From 585568aa8b851d153fbec0a46769b8f12e1df7f4 Mon Sep 17 00:00:00 2001
From: "U-Z690-A\\user"
Date: Wed, 29 Jun 2022 20:26:01 -0700
Subject: extendedKeyUsage: decommission ekusub.sh and use environment variables instead

ekusub.sh has additionally been generalized into inimodify.sh in case I ever need it in the future for anything else.
---
 configure.sh | 2 +-
 ekusub.sh | 32 --------------------------------
 gensignedcert.sh | 3 ++-
 inimodify.sh | 36 ++++++++++++++++++++++++++++++++++++
 openssl.cnf | 1 +
 signcsr.sh | 4 ++--
 6 files changed, 42 insertions(+), 36 deletions(-)
 delete mode 100755 ekusub.sh
 create mode 100755 inimodify.sh
diff --git a/configure.sh b/configure.sh
index 54e9577..02043d8 100644
--- a/configure.sh
+++ b/configure.sh
@@ -11,8 +11,8 @@ export CN="Joe Rayhawk" # Common Name
 export E="jrayhawk+ssl@omgwallhack.org" # Email; used in certs and for From: and CC: in ./mailcert.sh usage
 export OPENSSL_CONFIG="openssl.cnf" # For advanced customization (not suggested)
-#export EKU="clientAuth, serverAuth" # we try to dynamically determine this in signcsr.sh
 export EMAIL_DEFAULT_DOMAIN="omgwallhack.org" # ./mailcert.sh uses this as a user's domain if nothing more obvious is available
+export EKU="" # "clientAuth, serverAuth" # we try to dynamically determine this in signcsr.sh
 if [ -e ./local.cfg ]; then
 . ./local.cfg # dash is finnicky about how paths for sourcing work
diff --git a/ekusub.sh b/ekusub.sh
deleted file mode 100755
index bf1546d..0000000
--- a/ekusub.sh
+++ /dev/null
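Review bot: The added `export EKU=""` unconditionally overwrites any EKU the operator set in the environment before invoking a script, which undercuts the comment's promise that the value is normally determined elsewhere — assuming, as its use of $OPENSSL_CONFIG and $CA in the other hunks suggests, that configure.sh is sourced by signcsr.sh/gensignedcert.sh after the caller's environment is in place. `export EKU="${EKU:-}"` keeps the variable present (the new `$ENV::EKU` line in openssl.cnf needs it to exist) while honouring a preset value. The comment should also spell out the contract, e.g. `export EKU="${EKU:-}" # must stay exported: openssl.cnf reads $ENV::EKU; empty means signcsr.sh picks the value`.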
@@ -1,32 +0,0 @@
-#!/bin/bash
-# Dynamically substitutes extendedKeyUsage in usr_cert in an openssl config file
-# ./ekusub.sh "clientAuth, serverAuth"
-#requires bash 4.0 regexes
-
-set -e
-[ -n "$1" ] || cat # pass through
-
-IFS=$'\n'
-CA_STANZA=0
-EKU_MODIFIED=0
-while read line; do
- if [[ "$line" =~ ^\ *\[\ *usr_cert\ *\] ]]; then
- CA_STANZA=1
- echo "$line"
- elif [ $CA_STANZA == 1 ] && [[ "$line" =~ ^\ *extendedKeyUsage\ *= ]]; then
- echo -n "$line"
- echo ", $1"
- EKU_MODIFIED=1
- elif [ $CA_STANZA == 1 ] && [[ "$line" =~ ^\ *\[\ .+\ \] ]]; then
- if [ $EKU_MODIFIED == 0 ]; then
- echo "extendedKeyUsage = $1"
- echo
- EKU_MODIFIED=1
- fi
- CA_STANZA=0
- echo "$line"
- else
- echo "$line"
- fi
-
-done
diff --git a/gensignedcert.sh b/gensignedcert.sh
index b51f69b..a5a5368 100755
--- a/gensignedcert.sh
+++ b/gensignedcert.sh
@@ -25,7 +25,8 @@ mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
 openssl req -config "$OPENSSL_CONFIG" -new -nodes -out "$CA"/temp/"$1".csr -keyout "$CA"/temp/"$1".key
 chmod 600 "$CA"/temp/"$1".key
 SERIAL=$(cat "$CA"/ca/"$CA".serial)
-openssl ca -config <( ./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" ) -in "$CA"/temp/"$1".csr
+EKU="serverAuth"
+openssl ca -config "$OPENSSL_CONFIG" -in "$CA"/temp/"$1".csr
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
 mv -i "$CA"/temp/"$1".csr "$CA"/temp/"$1".key "$CA"/signed/
 ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$1".crt # so we can find the certificate by name as well as by serial
diff --git a/inimodify.sh b/inimodify.sh
new file mode 100755
index 0000000..939e47a
--- /dev/null
+++ b/inimodify.sh
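Review bot: The added `EKU="serverAuth"` is a plain assignment, so it only reaches openssl's `$ENV::EKU` lookup if EKU already carries the export attribute from configure.sh's `export EKU=""`; anything that unsets EKU (a local.cfg, or running with a pre-built environment instead of sourcing configure.sh) breaks the signing step with no hint in this script. Scoping the value to the command removes that dependency: `EKU="serverAuth" openssl ca -config "$OPENSSL_CONFIG" -in "$CA"/temp/"$1".csr`. Whether configure.sh is actually sourced at the top of gensignedcert.sh is outside the hunk, so the failure mode is inferred from the configure.sh hunk.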
@@ -0,0 +1,36 @@
+#!/bin/bash
+# Dynamically modifies openssl config file
+# ./inimodify.sh [header] [variable] [value] < openssl.cnf
+# ./inimodify.sh "usr_cert" "extendedKeyUsage" "clientAuth, serverAuth" < openssl.cnf
+#requires bash 4.0 regexes
+
+set -x
+set -e
+[ -n "$1" ] && HEADER="$1" || exit 2
+[ -n "$2" ] && VARIABLE="$2" || exit 3
+[ -n "$3" ] && VALUE="$3" || exit 4
+
+IFS=$'\n'
+HEADER_STANZA=0
+VARIABLE_MODIFIED=0
+while read line; do
+ if [[ "$line" =~ ^\ *\[\ *"$HEADER"\ *\] ]]; then
+ HEADER_STANZA=1
+ echo "$line"
+ elif [ "$HEADER_STANZA" == 1 ] && [[ "$line" =~ ^\ *"$VARIABLE"\ *= ]]; then
+ echo -n "$line"
+ echo ", $VALUE"
+ VARIABLE_MODIFIED=1
+ elif [ "$HEADER_STANZA" == 1 ] && [[ "$line" =~ ^\ *\[\ .+\ \] ]]; then
+ if [ "$VARIABLE_MODIFIED" == 0 ]; then
+ echo "$VARIABLE = $VALUE"
+ echo
+ VARIABLE_MODIFIED=1
+ fi
+ HEADER_STANZA=0
+ echo "$line"
+ else
+ echo "$line"
+ fi
+
+done
diff --git a/openssl.cnf b/openssl.cnf
index 2521f88..2bee755 100644
--- a/openssl.cnf
+++ b/openssl.cnf
@@ -179,6 +179,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = $ENV::EKU
 # This will be displayed in Netscape's comment listbox.
 nsComment = "OpenSSL Generated Certificate"
diff --git a/signcsr.sh b/signcsr.sh
index 910d8d9..0536411 100755
--- a/signcsr.sh
+++ b/signcsr.sh
@@ -32,7 +32,7 @@ SERIAL=$(cat "$CA"/ca/"$CA".serial)
 if grep ^SPKAC "$1"; then # SPKAC HTML5 standard
 [ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
 openssl spkac -in "$1" # print key size
- openssl ca -config <( ./ekusub.sh "$EKU" < $OPENSSL_CONFIG ) -spkac "$1" -notext
+ openssl ca -config $OPENSSL_CONFIG -spkac "$1" -notext
 else # x509 CSR
 if ! [ -n "$EKU" ]; then
 [[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
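Review bot: The loop never emits `$VARIABLE = $VALUE` when the target stanza is the last one in the input, because the insertion only happens on seeing the next `[ ... ]` header — after `done` the script exits with `HEADER_STANZA=1`, `VARIABLE_MODIFIED=0` and the variable silently missing, which for `usr_cert`/`extendedKeyUsage` means a certificate issued without the intended EKU restriction. `set -x` should also go: it traces every config line to stderr, and openssl.cnf files can carry `input_password`/`output_password` values. `read line` without `-r` mangles backslashes in the passed-through config, and the two regexes disagree (`\[\ *"$HEADER"\ *\]` accepts `[usr_cert]`, but the terminator `\[\ .+\ \]` only matches headers with inner spaces, so a space-less next header never closes the stanza). Nothing in this commit invokes the new script, so it is dead code for now.
```shell
set -e
# … unchanged: argument checks, IFS and state initialisation …
while read -r line || [ -n "$line" ]; do
  # … unchanged: stanza matching and substitution …
done
# Target stanza ran to end of input with no following header: emit the value now.
if [ "$HEADER_STANZA" == 1 ] && [ "$VARIABLE_MODIFIED" == 0 ]; then
  echo "$VARIABLE = $VALUE"
fi
```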
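Review bot: `extendedKeyUsage = $ENV::EKU` is unconditional, so the old pass-through for an empty EKU (ekusub.sh's `[ -n "$1" ] || cat` left usr_cert untouched) is gone: with configure.sh's default `EKU=""` this line becomes `extendedKeyUsage =` with no value. I am not certain whether openssl rejects that or encodes an empty extension (RFC 5280 defines ExtKeyUsageSyntax as SEQUENCE SIZE (1..MAX), so an empty one would be malformed); either way a caller that forgets to set EKU no longer gets the previous default. If the variable is absent from the environment altogether, openssl's config parser presumably fails the `$ENV::` lookup and the config does not load at all, which is a hard dependency worth stating next to the line: `# EKU must be exported and non-empty by the calling script (gensignedcert.sh sets serverAuth, signcsr.sh derives it)`.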
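Review bot: The SPKAC fallback on the context line `[ -n $EKU ] || EKU="clientAuth"` never fires: with EKU unquoted and empty the test collapses to `[ -n ]`, which is true, so the assignment is skipped. That was harmless while ekusub.sh passed an empty argument through, but the replaced `openssl ca -config $OPENSSL_CONFIG -spkac "$1" -notext` now feeds configure.sh's default `EKU=""` straight into `extendedKeyUsage = $ENV::EKU`, so an SPKAC signed without a caller-set EKU gets an empty (or rejected) EKU instead of clientAuth. Fix the test and, for consistency with the x509 branch in the next hunk, quote the config path: `[ -n "$EKU" ] || EKU="clientAuth"` and `openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext`. The `if grep ^SPKAC` / `else` construct closes outside this hunk.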
@@ -48,7 +48,7 @@ else # x509 CSR
 fi
 fi
 openssl req -in "$1" -text # print key size
- openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
+ openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
 fi
 if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
-- 
cgit v1.2.3
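Review bot: The EKU that the x509 branch computes before this hunk (the `if ! [ -n "$EKU" ]` block, which starts outside it) is assigned without `export`, so the new `openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext` only sees it through `$ENV::EKU` because configure.sh happened to export EKU earlier — an implicit coupling that `EKU="$EKU" openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext` makes explicit and independent of how EKU was set. Whether configure.sh is sourced at the top of signcsr.sh is not visible here, so this is inferred from the `export EKU=""` in the configure.sh hunk.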