bin/sign: Force use of v00 certificates.

[ssh-ca] / bin / sign

#! /bin/sh

set -e
. lib/func.sh

## The key types are adorned with bit lengths.  Work out the raw key type
## names.
rawkeytypes=""
for kt in $keytypes; do
  rawkeytypes="$rawkeytypes ${kt%:*}"
done

## Start a new output directory.
rm -rf publish.new
mkdir publish.new
for kt in $rawkeytypes; do
  cp ca/ca-$kt.pub publish.new/
  read pub <ca/ca-$kt.pub
  echo "$@cert-authority $scope $pub" >publish.new/ca-$kt.entry
done

## Sign the various host keys.
exec 3<etc/hosts 4>publish.new/hosts.list
last=%%%
while read line <&3; do

  ## Ignore comments and empty lines.
  case "$line" in
    "#"* | "") continue ;;
    ##*[!       ]*) ;;
    ##*) continue ;;
  esac

  ## Read the host line.
  set -- $line
  host=$1
  names=""

  ## If this is a different host, then start a new section of the list.
  case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
  last=$host

  ## Build a list of names for the host.
  for n in "$@"; do
    names=${names:+$names,}$n
    case "$n" in
      *.* | *:*) ;;
      *) names=${names:+$names,}$n.$domain ;;
    esac
  done

  ## Sign certificates.
  for kt in $rawkeytypes; do
    if [ ! -f host/$host-$kt.pub ]; then continue; fi
    cp host/$host-$kt.pub publish.new/
    ssh-keygen -q -tv00 -sca/ca-$kt \
      -h -I"$cacomment:$host.$domain" -n$names \
      -V$validity \
      publish.new/$host-$kt.pub
    mv publish.new/$host-$kt-cert.pub \
      publish.new/$host-$kt.cert
    ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4
  done
done
exec 3>&- 4>&-

## Sign the list.
run_gpg --armor -o publish.new/hosts.asc \
  --clearsign publish.new/hosts.list
rm publish.new/hosts.list

## Include a copy of the public key.
run_gpg --export --armor -o publish.new/ca-gnupg.asc

## Done.
if [ -d publish ]; then
  rm -rf publish.old
  mv publish publish.old
fi
mv publish.new publish
rm -rf publish.old