acmecert: Fix cryptography bugs.
diff --git a/certreq b/certreq
index fb7e26c..74e0dd7 100755 (executable)
--- a/certreq
+++ b/certreq
@@ -1,13 +1,22 @@
 #!/bin/bash
 
+commajoin() {
+    f=y
+    for arg in "$@"; do
+       if [ -z "$f" ]; then echo -n ,; fi
+       echo -n "$arg"
+       f=
+    done
+}
+
 usage() {
-    echo "usage: certreq [-h] [-a ALTNAMES] SUBJECT KEYFILE"
+    echo "usage: certreq [-h] [-a ALTNAMES] [-C] SUBJECT KEYFILE"
     echo '        SUBJECT is of the form `/PART1=VALUE1/PART2=VALUE2/...'\'
     echo '        ALTNAMES is of the form `DNS:name1,DNS:name,...'\'
 }
 
 declare -A reqexts config
-while getopts ha: OPT; do
+while getopts hCa: OPT; do
     case "$OPT" in
        h)
            usage
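Review bot: The new `commajoin` helper assigns `f` and `arg` as globals and prints with `echo -n "$arg"`, so an argument such as `-n` or `-e` is consumed as an echo option instead of being emitted. Declaring `local f=y arg` at the top of the function and printing with `printf '%s' "$arg"` (and `printf ,` for the separator) avoids both problems. No caller of `commajoin` is visible in these hunks, so the values it receives cannot be checked from here. The usage text also lists `[-C]` without saying that it requests a CA certificate (`basicConstraints CA:true`); a one-line description there would make it harder to pass the flag by accident.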
@@ -18,6 +27,13 @@ while getopts ha: OPT; do
            config[SAN]=1
            config_SAN=("${config_SAN[@]}" "subjectAltName=$OPTARG")
            ;;
+       C)
+           reqexts[NON_SELF_CA]=1
+           config[NON_SELF_CA]=1
+           config_NON_SELF_CA=("${config_NONE_SELF_CA[@]}"
+                               "basicConstraints = critical,CA:true"
+                               "keyUsage = cRLSign, keyCertSign")
+           ;;
     esac
 done
 shift $((OPTIND - 1))
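Review bot: The `C)` branch expands `"${config_NONE_SELF_CA[@]}"`, which is a misspelling of the array being assigned (`config_NON_SELF_CA`), so it always expands to nothing and would abort under `set -u`. The line should read `config_NON_SELF_CA=("${config_NON_SELF_CA[@]}"`, matching the append pattern used for `config_SAN` just above. Separately, the requested `basicConstraints = critical,CA:true` carries no `pathlen`; if these requests are meant for intermediates that must not issue further CAs, `CA:true,pathlen:0` would state that in the request, though the signing CA has the final say. The `case` statement starts outside this hunk.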
@@ -28,7 +44,9 @@ fi
 
 args=(openssl req -new)
 if [ -n "${!reqexts[*]}" ]; then
-    args=("${args[@]}" -reqexts "${!reqexts[@]}")
+    for reqext in "${!reqexts[@]}"; do
+       args=("${args[@]}" -reqexts "$reqext")
+    done
 fi
 if [ -n "${!config[*]}" ]; then
     confpath="$(mktemp /tmp/certreq-XXXXXX)"
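Review bot: The loop on the new side emits one `-reqexts NAME` pair per key, but as far as I know `openssl req` keeps only the last `-reqexts` value, so when both `-a` and `-C` are given one extension section is silently left out of the request. Which one survives depends on the iteration order of the associative array, which bash does not guarantee. That means a request could go out without its `subjectAltName`, or without the critical `basicConstraints`/`keyUsage`, with no error. Writing all extension lines into a single config section and passing one `-reqexts` for it would avoid this; at minimum add a comment such as `# openssl honours only the last -reqexts; sections must be merged` until that is done.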