acmecert: Fix cryptography bugs.

[utils.git] / certreq

#!/bin/bash

commajoin() {
    f=y
    for arg in "$@"; do
        if [ -z "$f" ]; then echo -n ,; fi
        echo -n "$arg"
        f=
    done
}

usage() {
    echo "usage: certreq [-h] [-a ALTNAMES] [-C] SUBJECT KEYFILE"
    echo '        SUBJECT is of the form `/PART1=VALUE1/PART2=VALUE2/...'\'
    echo '        ALTNAMES is of the form `DNS:name1,DNS:name,...'\'
}

declare -A reqexts config
while getopts hCa: OPT; do
    case "$OPT" in
        h)
            usage
            exit 0
            ;;
        a)
            reqexts[SAN]=1
            config[SAN]=1
            config_SAN=("${config_SAN[@]}" "subjectAltName=$OPTARG")
            ;;
        C)
            reqexts[NON_SELF_CA]=1
            config[NON_SELF_CA]=1
            config_NON_SELF_CA=("${config_NONE_SELF_CA[@]}"
                                "basicConstraints = critical,CA:true"
                                "keyUsage = cRLSign, keyCertSign")
            ;;
    esac
done
shift $((OPTIND - 1))
if [ $# -lt 2 ]; then
    usage >&2
    exit 1
fi

args=(openssl req -new)
if [ -n "${!reqexts[*]}" ]; then
    for reqext in "${!reqexts[@]}"; do
        args=("${args[@]}" -reqexts "$reqext")
    done
fi
if [ -n "${!config[*]}" ]; then
    confpath="$(mktemp /tmp/certreq-XXXXXX)"
    cat /etc/ssl/openssl.cnf >>"$confpath"
    for section in "${!config[@]}"; do
        echo "[${section}]" >>"$confpath"
        var="config_${section}[@]"
        for confopt in "${!var}"; do
            echo "$confopt" >>"$confpath"
        done
        echo >>"$confpath"
    done
    trap 'rm -f "$confpath"' EXIT
    args=("${args[@]}" -config "$confpath")
fi
args=("${args[@]}" -subj "$1" -key "$2")

"${args[@]}"