3 # Copyright (C) 2022 Sergey Matveev <stargrave@stargrave.org>
# Tool and identity defaults; each can be overridden from the environment.
# CERTTOOL is invoked as ${=CERTTOOL} (word-split), so the value may carry
# extra options besides the binary name.
7 CERTTOOL=${CERTTOOL:-certtool}
# GPG key fingerprint passed to `${=GPG} --encrypt --recipient` when a private
# key is stored as key.pem.enc; the holder of this key is who can decrypt it.
9 KEY_ENCRYPT_RECIPIENT=${KEY_ENCRYPT_RECIPIENT:-CF60E89A59231E76E2636422AE1A8109E49857EF}
# Country (C=) component of generated subject DNs, e.g. `dn = "cn=$domain,c=$COUNTRY"`.
# NOTE(review): one EE template below hard-codes `c=RU` instead of `$COUNTRY`
# (the one next to `expiration_days = 365`), so this override is not honored there.
10 COUNTRY=${COUNTRY:-RU}
# Prepend a local Python stow prefix and the pygost ASN.1 schema directory to
# $path (zsh keeps $PATH in sync). `cert-selfsigned-example.py`, which generates
# and signs the GOST keys/certificates, is resolved through this path, so those
# home-directory checkouts are effectively trusted code for this script.
13 path=(~/local/stow/py310/bin ~/work/pygost/pygost/asn1schemas $path)
# Tie the scalar PYTHONPATH to the array pythonpath (-T), keep entries unique
# (-U), and export it to child processes.
14 export -TU PYTHONPATH pythonpath
# Module search path for the helper scripts — presumably the pygost and
# pyderasn checkouts they import; confirm against cert-selfsigned-example.py.
15 pythonpath=(~/work/pygost ~/work/pyderasn)
19 ${=GPG} --encrypt --recipient $KEY_ENCRYPT_RECIPIENT
26 # ------------------------ >8 ------------------------
31 \$ $0:t ca [ecdsa|gost] NAME -- new CA keypair
32 \$ $0:t list-ca -- list CA keypairs
33 \$ $0:t list -- list EE ones
34 \$ $0:t rem -- list certificate expirations
35 \$ $0:t new KEY -- new EE
36 \$ $0:t renew KEY -- renew EE
37 \$ $0:t dane KEY -- show DANE SHA256 hash
38 \$ $0:t encrypt KEY -- encrypt private key
39 \$ $0:t keypair KEY -- PEM-encoded full keypair
# Load only the zf_mkdir builtin from the zsh/files module: a fork-free mkdir
# used when creating the ca/ and ee/ key directories.
44 zmodload -F zsh/files b:zf_mkdir
48 [[ -s $1/key.pem ]] &&
49 REPLY=`< ${1}/key.pem` ||
50 REPLY=`key_decrypt < ${1}/key.pem.enc`
55 ${=CERTTOOL} --generate-privkey --ecc --bits $bits --no-text
63 trap "rm -f $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
65 dn = "cn=$domain,c=$COUNTRY"
67 expiration_days = 3650
71 certtool_genkey 512 > $key
73 --generate-self-signed \
77 reply=(${mapfile[$key]} ${mapfile[$cert]})
86 cert-selfsigned-example.py --cn does-not-matter --ai 256A --only-key
96 trap "rm -f $cakey $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
98 mapfile[$cakey]=$REPLY
99 key_get ee/ecdsa/$ca/$domain
102 dn = "cn=$domain,c=RU"
103 expiration_days = 365
108 --load-ca-certificate ca/ecdsa/$ca/cer.pem \
109 --load-ca-privkey $cakey \
110 --generate-certificate \
111 --load-privkey $key \
122 trap "rm -f $cakey $key $cert" HUP PIPE INT QUIT TERM EXIT
124 mapfile[$cakey]=$REPLY
125 >> $cakey < ca/gost/$ca/cer.pem
126 key_get ee/gost/$ca/$domain
128 cert-selfsigned-example.py \
129 --issue-with $cakey \
131 --cn $domain --country $COUNTRY --ai 256A
139 trap "rm -f $key $cert" HUP PIPE INT QUIT TERM EXIT
140 cert-selfsigned-example.py \
148 reply=(${mapfile[$key]} ${mapfile[$cert]})
152 ${=CERTTOOL} --key-id --hash=sha256
162 [[ $# -eq 3 ]] || usage
165 local dst=ca/$algo/$domain
167 [[ -s $dst/key.pem ]] && {
168 print $dst/key.pem already exists >&2
171 ca_new_${algo} $domain
174 mapfile[${dst}/key.pem]=${reply[1]}
176 mapfile[${dst}/cer.pem]=${reply[2]}
180 [[ $# -eq 2 ]] || usage
183 print no $key found >&2
187 key_encrypt < $key > $key.enc
191 [[ $# -eq 2 ]] || usage
192 local cols=(${(s:/:)2})
193 local algo=${cols[2]}
195 local domain=${cols[4]}
196 local dst=ee/$algo/$ca/$domain
199 [[ -s $dst/key.pem ]] && {
200 print $dst/key.pem already exists >&2
205 ee_key_new_${algo} > $dst/key.pem
207 ee_renew_${algo} $ca $domain > $dst/cer.pem
210 [[ $# -eq 2 ]] || usage
211 local cols=(${(s:/:)2})
212 local algo=${cols[2]}
214 local domain=${cols[4]}
215 ee_renew_${algo} $ca $domain > ee/$algo/$ca/$domain/cer.pem
218 [[ $# -eq 2 ]] || usage
219 dane_${${(s:/:)2}[2]} < $2/cer.pem
222 [[ $# -eq 2 ]] || usage
228 setopt GLOB_STAR_SHORT
230 for cer (**/cer.pem) {
231 date_bad_format=`certtool -i < $cer |
232 perl -ne '/Not After: \w+ (\w+ \d+ \d+:\d+):\d+ UTC (\d+)/ && print "$1 $2"'`
233 date_good_format=`date -j -f "%b %d %H:%M %Y" "$date_bad_format" +"%Y-%m-%d"`
234 print REM $date_good_format +30 MSG $cer
237 (list) print -C1 ee/*/*/*(/on) ;;
238 (list-ca) print -C1 ca/*/*(/on) ;;