import_key() {
+local sshKeyFile
local hostName
+local domain
local userID
-# check for presense of a key
-[ "$HOST_FINGERPRINT" ] && \
- failure "An OpenPGP host key already exists."
+sshKeyFile="$1"
+hostName="$2"
-hostName=${1:-$(hostname -f)}
+# check that key file specified
+if [ -z "$sshKeyFile" ] ; then
+ failure "Must specify ssh key file to import, or specify '-' for stdin."
+fi
+
+# use the default hostname if not specified
+if [ -z "$hostName" ] ; then
+ hostName=$(hostname -f) || failure "Could not determine hostname."
+ # test that the domain is not obviously illegitimate
+ domain=${foo##*.}
+ case $domain in
+ 'local'|'localdomain')
+ failure "Host domain '$domain' is not legitimate. Aborting key import."
+ ;;
+ esac
+ # test that there are at least two parts
+ if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then
+ failure "Host name '$hostName' is not legitimate. Aborting key import."
+ fi
+fi
userID="ssh://${hostName}"
+if [ "$PROMPT" = "true" ] ; then
+ cat <<EOF
+The ssh key will be imported and an OpenPGP certificate for this host
+will be generated with the following user ID:
+ $userID
+EOF
+ read -p "Are you sure you would like to create certificate? [Y/n] " OK; OK=${OK:-Y}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "ssh key not imported."
+ fi
+else
+ log debug "importing key without prompting."
+fi
+
+
# create host home
-mkdir -p "$GNUPGHOME_HOST"
-chmod 700 "$GNUPGHOME_HOST"
+mkdir -p "${MHDATADIR}"
+mkdir -p "${GNUPGHOME_HOST}"
+chmod 700 "${GNUPGHOME_HOST}"
+
+# import ssh key to a private key
+if [ "$sshKeyFile" = '-' ] ; then
+ log verbose "importing ssh key from stdin..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+ | gpg_host --import
+else
+ log verbose "importing ssh key from file '$sshKeyFile'..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+ <"$sshKeyFile" \
+ | gpg_host --import
+fi
-log verbose "importing ssh key..."
-# translate ssh key to a private key
-PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \
- gpg_host --import
+# load the new host fpr into the fpr variable. this is so we can
+# create the gpg pub key file. we have to do this from the secret key
+# ring since we obviously don't have the gpg pub key file yet, since
+# that's what we're trying to produce (see below).
+load_fingerprint_secret
-# find the key fingerprint of the newly converted key
-HOST_FINGERPRINT=$(get_host_fingerprint)
-export HOST_FINGERPRINT
+# export to gpg public key to file
+update_gpg_pub_file
-# export public key to file
-gpg_host_export_to_ssh_file
+log info "host key imported:"
# show info about new key
show_key