Use SSHFP keyhash-based filename for private key

The same should be used for the public key, but isn't (yet).

1 files changed, 11 insertions, 6 deletions

diff --git a/cryptonomic-vpn b/cryptonomic-vpn
index 68669da..364606c 100755
--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -48,11 +48,6 @@ NO_ACT=y
 REMOTE_KEY_TYPE=rsa
 LOCAL_KEY=ssh_host_rsa_key
 
-# Hard-coded private key source and destinations.
-LOCAL_KEY_DEST_BASENAME=ssh_host_rsa_key
-LOCAL_PRIVATE_KEY_DEST=/etc/swanctl/private/$LOCAL_KEY_DEST_BASENAME
-LOCAL_PUBLIC_KEY_DEST=/etc/swanctl/pubkey/$LOCAL_KEY_DEST_BASENAME.pub
-
 die() { printf 'Error: %s\n' "$*" >&2; exit 1; }
 warn() { printf 'Warning: %s\n' "$*" >&2; }
 
@@ -129,12 +124,15 @@ validate_remote_key_type()
 
 validate_local_key()
 {
-    # TODO: check that it is RSA
     case "$LOCAL_KEY" in
         */*) ;;
         *) LOCAL_KEY=/etc/ssh/$LOCAL_KEY ;;
     esac
     [ -f "$LOCAL_KEY" -a -r "$LOCAL_KEY" ] || die "could not read local key (filename=$LOCAL_KEY)"
+
+    LOCAL_KEY_DEST_BASENAME=$(sshfp_filename_string "$LOCAL_KEY") || die "parsing local key (filename=$LOCAL_KEY)"
+    LOCAL_PRIVATE_KEY_DEST=/etc/swanctl/private/$LOCAL_KEY_DEST_BASENAME
+    LOCAL_PUBLIC_KEY_DEST=/etc/swanctl/pubkey/$LOCAL_KEY_DEST_BASENAME.pub
 }
 
 main()
@@ -248,6 +246,13 @@ write_remote_key()
     esac
 }
 
+sshfp_filename_string()
+{
+    local keytype=1 hashtype=2
+    ssh-keygen -r. -f "$1" | sed -ne "/^. IN SSHFP $keytype $hashtype / { s/. IN //; y/ /_/; p; q; }"
+}
+
+
 install_local_private_key()
 {
     private_key_tmp=$(mktemp) || return