added: renew command

server/src/api.rs

@@ -18,7 +18,7 @@ use jwt_compact::alg::{Hs256, Hs256Key};
 use jwt_compact::{AlgorithmExt, Token, UntrustedToken};
 use rand::{thread_rng, Rng};
 use serde::{Deserialize, Serialize};
-use ssh_key::{Certificate, PublicKey};
+use ssh_key::{Certificate, Fingerprint, PublicKey};
 use tokio::sync::Mutex;
 use tower::ServiceBuilder;
 use tower_http::{trace::TraceLayer, ServiceBuilderExt};
@@ -255,19 +255,53 @@ async fn get_certs_identifier(
 struct CertInfo {
     principals: Vec<String>,
     ca: PublicKey,
+    ca_hash: Fingerprint,
     identity: PublicKey,
+    identity_hash: Fingerprint,
     key_id: String,
     expiry: SystemTime,
+    renew_command: String,
 }
 
 impl From<&Certificate> for CertInfo {
     fn from(cert: &Certificate) -> Self {
+        let validity = cert
+            .valid_after_time()
+            .duration_since(cert.valid_before_time())
+            .unwrap();
+        let validity_days = validity.as_secs() / ((60 * 60) * 24);
+        let host_key = if cert.cert_type().is_host() {
+            " -h"
+        } else {
+            ""
+        };
+        let opts = cert
+            .critical_options()
+            .iter()
+            .map(|(opt, val)| {
+                if val.is_empty() {
+                    opt.clone()
+                } else {
+                    format!("{opt}={val}")
+                }
+            })
+            .map(|arg| format!("-O {arg}"))
+            .collect::<Vec<_>>()
+            .join(" ");
+        let renew_command = format!(
+            "ssh-keygen -s ./ca_key {host_key} -I {} -n {} -V {validity_days}d {opts}",
+            cert.key_id(),
+            cert.valid_principals().join(",")
+        );
         CertInfo {
             principals: cert.valid_principals().to_vec(),
             ca: cert.signature_key().clone().into(),
+            ca_hash: cert.signature_key().fingerprint(ssh_key::HashAlg::Sha256),
             identity: cert.public_key().clone().into(),
+            identity_hash: cert.public_key().fingerprint(ssh_key::HashAlg::Sha256),
             key_id: cert.key_id().to_string(),
             expiry: cert.valid_before_time(),
+            renew_command,
         }
     }
 }