3 # Copyright (C) 2022-2023 Sergey Matveev <stargrave@stargrave.org>
# NOTE(review): presumably these two gogost work-tree directories are added to
# the command search path so that cer-selfsigned-example (invoked further down
# as a bare command) resolves; the enclosing assignment is not visible here.
# Whoever can write to these directories controls the binaries that handle the
# GOST private keys, so their permissions matter as much as the key files'.
10 ~/work/gogost/cmd/cer-selfsigned-example
11 ~/work/gogost/cmd/cer-dane-hash
# At-rest protection of private keys uses age(1):
#   -R FILE     encrypt to the recipients listed in ~/.age/general.pub
#   -d -i FILE  decrypt with the identity file ~/.age/general.age
# Every stored key.pem.enc is only as well protected as that identity file.
# NOTE(review): these look like the bodies of the key_encrypt / key_decrypt
# helpers called later in the script; their definitions are not visible here.
16 age -R ~/.age/general.pub
20 age -d -i ~/.age/general.age
23 # ------------------------ >8 ------------------------
28 \$ $ZSH_ARGZERO:t ca [ecdsa|gost|eddsa] NAME -- new CA keypair
29 \$ $ZSH_ARGZERO:t list-ca -- list CA keypairs
30 \$ $ZSH_ARGZERO:t list -- list EE ones
31 \$ $ZSH_ARGZERO:t rem -- list certificate expirations
32 \$ $ZSH_ARGZERO:t new KEY -- new EE
33 \$ $ZSH_ARGZERO:t renew KEY -- renew EE
34 \$ $ZSH_ARGZERO:t dane KEY -- show DANE SHA256 hash
35 \$ $ZSH_ARGZERO:t encrypt KEY -- encrypt private key
36 \$ $ZSH_ARGZERO:t keypair KEY -- PEM-encoded full keypair
# Load only the zf_mkdir builtin from the zsh/files module.
41 zmodload -F zsh/files b:zf_mkdir
# Fetch the private key stored under directory $1 into REPLY: use the plaintext
# key.pem when it exists and is non-empty, otherwise decrypt key.pem.enc.
# Because this is an `a && b || c` chain, the decrypt branch also runs when
# reading the plaintext file fails. If key_decrypt fails too, REPLY is left
# empty; the callers visible in this excerpt copy REPLY into a file without
# checking the status -- NOTE(review): confirm failures are caught elsewhere.
45 [[ -s $1/key.pem ]] &&
46 REPLY=`< ${1}/key.pem` ||
47 REPLY=`key_decrypt < ${1}/key.pem.enc`
# Generate a private key with GnuTLS certtool. ${=1} deliberately word-splits
# the single argument so that a string such as "--key-type=ecdsa --bits 512"
# becomes separate options. That is only safe because the callers visible here
# pass fixed literal strings; never route user-supplied text through $1.
51 certtool --generate-privkey ${=1} --no-text
# Clean up the temporary key, template and certificate files on exit or signal.
# The trap string is double-quoted, so $key/$tmpl/$cert are expanded now and the
# resulting text is parsed again as shell code when the trap fires: a path with
# whitespace or shell metacharacters would be misparsed at that point.
# NOTE(review): presumably these are mktemp-style paths -- confirm.
# rm -f only unlinks; the plaintext CA private key written to $key below is not
# overwritten, so the temporary directory should be memory-backed or otherwise
# trusted -- TODO confirm where these files live and with what mode.
# The certtool template that follows gives the CA certificate a
# 3650-day lifetime and takes the country from $COUNTRY.
60 trap "rm -f $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
62 dn = "cn=$domain,c=$COUNTRY"
63 expiration_days = 3650
67 certtool_genkey "$keytype" > $key
69 --generate-self-signed \
# Return key and certificate contents to the caller through the reply array
# (read via the mapfile special array). The expansions are unquoted: zsh does
# not word-split them, but an empty expansion is dropped entirely, so if the key
# file were empty reply[1] would hold the certificate instead of the key.
73 reply=(${mapfile[$key]} ${mapfile[$cert]})
# Per-algorithm wrappers (their function headers are not visible in this
# excerpt). The option strings are fixed literals that certtool_genkey splits
# into separate arguments.
# ECDSA: CA keys are requested with --bits 512, end-entity keys with --bits 256.
# NOTE(review): certtool maps --bits to a curve for ECDSA; confirm which curve
# 512 selects in the installed GnuTLS version.
77 ca_new_xdsa "--key-type=ecdsa --bits 512" $1
81 certtool_genkey "--key-type=ecdsa --bits 256"
# EdDSA: both CA and end-entity keys are Ed25519.
85 ca_new_xdsa "--key-type=ed25519" $1
89 certtool_genkey "--key-type=ed25519"
# GOST end-entity key, produced by the gogost helper instead of certtool.
# NOTE(review): presumably -only-key makes it emit just the private key and the
# -cn value is a throwaway, as its text suggests -- confirm against the tool.
93 cer-selfsigned-example -cn does-not-matter -ai 256A -only-key
# Issue (or re-issue) an end-entity certificate signed by CA $ca.
# The same trap caveat applies as elsewhere in this script: the double-quoted
# string is expanded now and parsed again when the trap fires, and rm -f only
# unlinks the files.
# $cakey is a temporary file that receives the *decrypted* CA private key (REPLY
# is copied into it through mapfile) so certtool can read it via
# --load-ca-privkey; the CA key therefore exists in plaintext on disk for the
# duration of the run. TODO confirm the temp file's location and mode.
# NOTE(review): the end-entity template below hard-codes c=RU, while the CA
# template uses $COUNTRY; the two diverge if COUNTRY is set to anything else.
# End-entity certificates are valid for 365 days.
104 trap "rm -f $cakey $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
106 mapfile[$cakey]=$REPLY
107 key_get ee/$algo/$ca/$domain
110 dn = "cn=$domain,c=RU"
111 expiration_days = 365
116 --load-ca-certificate ca/$algo/$ca/cer.pem \
117 --load-ca-privkey $cakey \
118 --generate-certificate \
119 --load-privkey $key \
# Thin per-algorithm entry points that select the directory name used under
# ca/ and ee/ (function headers not visible in this excerpt).
124 ee_renew_xdsa ecdsa "$1" "$2"
128 ee_renew_xdsa eddsa "$1" "$2"
# GOST variant of end-entity issuance, using the gogost helper rather than
# certtool. As in the other trap lines, the double-quoted string is expanded
# when the trap is set and parsed again when it fires, and rm -f does not
# overwrite the plaintext key material.
137 trap "rm -f $cakey $key $cert" HUP PIPE INT QUIT TERM EXIT
# $cakey first receives the decrypted CA private key from REPLY, then the CA
# certificate is appended, so the temporary file holds key and certificate
# together while the helper runs.
139 mapfile[$cakey]=$REPLY
141 cat >> $cakey < ca/gost/$ca/cer.pem
142 key_get ee/gost/$ca/$domain
144 cer-selfsigned-example \
147 -cn $domain -country $COUNTRY -ai 256A
# NOTE(review): the following trap/command/reply lines look like the GOST CA
# generation path (no $cakey involved); the function header is not visible.
154 trap "rm -f $key $cert" HUP PIPE INT QUIT TERM EXIT
155 cer-selfsigned-example \
# Unquoted expansions: an empty key file would be dropped from the array and
# shift the certificate into reply[1].
162 reply=(${mapfile[$key]} ${mapfile[$cert]})
# Body of one of the dane_<algo> helpers dispatched by the `dane` command: it
# prints certtool's SHA-256 key ID for the certificate supplied on stdin.
# NOTE(review): confirm this value matches the TLSA selector/matching type
# actually published in DNS.
166 certtool --key-id --hash=sha256
# Command dispatch (the case labels are not visible in this excerpt).
# $algo, $ca and $domain originate from the command line and are used both in
# filesystem paths (ca/..., ee/$algo/$ca/$domain) and in function names
# (ca_new_${algo}, ee_renew_${algo}). No validation is visible here, so a value
# containing "/" or ".." would address paths outside the intended tree, and an
# unknown algorithm only fails as "command not found".
# NOTE(review): confirm whether validation happens in the lines not shown.
#
# ca ALGO NAME: create a new CA keypair. The guard checks key.pem only, so a CA
# whose key exists solely as key.pem.enc would not be detected as existing.
179 [[ $# -eq 3 ]] || usage
184 [[ -s $dst/key.pem ]] && {
185 print $dst/key.pem already exists >&2
188 ca_new_${algo} $domain
191 mapfile[${dst}/key.pem]=${reply[1]}
193 mapfile[${dst}/cer.pem]=${reply[2]}
# encrypt KEY: write an age-encrypted copy next to the plaintext key. The
# redirection creates/truncates $key.enc before key_encrypt runs, so a failed
# run leaves an empty or partial .enc file. Removal of the plaintext key is not
# visible in this excerpt; if it happens, it should depend on success here.
197 [[ $# -eq 2 ]] || usage
200 print no $key found >&2
204 key_encrypt < $key > $key.enc
# new KEY: generate an end-entity key and its first certificate. As with the
# CA guard, only key.pem is checked. The private key is created by plain
# redirection, so its mode follows the current umask -- TODO confirm a
# restrictive umask is set in the lines not shown.
208 [[ $# -eq 2 ]] || usage
213 dst=ee/$algo/$ca/$domain
216 [[ -s $dst/key.pem ]] && {
217 print $dst/key.pem already exists >&2
222 ee_key_new_${algo} > $dst/key.pem
224 ee_renew_${algo} $ca $domain > $dst/cer.pem
# renew KEY: re-issue the certificate in place. The redirection truncates the
# existing cer.pem before signing starts, so a failed run leaves it empty.
227 [[ $# -eq 2 ]] || usage
232 ee_renew_${algo} $ca $domain > ee/$algo/$ca/$domain/cer.pem
# dane KEY: ${(s:/:)2} splits the KEY path on "/" and [2] picks its second
# component (the algorithm in ee/ALGO/CA/DOMAIN) to select the dane_ALGO helper.
235 [[ $# -eq 2 ]] || usage
236 dane_${${(s:/:)2}[2]} < $2/cer.pem
# keypair KEY: only the argument-count check is visible in this excerpt.
239 [[ $# -eq 2 ]] || usage
# rem: print one reminder line per certificate found below the current
# directory, warning 30 days ahead of expiry.
# NOTE(review): the "REM <date> +30 MSG <text>" output looks like remind(1)
# syntax -- confirm the intended consumer.
# Load only the strftime builtin from zsh/datetime.
245 zmodload -F zsh/datetime b:strftime
247 for cer (**/cer.pem) {
# Scan certtool's textual dump and stop at the first "Not After:" line, leaving
# it in $line. read is used without -r and with the default IFS, so leading
# whitespace is stripped, which is what lets the ^ anchor match.
248 certtool --certificate-info < $cer | while read line ; do
249 [[ $line =~ "^Not After: .*" ]] && break
252 # Not After: Sat Jul 02 10:02:29 UTC 2022
# cols[4,-1] drops the first three words ("Not", "After:", weekday) and the
# remainder is joined with spaces. strftime -r parses that string into an epoch
# value (ts_ugly), which is then formatted as YYYY-MM-DD (ts_good).
# NOTE(review): %b parsing is locale-dependent and "UTC" is matched as literal
# text, so the result presumably depends on the local locale/timezone -- verify.
254 strftime -s ts_ugly -r "%b %d %H:%M:%S UTC %Y" ${(j: :)cols[4,-1]}
255 strftime -s ts_good %F $ts_ugly
256 print REM $ts_good +30 MSG $cer
# list / list-ca: print matching entries one per line; the (/on) glob
# qualifiers restrict matches to directories and sort them by name.
259 (list) print -C1 ee/*/*/*(/on) ;;
260 (list-ca) print -C1 ca/*/*(/on) ;;