aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2015-03-30 09:04:23 -0300
committerSilvio Rhatto <rhatto@riseup.net>2015-03-30 09:04:23 -0300
commite6f6d21f9955ac7c428d8fe43def599c6bc36a8b (patch)
tree3f7836af002df7bd20b1b4011fa78b95855ec721
parentcffe8137d024091d0f1bee9c2484c28d2986febc (diff)
parent347f255ec06b26a0437b653d87b5753d57d3c998 (diff)
downloadkeyringer-e6f6d21f9955ac7c428d8fe43def599c6bc36a8b.tar.gz
keyringer-e6f6d21f9955ac7c428d8fe43def599c6bc36a8b.tar.bz2
Merge branch 'release/0.3.8'0.3.8
-rw-r--r--ChangeLog9
-rwxr-xr-xcontrib/pass2
-rw-r--r--development.mdwn44
-rwxr-xr-xkeyringer4
-rwxr-xr-xlib/keyringer/actions/append2
-rwxr-xr-xlib/keyringer/actions/check2
-rwxr-xr-xlib/keyringer/actions/commands2
-rwxr-xr-xlib/keyringer/actions/commit2
-rwxr-xr-xlib/keyringer/actions/cp7
-rwxr-xr-xlib/keyringer/actions/decrypt2
-rwxr-xr-xlib/keyringer/actions/del2
-rwxr-xr-xlib/keyringer/actions/edit2
-rwxr-xr-xlib/keyringer/actions/encrypt2
-rwxr-xr-xlib/keyringer/actions/find2
-rwxr-xr-xlib/keyringer/actions/genkeys227
l---------[-rwxr-xr-x]lib/keyringer/actions/genpair223
-rwxr-xr-xlib/keyringer/actions/git2
-rwxr-xr-xlib/keyringer/actions/ls2
-rwxr-xr-xlib/keyringer/actions/mkdir2
-rwxr-xr-xlib/keyringer/actions/mv2
-rwxr-xr-xlib/keyringer/actions/options2
-rwxr-xr-xlib/keyringer/actions/preferences2
-rwxr-xr-xlib/keyringer/actions/recipients2
-rwxr-xr-xlib/keyringer/actions/recrypt2
-rwxr-xr-xlib/keyringer/actions/rmdir2
-rwxr-xr-xlib/keyringer/actions/shell2
-rwxr-xr-xlib/keyringer/actions/teardown2
-rwxr-xr-xlib/keyringer/actions/tree2
-rwxr-xr-xlib/keyringer/actions/usage2
-rwxr-xr-xlib/keyringer/actions/xclip2
-rw-r--r--lib/keyringer/completions/bash/keyringer12
-rw-r--r--lib/keyringer/completions/zsh/_keyringer12
-rwxr-xr-xlib/keyringer/functions2
-rw-r--r--share/man/keyringer.112
-rw-r--r--share/man/keyringer.1.mdwn7
35 files changed, 308 insertions, 299 deletions
diff --git a/ChangeLog b/ChangeLog
index 683c853..2462e45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2015-03-30 - 0.3.8 - Silvio Rhatto <rhatto@riseup.net>
+
+ Eliminates hardcoded bash path, reported and fixed by
+ polynomial (closes https://github.com/rhatto/keyringer/pull/1).
+
+ Rename genpair action and option (#69)
+
+ Ensure destination folder exists at 'cp' action
+
2014-08-21 - 0.3.7 - Silvio Rhatto <rhatto@riseup.net>
Init: just set git user/mail if needed
diff --git a/contrib/pass b/contrib/pass
index b4d5954..80eb744 100755
--- a/contrib/pass
+++ b/contrib/pass
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# Sample wrapper program for simplying the use of keyringer.
# This wrapper assumes you are using one key file with many
diff --git a/development.mdwn b/development.mdwn
index bbc688d..db67119 100644
--- a/development.mdwn
+++ b/development.mdwn
@@ -5,44 +5,11 @@ Index
[[!toc levels=4]]
-Development environment
------------------------
-
-The following steps needs to be run just once for each arch and distro version.
-
-### Create the `debian/` structure
-
- if [ ! -d "debian" ]; then
- dh_make -p keyringer_0.1 --createorig
- fi
-
-### Setup a sid pbuilder chroot
-
- DIST=sid git-pbuilder create
-
-### Setup a sid cowbuilder chroot
-
- DIST=sid sudo cowbuilder --create
-
-Environment maintenance
------------------------
-
-These steps should be run once in a while to ensure we have an up to date packaging environment.
-
-### Pbuilder
-
- DIST=sid git-pbuilder update
-
-### Cowbuilder
-
- DIST=sid sudo cowbuilder --update
-
Coding standards
----------------
- - Respect the existing coding style.
-
- - Be clear: easy audability must be one of keyringer's requirements.
+* Respect the existing coding style.
+* Be clear: easy audability must be one of keyringer's requirements.
Development workflow
--------------------
@@ -86,7 +53,12 @@ Run lintian (or [add it to your pbuilder hooks](http://askubuntu.com/questions/1
Notes:
* `git-import-orig` takes care of running `pristine-tar commit`, of merging of the tag and orig tarball into the upstream branch, and then it merges the result into the debian branch. With the above configuration, it also runs git-dch to do the bulk of the work in `debian/changelog`.
-* To build a development package, checkout the debian branch, merge master, run `git-dch --auto --snapshot` and build.
+* To build a development package, checkout the debian branch, merge master, run `git-dch --auto --snapshot` and build.
+
+Packaging workflow
+------------------
+
+We recommend [this packaging workflow](https://git.sarava.org/?p=debian.git;a=blob;f=README.md;hb=HEAD).
Adding or changing a subcommand
-------------------------------
diff --git a/keyringer b/keyringer
index 059b157..956bb73 100755
--- a/keyringer
+++ b/keyringer
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Keyringer key management system.
#
@@ -140,7 +140,7 @@ function keyringer_dispatch {
# Config
NAME="keyringer"
-KEYRINGER_VERSION="0.3.7"
+KEYRINGER_VERSION="0.3.8"
CONFIG_VERSION="0.1"
CONFIG_BASE="$HOME/.$NAME"
CONFIG="$CONFIG_BASE/config"
diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append
index fbb6c1c..df21e03 100755
--- a/lib/keyringer/actions/append
+++ b/lib/keyringer/actions/append
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Append information into encrypted files.
#
diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check
index c80fa8f..a647e95 100755
--- a/lib/keyringer/actions/check
+++ b/lib/keyringer/actions/check
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Check a keyring.
#
diff --git a/lib/keyringer/actions/commands b/lib/keyringer/actions/commands
index cb49c02..4888317 100755
--- a/lib/keyringer/actions/commands
+++ b/lib/keyringer/actions/commands
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Show available commands
#
diff --git a/lib/keyringer/actions/commit b/lib/keyringer/actions/commit
index b124927..84ead14 100755
--- a/lib/keyringer/actions/commit
+++ b/lib/keyringer/actions/commit
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Git commit wrapper.
#
diff --git a/lib/keyringer/actions/cp b/lib/keyringer/actions/cp
index 0629b61..1f4ccee 100755
--- a/lib/keyringer/actions/cp
+++ b/lib/keyringer/actions/cp
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Copy secrets.
#
@@ -27,7 +27,10 @@ if ! echo "$ORIG" | grep -q '*' && [ ! -e "$KEYDIR/$RELATIVE_PATH/$ORIG" ]; then
exit 1
fi
-# Run move command
+# Ensure destination folder exists
+mkdir -p `dirname "$KEYDIR/$FILE"`
+
+# Run copy command
cd "$KEYDIR" && cp -a "./$RELATIVE_PATH/$ORIG" "./$FILE"
keyringer_exec git "$BASEDIR" add "keys/$FILE"
cd "$CWD"
diff --git a/lib/keyringer/actions/decrypt b/lib/keyringer/actions/decrypt
index b63b74e..c6510ee 100755
--- a/lib/keyringer/actions/decrypt
+++ b/lib/keyringer/actions/decrypt
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Decrypt files.
#
diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del
index d160ac4..2abc414 100755
--- a/lib/keyringer/actions/del
+++ b/lib/keyringer/actions/del
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Remove files.
#
diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit
index c9f3f12..4338518 100755
--- a/lib/keyringer/actions/edit
+++ b/lib/keyringer/actions/edit
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Edit keys.
#
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
index 7415267..3818fa3 100755
--- a/lib/keyringer/actions/encrypt
+++ b/lib/keyringer/actions/encrypt
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Encrypt files to multiple recipients.
#
diff --git a/lib/keyringer/actions/find b/lib/keyringer/actions/find
index 9b18d66..dc9d6d1 100755
--- a/lib/keyringer/actions/find
+++ b/lib/keyringer/actions/find
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Find secrets.
#
diff --git a/lib/keyringer/actions/genkeys b/lib/keyringer/actions/genkeys
new file mode 100755
index 0000000..f49d6d0
--- /dev/null
+++ b/lib/keyringer/actions/genkeys
@@ -0,0 +1,227 @@
+#!/usr/bin/env bash
+#
+# Generate keypairs.
+#
+# This script is just a wrapper to easily generate keys for
+# automated systems.
+#
+
+# Generate a keypair, ssh version
+function genkeys_ssh {
+ echo "Make sure that $KEYDIR is atop of an encrypted volume."
+ read -p "Hit ENTER to continue." prompt
+
+ # We're using empty passphrases
+ ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE"
+
+ # Encrypt the result
+ echo "Encrypting secret key into keyringer..."
+ cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE"
+ echo "Encrypting public key into keyringer..."
+ cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
+
+ if [ ! -z "$OUTFILE" ]; then
+ mkdir -p `dirname $OUTFILE`
+ printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
+ cat "$TMPWORK/id_rsa" > "$OUTFILE"
+ cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub"
+ fi
+
+ echo "Done"
+}
+
+# Generate a keypair, gpg version
+function genkeys_gpg {
+ echo "Make sure that $KEYDIR is atop of an encrypted volume."
+
+ passphrase="no"
+ passphrase_confirm="confirm"
+
+ while [ "$passphrase" != "$passphrase_confirm" ]; do
+ read -s -p "Enter password for the private key: " passphrase
+ printf "\n"
+ read -s -p "Enter password again: " passphrase_confirm
+ printf "\n"
+
+ if [ "$passphrase" != "$passphrase_confirm" ]; then
+ echo "Password don't match."
+ fi
+ done
+
+ # TODO: insert random bytes
+ # TODO: custom Name-Comment and Name-Email
+ # TODO: allow for empty passphrases
+ $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF
+ Key-Type: RSA
+ Key-Length: 4096
+ Subkey-Type: ELG-E
+ Subkey-Length: 4096
+ Name-Real: $NODE
+ Name-Email: root@$NODE
+ Expire-Date: 0
+ Passphrase: $passphrase
+ %commit
+EOF
+
+ # Encrypt the result
+ echo "Encrypting secret key into keyringer..."
+ $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
+ echo "Encrypting public key into keyringer..."
+ $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
+ echo "Encrypting passphrase into keyringer..."
+ echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd"
+
+ if [ ! -z "$OUTFILE" ]; then
+ mkdir -p `dirname $OUTFILE`
+ printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
+ $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
+ $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
+ fi
+
+ echo "Done"
+}
+
+# Alias
+function genkeys_ssl {
+ genkeys_x509 $*
+}
+
+# Generate a keypair, ssl version
+function genkeys_x509 {
+ echo "Make sure that $KEYDIR is atop of an encrypted volume."
+ read -p "Hit ENTER to continue." prompt
+
+ # Check for wildcard certs
+ if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
+ WILDCARD="yes"
+ CNAME="$NODE"
+ NODE="`echo $NODE | sed -e 's/^\*\.//'`"
+ else
+ CNAME="${NODE}"
+ fi
+
+ # Setup
+ cd "$TMPWORK"
+
+ # Generate certificate
+cat <<EOF >> openssl.conf
+[ req ]
+default_keyfile = ${NODE}_privatekey.pem
+distinguished_name = req_distinguished_name
+encrypt_key = no
+req_extensions = v3_req # Extensions to add to certificate request
+string_mask = nombstr
+
+[ req_distinguished_name ]
+commonName_default = ${CNAME}
+organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+emailAddress = Email Address
+localityName = Locality
+stateOrProvinceName = State
+countryName = Country Name
+commonName = Common Name
+
+[ v3_req ]
+extendedKeyUsage=serverAuth,clientAuth
+EOF
+
+ # Add SubjectAltNames so wildcard certs can work correctly.
+ if [ "$WILDCARD" == "yes" ]; then
+cat <<EOF >> openssl.conf
+subjectAltName=DNS:${NODE}, DNS:${CNAME}
+EOF
+ fi
+
+ echo "Please review your OpenSSL configuration:"
+ cat openssl.conf
+ read -p "Hit ENTER to continue." prompt
+
+ openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \
+ -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+
+ openssl req -noout -text -in ${NODE}_csr.pem
+
+ # Self-sign
+ if [ "$KEYTYPE" == "ssl-self" ]; then
+ openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365
+ chmod 600 "${NODE}_privatekey.pem"
+ fi
+
+ # Encrypt the result
+ echo "Encrypting private key into keyringer..."
+ cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem"
+ echo "Encrypting certificate request into keyringer..."
+ cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr"
+
+ if [ "$KEYTYPE" == "ssl-self" ]; then
+ echo "Encrypting certificate into keyringer..."
+ cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt"
+ elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then
+ # Remove any existing crt
+ keyringer_exec del "$BASEDIR" "$FILE.crt"
+ fi
+
+ cd "$CWD"
+
+ if [ ! -z "$OUTFILE" ]; then
+ mkdir -p `dirname $OUTFILE`
+ printf "Saving copies at %s\n" "`dirname $OUTFILE`"
+ cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
+ cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr"
+
+ if [ -f "$TMPWORK/${NODE}.crt" ]; then
+ cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt"
+ fi
+ fi
+
+ # Show cert fingerprint
+ if [ "$KEYTYPE" == "ssl-self" ]; then
+ openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint
+ fi
+
+ echo "Done"
+}
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+KEYTYPE="$2"
+FILE="$RELATIVE_PATH/$3"
+NODE="$4"
+OUTFILE="$5"
+CWD="`pwd`"
+
+# Verify
+if [ -z "$NODE" ]; then
+ echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|x509|x509-self|ssl|ssl-self> <file> <hostname> [outfile]"
+ echo -e "Options:"
+ echo -e "\t gpg|ssh|x509[-self]|ssl|ssl[-self]: key type."
+ echo -e "\t file : base file name for encrypted output (relative to keys folder),"
+ echo -e "\t without spaces"
+ echo -e "\t hostname : host for the key pair"
+ echo -e "\t outfile : optional unencrypted output file, useful for deployment,"
+ echo -e "\t without spaces"
+ exit 1
+elif [ ! -e "$KEYDIR" ]; then
+ echo "Folder not found: $KEYDIR, leaving"
+ exit 1
+fi
+
+# Set a tmp file
+keyringer_set_tmpfile genpair -d
+
+# Dispatch
+echo "Generating $KEYTYPE key for $NODE..."
+if [ "$KEYTYPE" == "ssl-self" ] || [ "$KEYTYPE" == "x509-self" ]; then
+ genkeys_x509
+else
+ genkeys_"$KEYTYPE"
+fi
+
+# Cleanup
+cd "$CWD"
+rm -rf "$TMPWORK"
+trap - EXIT
diff --git a/lib/keyringer/actions/genpair b/lib/keyringer/actions/genpair
index 6fc6dcd..d936499 100755..120000
--- a/lib/keyringer/actions/genpair
+++ b/lib/keyringer/actions/genpair
@@ -1,222 +1 @@
-#!/bin/bash
-#
-# Generate keypairs.
-#
-# This script is just a wrapper to easily generate keys for
-# automated systems.
-#
-
-# Generate a keypair, ssh version
-function genpair_ssh {
- echo "Make sure that $KEYDIR is atop of an encrypted volume."
- read -p "Hit ENTER to continue." prompt
-
- # We're using empty passphrases
- ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE"
-
- # Encrypt the result
- echo "Encrypting secret key into keyringer..."
- cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE"
- echo "Encrypting public key into keyringer..."
- cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
-
- if [ ! -z "$OUTFILE" ]; then
- mkdir -p `dirname $OUTFILE`
- printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
- cat "$TMPWORK/id_rsa" > "$OUTFILE"
- cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub"
- fi
-
- echo "Done"
-}
-
-# Generate a keypair, gpg version
-function genpair_gpg {
- echo "Make sure that $KEYDIR is atop of an encrypted volume."
-
- passphrase="no"
- passphrase_confirm="confirm"
-
- while [ "$passphrase" != "$passphrase_confirm" ]; do
- read -s -p "Enter password for the private key: " passphrase
- printf "\n"
- read -s -p "Enter password again: " passphrase_confirm
- printf "\n"
-
- if [ "$passphrase" != "$passphrase_confirm" ]; then
- echo "Password don't match."
- fi
- done
-
- # TODO: insert random bytes
- # TODO: custom Name-Comment and Name-Email
- # TODO: allow for empty passphrases
- $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF
- Key-Type: RSA
- Key-Length: 4096
- Subkey-Type: ELG-E
- Subkey-Length: 4096
- Name-Real: $NODE
- Name-Email: root@$NODE
- Expire-Date: 0
- Passphrase: $passphrase
- %commit
-EOF
-
- # Encrypt the result
- echo "Encrypting secret key into keyringer..."
- $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
- echo "Encrypting public key into keyringer..."
- $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
- echo "Encrypting passphrase into keyringer..."
- echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd"
-
- if [ ! -z "$OUTFILE" ]; then
- mkdir -p `dirname $OUTFILE`
- printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
- $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
- $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
- fi
-
- echo "Done"
-}
-
-# Generate a keypair, ssl version
-function genpair_ssl {
- echo "Make sure that $KEYDIR is atop of an encrypted volume."
- read -p "Hit ENTER to continue." prompt
-
- # Check for wildcard certs
- if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
- WILDCARD="yes"
- CNAME="$NODE"
- NODE="`echo $NODE | sed -e 's/^\*\.//'`"
- else
- CNAME="${NODE}"
- fi
-
- # Setup
- cd "$TMPWORK"
-
- # Generate certificate
-cat <<EOF >> openssl.conf
-[ req ]
-default_keyfile = ${NODE}_privatekey.pem
-distinguished_name = req_distinguished_name
-encrypt_key = no
-req_extensions = v3_req # Extensions to add to certificate request
-string_mask = nombstr
-
-[ req_distinguished_name ]
-commonName_default = ${CNAME}
-organizationName = Organization Name
-organizationalUnitName = Organizational Unit Name
-emailAddress = Email Address
-localityName = Locality
-stateOrProvinceName = State
-countryName = Country Name
-commonName = Common Name
-
-[ v3_req ]
-extendedKeyUsage=serverAuth,clientAuth
-EOF
-
- # Add SubjectAltNames so wildcard certs can work correctly.
- if [ "$WILDCARD" == "yes" ]; then
-cat <<EOF >> openssl.conf
-subjectAltName=DNS:${NODE}, DNS:${CNAME}
-EOF
- fi
-
- echo "Please review your OpenSSL configuration:"
- cat openssl.conf
- read -p "Hit ENTER to continue." prompt
-
- openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \
- -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
-
- openssl req -noout -text -in ${NODE}_csr.pem
-
- # Self-sign
- if [ "$KEYTYPE" == "ssl-self" ]; then
- openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365
- chmod 600 "${NODE}_privatekey.pem"
- fi
-
- # Encrypt the result
- echo "Encrypting private key into keyringer..."
- cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem"
- echo "Encrypting certificate request into keyringer..."
- cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr"
-
- if [ "$KEYTYPE" == "ssl-self" ]; then
- echo "Encrypting certificate into keyringer..."
- cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt"
- elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then
- # Remove any existing crt
- keyringer_exec del "$BASEDIR" "$FILE.crt"
- fi
-
- cd "$CWD"
-
- if [ ! -z "$OUTFILE" ]; then
- mkdir -p `dirname $OUTFILE`
- printf "Saving copies at %s\n" "`dirname $OUTFILE`"
- cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
- cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr"
-
- if [ -f "$TMPWORK/${NODE}.crt" ]; then
- cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt"
- fi
- fi
-
- # Show cert fingerprint
- if [ "$KEYTYPE" == "ssl-self" ]; then
- openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint
- fi
-
- echo "Done"
-}
-
-# Load functions
-LIB="`dirname $0`/../functions"
-source "$LIB" || exit 1
-
-# Aditional parameters
-KEYTYPE="$2"
-FILE="$RELATIVE_PATH/$3"
-NODE="$4"
-OUTFILE="$5"
-CWD="`pwd`"
-
-# Verify
-if [ -z "$NODE" ]; then
- echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|ssl|ssl-self> <file> <hostname> [outfile]"
- echo -e "Options:"
- echo -e "\t gpg|ssh|ssl[-self]: key type."
- echo -e "\t file : base file name for encrypted output (relative to keys folder),"
- echo -e "\t without spaces"
- echo -e "\t hostname : host for the key pair"
- echo -e "\t outfile : optional unencrypted output file, useful for deployment,"
- echo -e "\t without spaces"
- exit 1
-elif [ ! -e "$KEYDIR" ]; then
- echo "Folder not found: $KEYDIR, leaving"
- exit 1
-fi
-
-# Set a tmp file
-keyringer_set_tmpfile genpair -d
-
-# Dispatch
-echo "Generating $KEYTYPE key for $NODE..."
-if [ "$KEYTYPE" == "ssl-self" ]; then
- genpair_ssl
-else
- genpair_"$KEYTYPE"
-fi
-
-# Cleanup
-cd "$CWD"
-rm -rf "$TMPWORK"
-trap - EXIT
+genkeys \ No newline at end of file
diff --git a/lib/keyringer/actions/git b/lib/keyringer/actions/git
index 059b20e..218273f 100755
--- a/lib/keyringer/actions/git
+++ b/lib/keyringer/actions/git
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Git wrapper.
#
diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls
index 93f5f75..b992ad4 100755
--- a/lib/keyringer/actions/ls
+++ b/lib/keyringer/actions/ls
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# List keys.
#
diff --git a/lib/keyringer/actions/mkdir b/lib/keyringer/actions/mkdir
index b31eb0b..63442a4 100755
--- a/lib/keyringer/actions/mkdir
+++ b/lib/keyringer/actions/mkdir
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Create folders.
#
diff --git a/lib/keyringer/actions/mv b/lib/keyringer/actions/mv
index daac7b0..2324145 100755
--- a/lib/keyringer/actions/mv
+++ b/lib/keyringer/actions/mv
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Move secrets.
#
diff --git a/lib/keyringer/actions/options b/lib/keyringer/actions/options
index b210e1a..eea73e8 100755
--- a/lib/keyringer/actions/options
+++ b/lib/keyringer/actions/options
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Repository options management.
#
diff --git a/lib/keyringer/actions/preferences b/lib/keyringer/actions/preferences
index 114f9ac..6e36ef4 100755
--- a/lib/keyringer/actions/preferences
+++ b/lib/keyringer/actions/preferences
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Manipulate user preferences.
#
diff --git a/lib/keyringer/actions/recipients b/lib/keyringer/actions/recipients
index 4149786..29f9d38 100755
--- a/lib/keyringer/actions/recipients
+++ b/lib/keyringer/actions/recipients
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Recipient management.
#
diff --git a/lib/keyringer/actions/recrypt b/lib/keyringer/actions/recrypt
index 30c9254..5dce1ba 100755
--- a/lib/keyringer/actions/recrypt
+++ b/lib/keyringer/actions/recrypt
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Re-encrypt files to multiple recipients.
#
diff --git a/lib/keyringer/actions/rmdir b/lib/keyringer/actions/rmdir
index 398cf11..da7abe5 100755
--- a/lib/keyringer/actions/rmdir
+++ b/lib/keyringer/actions/rmdir
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Remove folders.
#
diff --git a/lib/keyringer/actions/shell b/lib/keyringer/actions/shell
index ab170b1..491fe0a 100755
--- a/lib/keyringer/actions/shell
+++ b/lib/keyringer/actions/shell
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Interactive shell.
#
diff --git a/lib/keyringer/actions/teardown b/lib/keyringer/actions/teardown
index 64da740..5bfb121 100755
--- a/lib/keyringer/actions/teardown
+++ b/lib/keyringer/actions/teardown
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Remove a keyring.
#
diff --git a/lib/keyringer/actions/tree b/lib/keyringer/actions/tree
index 8f9d7cd..9c09bfc 100755
--- a/lib/keyringer/actions/tree
+++ b/lib/keyringer/actions/tree
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# List keys, tree version.
#
diff --git a/lib/keyringer/actions/usage b/lib/keyringer/actions/usage
index 2ca7639..15096a0 100755
--- a/lib/keyringer/actions/usage
+++ b/lib/keyringer/actions/usage
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Show available commands
#
diff --git a/lib/keyringer/actions/xclip b/lib/keyringer/actions/xclip
index 7afdf05..0e60bbd 100755
--- a/lib/keyringer/actions/xclip
+++ b/lib/keyringer/actions/xclip
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Decrypt secret header to clipboard.
#
diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer
index 27cf919..fc952eb 100644
--- a/lib/keyringer/completions/bash/keyringer
+++ b/lib/keyringer/completions/bash/keyringer
@@ -93,12 +93,12 @@ _keyringer() {
recipients)
opts="ls edit"
;;
- ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find)
+ ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find|mv|cp)
cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)"
;;
- genpair)
- opts="gpg ssh ssl ssl-self"
+ genkeys|genpair)
+ opts="gpg ssh x509 x509-self ssl ssl-self"
;;
git)
opts="$(_keyringer_git_complete ${cur})"
@@ -112,11 +112,15 @@ _keyringer() {
esac
elif [ "${#COMP_WORDS[@]}" == "5" ]; then
case "${command}" in
+ mv|cp)
+ cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
+ opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)"
+ ;;
recipients)
cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
opts="$(cd $path/config/recipients && ls --color=never -p ${cur}* 2> /dev/null)"
;;
- genpair)
+ genkeys|genpair)
cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)"
;;
diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer
index ab95c3d..d4b89b1 100644
--- a/lib/keyringer/completions/zsh/_keyringer
+++ b/lib/keyringer/completions/zsh/_keyringer
@@ -49,12 +49,12 @@ _keyringer() {
recipients)
compadd "$@" ls edit
;;
- ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find)
+ ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find|mv|cp)
words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash
compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null)
;;
- genpair)
- compadd "$@" gpg ssh ssl ssl-self
+ genkeys|genpair)
+ compadd "$@" gpg ssh x509 x509-self ssl ssl-self
;;
git)
compadd "$@" $(_keyringer_git_complete $words[4])
@@ -68,11 +68,15 @@ _keyringer() {
;;
misc)
case "$words[3]" in
+ mv|cp)
+ words[5]="`echo $words[5] | sed -e "s|^/*||"`" # avoid leading slash
+ compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null)
+ ;;
recipients)
words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash
compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]* 2> /dev/null)
;;
- genpair)
+ genkeys|genpair)
words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash
compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null)
;;
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 42c047d..ab519b2 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# Common functions.
#
diff --git a/share/man/keyringer.1 b/share/man/keyringer.1
index 82cb520..13de085 100644
--- a/share/man/keyringer.1
+++ b/share/man/keyringer.1
@@ -201,13 +201,21 @@ Useful inside scripts.
.RS
.RE
.TP
-.B genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]>
+.B genkeys
+<\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]x509\f[]|\f[I]x509-self\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]>
[\f[I]options\f[]]
Wrapper to generate encryption key-pairs, useful for automated key
deployment.
.RS
.RE
.TP
+.B genpair
+<\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]x509\f[]|\f[I]x509-self\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]>
+[\f[I]options\f[]]
+Alias for \f[I]genkeys\f[] action.
+.RS
+.RE
+.TP
.B open <\f[I]secret\f[]>
Decrypt a secret into a temporary folder and open it using xdg-open,
which tries to figure out the file type and then calls the associated
@@ -377,7 +385,7 @@ so be careful when decrypting secrets and writing them to the disk or
other storage media.
.PP
Pay special attention that keyringer outputs data to stdout, which could
-be easilly spotted by any agent looking directly at you computer screen.
+be easily spotted by any agent looking directly at you computer screen.
.PP
The xclip action even copies secret data to the X11 clipboard, which can
be accessed by any application running in the user\[aq]s X11 session, so
diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn
index af098a3..55ae216 100644
--- a/share/man/keyringer.1.mdwn
+++ b/share/man/keyringer.1.mdwn
@@ -150,9 +150,12 @@ encrypt-batch <*secret*> [*file*]
: Encrypt content, batch mode. Behavior is identical to *encrypt* action, but less
verbose. Useful inside scripts.
-genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*]
+genkeys <*ssh*|*gpg*|*x509*|*x509-self*|*ssl*|*ssl-self*> [*options*]
: Wrapper to generate encryption key-pairs, useful for automated key deployment.
+genpair <*ssh*|*gpg*|*x509*|*x509-self*|*ssl*|*ssl-self*> [*options*]
+: Alias for *genkeys* action.
+
open <*secret*>
: Decrypt a secret into a temporary folder and open it using xdg-open, which
tries to figure out the file type and then calls the associated application.
@@ -288,7 +291,7 @@ Keyringer currently has the following limitations:
other storage media.
Pay special attention that keyringer outputs data to stdout, which could
- be easilly spotted by any agent looking directly at you computer screen.
+ be easily spotted by any agent looking directly at you computer screen.
The xclip action even copies secret data to the X11 clipboard, which can
be accessed by any application running in the user's X11 session, so use