[darcs-users] Re: openssl keys

Adam Megacz adam at megacz.com
Sun Mar 14 23:51:28 UTC 2004

David Roundy <droundy at abridgegame.org> writes:
>>   (while true; do echo; done) | \
>>   openssl req -new -key ~/.ssh/id_dsa -outform PEM -days 365 | \
>>   openssl x509 -req -extensions v3_ca -signkey ~/.ssh/id_dsa -outform PEM -days 365 2>/dev/null | \
>>   openssl x509 -outform PEM

> Is there any way to do this without pipes, or with fewer pipes?

You could use temp files instead, but that's sort of a kludge...  I
actually tried to avoid them as much as possible; the only problem is
that certificates have to come from files (since stdin is occupied
with the content being signed/verified).

> I guess most of the pain isn't from the piping, but from the fact
> that I need to call openssl four times to verify the signature and
> four times to create the signature.

Sorry, not much of a way around that.  It runs lightning-fast, so
performance really shouldn't be a concern.

> I've implemented this, but not tested it, so I'd definitely appreciate
> testing (probably easiest done by saving the patch bundles to a file).  The
> flags are --verify-ssl=~/.ssh/authorized_keys and
> --sign-ssl=~/.ssh/id_{r,d}sa.  It's not really documented yet, since it
> took a lot longer than I expected to implement, and now I'm tired of
> working on it.  The changes should be in the darcs repo in an hour or so,
> and then you can grab it.

Sweet!  I'll do that right now.  Thanks a bunch for doing this.

  - a

"It's lucky," he added, after a pause, "that there are such a lot of
islands in the world.  I almost envy you, Mr. Watson."

                                                   -- Mustapha Mond

