X-Git-Url: https://git.distorted.org.uk/~mdw/ca/blobdiff_plain/1fc4577e10fec57c501d95818e3d062abcb280d2..2244ef69ba751fb58c4655f2cd036a675ce96879:/lib/func.tcl

diff --git a/lib/func.tcl b/lib/func.tcl
index 04bd206..3dd35c3 100644
--- a/lib/func.tcl
+++ b/lib/func.tcl
@@ -326,7 +326,7 @@ proc next-matching-date* {pat refvar i} {
       {^\d+$} {
 	## A numeric literal.  If it's within bounds then set it; otherwise
 	## we'll have to start from the beginning.
-	if {$p < $n || $p > $max} { return step }
+	if {$p < $nn || $p > $max} { return step }
 	set nn $p
       }
 
@@ -425,7 +425,7 @@ proc sync-profiles {} {
 	  UPDATE profile SET
 		  extensions = $d(extensions),
 		  issue_time = $d(issue-time),
-		  start_skew = $(start-skew),
+		  start_skew = $d(start-skew),
 		  expire_interval = $d(expire-interval),
 		  tombstone = 0
 	  WHERE label = $p;
@@ -448,37 +448,42 @@ proc sync-profiles {} {
 proc req-key-hash {file} {
   ## Return the key hash from the certificate request in FILE.
 
-  return [exec \
+  return [lindex [exec \
 	      openssl req -in $file -noout -pubkey | \
 	      openssl rsa 2>/dev/null -pubin -outform der | \
-	      openssl dgst -sha256 -hex]
+	      openssl dgst -sha256 -hex] end]
+}
+
+proc hack-openssl-dn {out} {
+  ## Convert OpenSSL's hopeless output into a DN.
+
+  if {[regexp {^subject=\s*(/.*)$} $out -> dn]} { return $dn }
+  if {[regexp {^subject=(.*)$} $out -> t]} {
+    set t [regsub {^(\w+) = } $t {/\1=}]
+    set t [regsub -all {, (\w+) = } $t {/\1=}]
+    return $t
+  }
 }
 
 proc req-dn {file} {
   ## Return the distinguished name from the certificate request in FILE.
 
-  regexp {^subject=\s*(/.*)$} \
-      [exec openssl req -in $file -noout -subject] \
-      -> dn
-  return $dn
+  return [hack-openssl-dn [exec openssl req -in $file -noout -subject]]
 }
 
 proc cert-key-hash {file} {
   ## Return the key hash from the certificate in FILE.
 
-  return [exec \
+  return [lindex [exec \
 	      openssl x509 -in $file -noout -pubkey | \
 	      openssl rsa 2>/dev/null -pubin -outform der | \
-	      openssl dgst -sha256 -hex]
+	      openssl dgst -sha256 -hex] end]
 }
 
 proc cert-dn {file} {
   ## Return the distinguished name from the certificate in FILE.
 
-  regexp {^subject=\s*(/.*)$} \
-      [exec openssl x509 -in $file -noout -subject] \
-      -> dn
-  return $dn
+  return [hack-openssl-dn [exec openssl x509 -in $file -noout -subject]]
 }
 
 proc cert-seq {file} {