From 82e6e9cacbcbd6fa7d5f7941671bc686d8282c14 Mon Sep 17 00:00:00 2001 From: tuto193 Date: Tue, 11 Aug 2020 14:08:03 +0200 Subject: [PATCH 1/4] gvm-manage-certs: Added SAN parsing (Closes: #0134801) --- tools/gvm-manage-certs.in | 51 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/tools/gvm-manage-certs.in b/tools/gvm-manage-certs.in index d809d119e..cbd7a7d48 100644 --- a/tools/gvm-manage-certs.in +++ b/tools/gvm-manage-certs.in @@ -78,6 +78,8 @@ set_defaults () { GVM_CERTIFICATE_ORG=${GVM_CERTIFICATE_ORG:-"GVM Users"} # (Organization unit) GVM_CERTIFICATE_ORG_UNIT=${GVM_CERTIFICATE_ORG_UNIT:-""} + # Subject Alternative Name(s) + GVM_CERTIFICATE_SAN=${GVM_CERTIFICATE_SAN:-"localhost"} # Hostname if [ -z "$GVM_CERTIFICATE_HOSTNAME" ] @@ -102,7 +104,8 @@ set_defaults () { GVM_CA_CERTIFICATE_ORG=${GVM_CA_CERTIFICATE_ORG:-"$GVM_CERTIFICATE_ORG"} # (Organization unit) GVM_CA_CERTIFICATE_ORG_UNIT=${GVM_CA_CERTIFICATE_ORG_UNIT:-"Certificate Authority for $GVM_CERTIFICATE_HOSTNAME"} - + # The array with all the SANs + GVM_CA_CERTIFICATE_SAN=${GVM_CA_CERTIFICATE_SAN:-"$GVM_CERTIFICATE_SAN"} # Key size if [ -z "$GVM_CERTIFICATE_KEYSIZE" ] then @@ -330,6 +333,29 @@ create_certificate () then echo "cn = \"$GVM_CA_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME fi + if [ -n "$GVM_CA_CERTIFICATE_SAN" ] + then + for i in $GVM_CA_CERTIFICATE_SAN + do + case "$i" in + *.*.*.*) + echo "ip_address = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + http*) + echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + *.*) + echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + localhost ) + echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + *) + log_verbose "Invalid formatting for SAN: $i" + ;; + esac + done + fi else if [ -n "$GVM_CERTIFICATE_LIFETIME" ] then 
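Review bot: The comment added above `GVM_CA_CERTIFICATE_SAN` in the second set_defaults hunk calls the value an array, but it is a plain string that the later loop splits on whitespace, and the comment does not say that it is copied from the server certificate's list. With that default the CA certificate carries the same host names as the leaf certificate unless the operator overrides it, which looks unintended for a signing certificate and should be confirmed. I would reword the comment to `# SANs for the CA certificate: whitespace-separated list, defaults to GVM_CERTIFICATE_SAN`. set_defaults starts and ends outside the hunk.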
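Review bot: The `*.*.*.*)` arm in the CA branch of create_certificate treats any token with three dots as an IP address, so a host name such as `a.b.c.example` is written as `ip_address` instead of `dns_name`, and `http*)` accepts any token that merely starts with those four letters. The generated template then carries the name under the wrong SAN type, and the certificate will not match the name the operator asked for. Putting `http://*|https://*)` first and adding a `*[!0-9.]*.*|*.*[!0-9.]*|localhost)` arm for `dns_name` ahead of `*.*.*.*)` leaves the IP arm with tokens made only of digits and dots. The same case statement is repeated in the hunk at -359 and in add_san_settings in PATCH 4/4; create_certificate continues outside the hunk.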
@@ -359,6 +385,29 @@ create_certificate () then echo "cn = \"$GVM_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME fi + if [ -n "$GVM_CERTIFICATE_SAN" ] + then + for i in $GVM_CERTIFICATE_SAN + do + case "$i" in + *.*.*.*) + echo "ip_address = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + http*) + echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + *.*) + echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + localhost ) + echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + *) + log_verbose "Invalid formatting for SAN: $i" + ;; + esac + done + fi fi # Add key usage constraints if the certificate type is known From a9ee89e9e3cff4e691f3c2ad550ebaf977a3f9c3 Mon Sep 17 00:00:00 2001 From: tuto193 Date: Tue, 11 Aug 2020 16:00:05 +0200 Subject: [PATCH 2/4] Default value is empty to avoid unexpected behaviour. --- tools/gvm-manage-certs.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/gvm-manage-certs.in b/tools/gvm-manage-certs.in index cbd7a7d48..d7bac162c 100644 --- a/tools/gvm-manage-certs.in +++ b/tools/gvm-manage-certs.in @@ -79,7 +79,7 @@ set_defaults () { # (Organization unit) GVM_CERTIFICATE_ORG_UNIT=${GVM_CERTIFICATE_ORG_UNIT:-""} # Subject Alternative Name(s) - GVM_CERTIFICATE_SAN=${GVM_CERTIFICATE_SAN:-"localhost"} + GVM_CERTIFICATE_SAN=${GVM_CERTIFICATE_SAN:-""} # Hostname if [ -z "$GVM_CERTIFICATE_HOSTNAME" ] From eb52ad83dde957bd32166a35a0be30af9e4a1c49 Mon Sep 17 00:00:00 2001 From: tuto193 Date: Wed, 12 Aug 2020 09:20:40 +0200 Subject: [PATCH 3/4] Added changelog entry. --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f00182a6a..7020baaac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [20.8.1] (unreleased) ### Added +- Added ability to enter Subject Alternative Names (SAN) when generating a CSR [#1246](https://github.com/greenbone/gvmd/pull/1246) ### Changed - Extended the output of invalid / missing --feed parameter given to greenbone-feed-sync [#1255](https://github.com/greenbone/gvmd/pull/1255) From 4dbfb241639f53e43223345c2c16a93a24167a3a Mon Sep 17 00:00:00 2001 From: tuto193 Date: Mon, 17 Aug 2020 09:44:46 +0200 Subject: [PATCH 4/4] Created dedicated function for modularity --- tools/gvm-manage-certs.in | 67 ++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 40 deletions(-) diff --git a/tools/gvm-manage-certs.in b/tools/gvm-manage-certs.in index d7bac162c..652299803 100644 --- a/tools/gvm-manage-certs.in +++ b/tools/gvm-manage-certs.in @@ -293,6 +293,31 @@ create_private_key () log_write "Generated private key in $1." } +# Add SAN settings +add_san_settings () +{ + for i in $1 + do + case "$i" in + *.*.*.*) + echo "ip_address = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + http*) + echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + *.*) + echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + localhost ) + echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME + ;; + *) + log_verbose "Invalid formatting for SAN: $i" + ;; + esac + done +} + # Create a certificate create_certificate () { 
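Review bot: `for i in $1` in add_san_settings is expanded with pathname globbing active, so a wildcard name such as `*.example.com` is replaced by any matching file names in the working directory before it reaches the case statement. Wrapping the loop in `set -f` and `set +f` keeps such entries literal while still splitting on whitespace. Entries that fall through to `*)` are reported only through `log_verbose`, presumably visible only in verbose mode, so a certificate can be generated without a requested name and without a warning; `log_write "Ignoring SAN with unrecognised format: $i"` would surface that. The function also lacks a comment saying that `$1` is a whitespace-separated list and that it appends to the template file, and the redirect targets should be quoted as `"$GVM_CERT_TEMPLATE_FILENAME"`.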
@@ -335,26 +360,7 @@ create_certificate () fi if [ -n "$GVM_CA_CERTIFICATE_SAN" ] then - for i in $GVM_CA_CERTIFICATE_SAN - do - case "$i" in - *.*.*.*) - echo "ip_address = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - http*) - echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - *.*) - echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - localhost ) - echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - *) - log_verbose "Invalid formatting for SAN: $i" - ;; - esac - done + add_san_settings GVM_CA_CERTIFICATE_SAN fi else if [ -n "$GVM_CERTIFICATE_LIFETIME" ] @@ -387,26 +393,7 @@ create_certificate () fi if [ -n "$GVM_CERTIFICATE_SAN" ] then - for i in $GVM_CERTIFICATE_SAN - do - case "$i" in - *.*.*.*) - echo "ip_address = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - http*) - echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - *.*) - echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - localhost ) - echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME - ;; - *) - log_verbose "Invalid formatting for SAN: $i" - ;; - esac - done + add_san_settings GVM_CERTIFICATE_SAN fi fi
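Review bot: Both new calls pass the variable's name instead of its value: `add_san_settings GVM_CA_CERTIFICATE_SAN` here and `add_san_settings GVM_CERTIFICATE_SAN` in the hunk at -387. Inside the function `for i in $1` then sees the single word `GVM_CA_CERTIFICATE_SAN`, which matches only the `*)` arm, so no SAN line is written and the certificate is issued without the requested names. The calls should be `add_san_settings "$GVM_CA_CERTIFICATE_SAN"` and `add_san_settings "$GVM_CERTIFICATE_SAN"`. create_certificate starts and ends outside both hunks.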