blob: 63960daea8305bfe690ff6a2edc65ec4016fec73 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
#!/bin/bash
#
# Generate keypairs.
#
# This script is just a wrapper to easily generate keys for
# automated systems.
#
# Generate a keypair, ssh version
function genpair_ssh {
echo "Make sure that $KEYDIR is atop of an encrypted volume."
read -p "Hit ENTER to continue." prompt
# TODO: programatically enter blank passphrase twice
ssh-keygen -t dsa -f $WORK/id_dsa -C "root@$NODE"
# Encrypt the result
echo "Encrypting secret key into keyringer..."
cat $WORK/id_dsa | keyringer_exec encrypt $BASEDIR $FILE
echo "Encrypting public key into keyringer..."
cat $WORK/id_dsa.pub | keyringer_exec encrypt $BASEDIR $FILE.pub
# TODO: add outfiles into version control
if [ ! -z "$OUTFILE" ]; then
mkdir -p `dirname $OUTFILE`
echo Saving copies at $OUTFILE and $OUTFILE.pub
cat $WORK/id_dsa > $OUTFILE
cat $WORK/id_dsa.pub > $OUTFILE.pub
fi
echo "Done"
}
# Generate a keypair, gpg version
function genpair_gpg {
echo "Make sure that $KEYDIR is atop of an encrypted volume."
read -s -p "Enter password for the private key: " passphrase
# TODO: insert 279 random bytes
# TODO: custom Name-Comment and Name-Email
# TODO: allow for empty passphrases
gpg --homedir $WORK --gen-key --batch <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 4096
Name-Real: $NODE
Name-Comment: backupninja
Name-Email: root@$NODE
Expire-Date: 0
Passphrase: $passphrase
%commit
EOF
# Encrypt the result
echo "Encrypting secret key into keyringer..."
gpg --armor --homedir $WORK --export-secret-keys | keyringer_exec encrypt $BASEDIR $FILE
echo "Encrypting public key into keyringer..."
gpg --armor --homedir $WORK --export | keyringer_exec encrypt $BASEDIR $FILE.pub
echo "Encrypting passphrase into keyringer..."
echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt $BASEDIR $FILE.passwd
# TODO: add outfiles into version control
if [ ! -z "$OUTFILE" ]; then
mkdir -p `dirname $OUTFILE`
echo Saving copies at $OUTFILE and $OUTFILE.pub
gpg --armor --homedir $WORK --export-secret-keys > $OUTFILE
gpg --armor --homedir $WORK --export > $OUTFILE.pub
fi
echo "Done"
}
# Generate a keypair, ssl version
function genpair_ssl {
echo "Make sure that $KEYDIR is atop of an encrypted volume."
read -p "Hit ENTER to continue." prompt
# Setup
cd $WORK
# Generate certificate
$LIB/csr.sh $NODE
# Self-sign
openssl x509 -in $NODE"_csr.pem" -out $NODE.crt -req -signkey $NODE"_privatekey.pem" -days 365
chmod 600 $NODE"_privatekey.pem"
# Encrypt the result
echo "Encrypting private key into keyringer..."
cat $NODE"_privatekey.pem" | keyringer_exec encrypt $BASEDIR $FILE.pem
echo "Encrypting certificate request into keyringer..."
cat $NODE"_csr.pem" | keyringer_exec encrypt $BASEDIR $FILE.csr
echo "Encrypting certificate into keyringer..."
cat $NODE.crt | keyringer_exec encrypt $BASEDIR $FILE.crt
cd $CWD
if [ ! -z "$OUTFILE" ]; then
mkdir -p `dirname $OUTFILE`
echo Saving copies at $OUTFILE.pem, $OUTFILE.csr and $OUTFILE.crt
cat $WORK/$NODE"_privatekey.pem" > $OUTFILE.pem
cat $WORK/$NODE"_csr.pem" > $OUTFILE.csr
cat $WORK/$NODE.crt > $OUTFILE.crt
fi
# Show cert fingerprint
openssl x509 -noout -in $WORK/$NODE.crt -fingerprint
echo "Done"
}
# Load functions
LIB="`dirname $0`/../../lib/keyringer"
source $LIB/functions
# Config
ACTIONS="`dirname $0`"
BASEDIR="$1"
KEYDIR="$BASEDIR/keys"
KEYTYPE="$2"
FILE="$3"
NODE="$4"
OUTFILE="$5"
BASENAME="`basename $0`"
CWD="`pwd`"
# Verify
if [ -z "$NODE" ]; then
echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|ssl> <file> <hostname> [outfile]"
echo -e "Options:"
echo -e "\t gpg|ssh|ssl: key type."
echo -e "\t file : base file name for encrypted output (relative to keys folder)"
echo -e "\t hostname : host for the key pair"
echo -e "\t outfile : optional unencrypted output file, useful for deployment"
exit 1
elif [ ! -e "$KEYDIR" ]; then
echo "Folder not found: $KEYDIR, leaving"
exit 1
fi
# Prepare
mkdir -p $KEYDIR && chmod 700 $KEYDIR
WORK="`mktemp -d $KEYDIR/genpair.XXXXXX`"
if [ "$?" != "0" ]; then
echo "Error setting up $WORK"
exit 1
else
trap "rm -rf $WORK" EXIT
fi
# Dispatch
echo "Generating $KEYTYPE for $NODE..."
genpair_$KEYTYPE
# Cleanup
cd $CWD
rm -rf $WORK
trap - EXIT
|