Allow to have multiple domain ... {} sextions with the same domain

name, by adding a new (optional) config option "domain name".
This can be used to create a rsa and an ecdsa key for the same domain
name.
The old domain name in the 'title' line continues to be used as domain
name in the abscence of the domain name argument, i.e. the change is
backward compatible with current config files.
tested by sthen@
ok florian@ sthen@

5 files changed, 48 insertions, 22 deletions

diff --git a/usr.sbin/acme-client/acme-client.1 b/usr.sbin/acme-client/acme-client.1
index 9f6784a9fa2..100ffc173e4 100644
--- a/usr.sbin/acme-client/acme-client.1
+++ b/usr.sbin/acme-client/acme-client.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: acme-client.1,v 1.33 2020/04/15 03:24:08 millert Exp $
+.\"	$OpenBSD: acme-client.1,v 1.34 2020/05/10 12:06:18 benno Exp $
 .\"
 .\" Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 15 2020 $
+.Dd $Mdocdate: May 10 2020 $
 .Dt ACME-CLIENT 1
 .Os
 .Sh NAME
@@ -24,14 +24,14 @@
 .Nm acme-client
 .Op Fl Fnrv
 .Op Fl f Ar configfile
-.Ar domain
+.Ar handle
 .Sh DESCRIPTION
 .Nm
 is an
 Automatic Certificate Management Environment (ACME) client:
 it looks in its configuration for a domain section
 corresponding to the
-.Ar domain
+.Ar handle
 given as command line argument
 and uses that configuration to retrieve an X.509 certificate
 which can be used to provide domain name validation
@@ -77,8 +77,9 @@ Revoke the X.509 certificate.
 .It Fl v
 Verbose operation.
 Specify twice to also trace communication and data transfers.
-.It Ar domain
-The domain name.
+.It Ar handle
+The handle of the domain section of the configuration that contains the
+details of the certificate to be created, renewed or revoked.
 .El
 .Sh FILES
 .Bl -tag -width "/etc/acme-client.conf" -compact
diff --git a/usr.sbin/acme-client/acme-client.conf.5 b/usr.sbin/acme-client/acme-client.conf.5
index 4d382228d2f..b7e93e8d8f5 100644
--- a/usr.sbin/acme-client/acme-client.conf.5
+++ b/usr.sbin/acme-client/acme-client.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: acme-client.conf.5,v 1.22 2020/02/10 13:18:21 schwarze Exp $
+.\"	$OpenBSD: acme-client.conf.5,v 1.23 2020/05/10 12:06:18 benno Exp $
 .\"
 .\" Copyright (c) 2005 Esben Norby <norby@openbsd.org>
 .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 10 2020 $
+.Dd $Mdocdate: May 10 2020 $
 .Dt ACME-CLIENT.CONF 5
 .Os
 .Sh NAME
@@ -102,15 +102,22 @@ under which the ACME API is reachable.
 .Sh DOMAINS
 The certificates to be obtained through ACME.
 .Bl -tag -width Ds
-.It Ic domain Ar name Brq ...
+.It Ic domain Ar handle Brq ...
 Each domain section begins with the
 .Ic domain
-keyword followed by the name to be used as the common name component
-of the subject of the X.509 certificate.
+keyword followed by an identifier for this domain block.
 .El
 .Pp
 It is followed by a block of options enclosed in curly brackets:
 .Bl -tag -width Ds
+.It Ic domain name Ar name
+The
+.Ar name
+to be used as the common name component of the subject of the
+X.509 certificate.
+This is optional. If not specified, the
+.Ar handle
+of the domain block will be used as common name.
 .It Ic alternative names Brq ...
 Specify a list of alternative names for which the certificate will be valid.
 The common name is included automatically if this option is present,
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index 49ff1ae659a..65ea2cf3ac3 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/*	$Id: main.c,v 1.53 2020/02/07 14:34:15 florian Exp $ */
+/*	$Id: main.c,v 1.54 2020/05/10 12:06:18 benno Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -91,7 +91,7 @@ main(int argc, char *argv[])
 	if (argc != 1)
 		goto usage;
 
-	if ((domain = domain_find(conf, argv[0])) == NULL)
+	if ((domain = domain_find_handle(conf, argv[0])) == NULL)
 		errx(EXIT_FAILURE, "domain %s not found", argv[0]);
 
 	argc--;
@@ -376,6 +376,6 @@ main(int argc, char *argv[])
 	return rc != COMP__MAX ? EXIT_FAILURE : (c == 2 ? EXIT_SUCCESS : 2);
 usage:
 	fprintf(stderr,
-	    "usage: acme-client [-Fnrv] [-f configfile] domain\n");
+	    "usage: acme-client [-Fnrv] [-f configfile] handle\n");
 	return EXIT_FAILURE;
 }
diff --git a/usr.sbin/acme-client/parse.h b/usr.sbin/acme-client/parse.h
index 382aa684f9e..9de5a490f69 100644
--- a/usr.sbin/acme-client/parse.h
+++ b/usr.sbin/acme-client/parse.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.h,v 1.13 2019/06/17 12:42:52 florian Exp $ */
+/*	$OpenBSD: parse.h,v 1.14 2020/05/10 12:06:18 benno Exp $ */
 /*
  * Copyright (c) 2016 Sebastian Benoit <benno@openbsd.org>
  *
@@ -45,6 +45,7 @@ struct domain_c {
 	TAILQ_HEAD(, altname_c)	 altname_list;
 	int			 altname_count;
 	enum keytype		 keytype;
+	char			*handle;
 	char			*domain;
 	char			*key;
 	char			*cert;
@@ -80,7 +81,7 @@ int			 cmdline_symset(char *);
 /* use these to find a authority or domain by name */
 struct authority_c	*authority_find(struct acme_conf *, char *);
 struct authority_c	*authority_find0(struct acme_conf *);
-struct domain_c		*domain_find(struct acme_conf *, char *);
+struct domain_c		*domain_find_handle(struct acme_conf *, char *);
 
 int			 domain_valid(const char *);
 
diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y
index 98f45a382ec..873d73d8e00 100644
--- a/usr.sbin/acme-client/parse.y
+++ b/usr.sbin/acme-client/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.39 2019/12/27 16:56:40 benno Exp $ */
+/*	$OpenBSD: parse.y,v 1.40 2020/05/10 12:06:18 benno Exp $ */
 
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -247,6 +247,11 @@ domain		: DOMAIN STRING {
 				YYERROR;
 			}
 		} '{' optnl domainopts_l '}' {
+			if (domain->domain == NULL) {
+				if ((domain->domain = strdup(domain->handle))
+				    == NULL)
+					err(EXIT_FAILURE, "strdup");
+			}
 			/* enforce minimum config here */
 			if (domain->key == NULL) {
 				yyerror("no domain key file specified for "
@@ -273,6 +278,16 @@ domainopts_l	: domainopts_l domainoptsl nl
 		;
 
 domainoptsl	: ALTERNATIVE NAMES '{' altname_l '}'
+		| DOMAIN NAME STRING {
+			char *s;
+			if (domain->domain != NULL) {
+				yyerror("duplicate domain name");
+				YYERROR;
+			}
+			if ((s = strdup($3)) == NULL)
+				err(EXIT_FAILURE, "strdup");
+			domain->domain = s;
+		}
 		| DOMAIN KEY STRING keytype {
 			char *s;
 			if (domain->key != NULL) {
@@ -932,26 +947,26 @@ conf_new_domain(struct acme_conf *c, char *s)
 {
 	struct domain_c *d;
 
-	d = domain_find(c, s);
+	d = domain_find_handle(c, s);
 	if (d != NULL)
 		return (NULL);
 	if ((d = calloc(1, sizeof(struct domain_c))) == NULL)
 		err(EXIT_FAILURE, "%s", __func__);
 	TAILQ_INSERT_TAIL(&c->domain_list, d, entry);
 
-	d->domain = s;
+	d->handle = s;
 	TAILQ_INIT(&d->altname_list);
 
 	return d;
 }
 
 struct domain_c *
-domain_find(struct acme_conf *c, char *s)
+domain_find_handle(struct acme_conf *c, char *s)
 {
 	struct domain_c	*d;
 
 	TAILQ_FOREACH(d, &c->domain_list, entry) {
-		if (strncmp(d->domain, s, DOMAIN_MAXLEN) == 0) {
+		if (strncmp(d->handle, s, DOMAIN_MAXLEN) == 0) {
 			return d;
 		}
 	}
@@ -1031,7 +1046,9 @@ print_config(struct acme_conf *xconf)
 	}
 	TAILQ_FOREACH(d, &xconf->domain_list, entry) {
 		f = 0;
-		printf("domain %s {\n", d->domain);
+		printf("domain %s {\n", d->handle);
+		if (d->domain != NULL)
+			printf("\tdomain name \"%s\"\n", d->domain);
 		TAILQ_FOREACH(ac, &d->altname_list, entry) {
 			if (!f)
 				printf("\talternative names {");