drop long-deprecated gpgsm-gencert.sh

* tools/gpgsm-gencert.sh: remove deprecated script entirely. It is fully replaced by gpgsm --gen-key * doc/tools.texi: remove gpgsm-gencert.sh documentation * .gitignore: no longer ignore gpgsm-gencert.sh manpage * doc/Makefile.am: quit making the manpage * tools/Makefile.am: quit distributing the script * doc/howto-create-a-server-cert.texi: overhaul documentation to use gpgsm --gen-key and tweak explanations -- The commit deprecating gpgsm-gencert.sh (81972ca7d53ff1996e0086702a09d4405bdc2a7e) dates back exactly 6 years. https://codesearch.debian.net/results/gpgsm-gencert.sh suggests that in all of debian it is only referenced in documentation (for poldi and scute) and example files (libept), and isn't actually used directly anywhere. Furthermore, trying to use gpgsm-gencert.sh to make a simple webserver certificate-signing request failed for me, following the examples in doc/howto-create-a-server-cert.texi exactly. It's time we ripped off this band-aid :) Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2024-12-22 10:19:57 +01:00 · 2015-07-02 15:10:49 -04:00 · 2015-07-02 15:10:49 -04:00 · 1be2cebf7f
commit 1be2cebf7f
parent 3502b3cc0f
7 changed files with 85 additions and 339 deletions
--- a/.gitignore
+++ b/.gitignore
@ -67,7 +67,6 @@ doc/gpg-zip.1
 doc/gpg2.1
 doc/gpgconf.1
 doc/gpgparsemail.1
 doc/gpgsm-gencert.sh.1
 doc/gpgsm.1
 doc/gpgv2.1
 doc/scdaemon.1
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 Noteworthy changes in version 2.1.7 (unreleased)
 ------------------------------------------------
 * dropped deprecated gpgsm-gencert.sh
 Noteworthy changes in version 2.1.6 (2015-07-01)
 ------------------------------------------------
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -71,7 +71,7 @@ myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
 myman_pages   = gpg2.1 gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 gpgv2.1 \
                watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
 		gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 \
-		gpgsm-gencert.sh.1 applygnupgdefaults.8 gpg-zip.1 \
+		applygnupgdefaults.8 gpg-zip.1 \
 		dirmngr-client.1
 man_MANS = $(myman_pages) gnupg.7
--- a/doc/howto-create-a-server-cert.texi
+++ b/doc/howto-create-a-server-cert.texi
@ -7,18 +7,17 @@ actually been done this way to get a certificate from CAcert to be used
 on a real server.  It has only been tested with this CA, but there
 shouldn't be any problem to run this against any other CA.
-Before you start, make sure that gpg-agent is running.  As there is no
+We start by generating an X.509 certificate signing request. As there
-need for a configuration file, you may simply enter:
+is no need for a configuration file, you may simply enter:
@cartouche
@example
-  $ gpgsm-gencert.sh >a.p10
+  $ gpgsm --gen-key >example.com.cert-req.pem
-  Key type
+  Please select what kind of key you want:
-   [1] RSA
+     (1) RSA
-   [2] Existing key
+     (2) Existing key
-   [3] Direct from card
+     (3) Existing key from card
-  Your selection: 1
+  Your selection? 1
  You selected: RSA
@end example
@end cartouche
@ -32,39 +31,36 @@ Let's continue:
@cartouche
@example
-  Key length
+  What keysize do you want? (2048)
-   [1] 1024
+  Requested keysize is 2048 bits
   [2] 2048
  Your selection: 1
  You selected: 1024
@end example
@end cartouche
-The script offers  two common key sizes. With the current setup of
+Hitting enter chooses the default RSA key size of 2048 bits.  Smaller
-CAcert, it does not make much sense to use a 2k key; their policies need
+keys are too weak on the modern Internet.  If you choose a larger
-to be revised anyway (a CA root key valid for 30 years is not really
+(stronger) key, your server will need to do more work.
 serious).
@cartouche
@example
-  Key usage
+  Possible actions for a RSA key:
-   [1] sign, encrypt
+     (1) sign, encrypt
-   [2] sign
+     (2) sign
-   [3] encrypt
+     (3) encrypt
-  Your selection: 1
+  Your selection? 1
  You selected: sign, encrypt
@end example
@end cartouche
-We want to sign and encrypt using this key. This is just a suggestion
+Selecting ``sign'' enables use of the key for Diffie-Hellman key
-and the CA may actually assign other key capabilities.
+exchange mechanisms (DHE and ECDHE) in TLS, which are preferred
 because they offer forward secrecy.  Selecting ``encrypt'' enables RSA
 key exchange mechanisms, which are still common in some places.
 Selecting both enables both key exchange mechanisms.
 Now for some real data:
@cartouche
@example
-  Name (DN)
+  Enter the X.509 subject name: CN=example.com
  > CN=kerckhoffs.g10code.com
@end example
@end cartouche
@ -74,13 +70,13 @@ server names later.
@cartouche
@example
-  E-Mail addresses (end with an empty line)
+  E-Mail addresses (end with an empty line):
  > 
@end example
@end cartouche
-We don't need email addresses in a server certificate and CAcert would
+We don't need email addresses in a TLS server certificate and CAcert
-anyway ignore such a request. Thus just hit enter.
+would anyway ignore such a request. Thus just hit enter.
 If you want to create a client certificate for email encryption, this
 would be the place to enter your mail address
@ -89,22 +85,21 @@ however the CA may not accept them all or reject the entire request.
@cartouche
@example
-  DNS Names (optional; end with an empty line)
+  Enter DNS names (optional; end with an empty line):
-  > www.g10code.com
+  > example.com
-  DNS Names (optional; end with an empty line)
+  > www.example.com
  > ftp.g10code.com
  DNS Names (optional; end with an empty line)
  > 
@end example
@end cartouche
-Here I entered the names of the servers which actually run on the
+Here I entered the names of the services which the machine actually
-machine given in the DN above. The browser will accept a certificate for
+provides.  You almost always want to include the canonical name here
-any of these names. As usual the CA must approve all of these names.
+too. The browser will accept a certificate for any of these names. As
 usual the CA must approve all of these names.
@cartouche
@example
-  URIs (optional; end with an empty line)
+  URIs (optional; end with an empty line):
  >
@end example
@end cartouche
@ -112,25 +107,30 @@ any of these names. As usual the CA must approve all of these names.
 It is possible to insert arbitrary URIs into a certificate; for a server
 certificate this does not make sense.
@cartouche
@example
  Create self-signed certificate? (y/N)
@end example
@end cartouche
 Since we are creating a certificate signing request, and not a full
 certificate, we answer no here, or just hit enter for the default.
 We have now entered all required information and @command{gpgsm} will
 display what it has gathered and ask whether to create the certificate
 request:
@cartouche
@example
-  Parameters for certificate request to create:
+  These parameters are used:
-       1	Key-Type: RSA
+      Key-Type: RSA
-       2	Key-Length: 1024
+      Key-Length: 2048
-       3	Key-Usage: sign, encrypt
+      Key-Usage: sign, encrypt
-       4	Name-DN: CN=kerckhoffs.g10code.com
+      Name-DN: CN=example.com
-       5	Name-DNS: www.g10code.com
+      Name-DNS: example.com
-       6	Name-DNS: ftp.g10code.com
+      Name-DNS: www.example.com
-  
+
-  Really create such a CSR?
+  Proceed with creation? (y/N) y
   [1] yes
   [2] no
  Your selection: 1
  You selected: yes
@end example
@end cartouche
@ -146,6 +146,7 @@ When it is ready, you should see the final notice:
@cartouche
@example
  gpgsm: certificate request created
  Ready.  You should now send this request to your CA.
@end example
@end cartouche
@ -153,17 +154,22 @@ Now, you may look at the created request:
@cartouche
@example
-  $ cat a.p10
+  $ cat example.com.cert-req.pem
  -----BEGIN CERTIFICATE REQUEST-----
-  MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
+  MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
-  nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
+  DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
-  HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
+  h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
-  wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
+  Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
-  Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
+  GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
-  d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
+  DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
-  gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
+  xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
-  IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
+  hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
-  eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
+  ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
  b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
  hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
  bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
  VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
  k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
  -----END CERTIFICATE REQUEST-----
  $
@end example
@ -189,26 +195,7 @@ followed by a Ctrl-D
@example
  -----BEGIN CERTIFICATE-----
  MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
-  cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
+   [...]
  ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
  MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
  hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
  ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
  8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
  MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
  BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
  oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
  dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
  b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
  aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
  W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
  fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
  mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
  NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
  6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
  BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
  gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
  94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
  rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
  Rtct3tIX
  -----END CERTIFICATE-----
@ -229,19 +216,19 @@ To see the content of your certificate, you may now enter:
@cartouche
@example
-  $ gpgsm -K kerckhoffs.g10code.com
+  $ gpgsm -K example.com
  /home/foo/.gnupg/pubring.kbx
  ---------------------------
  Serial number: 4C
         Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
-        Subject: /CN=kerckhoffs.g10code.com
+        Subject: /CN=example.com
-            aka: (dns-name www.g10code.com)
+            aka: (dns-name example.com)
-            aka: (dns-name ftp.g10code.com)
+            aka: (dns-name www.example.com)
-       validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
+       validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
-       key type: 1024 bit RSA
+       key type: 2048 bit RSA
      key usage: digitalSignature keyEncipherment
  ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
-    fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
+    fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
@end example
@end cartouche
@ -256,7 +243,7 @@ certificate. To create such a file, run:
@cartouche
@example
-  $ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
+  $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
@end example
@end cartouche
@ -266,12 +253,12 @@ certificate as well as the private key:
@cartouche
@example
-  $ cat kerckhoffs-cert.pem
+  $ cat example-cert.pem
  Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
  Serial ...: 4C
-  Subject ..: /CN=kerckhoffs.g10code.com
+  Subject ..: /CN=example.com
-      aka ..: (dns-name www.g10code.com)
+      aka ..: (dns-name example.com)
-      aka ..: (dns-name ftp.g10code.com)
+      aka ..: (dns-name www.example.com)
  -----BEGIN PKCS12-----
  MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
--- a/doc/tools.texi
+++ b/doc/tools.texi
@ -15,7 +15,6 @@ GnuPG comes with a couple of smaller tools:
 * addgnupghome::          Create .gnupg home directories.
 * gpgconf::               Modify .gnupg home directories.
 * applygnupgdefaults::    Run gpgconf for all users.
 * gpgsm-gencert.sh::      Generate an X.509 certificate request.
 * gpg-preset-passphrase:: Put a passphrase into the cache.
 * gpg-connect-agent::     Communicate with a running agent.
 * dirmngr-client::        How to use the Dirmngr client tool.
@ -1000,42 +999,6 @@ applygnupgdefaults
@end example
@c
@c    GPGSM-GENCERT.SH
@c
@node gpgsm-gencert.sh
@section Generate an X.509 certificate request
@manpage gpgsm-gencert.sh.1
@ifset manverb
 .B gpgsm-gencert.sh
 \- Generate an X.509 certificate request
@end ifset
@mansect synopsis
@ifset manverb
 .B  gpgsm-gencert.sh
@end ifset
@mansect description
 This is a simple tool to interactively generate a certificate request
 which will be printed to stdout.
@manpause
@noindent
@command{gpgsm-gencert.sh} is invoked as:
@samp{gpgsm-cencert.sh}
@mansect see also
@ifset isman
@command{gpgsm}(1),
@command{gpg-agent}(1),
@command{scdaemon}(1)
@end ifset
@include see-also-note.texi
@c
@c   GPG-PRESET-PASSPHRASE
@c
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@ -18,7 +18,7 @@
 EXTRA_DIST = \
 	Manifest watchgnupg.c \
-	addgnupghome applygnupgdefaults gpgsm-gencert.sh \
+	addgnupghome applygnupgdefaults \
 	lspgpot mail-signed-keys convert-from-106 sockprox.c \
 	ccidmon.c ChangeLog-2011 gpg-connect-agent-w32info.rc
@ -34,7 +34,6 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
 sbin_SCRIPTS = addgnupghome applygnupgdefaults
 bin_SCRIPTS = gpgsm-gencert.sh
 if HAVE_USTAR
 # bin_SCRIPTS += gpg-zip
 noinst_SCRIPTS = gpg-zip
--- a/tools/gpgsm-gencert.sh
+++ b/tools/gpgsm-gencert.sh
@ -1,203 +0,0 @@
 #!/bin/sh
 #                                                              -*- sh -*-
 # gpgsm-gencert.c - Generate X.509 certificates through GPGSM.  
 #	Copyright (C) 2004, 2005 Free Software Foundation, Inc.
 #
 # This file is part of GnuPG.
 #
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 #
 # GnuPG is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, see <http://www.gnu.org/licenses/>.
 set -e
 ASSUAN_FP_IN=4
 ASSUAN_FP_OUT=5
 ASSUAN_COMMANDS="\
 INPUT FD=$ASSUAN_FP_IN\n\
 OUTPUT FD=$ASSUAN_FP_OUT --armor\n\
 GENKEY\n\
 BYE\n"
 ANSWER=""
 query_user()
 {
    message=$1; shift
    echo "$message" >&2
    echo -n "> " >&2
    read answer
    ANSWER=$answer;
 }
 query_user_menu()
 {
    message=$1; shift
    i=0
    echo "$message" >&2
    for choice in "$@"; do
 	i=$(expr $i + 1)
 	echo " [$i] $choice" >&2
    done
    while true; do
 	j=1
 	echo -n "Your selection: " >&2
 	read idx
 	while [ $j -lt $i -o $j -eq $i ]; do
 	    if [ "$idx" = $j ]; then
 		break
 	    fi
 	    j=$(expr $j + 1)
 	done
 	if [ $j -lt $i -o $j -eq $i ]; then
 	    break
 	fi
    done
    i=0
    for choice in "$@"; do
 	i=$(expr $i + 1)
 	if [ $i -eq $idx ]; then
 	    ANSWER=$1
 	    break;
 	fi
 	shift
    done
    echo "You selected: $ANSWER" >&2
 }
 echo "WARNING: This script is deprecated; please use" >&2
 echo "           gpgsm --gen-key" >&2
 echo "         instead." >&2
 KEY_TYPE=""
 while [ -z "$KEY_TYPE" ]; do
  query_user_menu "Key type" "RSA" "Existing key" "Direct from card"
  case "$ANSWER" in
    RSA)
      KEY_TYPE=$ANSWER
      query_user_menu "Key length" "1024" "2048"
      KEY_LENGTH=$ANSWER
      KEY_GRIP=
      ;;
    Existing*)
      # User requested to use an existing key; need to set some dummy defaults
      query_user "Keygrip "
      if [ -n "$ANSWER" ]; then
        KEY_TYPE=RSA 
        KEY_LENGTH=1024
        KEY_GRIP=$ANSWER
      fi
      ;;
    Direct*)
      tmp=$(echo 'SCD SERIALNO' | gpg-connect-agent | \
            awk '$2 == "SERIALNO" {print $3}') 
      if [ -z "$tmp" ]; then
          echo "No card found" >&2
      else
        echo "Card with S/N $tmp found" >&2
        tmp=$(echo 'SCD LEARN --force' | gpg-connect-agent | \
              awk '$2 == "KEYPAIRINFO" {printf " %s", $4}')
        sshid=$(echo 'SCD GETATTR $AUTHKEYID' | gpg-connect-agent | \
                awk '$2 == "$AUTHKEYID" {print $3}') 
        [ -n "$sshid" ] && echo "gpg-agent uses $sshid as ssh key" >&2
        query_user_menu "Select key " $tmp "back"
        if [ "$ANSWER" != "back" ]; then
          KEY_TYPE="card:$ANSWER"
          KEY_LENGTH=
          KEY_GRIP=
        fi
      fi
      ;;
    *)
      exit 1
      ;;   
  esac
 done
 query_user_menu "Key usage" "sign, encrypt" "sign" "encrypt"
 KEY_USAGE=$ANSWER
 query_user "Name (DN)"
 NAME=$ANSWER
 EMAIL_ADDRESSES=
 LF=
 while : ; do
  query_user "E-Mail addresses (end with an empty line)"
  [ -z "$ANSWER" ] && break
  EMAIL_ADDRESSES="${EMAIL_ADDRESSES}${LF}Name-Email: $ANSWER"
  LF='
 '
 done
 DNS_ADDRESSES=
 LF=
 while : ; do
  query_user "DNS Names (optional; end with an empty line)"
  [ -z "$ANSWER" ] && break
  DNS_ADDRESSES="${DNS_ADDRESSES}${LF}Name-DNS: $ANSWER"
  LF='
 '
 done
 URI_ADDRESSES=
 LF=
 while : ; do
  query_user "URIs (optional; end with an empty line)"
  [ -z "$ANSWER" ] && break
  URI_ADDRESSES="${URI_ADDRESSES}${LF}Name-URI: $ANSWER"
  LF='
 '
 done
 file_parameter=$(mktemp "/tmp/gpgsm.XXXXXX")
 outfile=$(mktemp "/tmp/gpgsm.XXXXXX")
 (
 cat <<EOF
 Key-Type: $KEY_TYPE
 Key-Length: $KEY_LENGTH
 Key-Usage: $KEY_USAGE
 Name-DN: $NAME
 EOF
 [ -n "$KEY_GRIP" ] && echo "Key-Grip: $KEY_GRIP"
 [ -n "$EMAIL_ADDRESSES" ] && echo "$EMAIL_ADDRESSES"
 [ -n "$DNS_ADDRESSES" ] && echo "$DNS_ADDRESSES"
 [ -n "$URI_ADDRESSES" ] && echo "$URI_ADDRESSES"
 ) > "$file_parameter"
 echo 'Parameters for certificate request to create:' >&2
 cat -n "$file_parameter" >&2
 echo  >&2
 query_user_menu "Really create such a CSR?" "yes" "no"
 [ "$ANSWER" != "yes" ] && exit 1
 printf "$ASSUAN_COMMANDS" | \
     gpgsm --no-log-file --debug-level none --debug-none \
           --server 4< "$file_parameter" 5>"$outfile" >/dev/null
 cat "$outfile"
 rm "$file_parameter" "$outfile"
 exit 0