author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 15:40:12 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 15:40:12 +0200 |
commit | d2ddf22d53fdc0c6da0566d68092fc433bf28d25 (patch) | |
tree | 8312c1b05dc229d8ed8002ef96e212e47ef7ae4a | |
parent | b3ca9b22c47b1369ac5bb2fa946b84247c4b81ff (diff) |
gencerts: base64-encode the SHA256 digests.
Also, include the backup pins in the .asc.
-rwxr-xr-x | certs/gencerts.sh | 40 |
1 files changed, 28 insertions, 12 deletions
diff --git a/certs/gencerts.sh b/certs/gencerts.sh
index f20bba5..18dc100 100755
--- a/certs/gencerts.sh
+++ b/certs/gencerts.sh
@@ -1,67 +1,83 @@ #!/bin/sh set -ue PATH=/usr/bin:/bin if [ -n "${GNUPGBIN:-}" ]; then GPG="$GNUPGBIN" elif [ -x /usr/bin/gpg2 ]; then GPG=/usr/bin/gpg2 else GPG=gpg fi GPG_OPTS='--no-auto-check-trustdb --batch --no-verbose --yes' usage() { echo "Usage: $0 /path/to/certs.asc" >&2 exit 1 } x509fpr() { - local msg="$1" host cert h spki + local msg="$1" host pub h spki host="${msg%%,*}"; host="${host%% *}"; host="${host#\`}" - cert="$DIR/${host%%:*}.pub" - spki=$(openssl pkey -pubin -outform DER <"$cert" | openssl dgst -sha256 | sed -nr 's/^[^=]+=\s*//p') + pub="$DIR/${host%%:*}.pub" + spki=$(openssl pkey -pubin -outform DER <"$pub" | openssl dgst -sha256 | sed -nr 's/^[^=]+=\s*//p') [ "$typ" = mdwn ] && printf '\n [%s](https://crt.sh/?spkisha256=%s&iCAID=16418&exclude=expired)\n\n' "$msg" "$spki" \ || printf ' %s\n X.509: https://crt.sh/?spkisha256=%s&iCAID=16418&exclude=expired\n SPKI:\n' \ - "$( echo "$msg" | tr -d '`' )" "$spki" + "$(printf '%s' "$msg" | tr -d '`' )" "$spki" for h in sha1 sha256; do - [ "$typ" = mdwn ] || echo -n ' ' - echo -n "$h" | tr '[a-z]' '[A-Z]' - for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done - openssl pkey -pubin -outform DER <"$cert" | openssl dgst -"$h" -c | sed -nr 's/^[^=]+=\s*//p' - done | sed -r "s/(\S+)(.*)/$indent\1\U\2/" + x509fpr2 "$h" "$pub" + done + + local backup=$(find "$DIR" -maxdepth 1 -type f -name "${host%%:*}.pub.back*") + if [ "$backup" -a "$typ" != mdwn ]; then + echo " Backup SPKI:" + for pub in $backup; do + x509fpr2 "$h" "$pub" + done + fi +} +x509fpr2() { + local h="$1" pub="$2" str dgst + + [ "$typ" = mdwn ] && str= || str=' ' + str="$str$(printf '%-6s' "$h" | tr '[a-z]' '[A-Z]')" + dgst="$(openssl pkey -pubin -outform DER <"$pub" | openssl dgst -"$h" -binary | base64)" + hd=$(printf '%s' "$dgst" | base64 -d | xxd -c256 -p | tr '[a-f]' '[A-F]' | sed -e 's/../&:/g' -e 's/:$//') + if [ $((${#indent} + ${#str} + 1 + ${#hd})) -le 72 ]; then + printf '%s %s\n' "$indent$str" "$hd" + else + printf '%s %s\n' 
"$indent$str" "$dgst" + fi } sshfpr() { local msg="$1" host t h fpr host="${msg%%,*}"; host="${host%% *}"; host="${host#*@}"; host="${host#\`}"; host="${host%\`}" [ "$typ" = mdwn ] && { echo; echo " $msg"; echo; } || { echo " $msg" | tr -d '`'; } [ "${host#*:}" != 22 ] || host="${host%%:*}" for h in MD5 SHA256; do ssh-keygen -E "$h" -f "$DIR/../ssh_known_hosts" -lF "${host#*@}" done | sed -nr 's/^[^ #]+\s+//p' | sed -r 's/^(\S+)\s+(MD5|SHA256):/\1 \2 /' | while read t h fpr; do - echo -n "$indent$t" - for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done - echo "$h:$fpr" + printf '%s %6s:%s\n' "$indent$t" "$h" "$fpr" done } allfpr() { local typ="$1" [ "$typ" = mdwn ] && indent=' ' || indent=' ' cat <<- EOF * IMAP server $(x509fpr '`imap.fripost.org:993` (IMAP over SSL), `sieve.fripost.org:4190` (ManageSieve, `STARTTLS`)') * SMTP servers $(x509fpr '`smtp.fripost.org:587` (Mail Submission Agent, `STARTTLS`)') $(x509fpr '`mx1.fripost.org:25` (1st Mail eXchange, `STARTTLS`)') $(x509fpr '`mx2.fripost.org:25` (2nd Mail eXchange, `STARTTLS`)') * Web servers $(x509fpr '`fripost.org:443` (website), `wiki.fripost.org:443` (wiki)') |