usage() {
cat >&2 <<EOF
Usage:
- \$ $ZSH_ARGZERO:t ca [ecdsa|gost] NAME -- new CA keypair
- \$ $ZSH_ARGZERO:t list-ca -- list CA keypairs
- \$ $ZSH_ARGZERO:t list -- list EE ones
- \$ $ZSH_ARGZERO:t rem -- list certificate expirations
- \$ $ZSH_ARGZERO:t new KEY -- new EE
- \$ $ZSH_ARGZERO:t renew KEY -- renew EE
- \$ $ZSH_ARGZERO:t dane KEY -- show DANE SHA256 hash
- \$ $ZSH_ARGZERO:t encrypt KEY -- encrypt private key
- \$ $ZSH_ARGZERO:t keypair KEY -- PEM-encoded full keypair
+ \$ $ZSH_ARGZERO:t ca [ecdsa|gost|eddsa] NAME -- new CA keypair
+ \$ $ZSH_ARGZERO:t list-ca -- list CA keypairs
+ \$ $ZSH_ARGZERO:t list -- list EE ones
+ \$ $ZSH_ARGZERO:t rem -- list certificate expirations
+ \$ $ZSH_ARGZERO:t new KEY -- new EE
+ \$ $ZSH_ARGZERO:t renew KEY -- renew EE
+ \$ $ZSH_ARGZERO:t dane KEY -- show DANE SHA256 hash
+ \$ $ZSH_ARGZERO:t encrypt KEY -- encrypt private key
+ \$ $ZSH_ARGZERO:t keypair KEY -- PEM-encoded full keypair
EOF
exit 1
}
}
certtool_genkey() {
- certtool --generate-privkey --ecc --bits $1 --no-text
+ certtool --generate-privkey ${=1} --no-text
}
-ca_new_ecdsa() {
- local domain=$1
+ca_new_xdsa() {
+ local keytype=$1
+ local domain=$2
local key=`mktemp`
local tmpl=`mktemp`
local cert=`mktemp`
ca
cert_signing_key
EOF
- certtool_genkey 512 > $key
+ certtool_genkey "$keytype" > $key
certtool \
--generate-self-signed \
--load-privkey $key \
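Review bot: `certtool_genkey` now depends on zsh's `${=1}` to word-split a single string such as `--key-type=ecdsa --bits 512` into separate certtool arguments, and nothing in the hunk says so; a reader coming from bash will read it as a typo and "fix" it back to `$1`, which would pass the whole string as one unknown option. I would comment the line: `# ${=1}: zsh word-splits the option string into argv words (no globbing; that would need ${~1})`. The same applies to `ca_new_xdsa`'s new first parameter, whose header comment should state that `keytype` is a certtool option string, not a bare algorithm name, since `ee_renew_xdsa` later in the file uses the bare name for the same concept. Note also that `--key-type=ed25519` needs a certtool built with Ed25519 support (GnuTLS 3.6 or later, as far as I recall); an older build fails only at key generation, so a comment on the requirement, or a version check, would save the next person some debugging.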
reply=(${mapfile[$key]} ${mapfile[$cert]})
}
+ca_new_ecdsa() {
+ ca_new_xdsa "--key-type=ecdsa --bits 512" $1
+}
+
ee_key_new_ecdsa() {
- certtool_genkey 256
+ certtool_genkey "--key-type=ecdsa --bits 256"
+}
+
+ca_new_eddsa() {
+ ca_new_xdsa "--key-type=ed25519" $1
+}
+
+ee_key_new_eddsa() {
+ certtool_genkey "--key-type=ed25519"
}
ee_key_new_gost() {
cert-selfsigned-example.py --cn does-not-matter --ai 256A --only-key
}
-ee_renew_ecdsa() {
- local ca=$1
- local domain=$2
+ee_renew_xdsa() {
+ local algo=$1
+ local ca=$2
+ local domain=$3
local cakey=`mktemp`
local key=`mktemp`
local tmpl=`mktemp`
local cert=`mktemp`
trap "rm -f $cakey $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
- key_get ca/ecdsa/$ca
+ key_get ca/$algo/$ca
mapfile[$cakey]=$REPLY
- key_get ee/ecdsa/$ca/$domain
+ key_get ee/$algo/$ca/$domain
mapfile[$key]=$REPLY
cat > $tmpl <<EOF
dn = "cn=$domain,c=RU"
dns_name = "$domain"
EOF
certtool \
- --load-ca-certificate ca/ecdsa/$ca/cer.pem \
+ --load-ca-certificate ca/$algo/$ca/cer.pem \
--load-ca-privkey $cakey \
--generate-certificate \
--load-privkey $key \
--template $tmpl
}
+ee_renew_ecdsa() {
+ ee_renew_xdsa ecdsa "$1" "$2"
+}
+
+ee_renew_eddsa() {
+ ee_renew_xdsa eddsa "$1" "$2"
+}
+
ee_renew_gost() {
local ca=$1
local domain=$2
certtool --key-id --hash=sha256
}
+dane_eddsa() {
+ dane_ecdsa
+}
+
dane_gost() {
cert-dane-hash.py
}
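Review bot: `dane_eddsa` calls `dane_ecdsa` without forwarding its arguments; in zsh a called function gets its own positional parameters, so if `dane_ecdsa` reads `$1` (the KEY shown in the usage text for `dane KEY`) the eddsa path silently loses it, whereas `dane_ecdsa "$@"` keeps both paths in step whether it reads argv or stdin. `dane_ecdsa` itself is outside this hunk, so this is inferred from the usage line, not seen. The new wrappers are also quoted inconsistently: `ee_renew_ecdsa`/`ee_renew_eddsa` pass `"$1" "$2"` while `ca_new_ecdsa`/`ca_new_eddsa` pass a bare `$1`; zsh does not split unquoted parameters by default, so it is harmless today, but `ca_new_xdsa "--key-type=ed25519" "$1"` matches the sibling style and survives a future `setopt SH_WORD_SPLIT`. Finally, `--bits 512` in `ca_new_ecdsa` does not name a curve; as far as I know certtool picks the smallest supported curve of at least that size (secp521r1 here), so `--curve=secp521r1` would state the CA's curve explicitly rather than by rounding — worth confirming against the installed certtool before changing.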