authorU-Z690-A\user <jrayhawk@omgwallhack.org>2022-06-28 18:44:57 -0700
committerU-Z690-A\user <jrayhawk@omgwallhack.org>2022-06-28 18:44:57 -0700
commit537cb1c3cf10ba3552b03c43fb053bde9cca2440 (patch)
tree098778a7f6ed8ce8a4f62302725ecfe58fe75a2a /signcsr.sh
parent49fe6c0218d58f4c62e8b7adfe278b52d7975eab (diff)
Add automatic extended key usage detection
extendedKeyUsage is needed for some automatic certificate selection on Windows. We attempt to detect either clientAuth or serverAuth based on subjAltName and commonName.
Diffstat (limited to 'signcsr.sh')
-rwxr-xr-xsigncsr.sh20
1 files changed, 17 insertions, 3 deletions
diff --git a/signcsr.sh b/signcsr.sh
index 4c095f5..910d8d9 100755
--- a/signcsr.sh
+++ b/signcsr.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# requires bash regexes
+# requires bash 3.0 regexes
SUPPLEMENTARY_CONFIG="$2"
@@ -30,11 +30,25 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
SERIAL=$(cat "$CA"/ca/"$CA".serial)
if grep ^SPKAC "$1"; then # SPKAC HTML5 <keygen> standard
+ [ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
openssl spkac -in "$1" # print key size
- openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext
+ openssl ca -config <( ./ekusub.sh "$EKU" < $OPENSSL_CONFIG ) -spkac "$1" -notext
else # x509 CSR
+ if ! [ -n "$EKU" ]; then
+ [[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
+ CN=${BASH_REMATCH[1]}
+ if openssl req -in "$1" -text | grep -EA1 '^ +X509v3 Subject Alternative Name:' | tail -n 1 | grep -qE '^ +DNS:'; then
+ EKU="serverAuth"
+ elif [[ "$CN" =~ \. ]] && ! [[ "$CN" =~ ' ' ]]; then
+ EKU="serverAuth"
+ elif [[ "$CN" =~ ' ' ]]; then
+ EKU="clientAuth"
+ else
+ echo Unable to determine if client or server for EKU.
+ fi
+ fi
openssl req -in "$1" -text # print key size
- openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
+ openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
fi
if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
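Review bot: The clientAuth default on the SPKAC branch never applies: with `$EKU` unquoted, `[ -n $EKU ]` collapses to the one-argument test `[ -n ]` when EKU is empty, which is true, so ekusub.sh is invoked with an empty EKU; it should read `[ -n "$EKU" ] || EKU="clientAuth"`. The same missing quotes appear at `< $OPENSSL_CONFIG` on the spkac `openssl ca` line and at `-in $1` in the commonName lookup, while the parallel lines in the CSR branch quote both. In the CSR branch the "Unable to determine" fallthrough prints to stdout and still reaches the signing `openssl ca` with EKU empty; I would send it to stderr and stop there, `echo 'Unable to determine if client or server for EKU.' >&2; exit 1`, so no certificate is issued before the key usage that constrains it has been decided. A short comment that the heuristic keys off CN and SAN values chosen by the requester would also help, since it means the operator still has to check the printed request before accepting the result. The hunk's trailing context lines fall outside this excerpt.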