3 # Copyright (C) 2022-2024 Sergey Matveev <stargrave@stargrave.org>
5 setopt ERR_EXIT PIPE_FAIL
10 ~/work/gogost/cmd/cer-selfsigned-example
11 ~/work/gogost/cmd/cer-dane-hash
16 age -R ~/.age/general.pub
20 age -d -i ~/.age/general.age
23 # ------------------------ >8 ------------------------
28 \$ $ZSH_ARGZERO:t ca [ecdsa|gost|eddsa] NAME -- new CA keypair
29 \$ $ZSH_ARGZERO:t list-ca -- list CA keypairs
30 \$ $ZSH_ARGZERO:t list -- list EE ones
31 \$ $ZSH_ARGZERO:t rem -- list certificate expirations
32 \$ $ZSH_ARGZERO:t new KEY -- new EE
33 \$ $ZSH_ARGZERO:t renew KEY -- renew EE
34 \$ $ZSH_ARGZERO:t dane KEY -- show DANE SHA256 hash
35 \$ $ZSH_ARGZERO:t encrypt KEY -- encrypt private key
36 \$ $ZSH_ARGZERO:t keypair KEY -- PEM-encoded full keypair
41 zmodload -F zsh/files b:zf_mkdir
45 if [[ -s $1/key.pem ]] ; then
46 REPLY=`< ${1}/key.pem`
48 REPLY=`key_decrypt < ${1}/key.pem.enc`
53 certtool --generate-privkey ${=1} --no-text
62 trap "rm -f $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
64 dn = "cn=$domain,c=$COUNTRY"
65 expiration_days = 3650
69 certtool_genkey "$keytype" > $key
71 --generate-self-signed \
75 reply=(${mapfile[$key]} ${mapfile[$cert]})
79 ca_new_xdsa "--key-type=ecdsa --bits 512" $1
83 certtool_genkey "--key-type=ecdsa --bits 256"
87 ca_new_xdsa "--key-type=ed25519" $1
91 certtool_genkey "--key-type=ed25519"
95 cer-selfsigned-example -cn does-not-matter -ai 256A -only-key
106 trap "rm -f $cakey $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
108 mapfile[$cakey]=$REPLY
109 key_get ee/$algo/$ca/$domain
112 dn = "cn=$domain,c=RU"
113 expiration_days = 365
118 --load-ca-certificate ca/$algo/$ca/cer.pem \
119 --load-ca-privkey $cakey \
120 --generate-certificate \
121 --load-privkey $key \
126 ee_renew_xdsa ecdsa "$1" "$2"
130 ee_renew_xdsa eddsa "$1" "$2"
139 trap "rm -f $cakey $key $cert" HUP PIPE INT QUIT TERM EXIT
141 mapfile[$cakey]=$REPLY
143 cat >> $cakey < ca/gost/$ca/cer.pem
144 key_get ee/gost/$ca/$domain
146 cer-selfsigned-example \
149 -cn $domain -country $COUNTRY -ai 256A
156 trap "rm -f $key $cert" HUP PIPE INT QUIT TERM EXIT
157 cer-selfsigned-example \
164 reply=(${mapfile[$key]} ${mapfile[$cert]})
168 certtool --key-id --hash=sha256
181 [[ $# -eq 3 ]] || usage
186 [[ ! -s $dst/key.pem ]] || {
187 print $dst/key.pem already exists >&2
190 ca_new_${algo} $domain
193 mapfile[${dst}/key.pem]=${reply[1]}
195 mapfile[${dst}/cer.pem]=${reply[2]}
199 [[ $# -eq 2 ]] || usage
202 print no $key found >&2
206 key_encrypt < $key > $key.enc
210 [[ $# -eq 2 ]] || usage
215 dst=ee/$algo/$ca/$domain
218 [[ ! -s $dst/key.pem ]] || {
219 print $dst/key.pem already exists >&2
224 ee_key_new_${algo} > $dst/key.pem
226 ee_renew_${algo} $ca $domain > $dst/cer.pem
229 [[ $# -eq 2 ]] || usage
234 ee_renew_${algo} $ca $domain > ee/$algo/$ca/$domain/cer.pem
237 [[ $# -eq 2 ]] || usage
238 dane_${${(s:/:)2}[2]} < $2/cer.pem
241 [[ $# -eq 2 ]] || usage
247 zmodload -F zsh/datetime b:strftime
249 for cer (**/cer.pem) {
250 certtool --certificate-info < $cer | while read line ; do
251 [[ ! $line =~ "^Not After: .*" ]] || break
254 # Not After: Sat Jul 02 10:02:29 UTC 2022
256 strftime -s ts_ugly -r "%b %d %H:%M:%S UTC %Y" ${(j: :)cols[4,-1]}
257 strftime -s ts_good %F $ts_ugly
258 print REM $ts_good +30 MSG $cer
261 (list) print -C1 ee/*/*/*(/on) ;;
262 (list-ca) print -C1 ca/*/*(/on) ;;