149 lines
2.7 KiB
Bash
Executable File
149 lines
2.7 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
DIR_ETC=./etc/
|
|
|
|
HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca
|
|
USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
|
|
HOST_CONFIG_ROOT=${DIR_ETC}public/host/
|
|
USER_CONFIG_ROOT=${DIR_ETC}public/user/
|
|
|
|
ARGS_COUNT=$#
|
|
# public key file
|
|
PUBKEY=$1
|
|
# certificate type: user/host
|
|
TYPE=$2
|
|
# config name
|
|
NAME=$3
|
|
# certificate validity duration
|
|
VALIDITY=$4
|
|
# principals for user cert
|
|
PRINCIPALS=$5
|
|
if [ "$ARGS_COUNT" -gt 5 ]
|
|
then
|
|
shift 5
|
|
# certificate options
|
|
OPTS=$@
|
|
echo "options: $OPTS"
|
|
fi
|
|
|
|
usage()
|
|
{
|
|
echo "signer.sh <pubkey_file> <user|host> <name> <validity> (<principals> <options...>)"
|
|
}
|
|
|
|
check_pubkey()
|
|
{
|
|
if [ ! -f $PUBKEY ]; then
|
|
echo "missing public key: $PUBKEY" >&2
|
|
usage
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
check_ca_key()
|
|
{
|
|
CA_PRIV=$1
|
|
if [ ! -f $CA_PRIV ]; then
|
|
echo "missing private CA key: $CA_PRIV" >&2
|
|
exit 2
|
|
fi
|
|
}
|
|
|
|
check_config()
|
|
{
|
|
CONFIG_DIR=$1
|
|
if [ ! -d $CONFIG_DIR ]; then
|
|
echo "missing config: $CONFIG_DIR" >&2
|
|
exit 3
|
|
fi
|
|
}
|
|
|
|
user_cert()
|
|
{
|
|
check_ca_key $USER_CA_PRIV
|
|
USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
|
|
check_config $USER_CONFIG
|
|
if [ -z "$PRINCIPALS" ]; then
|
|
echo "missing principals" >&2
|
|
usage
|
|
exit 1
|
|
fi
|
|
if [ -z "$VALIDITY" ]; then
|
|
echo "missing validity duration" >&2
|
|
usage
|
|
exit 1
|
|
fi
|
|
if ls $USER_CONFIG/*-cert.pub 2>/dev/null > /dev/null ; then
|
|
SERIAL=$(( $( ls $USER_CONFIG/*-cert.pub | wc -l ) + 1 ))
|
|
else
|
|
SERIAL=1
|
|
fi
|
|
TS=$( date '+%Y%m%d%H%M.%S' )
|
|
CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"
|
|
USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"
|
|
# copy key
|
|
cp -f "$PUBKEY" "$USER_PUB_KEY"
|
|
|
|
echo "Generate user certificate"
|
|
echo " key: $PUBKEY"
|
|
echo " serial: $SERIAL"
|
|
echo " ID: $CERT_ID"
|
|
echo " principals: $PRINCIPALS"
|
|
echo " validity: $VALIDITY"
|
|
|
|
|
|
#ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" $OPT_PARAMS -V "$VALIDITY" -z "$SERIAL" "$USER_PUB_KEY"
|
|
# declare -a PARAMS
|
|
# PARAMS=( "-I" "$CERT_ID" "-s" "$USER_CA_PRIV" "-n" "$PRINCIPALS" "-V" "$VALIDITY" "-z" "$SERIAL" "$USER_PUB_KEY" )
|
|
# for opt in "$OPTS"
|
|
# do
|
|
# PARAMS+=( $opt )
|
|
# done
|
|
# echo "${PARAMS[@]}"
|
|
|
|
# ssh-keygen "${PARAMS[@]}"
|
|
|
|
gen_cert
|
|
if [ "$?" -eq 0 ] ; then
|
|
cp "${USER_PUB_KEY%.pub}-cert.pub" "${PUBKEY%.pub}-cert.pub"
|
|
ssh-keygen -L -f "${PUBKEY%.pub}-cert.pub"
|
|
fi
|
|
}
|
|
|
|
gen_cert()
|
|
{
|
|
for opt in $OPTS
|
|
do
|
|
set -- "$@" "-O"
|
|
set -- "$@" "$opt"
|
|
done
|
|
|
|
ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" -V "$VALIDITY" -z "$SERIAL" $@ "${USER_PUB_KEY}"
|
|
}
|
|
|
|
host_cert()
|
|
{
|
|
check_ca_key $HOST_CA_PRIV
|
|
HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
|
|
check_config $HOST_CONFIG
|
|
}
|
|
|
|
if [ "$ARGS_COUNT" -lt 4 ]; then
|
|
usage
|
|
exit 1
|
|
fi
|
|
check_pubkey
|
|
case $TYPE in
|
|
"user")
|
|
user_cert
|
|
;;
|
|
"host")
|
|
host_cert
|
|
;;
|
|
*)
|
|
echo "unknown certificate type" >&2
|
|
usage
|
|
exit 1
|
|
;;
|
|
esac
|