authorU-Z690-A\user <jrayhawk@omgwallhack.org>2022-06-29 20:26:01 -0700
committerU-Z690-A\user <jrayhawk@omgwallhack.org>2022-06-29 20:26:01 -0700
commit585568aa8b851d153fbec0a46769b8f12e1df7f4 (patch)
treefc4d8daee10acdd48f33de0221a4dd31773f5289
parent40e0db376ea51384fc2dbb7feb86d6d83408fe9f (diff)
downloadcash-585568aa8b851d153fbec0a46769b8f12e1df7f4.tar.gz
cash-585568aa8b851d153fbec0a46769b8f12e1df7f4.zip
extendedKeyUsage: decommission ekusub.sh and use environment variables insteadHEADmaster
ekusub.sh has additionally been generalized into inimodify.sh in case I ever need it in the future for anything else.
-rw-r--r--configure.sh2
-rwxr-xr-xekusub.sh32
-rwxr-xr-xgensignedcert.sh3
-rwxr-xr-xinimodify.sh36
-rw-r--r--openssl.cnf1
-rwxr-xr-xsigncsr.sh4
6 files changed, 42 insertions, 36 deletions
diff --git a/configure.sh b/configure.sh
index 54e9577..02043d8 100644
--- a/configure.sh
+++ b/configure.sh
@@ -11,8 +11,8 @@ export CN="Joe Rayhawk" # Common Name
export E="jrayhawk+ssl@omgwallhack.org" # Email; used in certs and for From: and CC: in ./mailcert.sh usage
export OPENSSL_CONFIG="openssl.cnf" # For advanced customization (not suggested)
-#export EKU="clientAuth, serverAuth" # we try to dynamically determine this in signcsr.sh
export EMAIL_DEFAULT_DOMAIN="omgwallhack.org" # ./mailcert.sh uses this as a user's domain if nothing more obvious is available
+export EKU="" # "clientAuth, serverAuth" # we try to dynamically determine this in signcsr.sh
if [ -e ./local.cfg ]; then
. ./local.cfg # dash is finnicky about how paths for sourcing work
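Review bot: The new default `export EKU=""` on line 31 no longer means "no extendedKeyUsage"; with `extendedKeyUsage = $ENV::EKU` in openssl.cnf an empty EKU becomes an extension line with an empty value, whereas the removed ekusub.sh passed the config through untouched when its argument was empty (`[ -n "$1" ] || cat`). It is worth confirming how openssl treats the empty value — either it rejects the config or it emits an extendedKeyUsage with no purposes, and neither is the old behaviour. The comment on line 31 also still says only signcsr.sh determines the value, but gensignedcert.sh now assigns it as well; I would extend it to `# default; overridden per-cert in signcsr.sh and gensignedcert.sh, required by $ENV::EKU in openssl.cnf`.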
diff --git a/ekusub.sh b/ekusub.sh
deleted file mode 100755
index bf1546d..0000000
--- a/ekusub.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-# Dynamically substitutes extendedKeyUsage in usr_cert in an openssl config file
-# ./ekusub.sh "clientAuth, serverAuth"
-#requires bash 4.0 regexes
-
-set -e
-[ -n "$1" ] || cat # pass through
-
-IFS=$'\n'
-CA_STANZA=0
-EKU_MODIFIED=0
-while read line; do
- if [[ "$line" =~ ^\ *\[\ *usr_cert\ *\] ]]; then
- CA_STANZA=1
- echo "$line"
- elif [ $CA_STANZA == 1 ] && [[ "$line" =~ ^\ *extendedKeyUsage\ *= ]]; then
- echo -n "$line"
- echo ", $1"
- EKU_MODIFIED=1
- elif [ $CA_STANZA == 1 ] && [[ "$line" =~ ^\ *\[\ .+\ \] ]]; then
- if [ $EKU_MODIFIED == 0 ]; then
- echo "extendedKeyUsage = $1"
- echo
- EKU_MODIFIED=1
- fi
- CA_STANZA=0
- echo "$line"
- else
- echo "$line"
- fi
-
-done
diff --git a/gensignedcert.sh b/gensignedcert.sh
index b51f69b..a5a5368 100755
--- a/gensignedcert.sh
+++ b/gensignedcert.sh
@@ -25,7 +25,8 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
openssl req -config "$OPENSSL_CONFIG" -new -nodes -out "$CA"/temp/"$1".csr -keyout "$CA"/temp/"$1".key
chmod 600 "$CA"/temp/"$1".key
SERIAL=$(cat "$CA"/ca/"$CA".serial)
-openssl ca -config <( ./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" ) -in "$CA"/temp/"$1".csr
+EKU="serverAuth"
+openssl ca -config "$OPENSSL_CONFIG" -in "$CA"/temp/"$1".csr
if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
mv -i "$CA"/temp/"$1".csr "$CA"/temp/"$1".key "$CA"/signed/
ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$1".crt # so we can find the certificate by name as well as by serial
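Review bot: `EKU="serverAuth"` on line 81 is a plain assignment, so it only reaches `openssl ca` via `$ENV::EKU` if EKU was already exported before this point (a reassignment keeps the export attribute); that presumably holds when configure.sh is sourced, but this script should not depend on it. Write `export EKU="serverAuth"` so the intent is explicit and the value is in the environment regardless of what configure.sh or local.cfg did. Note also that `openssl req -config "$OPENSSL_CONFIG"` on line 77 reads the same config before EKU is assigned here, so it relies on the default from configure.sh being present.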
diff --git a/inimodify.sh b/inimodify.sh
new file mode 100755
index 0000000..939e47a
--- /dev/null
+++ b/inimodify.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# Dynamically modifies openssl config file
+# ./inimodify.sh [header] [variable] [value] < openssl.cnf
+# ./inimodify.sh "usr_cert" "extendedKeyUsage" "clientAuth, serverAuth" < openssl.cnf
+#requires bash 4.0 regexes
+
+set -x
+set -e
+[ -n "$1" ] && HEADER="$1" || exit 2
+[ -n "$2" ] && VARIABLE="$2" || exit 3
+[ -n "$3" ] && VALUE="$3" || exit 4
+
+IFS=$'\n'
+HEADER_STANZA=0
+VARIABLE_MODIFIED=0
+while read line; do
+ if [[ "$line" =~ ^\ *\[\ *"$HEADER"\ *\] ]]; then
+ HEADER_STANZA=1
+ echo "$line"
+ elif [ "$HEADER_STANZA" == 1 ] && [[ "$line" =~ ^\ *"$VARIABLE"\ *= ]]; then
+ echo -n "$line"
+ echo ", $VALUE"
+ VARIABLE_MODIFIED=1
+ elif [ "$HEADER_STANZA" == 1 ] && [[ "$line" =~ ^\ *\[\ .+\ \] ]]; then
+ if [ "$VARIABLE_MODIFIED" == 0 ]; then
+ echo "$VARIABLE = $VALUE"
+ echo
+ VARIABLE_MODIFIED=1
+ fi
+ HEADER_STANZA=0
+ echo "$line"
+ else
+ echo "$line"
+ fi
+
+done
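Review bot: The variable is never inserted when the target stanza is the last one in the file, because the fallback on lines 115–120 only fires when a following `[ header ]` line is read; after `done` add `if [ "$HEADER_STANZA" == 1 ] && [ "$VARIABLE_MODIFIED" == 0 ]; then echo "$VARIABLE = $VALUE"; fi`. The `set -x` on line 98 looks like leftover debugging: it traces every line of the config to stderr of whatever process substitution or pipeline calls this script. `read line` should be `read -r line` so backslashes in config values pass through unchanged, and the `while read` loop drops a final line that lacks a trailing newline (`while IFS= read -r line || [ -n "$line" ]` handles that). The header-detection regex on line 115 requires spaces inside the brackets (`[ name ]`), so a stanza written `[name]` would not close the match; this matches the deleted ekusub.sh, but the usage comment could say so.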
diff --git a/openssl.cnf b/openssl.cnf
index 2521f88..2bee755 100644
--- a/openssl.cnf
+++ b/openssl.cnf
@@ -179,6 +179,7 @@ basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = $ENV::EKU
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
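Review bot: `extendedKeyUsage = $ENV::EKU` is undocumented in the file, and `$ENV::` makes openssl refuse to load this config at all when EKU is absent from the environment — this affects every command that reads the file, including the `openssl req` calls, not just `openssl ca`. Add a comment above line 135 such as `# Filled from the EKU environment variable (configure.sh exports a default); openssl fails to parse this file if EKU is unset, and an empty value is not the same as omitting the extension.` Since the issued certificate's key purposes are now taken directly from the caller's environment, the comment should also name where the value is expected to be set (signcsr.sh, gensignedcert.sh).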
diff --git a/signcsr.sh b/signcsr.sh
index 910d8d9..0536411 100755
--- a/signcsr.sh
+++ b/signcsr.sh
@@ -32,7 +32,7 @@ SERIAL=$(cat "$CA"/ca/"$CA".serial)
if grep ^SPKAC "$1"; then # SPKAC HTML5 <keygen> standard
[ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
openssl spkac -in "$1" # print key size
- openssl ca -config <( ./ekusub.sh "$EKU" < $OPENSSL_CONFIG ) -spkac "$1" -notext
+ openssl ca -config $OPENSSL_CONFIG -spkac "$1" -notext
else # x509 CSR
if ! [ -n "$EKU" ]; then
[[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
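Review bot: The unquoted `[ -n $EKU ]` on line 144 is a one-argument test (`[ -n ]`) whenever EKU is empty or unset, which is always true, so `EKU="clientAuth"` is never applied to SPKAC requests; with configure.sh now exporting `EKU=""` this feeds an empty value straight into `$ENV::EKU` on the new line 147. Change it to `[ -n "$EKU" ] || EKU="clientAuth"`. Line 147 also leaves `$OPENSSL_CONFIG` unquoted while the parallel line 156 in the next hunk quotes it; `-config "$OPENSSL_CONFIG"` keeps the two branches consistent. The enclosing if/else runs past the end of this hunk.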
@@ -48,7 +48,7 @@ else # x509 CSR
fi
fi
openssl req -in "$1" -text # print key size
- openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
+ openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
fi
if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.