#!/bin/bash
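# Load site settings when the configuration file is readable. The later
# arithmetic reads ca_min_duration, which is presumably defined there -- confirm.
if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
  . '#ETCDIR#/simple-pki/ca.conf'
fi

# Work from the directory that holds this script. dirname yields "." when $0
# carries no slash (where "${0%/*}" would yield the script name itself), and a
# failed cd stops the run instead of continuing in an unexpected directory.
cd -- "$(dirname -- "$0")" || exit 1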
#######################################
# Strip a fixed amount of indentation from the text on stdin.
# Arguments: $1 - number of leading spaces to remove
# Outputs:   every line that starts with at least $1 spaces, with exactly
#            that many removed; all other lines are dropped
#######################################
remove_leading_spaces() {
  local -r width=$1
  # -n plus the p flag prints only the lines on which the substitution matched.
  sed -n "s/^ \{${width}\}//p"
}
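# CA_TYPE and CA are exported so child processes can read them
# (presumably the openssl configuration used for signing -- confirm).
export CA_TYPE='Intermediate'

# Select signing-ca.old while the old root certificate file exists and was
# modified no more than ca_min_duration days ago; otherwise use signing-ca.
# ca_min_duration is not assigned in this script; an unset value counts as 0
# in the arithmetic expansion.
if [ -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
  && [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -ge "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
  export CA=signing-ca.old
else
  export CA=signing-ca
fi

# Private scratch directory for downloaded requests and issued certificates.
# Stop if it cannot be created: with an empty tmp_dir, every path built from
# it would resolve directly under "/".
tmp_dir=$(mktemp -d) || {
  >&2 echo 'cannot create temporary directory'
  exit 1
}
# Remove the scratch directory on every exit path.
trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT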
# Main loop: one CSR URL per line on stdin. Each request is downloaded,
# verified, checked name by name, and then signed. Every failed check logs to
# stderr, removes the local copy and moves on to the next URL.
while read -r csr; do
# The local copy is named after the text following the last "/" of the URL.
# NOTE(review): that name is taken from the input line as-is and later becomes
# the name of the .crt/.chain output files; confirm the URL list is trusted.
csr_local="${tmp_dir}/${csr##*/}"
# NOTE(review): --insecure disables TLS certificate verification, and curl's
# exit status is not checked; a failed download is only noticed when the
# openssl verify step below cannot use the file.
curl --connect-timeout 10 -Ss --insecure "${csr}" -o "${csr_local}"
# Verify the request's self-signature and capture its text dump (stderr is
# discarded). A request that does not verify is dropped.
if ! content=$(
openssl req -text -noout -verify -in "${csr_local}" 2>/dev/null
); then
>&2 printf 'verify of %s failed - skipping\n' "${csr_local##*/}"
rm "${csr_local}"
continue
fi
# Narrow the dump to the body of "Certificate Request:" -> "Data:", removing
# four columns of indentation per level. remove_leading_spaces also drops the
# unindented section header and terminator lines.
content=$(
printf '%s\n' "${content}" \
| sed -n '
/^Certificate Request:$/,/^\S/p
' \
| remove_leading_spaces 4 \
| sed -n '
/^Data:$/,/^\S/p
' \
| remove_leading_spaces 4
)
# Extract the common name: take the "Subject:" line, delete all spaces, turn
# commas into slashes, then cut everything up to and including "/CN=".
# NOTE(review): this leaves extra text in cn when CN is the first or not the
# last subject component -- verify against the subjects actually in use.
cn=$(
printf '%s\n' "${content}" \
| sed '
s/^Subject: //
t
d
' \
| tr -d ' ' \
| tr ',' '/' \
| sed 's@^.*/CN=@@'
)
# Extract the Subject Alternative Name entries from "Requested Extensions:",
# one entry per line (the ", " separators are turned into newlines).
sans=$(
printf '%s\n' "${content}" \
| sed -n '
/^Requested Extensions:$/,/^\S/ p
' \
| remove_leading_spaces 4 \
| sed -n '
/^X\S\+ Subject Alternative Name:\s*$/,/^\S/ p
' \
| remove_leading_spaces 4 \
| sed '
s/, /\n/g
'
)
# Reject the request if any line is not a "DNS:" or "IP:" entry. An empty SAN
# list produces one empty line here and is therefore rejected as well.
# NOTE(review): openssl's text output commonly labels IP entries
# "IP Address:", which this pattern would reject -- verify with the openssl
# version in use.
if printf '%s\n' "${sans}" | grep -vq '^\(DNS\|IP\):'; then
>&2 echo 'invalid sans - skipping'
rm "${csr_local}"
continue
fi
# Drop the "DNS:" / "IP:" type prefix, leaving bare names.
sans=$(
printf '%s\n' "${sans}" \
| sed '
s/^\(DNS\|IP\)://
'
)
# Name check: for the CN and every SAN, fetch the same path from that name
# (scheme and path taken from the original URL) and require the response to be
# identical to the downloaded CSR. Names that pass are printed and collected
# in ok_sans. The loop runs inside the command substitution, so it signals a
# failure to the outer loop by deleting the local CSR.
# NOTE(review): with --insecure, and with the scheme supplied by the input
# URL, this check does not authenticate the host that answers for a name;
# confirm that this trust model is acceptable for the deployment.
ok_sans=$(
printf '%s\n' "${cn}" "${sans}" \
| while read -r san; do
if ! curl --connect-timeout 10 -Ss --insecure "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
| diff -q - "${csr_local}"; then
>&2 printf 'invalid san "%s" - skipping\n' "${san}"
rm "${csr_local}"
break
fi
printf '%s\n' "${san}"
done
)
# A missing local CSR means the name check above failed.
if [ ! -f "${csr_local}" ]; then
continue
fi
# Second guard: the list of names that passed must equal the full list.
if [ "$(printf '%s\n' "${cn}" "${sans}")" != "${ok_sans}" ]; then
>&2 echo 'some san was invalid - skipping'
rm "${csr_local}"
continue
fi
# Sign non-interactively with the signing_ca section of ca-ssl.conf, applying
# the server_ext extensions. A failed signing removes both request and output.
if ! openssl ca -batch -name signing_ca \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-in "${csr_local}" \
-out "${csr_local%.csr}.crt" \
-extensions server_ext; then
>&2 echo 'signing failed - skipping'
rm -f "${csr_local}" "${csr_local%.csr}.crt"
continue
fi
# Build the chain file: issued certificate, signing CA, root CA.
# NOTE(review): the chain always uses signing-ca.crt and root-ca.crt, whichever
# value CA was set to earlier -- confirm this matches the CA that signed.
cat "${csr_local%.csr}.crt" '#ETCDIR#/simple-pki/ca/signing-ca.crt' '#ETCDIR#/simple-pki/ca/root-ca.crt' \
> "${csr_local%.csr}.chain"
# The request itself is not part of the output.
rm "${csr_local}"
done
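# Write all issued certificates and chain files to stdout as a gzip-compressed
# tar archive. Stop if the scratch directory cannot be entered, so the globs
# below are never expanded in some other directory.
cd "${tmp_dir}" || exit 1
# "--" ends option parsing: the file names derive from the input URLs, and a
# name beginning with "-" must be treated as a file, not as a tar option.
tar -czf - -- *.crt *.chain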