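#! /bin/sh
##
## Build and publish the signed host-key list.
##
## For every raw key type named in $keytypes the CA public key is copied
## into a fresh `publish.new' tree; `etc/hosts' is then walked, each host
## key found under `host/' is signed, and the host's principals, public
## key and fingerprint are appended to `hosts.list'.  The list is
## clearsigned with GnuPG and the finished tree replaces `publish'.
##
## Everything written to fd 4 ends up inside the signed artifact, so no
## diagnostics may go there: errors are reported on stderr and abort.
##
## Expected from lib/func.sh (not visible here -- confirm there):
##   keytypes   space-separated `type:bits' entries, e.g. `rsa:2048'
##   scope      host pattern written into the @cert-authority line
##   cacomment  prefix for the certificate key identity (-I)
##   validity   ssh-keygen -V interval applied to every certificate
##   run_gpg    presumably a gpg(1) wrapper with the CA keyring selected

set -e
. lib/func.sh

## Write the fingerprint block of public key $1 to stdout, each line
## prefixed with `| ' for the list format.  A bare `ssh-keygen | sed'
## pipeline under `set -e' only reports sed's status; capturing the
## ssh-keygen output first makes a failed fingerprint fatal instead of
## silently publishing a list with the block missing.
emit_fingerprint() {
  fp_out=$(ssh-keygen -lv -f "$1")
  printf '%s\n' "$fp_out" | sed 's,^,| ,'
}

## The key types are adorned with bit lengths (`type:bits').  Strip the
## lengths to get the raw key type names used in the file names.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.  fd 3 reads the host list, fd 4 collects
## everything that will later be signed.
rm -rf publish.new
mkdir publish.new
exec 3<etc/hosts 4>publish.new/hosts.list
printf '%s\n' ":certificate-authority" >&4
for kt in $rawkeytypes; do
  cp "ca/ca-$kt.pub" publish.new/
  read -r pub <"ca/ca-$kt.pub"
  ## The known_hosts line goes both to its own `.entry' file and the list.
  printf '%s\n' "@cert-authority $scope $pub" |
    tee "publish.new/ca-$kt.entry" >&4
  emit_fingerprint "ca/ca-$kt.pub" >&4
done

## Sign the various host keys.  The `|| [ -n "$line" ]' guard still
## processes a final line that lacks a trailing newline.
last=%%%
while read -r line <&3 || [ -n "$line" ]; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
  esac

  ## Read the host line.  Word-splitting `$line' is intentional: the
  ## fields are whitespace-separated.
  set -- $line
  case "$1" in
    @domain)
      domain=$2
      continue   # a directive, not a host: must not open a `:host' section
      ;;
    @*)
      printf '%s\n' "$0: unknown directive \`$1'" >&2
      exit 1
      ;;
  esac
  host=$1
  names=""
  nicks=""

  ## A host line seen before any `@domain' directive would yield principals
  ## like `host.'; refuse rather than sign a malformed certificate.
  if [ -z "${domain:-}" ]; then
    printf '%s\n' "$0: host \`$host' seen before any @domain directive" >&2
    exit 1
  fi

  ## If this is a different host, then start a new section of the list.
  if [ "$last" != "$host" ]; then
    printf '\n:host %s\n' "$host" >&4
  fi
  last=$host

  ## Build the comma-separated principal list for the host.  An entry
  ## starting with `.' is a suffix applied to every nickname collected so
  ## far on this line (so order matters); an entry containing a dot or a
  ## colon is taken verbatim; anything else is a nickname, remembered and
  ## qualified with $domain.
  for n in "$@"; do
    case "$n" in
      .*)
        for h in $nicks; do
          names=${names:+$names,}$h$n.$domain
        done
        ;;
      *.* | *:*)
        names=${names:+$names,}$n
        ;;
      *)
        nicks=${nicks:+$nicks }$n
        names=${names:+$names,}$n.$domain
        ;;
    esac
  done

  ## Sign certificates.  Key types with no key file for this host are
  ## skipped silently.
  for kt in $rawkeytypes; do
    if [ ! -f "host/$host-$kt.pub" ]; then continue; fi
    cp "host/$host-$kt.pub" publish.new/
    ## NOTE(review): `-t v00' selects the legacy certificate format, which
    ## current OpenSSH no longer generates (dropped in 7.0).  Left as-is
    ## because the consuming sshd must accept whatever is produced here --
    ## confirm against the deployed ssh-keygen before changing it.
    ssh-keygen -q -t v00 -s "ca/ca-$kt" \
      -h -I "$cacomment:$host.$domain" -n "$names" \
      -V "$validity" \
      "publish.new/$host-$kt.pub"
    mv "publish.new/$host-$kt-cert.pub" \
      "publish.new/$host-$kt.cert"
    { printf "%s " "$names"; cat "host/$host-$kt.pub"; } >&4
    emit_fingerprint "host/$host-$kt.pub" >&4
  done
done
exec 3<&- 4>&-

## Sign the list.  Only the clearsigned copy is published; the unsigned
## list is removed so that nothing unverifiable is left in the tree.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key (presumably run_gpg's default key) so
## clients can verify the signature.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done.  Swap the new tree in with renames: `publish' is briefly absent
## but never half-built; the previous tree is dropped afterwards.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old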