path: root/src/subcommands/mh/gen-key

#!/usr/bin/env bash

# Monkeysphere host gen-key subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@fifthhorseman.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008, and are all released under the GPL, version 3
# or later.

local keyType="RSA"
local keyLength="2048"
local keyUsage="auth"
local keyExpire
local revoker
local hostName=$(hostname -f)
local userID
local keyParameters
local fingerprint

# check for presense of secret key
# FIXME: is this the proper test to be doing here?
fingerprint_server_key >/dev/null \
    && failure "An OpenPGP host key already exists."

# get options
while true ; do
    case "$1" in
        -h|--hostname)
        hostName="$2"
        shift 2
        ;;
        -l|--length)
        keyLength="$2"
        shift 2
        ;;
        -e|--expire)
        keyExpire="$2"
        shift 2
        ;;
        -r|--revoker)
        revoker="$2"
        shift 2
        ;;
        *)
        if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
            failure "Unknown option '$1'.
Type '$PGRM help' for usage."
        fi
        break
        ;;
    esac
done

userID="ssh://${hostName}"

# prompt about key expiration if not specified
keyExpire=$(get_gpg_expiration "$keyExpire")

# set key parameters
keyParameters=\
"Key-Type: $keyType
Key-Length: $keyLength
Key-Usage: $keyUsage
Name-Real: $userID
Expire-Date: $keyExpire"

# add the revoker field if specified
# FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.
# FIXME: key is marked "sensitive"?  is this appropriate?
if [ "$revoker" ] ; then
    keyParameters=\
"${keyParameters}
Revoker: 1:${revoker} sensitive"
fi

echo "The following key parameters will be used for the host private key:"
echo "$keyParameters"

read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
if [ ${OK/y/Y} != 'Y' ] ; then
    failure "aborting."
fi

# add commit command
# must include blank line!
keyParameters=\
"${keyParameters}

%commit
%echo done"

log verbose "generating host key..."
echo "$keyParameters" | gpg_host --batch --gen-key

# find the key fingerprint of the newly generated key
fingerprint=$(fingerprint_server_key)

# export host ownertrust to authentication keyring
log verbose "setting ultimate owner trust for host key..."
echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"

# translate the private key to ssh format, and export to a file
# for sshs usage.
# NOTE: assumes that the primary key is the proper key to use
(umask 077 && \
    gpg_host --export-secret-key "$fingerprint" | \
    openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"

# show info about new key
show_key