~mdw / ssh-ca / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Major change of approach and rewrite.
[ssh-ca] / bin / sign
diff --git a/bin/sign b/bin/sign
new file mode 100755 (executable)
index 0000000..e3ac0c9
--- /dev/null
+++ b/bin/sign
@@ -0,0 +1,82 @@
+#! /bin/sh
+
+set -e
+. lib/func.sh
+
+## The key types are adorned with bit lengths.  Work out the raw key type
+## names.
+rawkeytypes=""
+for kt in $keytypes; do
+  rawkeytypes="$rawkeytypes ${kt%:*}"
+done
+
+## Start a new output directory.
+rm -rf publish.new
+mkdir publish.new
+mkdir publish.new/ssh-ca
+for kt in $rawkeytypes; do
+  cp ca/ca-$kt.pub publish.new/ssh-ca/
+  read pub <ca/ca-$kt.pub
+  echo "$@cert-authority $scope $pub" >publish.new/ssh-ca/ca-$kt.entry
+done
+
+## Sign the various host keys.
+exec 3<etc/hosts 4>publish.new/ssh-ca/hosts.list
+last=%%%
+while read line <&3; do
+
+  ## Ignore comments and empty lines.
+  case "$line" in
+    "#"* | "") continue ;;
+    ##*[!      ]*) ;;
+    ##*) continue ;;
+  esac
+
+  ## Read the host line.
+  set -- $line
+  host=$1
+  names=""
+
+  ## If this is a different host, then start a new section of the list.
+  case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
+  last=$host
+
+  ## Build a list of names for the host.
+  for n in "$@"; do
+    names=${names:+$names,}$n
+    case "$n" in
+      *.* | *:*) ;;
+      *) names=${names:+$names,}$n.$domain ;;
+    esac
+  done
+
+  ## Sign certificates.
+  for kt in $rawkeytypes; do
+    if [ ! -f host/$host-$kt.pub ]; then continue; fi
+    cp host/$host-$kt.pub publish.new/ssh-ca/
+    ssh-keygen -q -sca/ca-$kt \
+      -h -I"$cacomment:$host.$domain" -n$names \
+      -V$validity \
+      publish.new/ssh-ca/$host-$kt.pub
+    mv publish.new/ssh-ca/$host-$kt-cert.pub \
+      publish.new/ssh-ca/$host-$kt.cert
+    ssh-keygen -lv -fpublish.new/ssh-ca/$host-$kt.pub | sed 's,^,| ,' >&4
+  done
+done
+exec 3>&- 4>&-
+
+## Sign the list.
+run_gpg --armor -o publish.new/ssh-ca/hosts.asc \
+  --clearsign publish.new/ssh-ca/hosts.list
+rm publish.new/ssh-ca/hosts.list
+
+## Include a copy of the public key.
+run_gpg --export --armor -o publish.new/ssh-ca/ca-gnupg.asc
+
+## Include a copy of the complete archive.
+(cd publish.new; tar czf ssh-ca.tar.gz ssh-ca/)
+mv publish.new/ssh-ca.tar.gz publish.new/ssh-ca/
+
+## Done.
+rm -rf publish
+mv publish.new publish
A simple SSH certificate authority.