This is helper script for managing X.509 TLS PKI.
ECDSA keypairs are handled with GnuTLS'es certtool.
-GOST keypairs are handled with PyGOST'es utilities
-(http://www.pygost.cypherpunks.ru).
+GOST keypairs are handled with GoGOST'es utilities
+(http://www.gogost.cypherpunks.ru).
CA certificates have 10 years validity lifetime.
EE certificates have 365 days one.
EE certificates contain only domain name and a country.
-Edit zeasypki to suit your needs and working environment. Probably you
-want to change goston(), that activates PyGOST venv and key encryption
-procedures.
+Edit zeasypki to suit your needs and working environment. Probably you want
+to change path-variable setting, that points to GoGOST'es built utilities.
* Create CA keypairs:
$ mkdir mypki && cd mypki
KEY_ENCRYPT_RECIPIENT=${KEY_ENCRYPT_RECIPIENT:-12AD32689C660D426967FD75CB8205632107AD8A}
COUNTRY=${COUNTRY:-RU}
-# Turn on PyGOST utilities
-path=(~/local/stow/py310/bin ~/work/pygost/pygost/asn1schemas $path)
-export -TU PYTHONPATH pythonpath
-pythonpath=(~/work/pygost ~/work/pyderasn)
+path=(
+ ~/work/gogost/cmd/cer-selfsigned-example
+ ~/work/gogost/cmd/cer-dane-hash
+ $path
+)
key_encrypt() {
gpg --encrypt --recipient $KEY_ENCRYPT_RECIPIENT
}
ee_key_new_gost() {
- cert-selfsigned-example.py --cn does-not-matter --ai 256A --only-key
+ cer-selfsigned-example -cn does-not-matter -ai 256A -only-key
}
ee_renew_xdsa() {
trap "rm -f $cakey $key $cert" HUP PIPE INT QUIT TERM EXIT
key_get ca/gost/$ca
mapfile[$cakey]=$REPLY
+ print >> $cakey
cat >> $cakey < ca/gost/$ca/cer.pem
key_get ee/gost/$ca/$domain
mapfile[$key]=$REPLY
- cert-selfsigned-example.py \
- --issue-with $cakey \
- --reuse-key $key \
- --cn $domain --country $COUNTRY --ai 256A
+ cer-selfsigned-example \
+ -issue-with $cakey \
+ -reuse-key $key \
+ -cn $domain -country $COUNTRY -ai 256A
}
ca_new_gost() {
local key=`mktemp`
local cert=`mktemp`
trap "rm -f $key $cert" HUP PIPE INT QUIT TERM EXIT
- cert-selfsigned-example.py \
- --ca \
- --cn $domain \
- --country $COUNTRY \
- --serial 1 \
- --ai 512C \
- --out-key $key \
- --out-cert $cert
+ cer-selfsigned-example \
+ -ca \
+ -cn $domain \
+ -country $COUNTRY \
+ -serial 1 \
+ -ai 512C \
+ -out-key $key \
+ -out-cert $cert
reply=(${mapfile[$key]} ${mapfile[$cert]})
}
}
dane_gost() {
- cert-dane-hash.py
+ cer-dane-hash
}
case $1 in