Introduce global option --auto-san, use commonName as SAN
Command sign-req:
Use --auto-san to add a subjectAltName, based on the commonName.

If commonName matches "four dot delimited numbers" then the SAN will
use "IP:commonName" format. Otherwise, use "DNS:commonName" format.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Jun 30, 2024
1 parent 5e62047 commit 5c36d44
Showing 1 changed file with 37 additions and 7 deletions.
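The classification rule the commit message describes (a "four dot delimited numbers" commonName becomes `IP:`, anything else `DNS:`), written out as an added POSIX sh example that is not easy-rsa's code. It goes a step further than the rule as stated: the address match covers the whole CN rather than a substring, each octet is range-checked, an IPv6 literal is also sent to `IP:`, and a CN that fits neither form is refused instead of being emitted as a SAN that OpenSSL would reject or mis-issue. The function names and the sample CNs are my own.

```shell
#!/bin/sh
# Added example (not easy-rsa code): derive the subjectAltName an --auto-san
# style option should emit for a request's commonName, with the checks a
# signer wants: whole-string matching, octet range checks, IPv6 handling and
# refusal of a CN that is neither an address nor a plausible dNSName.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # "010" is read as octal by inet_aton(); refuse zero-padded octets
        case $o in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Heuristic IPv6 test: only hex digits, ':' and '.', with at least two colons.
# OpenSSL parses the literal again when it builds the extension, so anything
# that slips through here fails there rather than landing in the certificate.
is_ipv6() {
    case $1 in
        *[!0-9A-Fa-f:.]*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "IP:<cn>" or "DNS:<cn>" for a commonName, or print a reason to
# stderr and return 1 when no sane SAN can be derived from it.
auto_san_for_cn() {
    cn=$1
    if [ -z "$cn" ]; then
        echo "auto-san: request has no commonName" >&2
        return 1
    fi
    if is_ipv4 "$cn"; then
        printf 'IP:%s\n' "$cn"
        return 0
    fi
    case $cn in
        *[!0-9.]*) ;;   # has letters or other characters: not an IPv4 typo
        *)
            echo "auto-san: '$cn' looks numeric but is not a valid IPv4 address" >&2
            return 1 ;;
    esac
    if is_ipv6 "$cn"; then
        printf 'IP:%s\n' "$cn"
        return 0
    fi
    case $cn in
        *[!A-Za-z0-9.*-]*)
            echo "auto-san: '$cn' is neither an IP address nor a usable dNSName" >&2
            return 1 ;;
    esac
    printf 'DNS:%s\n' "$cn"
}

# Demo on constructed CNs. The third one is the case an unanchored
# four-number match would wrongly turn into an IP: entry; the last three
# are refused rather than passed to OpenSSL.
for cn in 10.1.2.3 vpn.example.org host-10.1.2.3.example.com \
          2001:db8::1 10.1.2.3.4 999.1.1.1 'My Server'; do
    auto_san_for_cn "$cn" || :
done
```

The numeric-but-invalid branch is deliberate: a CN such as `10.1.2.3.4` or `999.1.1.1` is almost always a typo, and issuing it as `DNS:10.1.2.3.4` would silently produce a certificate nobody intended.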
44 changes: 37 additions & 7 deletions easyrsa3/easyrsa
Expand Up @@ -611,6 +611,8 @@ Certificate & Request options: (these impact cert/req field values)
--san|--subject-alt-name=SUBJECT_ALT_NAME
: Add a subjectAltName. Can be used multiple times.
For more info and syntax, see: 'easyrsa help altname'
--auto-san : Use commonName as subjectAltName: 'DNS:commonName'
If commonName is 'n.n.n.n' then set 'IP:commonName'

--new-subject='SUBJECT'
: Specify a new subject field to sign a request with.
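Review bot: the help text for `--auto-san` omits two behaviours the rest of this patch establishes: the option is silently ignored when `--san` is also given, and the commonName is used verbatim as a dNSName with no validation. Suggest extending the entry to something like `--auto-san : Use commonName as subjectAltName: 'DNS:commonName'` / `If commonName is 'n.n.n.n' then set 'IP:commonName'` / `Ignored if --san is used`, and pointing at 'easyrsa help altname' as the `--san` entry directly above does.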
Expand Down Expand Up @@ -2508,6 +2510,37 @@ basicConstraints is not defined, cannot use 'pathlen'"
unset -v ns_cert_type
esac

# Get request CN
EASYRSA_REQ_CN="$(
"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
-subject -nameopt multiline | grep 'commonName'
)" || warn "sign-req - EASYRSA_REQ_CN FAILED"
EASYRSA_REQ_CN="${EASYRSA_REQ_CN##*= }"

# Add auto SAN, if EASYRSA_AUTO_SAN is enabled
if [ -z "$EASYRSA_SAN" ] && [ "$EASYRSA_AUTO_SAN" ]; then
# Set auto_san_type to IP or DNS
octet='[[:digit:]]\+'
if print "$EASYRSA_REQ_CN" | \
grep -q "${octet}\.${octet}\.${octet}\.${octet}"
then
auto_san_type=IP
else
auto_san_type=DNS
fi

# Add auto SAN to EASYRSA_EXTRA_EXTS
EASYRSA_SAN="${auto_san_type}:${EASYRSA_REQ_CN}"
EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"

verbose "sign-req: Auto SAN: ${EASYRSA_SAN}"
unset -v octet auto_san_type
else
auto_san_type=
fi

# Generate the extensions file for this cert:
ext_tmp=""
easyrsa_mktemp ext_tmp || \
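Review bot: the IP test at `grep -q "${octet}\.${octet}\.${octet}\.${octet}"` is unanchored, so any CN that merely contains a dotted quad (host-10.1.2.3.example.com, or 10.1.2.3.4) is emitted as `IP:<cn>`, which OpenSSL rejects when it builds the extension, and out-of-range octets such as 999.1.1.1 are classed as IP as well; anchor it with `grep -qx` (or `^...$`) and preferably range-check each octet. Note also that `\+` is a GNU BRE extension rather than POSIX; `[[:digit:]][[:digit:]]*`, or `grep -E` with `+`, is portable. An IPv6 CN falls into the DNS branch and yields `DNS:2001:db8::1`, which is not a valid dNSName, so CNs containing ':' should either be treated as IP or refused. When `--san` was given, `[ -z "$EASYRSA_SAN" ]` drops the `--auto-san` request without a word; that deserves at least a `warn`. Finally, the `else auto_san_type=` branch is dead code: the variable is only read inside the `if` and is unset there, so the `else` can go.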
Expand Down Expand Up @@ -2541,13 +2574,6 @@ Failed to create temp extension file (bad permissions?) at:
* $ext_tmp"
verbose "sign_req: Generated extensions file OK"

# Get request CN
EASYRSA_REQ_CN="$(
"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
-subject -nameopt multiline | grep 'commonName'
)" || warn "sign-req - EASYRSA_REQ_CN FAILED"
EASYRSA_REQ_CN="${EASYRSA_REQ_CN##*= }"

# Set confirm CN
confirm_CN=" Requested CN: '$EASYRSA_REQ_CN'"

Expand Down Expand Up @@ -5457,6 +5483,10 @@ while :; do
EASYRSA_SAN="$val"
fi
;;
--auto-san)
empty_ok=1
export EASYRSA_AUTO_SAN=1
;;
--new-subj*)
export EASYRSA_NEW_SUBJECT="$val"
;;
