| 1 | #! /bin/sh |
| 2 | |
| 3 | set -e |
| 4 | . lib/func.sh |
| 5 | |
| 6 | ## The key types are adorned with bit lengths. Work out the raw key type |
| 7 | ## names. |
| 8 | rawkeytypes="" |
| 9 | for kt in $keytypes; do |
| 10 | rawkeytypes="$rawkeytypes ${kt%:*}" |
| 11 | done |
| 12 | |
| 13 | ## Start a new output directory. |
| 14 | rm -rf publish.new |
| 15 | mkdir publish.new |
| 16 | for kt in $rawkeytypes; do |
| 17 | cp ca/ca-$kt.pub publish.new/ |
| 18 | read pub <ca/ca-$kt.pub |
| 19 | echo "$@cert-authority $scope $pub" >publish.new/ca-$kt.entry |
| 20 | done |
| 21 | |
| 22 | ## Sign the various host keys. |
| 23 | exec 3<etc/hosts 4>publish.new/hosts.list |
| 24 | last=%%% |
| 25 | while read line <&3; do |
| 26 | |
| 27 | ## Ignore comments and empty lines. |
| 28 | case "$line" in |
| 29 | "#"* | "") continue ;; |
| 30 | ##*[! ]*) ;; |
| 31 | ##*) continue ;; |
| 32 | esac |
| 33 | |
| 34 | ## Read the host line. |
| 35 | set -- $line |
| 36 | host=$1 |
| 37 | names="" |
| 38 | |
| 39 | ## If this is a different host, then start a new section of the list. |
| 40 | case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac |
| 41 | last=$host |
| 42 | |
| 43 | ## Build a list of names for the host. |
| 44 | for n in "$@"; do |
| 45 | names=${names:+$names,}$n |
| 46 | case "$n" in |
| 47 | *.* | *:*) ;; |
| 48 | *) names=${names:+$names,}$n.$domain ;; |
| 49 | esac |
| 50 | done |
| 51 | |
| 52 | ## Sign certificates. |
| 53 | for kt in $rawkeytypes; do |
| 54 | if [ ! -f host/$host-$kt.pub ]; then continue; fi |
| 55 | cp host/$host-$kt.pub publish.new/ |
| 56 | ssh-keygen -q -tv00 -sca/ca-$kt \ |
| 57 | -h -I"$cacomment:$host.$domain" -n$names \ |
| 58 | -V$validity \ |
| 59 | publish.new/$host-$kt.pub |
| 60 | mv publish.new/$host-$kt-cert.pub \ |
| 61 | publish.new/$host-$kt.cert |
| 62 | ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4 |
| 63 | done |
| 64 | done |
| 65 | exec 3>&- 4>&- |
| 66 | |
| 67 | ## Sign the list. |
| 68 | run_gpg --armor -o publish.new/hosts.asc \ |
| 69 | --clearsign publish.new/hosts.list |
| 70 | rm publish.new/hosts.list |
| 71 | |
| 72 | ## Include a copy of the public key. |
| 73 | run_gpg --export --armor -o publish.new/ca-gnupg.asc |
| 74 | |
| 75 | ## Done. |
| 76 | if [ -d publish ]; then |
| 77 | rm -rf publish.old |
| 78 | mv publish publish.old |
| 79 | fi |
| 80 | mv publish.new publish |
| 81 | rm -rf publish.old |