easy-rsa/6436eaf.patch
Stefan Jakobs 7d41c58ae5 Accepting request 511298 from home:oreinert:branches:network:vpn
Include upstream patches:
 + Add CN as SAN (if none requested) on server certs by default
 + Moved @ValdikSS's serial randomization to sign_req

OBS-URL: https://build.opensuse.org/request/show/511298
OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=8
2017-07-24 19:37:33 +00:00


commit 6436eaf8c1e5e3c44d23c1c7a0a5fef14f19d375
Author: Martin Schmitt <mas@scsy.de>
Date: Fri Jun 30 16:12:13 2017 +0200
Add CN as SAN (if none requested) on server certs by default
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 088faeb..f5ec797 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -627,6 +627,15 @@ $(display_dn req "$req_in")
esac
fi
+ # If type is server and no subjectAltName was requested,
+ # add one to the extensions file
+ if [[ "$crt_type" == 'server' ]]
+ then
+ echo "$EASYRSA_EXTRA_EXTS" |
+ grep -q subjectAltName ||
+ print $(default_server_san "$req_in")
+ fi
+
# Add any advanced extensions supplied by env-var:
[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
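Review bot: The command substitution on the `print $(default_server_san "$req_in")` line is unquoted, so the generated `subjectAltName = DNS:<cn>` text is word-split and glob-expanded before `print` sees it; a wildcard CN such as `*.example.com` would be matched against files in the current directory. Quote it as `print "$(default_server_san "$req_in")"`, matching the quoted `print "$EASYRSA_EXTRA_EXTS"` two lines below. The `||` form also presumably emits an empty line into the extensions stanza whenever the helper produces no output, so it is worth checking the helper's result before printing it. The enclosing function starts before this hunk.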
@@ -923,6 +932,22 @@ display_dn() {
print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
} # => display_dn()
+# generate default SAN from req/X509, passed by full pathname
+default_server_san() {
+ local path="$1"
+ local cn=$(
+ "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline |
+ awk -F'=' '/^ *CN=/{print $2}'
+ )
+ echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
+ if [[ $? -eq 0 ]]
+ then
+ print "subjectAltName = IP:$cn"
+ else
+ print "subjectAltName = DNS:$cn"
+ fi
+} # => default_server_san()
+
# verify a file seems to be a valid req/X509
verify_file() {
local format="$1" path="$2"
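Review bot: default_server_san copies the request's CN into the CA's openssl extensions stanza without any check: `local cn=$(…)` discards openssl's exit status, so an unreadable request yields `subjectAltName = DNS:` rather than an error, and since the comma separates subjectAltName values in that stanza a CN containing `,IP:…` or `,DNS:…` would, as far as I can tell, add extra names that the signer never asked for. `\d` is not a POSIX ERE class, so the `egrep -q` test does not recognise a dotted quad on GNU grep and such a CN is emitted as `DNS:` instead of `IP:` (`egrep` itself is deprecated in favour of `grep -E`); `awk -F'='` additionally truncates a CN that contains `=`. A rewrite that checks the openssl status, rejects an empty or comma-bearing CN and uses `[0-9]` for the IP test is below.
```shell
default_server_san() {
	local path="$1" subject cn
	# keep openssl's status: a failed read must not become an empty SAN
	subject=$("$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline,esc_ctrl) || return 1
	cn=$(printf '%s\n' "$subject" | awk '/^ *CN=/{sub(/^ *CN=/, ""); print; exit}')
	case "$cn" in
		'')  printf '%s\n' "Cannot derive subjectAltName: request has no CN" >&2; return 1 ;;
		*,*) printf '%s\n' "Cannot derive subjectAltName from CN '$cn'" >&2; return 1 ;;
	esac
	if printf '%s\n' "$cn" | grep -E -q '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
	then
		print "subjectAltName = IP:$cn"
	else
		print "subjectAltName = DNS:$cn"
	fi
} # => default_server_san()
```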