authorSilvio Rhatto <rhatto@riseup.net>2012-01-03 19:50:51 -0200
committerSilvio Rhatto <rhatto@riseup.net>2012-01-03 19:50:51 -0200
commite32f88eaea694f7f0befa283df128a4dcd94aaa4 (patch)
treee725dec17443f4deba5b5ff4cd7d0700e5199b3a
parentfc4741eb7f96d94ce8de70d9e5082a294cc30202 (diff)
parenteb9fc837e97d4be9275a6ec07ebcab1a660bbcd8 (diff)
downloadkeyringer-e32f88eaea694f7f0befa283df128a4dcd94aaa4.tar.gz
keyringer-e32f88eaea694f7f0befa283df128a4dcd94aaa4.tar.bz2
Merge branch 'master' into ruby
-rw-r--r--README17
-rwxr-xr-xkeyringer6
-rw-r--r--lib/bash/functions6
-rwxr-xr-xshare/keyringer/decrypt2
-rwxr-xr-xshare/keyringer/edit4
-rwxr-xr-xshare/keyringer/encrypt2
-rwxr-xr-xshare/keyringer/genpair61
-rwxr-xr-xshare/keyringer/recrypt6
8 files changed, 82 insertions, 22 deletions
diff --git a/README b/README
index f3188f6..3ec56e6 100644
--- a/README
+++ b/README
@@ -118,15 +118,6 @@ Keyringer comes with a simple git wrapper to ease common management tasks:
keyringer <keyring> git push keyringer master
keyringer <keyring> git pull
-Managing puppet node keys
--------------------------
-
-Keyringer is able to manage node keys for puppet nodes. First add the puppet
-main and key folders into your keyring configuration:
-
- keyringer <keyring> preferences add PUPPET=/path/to/puppet/config
- keyringer <keyring> preferences add PUPPET_KEYS=/path/to/puppet/keys
-
Configuration files, preferences and options
--------------------------------------------
@@ -139,6 +130,14 @@ Configuration files, preferences and options
3. Custom keyring options: $KEYRING_FOLDER/config/options: managed by
"keyringer <keyring> options".
+Using a non-default OpenPGP key
+-------------------------------
+
+If you want to use a different key other than your default for a given
+keyringer, use
+
+ keyringer <keyring> preferences add KEYID=FINGERPRINT
+
Notes
-----
diff --git a/keyringer b/keyringer
index 376e2ae..7dde351 100755
--- a/keyringer
+++ b/keyringer
@@ -44,6 +44,12 @@ function keyringer_init {
if [ -e "$BASEDIR" ]; then
if [ ! -d "$BASEDIR/keys" ] || [ ! -e "$RECIPIENTS" ]; then
echo "Invalid keyring $BASEDIR: incomplete installation"
+
+ # A common mistake
+ if [ -d "$BASEDIR/../keys" ]; then
+ echo "You might try `cd $BASEDIR/.. && pwd` instead"
+ fi
+
exit 1
fi
else
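Review bot: The hint on the added line `echo "You might try \`cd $BASEDIR/.. && pwd\` instead"` expands `$BASEDIR` unquoted inside the backticks, so a keyring path containing whitespace makes the inner `cd` fail and, because of the `&&`, the substitution comes back empty and the user is told to try "" instead. Quote the path and use the nestable form: `echo "You might try $(cd "$BASEDIR/.." && pwd) instead"`. keyringer_init continues outside the hunk.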
diff --git a/lib/bash/functions b/lib/bash/functions
index 11d1b86..58f7ad1 100644
--- a/lib/bash/functions
+++ b/lib/bash/functions
@@ -204,6 +204,12 @@ function keyringer_set_env {
exit 1
fi
+ if [ ! -z "$KEYID" ]; then
+ GPG="gpg -u $KEYID"
+ else
+ GPG="gpg"
+ fi
+
# Check recipients file
keyringer_check_recipients $SUBCOMMAND
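Review bot: `GPG="gpg -u $KEYID"` stores a command line in a string that the other scripts expand unquoted, so a KEYID value containing whitespace, quotes or glob characters becomes extra gpg arguments instead of being rejected. The README documents KEYID as a fingerprint, so validate it before building the command: `if ! printf '%s' "$KEYID" | grep -qE '^(0x)?[0-9A-Fa-f]+$'; then echo "Invalid KEYID: $KEYID"; exit 1; fi`. As far as I know gpg's `-u` only chooses the signing key — decryption still uses whichever secret key matches the message — so its effect is narrower than "use a different key" in the README suggests; a comment stating that here would help. `[ ! -z "$KEYID" ]` reads more naturally as `[ -n "$KEYID" ]`. keyringer_set_env continues outside the hunk.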
diff --git a/share/keyringer/decrypt b/share/keyringer/decrypt
index c316e8d..fbc5fe3 100755
--- a/share/keyringer/decrypt
+++ b/share/keyringer/decrypt
@@ -11,4 +11,4 @@ source "$LIB" || exit 1
keyringer_get_file "$2"
# Decrypt
-gpg --quiet --use-agent -d "$KEYDIR/$FILE"
+$GPG --quiet --use-agent -d "$KEYDIR/$FILE"
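Review bot: `$GPG` on the new line is deliberately left unquoted so that a `gpg -u KEYID` value from keyringer_set_env splits into command and arguments, but nothing says so and ShellCheck will flag it; a comment above the call such as `# $GPG is intentionally unquoted: it may expand to "gpg -u KEYID"` saves the next reader from "fixing" it. If GPG is unset — assuming the scripts only receive it through keyringer_set_env — the line degrades to executing `--quiet`; `${GPG:-gpg}` keeps the previous behaviour as a fallback. The same applies to the `$GPG` substitutions in edit, encrypt, genpair and recrypt.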
diff --git a/share/keyringer/edit b/share/keyringer/edit
index d729aa6..729c24b 100755
--- a/share/keyringer/edit
+++ b/share/keyringer/edit
@@ -17,7 +17,7 @@ echo "Make sure that $BASEDIR is atop of an encrypted volume."
keyringer_set_tmpfile edit
# Decrypt the information to the file
-gpg --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE"
+$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE"
# Prompt
echo "Press any key to open the decrypted data in $EDITOR, Ctrl-C to abort"
@@ -25,7 +25,7 @@ read key
"$EDITOR" "$TMPWORK"
# Encrypt again
-gpg --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") "$TMPWORK"
+$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") "$TMPWORK"
# Remove temp file
keyringer_unset_tmpfile "$TMPWORK"
diff --git a/share/keyringer/encrypt b/share/keyringer/encrypt
index 915af3c..bbba2c4 100755
--- a/share/keyringer/encrypt
+++ b/share/keyringer/encrypt
@@ -18,7 +18,7 @@ if [ "$BASENAME" == "encrypt" ]; then
echo "Type your message and finish your input with EOF (Ctrl-D)."
fi
-gpg --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") - > "$KEYDIR/$FILE"
+$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") - > "$KEYDIR/$FILE"
# Stage
if [ -d "$BASEDIR/.git" ]; then
diff --git a/share/keyringer/genpair b/share/keyringer/genpair
index 405dd9e..aa27ad5 100755
--- a/share/keyringer/genpair
+++ b/share/keyringer/genpair
@@ -52,7 +52,7 @@ function genpair_gpg {
# TODO: insert random bytes
# TODO: custom Name-Comment and Name-Email
# TODO: allow for empty passphrases
- gpg --homedir "$TMPWORK" --gen-key --batch <<EOF
+ $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: ELG-E
@@ -66,9 +66,9 @@ EOF
# Encrypt the result
echo "Encrypting secret key into keyringer..."
- gpg --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
+ $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
echo "Encrypting public key into keyringer..."
- gpg --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
+ $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
echo "Encrypting passphrase into keyringer..."
echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd"
@@ -76,28 +76,72 @@ EOF
if [ ! -z "$OUTFILE" ]; then
mkdir -p `dirname $OUTFILE`
printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
- gpg --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
- gpg --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
+ $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
+ $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
fi
echo "Done"
}
# Generate a keypair, ssl version
-# TODO: add the possibility of SubjectAltNames also for ssl-self and ssl modes
-# so wildcard certs can work correctly.
function genpair_ssl {
echo "Make sure that $KEYDIR is atop of an encrypted volume."
read -p "Hit ENTER to continue." prompt
+ # Check for wildcard certs
+ if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
+ WILDCARD="yes"
+ CNAME="$NODE"
+ NODE="`echo $NODE | sed -e 's/^\*\.//'`"
+ else
+ CNAME="${NODE}"
+ fi
+
# Setup
cd "$TMPWORK"
# Generate certificate
if [ "$KEYTYPE" == "ssl-cacert" ]; then
+ # We use a custom script for CaCert
"$LIB/csr.sh" "$NODE"
else
- openssl req -nodes -newkey rsa:2048 -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+cat <<EOF >> openssl.conf
+[ req ]
+default_keyfile = ${NODE}_privatekey.pem
+distinguished_name = req_distinguished_name
+encrypt_key = no
+req_extensions = v3_req # Extensions to add to certificate request
+string_mask = nombstr
+
+[ req_distinguished_name ]
+commonName_default = ${CNAME}
+organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+emailAddress = Email Address
+localityName = Locality
+stateOrProvinceName = State
+countryName = Country Name
+commonName = Common Name
+
+[ v3_req ]
+extendedKeyUsage=serverAuth,clientAuth
+EOF
+
+ # Add SubjectAltNames so wildcard certs can work correctly.
+ if [ "$WILDCARD" == "yes" ]; then
+cat <<EOF >> openssl.conf
+subjectAltName=DNS:${NODE}, DNS:${CNAME}
+EOF
+ fi
+
+ echo "Please review your OpenSSL configuration:"
+ cat openssl.conf
+ read -p "Hit ENTER to continue." prompt
+
+ openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \
+ -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+
+ openssl req -noout -text -in ${NODE}_csr.pem
fi
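Review bot: The wildcard test on the added `if [ "\`echo $NODE | cut -d . -f 1\`" == "*" ]` line expands `$NODE` unquoted, so a value such as `*.example.org` is a glob the shell matches against the current directory (the `cd "$TMPWORK"` comes later); if a file happens to match, the test fails silently and the request is built for the wrong name. Parameter expansion avoids the glob and both forks, and `WILDCARD` should be set explicitly in the `else` branch so a value inherited from the environment cannot switch on the SAN block. `$NODE` and `$CNAME` are also interpolated unescaped into openssl.conf, so a name containing a newline or `[` would add directives of its own; the "Please review" prompt mitigates this, but checking that NODE holds only hostname characters before the heredoc is cheaper than relying on the reader. `>>` appends to openssl.conf, which is only safe if `$TMPWORK` is fresh for every run — I cannot see that here. genpair_ssl continues past the end of the hunk.
```shell
  # Check for wildcard certs
  if [ "${NODE%%.*}" == "*" ]; then
    WILDCARD="yes"
    CNAME="$NODE"
    NODE="${NODE#\*.}"
  else
    WILDCARD="no"
    CNAME="$NODE"
  fi
  # … unchanged: cd "$TMPWORK", certificate generation …
```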
# Self-sign
@@ -123,6 +167,7 @@ function genpair_ssl {
cd "$CWD"
if [ ! -z "$OUTFILE" ]; then
+ # TODO: add outfiles into version control
mkdir -p `dirname $OUTFILE`
printf "Saving copies at %s.pem, %s.csr and %s.crt\n" "$OUTFILE" "$OUTFILE" "$OUTFILE"
cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt
index f25450a..f3d7be7 100755
--- a/share/keyringer/recrypt
+++ b/share/keyringer/recrypt
@@ -12,7 +12,11 @@ function keyringer_recrypt {
keyringer_get_file "$1"
# Recrypt
- gpg --use-agent -d "$KEYDIR/$FILE" | gpg --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$KEYDIR/$FILE"
+ $GPG --use-agent -d "$KEYDIR/$FILE" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$KEYDIR/$FILE"
+
+ if [ "$?" != "0" ]; then
+ exit 1
+ fi
}
if [ ! -z "$2" ]; then
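Review bot: `$?` in the added check carries only the status of the last stage of the pipeline above, the encrypting gpg, so a failed decryption (wrong key, no agent, corrupt file) still exits 0 — and by then the encrypt stage has already written an encrypted empty message over `$KEYDIR/$FILE`. Check both stages instead: `if [ "${PIPESTATUS[0]}" != "0" ] || [ "${PIPESTATUS[1]}" != "0" ]; then` (it must stay the first command after the pipeline; the blank line is fine). Because the redirection truncates the very file the first gpg is reading, decrypting into the temporary file that `keyringer_set_tmpfile` provides in edit and moving it into place only on success would also close the data-loss window. keyringer_recrypt starts outside the hunk.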