Commit f62a01ad authored by Vincent Pelletier's avatar Vincent Pelletier

shell: Embed openssl configuration file.

Also, remove irrelevant key usage extension, as during certificate renewal
the extensions of the existing certificate are used, not the ones of the
certificate signing request.
parent ef3ecfec
...@@ -342,10 +342,23 @@ renewCertificate () { ...@@ -342,10 +342,23 @@ renewCertificate () {
# If created, key file permissions will be set so group and other have no # If created, key file permissions will be set so group and other have no
# access. # access.
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local url="$1" oldkey="$2" bits="$3" newcrt="$4" newkey="$5" local url="$1" oldkey="$2" bits="$3" newcrt="$4" newkey="$5" emptyreqcnf
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local newkeydata newcrtdata local newkeydata newcrtdata
emptyreqcnf="$(mktemp --suffix=emptyreq.cnf)"
cat > "$emptyreqcnf" << EOF
[ req ]
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
CN = Common Name
[ v3_req ]
basicConstraints = CA:FALSE
EOF
newkeydata="$( newkeydata="$(
openssl genpkey \ openssl genpkey \
-algorithm rsa \ -algorithm rsa \
...@@ -361,7 +374,7 @@ renewCertificate () { ...@@ -361,7 +374,7 @@ renewCertificate () {
-new \ -new \
-key - \ -key - \
-subj "/CN=dummy" \ -subj "/CN=dummy" \
-config emptyreq.cnf \ -config "$emptyreqcnf" \
| str2json | str2json
)" \ )" \
| wrap "$oldkey" "sha256" \ | wrap "$oldkey" "sha256" \
...@@ -376,6 +389,7 @@ renewCertificate () { ...@@ -376,6 +389,7 @@ renewCertificate () {
]; then ]; then
if checkCertificateMatchesKey "$newcrtdata" "$newkeydata"; then if checkCertificateMatchesKey "$newcrtdata" "$newkeydata"; then
writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata" writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata"
rm "$emptyreqcnf"
return 0 return 0
fi fi
printf "Certificate does not match private key\\n" >&2 printf "Certificate does not match private key\\n" >&2
...@@ -383,6 +397,7 @@ renewCertificate () { ...@@ -383,6 +397,7 @@ renewCertificate () {
printf "%s" "$newcrtdata" >&2 printf "%s" "$newcrtdata" >&2
fi fi
fi fi
rm "$emptyreqcnf"
return 1 return 1
} }
......
[ req ]
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment