WIP SSH CA

signer.sh

@@ -0,0 +1,74 @@
+#!/bin/sh
+
+DIR_ETC=./etc/
+
+HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca
+USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
+HOST_CONFIG_ROOT=${DIR_ETC}public/host/
+USER_CONFIG_ROOT=${DIR_ETC}public/user/
+
+TYPE=$1
+NAME=$2
+PRINCIPALS=$3
+VALIDITY=$4
+OPTS=$5
+
+check_ca_key()
+{
+	CA_PRIV=$1
+	if [ ! -f $CA_PRIV ]; then
+		echo "missing private CA key: $CA_PRIV" >&2
+		exit 2
+	fi
+}
+
+check_config()
+{
+	CONFIG_DIR=$1
+	if [ ! -d $CONFIG_DIR ]; then
+		echo "missing config: $CONFIG_DIR" >&2
+		exit 3
+	fi
+}
+
+user_cert()
+{
+	echo "user certificate"
+	check_ca_key $USER_CA_PRIV
+	USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
+	check_config $USER_CONFIG
+	if [ -z "$PRINCIPALS" ]; then
+		echo "missing principals" >&2
+		exit 4
+	fi
+	if [ -z "$VALIDITY" ]; then
+		echo "missing validity duration" >&2
+		exit 4
+	fi
+# ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
+#                [-n principals] [-O option] [-V validity_interval]
+#                [-z serial_number] file ...
+
+	ssh-keygen 
+}
+
+host_cert()
+{
+	echo "host certificate"
+	check_ca_key $HOST_CA_PRIV
+	HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
+	check_config $HOST_CONFIG
+}
+
+case $TYPE in
+	"user")
+		user_cert
+		;;
+	"host")
+		host_cert
+		;;
+	*)
+		echo "unknown certificate type" >&2
+		exit 1
+		;;
+esac