bin/sign: Include `known_hosts' entries in the signed bundle.
[ssh-ca] / bin / sign
1 #! /bin/sh
2
3 set -e
4 . lib/func.sh
5
6 ## The key types are adorned with bit lengths. Work out the raw key type
7 ## names.
8 rawkeytypes=""
9 for kt in $keytypes; do
10 rawkeytypes="$rawkeytypes ${kt%:*}"
11 done
12
13 ## Start a new output directory.
14 rm -rf publish.new
15 mkdir publish.new
16 exec 3<etc/hosts 4>publish.new/hosts.list
17 echo ":certificate-authority" >&4
18 for kt in $rawkeytypes; do
19 cp ca/ca-$kt.pub publish.new/
20 read pub <ca/ca-$kt.pub
21 echo "@cert-authority $scope $pub" |
22 tee publish.new/ca-$kt.entry >&4
23 ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
24 done
25
26 ## Sign the various host keys.
27 last=%%%
28 while read line <&3; do
29
30 ## Ignore comments and empty lines.
31 case "$line" in
32 "#"* | "") continue ;;
33 ##*[! ]*) ;;
34 ##*) continue ;;
35 esac
36
37 ## Read the host line.
38 set -- $line
39 host=$1
40 names=""
41 nicks=""
42
43 ## If this is a different host, then start a new section of the list.
44 case "$last" in
45 "$host") ;;
46 *) { echo; echo ":host $host"; } >&4 ;;
47 esac
48 last=$host
49
50 ## Build a list of names for the host.
51 for n in "$@"; do
52 case "$n" in
53 .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
54 *.* | *:*) names=${names:+$names,}$n ;;
55 *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
56 esac
57 done
58
59 ## Sign certificates.
60 for kt in $rawkeytypes; do
61 if [ ! -f host/$host-$kt.pub ]; then continue; fi
62 cp host/$host-$kt.pub publish.new/
63 ssh-keygen -q -tv00 -sca/ca-$kt \
64 -h -I"$cacomment:$host.$domain" -n$names \
65 -V$validity \
66 publish.new/$host-$kt.pub
67 mv publish.new/$host-$kt-cert.pub \
68 publish.new/$host-$kt.cert
69 { printf "%s " $names; cat host/$host-$kt.pub; } >&4
70 ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
71 done
72 done
73 exec 3>&- 4>&-
74
75 ## Sign the list.
76 run_gpg --armor -o publish.new/hosts.asc \
77 --clearsign publish.new/hosts.list
78 rm publish.new/hosts.list
79
80 ## Include a copy of the public key.
81 run_gpg --export --armor -o publish.new/ca-gnupg.asc
82
83 ## Done.
84 if [ -d publish ]; then
85 rm -rf publish.old
86 mv publish publish.old
87 fi
88 mv publish.new publish
89 rm -rf publish.old