author | Stuart Henderson <sthen@cvs.openbsd.org> | 2017-01-31 21:35:08 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2017-01-31 21:35:08 +0000 |
commit | ac15ef98d977aa26e73597fd839f6510d2fafaee (patch) | |
tree | a297bd731a96ee99c8915ea131b7afe387d9d3c5 /usr.sbin | |
parent | 46189931c2f1b8bfb57bafaeb4c7b9b475b41a6c (diff) |
Teach ikectl to include extensions in the CSR, rather than just adding them
when signing the certificates by the local CA. This can make things easier if
you want to take a CSR from ikectl to another CA for signing, since they often copy
extensions from the request. ok reyk@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ikectl/ikeca.c | 40 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikeca.cnf | 3 |
2 files changed, 27 insertions, 16 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 401771560e9..2f1144bce81 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.40 2015/11/02 12:21:27 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.41 2017/01/31 21:35:07 sthen Exp $ */
 
 /*
 * Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -101,11 +101,12 @@ const char *ca_env[][2] = {
 { "$ENV::CERT_ST", NULL },
 { "$ENV::EXTCERTUSAGE", NULL },
 { "$ENV::NSCERTTYPE", NULL },
+ { "$ENV::REQ_EXT", NULL },
 { NULL }
 };
 
 int ca_sign(struct ca *, char *, int);
-int ca_request(struct ca *, char *);
+int ca_request(struct ca *, char *, int);
 void ca_newpass(char *, char *);
 char *ca_readpass(char *, size_t *);
 int fcopy(char *, char *, mode_t);
@@ -198,12 +199,32 @@ ca_delkey(struct ca *ca, char *keyname)
 }
 
 int
-ca_request(struct ca *ca, char *keyname)
+ca_request(struct ca *ca, char *keyname, int type)
 {
 char cmd[PATH_MAX * 2];
+ char hostname[HOST_NAME_MAX+1];
+ char name[128];
 char path[PATH_MAX];
 
 ca_setenv("$ENV::CERT_CN", keyname);
+
+ strlcpy(name, keyname, sizeof(name));
+
+ if (type == HOST_IPADDR) {
+ ca_setenv("$ENV::CERTIP", name);
+ ca_setenv("$ENV::REQ_EXT", "x509v3_IPAddr");
+ } else if (type == HOST_FQDN) {
+ if (!strcmp(keyname, "local")) {
+ if (gethostname(hostname, sizeof(hostname)))
+ err(1, "gethostname");
+ strlcpy(name, hostname, sizeof(name));
+ }
+ ca_setenv("$ENV::CERTFQDN", name);
+ ca_setenv("$ENV::REQ_EXT", "x509v3_FQDN");
+ } else {
+ errx(1, "unknown host type %d", type);
+ }
+
 ca_setcnf(ca, keyname);
 
 snprintf(path, sizeof(path), "%s/private/%s.csr", ca->sslpath, keyname);
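Review bot: The return value of `strlcpy(name, keyname, sizeof(name))` in the new ca_request body is not checked, so a keyname longer than 127 bytes is silently truncated into `name` while the full keyname is still exported as `$ENV::CERT_CN`, which would yield a CSR whose CN and IP/FQDN extension value disagree; the `strlcpy(name, hostname, sizeof(name))` copy in the `local` branch has the same gap. Failing closed is a one-liner: `if (strlcpy(name, keyname, sizeof(name)) >= sizeof(name)) errx(1, "name too long: %s", keyname);`. The type-to-section mapping (`x509v3_IPAddr`/`x509v3_FQDN`) is now written here and again in ca_sign's `extensions` assignment in the next hunk, so the two can drift; a small shared helper returning the section name would keep them in step. ca_request's body continues past the end of the hunk.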
@@ -222,22 +243,11 @@ int
 ca_sign(struct ca *ca, char *keyname, int type)
 {
 char cmd[PATH_MAX * 2];
- char hostname[HOST_NAME_MAX+1];
- char name[128];
 const char *extensions = NULL;
 
- strlcpy(name, keyname, sizeof(name));
-
 if (type == HOST_IPADDR) {
- ca_setenv("$ENV::CERTIP", name);
 extensions = "x509v3_IPAddr";
 } else if (type == HOST_FQDN) {
- if (!strcmp(keyname, "local")) {
- if (gethostname(hostname, sizeof(hostname)))
- err(1, "gethostname");
- strlcpy(name, hostname, sizeof(name));
- }
- ca_setenv("$ENV::CERTFQDN", name);
 extensions = "x509v3_FQDN";
 } else {
 errx(1, "unknown host type %d", type);
@@ -294,7 +304,7 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
 }
 
 ca_key_create(ca, keyname);
- ca_request(ca, keyname);
+ ca_request(ca, keyname, type);
 ca_sign(ca, keyname, type);
 
 return (0);
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index e884090b442..47207ac7df0 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.8 2015/11/02 12:21:27 jsg Exp $
+# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $
 
 CERT_C = DE
 CERT_ST = Lower Saxony
@@ -24,6 +24,7 @@ NSCERTTYPE = server,client
 #default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 #attributes = req_attributes
+req_extensions = $ENV::REQ_EXT
 
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
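Review bot: `req_extensions = $ENV::REQ_EXT` makes that variable mandatory for every `openssl req` run against this template, because OpenSSL's config parser rejects a reference to a variable that has no value. ca_request sets it on both handled paths, but if any other path in ikeca.c runs `openssl req` with this configuration without going through ca_request, that invocation would now fail at config load; I cannot tell from the visible hunks whether such a path exists, so this is worth confirming. A short comment above the line would also help the next reader, e.g. `# set by ikectl (ca_request): x509v3_IPAddr or x509v3_FQDN`.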