From 537cb1c3cf10ba3552b03c43fb053bde9cca2440 Mon Sep 17 00:00:00 2001
From: "U-Z690-A\\user"
Date: Tue, 28 Jun 2022 18:44:57 -0700
Subject: Add automatic extended key usage detection

extendedKeyUsage is needed for some automatic certificate selection on Windows. We attempt to detect either clientAuth or serverAuth based on subjAltName and commonName.
---
 configure.sh | 2 +-
 gensignedcert.sh | 7 ++++---
 signcsr.sh | 20 +++++++++++++++++---
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/configure.sh b/configure.sh
index 9d9d156..54e9577 100644
--- a/configure.sh
+++ b/configure.sh
@@ -11,7 +11,7 @@
 export CN="Joe Rayhawk" # Common Name
 export E="jrayhawk+ssl@omgwallhack.org" # Email; used in certs and for From: and CC: in ./mailcert.sh usage
 export OPENSSL_CONFIG="openssl.cnf" # For advanced customization (not suggested)
-
+#export EKU="clientAuth, serverAuth" # we try to dynamically determine this in signcsr.sh
 export EMAIL_DEFAULT_DOMAIN="omgwallhack.org" # ./mailcert.sh uses this as a user's domain if nothing more obvious is available
 if [ -e ./local.cfg ]; then
diff --git a/gensignedcert.sh b/gensignedcert.sh
index 10c909c..b51f69b 100755
--- a/gensignedcert.sh
+++ b/gensignedcert.sh
@@ -1,6 +1,7 @@
-#!/bin/sh
-# ./keygen [name] (configfile)
+#!/bin/bash
+# ./gensignedcert.sh [name] (configfile)
 # This is only suggested if you have a secured path to deliver this new key through.
+# requires bash 3.0 regexes
 set -e
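Review bot: The added comment `# requires bash 3.0 regexes` in gensignedcert.sh does not describe why this script now needs bash: the hunk at `@@ -24,7 +25,7 @@` switches `openssl ca -config` to a process substitution `<( … )`, which is the actual bashism, and no `[[ =~ ]]` match appears in gensignedcert.sh in this diff. The line looks copied from signcsr.sh, where regex matching is genuinely used. Suggest `# requires bash: process substitution <( ) feeds the EKU-patched config to openssl ca` so the shebang change from `#!/bin/sh` is justified by the comment next to it.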
@@ -24,7 +25,7 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
 openssl req -config "$OPENSSL_CONFIG" -new -nodes -out "$CA"/temp/"$1".csr -keyout "$CA"/temp/"$1".key
 chmod 600 "$CA"/temp/"$1".key
 SERIAL=$(cat "$CA"/ca/"$CA".serial)
-openssl ca -config "$OPENSSL_CONFIG" -in "$CA"/temp/"$1".csr
+openssl ca -config <( ./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" ) -in "$CA"/temp/"$1".csr
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
 mv -i "$CA"/temp/"$1".csr "$CA"/temp/"$1".key "$CA"/signed/
 ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$1".crt # so we can find the certificate by name as well as by serial
diff --git a/signcsr.sh b/signcsr.sh
index 4c095f5..910d8d9 100755
--- a/signcsr.sh
+++ b/signcsr.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# requires bash regexes
+# requires bash 3.0 regexes
 SUPPLEMENTARY_CONFIG="$2"
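Review bot: The new `openssl ca` line hard-codes `"serverAuth"` and never consults the `EKU` override that configure.sh introduces in this same commit, so an operator who sets `EKU` in configure.sh or local.cfg will still get a serverAuth-only certificate from gensignedcert.sh; `openssl ca -config <( ./ekusub.sh "${EKU:-serverAuth}" < "$OPENSSL_CONFIG" ) -in "$CA"/temp/"$1".csr` keeps the current default while honouring the setting. Because the patched config is read from a process substitution, the shell never sees ekusub.sh's exit status, so under `set -e` a missing or failing `./ekusub.sh` silently hands openssl ca an empty or truncated config rather than stopping the signing run; writing the substituted config to a `mktemp` file and checking that step's status before calling `openssl ca` would make the failure visible. Note also that `ekusub.sh` is not among the three files in the diffstat, so what it does with its argument (and with an empty one) cannot be reviewed from this commit. The same unchecked-substitution pattern is used twice in the signcsr.sh hunk below.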
@@ -30,11 +30,25 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
 SERIAL=$(cat "$CA"/ca/"$CA".serial)
 if grep ^SPKAC "$1"; then # SPKAC HTML5 standard
+[ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
 openssl spkac -in "$1" # print key size
-openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext
+openssl ca -config <( ./ekusub.sh "$EKU" < $OPENSSL_CONFIG ) -spkac "$1" -notext
 else # x509 CSR
+if ! [ -n "$EKU" ]; then
+[[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
+CN=${BASH_REMATCH[1]}
+if openssl req -in "$1" -text | grep -EA1 '^ +X509v3 Subject Alternative Name:' | tail -n 1 | grep -qE '^ +DNS:'; then
+EKU="serverAuth"
+elif [[ "$CN" =~ \. ]] && ! [[ "$CN" =~ ' ' ]]; then
+EKU="serverAuth"
+elif [[ "$CN" =~ ' ' ]]; then
+EKU="clientAuth"
+else
+echo Unable to determine if client or server for EKU.
+fi
+fi
 openssl req -in "$1" -text # print key size
-openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
+openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
 fi
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
-- 
cgit v1.2.3
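Review bot: In the SPKAC branch `[ -n $EKU ] || EKU="clientAuth"` never applies its default: with EKU unset, `[ -n ]` is a one-argument test on the literal string `-n`, which is true, so ekusub.sh receives an empty EKU, and a value containing a space (configure.sh's own example `clientAuth, serverAuth`) makes `[` fail with "too many arguments" and the operator's setting is overwritten; write `[ -n "$EKU" ] || EKU="clientAuth"`, and quote `$OPENSSL_CONFIG` on the following `openssl ca` line and `$1` in `openssl req -in $1 -subject`. In the x509 branch the final `else` only echoes `Unable to determine if client or server for EKU.` to stdout and execution falls through to `openssl ca` with EKU still empty; that should be `echo "Unable to determine if client or server for EKU; set EKU and retry." >&2; exit 1` so an undetermined request is not signed by default. The serverAuth/clientAuth choice is now driven by requester-controlled CSR content (the first SAN entry and the shape of the CN), so the chosen value should be shown to the operator before the signing prompt, e.g. `echo "EKU: $EKU" >&2` ahead of `openssl ca`; whether the CA config also copies CSR extensions is not visible in this hunk and affects how much the CSR can shape the issued certificate. The bare `[[ … =~ … ]]` match on the commonName line returns non-zero for a CSR with no commonName, which under `set -e` (not visible in this hunk) aborts the script without a message rather than reaching the "Unable to determine" arm; `|| CN=` after the match keeps the fall-through logic reachable.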