commit 819cc613df6ec263b6aed13ab426ded2749ac46c
parent f0e48b15d39467d081e26442037e9a907f3cdd0e
Author: Hayden Hamilton <hayden@hhvn.uk>
Date: Sun, 24 May 2026 21:28:17 +0100
Add ed25519 capability to dkim/ scripts
Diffstat:
| M | dkim/mkcert | | | 71 | +++++++++++++++++++++++++++++++++++++++++++---------------------------- |
| M | dkim/rmcert | | | 16 | ++++++++++++---- |
2 files changed, 55 insertions(+), 32 deletions(-)
diff --git a/dkim/mkcert b/dkim/mkcert
@@ -1,24 +1,30 @@
#!/bin/rc
# This script generates and stores DKIM keypair, using the correct user
-# It outputs all paths generated in the following order:
+# It outputs all paths generated in the following order for each algorithm:
# - privkey
-# - pubkey
# - txt record to be used in dns
#
# Example/intended usage:
# dkimfiles = `$nl{dkim/mkcert <selector>}
-# privkey = $dkimfiles(1)
-# txtfile = $dkimfiles(2)
-#
-# There is no real need for the pubkey to be stored as its own file.
+# rsakey = $dkimfiles(1)
+# rsatxt = $dkimfiles(2)
+# edkey = $dkimfiles(3)
+# edtxt = $dkimfiles(4)
+
+dir = /etc/mail/dkim
+user =_dkimsign_
+selector = $1
+ed = ed25519
+rsaprivkey = $dir/$selector.rsa.priv.key
+rsapubkey = $dir/$selector.rsa.pub.key
+rsatxt = $dir/$selector.rsa.txt
+edprivkey = $dir/$selector.$ed.priv.key
+edpubkey = $dir/$selector.$ed.pub.key
+edtxt = $dir/$selector.$ed.txt
-dir = /etc/mail/dkim
-user =_dkimsign_
-selector = $1
-privkey = $dir/$selector.priv.key
-pubkey = $dir/$selector.pub.key
-txt = $dir/$selector.txt
+files = ( $rsaprivkey $rsapubkey $rsatxt \
+ $edprivkey $edpubkey $edtxt )
fn err {
echo $* >[1=2]
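Review bot: The rewritten header lists the printed paths but says nothing about the two pub.key files the script also creates (`$rsapubkey`, `$edpubkey`) and does not print; further down this file the RSA one is the PEM from `openssl rsa -pubout` while the ed25519 one is the base64 of the raw key, so a reader of the listed outputs would not guess the formats differ. I would add after the usage example: `# The *.pub.key files appear to be intermediates and are not printed: rsa is PEM, ed25519 is the base64 raw key.` Separately, `user =_dkimsign_` here differs from `user = _dkimsign` in dkim/rmcert's context lines; one of them is presumably a typo, and whichever script feeds the wrong name to `as` will run as the wrong user.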
@@ -38,9 +44,9 @@ fn mustsucceed {
}
fn cleanupfailed {
- as rm $privkey
- as rm $pubkey
- as rm $txt
+ for (f in $files) {
+ as rm $f [2]>/dev/null
+ }
}
fn as {
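Review bot: `as rm $f [2]>/dev/null` in cleanupfailed does not look like rc redirection syntax: this file writes its stderr redirect as `>[1=2]` in err, and the stderr-to-file form is `>[2]/dev/null`. As written, `[2]` is most likely handed to rm as a second path and only stdout is discarded, so the failure path prints an error for the nonexistent `[2]` on every iteration and the removal errors it meant to silence are still shown. Change the line to `as rm $f >[2]/dev/null`.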
@@ -52,21 +58,30 @@ if (!~ $#* 1) {
exit 2
}
-
-as test -e $privkey && die $privkey already exists
-as test -e $pubkey && die $pubkey already exists
-as test -e $txt && die $txt already exists
+for (f in $files) {
+ as test -e $f && die $f already exists
+}
mustsucceed as mkdir -p $dir
-mustsucceed as openssl genrsa -out $privkey
-mustsucceed as openssl rsa -in $privkey -pubout | \
- mustsucceed as tee $pubkey >/dev/null
-mustsucceed as cat $pubkey | \
+# RSA
+mustsucceed as openssl genrsa -out $rsaprivkey
+mustsucceed as openssl rsa -in $rsaprivkey -pubout | \
+ mustsucceed as tee $rsapubkey >/dev/null
+mustsucceed as cat $rsapubkey | \
mustsucceed as sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;' | \
- mustsucceed as tee $txt >/dev/null
+ mustsucceed as tee $rsatxt >/dev/null
+
+# ED25519
+mustsucceed as openssl genpkey -algorithm $ed -out $edprivkey
+mustsucceed as openssl pkey -outform DER -pubout -in $edprivkey | \
+ mustsucceed tail -c +13 | mustsucceed openssl base64 | \
+ mustsucceed as tee $edpubkey >/dev/null
+mustsucceed printf 'v=DKIM1;k=%s;p=%s\n' $ed `$nl{mustsucceed as cat $edpubkey} | \
+ mustsucceed as tee $edtxt >/dev/null
-err 'Paths generated (privkey, pubkey, txt dns record):'
-echo $privkey
-echo $pubkey
-echo $txt
+err 'Paths generated (rsa privkey, rsa dns record, ed25519 privkey, ed25519 dns record):'
+echo $rsaprivkey
+echo $rsatxt
+echo $edprivkey
+echo $edtxt
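Review bot: `tail -c +13` on the DER output of `openssl pkey -pubout` is an unexplained magic number; it skips the fixed 12-byte SubjectPublicKeyInfo header so that only the raw 32-byte Ed25519 key is base64-encoded, which is what the `p=` value of a `k=ed25519` DKIM record carries, but nothing in the hunk says so. I would put `# DER SPKI for ed25519 is a fixed 12-byte header + 32-byte raw key; DKIM wants base64 of the raw key only` above that pipeline. The `tail` and `openssl base64` steps in it run without `as` while every other command uses it; harmless for pure stream filters, but a one-word comment would make that deliberate. Nothing in this hunk restricts the mode of `$edprivkey` (or `$rsaprivkey`) after `openssl genpkey -out` / `genrsa -out`, so the private key files get whatever the umask of the `as` user yields; if the rest of the script does not tighten it, the header should state that expectation.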
diff --git a/dkim/rmcert b/dkim/rmcert
@@ -5,10 +5,18 @@
dir = /etc/mail/dkim
user = _dkimsign
selector = $1
-privkey = $dir/$selector.priv.key
+ed = ed25519
+rsaprivkey = $dir/$selector.priv.key
pubkey = $dir/$selector.pub.key
txt = $dir/$selector.txt
+files = ( $dir/$selector.rsa.priv.key \
+ $dir/$selector.rsa.pub.key \
+ $dir/$selector.rsa.txt \
+ $dir/$selector.$ed.priv.key \
+ $dir/$selector.$ed.pub.key \
+ $dir/$selector.$ed.txt )
+
fn err {
echo $* >[1=2]
}
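Review bot: `rsaprivkey = $dir/$selector.priv.key` keeps the pre-rename path even though dkim/mkcert now writes `$selector.rsa.priv.key`, and neither it nor `pubkey`/`txt` is referenced by the new `files` list, so as far as this hunk shows the three assignments are dead after the change. If they are meant to cover selectors created before this commit (old layout `$selector.priv.key`, `.pub.key`, `.txt`), add them to the list, `files = ( $rsaprivkey $pubkey $txt $dir/$selector.rsa.priv.key \` and so on, so rmcert can still clean those up; otherwise drop the three assignments. The second hunk of this file replaces the only former uses visible here, but the rest of rmcert is outside this diff.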
@@ -32,9 +40,9 @@ if (!~ $#* 1) {
exit 2
}
-removeif-e $privkey
-removeif-e $pubkey
-removeif-e $txt
+for (f in $files) {
+ removeif-e $f
+}
if (~ $removed () && ~ $failed ()) {
err no such selector: $selector