WIP user cert

Meutel 2024-02-12 11:05:40 +00:00
parent 6759155194
commit 4a16f7567a


@ -7,11 +7,26 @@ USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
HOST_CONFIG_ROOT=${DIR_ETC}public/host/ HOST_CONFIG_ROOT=${DIR_ETC}public/host/
USER_CONFIG_ROOT=${DIR_ETC}public/user/ USER_CONFIG_ROOT=${DIR_ETC}public/user/
TYPE=$1 # public key file
NAME=$2 PUBKEY=$1
PRINCIPALS=$3 # certificate type: user/host
TYPE=$2
# config name
NAME=$3
# certificate validity duration
VALIDITY=$4 VALIDITY=$4
OPTS=$5 # principals for user cert
PRINCIPALS=$5
# certificate options
OPTS=$6
check_pubkey()
{
if [ ! -f $PUBKEY ]; then
echo "missing public key: $PUBKEY" >&2
exit 2
fi
}
check_ca_key() check_ca_key()
{ {
@ -33,7 +48,6 @@ check_config()
user_cert() user_cert()
{ {
echo "user certificate"
check_ca_key $USER_CA_PRIV check_ca_key $USER_CA_PRIV
USER_CONFIG=${USER_CONFIG_ROOT}${NAME} USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
check_config $USER_CONFIG check_config $USER_CONFIG
@ -45,21 +59,37 @@ user_cert()
echo "missing validity duration" >&2 echo "missing validity duration" >&2
exit 4 exit 4
fi fi
# ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] if ls $USER_CONFIG/*-cert.pub 2>/dev/null > /dev/null ; then
# [-n principals] [-O option] [-V validity_interval] SERIAL=$(( $( ls $USER_CONFIG/*-cert.pub | wc -l ) + 1 ))
# [-z serial_number] file ... else
SERIAL=1
fi
TS=$( date '+%Y%m%d%H%M.%S' )
CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"
USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"
# copy key
cp -f "$PUBKEY" "$USER_PUB_KEY"
ssh-keygen echo "Generate user certificate"
echo " key: $PUBKEY"
echo " serial: $SERIAL"
echo " ID: $CERT_ID"
echo " principals: $PRINCIPALS"
echo " validity: $VALIDITY"
ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" -O "$OPTS" -V "$VALIDITY" -z "$SERIAL" "$USER_PUB_KEY"
# TODO copy cert
# TODO displqy certificate
} }
host_cert() host_cert()
{ {
echo "host certificate"
check_ca_key $HOST_CA_PRIV check_ca_key $HOST_CA_PRIV
HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME} HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
check_config $HOST_CONFIG check_config $HOST_CONFIG
} }
check_pubkey
case $TYPE in case $TYPE in
"user") "user")
user_cert user_cert