X-Git-Url: https://git.distorted.org.uk/~mdw/ca/blobdiff_plain/92c78e4a0cb5e237850ed13ec52684f78471bf0e..d811166df9c753aa43e9c6e6449b6c0a383ae2bf:/lib/func.tcl

diff --git a/lib/func.tcl b/lib/func.tcl
index 9e03b5b..1b53f2f 100644
--- a/lib/func.tcl
+++ b/lib/func.tcl
@@ -454,13 +454,21 @@ proc req-key-hash {file} {
 	      openssl dgst -sha256 -hex] end]
 }
 
+proc hack-openssl-dn {out} {
+  ## Convert OpenSSL's hopeless output into a DN.
+
+  if {[regexp {^subject=\s*(/.*)$} $out -> dn]} { return $dn }
+  if {[regexp {^subject=(.*)$} $out -> t]} {
+    set t [regsub {^(\w+) = } $t {/\1=}]
+    set t [regsub -all {, (\w+) = } $t {/\1=}]
+    return $t
+  }
+}
+
 proc req-dn {file} {
   ## Return the distinguished name from the certificate request in FILE.
 
-  regexp {^subject=\s*(/.*)$} \
-      [exec openssl req -in $file -noout -subject] \
-      -> dn
-  return $dn
+  return [hack-openssl-dn [exec openssl req -in $file -noout -subject]]
 }
 
 proc cert-key-hash {file} {
@@ -475,10 +483,7 @@ proc cert-key-hash {file} {
 proc cert-dn {file} {
   ## Return the distinguished name from the certificate in FILE.
 
-  regexp {^subject=\s*(/.*)$} \
-      [exec openssl x509 -in $file -noout -subject] \
-      -> dn
-  return $dn
+  return [hack-openssl-dn [exec openssl x509 -in $file -noout -subject]]
 }
 
 proc cert-seq {file} {
@@ -491,6 +496,26 @@ proc cert-seq {file} {
 }
 
 ###--------------------------------------------------------------------------
+### Generating the root key.
+
+proc generate-root-key {} {
+  global C
+
+  set subject ""
+  foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
+  exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf"  \
+      -text -out "ca.cert" -keyout "private/ca.key" \
+      -new -x509 -days $C(ca-period) \
+      -subj $subject
+  file attributes "private/ca.key" \
+      -owner $C(ca-owner) -group $C(ca-group) \
+      -permissions 0640
+  file attributes "ca.cert" \
+      -owner $C(ca-owner) -group $C(ca-group) \
+      -permissions 0644
+}
+
+###--------------------------------------------------------------------------
 ### Certificate requests.
 
 proc request-match {reqid cond} {