Renaming genpairs (#69)

2 files changed, 223 insertions, 222 deletions

diff --git a/lib/keyringer/actions/genkeys b/lib/keyringer/actions/genkeys
new file mode 100755
index 0000000..6fc6dcd
--- /dev/null
+++ b/lib/keyringer/actions/genkeys
@@ -0,0 +1,222 @@
+#!/bin/bash
+#
+# Generate keypairs.
+#
+# This script is just a wrapper to easily generate keys for
+# automated systems.
+# 
+
+# Generate a keypair, ssh version
+function genpair_ssh {
+  echo "Make sure that $KEYDIR is atop of an encrypted volume."
+  read -p "Hit ENTER to continue." prompt
+
+  # We're using empty passphrases
+  ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE"
+
+  # Encrypt the result
+  echo "Encrypting secret key into keyringer..."
+  cat "$TMPWORK/id_rsa"     | keyringer_exec encrypt "$BASEDIR" "$FILE"
+  echo "Encrypting public key into keyringer..."
+  cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
+
+  if [ ! -z "$OUTFILE" ]; then
+    mkdir -p `dirname $OUTFILE`
+    printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
+    cat "$TMPWORK/id_rsa"     > "$OUTFILE"
+    cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub"
+  fi
+
+  echo "Done"  
+}
+
+# Generate a keypair, gpg version
+function genpair_gpg {
+  echo "Make sure that $KEYDIR is atop of an encrypted volume."
+
+  passphrase="no"
+  passphrase_confirm="confirm"
+
+  while [ "$passphrase" != "$passphrase_confirm" ]; do
+    read -s -p "Enter password for the private key: " passphrase
+    printf "\n"
+    read -s -p "Enter password again: " passphrase_confirm
+    printf "\n"
+
+    if [ "$passphrase" != "$passphrase_confirm" ]; then
+      echo "Password don't match."
+    fi
+  done
+  
+  # TODO: insert random bytes
+  # TODO: custom Name-Comment and Name-Email
+  # TODO: allow for empty passphrases
+  $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF
+    Key-Type: RSA
+    Key-Length: 4096
+    Subkey-Type: ELG-E
+    Subkey-Length: 4096
+    Name-Real: $NODE
+    Name-Email: root@$NODE
+    Expire-Date: 0
+    Passphrase: $passphrase
+    %commit
+EOF
+
+  # Encrypt the result
+  echo "Encrypting secret key into keyringer..."
+  $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
+  echo "Encrypting public key into keyringer..."
+  $GPG --armor --homedir "$TMPWORK" --export             | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
+  echo "Encrypting passphrase into keyringer..."
+  echo "Passphrase for $FILE: $passphrase"               | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd"
+
+  if [ ! -z "$OUTFILE" ]; then
+    mkdir -p `dirname $OUTFILE`
+    printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
+    $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
+    $GPG --armor --homedir "$TMPWORK" --export             > "$OUTFILE.pub"
+  fi
+
+  echo "Done"  
+}
+
+# Generate a keypair, ssl version
+function genpair_ssl {
+  echo "Make sure that $KEYDIR is atop of an encrypted volume."
+  read -p "Hit ENTER to continue." prompt
+
+  # Check for wildcard certs
+  if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
+    WILDCARD="yes"
+    CNAME="$NODE"
+    NODE="`echo $NODE | sed -e 's/^\*\.//'`"
+  else
+    CNAME="${NODE}"
+  fi
+
+  # Setup
+  cd "$TMPWORK"
+
+  # Generate certificate
+cat <<EOF >> openssl.conf
+[ req ]
+default_keyfile         = ${NODE}_privatekey.pem
+distinguished_name      = req_distinguished_name
+encrypt_key             = no
+req_extensions          = v3_req # Extensions to add to certificate request
+string_mask             = nombstr
+
+[ req_distinguished_name ]
+commonName_default              = ${CNAME}
+organizationName                = Organization Name
+organizationalUnitName          = Organizational Unit Name
+emailAddress                    = Email Address
+localityName                    = Locality
+stateOrProvinceName             = State
+countryName                     = Country Name
+commonName                      = Common Name
+
+[ v3_req ]
+extendedKeyUsage=serverAuth,clientAuth
+EOF
+
+  # Add SubjectAltNames so wildcard certs can work correctly.
+  if [ "$WILDCARD" == "yes" ]; then
+cat <<EOF >> openssl.conf
+subjectAltName=DNS:${NODE}, DNS:${CNAME}
+EOF
+  fi
+
+  echo "Please review your OpenSSL configuration:"
+  cat openssl.conf
+  read -p "Hit ENTER to continue." prompt
+
+  openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \
+          -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+
+  openssl req -noout -text -in ${NODE}_csr.pem
+
+  # Self-sign
+  if [ "$KEYTYPE" == "ssl-self" ]; then
+    openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365
+    chmod 600 "${NODE}_privatekey.pem"
+  fi
+
+  # Encrypt the result
+  echo "Encrypting private key into keyringer..."
+  cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem"
+  echo "Encrypting certificate request into keyringer..."
+  cat "${NODE}_csr.pem"        | keyringer_exec encrypt "$BASEDIR" "$FILE.csr"
+  
+  if [ "$KEYTYPE" == "ssl-self" ]; then
+    echo "Encrypting certificate into keyringer..."
+    cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt"
+  elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then
+    # Remove any existing crt
+    keyringer_exec del "$BASEDIR" "$FILE.crt"
+  fi
+
+  cd "$CWD"
+
+  if [ ! -z "$OUTFILE" ]; then
+    mkdir -p `dirname $OUTFILE`
+    printf "Saving copies at %s\n" "`dirname $OUTFILE`"
+    cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
+    cat "$TMPWORK/${NODE}_csr.pem"        > "$OUTFILE.csr"
+
+    if [ -f "$TMPWORK/${NODE}.crt" ]; then
+      cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt"
+    fi
+  fi
+
+  # Show cert fingerprint
+  if [ "$KEYTYPE" == "ssl-self" ]; then
+    openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint
+  fi
+
+  echo "Done"
+}
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+KEYTYPE="$2"
+FILE="$RELATIVE_PATH/$3"
+NODE="$4"
+OUTFILE="$5"
+CWD="`pwd`"
+
+# Verify
+if [ -z "$NODE" ]; then
+  echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|ssl|ssl-self> <file> <hostname> [outfile]"
+  echo -e "Options:"
+  echo -e "\t gpg|ssh|ssl[-self]: key type."
+  echo -e "\t file                      : base file name for encrypted output (relative to keys folder),"
+  echo -e "\t                             without spaces"
+  echo -e "\t hostname                  : host for the key pair"
+  echo -e "\t outfile                   : optional unencrypted output file, useful for deployment,"
+  echo -e "\t                             without spaces"
+  exit 1
+elif [ ! -e "$KEYDIR" ]; then
+  echo "Folder not found: $KEYDIR, leaving"
+  exit 1
+fi
+
+# Set a tmp file
+keyringer_set_tmpfile genpair -d
+
+# Dispatch
+echo "Generating $KEYTYPE key for $NODE..."
+if [ "$KEYTYPE" == "ssl-self" ]; then
+  genpair_ssl
+else
+  genpair_"$KEYTYPE"
+fi
+
+# Cleanup
+cd "$CWD"
+rm -rf "$TMPWORK"
+trap - EXIT
diff --git a/lib/keyringer/actions/genpair b/lib/keyringer/actions/genpair
index 6fc6dcd..d936499 100755..120000
--- a/lib/keyringer/actions/genpair
+++ b/lib/keyringer/actions/genpair
@@ -1,222 +1 @@
-#!/bin/bash
-#
-# Generate keypairs.
-#
-# This script is just a wrapper to easily generate keys for
-# automated systems.
-# 
-
-# Generate a keypair, ssh version
-function genpair_ssh {
-  echo "Make sure that $KEYDIR is atop of an encrypted volume."
-  read -p "Hit ENTER to continue." prompt
-
-  # We're using empty passphrases
-  ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE"
-
-  # Encrypt the result
-  echo "Encrypting secret key into keyringer..."
-  cat "$TMPWORK/id_rsa"     | keyringer_exec encrypt "$BASEDIR" "$FILE"
-  echo "Encrypting public key into keyringer..."
-  cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
-
-  if [ ! -z "$OUTFILE" ]; then
-    mkdir -p `dirname $OUTFILE`
-    printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
-    cat "$TMPWORK/id_rsa"     > "$OUTFILE"
-    cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub"
-  fi
-
-  echo "Done"  
-}
-
-# Generate a keypair, gpg version
-function genpair_gpg {
-  echo "Make sure that $KEYDIR is atop of an encrypted volume."
-
-  passphrase="no"
-  passphrase_confirm="confirm"
-
-  while [ "$passphrase" != "$passphrase_confirm" ]; do
-    read -s -p "Enter password for the private key: " passphrase
-    printf "\n"
-    read -s -p "Enter password again: " passphrase_confirm
-    printf "\n"
-
-    if [ "$passphrase" != "$passphrase_confirm" ]; then
-      echo "Password don't match."
-    fi
-  done
-  
-  # TODO: insert random bytes
-  # TODO: custom Name-Comment and Name-Email
-  # TODO: allow for empty passphrases
-  $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF
-    Key-Type: RSA
-    Key-Length: 4096
-    Subkey-Type: ELG-E
-    Subkey-Length: 4096
-    Name-Real: $NODE
-    Name-Email: root@$NODE
-    Expire-Date: 0
-    Passphrase: $passphrase
-    %commit
-EOF
-
-  # Encrypt the result
-  echo "Encrypting secret key into keyringer..."
-  $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
-  echo "Encrypting public key into keyringer..."
-  $GPG --armor --homedir "$TMPWORK" --export             | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
-  echo "Encrypting passphrase into keyringer..."
-  echo "Passphrase for $FILE: $passphrase"               | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd"
-
-  if [ ! -z "$OUTFILE" ]; then
-    mkdir -p `dirname $OUTFILE`
-    printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
-    $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
-    $GPG --armor --homedir "$TMPWORK" --export             > "$OUTFILE.pub"
-  fi
-
-  echo "Done"  
-}
-
-# Generate a keypair, ssl version
-function genpair_ssl {
-  echo "Make sure that $KEYDIR is atop of an encrypted volume."
-  read -p "Hit ENTER to continue." prompt
-
-  # Check for wildcard certs
-  if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
-    WILDCARD="yes"
-    CNAME="$NODE"
-    NODE="`echo $NODE | sed -e 's/^\*\.//'`"
-  else
-    CNAME="${NODE}"
-  fi
-
-  # Setup
-  cd "$TMPWORK"
-
-  # Generate certificate
-cat <<EOF >> openssl.conf
-[ req ]
-default_keyfile         = ${NODE}_privatekey.pem
-distinguished_name      = req_distinguished_name
-encrypt_key             = no
-req_extensions          = v3_req # Extensions to add to certificate request
-string_mask             = nombstr
-
-[ req_distinguished_name ]
-commonName_default              = ${CNAME}
-organizationName                = Organization Name
-organizationalUnitName          = Organizational Unit Name
-emailAddress                    = Email Address
-localityName                    = Locality
-stateOrProvinceName             = State
-countryName                     = Country Name
-commonName                      = Common Name
-
-[ v3_req ]
-extendedKeyUsage=serverAuth,clientAuth
-EOF
-
-  # Add SubjectAltNames so wildcard certs can work correctly.
-  if [ "$WILDCARD" == "yes" ]; then
-cat <<EOF >> openssl.conf
-subjectAltName=DNS:${NODE}, DNS:${CNAME}
-EOF
-  fi
-
-  echo "Please review your OpenSSL configuration:"
-  cat openssl.conf
-  read -p "Hit ENTER to continue." prompt
-
-  openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \
-          -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
-
-  openssl req -noout -text -in ${NODE}_csr.pem
-
-  # Self-sign
-  if [ "$KEYTYPE" == "ssl-self" ]; then
-    openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365
-    chmod 600 "${NODE}_privatekey.pem"
-  fi
-
-  # Encrypt the result
-  echo "Encrypting private key into keyringer..."
-  cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem"
-  echo "Encrypting certificate request into keyringer..."
-  cat "${NODE}_csr.pem"        | keyringer_exec encrypt "$BASEDIR" "$FILE.csr"
-  
-  if [ "$KEYTYPE" == "ssl-self" ]; then
-    echo "Encrypting certificate into keyringer..."
-    cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt"
-  elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then
-    # Remove any existing crt
-    keyringer_exec del "$BASEDIR" "$FILE.crt"
-  fi
-
-  cd "$CWD"
-
-  if [ ! -z "$OUTFILE" ]; then
-    mkdir -p `dirname $OUTFILE`
-    printf "Saving copies at %s\n" "`dirname $OUTFILE`"
-    cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
-    cat "$TMPWORK/${NODE}_csr.pem"        > "$OUTFILE.csr"
-
-    if [ -f "$TMPWORK/${NODE}.crt" ]; then
-      cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt"
-    fi
-  fi
-
-  # Show cert fingerprint
-  if [ "$KEYTYPE" == "ssl-self" ]; then
-    openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint
-  fi
-
-  echo "Done"
-}
-
-# Load functions
-LIB="`dirname $0`/../functions"
-source "$LIB" || exit 1
-
-# Aditional parameters
-KEYTYPE="$2"
-FILE="$RELATIVE_PATH/$3"
-NODE="$4"
-OUTFILE="$5"
-CWD="`pwd`"
-
-# Verify
-if [ -z "$NODE" ]; then
-  echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|ssl|ssl-self> <file> <hostname> [outfile]"
-  echo -e "Options:"
-  echo -e "\t gpg|ssh|ssl[-self]: key type."
-  echo -e "\t file                      : base file name for encrypted output (relative to keys folder),"
-  echo -e "\t                             without spaces"
-  echo -e "\t hostname                  : host for the key pair"
-  echo -e "\t outfile                   : optional unencrypted output file, useful for deployment,"
-  echo -e "\t                             without spaces"
-  exit 1
-elif [ ! -e "$KEYDIR" ]; then
-  echo "Folder not found: $KEYDIR, leaving"
-  exit 1
-fi
-
-# Set a tmp file
-keyringer_set_tmpfile genpair -d
-
-# Dispatch
-echo "Generating $KEYTYPE key for $NODE..."
-if [ "$KEYTYPE" == "ssl-self" ]; then
-  genpair_ssl
-else
-  genpair_"$KEYTYPE"
-fi
-
-# Cleanup
-cd "$CWD"
-rm -rf "$TMPWORK"
-trap - EXIT
+genkeys
\ No newline at end of file