author | U-Z690-A\user <jrayhawk@omgwallhack.org> | 2022-06-28 18:44:57 -0700 |
---|---|---|
committer | U-Z690-A\user <jrayhawk@omgwallhack.org> | 2022-06-28 18:44:57 -0700 |
commit | 537cb1c3cf10ba3552b03c43fb053bde9cca2440 (patch) | |
tree | 098778a7f6ed8ce8a4f62302725ecfe58fe75a2a | |
parent | 49fe6c0218d58f4c62e8b7adfe278b52d7975eab (diff) | |
download | cash-537cb1c3cf10ba3552b03c43fb053bde9cca2440.tar.gz cash-537cb1c3cf10ba3552b03c43fb053bde9cca2440.zip |
Add automatic extended key usage detection
extendedKeyUsage is needed for some automatic certificate selection on
Windows. We attempt to detect either clientAuth or serverAuth based on
subjAltName and commonName.
-rw-r--r-- | configure.sh | 2 | ||||
-rwxr-xr-x | gensignedcert.sh | 7 | ||||
-rwxr-xr-x | signcsr.sh | 20 |
3 files changed, 22 insertions, 7 deletions
diff --git a/configure.sh b/configure.sh
index 9d9d156..54e9577 100644
--- a/configure.sh
+++ b/configure.sh
@@ -11,7 +11,7 @@
 export CN="Joe Rayhawk" # Common Name
 export E="jrayhawk+ssl@omgwallhack.org" # Email; used in certs and for From: and CC: in ./mailcert.sh usage
 export OPENSSL_CONFIG="openssl.cnf" # For advanced customization (not suggested)
-
+#export EKU="clientAuth, serverAuth" # we try to dynamically determine this in signcsr.sh
 export EMAIL_DEFAULT_DOMAIN="omgwallhack.org" # ./mailcert.sh uses this as a user's domain if nothing more obvious is available
 
 if [ -e ./local.cfg ]; then
diff --git a/gensignedcert.sh b/gensignedcert.sh
index 10c909c..b51f69b 100755
--- a/gensignedcert.sh
+++ b/gensignedcert.sh
@@ -1,6 +1,7 @@
-#!/bin/sh
-# ./keygen [name] (configfile)
+#!/bin/bash
+# ./gensignedcert.sh [name] (configfile)
 # This is only suggested if you have a secured path to deliver this new key through.
+# requires bash 3.0 regexes
 
 set -e
 
@@ -24,7 +25,7 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
 openssl req -config "$OPENSSL_CONFIG" -new -nodes -out "$CA"/temp/"$1".csr -keyout "$CA"/temp/"$1".key
 chmod 600 "$CA"/temp/"$1".key
 SERIAL=$(cat "$CA"/ca/"$CA".serial)
-openssl ca -config "$OPENSSL_CONFIG" -in "$CA"/temp/"$1".csr
+openssl ca -config <( ./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" ) -in "$CA"/temp/"$1".csr
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
 mv -i "$CA"/temp/"$1".csr "$CA"/temp/"$1".key "$CA"/signed/
 ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$1".crt # so we can find the certificate by name as well as by serial
@@ -1,5 +1,5 @@
 #!/bin/bash
-# requires bash regexes
+# requires bash 3.0 regexes
 SUPPLEMENTARY_CONFIG="$2"
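Review bot: In the new `openssl ca -config <( ./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" )` line of the second gensignedcert.sh hunk, a failure of ./ekusub.sh inside the process substitution is never seen by `set -e`, so openssl would be fed an empty or truncated config and the only backstop is the later `[ -e "$CA"/certs/"$SERIAL".pem ]` check, which says nothing about why signing failed. Writing the substituted config to a file first makes the exit status checkable: `./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" > "$CA"/temp/"$1".cnf` followed by `openssl ca -config "$CA"/temp/"$1".cnf -in "$CA"/temp/"$1".csr`. ekusub.sh is not among the three files in this commit's diffstat, so this line presumably relies on it already existing in the tree. The same unchecked process-substitution pattern is used at both signing sites in signcsr.sh's second hunk, where the argument can additionally be empty: the SPKAC branch's `[ -n $EKU ]` is unquoted and so succeeds even when EKU is unset (the `clientAuth` default is never applied), and the CSR branch's final `else` only echoes a message before signing proceeds.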
@@ -30,11 +30,25 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
 SERIAL=$(cat "$CA"/ca/"$CA".serial)
 if grep ^SPKAC "$1"; then # SPKAC HTML5 <keygen> standard
+ [ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
 openssl spkac -in "$1" # print key size
- openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext
+ openssl ca -config <( ./ekusub.sh "$EKU" < $OPENSSL_CONFIG ) -spkac "$1" -notext
 else # x509 CSR
+ if ! [ -n "$EKU" ]; then
+ [[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
+ CN=${BASH_REMATCH[1]}
+ if openssl req -in "$1" -text | grep -EA1 '^ +X509v3 Subject Alternative Name:' | tail -n 1 | grep -qE '^ +DNS:'; then
+ EKU="serverAuth"
+ elif [[ "$CN" =~ \. ]] && ! [[ "$CN" =~ ' ' ]]; then
+ EKU="serverAuth"
+ elif [[ "$CN" =~ ' ' ]]; then
+ EKU="clientAuth"
+ else
+ echo Unable to determine if client or server for EKU.
+ fi
+ fi
 openssl req -in "$1" -text # print key size
- openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
+ openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
 fi
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.