blob: 1fde8d126730b77bab9cdbe0502b8215a9e422db (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
#!/bin/sh
export GNUPGHOME=$ROOT/gpg/gnupghome
pem_to_onion_url()
{
perl -MMIME::Base64 -MDigest::SHA=sha1 -MMIME::Base32=RFC -e '
$key=decode_base64(join "", grep {!/[-:]/} qx(ssh-keygen -m PEM -e -f $ARGV[0]));
printf "%s.onion\n", lc MIME::Base32::encode(substr(sha1($key), 0, 10))' "$1"
}
makepub () {
tag="$1"
path="$2"
[ -f $path ] || {
mkdir -p "$(dirname $path)"
kiki --show-pem "$tag" | ssh-keygen -f /dev/stdin -i -m PKCS8 > "$path"
echo "$path": exported >&2
}
}
# External commands invoked by kiki in order to generate keys.
# Notice that $file will not be interpolated until kiki runs the command.
ssh='mkdir -p "$(dirname $file)" && ssh-keygen -P "" -q -f $file -b 2048'
ssl='mkdir -p "$(dirname $file)" && openssl genrsa -out $file 1024'
tty -s && echo -n 'Passphrase: '
read passphrase
# First, we ensure that the tor key exists and is imported
# so that we know where to put the strongswan key.
torkey="$ROOT"/var/lib/tor/samizdat/private_key
echo "$passphrase" | \
kiki --keypairs tor="$torkey{$ssl}" \
--passphrase-fd 0 || exit
onion_url=$(pem_to_onion_url "$torkey") || exit
# Now import, export, or generate the remaining secret keys.
echo "$passphrase" | \
kiki --keypairs \
strongswan="$ROOT"/etc/ipsec.d/private/"$onion_url".pem{"$ssl"} \
ssh-client="$ROOT"/root/.ssh/id_rsa{"$ssh"} \
ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key{"$ssh"} \
--passphrase-fd 0 || exit
# Finally, export public keys if they do not exist.
makepub ssh-client "$ROOT/root/.ssh/id_rsa.pub"
makepub ssh-host "$ROOT/etc/ssh/ssh_host_rsa_key.pub"
# TODO: makepub can be made obsolete by implementing something like this:
# kiki --public ssh-client=$ROOT$HOME/.ssh/id_rsa.pub \
# ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key.pub
|
