added: renew command

2023-02-22 14:56:01 +01:00 · 2023-02-22 14:56:01 +01:00 · e3b920fcd5
commit e3b920fcd5
parent 02fbc55d93
1 changed files with 35 additions and 1 deletions
--- a/server/src/api.rs
+++ b/server/src/api.rs
@ -18,7 +18,7 @@ use jwt_compact::alg::{Hs256, Hs256Key};
 use jwt_compact::{AlgorithmExt, Token, UntrustedToken};
 use rand::{thread_rng, Rng};
 use serde::{Deserialize, Serialize};
-use ssh_key::{Certificate, PublicKey};
+use ssh_key::{Certificate, Fingerprint, PublicKey};
 use tokio::sync::Mutex;
 use tower::ServiceBuilder;
 use tower_http::{trace::TraceLayer, ServiceBuilderExt};
@ -255,19 +255,53 @@ async fn get_certs_identifier(
 struct CertInfo {
    principals: Vec<String>,
    ca: PublicKey,
+    ca_hash: Fingerprint,
    identity: PublicKey,
+    identity_hash: Fingerprint,
    key_id: String,
    expiry: SystemTime,
+    renew_command: String,
 }

 impl From<&Certificate> for CertInfo {
    fn from(cert: &Certificate) -> Self {
+        let validity = cert
+            .valid_after_time()
+            .duration_since(cert.valid_before_time())
+            .unwrap();
+        let validity_days = validity.as_secs() / ((60 * 60) * 24);
+        let host_key = if cert.cert_type().is_host() {
+            " -h"
+        } else {
+            ""
+        };
+        let opts = cert
+            .critical_options()
+            .iter()
+            .map(|(opt, val)| {
+                if val.is_empty() {
+                    opt.clone()
+                } else {
+                    format!("{opt}={val}")
+                }
+            })
+            .map(|arg| format!("-O {arg}"))
+            .collect::<Vec<_>>()
+            .join(" ");
+        let renew_command = format!(
+            "ssh-keygen -s ./ca_key {host_key} -I {} -n {} -V {validity_days}d {opts}",
+            cert.key_id(),
+            cert.valid_principals().join(",")
+        );
        CertInfo {
            principals: cert.valid_principals().to_vec(),
            ca: cert.signature_key().clone().into(),
+            ca_hash: cert.signature_key().fingerprint(ssh_key::HashAlg::Sha256),
            identity: cert.public_key().clone().into(),
+            identity_hash: cert.public_key().fingerprint(ssh_key::HashAlg::Sha256),
            key_id: cert.key_id().to_string(),
            expiry: cert.valid_before_time(),
+            renew_command,
        }
    }
 }