Diffstat (limited to 'sign-request')
-rwxr-xr-x | sign-request | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/sign-request b/sign-request
new file mode 100755
index 0000000..cf3442e
--- /dev/null
+++ b/sign-request
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+cd "${0%/*}"
+
+remove_leading_spaces() {
+ sed '
+ s/^ \{'"$1"'\}//
+ t
+ d
+ '
+}
+
+tmp_dir=$(mktemp -d)
+trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT
+
+while read -r csr; do
+ csr_local="${tmp_dir}/${csr##*/}"
+ curl -Ss "${csr}" -o "${csr_local}"
+ if ! content=$(
+ openssl req -text -noout -verify -in "${csr_local}" 2>/dev/null
+ ); then
+ rm "${csr_local}"
+ continue
+ fi
+ content=$(
+ printf '%s\n' "${content}" \
+ | sed -n '
+ /^Certificate Request:$/,/^\S/p
+ ' \
+ | remove_leading_spaces 4 \
+ | sed -n '
+ /^Data:$/,/^\S/p
+ ' \
+ | remove_leading_spaces 4
+ )
+ cn=$(
+ printf '%s\n' "${content}" \
+ | sed '
+ s/^Subject: .*, CN = \(\S\+\)$/\1/
+ t
+ d
+ '
+ )
+ sans=$(
+ printf '%s\n' "${content}" \
+ | sed -n '
+ /^Requested Extensions:$/,/^\S/ p
+ ' \
+ | remove_leading_spaces 4 \
+ | sed -n '
+ /^X\S\+ Subject Alternative Name:\s*$/,/^\S/ p
+ ' \
+ | remove_leading_spaces 4 \
+ | sed '
+ s/, /\n/g
+ '
+ )
+ if printf '%s\n' "${sans}" | grep -vq '^\(DNS\|IP\):'; then
+ continue
+ fi
+ sans=$(
+ printf '%s\n' "${sans}" \
+ | sed '
+ s/^\(DNS\|IP\)://
+ '
+ )
+ ok_sans=$(
+ printf '%s\n' "${cn}" "${sans}" \
+ | while read -r san; do
+ if ! curl -Ss --insecure 'https://'"${san}/${csr#*//*/}" \
+ | diff -q - "${csr_local}"; then
+ rm "${csr_local}"
+ break
+ fi
+ printf '%s\n' "${san}"
+ done
+ )
+ if [ ! -f "${csr_local}" ]; then
+ continue
+ fi
+ if [ "$(printf '%s\n' "${cn}" "${sans}")" != "${ok_sans}" ]; then
+ rm "${csr_local}"
+ continue
+ fi
+ openssl req -x509 -key eckner-ca.key -in "${csr_local}" -out "${csr_local%.csr}.crt" -addext 'basicConstraints = critical, CA:false'
+ rm "${csr_local}"
+done
+
+cd "${tmp_dir}"
+tar -czf - * |
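Review bot: The unchecked `tmp_dir=$(mktemp -d)` together with the unguarded final `cd "${tmp_dir}"` leaves a path where the closing `tar -czf - *` packages the script's own directory — the one holding `eckner-ca.key` — rather than the temp directory: if mktemp fails, `tmp_dir` is empty, the `cd` does not move anywhere, and the archive written to stdout contains the CA private key. Guard both steps, `tmp_dir=$(mktemp -d) || exit 1` and `cd "${tmp_dir}" || exit 1` (or drop the `cd` and write `tar -czf - -C "${tmp_dir}" .`), and give the opening `cd "${0%/*}"` the same `|| exit 1`, since without it the key lookup and all file writes silently happen in the caller's cwd when the script is invoked without a path component. Separately, the signing line `openssl req -x509 -key eckner-ca.key -in … -addext …` passes neither `-copy_extensions copy` nor a `-CA`/`-CAkey` pair, so unless the installed OpenSSL defaults differ from the documented ones the SANs that the loop carefully validated are not carried into the issued certificate and the issuer name is taken from the request instead of the CA — worth confirming on the target OpenSSL version before relying on the SAN check. The `--insecure` in the ownership probe is unavoidable before a certificate exists, but a comment such as `# --insecure: the cert is not issued yet, so this is a content-match check over an unauthenticated channel, not a TLS identity check` would make the trust assumption explicit for the next reader.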