Diffstat (limited to 'signcsr.sh')
-rwxr-xr-x | signcsr.sh | 20 |
1 files changed, 17 insertions, 3 deletions
@@ -1,5 +1,5 @@
 #!/bin/bash
-# requires bash regexes
+# requires bash 3.0 regexes
 SUPPLEMENTARY_CONFIG="$2"
@@ -30,11 +30,25 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
 SERIAL=$(cat "$CA"/ca/"$CA".serial)
 if grep ^SPKAC "$1"; then # SPKAC HTML5 <keygen> standard
+ [ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
 openssl spkac -in "$1" # print key size
- openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext
+ openssl ca -config <( ./ekusub.sh "$EKU" < $OPENSSL_CONFIG ) -spkac "$1" -notext
 else # x509 CSR
+ if ! [ -n "$EKU" ]; then
+ [[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
+ CN=${BASH_REMATCH[1]}
+ if openssl req -in "$1" -text | grep -EA1 '^ +X509v3 Subject Alternative Name:' | tail -n 1 | grep -qE '^ +DNS:'; then
+ EKU="serverAuth"
+ elif [[ "$CN" =~ \. ]] && ! [[ "$CN" =~ ' ' ]]; then
+ EKU="serverAuth"
+ elif [[ "$CN" =~ ' ' ]]; then
+ EKU="clientAuth"
+ else
+ echo Unable to determine if client or server for EKU.
+ fi
+ fi
 openssl req -in "$1" -text # print key size
- openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
+ openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
 fi
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead. |
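Review bot: In the SPKAC branch `[ -n $EKU ]` is unquoted, so when EKU is unset or empty it collapses to the one-argument test `[ -n ]`, which is true, and the `clientAuth` default is never applied; the same line also reads `< $OPENSSL_CONFIG` unquoted while the x509 branch quotes it (and `openssl req -in $1` in the CN lookup is likewise unquoted). Write it as `[ -n "$EKU" ] || EKU="clientAuth"` and `< "$OPENSSL_CONFIG"`. In the x509 branch the `else` arm only echoes `Unable to determine if client or server for EKU.` and then falls through to `openssl ca`, so a CSR whose CN is neither dotted nor spaced is still signed with an empty EKU handed to `./ekusub.sh` (ekusub.sh is not on this page, so how it treats an empty argument cannot be confirmed here); make that arm fatal, e.g. `echo 'Unable to determine if client or server for EKU.' >&2; exit 1`. Note also that when no explicit EKU is given, serverAuth is derived from requester-controlled CSR content (a DNS SAN or a dotted CN), so whoever submits the CSR effectively chooses the key usage; if that is the intended policy it deserves a comment at the top of the `if ! [ -n "$EKU" ]` block, otherwise require the operator to pass the EKU for server certificates. The `if [ -e "$CA"/certs/"$SERIAL".pem ]` at the end of the hunk opens a block that continues outside it.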