diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-05 15:47:34 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-05 16:24:12 +0100 |
| commit | 9722d50b9b6c5ccd81892a00bdd3023399b004fb (patch) | |
| tree | 10ff7840e4c924d51217a122ac5f4a7bcb56a476 /roles/common | |
| parent | c21b92d9b79a80a27607618666b56fbc5cd26ac8 (diff) | |
DKIM: also include the "d=" tag in key filenames, not only the "s=" tag.
While the combination of "s=" tag (selector) & "d=" tag signing domain
maps to a unique key, the selector alone doesn't necessarily.
Diffstat (limited to 'roles/common')
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 16 |
1 files changed, 2 insertions, 14 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 01b279a..ad65aef 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -4,40 +4,41 @@ # certificates or Certificate Signing Requests, or DKIM private keys. # Inspired from make-ssl-cert(8) and opendkim-genkey(8). # # Copyright © 2014 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/bin:/bin +export PATH # Default values type=rsa bits= hash= force=0 config= pubkey=pubkey.pem privkey=privkey.pem dns= ou= cn= usage= mode= owner= group= usage() { cat >&2 <<- EOF @@ -57,52 +58,40 @@ usage() { --cn: common Name (default: \$(hostname --fqdn) --dns: hostname for AltName; can be repeated -f: force; can be repeated (0: don't overwrite, default; 1: reuse private key if it exists; 2: overwrite both keys if they exist) --config: configuration file --pubkey: public key file (default: pubkey.pem) --privkey: private key file (default: privkey.pem) --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign) --mode: set privkey's permission mode (default: 0600) --owner: set privkey's owner (default: the process' current owner) --group: set privkey's group (default: the process' current group) Return values: 0 The key pair was successfully generated 1 The public or private key file exists, and -f is not set 2 The key generation failed EOF } -dkiminfo() { - echo "Add the following TXT record to your DNS zone:" - echo "${cn:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( " - # See https://tools.ietf.org/html/rfc4871#section-3.6.1 - # t=s: the "i=" domain in signature headers MUST NOT be a subdomain of "d=" - # s=email: limit DKIM signing to email - openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \ - | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \ - | fold -w 250 \ - | { sed 's/.*/\t"&"/'; echo ' )'; } -} - [ $# -gt 0 ] || { usage; exit 2; } cmd="$1"; shift case "$cmd" in x509|csr|dkim|keypair) ;; *) echo "Unrecognized command: $cmd" >&2; exit 2 esac nou=1 while [ $# -gt 0 ]; do case "$1" in -t) shift; type="$1";; -t*) type="${1#-t}";; -b) shift; bits="$1";; -b*) bits="${1#-b}";; -h) shift; hash="$1";; -h*) hash="${1#-h}";; --dns=?*) dns="${dns:+$dns, }DNS:${1#--dns=}";; @@ -164,44 +153,43 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] organizationName = Fripost organizationalUnitName = SSLcerts $(echo "$ou") commonName = ${cn:-/} [ v3_req ] subjectAltName = email:admin@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} subjectKeyIdentifier = hash EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 - [ "$cmd" = dkim ] && dkiminfo exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 - [ "$cmd" = dkim ] && { dkiminfo; exit; } + [ "$cmd" = dkim ] && exit fi if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then pubkey=$(mktemp) openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 cat "$pubkey" >>"$privkey" || exit 2 rm -f "$pubkey" elif [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 else [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi elif [ "$cmd" = keypair -a "$pubkey" ]; then openssl pkey -pubout <"$privkey" >"$pubkey" fi |