^,| ,' >&4 | |
| 64 | done | |
| 65 | done | |
| 66 | exec 3>&- 4>&- | |
| 67 | ||
| 68 | ## Sign the list. | |
| 69 | run_gpg --armor -o publish.new/ssh-ca/hosts.asc \ | |
| 70 | --clearsign publish.new/ssh-ca/hosts.list | |
| 71 | rm publish.new/ssh-ca/hosts.list | |
| 72 | ||
| 73 | ## Include a copy of the public key. | |
| 74 | run_gpg --export --armor -o publish.new/ssh-ca/ca-gnupg.asc | |
| 75 | ||
| 76 | ## Include a copy of the complete archive. | |
| 77 | (cd publish.new; tar czf ssh-ca.tar.gz ssh-ca/) | |
| 78 | mv publish.new/ssh-ca.tar.gz publish.new/ssh-ca/ | |
| 79 | ||
| 80 | ## Done. | |
| 81 | rm -rf publish | |
| 82 | mv publish.new publish |