Olav Reinert
c80756a98c
* spec-cleaner -i easy-rsa.spec * osc service localrun download_files OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=11
From 6436eaf8c1e5e3c44d23c1c7a0a5fef14f19d375 Mon Sep 17 00:00:00 2001
|
|
From: Martin Schmitt <mas@scsy.de>
|
|
Date: Fri, 30 Jun 2017 16:12:13 +0200
|
|
Subject: [PATCH] Add CN as SAN (if none requested) on server certs by default
|
|
|
|
---
|
|
easyrsa3/easyrsa | 25 +++++++++++++++++++++++++
|
|
1 file changed, 25 insertions(+)
|
|
|
|
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
|
|
index 088faeb..f5ec797 100755
|
|
--- a/easyrsa3/easyrsa
|
|
+++ b/easyrsa3/easyrsa
|
|
@@ -627,6 +627,15 @@ $(display_dn req "$req_in")
|
|
esac
|
|
fi
|
|
|
|
+ # If type is server and no subjectAltName was requested,
|
|
+ # add one to the extensions file
|
|
+ if [[ "$crt_type" == 'server' ]]
|
|
+ then
|
|
+ echo "$EASYRSA_EXTRA_EXTS" |
|
|
+ grep -q subjectAltName ||
|
|
+ print $(default_server_san "$req_in")
|
|
+ fi
|
|
+
|
|
# Add any advanced extensions supplied by env-var:
|
|
[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
|
|
|
|
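Review bot: The command substitution in `print $(default_server_san "$req_in")` is unquoted, so the generated line is word-split and subject to pathname expansion before `print` receives it; a wildcard CN such as `*.example.com` puts a glob character into that output. Quote it: `print "$(default_server_san "$req_in")"`. The new test also uses `[[ … ]]` while the context line just below uses `[ -n … ]`; if the script is meant to run under a plain POSIX sh (not visible from this hunk), `[ "$crt_type" = 'server' ]` would match the surrounding style. The enclosing function begins and ends outside the hunk.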
@@ -923,6 +932,22 @@ display_dn() {
|
|
print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
|
|
} # => display_dn()
|
|
|
|
+# generate default SAN from req/X509, passed by full pathname
|
|
+default_server_san() {
|
|
+ local path="$1"
|
|
+ local cn=$(
|
|
+ "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline |
|
|
+ awk -F'=' '/^ *CN=/{print $2}'
|
|
+ )
|
|
+ echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
|
|
+ if [[ $? -eq 0 ]]
|
|
+ then
|
|
+ print "subjectAltName = IP:$cn"
|
|
+ else
|
|
+ print "subjectAltName = DNS:$cn"
|
|
+ fi
|
|
+} # => default_server_san()
|
|
+
|
|
# verify a file seems to be a valid req/X509
|
|
verify_file() {
|
|
local format="$1" path="$2"
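Review bot: The IP test in `default_server_san` uses `\d`, which POSIX extended regular expressions (and so `egrep`) do not define as a digit class, so a dotted-quad CN will most likely fall through to the `DNS:` branch and the certificate gets a DNS-type SAN that clients checking an IP address will not match; `grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` is the portable form. The CN is also taken from the request and written into the extensions file unchecked: an empty or missing CN yields `subjectAltName = DNS:` with no value, and OpenSSL reads a comma in that value as the start of a further SAN entry, so the signer could end up certifying names that were never shown as a SAN request. I would restrict the CN to hostname and IP characters before using it and return non-zero otherwise, with the caller checking that status. Declaring `cn` separately from its assignment also avoids `local` hiding the substitution's exit status.

```shell
default_server_san() {
	local path="$1" cn
	cn=$(
		# … unchanged: openssl req | awk pipeline …
	)
	# The CN comes from the request: accept only hostname/IP characters so it
	# cannot add further entries to the subjectAltName line.
	case "$cn" in
		''|*[!A-Za-z0-9.*-]*) return 1 ;;
	esac
	if echo "$cn" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
	then
	# … unchanged: the IP: and DNS: print branches …
```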
|