path: root/examples/samizdat-change-key.sh
#!/bin/sh
# samizdat-change-key.sh: (re)generate a node's key material.
#
# Flow, all in this file: generate a GPG key and make it the default key of
# this GNUPGHOME; generate a fresh tor private key through kiki and derive the
# .onion name from it; import, export or generate the strongswan, ssh-client
# and ssh-host secret keys; export the ssh public keys if they do not exist.
#
# Environment:
#   ROOT  prefix of the target filesystem; keys are written below
#         "$ROOT"/etc/..., "$ROOT"/var/... and "$ROOT"/root/...
#
# GNUPGHOME is exported a second time, hard-coded, further down in this file
# (see the TODO there); that later assignment is the one in the environment
# when gpg2 runs.
GNUPGHOME="$ROOT/gpg/gnupghome"
export GNUPGHOME

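# pem_to_onion_url KEYFILE
#   Print the .onion host name derived from the RSA private key in KEYFILE:
#   the public key is exported with ssh-keygen in PKCS#1 PEM form, the PEM
#   armour is stripped, and the first 10 bytes of the SHA-1 of the DER
#   public key are base32-encoded (RFC alphabet, lower-cased).
#   NOTE(review): this looks like the legacy 16-character onion address
#   derivation — confirm against the tor version in use.
#   Returns non-zero (perl dies) if ssh-keygen cannot be run, fails, or
#   yields no key material, so the caller's "|| exit" actually fires instead
#   of a bogus name computed from empty input being printed.
pem_to_onion_url()
{
  # ssh-keygen is started with the list form of open(), so the file name is
  # passed as an argument and never re-parsed by a shell; with qx() a ROOT
  # containing spaces or shell metacharacters would have broken the command.
  perl -MMIME::Base64 -MDigest::SHA=sha1 -MMIME::Base32=RFC -e '
  open(my $fh, "-|", "ssh-keygen", "-m", "PEM", "-e", "-f", $ARGV[0])
    or die "ssh-keygen: $!\n";
  my @lines = grep {!/[-:]/} <$fh>;
  close $fh or die "ssh-keygen failed for $ARGV[0]\n";
  my $key = decode_base64(join "", @lines);
  die "no key material read from $ARGV[0]\n" unless length $key;
  printf "%s.onion\n", lc MIME::Base32::encode(substr(sha1($key), 0, 10))' "$1"
}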

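# makepub TAG PATH
#   Export the public key of kiki keypair TAG to PATH (OpenSSH format, via
#   ssh-keygen -i -m PKCS8) unless PATH already exists.  Reports
#   "PATH: exported" on stderr when it wrote the file.
#   Returns 0 if PATH exists or was written, non-zero otherwise.
makepub () {
  tag="$1"
  path="$2"
  [ -f "$path" ] && return 0
  dir=$(dirname -- "$path") || return
  mkdir -p -- "$dir" || return
  # Convert into a temporary sibling file and rename it into place only when
  # the pipeline succeeded.  Redirecting straight to "$path" left an empty or
  # truncated file behind on failure, which the [ -f ] guard above would then
  # treat as a finished export on every later run.  The status checked is
  # ssh-keygen's (POSIX sh has no pipefail); a failed kiki shows up as empty
  # input, which ssh-keygen is expected to reject.
  tmp=$(mktemp "$dir/.makepub.XXXXXX") || return
  if kiki --show-pem "$tag" | ssh-keygen -f /dev/stdin -i -m PKCS8 > "$tmp"; then
    mv -- "$tmp" "$path" || { rm -f -- "$tmp"; return 1; }
    echo "$path": exported >&2
  else
    rm -f -- "$tmp"
    echo "$path": export failed >&2
    return 1
  fi
}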

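# External commands invoked by kiki in order to generate keys.
# Notice that $file will not be interpolated until kiki runs the command,
# which is why the templates are single-quoted here.  "$file" is quoted
# inside them so the shell that kiki spawns keeps a path with spaces intact
# (the existing "$(dirname ...)" already relies on that shell).
# -t rsa is explicit: the target names (id_rsa, ssh_host_rsa_key) and -b 2048
# only make sense for RSA, and newer OpenSSH releases default to a different
# key type, for which -b is ignored.
ssh='mkdir -p "$(dirname "$file")" && ssh-keygen -t rsa -P "" -q -f "$file" -b 2048'
# 1024-bit RSA is what the tor key below is generated with (its .onion name
# is derived from that key).  The same template is reused for the strongswan
# key further down, where that size is a weak choice for IPsec — consider a
# separate, larger template for it.
ssl='mkdir -p "$(dirname "$file")" && openssl genrsa -out "$file" 1024'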


# TODO: This probably shouldn't be hard coded here.
# This replaces the $ROOT-relative GNUPGHOME exported at the top of the file;
# being the later assignment, it is the value in the environment when gpg2
# (and anything it spawns) runs.
GNUPGHOME=/gpg/gnupghome
export GNUPGHOME

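#####
##### GENERATE GPG KEY
#####
# gpg2 is interactive here; abort the whole key change if it fails or is
# cancelled instead of writing a default-key for a key that was never made.
gpg2 --gen-key || exit

echo "What is the keygrip of the new key? (paste it here from scroll)"
# -r keeps backslashes literal.  The value is written verbatim into gpg.conf
# below, so refuse anything empty or containing whitespace, which would turn
# into a malformed or an extra config line.
read -r keygrip
case "$keygrip" in
  ''|*[[:space:]]*)
    echo "invalid keygrip: '$keygrip'" >&2
    exit 1
    ;;
esac
# Keep a backup of any existing gpg.conf, then select the new key.
[ -f "$GNUPGHOME/gpg.conf" ] && mv -- "$GNUPGHOME/gpg.conf" "$GNUPGHOME/gpg.conf.bak"
echo "default-key $keygrip" > "$GNUPGHOME/gpg.conf"

# Read the passphrase without echoing it when stdin is a terminal.  `read -s`
# is a bashism and this is /bin/sh, so use stty; the EXIT trap restores echo
# if the read is interrupted.  Piped input is read as before, without a prompt.
if tty -s; then
  printf 'Passphrase: '
  stty -echo
  trap 'stty echo' EXIT
fi
read -r passphrase
if tty -s; then
  stty echo
  trap - EXIT
  printf '\n'
fi

# First, we ensure that the tor key does not exist
# so that it will be created new.
torkey="$ROOT"/var/lib/tor/samizdat/private_key
[ -f "$torkey" ] && rm -vf -- "$torkey"

# The passphrase reaches kiki on stdin (--passphrase-fd 0) rather than argv,
# so it is not visible in the process list.  printf instead of echo: a
# passphrase starting with '-' or containing backslashes must arrive verbatim.
printf '%s\n' "$passphrase" | \
  kiki --keypairs tor="$torkey{$ssl}" \
       --passphrase-fd 0  || exit
onion_url=$(pem_to_onion_url "$torkey") || exit

key_sw="$ROOT"/etc/ipsec.d/private/"$onion_url".pem
key_cl="$ROOT"/root/.ssh/id_rsa
key_sv="$ROOT"/etc/ssh/ssh_host_rsa_key

[ -f "$key_sw" ] && rm -vf -- "$key_sw"
[ -f "$key_cl" ] && rm -vf -- "$key_cl"
# [ -f $key_sv ] && rm -rvf $key_sv  #### XXX: not deleting ssh host key

# Now import, export, or generate the remaining secret keys.
# The key paths are the key_* variables above, so the files deleted and the
# files kiki writes cannot drift apart.
# NOTE(review): the strongswan key uses the same 1024-bit $ssl template as
# the tor key; that size is a weak choice for IPsec.
printf '%s\n' "$passphrase" | \
  kiki --keypairs                      \
          strongswan="$key_sw{$ssl}"   \
          ssh-client="$key_cl{$ssh}"   \
          ssh-host="$key_sv{$ssh}"     \
       --passphrase-fd 0  || exit

# Finally, export public keys if they do not exist.
makepub ssh-client "$key_cl.pub"
makepub ssh-host   "$key_sv.pub"

# TODO: makepub can be made obsolete by implementing something like this:
# kiki --public ssh-client=$ROOT$HOME/.ssh/id_rsa.pub          \
#               ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key.pub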