authorErich Eckner <git@eckner.net>2019-08-29 11:13:36 +0200
committerErich Eckner <git@eckner.net>2019-08-29 11:13:36 +0200
commit3c5f739b6d6d86ecb86cf88834b95a8929771c8f (patch)
treebfbc74404da56bd568e46281f67756db5abb8aac /sign-request.in
parentef01a84a94041987cb952bb1313d33e338818fc4 (diff)
downloadsimple-pki-3c5f739b6d6d86ecb86cf88834b95a8929771c8f.tar.xz
ca stuff done
Diffstat (limited to 'sign-request.in')
-rwxr-xr-xsign-request.in103
1 files changed, 103 insertions, 0 deletions
diff --git a/sign-request.in b/sign-request.in
new file mode 100755
index 0000000..f70c99a
--- /dev/null
+++ b/sign-request.in
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+key_dir='#ETCDIR#/simple-pki/keys'
+
+if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
+ . '#ETCDIR#/simple-pki/ca.conf'
+fi
+
+cd "${0%/*}"
+
+remove_leading_spaces() {
+ sed '
+ s/^ \{'"$1"'\}//
+ t
+ d
+ '
+}
+
+tmp_dir=$(mktemp -d)
+trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT
+
+while read -r csr; do
+ csr_local="${tmp_dir}/${csr##*/}"
+ curl -Ss "${csr}" -o "${csr_local}"
+ if ! content=$(
+ openssl req -text -noout -verify -in "${csr_local}" 2>/dev/null
+ ); then
+ rm "${csr_local}"
+ continue
+ fi
+ content=$(
+ printf '%s\n' "${content}" \
+ | sed -n '
+ /^Certificate Request:$/,/^\S/p
+ ' \
+ | remove_leading_spaces 4 \
+ | sed -n '
+ /^Data:$/,/^\S/p
+ ' \
+ | remove_leading_spaces 4
+ )
+ cn=$(
+ printf '%s\n' "${content}" \
+ | sed '
+ s/^Subject: //
+ t
+ d
+ ' \
+ | tr -d ' ' \
+ | tr ',' '/'
+ )
+ if [ -n "${cn#${ca_subject_prefix}/CN=*/}" ]; then
+ continue
+ fi
+ cn="${cn#${ca_subject_prefix}/CN=}"
+ cn="${cn%/}"
+ sans=$(
+ printf '%s\n' "${content}" \
+ | sed -n '
+ /^Requested Extensions:$/,/^\S/ p
+ ' \
+ | remove_leading_spaces 4 \
+ | sed -n '
+ /^X\S\+ Subject Alternative Name:\s*$/,/^\S/ p
+ ' \
+ | remove_leading_spaces 4 \
+ | sed '
+ s/, /\n/g
+ '
+ )
+ if printf '%s\n' "${sans}" | grep -vq '^\(DNS\|IP\):'; then
+ continue
+ fi
+ sans=$(
+ printf '%s\n' "${sans}" \
+ | sed '
+ s/^\(DNS\|IP\)://
+ '
+ )
+ ok_sans=$(
+ printf '%s\n' "${cn}" "${sans}" \
+ | while read -r san; do
+ if ! curl -Ss --insecure 'https://'"${san}/${csr#*//*/}" \
+ | diff -q - "${csr_local}"; then
+ rm "${csr_local}"
+ break
+ fi
+ printf '%s\n' "${san}"
+ done
+ )
+ if [ ! -f "${csr_local}" ]; then
+ continue
+ fi
+ if [ "$(printf '%s\n' "${cn}" "${sans}")" != "${ok_sans}" ]; then
+ rm "${csr_local}"
+ continue
+ fi
+ openssl req -x509 -key "${key_dir}/${ca_name}.key" -in "${csr_local}" -out "${csr_local%.csr}.crt" -addext 'basicConstraints = critical, CA:false'
+ rm "${csr_local}"
+done
+
+cd "${tmp_dir}"
+tar -czf - *
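Review bot: The issuing step on the `openssl req -x509 -key "${key_dir}/${ca_name}.key" -in "${csr_local}" ...` line does not carry the SANs the loop just validated into the certificate: `req` does not copy extensions from the request unless `-copy_extensions copy` is given, the only `-addext` is basicConstraints, and with no `-days` the default validity (30 days) applies. `req -x509` is also a self-signed-certificate path rather than a CA signing path, so depending on the OpenSSL version the output may carry the signing key's public key and no issuer tied to a CA certificate; the usual form would be `openssl x509 -req -in "${csr_local}" -CA <CA_CERT_PATH> -CAkey "${key_dir}/${ca_name}.key" -CAcreateserial -days <VALIDITY_DAYS> -extfile <EXT_FILE> -out "${csr_local%.csr}.crt"` with the validated CN and SANs written into the ext file (paths are placeholders, the CA certificate location is not on the page). Separately, the SAN filter `grep -vq '^\(DNS\|IP\):'` only checks the prefix, so each value is interpolated into `'https://'"${san}/..."` without being checked against a hostname/IP character set; a `[[ "$san" =~ ^[A-Za-z0-9.:-]+$ ]] || { rm "${csr_local}"; break; }` guard before the curl would bound what reaches the URL. The first `curl -Ss "${csr}"` likewise fetches whatever scheme stdin supplies; adding `--proto =https` and a `--max-filesize` bound is cheap if that input is not fully trusted.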