author | Sebastian Benoit <benno@cvs.openbsd.org> | 2017-01-21 09:00:30 +0000 |
---|---|---|
committer | Sebastian Benoit <benno@cvs.openbsd.org> | 2017-01-21 09:00:30 +0000 |
commit | deae64c670c98abc10be3c1de2f8d36caea9d728 (patch) | |
tree | cb74f6a56b5a5c5660fac17f3f178d1d791fac7d | |
parent | e788d2ee8276927e16b7369bbd2d9b59b34b1f6d (diff) |
add option 'domain full chain certificate "path"',
revocation works; the fullchain file will be unlinked.
ok florian
-rw-r--r-- | usr.sbin/acme-client/acme-client.conf.5 | 6 | ||||
-rw-r--r-- | usr.sbin/acme-client/main.c | 18 | ||||
-rw-r--r-- | usr.sbin/acme-client/parse.h | 3 | ||||
-rw-r--r-- | usr.sbin/acme-client/parse.y | 23 |
4 files changed, 42 insertions, 8 deletions
diff --git a/usr.sbin/acme-client/acme-client.conf.5 b/usr.sbin/acme-client/acme-client.conf.5
index c203dc3997b..d992a6fec96 100644
--- a/usr.sbin/acme-client/acme-client.conf.5
+++ b/usr.sbin/acme-client/acme-client.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acme-client.conf.5,v 1.5 2017/01/21 08:57:49 benno Exp $
+.\" $OpenBSD: acme-client.conf.5,v 1.6 2017/01/21 09:00:29 benno Exp $
 .\"
 .\" Copyright (c) 2005 Esben Norby <norby@openbsd.org>
 .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -123,7 +123,9 @@ The private key file for which the certificate will be obtained.
 .It Ic domain certificate Ar file
 The filename of the certificate that will be issued.
 .It Ic domain chain certificate Ar file
-The filename of the chain certificate that will be returned by the CA.
+The filename in which to store the certificate chain that will be returned by the CA.
+.It Ic domain full chain certificate Ar file
+The filename in which to store the full certificate chain that will be returned by the CA.
 .It Ic sign with Ar authority
 The certificate authority (as declared above in the
 .Sx AUTHORITIES
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index 1c6067488ca..35c47d4a487 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.25 2017/01/21 08:55:09 florian Exp $ */
+/* $Id: main.c,v 1.26 2017/01/21 09:00:29 benno Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -36,7 +36,8 @@ int
 main(int argc, char *argv[])
 {
 	const char **alts = NULL;
-	char *certdir = NULL, *certfile = NULL, *chainfile = NULL;
+	char *certdir = NULL, *certfile = NULL;
+	char *chainfile = NULL, *fullchainfile = NULL;
 	char *acctkey = NULL;
 	char *chngdir = NULL, *auth = NULL, *agreement = NULL;
 	char *conffile = CONF_FILE;
@@ -129,6 +130,16 @@ main(int argc, char *argv[])
 			err(EXIT_FAILURE, "strdup");
 	}
 
+	if(domain->fullchain != NULL) {
+		if ((fullchainfile = strstr(domain->fullchain, certdir)) != NULL)
+			fullchainfile = domain->fullchain + strlen(certdir);
+		else
+			fullchainfile = domain->fullchain;
+
+		if ((fullchainfile = strdup(fullchainfile)) == NULL)
+			err(EXIT_FAILURE, "strdup");
+	}
+
 	if ((auth = domain->auth) == NULL) {
 		/* use the first authority from the config as default XXX */
 		authority = authority_find0(conf);
@@ -347,7 +358,8 @@ main(int argc, char *argv[])
 		free(alts);
 		close(dns_fds[0]);
 		close(rvk_fds[0]);
-		c = fileproc(file_fds[1], certdir, certfile, chainfile, NULL);
+		c = fileproc(file_fds[1], certdir, certfile, chainfile,
+		    fullchainfile);
 		/*
 		 * This is different from the other processes in that it
 		 * can return 2 if the certificates were updated.
diff --git a/usr.sbin/acme-client/parse.h b/usr.sbin/acme-client/parse.h
index b584e8246c0..d3ba88062f5 100644
--- a/usr.sbin/acme-client/parse.h
+++ b/usr.sbin/acme-client/parse.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.h,v 1.5 2017/01/21 08:55:09 florian Exp $ */
+/* $OpenBSD: parse.h,v 1.6 2017/01/21 09:00:29 benno Exp $ */
 /*
  * Copyright (c) 2016 Sebastian Benoit <benno@openbsd.org>
  *
@@ -43,6 +43,7 @@ struct domain_c {
 	char *key;
 	char *cert;
 	char *chain;
+	char *fullchain;
 	char *auth;
 	char *challengedir;
 };
diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y
index 87ded96a946..b48764abfec 100644
--- a/usr.sbin/acme-client/parse.y
+++ b/usr.sbin/acme-client/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.8 2017/01/21 08:55:09 florian Exp $ */
+/* $OpenBSD: parse.y,v 1.9 2017/01/21 09:00:29 benno Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
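Review bot: The relative name computed for fullchainfile assumes certdir matches at the start of domain->fullchain, but `strstr` accepts a match anywhere in the string, so a certdir that occurs later in the path makes `domain->fullchain + strlen(certdir)` point into the middle of the path rather than at the file name under certdir. A prefix test states the intent and closes that gap: `if (strncmp(domain->fullchain, certdir, strlen(certdir)) == 0)`, ideally also requiring the next character to be '/' so that a directory whose name merely begins with certdir is not mistaken for it. The certfile and chainfile blocks just above this hunk appear to use the same pattern, so the fix belongs in all three. Minor style: `if(domain->fullchain != NULL)` is missing the space KNF puts after `if`. main's body starts and ends outside this hunk.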
@@ -93,7 +93,7 @@ typedef struct {
 %}
 
 %token AUTHORITY AGREEMENT URL API ACCOUNT
-%token DOMAIN ALTERNATIVE NAMES CERT CHAIN KEY SIGN WITH CHALLENGEDIR
+%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR
 %token YES NO
 %token INCLUDE
 %token ERROR
@@ -300,6 +300,21 @@ domainoptsl : ALTERNATIVE NAMES '{' altname_l '}'
 			}
 			domain->chain = s;
 		}
+		| DOMAIN FULL CHAIN CERT STRING {
+			char *s;
+			if (domain->fullchain != NULL) {
+				yyerror("duplicate chain");
+				YYERROR;
+			}
+			if ((s = strdup($5)) == NULL)
+				err(EXIT_FAILURE, "strdup");
+			if ((conf_new_keyfile(conf, s)) == NULL) {
+				free(s);
+				yyerror("domain full chain file already used");
+				YYERROR;
+			}
+			domain->fullchain = s;
+		}
 		| SIGN WITH STRING {
 			char *s;
 			if (domain->auth != NULL) {
@@ -395,6 +410,7 @@ lookup(char *s)
 		{"chain", CHAIN},
 		{"challengedir", CHALLENGEDIR},
 		{"domain", DOMAIN},
+		{"full", FULL},
 		{"include", INCLUDE},
 		{"key", KEY},
 		{"names", NAMES},
@@ -970,6 +986,9 @@ print_config(struct acme_conf *xconf)
 			printf("\tdomain certificate \"%s\"\n", d->cert);
 		if (d->chain != NULL)
 			printf("\tdomain certificate chain \"%s\"\n", d->chain);
+		if (d->fullchain != NULL)
+			printf("\tdomain full certificate chain \"%s\"\n",
+			    d->fullchain);
 		if (d->auth != NULL)
 			printf("\tsign with \"%s\"\n", d->auth);
 		if (d->challengedir != NULL)
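Review bot: The duplicate check in the new `DOMAIN FULL CHAIN CERT STRING` rule reports `yyerror("duplicate chain");`, which is the message of the plain chain rule above it, so a user who sets both options twice cannot tell which one the parser is complaining about; it should read `yyerror("duplicate full chain");`, matching the "domain full chain file already used" message a few lines below. In the print_config hunk the new line emits `domain full certificate chain`, whereas the grammar and the manual page accept `domain full chain certificate`; this follows the word order of the existing chain line, but if print_config output is meant to be re-parseable, `"\tdomain full certificate chain \"%s\"\n"` should become `"\tdomain full chain certificate \"%s\"\n"` (and the chain line fixed alongside it). The domainoptsl rule list and print_config both start and end outside these hunks.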