diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f378c1ad..cdba4c3d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - Improve VT version handling for CVE & OVAL results [#1496](https://github.com/greenbone/gvmd/pull/1496)
 - Fix migration to DB version 242 from gvmd 20.08 [#1498](https://github.com/greenbone/gvmd/pull/1498)
+- Update subject alternative name in certificate generation [#1503](https://github.com/greenbone/gvmd/pull/1503)
 [21.4.0]: https://github.com/greenbone/gvmd/compare/v21.4.0...gvmd-21.04
diff --git a/tools/gvm-manage-certs.in b/tools/gvm-manage-certs.in
index dd986c028..dc2a56435 100644
--- a/tools/gvm-manage-certs.in
+++ b/tools/gvm-manage-certs.in
@@ -79,7 +79,11 @@ set_defaults () {
 # (Organization unit)
 GVM_CERTIFICATE_ORG_UNIT=${GVM_CERTIFICATE_ORG_UNIT:-""}
 # Subject Alternative Name(s)
-GVM_CERTIFICATE_SAN=${GVM_CERTIFICATE_SAN:-""}
+GVM_CERTIFICATE_SAN_DNS=${GVM_CERTIFICATE_SAN_DNS:-""}
+GVM_CERTIFICATE_SAN_URI=${GVM_CERTIFICATE_SAN_URI:-""}
+GVM_CERTIFICATE_SAN_EMAIL=${GVM_CERTIFICATE_SAN_EMAIL:-""}
+GVM_CERTIFICATE_SAN_IP_ADDRESS=${GVM_CERTIFICATE_SAN_IP_ADDRESS:-""}
+GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8=${GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8:-""}
 # Hostname
 if [ -z "$GVM_CERTIFICATE_HOSTNAME" ]
@@ -104,8 +108,12 @@ set_defaults () {
 GVM_CA_CERTIFICATE_ORG=${GVM_CA_CERTIFICATE_ORG:-"$GVM_CERTIFICATE_ORG"}
 # (Organization unit)
 GVM_CA_CERTIFICATE_ORG_UNIT=${GVM_CA_CERTIFICATE_ORG_UNIT:-"Certificate Authority for $GVM_CERTIFICATE_HOSTNAME"}
-# The array with all the SANs
-GVM_CA_CERTIFICATE_SAN=${GVM_CA_CERTIFICATE_SAN:-"$GVM_CERTIFICATE_SAN"}
+# Subject Alternative Name(s)
+GVM_CA_CERTIFICATE_SAN_DNS=${GVM_CA_CERTIFICATE_SAN_DNS:-"$GVM_CERTIFICATE_SAN_DNS"}
+GVM_CA_CERTIFICATE_SAN_URI=${GVM_CA_CERTIFICATE_SAN_URI:-"$GVM_CERTIFICATE_SAN_URI"}
+GVM_CA_CERTIFICATE_SAN_EMAIL=${GVM_CA_CERTIFICATE_SAN_EMAIL:-"$GVM_CERTIFICATE_SAN_EMAIL"}
+GVM_CA_CERTIFICATE_SAN_IP_ADDRESS=${GVM_CA_CERTIFICATE_SAN_IP_ADDRESS:-"$GVM_CERTIFICATE_SAN_IP_ADDRESS"}
+GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8=${GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8:-"$GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8"}
 # Key size
 if [ -z "$GVM_CERTIFICATE_KEYSIZE" ]
 then
@@ -293,29 +301,26 @@ create_private_key ()
 log_write "Generated private key in $1."
 }
-# Add SAN settings
-add_san_settings ()
+# Split SAN settings by ';'
+split_san_value ()
 {
-for i in $1
+TEMPLATE_VARIABLE=$1
+ENVIRONMENT_VALUE=$2
+log_debug "Split SAN environment: '$ENVIRONMENT_VALUE'."
+
+OIFS=$IFS
+IFS=';'
+
+read -r VALUES <> $GVM_CERT_TEMPLATE_FILENAME
-;;
-http*)
-echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME
-;;
-*.*)
-echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME
-;;
-localhost )
-echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME
-;;
-*)
-log_verbose "Invalid formatting for SAN: $i"
-;;
-esac
+echo "$TEMPLATE_VARIABLE = \"$VALUE\"" >> "$GVM_CERT_TEMPLATE_FILENAME"
 done
+
+IFS=$OIFS
 }
 # Create a certificate
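Review bot: The new comment `# Subject Alternative Name(s)` above the five GVM_CA_CERTIFICATE_SAN_* defaults does not say that each value is a `;`-separated list (the separator split_san_value relies on) nor that an unset CA value falls back to the corresponding server-certificate value, so an operator reading this block cannot tell that the CA certificate inherits the server's dns_name/ip_address/uri entries unless each is overridden explicitly. The fallback itself is carried over from the removed GVM_CA_CERTIFICATE_SAN line, so it is not new, but with five variables it is easier to miss. Suggest `# Subject Alternative Name(s), each a ';'-separated list; unset CA values default to the server certificate's values`. The same separator note belongs on the matching comment in the earlier set_defaults hunk at line 79.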
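Review bot: split_san_value writes every segment into the certtool template unchecked via `echo "$TEMPLATE_VARIABLE = \"$VALUE\"" >> "$GVM_CERT_TEMPLATE_FILENAME"`, so the per-type shape checks and the `log_verbose "Invalid formatting for SAN: $i"` diagnostic that the removed add_san_settings case statement provided are gone; a segment containing a double quote corrupts the quoted template value, and an empty segment (e.g. `a;;b`) emits `dns_name = ""`. A one-line guard at the top of the loop body keeps the old diagnostic and skips malformed input: `case $VALUE in '' | *\"* ) log_verbose "Invalid formatting for SAN: $VALUE"; continue ;; esac`. The hunk text as shown is truncated between `read -r VALUES <` and the removed ip_address line, so the redirection and the loop header are not visible here; if that line is a `<<<` here-string, note it is not POSIX sh and the script's shebang should be checked. The function also changes IFS globally and restores it from OIFS; if IFS was unset on entry it comes back as an empty string rather than unset, which is presumably harmless here but worth a comment.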
@@ -358,9 +363,25 @@ create_certificate ()
 then
 echo "cn = \"$GVM_CA_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME
 fi
-if [ -n "$GVM_CA_CERTIFICATE_SAN" ]
+if [ -n "$GVM_CA_CERTIFICATE_SAN_DNS" ]
+then
+split_san_value "dns_name" "$GVM_CA_CERTIFICATE_SAN_DNS"
+fi
+if [ -n "$GVM_CA_CERTIFICATE_SAN_URI" ]
+then
+split_san_value "uri" "$GVM_CA_CERTIFICATE_SAN_URI"
+fi
+if [ -n "$GVM_CA_CERTIFICATE_SAN_EMAIL" ]
+then
+split_san_value "email" "$GVM_CA_CERTIFICATE_SAN_EMAIL"
+fi
+if [ -n "$GVM_CA_CERTIFICATE_SAN_IP_ADDRESS" ]
 then
-add_san_settings $GVM_CA_CERTIFICATE_SAN
+split_san_value "ip_address" "$GVM_CA_CERTIFICATE_SAN_IP_ADDRESS"
+fi
+if [ -n "$GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8" ]
+then
+split_san_value "other_name_utf8" "$GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8"
 fi
 else
 if [ -n "$GVM_CERTIFICATE_LIFETIME" ]
@@ -391,9 +412,25 @@ create_certificate ()
 then
 echo "cn = \"$GVM_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME
 fi
-if [ -n "$GVM_CERTIFICATE_SAN" ]
+if [ -n "$GVM_CERTIFICATE_SAN_DNS" ]
+then
+split_san_value "dns_name" "$GVM_CERTIFICATE_SAN_DNS"
+fi
+if [ -n "$GVM_CERTIFICATE_SAN_URI" ]
+then
+split_san_value "uri" "$GVM_CERTIFICATE_SAN_URI"
+fi
+if [ -n "$GVM_CERTIFICATE_SAN_EMAIL" ]
+then
+split_san_value "email" "$GVM_CERTIFICATE_SAN_EMAIL"
+fi
+if [ -n "$GVM_CERTIFICATE_SAN_IP_ADDRESS" ]
+then
+split_san_value "ip_address" "$GVM_CERTIFICATE_SAN_IP_ADDRESS"
+fi
+if [ -n "$GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8" ]
 then
-add_san_settings $GVM_CERTIFICATE_SAN
+split_san_value "other_name_utf8" "$GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8"
 fi
 fi
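Review bot: The five `if [ -n "$GVM_CA_CERTIFICATE_SAN_…" ] / then / split_san_value … / fi` blocks in the CA branch are the same shape repeated, and the server branch in the hunk at line 391 repeats them a second time with the non-CA variables, which makes the SAN type list a ten-place edit whenever certtool gains another template key. If split_san_value started with `[ -n "$ENVIRONMENT_VALUE" ] || return 0`, each block here would reduce to a single call such as `split_san_value "dns_name" "$GVM_CA_CERTIFICATE_SAN_DNS"`, and the empty-value rule would live in one place. The context line `echo "cn = \"$GVM_CA_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME` still leaves the redirect target unquoted while the new helper quotes it; that is pre-existing, but the two styles now sit a few lines apart. create_certificate begins and ends outside this hunk.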