Diffstat (limited to 'share/keyringer/genpair')
-rwxr-xr-x | share/keyringer/genpair | 61 |
1 files changed, 53 insertions, 8 deletions
diff --git a/share/keyringer/genpair b/share/keyringer/genpair
index 405dd9e..aa27ad5 100755
--- a/share/keyringer/genpair
+++ b/share/keyringer/genpair
@@ -52,7 +52,7 @@ function genpair_gpg {
 # TODO: insert random bytes
 # TODO: custom Name-Comment and Name-Email
 # TODO: allow for empty passphrases
- gpg --homedir "$TMPWORK" --gen-key --batch <<EOF
+ $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF
 Key-Type: RSA
 Key-Length: 4096
 Subkey-Type: ELG-E
@@ -66,9 +66,9 @@ EOF
 # Encrypt the result
 echo "Encrypting secret key into keyringer..."
- gpg --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
+ $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE"
 echo "Encrypting public key into keyringer..."
- gpg --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
+ $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
 echo "Encrypting passphrase into keyringer..."
 echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd"
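Review bot: `$GPG` replaces the bare `gpg` command in this hunk and in the next two, but nothing visible here guarantees it is set; if it expands to empty, the first line degrades to `--homedir "$TMPWORK" --gen-key --batch`, and in the two export pipelines the failed first stage is hidden behind `keyringer_exec encrypt`, whose status is the pipeline's unless `pipefail` is enabled somewhere outside this hunk, so an empty secret key would be encrypted into `$FILE` and the function would still print "Done". Where GPG is defined is not in this diff; if it comes from a sourced config, an assertion at the top of genpair_gpg such as `: "${GPG:?GPG is not set}"` would make the failure visible. The unquoted expansion may be deliberate so that GPG can carry options; if so, a comment saying that is worth adding.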
@@ -76,28 +76,72 @@ EOF
 if [ ! -z "$OUTFILE" ]; then
 mkdir -p `dirname $OUTFILE`
 printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
- gpg --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
- gpg --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
+ $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE"
+ $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
 fi
 echo "Done"
 }
 # Generate a keypair, ssl version
-# TODO: add the possibility of SubjectAltNames also for ssl-self and ssl modes
-# so wildcard certs can work correctly.
 function genpair_ssl {
 echo "Make sure that $KEYDIR is atop of an encrypted volume."
 read -p "Hit ENTER to continue." prompt
+ # Check for wildcard certs
+ if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
+ WILDCARD="yes"
+ CNAME="$NODE"
+ NODE="`echo $NODE | sed -e 's/^\*\.//'`"
+ else
+ CNAME="${NODE}"
+ fi
+
 # Setup
 cd "$TMPWORK"
 # Generate certificate
 if [ "$KEYTYPE" == "ssl-cacert" ]; then
+ # We use a custom script for CaCert
 "$LIB/csr.sh" "$NODE"
 else
- openssl req -nodes -newkey rsa:2048 -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+cat <<EOF >> openssl.conf
+[ req ]
+default_keyfile = ${NODE}_privatekey.pem
+distinguished_name = req_distinguished_name
+encrypt_key = no
+req_extensions = v3_req # Extensions to add to certificate request
+string_mask = nombstr
+
+[ req_distinguished_name ]
+commonName_default = ${CNAME}
+organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+emailAddress = Email Address
+localityName = Locality
+stateOrProvinceName = State
+countryName = Country Name
+commonName = Common Name
+
+[ v3_req ]
+extendedKeyUsage=serverAuth,clientAuth
+EOF
+
+ # Add SubjectAltNames so wildcard certs can work correctly.
+ if [ "$WILDCARD" == "yes" ]; then
+cat <<EOF >> openssl.conf
+subjectAltName=DNS:${NODE}, DNS:${CNAME}
+EOF
+ fi
+
+ echo "Please review your OpenSSL configuration:"
+ cat openssl.conf
+ read -p "Hit ENTER to continue." prompt
+
+ openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \
+ -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+
+ openssl req -noout -text -in ${NODE}_csr.pem
 fi
 # Self-sign
@@ -123,6 +167,7 @@ function genpair_ssl {
 cd "$CWD"
 if [ ! -z "$OUTFILE" ]; then
+ # TODO: add outfiles into version control
 mkdir -p `dirname $OUTFILE`
 printf "Saving copies at %s.pem, %s.csr and %s.crt\n" "$OUTFILE" "$OUTFILE" "$OUTFILE"
 cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
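Review bot: The new wildcard check runs `echo $NODE` unquoted, and it runs before `cd "$TMPWORK"`, so a value such as `*.example.org` is glob-expanded against whatever the caller's current directory contains and the comparison with `*` (and the `sed` rewrite of NODE two lines below it) can silently produce the wrong name; parameter expansion does the same job with no subshell and no globbing. The first here-doc writes with `>> openssl.conf`, so if anything is already in `$TMPWORK` (whether that can happen depends on how TMPWORK is created, outside this hunk) the `[ req ]` sections are duplicated; only the subjectAltName line needs to append. A subjectAltName is emitted only for wildcards, but clients match the requested name against the SAN and ignore the CN, so the non-wildcard branch should also write `subjectAltName=DNS:${CNAME}`. Because `${NODE}` and `${CNAME}` are interpolated into a file that openssl parses, NODE should be restricted to hostname characters before the here-doc, e.g. `case "$NODE" in *[!A-Za-z0-9.*-]*) echo "invalid node name: $NODE" >&2; return 1;; esac`. genpair_ssl continues past the end of this hunk.
```shell
  # Check for wildcard certs: parameter expansion, so "*" is never globbed
  if [ "${NODE%%.*}" = "*" ]; then
    WILDCARD="yes"
    CNAME="$NODE"
    NODE="${NODE#\*.}"
  else
    WILDCARD="no"
    CNAME="${NODE}"
  fi

  # … unchanged: cd "$TMPWORK", ssl-cacert branch …

cat <<EOF > openssl.conf
# … unchanged: [ req ], [ req_distinguished_name ] and [ v3_req ] sections through EOF …

  # Always add a SubjectAltName; clients match the SAN, not the CN.
  if [ "$WILDCARD" == "yes" ]; then
    printf 'subjectAltName=DNS:%s, DNS:%s\n' "$NODE" "$CNAME" >> openssl.conf
  else
    printf 'subjectAltName=DNS:%s\n' "$CNAME" >> openssl.conf
  fi

  # … unchanged: review prompt and the two openssl req invocations …
```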