[ssh-ca] / bin / sign

#! /bin/sh

set -e
. lib/func.sh
orig_domain=$domain date=$(date +%Y-%m-%d)

## The key types are adorned with bit lengths.  Work out the raw key type
## names.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.
rm -rf publish.new
mkdir publish.new
exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
echo ":certificate-authority" >&4
for kt in $rawkeytypes; do
  cp ca/ca-$kt.pub publish.new/
  read pub <ca/ca-$kt.pub
  echo "@cert-authority $scope $pub" |
	tee publish.new/ca-$kt.entry >&4
  ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
done

## Sign the various host keys.
last=%%%
echo >&5 "### BEGIN $domain KEYS (generated $date)"
while read line <&3; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
    ##*[! 	]*) ;;
    ##*) continue ;;
  esac

  ## Read the host line.
  set -- $line
  case "$1" in
    @domain) domain=$2 ;;
    @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
  esac
  host=$1
  names=""
  nicks=""

  ## If this is a different host, then start a new section of the list.
  case "$last" in
    "$host") ;;
    *) { echo; echo ":host $host"; } >&4 ;;
  esac
  last=$host

  ## Build a list of names for the host.
  for n in "$@"; do
    case "$n" in
      .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
      *.* | *:*) names=${names:+$names,}$n ;;
      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
    esac
  done

  ## Sign certificates.
  for kt in $rawkeytypes; do
    if [ ! -f host/$host-$kt.pub ]; then continue; fi
    cp host/$host-$kt.pub publish.new/
    ssh-keygen -q -tv00 -sca/ca-$kt \
      -h -I"$cacomment:$host.$domain" -n$names \
      -V$validity \
      publish.new/$host-$kt.pub
    mv publish.new/$host-$kt-cert.pub \
      publish.new/$host-$kt.cert
    for fd in 4 5; do
      { printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
    done
    ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
  done
done
echo >&5 "### END $domain KEYS"
exec 3>&- 4>&- 5>&-

## Sign the list.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old
Commit	Line	Data
a91e8fcb MW	1	#! /bin/sh
	2
	3	set -e
	4	. lib/func.sh
e91c736e	5	orig_domain=$domain date=$(date +%Y-%m-%d)
a91e8fcb MW	6
	7	## The key types are adorned with bit lengths. Work out the raw key type
	8	## names.
	9	rawkeytypes=""
	10	for kt in $keytypes; do
	11	rawkeytypes="$rawkeytypes ${kt%:*}"
	12	done
	13
	14	## Start a new output directory.
	15	rm -rf publish.new
	16	mkdir publish.new
e91c736e	17	exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
6e968190	18	echo ":certificate-authority" >&4
a91e8fcb	19	for kt in $rawkeytypes; do
50b96dc7	20	cp ca/ca-$kt.pub publish.new/
a91e8fcb	21	read pub <ca/ca-$kt.pub
6e968190 MW	22	echo "@cert-authority $scope $pub" \|
	23	tee publish.new/ca-$kt.entry >&4
	24	ssh-keygen -lv -fca/ca-$kt.pub \| sed 's,^,\| ,' >&4
a91e8fcb MW	25	done
	26
	27	## Sign the various host keys.
a91e8fcb	28	last=%%%
e91c736e	29	echo >&5 "### BEGIN $domain KEYS (generated $date)"
a91e8fcb MW	30	while read line <&3; do
	31
	32	## Ignore comments and empty lines.
	33	case "$line" in
	34	"#"* \| "") continue ;;
	35	##[! ]) ;;
	36	##*) continue ;;
	37	esac
	38
	39	## Read the host line.
	40	set -- $line
39415972 MW	41	case "$1" in
	42	@domain) domain=$2 ;;
	43	@*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
	44	esac
a91e8fcb MW	45	host=$1
a91e8fcb MW	46	names=""
58f8f79d	47	nicks=""
a91e8fcb MW	48
a91e8fcb MW	49	## If this is a different host, then start a new section of the list.
fcacefc9	50	case "$last" in
fcacefc9	51	"$host") ;;
6e968190	52	*) { echo; echo ":host $host"; } >&4 ;;
fcacefc9	53	esac
a91e8fcb MW	54	last=$host
	55
	56	## Build a list of names for the host.
	57	for n in "$@"; do
a91e8fcb	58	case "$n" in
6e968190	59	.*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
58f8f79d	60	. \| :) names=${names:+$names,}$n ;;
6e968190	61	*) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
a91e8fcb MW	62	esac
	63	done
	64
	65	## Sign certificates.
	66	for kt in $rawkeytypes; do
	67	if [ ! -f host/$host-$kt.pub ]; then continue; fi
50b96dc7	68	cp host/$host-$kt.pub publish.new/
8bcf3925	69	ssh-keygen -q -tv00 -sca/ca-$kt \
a91e8fcb MW	70	-h -I"$cacomment:$host.$domain" -n$names \
a91e8fcb MW	71	-V$validity \
50b96dc7 MW	72	publish.new/$host-$kt.pub
	73	mv publish.new/$host-$kt-cert.pub \
	74	publish.new/$host-$kt.cert
e91c736e MW	75	for fd in 4 5; do
	76	{ printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
	77	done
12ee14a5	78	ssh-keygen -lv -fhost/$host-$kt.pub \| sed 's,^,\| ,' >&4
a91e8fcb MW	79	done
a91e8fcb MW	80	done
e91c736e MW	81	echo >&5 "### END $domain KEYS"
e91c736e MW	82	exec 3>&- 4>&- 5>&-
a91e8fcb MW	83
a91e8fcb MW	84	## Sign the list.
50b96dc7 MW	85	run_gpg --armor -o publish.new/hosts.asc \
	86	--clearsign publish.new/hosts.list
	87	rm publish.new/hosts.list
a91e8fcb MW	88
a91e8fcb MW	89	## Include a copy of the public key.
50b96dc7	90	run_gpg --export --armor -o publish.new/ca-gnupg.asc
a91e8fcb MW	91
a91e8fcb MW	92	## Done.
1535a6d2 MW	93	if [ -d publish ]; then
	94	rm -rf publish.old
	95	mv publish publish.old
	96	fi
a91e8fcb	97	mv publish.new publish
50b96dc7	98	rm -rf publish.old