From f9fa7026603a298c46aea77d753e0a8121e5d71b Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 7 Jul 2014 03:26:50 +0200
Subject: Add ability to add custom OrganizationalUnits in genkeypair.

Also, it's now possible to reuse an existing private key (with -f).
---
 roles/common/files/usr/local/bin/genkeypair.sh | 105 +++++++++++++------------
 roles/common/tasks/mail.yml                    |   2 +-
 2 files changed, 56 insertions(+), 51 deletions(-)

(limited to 'roles/common')

diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index bbf2c9d..bf37686 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -27,11 +27,13 @@ type=rsa
 bits=
 hash=
 
-force=
+force=0
 config=
 pubkey=pubkey.pem
 privkey=privkey.pem
 dns=
+ou=
+cn=
 usage=
 chmod=
 chown=
@@ -49,8 +51,12 @@ usage() {
 		    -t type:    key type (default: rsa)
 		    -b bits:    key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA)
 		    -h digest:  digest algorithm
-		    --dns CN:   common name (default: \$(hostname --fqdn); can be repeated
-		    -f force:   overwrite key files if they exist
+		    --ou:       organizational Unit Name; can be repeated
+		    --cn:       common Name (default: \$(hostname --fqdn)
+		    --dns:      hostname for AltName; can be repeated
+		    -f:         force; can be repeated (0: don't overwrite, default;
+		                                        1: reuse private key if it exists;
+		                                        2: overwrite both keys if they exist)
 		    --config:   configuration file
 		    --pubkey:   public key file (default: pubkey.pem)
 		    --privkey:  private key file (default: privkey.pem; created with og-rwx)
@@ -65,6 +71,18 @@ usage() {
 	EOF
 }
 
+dkiminfo() {
+    echo "Add the following TXT record to your DNS zone:"
+    echo "${cn:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( "
+    # See https://tools.ietf.org/html/rfc4871#section-3.6.1
+    # t=s:      the "i=" domain in signature headers MUST NOT be a subdomain of "d="
+    # s=email:  limit DKIM signing to email
+    openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \
+    | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \
+    | fold -w 250 \
+    | { sed 's/.*/\t"&"/'; echo ' )'; }
+}
+
 [ $# -gt 0 ] || { usage; exit 2; }
 cmd="$1"; shift
 case "$cmd" in
@@ -72,6 +90,7 @@ case "$cmd" in
     *) echo "Unrecognized command: $cmd" >&2; exit 2
 esac
 
+nou=1
 while [ $# -gt 0 ]; do
     case "$1" in
         -t) shift; type="$1";;
@@ -83,12 +102,15 @@ while [ $# -gt 0 ]; do
         -h) shift; hash="$1";;
         -h*) hash="${1#-h}";;
 
+        --dns=?*) dns="${dns:+$dns, }DNS:${1#--dns=}";;
+        --cn=?*) cn="${1#--cn=}";;
+        --ou=?*) ou="${ou:+$ou\n}$nou.organizationalUnitName = ${1#--ou=}"
+                 nou=$(( 1 + $nou ));;
 
-        -f) force=1;;
+        -f) force=$(( 1 + $force ));;
         --pubkey=?*) pubkey="${1#--pubkey=}";;
         --privkey=?*) privkey="${1#--privkey=}";;
 
-        --dns=?*) dns="${dns:+$dns,}${1#--dns=}";;
         --usage=?*) usage="${usage:+$usage,}${1#--usage=}";;
         --config=?*) dns="${1#--config=}";;
 
@@ -116,80 +138,63 @@ case "$type" in
     *) echo "Unrecognized key type: $type" >&2; exit 2
 esac
 
-cn=
 if [ "$cmd" = x509 -o "$cmd" = csr ]; then
     case "$hash" in
         md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;;
         *) echo "Invalid digest algorithm: $hash" >&2; exit 2;
     esac
 
-    [ "$dns" ] || dns="$(hostname --fqdn)"
-    cn="${dns%%,*}"
+    [ "$cn" ] || cn="$(hostname --fqdn)"
     [ ${#cn} -le 64 ] || { echo "CommonName too long: $cn" >&2; exit 2; }
 fi
 
-[ -s "$privkey" -a -z "$force" ] && force=0
-if [ "$cmd" != dkim ]; then
-    for file in "$pubkey" "$privkey"; do
-        [ "$force" != 1 -a -s "$file" ] || continue
-        echo "Error: File exists: $file" >&2
-        exit 1
-    done
-fi
-
 if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
     config=$(mktemp) || exit 2
     trap 'rm -f "$config"' EXIT
 
-    names=
-    until [ "$dns" = "${dns#*,}" ]; do
-        names=", DNS:${dns##*,}$names"
-        dns="${dns%,*}"
-    done
-
     # see /usr/share/ssl-cert/ssleay.cnf
     cat >"$config" <<- EOF
 		[ req ]
-		distinguished_name  = req_distinguished_name
-		prompt              = no
-		policy              = policy_anything
-		req_extensions      = v3_req
-		x509_extensions     = v3_req
-		default_days        = 3650
+		distinguished_name = req_distinguished_name
+		prompt             = no
+		policy             = policy_anything
+		req_extensions     = v3_req
+		x509_extensions    = v3_req
+		default_days       = 3650
 
 		[ req_distinguished_name ]
-		countryName         = SE
-		organizationName    = Fripost
-		commonName          = $cn
+		organizationName       = Fripost
+		organizationalUnitName = SSLcerts
+		$(echo "$ou")
+		commonName             = $cn
 
 		[ v3_req ]
-		subjectAltName      = email:admin@fripost.org, DNS:$cn$names
-		basicConstraints    = critical, CA:FALSE
+		subjectAltName   = email:admin@fripost.org${dns:+, $dns}
+		basicConstraints = critical, CA:FALSE
 		# https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
-		keyUsage            = critical, ${usage:-digitalSignature,keyEncipherment}
+		keyUsage         = critical, ${usage:-digitalSignature, keyEncipherment}
 	EOF
 fi
 
-if [ "$force" != 0 ]; then
+if [ -s "$privkey" -a $force -eq 0 ]; then
+    echo "Error: private key exists: $privkey" >&2
+    [ "$cmd" = dkim ] && dkiminfo
+    exit 1
+elif [ ! -s "$privkey" -o $force -ge 2 ]; then
     # Ensure "$privkey" is created with umask 0077
-    mv "$(mktemp)" "$privkey" || exit 2
+    mv -f "$(mktemp)" "$privkey" || exit 2
     chmod "${chmod:-og-rwx}" "$privkey" || exit 2
     [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
     openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+    [ "$cmd" = dkim ] && { dkiminfo; exit; }
 fi
 
 if [ "$cmd" = x509 -o "$cmd" = csr ]; then
-    [ "$cmd" = x509 ] && x509=-x509 || x509=
-    openssl req -config "$config" -new $x509 ${hash:+-$hash} -key "$privkey" >"$pubkey" || exit 2
-elif [ "$cmd" = dkim ]; then
-    echo "Add the following TXT record to your DNS zone:"
-    echo "${dns:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( "
-    # See https://tools.ietf.org/html/rfc4871#section-3.6.1
-    # t=s:      the "i=" domain in signature headers MUST NOT be a subdomain of "d="
-    # s=email:  limit DKIM signing to email
-    openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \
-    | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \
-    | fold -w 250 \
-    | { sed 's/.*/\t"&"/'; echo ' )'; }
-    [ "$force" != 0 ] || exit 1
+    if [ -s "$pubkey" -a $force -eq 0 ]; then
+        echo "Error: public key exists: $pubkey" >&2
+        exit 1
+    else
+        [ "$cmd" = x509 ] && x509=-x509 || x509=
+        openssl req -config "$config" -new $x509 ${hash:+-$hash} -key "$privkey" >"$pubkey" || exit 2
+    fi
 fi
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index cbec8cf..571b66f 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -56,7 +56,7 @@
   command: genkeypair.sh x509
                          --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
                          --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key
-                         --dns={{ ansible_fqdn }}
+                         --ou=Postfix --cn={{ ansible_fqdn }}
                          -t ecdsa -b secp384r1 -h sha512
   register: r4
   changed_when: r4.rc == 0
-- 
cgit v1.2.3