Merge branch 'master' of git://git.distorted.org.uk/~mdw/ca
authorMark Wooding <mdw@distorted.org.uk>
Sat, 1 Dec 2012 20:01:27 +0000 (20:01 +0000)
committerMark Wooding <mdw@distorted.org.uk>
Sat, 1 Dec 2012 20:01:27 +0000 (20:01 +0000)
* 'master' of git://git.distorted.org.uk/~mdw/ca:
  lib/func.tcl: Hack output of `openssl dgst -hex'.
  etc/openssl.conf: Allow `keyEncipherment' for TLS clients.

etc/openssl.conf
lib/func.tcl

index 1accc80..1fe673a 100644 (file)
@@ -103,7 +103,7 @@ crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 [tls-client-extensions]
 basicConstraints = critical, CA:FALSE
-keyUsage = critical, digitalSignature
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
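Review bot: The widened `keyUsage` line in `[tls-client-extensions]` has no comment saying why client certificates now need `keyEncipherment`. TLS client authentication normally only signs with the certificate key, so this bit is presumably there for a peer or application that insists on it. Without a note, a later reader cannot tell whether it can be dropped again. I would add a comment above the line such as `# keyEncipherment: required by <peer/software>; TLS client auth itself only needs digitalSignature`, naming the actual consumer. The section may continue past the end of the hunk.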
index 04bd206..1f73008 100644 (file)
@@ -448,10 +448,10 @@ proc sync-profiles {} {
 proc req-key-hash {file} {
   ## Return the key hash from the certificate request in FILE.
 
-  return [exec \
+  return [lindex [exec \
              openssl req -in $file -noout -pubkey | \
              openssl rsa 2>/dev/null -pubin -outform der | \
-             openssl dgst -sha256 -hex]
+             openssl dgst -sha256 -hex] end]
 }
 
 proc req-dn {file} {
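Review bot: `req-key-hash` now returns whatever the last word of the `openssl dgst` output happens to be, with no check that it is a SHA-256 hex digest; the same applies to `cert-key-hash` in the next hunk. The output format has evidently already differed between OpenSSL versions, so I would bind the result and verify it before returning: `set h [lindex [exec ...] end]` followed by `if {![regexp {^[0-9a-fA-F]{64}$} $h]} { error "unexpected output from openssl dgst" }`. That way another format change fails loudly instead of producing a wrong key hash, which matters if these hashes are used to match requests to certificates (not visible here). A short comment that `lindex ... end` relies on the digest being the final whitespace-separated word would also help. Both procs lie entirely within their hunks.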
@@ -466,10 +466,10 @@ proc req-dn {file} {
 proc cert-key-hash {file} {
   ## Return the key hash from the certificate in FILE.
 
-  return [exec \
+  return [lindex [exec \
              openssl x509 -in $file -noout -pubkey | \
              openssl rsa 2>/dev/null -pubin -outform der | \
-             openssl dgst -sha256 -hex]
+             openssl dgst -sha256 -hex] end]
 }
 
 proc cert-dn {file} {