#!/usr/bin/env zsh
# zeasypki -- easy PKI
-# Copyright (C) 2022-2023 Sergey Matveev <stargrave@stargrave.org>
+# Copyright (C) 2022-2024 Sergey Matveev <stargrave@stargrave.org>
-set -e
+setopt ERR_EXIT PIPE_FAIL
-KEY_ENCRYPT_RECIPIENT=${KEY_ENCRYPT_RECIPIENT:-12AD32689C660D426967FD75CB8205632107AD8A}
COUNTRY=${COUNTRY:-RU}
-# Turn on PyGOST utilities
-path=(~/local/stow/py310/bin ~/work/pygost/pygost/asn1schemas $path)
-export -TU PYTHONPATH pythonpath
-pythonpath=(~/work/pygost ~/work/pyderasn)
+path=(
+ ~/work/gogost/cmd/cer-selfsigned-example
+ ~/work/gogost/cmd/cer-dane-hash
+ $path
+)
key_encrypt() {
- gpg --encrypt --recipient $KEY_ENCRYPT_RECIPIENT
+ age -R ~/.age/general.pub
}
key_decrypt() {
- gpg --decrypt
+ age -d -i ~/.age/general.age
}
# ------------------------ >8 ------------------------
zmodload zsh/mapfile
key_get() {
- [[ -s $1/key.pem ]] &&
- REPLY=`< ${1}/key.pem` ||
+ if [[ -s $1/key.pem ]] ; then
+ REPLY=`< ${1}/key.pem`
+ else
REPLY=`key_decrypt < ${1}/key.pem.enc`
+ fi
}
certtool_genkey() {
trap "rm -f $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
cat > $tmpl <<EOF
dn = "cn=$domain,c=$COUNTRY"
-serial = 1
expiration_days = 3650
ca
cert_signing_key
}
ee_key_new_gost() {
- cert-selfsigned-example.py --cn does-not-matter --ai 256A --only-key
+ cer-selfsigned-example -cn does-not-matter -ai 256A -only-key
}
ee_renew_xdsa() {
trap "rm -f $cakey $key $cert" HUP PIPE INT QUIT TERM EXIT
key_get ca/gost/$ca
mapfile[$cakey]=$REPLY
+ print >> $cakey
cat >> $cakey < ca/gost/$ca/cer.pem
key_get ee/gost/$ca/$domain
mapfile[$key]=$REPLY
- cert-selfsigned-example.py \
- --issue-with $cakey \
- --reuse-key $key \
- --cn $domain --country $COUNTRY --ai 256A
+ cer-selfsigned-example \
+ -issue-with $cakey \
+ -reuse-key $key \
+ -cn $domain -country $COUNTRY -ai 256A
}
ca_new_gost() {
local key=`mktemp`
local cert=`mktemp`
trap "rm -f $key $cert" HUP PIPE INT QUIT TERM EXIT
- cert-selfsigned-example.py \
- --ca \
- --cn $domain \
- --country $COUNTRY \
- --serial 1 \
- --ai 512C \
- --out-key $key \
- --out-cert $cert
+ cer-selfsigned-example \
+ -ca \
+ -cn $domain \
+ -country $COUNTRY \
+ -ai 512C \
+ -out-key $key \
+ -out-cert $cert
reply=(${mapfile[$key]} ${mapfile[$cert]})
}
}
dane_gost() {
- cert-dane-hash.py
+ cer-dane-hash
}
case $1 in
domain=$3
dst=ca/$algo/$domain
zf_mkdir -p $dst
- [[ -s $dst/key.pem ]] && {
+ [[ ! -s $dst/key.pem ]] || {
print $dst/key.pem already exists >&2
exit 1
}
dst=ee/$algo/$ca/$domain
[[ $dst = $2 ]]
zf_mkdir -p $dst
- [[ -s $dst/key.pem ]] && {
+ [[ ! -s $dst/key.pem ]] || {
print $dst/key.pem already exists >&2
exit 1
}
export LC_ALL=C
for cer (**/cer.pem) {
certtool --certificate-info < $cer | while read line ; do
- [[ $line =~ "^\s*Not After: .*" ]] && break
+ [[ ! $line =~ "^Not After: .*" ]] || break
done
[[ $MATCH ]]
# Not After: Sat Jul 02 10:02:29 UTC 2022
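Review bot: With PIPE_FAIL now set at the top of this diff, the `break` on the new line 114 closes the read end of the pipe while certtool may still be writing; certtool would then die with SIGPIPE, the pipeline status becomes non-zero and ERR_EXIT aborts the whole expiry scan instead of reporting that certificate. certtool's certificate-info output is presumably small enough to fit in the pipe buffer, so this would surface only intermittently, if at all, but the failure mode is a silent exit. Capturing the output first keeps certtool's exit status independent of the early break, e.g. `info=$(certtool --certificate-info < $cer)` followed by `while read line ; do` and `done <<< $info`, which preserves the leading-whitespace stripping that the `^Not After` anchor relies on. The `for cer` loop body continues past the end of the hunk.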