openssl dgst -sha256 -hex] end]
}
+proc hack-openssl-dn {out} {
+ ## Convert OpenSSL's hopeless output into a DN.
+
+ if {[regexp {^subject=\s*(/.*)$} $out -> dn]} { return $dn }
+ if {[regexp {^subject=(.*)$} $out -> t]} {
+ set t [regsub {^(\w+) = } $t {/\1=}]
+ set t [regsub -all {, (\w+) = } $t {/\1=}]
+ return $t
+ }
+}
+
proc req-dn {file} {
## Return the distinguished name from the certificate request in FILE.
- regexp {^subject=\s*(/.*)$} \
- [exec openssl req -in $file -noout -subject] \
- -> dn
- return $dn
+ return [hack-openssl-dn [exec openssl req -in $file -noout -subject]]
}
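Review bot: hack-openssl-dn falls through both regexp branches without a return when the subject line matches neither form, so a Tcl proc returns the empty string and req-dn (and cert-dn in the next hunk) silently yields "" as a distinguished name rather than failing. Add `error "unrecognised subject line: $out"` as the last statement of the proc so an unexpected OpenSSL output format is reported instead of producing an empty DN that later comparisons may accept. The second branch also splits the new-style output on every `, ATTR = ` sequence, which presumably mangles a value that itself contains such text; a comment noting that the conversion is heuristic and depends on OpenSSL's default name formatting would help the next maintainer.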
proc cert-key-hash {file} {
proc cert-dn {file} {
## Return the distinguished name from the certificate in FILE.
- regexp {^subject=\s*(/.*)$} \
- [exec openssl x509 -in $file -noout -subject] \
- -> dn
- return $dn
+ return [hack-openssl-dn [exec openssl x509 -in $file -noout -subject]]
}
proc cert-seq {file} {
}
###--------------------------------------------------------------------------
+### Generating the root key.
+
+proc generate-root-key {} {
+ global C
+
+ set subject ""
+ foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
+ exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
+ -text -out "ca.cert" -keyout "private/ca.key" \
+ -new -x509 -days $C(ca-period) \
+ -subj $subject
+ file attributes "private/ca.key" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0640
+ file attributes "ca.cert" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0644
+}
+
+###--------------------------------------------------------------------------
### Certificate requests.
proc request-match {reqid cond} {
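Review bot: generate-root-key builds the -subj string by appending raw config values (`append subject "/$attr=$value"`), so a value in C(ca-name) containing `/` or `\` is read by OpenSSL as an RDN separator or escape and yields a different subject than configured. Escape those characters before appending, e.g. `append subject "/$attr=[string map {\\ \\\\ / \\/} $value]"`. Separately, "private/ca.key" is written by openssl under the process umask and only afterwards tightened to 0640 with `file attributes`, so unless the umask is already restrictive there is a short window where the key is readable more widely; that would be worth a comment or a check of the umask before the exec.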