import_key() {
+local sshKeyFile
local hostName
+local domain
local userID
-local fingerprint
-# check for presence of secret key
-# FIXME: is this the proper test to be doing here?
-fingerprint_host_key >/dev/null \
- && failure "An OpenPGP host key already exists."
+sshKeyFile="$1"
+hostName="$2"
-hostName=${1:-$(hostname -f)}
+# check that key file specified
+if [ -z "$sshKeyFile" ] ; then
+ failure "Must specify ssh key file to import, or specify '-' for stdin."
+fi
+
+# use the default hostname if not specified
+if [ -z "$hostName" ] ; then
+ hostName=$(hostname -f) || failure "Could not determine hostname."
+ # test that the domain is not obviously illegitimate
+ domain=${foo##*.}
+ case $domain in
+ 'local'|'localdomain')
+ failure "Host domain '$domain' is not legitimate. Aborting key import."
+ ;;
+ esac
+ # test that there are at least two parts
+ if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then
+ failure "Host name '$hostName' is not legitimate. Aborting key import."
+ fi
+fi
userID="ssh://${hostName}"
+if [ "$PROMPT" = "true" ] ; then
+ cat <<EOF
+The ssh key will be imported and an OpenPGP certificate for this host
+will be generated with the following user ID:
+ $userID
+EOF
+ read -p "Are you sure you would like to create certificate? [Y/n] " OK; OK=${OK:-Y}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "ssh key not imported."
+ fi
+else
+ log debug "importing key without prompting."
+fi
+
+
# create host home
-mkdir -p "$GNUPGHOME_HOST"
-chmod 700 "$GNUPGHOME_HOST"
+mkdir -p "${MHDATADIR}"
+mkdir -p "${GNUPGHOME_HOST}"
+chmod 700 "${GNUPGHOME_HOST}"
+
+# import ssh key to a private key
+if [ "$sshKeyFile" = '-' ] ; then
+ log verbose "importing ssh key from stdin..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+ | gpg_host --import
+else
+ log verbose "importing ssh key from file '$sshKeyFile'..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+ <"$sshKeyFile" \
+ | gpg_host --import
+fi
-log verbose "importing ssh key..."
-# translate ssh key to a private key
-PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | gpg_host --import
+# load the new host fpr into the fpr variable. this is so we can
+# create the gpg pub key file. we have to do this from the secret key
+# ring since we obviously don't have the gpg pub key file yet, since
+# that's what we're trying to produce (see below).
+load_fingerprint_secret
-# find the key fingerprint of the newly converted key
-fingerprint=$(fingerprint_host_key)
+# export to gpg public key to file
+update_gpg_pub_file
-# export public key to file
-log debug "exporting openpgp public key..."
-gpg_host --export-options export-minimal --armor --export "0x${fingerprint}!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "host key imported:"
# show info about new key
show_key