author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-24 17:11:11 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-24 17:12:10 +0200 |
commit | 1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 (patch) | |
tree | 6af69fd639a051b483528b03959985ab806b2c1c /roles/common/files/usr/local/bin | |
parent | 61ee02ffb5402d93eae59001b91197957a8dcfe2 (diff) |
IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.
There is no need to bother with X.509 cruft here.
Diffstat (limited to 'roles/common/files/usr/local/bin')
-rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 45e2181..01b279a 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -47,6 +47,7 @@ usage() {
 x509: generate a self-signed X.509 server certificate
 csr: generate a Certificate Signing Request
 dkim: generate a private key (to use for DKIM signing)
+ keypair: generate a key pair
 Options:
 -t type: key type (default: rsa)
@@ -88,7 +89,7 @@ dkiminfo() {
 [ $# -gt 0 ] || { usage; exit 2; }
 cmd="$1"; shift
 case "$cmd" in
- x509|csr|dkim) ;;
+ x509|csr|dkim|keypair) ;;
 *) echo "Unrecognized command: $cmd" >&2; exit 2
 esac
@@ -201,4 +202,6 @@ elif [ "$cmd" = x509 -o "$cmd" = csr ]; then
 [ "$cmd" = x509 ] && x509=-x509 || x509=
 openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
 fi
+elif [ "$cmd" = keypair -a "$pubkey" ]; then
+ openssl pkey -pubout <"$privkey" >"$pubkey"
 fi
|
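Review bot: In the last hunk the new `keypair` branch runs `openssl pkey -pubout <"$privkey" >"$pubkey"` without the `|| exit 2` that the `openssl req` line just above it carries. Because `>"$pubkey"` truncates the target before openssl starts, a failed extraction can leave an empty or partial public-key file behind. The commit message says this raw key replaces the certificate as the IPsec authentication credential, so I would at least append `|| exit 2`, and preferably write to a temporary file that is renamed only on success. The condition `[ "$cmd" = keypair -a "$pubkey" ]` uses the obsolescent `-a` operator and silently does nothing when `$pubkey` is empty; `elif [ "$cmd" = keypair ] && [ -n "$pubkey" ]; then` is unambiguous. The if/elif chain and the option parsing that sets `$pubkey` start above this hunk, so whether an empty `$pubkey` should be reported as an error cannot be judged from here.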