diff options
| author | Jonathan Gray <jsg@cvs.openbsd.org> | 2015-11-02 12:01:29 +0000 |
|---|---|---|
| committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2015-11-02 12:01:29 +0000 |
| commit | b93cd2dfe8a3974854d7d78a5a129de8d8d966bd (patch) | |
| tree | 144a3e7c0ab881ad25a92e44b042ca5d84fb3aaf /usr.sbin/ikectl/ikeca.c | |
| parent | 40d7eafa4e28a2c68adaa06696ca614e43689704 (diff) | |
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file
which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating
the default cnf files with equivalent sections.
Requested by and ok reyk@
Diffstat (limited to 'usr.sbin/ikectl/ikeca.c')
| -rw-r--r-- | usr.sbin/ikectl/ikeca.c | 83 |
1 files changed, 59 insertions, 24 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c index 90ef087e5c3..53d60312c38 100644 --- a/usr.sbin/ikectl/ikeca.c +++ b/usr.sbin/ikectl/ikeca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikeca.c,v 1.38 2015/11/02 10:27:44 jsg Exp $ */ +/* $OpenBSD: ikeca.c,v 1.39 2015/11/02 12:01:28 jsg Exp $ */ /* * Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org> @@ -64,6 +64,8 @@ struct ca { char sslpath[PATH_MAX]; char passfile[PATH_MAX]; + char index[PATH_MAX]; + char serial[PATH_MAX]; char sslcnf[PATH_MAX]; char extcnf[PATH_MAX]; char batch[PATH_MAX]; @@ -85,6 +87,7 @@ struct { /* explicitly list allowed variables */ const char *ca_env[][2] = { { "$ENV::CADB", NULL }, + { "$ENV::CASERIAL", NULL }, { "$ENV::CERTFQDN", NULL }, { "$ENV::CERTIP", NULL }, { "$ENV::CERTPATHLEN", NULL }, @@ -112,6 +115,7 @@ void ca_hier(char *); void ca_setenv(const char *, const char *); void ca_clrenv(void); void ca_setcnf(struct ca *, const char *); +void ca_create_index(struct ca *); /* util.c */ int expand_string(char *, size_t, const char *, const char *); @@ -239,16 +243,23 @@ ca_sign(struct ca *ca, char *keyname, int type) errx(1, "unknown host type %d", type); } + ca_create_index(ca); + + ca_setenv("$ENV::CADB", ca->index); + ca_setenv("$ENV::CASERIAL", ca->serial); ca_setcnf(ca, keyname); - snprintf(cmd, sizeof(cmd), "%s x509 -req" - " -days 365 -in %s/private/%s.csr" - " -CA %s/ca.crt -CAkey %s/private/ca.key -CAcreateserial" + snprintf(cmd, sizeof(cmd), + "%s ca -config %s -keyfile %s/private/ca.key" + " -cert %s/ca.crt" " -extfile %s -extensions %s -out %s/%s.crt" - " -passin file:%s", - PATH_OPENSSL, - ca->sslpath, keyname, ca->sslpath, ca->sslpath, - ca->extcnf, extensions, ca->sslpath, keyname, ca->passfile); + " -in %s/private/%s.csr" + " -passin file:%s -outdir %s -batch", + PATH_OPENSSL, ca->sslcnf, ca->sslpath, + ca->sslpath, + ca->extcnf, extensions, ca->sslpath, keyname, + ca->sslpath, keyname, + ca->passfile, ca->sslpath); system(cmd); @@ -813,14 +824,49 @@ ca_readpass(char *path, size_t *len) return (r); } +/* create index if it doesn't already exist */ +void +ca_create_index(struct ca *ca) +{ + struct stat st; + int fd; + + if (snprintf(ca->index, sizeof(ca->index), "%s/index.txt", + ca->sslpath) < 0) + err(1, "snprintf"); + if (stat(ca->index, &st) != 0) { + if (errno == ENOENT) { + if ((fd = open(ca->index, O_WRONLY | O_CREAT, 0644)) + == -1) + err(1, "could not create file %s", ca->index); + close(fd); + } else + err(1, "could not access %s", ca->index); + } + + if (snprintf(ca->serial, sizeof(ca->serial), "%s/serial.txt", + ca->sslpath) < 0) + err(1, "snprintf"); + if (stat(ca->serial, &st) != 0) { + if (errno == ENOENT) { + if ((fd = open(ca->serial, O_WRONLY | O_CREAT, 0644)) + == -1) + err(1, "could not create file %s", ca->serial); + /* serial file must be created with a number */ + if (write(fd, "01\n", 3) != 3) + err(1, "write %s", ca->serial); + close(fd); + } else + err(1, "could not access %s", ca->serial); + } +} + int ca_revoke(struct ca *ca, char *keyname) { struct stat st; char cmd[PATH_MAX * 2]; char path[PATH_MAX]; - char cadb[PATH_MAX]; - int fd; char *pass; size_t len; @@ -838,19 +884,10 @@ ca_revoke(struct ca *ca, char *keyname) if (pass == NULL) errx(1, "could not open passphrase file"); - /* create index if it doesn't already exist */ - snprintf(path, sizeof(path), "%s/index.txt", ca->sslpath); - if (stat(path, &st) != 0) { - if (errno == ENOENT) { - if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) == -1) - err(1, "could not create file %s", path); - close(fd); - } else - err(1, "could not access %s", path); - } + ca_create_index(ca); - snprintf(cadb, sizeof(cadb), "%s/index.txt", ca->sslpath); - ca_setenv("$ENV::CADB", cadb); + ca_setenv("$ENV::CADB", ca->index); + ca_setenv("$ENV::CASERIAL", ca->serial); ca_setcnf(ca, "ca-revoke"); if (keyname) { @@ -858,7 +895,6 @@ ca_revoke(struct ca *ca, char *keyname) "%s ca %s-config %s -keyfile %s/private/ca.key" " -key %s" " -cert %s/ca.crt" - " -md sha1" " -revoke %s/%s.crt", PATH_OPENSSL, ca->batch, ca->sslcnf, ca->sslpath, pass, ca->sslpath, ca->sslpath, keyname); @@ -870,7 +906,6 @@ ca_revoke(struct ca *ca, char *keyname) " -key %s" " -gencrl" " -cert %s/ca.crt" - " -md sha1" " -crldays 365" " -out %s/ca.crl", PATH_OPENSSL, ca->batch, ca->sslcnf, ca->sslpath, |