X-Git-Url: https://git.distorted.org.uk/~mdw/ca/blobdiff_plain/92c78e4a0cb5e237850ed13ec52684f78471bf0e..d811166df9c753aa43e9c6e6449b6c0a383ae2bf:/lib/func.tcl
diff --git a/lib/func.tcl b/lib/func.tcl
index 9e03b5b..1b53f2f 100644
--- a/lib/func.tcl
+++ b/lib/func.tcl
@@ -454,13 +454,21 @@ proc req-key-hash {file} {
 openssl dgst -sha256 -hex] end]
 }
 
+proc hack-openssl-dn {out} {
+ ## Convert OpenSSL's hopeless output into a DN.
+
+ if {[regexp {^subject=\s*(/.*)$} $out -> dn]} { return $dn }
+ if {[regexp {^subject=(.*)$} $out -> t]} {
+ set t [regsub {^(\w+) = } $t {/\1=}]
+ set t [regsub -all {, (\w+) = } $t {/\1=}]
+ return $t
+ }
+}
+
 proc req-dn {file} {
 ## Return the distinguished name from the certificate request in FILE.
 
- regexp {^subject=\s*(/.*)$} \
- [exec openssl req -in $file -noout -subject] \
- -> dn
- return $dn
+ return [hack-openssl-dn [exec openssl req -in $file -noout -subject]]
 }
 
 proc cert-key-hash {file} {
@@ -475,10 +483,7 @@ proc cert-key-hash {file} {
 proc cert-dn {file} {
 ## Return the distinguished name from the certificate in FILE.
 
- regexp {^subject=\s*(/.*)$} \
- [exec openssl x509 -in $file -noout -subject] \
- -> dn
- return $dn
+ return [hack-openssl-dn [exec openssl x509 -in $file -noout -subject]]
 }
 
 proc cert-seq {file} {
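Review bot: hack-openssl-dn falls through to an empty result when neither regexp matches, so req-dn and cert-dn now return "" for an unrecognised subject line where the removed code would at least have failed on the unset `dn`; adding `error "unrecognised subject line: $out"` after the second `if` keeps a parse failure from turning into an empty DN downstream (the same silent fallback reaches cert-dn in the second hunk). The second branch splits on `, (\w+) = `, which may mis-split a value that itself contains a comma followed by a word and ` = `, and it only exists because the output format differs between OpenSSL versions; pinning the format with OpenSSL's `-nameopt` option on the two exec lines in req-dn and cert-dn would make the parser deterministic instead of heuristic. A one-line addition to the doc comment naming the two accepted shapes, `subject=/C=..` and `subject=C = ..`, would help the next reader.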
@@ -491,6 +496,26 @@ proc cert-seq {file} {
 }
 
 ###--------------------------------------------------------------------------
+### Generating the root key.
+
+proc generate-root-key {} {
+ global C
+
+ set subject ""
+ foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
+ exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
+ -text -out "ca.cert" -keyout "private/ca.key" \
+ -new -x509 -days $C(ca-period) \
+ -subj $subject
+ file attributes "private/ca.key" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0640
+ file attributes "ca.cert" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0644
+}
+
+###--------------------------------------------------------------------------
 ### Certificate requests.
 
 proc request-match {reqid cond} {
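Review bot: generate-root-key overwrites an existing `private/ca.key` and `ca.cert` without any check, since `openssl req -keyout`/`-out` truncate their targets, so a second invocation silently replaces the CA's private key; a guard before the exec, `if {[file exists "private/ca.key"]} { error "refusing to overwrite existing root key private/ca.key" }`, would prevent that. The `file attributes ... -permissions 0640` on the key is applied only after OpenSSL has written it, so for that interval the file carries whatever mode the process umask yields unless this OpenSSL build creates key output 0600 itself; if that cannot be relied on, run under a restrictive umask or keep `private/` itself non-world-readable. The DN is assembled by plain concatenation, so a `/` or `=` inside a `$C(ca-name)` value changes the parsed subject; either escape those characters with a backslash (which OpenSSL's `-subj` accepts) or document the restriction on the config value.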