From bf5b13dcf28fd74510d10ada387d4e1c65e2e171 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 22 Nov 2011 12:44:28 -0200 Subject: Removing old puppet docs --- README | 9 --------- 1 file changed, 9 deletions(-) diff --git a/README b/README index 534044e..8353610 100644 --- a/README +++ b/README @@ -118,15 +118,6 @@ Keyringer comes with a simple git wrapper to ease common management tasks: keyringer git push keyringer master keyringer git pull -Managing puppet node keys -------------------------- - -Keyringer is able to manage node keys for puppet nodes. First add the puppet -main and key folders into your keyring configuration: - - keyringer preferences add PUPPET=/path/to/puppet/config - keyringer preferences add PUPPET_KEYS=/path/to/puppet/keys - Configuration files, preferences and options -------------------------------------------- -- cgit v1.2.3 From 4d5b7821417d853b6a86fc794cc684ecc846ad6a Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 22 Nov 2011 12:50:18 -0200 Subject: Guessing a common mistake on init --- keyringer | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/keyringer b/keyringer index d057975..391646a 100755 --- a/keyringer +++ b/keyringer @@ -44,6 +44,12 @@ function keyringer_init { if [ -e "$BASEDIR" ]; then if [ ! -d "$BASEDIR/keys" ] || [ ! -e "$RECIPIENTS" ]; then echo "Invalid keyring $BASEDIR: incomplete installation" + + # A common mistake + if [ -d "$BASEDIR/../keys" ]; then + echo "You might try `cd $BASEDIR/.. && pwd` instead" + fi + exit 1 fi else -- cgit v1.2.3 From ff19dbc8518d5e7f7a6535f7bf651a245de51d35 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 22 Nov 2011 13:05:22 -0200 Subject: Custom keyid support --- README | 8 ++++++++ lib/keyringer/functions | 6 ++++++ share/keyringer/decrypt | 2 +- share/keyringer/edit | 4 ++-- share/keyringer/encrypt | 2 +- share/keyringer/genpair | 10 +++++----- share/keyringer/recrypt | 2 +- 7 files changed, 24 insertions(+), 10 deletions(-) 
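Review bot: The new hint line `echo "You might try `cd $BASEDIR/.. && pwd` instead"` leaves `$BASEDIR` unquoted inside the command substitution, so a keyring path containing spaces or glob characters makes the `cd` fail or land elsewhere and the hint prints an unrelated directory (or nothing). Quote it and use `$(...)`, which also reads cleanly inside the double-quoted string: `echo "You might try $(cd "$BASEDIR/.." && pwd) instead"`. The `-d "$BASEDIR/../keys"` test two lines above is already quoted, so this only makes the hint consistent with it. `keyringer_init` continues past the end of the hunk.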
diff --git a/README b/README index 8353610..585550a 100644 --- a/README +++ b/README @@ -130,6 +130,14 @@ Configuration files, preferences and options 3. Custom keyring options: $KEYRING_FOLDER/config/options: managed by "keyringer options". +Using a non-default OpenPGP key +------------------------------- + +If you want to use a different key other than your default for a given +keyringer, use + + keyringer preferences add KEYID=FINGERPRINT + Notes ----- diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 11d1b86..58f7ad1 100644 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -204,6 +204,12 @@ function keyringer_set_env { exit 1 fi + if [ ! -z "$KEYID" ]; then + GPG="gpg -u $KEYID" + else + GPG="gpg" + fi + # Check recipients file keyringer_check_recipients $SUBCOMMAND diff --git a/share/keyringer/decrypt b/share/keyringer/decrypt index c0584f2..adc1134 100755 --- a/share/keyringer/decrypt +++ b/share/keyringer/decrypt @@ -11,4 +11,4 @@ source "$LIB" || exit 1 keyringer_get_file "$2" # Decrypt -gpg --quiet --use-agent -d "$KEYDIR/$FILE" +$GPG --quiet --use-agent -d "$KEYDIR/$FILE" diff --git a/share/keyringer/edit b/share/keyringer/edit index 47945f3..73a59d9 100755 --- a/share/keyringer/edit +++ b/share/keyringer/edit @@ -17,7 +17,7 @@ echo "Make sure that $BASEDIR is atop of an encrypted volume." keyringer_set_tmpfile edit # Decrypt the information to the file -gpg --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" +$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" # Prompt echo "Press any key to open the decrypted data in $EDITOR, Ctrl-C to abort" @@ -25,7 +25,7 @@ read key "$EDITOR" "$TMPWORK" # Encrypt again -gpg --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") "$TMPWORK" +$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") "$TMPWORK" # Remove temp file keyringer_unset_tmpfile "$TMPWORK" 
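Review bot: `GPG="gpg -u $KEYID"` builds a command string from a value read out of the preferences file, and every call site in this commit expands `$GPG` unquoted, so whitespace or glob characters in `KEYID` become extra gpg arguments instead of being rejected. Since the README hunk documents `KEYID` as a fingerprint, the cheapest guard is to validate it before use, e.g. `case "$KEYID" in *[![:alnum:]@.!_+-]*) echo "Invalid KEYID: $KEYID" >&2; exit 1;; esac`; a bash array (`GPG=(gpg -u "$KEYID")` expanded as `"${GPG[@]}"`) would be the cleaner fix but touches every caller. The README should also say that a short 8-hex-digit key ID is not a safe selector, because colliding key IDs are cheap to generate, and that the full fingerprint (optionally with a trailing `!` to pin a specific subkey) is what `KEYID` should hold. `keyringer_set_env` starts before this hunk.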
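Review bot: The re-encrypt line in the second `edit` hunk writes straight over `$KEYDIR/$FILE` with `--yes -o` and its exit status is never checked, so if gpg fails — a recipient in `$RECIPIENTS` whose public key is missing, an agent or passphrase error — the next line removes the only plaintext copy while the stored ciphertext may already have been replaced, and the edit is lost silently. Encrypt into a staging file and only move it into place on success; how gpg treats its `-o` target on failure is not visible here, which is why staging is safer than an exit check alone. This assumes `keyringer_set_tmpfile` hands back a path in a private directory, since the staging file sits next to it. The decrypt hunk above has the same unchecked status, but there a failure only leaves an empty `$TMPWORK` for the editor to show.
```shell
# Encrypt again, into a staging file so a failed gpg run leaves the stored ciphertext intact
if $GPG --yes -o "$TMPWORK.out" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") "$TMPWORK"; then
  mv -f -- "$TMPWORK.out" "$KEYDIR/$FILE"
else
  echo "Encryption failed; $KEYDIR/$FILE was left unchanged and your edit was discarded" >&2
  rm -f -- "$TMPWORK.out"
  keyringer_unset_tmpfile "$TMPWORK"
  exit 1
fi

# … unchanged: keyringer_unset_tmpfile "$TMPWORK" …
```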
diff --git a/share/keyringer/encrypt b/share/keyringer/encrypt index 8cbf72a..709aac3 100755 --- a/share/keyringer/encrypt +++ b/share/keyringer/encrypt @@ -18,7 +18,7 @@ if [ "$BASENAME" == "encrypt" ]; then echo "Type your message and finish your input with EOF (Ctrl-D)." fi -gpg --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") - > "$KEYDIR/$FILE" +$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") - > "$KEYDIR/$FILE" # Stage if [ -d "$BASEDIR/.git" ]; then diff --git a/share/keyringer/genpair b/share/keyringer/genpair index 065111e..a5b06cc 100755 --- a/share/keyringer/genpair +++ b/share/keyringer/genpair @@ -52,7 +52,7 @@ function genpair_gpg { # TODO: insert random bytes # TODO: custom Name-Comment and Name-Email # TODO: allow for empty passphrases - gpg --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE" - gpg --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" + $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE" + $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" fi echo "Done" diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt index dac703a..a8f5267 100755 --- a/share/keyringer/recrypt +++ b/share/keyringer/recrypt @@ -12,7 +12,7 @@ function keyringer_recrypt { keyringer_get_file "$1" # Recrypt - gpg --use-agent -d "$KEYDIR/$FILE" | gpg --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$KEYDIR/$FILE" + $GPG --use-agent -d "$KEYDIR/$FILE" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$KEYDIR/$FILE" } if [ ! -z "$2" ]; then -- cgit v1.2.3 From 1d9651516753307463ee581fd5012e46d3f5593a Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 30 Nov 2011 11:22:01 -0200 Subject: SSL Wildcard with SubjectAltNames support for genpair --- share/keyringer/genpair | 50 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) 
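Review bot: In the `encrypt` hunk, `> "$KEYDIR/$FILE"` is opened by the shell before gpg starts, so when gpg fails or the user aborts at the "Type your message" prompt an empty file is left behind, and the staging block that follows (`if [ -d "$BASEDIR/.git" ]`, presumably a `git add`) then records that empty file as if it were a secret. Write to a staging name and rename only on success: `if ! $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") - > "$KEYDIR/$FILE.tmp"; then rm -f -- "$KEYDIR/$FILE.tmp"; exit 1; fi` followed by `mv -f -- "$KEYDIR/$FILE.tmp" "$KEYDIR/$FILE"`. The file holds ciphertext, so its mode matters less than the truncation, but whether the script sets a restrictive umask anywhere is not visible here.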
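Review bot: In the `genpair` hunk, `--export-secret-keys > "$OUTFILE"` writes the freshly generated secret key, ASCII-armored and — per the TODO about empty passphrases — possibly unprotected, into `$OUTFILE` under whatever umask the caller happens to have, and neither export's exit status is checked. Create the file mode 0600 and abort on failure: `( umask 077; $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE" ) || exit 1`. The hunk also drops the `gpg --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE"` line; if generation moved earlier in `genpair_gpg` that is fine, but the function starts before this hunk so it cannot be confirmed here, and without it the export produces an empty file. `-u $KEYID` carried by `$GPG` means nothing to `--export`, which is harmless but suggests `$GPG` was meant only for the signing and decrypting invocations.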
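Review bot: The `recrypt` pipeline reads and writes the same path — `-d "$KEYDIR/$FILE"` on the left, `> "$KEYDIR/$FILE"` on the right — and the shell truncates the output file when it sets up that redirection, racing the decrypting gpg's open of the same file; depending on timing the decryptor sees an empty file, the encryptor dutifully encrypts nothing, and the secret is destroyed. Write to a staging file and rename: `$GPG --use-agent -d "$KEYDIR/$FILE" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$KEYDIR/$FILE.tmp" && mv -f -- "$KEYDIR/$FILE.tmp" "$KEYDIR/$FILE"`. The later "Abort recryption on error" commit adds an exit-status check but not this, so the truncation remains after that commit too. `keyringer_recrypt` opens before this hunk.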
diff --git a/share/keyringer/genpair b/share/keyringer/genpair index a5b06cc..76683d2 100755 --- a/share/keyringer/genpair +++ b/share/keyringer/genpair @@ -84,20 +84,64 @@ EOF } # Generate a keypair, ssl version -# TODO: add the possibility of SubjectAltNames also for ssl-self and ssl modes -# so wildcard certs can work correctly. function genpair_ssl { echo "Make sure that $KEYDIR is atop of an encrypted volume." read -p "Hit ENTER to continue." prompt + # Check for wildcard certs + if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then + WILDCARD="yes" + CNAME="$NODE" + NODE="`echo $NODE | sed -e 's/^\*\.//'`" + else + CNAME="${NODE}" + fi + # Setup cd "$TMPWORK" # Generate certificate if [ "$KEYTYPE" == "ssl-cacert" ]; then + # We use a custom script for CaCert "$LIB/csr.sh" "$NODE" else - openssl req -nodes -newkey rsa:2048 -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem +cat <> openssl.conf +[ req ] +default_keyfile = ${NODE}_privatekey.pem +distinguished_name = req_distinguished_name +encrypt_key = no +req_extensions = v3_req # Extensions to add to certificate request +string_mask = nombstr + +[ req_distinguished_name ] +commonName_default = ${CNAME} +organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +emailAddress = Email Address +localityName = Locality +stateOrProvinceName = State +countryName = Country Name +commonName = Common Name + +[ v3_req ] +extendedKeyUsage=serverAuth,clientAuth +EOF + + # Add SubjectAltNames so wildcard certs can work correctly. + if [ "$WILDCARD" == "yes" ]; then +cat <> openssl.conf +subjectAltName=DNS:${NODE}, DNS:${CNAME} +EOF + fi + + echo "Please review your OpenSSL configuration:" + cat openssl.conf + read -p "Hit ENTER to continue." prompt + + openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ + -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem + + openssl req -noout -text -in ${NODE}_csr.pem fi # Self-sign -- cgit v1.2.3 
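Review bot: `echo $NODE | cut -d . -f 1` expands `$NODE` unquoted, and for exactly the names this branch exists for (`*.example.org`) the leading `*` is a glob that the shell matches against the current directory before `echo` sees it, so the wildcard check depends on which files happen to be in `$CWD`. Replace the subshell test with a quoted pattern match, which also drops the `sed`: `case "$NODE" in \*.*) WILDCARD="yes"; CNAME="$NODE"; NODE="${NODE#\*.}";; *) CNAME="$NODE";; esac`. Separately, `subjectAltName` is only emitted for wildcards, while modern clients increasingly ignore the CN and match on SAN alone, so emitting `subjectAltName=DNS:${CNAME}` unconditionally (adding the bare `DNS:${NODE}` in the wildcard case) is worth considering. `genpair_ssl` continues past the end of the hunk, and the heredoc opener appears as `cat <> openssl.conf` in this rendering, which looks like an extraction artefact of `cat <<EOF >> openssl.conf` rather than the committed text.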
From 21f45aae3dd8d1a2aecacb3a7307e03b26bfae70 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 30 Nov 2011 11:29:32 -0200 Subject: TODO --- share/keyringer/genpair | 1 + 1 file changed, 1 insertion(+) diff --git a/share/keyringer/genpair b/share/keyringer/genpair index 76683d2..140361a 100755 --- a/share/keyringer/genpair +++ b/share/keyringer/genpair @@ -167,6 +167,7 @@ EOF cd "$CWD" if [ ! -z "$OUTFILE" ]; then + # TODO: add outfiles into version control mkdir -p `dirname $OUTFILE` printf "Saving copies at %s.pem, %s.csr and %s.crt\n" "$OUTFILE" "$OUTFILE" "$OUTFILE" cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" -- cgit v1.2.3 From eb9fc837e97d4be9275a6ec07ebcab1a660bbcd8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 22 Dec 2011 16:47:45 -0200 Subject: Abort recryption on error --- share/keyringer/recrypt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt index a8f5267..438039d 100755 --- a/share/keyringer/recrypt +++ b/share/keyringer/recrypt @@ -13,6 +13,10 @@ function keyringer_recrypt { # Recrypt $GPG --use-agent -d "$KEYDIR/$FILE" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$KEYDIR/$FILE" + + if [ "$?" != "0" ]; then + exit 1 + fi } if [ ! -z "$2" ]; then -- cgit v1.2.3
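Review bot: `$?` after a pipeline is the exit status of its last stage only, so the new check in `recrypt` sees the encrypting gpg's status and never the decrypting one: when decryption fails (no matching secret key, agent error) the decryptor writes nothing, the encryptor encrypts an empty message with status 0, and the check passes while the secret is overwritten. Test both stages, `if [ "${PIPESTATUS[0]}" != "0" ] || [ "${PIPESTATUS[1]}" != "0" ]; then echo "Recryption of $FILE failed" >&2; exit 1; fi`, or put `set -o pipefail` at the top of the script; both are bash-specific, which matches the `function` keyword already used here. An exit check alone still leaves the same-file redirection in the pipeline, which truncates `$KEYDIR/$FILE` before the decryptor has necessarily read it, so this commit is a partial fix. `keyringer_recrypt` opens before this hunk.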