#!/usr/bin/env zsh
# zeasypki -- easy PKI
-# Copyright (C) 2022-2023 Sergey Matveev <stargrave@stargrave.org>
+# Copyright (C) 2022-2025 Sergey Matveev <stargrave@stargrave.org>
-set -e
+setopt ERR_EXIT PIPE_FAIL
-KEY_ENCRYPT_RECIPIENT=${KEY_ENCRYPT_RECIPIENT:-12AD32689C660D426967FD75CB8205632107AD8A}
COUNTRY=${COUNTRY:-RU}
path=(
)
key_encrypt() {
- gpg --encrypt --recipient $KEY_ENCRYPT_RECIPIENT
+ cmenctool 4<~/.cm/general.pub
}
key_decrypt() {
- gpg --decrypt
+ cmenctool -d 8<~/.cm/general.prv
}
# ------------------------ >8 ------------------------
zmodload zsh/mapfile
key_get() {
- [[ -s $1/key.pem ]] &&
- REPLY=`< ${1}/key.pem` ||
- REPLY=`key_decrypt < ${1}/key.pem.enc`
+ if [[ -s $1/key.pem ]] ; then
+ REPLY=`< ${1}/key.pem`
+ else
+ REPLY=`key_decrypt <${1}/key.pem.enc`
+ fi
}
certtool_genkey() {
local tmpl=`mktemp`
local cert=`mktemp`
trap "rm -f $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
- cat > $tmpl <<EOF
+ cat >$tmpl <<EOF
dn = "cn=$domain,c=$COUNTRY"
-serial = 1
expiration_days = 3650
ca
cert_signing_key
EOF
- certtool_genkey "$keytype" > $key
+ certtool_genkey "$keytype" >$key
certtool \
--generate-self-signed \
--load-privkey $key \
mapfile[$cakey]=$REPLY
key_get ee/$algo/$ca/$domain
mapfile[$key]=$REPLY
- cat > $tmpl <<EOF
+ cat >$tmpl <<EOF
dn = "cn=$domain,c=RU"
expiration_days = 365
signing_key
trap "rm -f $cakey $key $cert" HUP PIPE INT QUIT TERM EXIT
key_get ca/gost/$ca
mapfile[$cakey]=$REPLY
- print >> $cakey
- cat >> $cakey < ca/gost/$ca/cer.pem
+ print >>$cakey
+ cat >>$cakey <ca/gost/$ca/cer.pem
key_get ee/gost/$ca/$domain
mapfile[$key]=$REPLY
cer-selfsigned-example \
-ca \
-cn $domain \
-country $COUNTRY \
- -serial 1 \
-ai 512C \
-out-key $key \
-out-cert $cert
domain=$3
dst=ca/$algo/$domain
zf_mkdir -p $dst
- [[ -s $dst/key.pem ]] && {
+ [[ ! -s $dst/key.pem ]] || {
print $dst/key.pem already exists >&2
exit 1
}
exit 1
}
umask 077
- key_encrypt < $key > $key.enc
+ key_encrypt <$key >$key.enc
rm $key
;;
(new)
dst=ee/$algo/$ca/$domain
[[ $dst = $2 ]]
zf_mkdir -p $dst
- [[ -s $dst/key.pem ]] && {
+ [[ ! -s $dst/key.pem ]] || {
print $dst/key.pem already exists >&2
exit 1
}
_umask=`umask`
umask 077
- ee_key_new_${algo} > $dst/key.pem
+ ee_key_new_${algo} >$dst/key.pem
umask $_umask
- ee_renew_${algo} $ca $domain > $dst/cer.pem
+ ee_renew_${algo} $ca $domain >$dst/cer.pem
;;
(renew)
[[ $# -eq 2 ]] || usage
algo=${cols[2]}
ca=${cols[3]}
domain=${cols[4]}
- ee_renew_${algo} $ca $domain > ee/$algo/$ca/$domain/cer.pem
+ ee_renew_${algo} $ca $domain >ee/$algo/$ca/$domain/cer.pem
;;
(dane)
[[ $# -eq 2 ]] || usage
- dane_${${(s:/:)2}[2]} < $2/cer.pem
+ dane_${${(s:/:)2}[2]} <$2/cer.pem
;;
(keypair)
[[ $# -eq 2 ]] || usage
zmodload -F zsh/datetime b:strftime
export LC_ALL=C
for cer (**/cer.pem) {
- certtool --certificate-info < $cer | while read line ; do
- [[ $line =~ "^\s*Not After: .*" ]] && break
+ certtool --certificate-info <$cer | while read line ; do
+ [[ ! $line =~ "^Not After: .*" ]] || break
done
[[ $MATCH ]]
# Not After: Sat Jul 02 10:02:29 UTC 2022