From 9692d409658ce552ab3e0d9f41aadca1c7bcb407 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 28 Jun 2014 22:37:14 +0200
Subject: Make genkeypair.sh able to display TXT record for DKIM signatures.

---
 roles/common/files/usr/local/bin/genkeypair.sh | 82 ++++++++++++++++++--------
 1 file changed, 56 insertions(+), 26 deletions(-)

(limited to 'roles/common/files/usr')

diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 6c75fa4..16f9658 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 
-# Generate self-signed server certificates.  Inspired from
-# make-ssl-cert(8).
-# XXX: add support for DKIM and OpenSSH
+# Wrapper around openssl to generate self-signed X.509 server
+# certificates or Certificate Signing Requests, or DKIM private keys.
+# Inspired from make-ssl-cert(8) and opendkim-genkey(8).
 #
 # Copyright © 2014 Guilhem Moulin <guilhem@fripost.org>
 #
@@ -28,7 +28,6 @@ bits=
 hash=
 
 force=
-x509=-x509
 config=
 pubkey=pubkey.pem
 privkey=privkey.pem
@@ -36,8 +35,12 @@ dns=
 
 usage() {
     cat >&2 <<- EOF
-		Usage: $0 [OPTIONS]
-		Generate self-signed server certificates
+		Usage: $0 command [OPTIONS]
+
+		Command:
+		    x509:       generate a self-signed X.509 server certificate
+		    csr:        generate a Certificate Signing Request
+		    dkim:       generate a DKIM private key
 
 		Options:
 		    -t type:    key type (default: rsa)
@@ -45,7 +48,6 @@ usage() {
 		    -h digest:  digest algorithm
 		    --dns CN:   common name (default: \$(hostname --fqdn); can be repeated
 		    -f force:   overwrite key files if they exist
-		    --csr:      generate a Certificate Signing Request instead
 		    --config:   configuration file
 		    --pubkey:   public key file (default: pubkey.pem)
 		    --privkey:  private key file (default: privkey.pem; created with og-rwx)
@@ -57,6 +59,13 @@ usage() {
 	EOF
 }
 
+[ $# -gt 0 ] || { usage; exit 2; }
+cmd="$1"; shift
+case "$cmd" in
+    x509|csr|dkim) ;;
+    *) echo "Unrecognized command: $cmd" >&2; exit 2
+esac
+
 while [ $# -gt 0 ]; do
     case "$1" in
         -t) shift; type="$1";;
@@ -73,7 +82,6 @@ while [ $# -gt 0 ]; do
         --pubkey=?*) pubkey="${1#--pubkey=}";;
         --privkey=?*) privkey="${1#--privkey=}";;
 
-        --csr) x509=;;
         --dns=?*) dns="${dns:+$dns,}${1#--dns=}";;
         --config=?*) dns="${1#--config=}";;
 
@@ -98,22 +106,28 @@ case "$type" in
     *) echo "Unrecognized key type: $type" >&2; exit 2
 esac
 
-case "$hash" in
-    md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;;
-    *) echo "Invalid digest algorithm: $hash" >&2; exit 2;
-esac
+cn=
+if [ "$cmd" = x509 -o "$cmd" = csr ]; then
+    case "$hash" in
+        md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;;
+        *) echo "Invalid digest algorithm: $hash" >&2; exit 2;
+    esac
 
-[ "$dns" ] || dns="$(hostname --fqdn)"
-cn="${dns%%,*}"
-[ ${#cn} -le 64 ] || { echo "CommonName too long: $cn" >&2; exit 2; }
+    [ "$dns" ] || dns="$(hostname --fqdn)"
+    cn="${dns%%,*}"
+    [ ${#cn} -le 64 ] || { echo "CommonName too long: $cn" >&2; exit 2; }
+fi
 
-for file in "$pubkey" "$privkey"; do
-    [ -z "$force" -a -s "$file" ] || continue
-    echo "Error: File exists: $file" >&2
-    exit 1
-done
+[ -s "$privkey" -a -z "$force" ] && force=0
+if [ "$cmd" != dkim ]; then
+    for file in "$pubkey" "$privkey"; do
+        [ "$force" != 1 -a -s "$file" ] || continue
+        echo "Error: File exists: $file" >&2
+        exit 1
+    done
+fi
 
-if [ -z "$config" ]; then
+if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
     config=$(mktemp) || exit 2
     trap 'rm -f "$config"' EXIT
 
@@ -144,9 +158,25 @@ if [ -z "$config" ]; then
 	EOF
 fi
 
-# Ensure "$privkey" is created with umask 0077
-mv "$(mktemp)" "$privkey" || exit 2
-chmod og-rwx "$privkey" || exit 2
+if [ "$force" != 0 ]; then
+    # Ensure "$privkey" is created with umask 0077
+    mv "$(mktemp)" "$privkey" || exit 2
+    chmod og-rwx "$privkey" || exit 2
+    openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+fi
 
-openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
-openssl req -config "$config" -new $x509 ${hash:+-$hash} -key "$privkey" >"$pubkey" || exit 2
+if [ "$cmd" = x509 -o "$cmd" = csr ]; then
+    [ "$cmd" = x509 ] && x509=-x509 || x509=
+    openssl req -config "$config" -new $x509 ${hash:+-$hash} -key "$privkey" >"$pubkey" || exit 2
+elif [ "$cmd" = dkim ]; then
+    echo "Add the following TXT record to your DNS zone:" >&2
+    echo "${dns:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( "
+    # See https://tools.ietf.org/html/rfc4871#section-3.6.1
+    # t=s:      the "i=" domain in signature headers MUST NOT be a subdomain of "d="
+    # s=email:  limit DKIM signing to email
+    openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \
+    | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \
+    | fold -w 250 \
+    | { sed 's/.*/\t"&"/'; echo ' )'; }
+    [ "$force" != 0 ] || exit 1
+fi
-- 
cgit v1.2.3