export ipsec secret key to /var/cache/kiki

1 files changed, 16 insertions, 2 deletions

diff --git a/lib/Kiki.hs b/lib/Kiki.hs
index 333369f..b1f7ad7 100644
--- a/lib/Kiki.hs
+++ b/lib/Kiki.hs
@@ -233,8 +233,22 @@ refreshCache rt rootdir = do
 
     callCommand ("rm -rf "++ mkpath "*") -- clean up, in case gpg altered the keyring.
 
+    flip (maybe $ warn "missing working key?") (rtWorkingKey rt) $ \wk -> do
+
+    let grip = fingerprint wk
+        wkkd = rtKeyDB rt Map.! keykey wk
+
+    either warn (write $ mkpath "ipsec.d/private/" ++ Char8.unpack oname++".pem") $ do
+        -- Note: no sig check here. That may be incautious...
+        let my_ipsecs :: [Packet]
+            my_ipsecs = sortOn (Down . timestamp)
+                         $ getSubkeys Unsigned wk (keySubKeys wkkd) "ipsec"
+        case my_ipsecs of
+            ipsec:_ -> maybe (Left "unsupported ipsec key type") Right
+                            $ secretPemFromPacket ipsec
+            _       -> Left "missing ipsec key?"
+
     -- Finally, export public keys if they do not exist.
-    flip (maybe $ warn "missing working key?") (rtGrip rt) $ \grip -> do
     either warn (write $ mkpath "root/.ssh/id_rsa.pub")
             $ show_ssh' "ssh-client" grip (rtKeyDB rt)
     either warn (write $ mkpath "ssh_host_rsa_key.pub")
@@ -259,7 +273,7 @@ refreshCache rt rootdir = do
                 -- We find all cross-certified ipsec keys for the given cross-certified onion name.
                 ipsecs :: [Packet]
                 ipsecs = sortOn (Down . timestamp)
-                         $ getCrossSignedSubkeys their_master (keySubKeys kd) "ipsec"
+                         $ getSubkeys CrossSigned their_master (keySubKeys kd) "ipsec"
             bss <- forM (take 1 ipsecs) $ \k -> do
                 let warn' x = warn x >> return Char8.empty
                 flip (either warn') (pemFromPacket k :: Either String String) $ \pem -> do