Add support for CSR and subjectAltName in genkeypair.sh.

2 files changed, 53 insertions, 29 deletions

diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 2af24cf..6c75fa4 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -8,121 +8,145 @@
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 set -ue
 PATH=/usr/bin:/bin
 
 # Default values
 type=rsa
 bits=
-hash=sha1
+hash=
 
 force=
+x509=-x509
+config=
 pubkey=pubkey.pem
 privkey=privkey.pem
+dns=
 
 usage() {
     cat >&2 <<- EOF
 		Usage: $0 [OPTIONS]
 		Generate self-signed server certificates
 
 		Options:
 		    -t type:    key type (default: rsa)
 		    -b bits:    key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA)
-		    -h digest:  digest algorithm (default: sha1)
-		    -n CN:      common name (default: \$(hostname --fqdn)
+		    -h digest:  digest algorithm
+		    --dns CN:   common name (default: \$(hostname --fqdn); can be repeated
 		    -f force:   overwrite key files if they exist
+		    --csr:      generate a Certificate Signing Request instead
+		    --config:   configuration file
 		    --pubkey:   public key file (default: pubkey.pem)
 		    --privkey:  private key file (default: privkey.pem; created with og-rwx)
 
 		Return values:
 		    0  The key pair was successfully generated
 		    1  The public or private key file exists, and -f is not set
 		    2  The key generation failed
 	EOF
 }
 
-name=$(hostname --fqdn)
 while [ $# -gt 0 ]; do
     case "$1" in
         -t) shift; type="$1";;
         -t*) type="${1#-t}";;
 
         -b) shift; bits="$1";;
         -b*) bits="${1#-b}";;
 
         -h) shift; hash="$1";;
         -h*) hash="${1#-h}";;
 
-        -n) shift; name="$1";;
-        -n*) name="${1#-n}";;
 
         -f) force=1;;
-        --pubkey=*) pubkey="${1#--pubkey=}";;
-        --privkey=*) privkey="${1#--privkey=}";;
+        --pubkey=?*) pubkey="${1#--pubkey=}";;
+        --privkey=?*) privkey="${1#--privkey=}";;
+
+        --csr) x509=;;
+        --dns=?*) dns="${dns:+$dns,}${1#--dns=}";;
+        --config=?*) dns="${1#--config=}";;
 
         --help) usage; exit;;
         *) echo "Unrecognized argument: $1" >&2; exit 2
     esac
     shift;
 done
 
 rand=/dev/urandom
 case "$type" in
+    # XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
+    # genpkey can also create explicit EC parameters, but not named.
     rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";;
     dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";;
     # See 'openssl ecparam -list_curves' for the list of supported
     # curves. StrongSwan doesn't support explicit curve parameters
     # (however explicit parameters might be required to make exotic
     # curves work with some clients.)
     ecdsa) genkey=ecparam
            genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";;
     *) echo "Unrecognized key type: $type" >&2; exit 2
 esac
 
 case "$hash" in
-    md5|rmd160|sha1|sha224|sha256|sha384|sha512) ;;
+    md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;;
     *) echo "Invalid digest algorithm: $hash" >&2; exit 2;
 esac
 
-[ ${#name} -le 64 ] || { echo "Hostname too long: $name" >&2; exit 2; }
+[ "$dns" ] || dns="$(hostname --fqdn)"
+cn="${dns%%,*}"
+[ ${#cn} -le 64 ] || { echo "CommonName too long: $cn" >&2; exit 2; }
+
 for file in "$pubkey" "$privkey"; do
     [ -z "$force" -a -s "$file" ] || continue
     echo "Error: File exists: $file" >&2
     exit 1
 done
 
-config=$(mktemp) || exit 2
-trap 'rm -f "$config"' EXIT
-# see /usr/share/ssl-cert/ssleay.cnf
-cat >"$config" <<- EOF
-	[ req ]
-	distinguished_name  = req_distinguished_name
-	prompt              = no
-	policy			    = policy_anything
-	req_extensions      = v3_req
-	x509_extensions     = v3_req
-
-	[ req_distinguished_name ]
-	commonName          = $name
-
-	[ v3_req ]
-	basicConstraints    = critical, CA:FALSE
-EOF
+if [ -z "$config" ]; then
+    config=$(mktemp) || exit 2
+    trap 'rm -f "$config"' EXIT
+
+    names=
+    until [ "$dns" = "${dns#*,}" ]; do
+        names=", DNS:${dns##*,}$names"
+        dns="${dns%,*}"
+    done
+
+    # see /usr/share/ssl-cert/ssleay.cnf
+    cat >"$config" <<- EOF
+		[ req ]
+		distinguished_name  = req_distinguished_name
+		prompt              = no
+		policy              = policy_anything
+		req_extensions      = v3_req
+		x509_extensions     = v3_req
+		default_days        = 3650
+
+		[ req_distinguished_name ]
+		countryName         = SE
+		organizationName    = Fripost
+		commonName          = $cn
+
+		[ v3_req ]
+		subjectAltName      = email:admin@fripost.org, DNS:$cn$names
+		basicConstraints    = critical, CA:FALSE
+	EOF
+fi
 
 # Ensure "$privkey" is created with umask 0077
 mv "$(mktemp)" "$privkey" || exit 2
 chmod og-rwx "$privkey" || exit 2
 
 openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
-openssl req -config "$config" -new -x509 -days 3650 -"$hash" -key "$privkey" >"$pubkey" || exit 2
+openssl req -config "$config" -new $x509 ${hash:+-$hash} -key "$privkey" >"$pubkey" || exit 2
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 6b97ddb..5e0115e 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -1,27 +1,27 @@
 - name: Install strongSwan
   apt: pkg=strongswan-ikev2
 
 - name: Generate a key pair for IPSec
   command: genkeypair.sh --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
                          --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key
-                         -n {{ inventory_hostname }}
+                         --dns {{ inventory_hostname }}
                          -t ecdsa -b secp521r1 -h sha512
   register: r1
   failed_when: r1.rc > 1
   changed_when: r1.rc == 0
   notify:
     - Restart IPSec
 
 - name: Fetch the public part of IPSec's host key
   sudo: False
   # Ensure we don't fetch private data
   fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
          dest=certs/ipsec/
          fail_on_missing=yes
          flat=yes
 
 # Don't copy our pubkey due to a possible race condition.  Only the
 # remote machine has authority regarding its key.
 - name: Copy IPSec host pubkeys (except ours)
   copy: src=certs/ipsec/{{ item }}.pem
         dest=/etc/ipsec.d/certs/{{ item }}.pem