Skip to content

Commit

Permalink
Merge pull request #1503 from lhannigbrinck/subject_alt_name_update
Browse files Browse the repository at this point in the history
Allow multilevel DNS names in SAN
  • Loading branch information
nichtsfrei authored Apr 21, 2021
2 parents da532c7 + 303f1e1 commit b2429d2
Show file tree
Hide file tree
Showing 2 changed files with 65 additions and 27 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Fixed
- Improve VT version handling for CVE & OVAL results [#1496](https://github.com/greenbone/gvmd/pull/1496)
- Fix migration to DB version 242 from gvmd 20.08 [#1498](https://github.com/greenbone/gvmd/pull/1498)
- Update subject alternative name in certificate generation [#1503](https://github.com/greenbone/gvmd/pull/1503)

[21.4.0]: https://github.com/greenbone/gvmd/compare/v21.4.0...gvmd-21.04

Expand Down
91 changes: 64 additions & 27 deletions tools/gvm-manage-certs.in
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,11 @@ set_defaults () {
# (Organization unit)
GVM_CERTIFICATE_ORG_UNIT=${GVM_CERTIFICATE_ORG_UNIT:-""}
# Subject Alternative Name(s)
GVM_CERTIFICATE_SAN=${GVM_CERTIFICATE_SAN:-""}
GVM_CERTIFICATE_SAN_DNS=${GVM_CERTIFICATE_SAN_DNS:-""}
GVM_CERTIFICATE_SAN_URI=${GVM_CERTIFICATE_SAN_URI:-""}
GVM_CERTIFICATE_SAN_EMAIL=${GVM_CERTIFICATE_SAN_EMAIL:-""}
GVM_CERTIFICATE_SAN_IP_ADDRESS=${GVM_CERTIFICATE_SAN_IP_ADDRESS:-""}
GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8=${GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8:-""}

# Hostname
if [ -z "$GVM_CERTIFICATE_HOSTNAME" ]
Expand All @@ -104,8 +108,12 @@ set_defaults () {
GVM_CA_CERTIFICATE_ORG=${GVM_CA_CERTIFICATE_ORG:-"$GVM_CERTIFICATE_ORG"}
# (Organization unit)
GVM_CA_CERTIFICATE_ORG_UNIT=${GVM_CA_CERTIFICATE_ORG_UNIT:-"Certificate Authority for $GVM_CERTIFICATE_HOSTNAME"}
# The array with all the SANs
GVM_CA_CERTIFICATE_SAN=${GVM_CA_CERTIFICATE_SAN:-"$GVM_CERTIFICATE_SAN"}
# Subject Alternative Name(s)
GVM_CA_CERTIFICATE_SAN_DNS=${GVM_CA_CERTIFICATE_SAN_DNS:-"$GVM_CERTIFICATE_SAN_DNS"}
GVM_CA_CERTIFICATE_SAN_URI=${GVM_CA_CERTIFICATE_SAN_URI:-"$GVM_CERTIFICATE_SAN_URI"}
GVM_CA_CERTIFICATE_SAN_EMAIL=${GVM_CA_CERTIFICATE_SAN_EMAIL:-"$GVM_CERTIFICATE_SAN_EMAIL"}
GVM_CA_CERTIFICATE_SAN_IP_ADDRESS=${GVM_CA_CERTIFICATE_SAN_IP_ADDRESS:-"$GVM_CERTIFICATE_SAN_IP_ADDRESS"}
GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8=${GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8:-"$GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8"}
# Key size
if [ -z "$GVM_CERTIFICATE_KEYSIZE" ]
then
Expand Down Expand Up @@ -293,29 +301,26 @@ create_private_key ()
log_write "Generated private key in $1."
}

# Add SAN settings
add_san_settings ()
# Split SAN settings by ';'
split_san_value ()
{
for i in $1
TEMPLATE_VARIABLE=$1
ENVIRONMENT_VALUE=$2
log_debug "Split SAN environment: '$ENVIRONMENT_VALUE'."

OIFS=$IFS
IFS=';'

read -r VALUES <<EOF
$ENVIRONMENT_VALUE
EOF

for VALUE in $VALUES
do
case "$i" in
*.*.*.*)
echo "ip_address = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME
;;
http*)
echo "uri = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME
;;
*.*)
echo "dns_name = \"$i\"" >> $GVM_CERT_TEMPLATE_FILENAME
;;
localhost )
echo "dns_name = \"localhost\"" >> $GVM_CERT_TEMPLATE_FILENAME
;;
*)
log_verbose "Invalid formatting for SAN: $i"
;;
esac
echo "$TEMPLATE_VARIABLE = \"$VALUE\"" >> "$GVM_CERT_TEMPLATE_FILENAME"
done

IFS=$OIFS
}

# Create a certificate
Expand Down Expand Up @@ -358,9 +363,25 @@ create_certificate ()
then
echo "cn = \"$GVM_CA_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME
fi
if [ -n "$GVM_CA_CERTIFICATE_SAN" ]
if [ -n "$GVM_CA_CERTIFICATE_SAN_DNS" ]
then
split_san_value "dns_name" "$GVM_CA_CERTIFICATE_SAN_DNS"
fi
if [ -n "$GVM_CA_CERTIFICATE_SAN_URI" ]
then
split_san_value "uri" "$GVM_CA_CERTIFICATE_SAN_URI"
fi
if [ -n "$GVM_CA_CERTIFICATE_SAN_EMAIL" ]
then
split_san_value "email" "$GVM_CA_CERTIFICATE_SAN_EMAIL"
fi
if [ -n "$GVM_CA_CERTIFICATE_SAN_IP_ADDRESS" ]
then
add_san_settings $GVM_CA_CERTIFICATE_SAN
split_san_value "ip_address" "$GVM_CA_CERTIFICATE_SAN_IP_ADDRESS"
fi
if [ -n "$GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8" ]
then
split_san_value "other_name_utf8" "$GVM_CA_CERTIFICATE_SAN_OTHER_NAME_UTF8"
fi
else
if [ -n "$GVM_CERTIFICATE_LIFETIME" ]
Expand Down Expand Up @@ -391,9 +412,25 @@ create_certificate ()
then
echo "cn = \"$GVM_CERTIFICATE_HOSTNAME\"" >> $GVM_CERT_TEMPLATE_FILENAME
fi
if [ -n "$GVM_CERTIFICATE_SAN" ]
if [ -n "$GVM_CERTIFICATE_SAN_DNS" ]
then
split_san_value "dns_name" "$GVM_CERTIFICATE_SAN_DNS"
fi
if [ -n "$GVM_CERTIFICATE_SAN_URI" ]
then
split_san_value "uri" "$GVM_CERTIFICATE_SAN_URI"
fi
if [ -n "$GVM_CERTIFICATE_SAN_EMAIL" ]
then
split_san_value "email" "$GVM_CERTIFICATE_SAN_EMAIL"
fi
if [ -n "$GVM_CERTIFICATE_SAN_IP_ADDRESS" ]
then
split_san_value "ip_address" "$GVM_CERTIFICATE_SAN_IP_ADDRESS"
fi
if [ -n "$GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8" ]
then
add_san_settings $GVM_CERTIFICATE_SAN
split_san_value "other_name_utf8" "$GVM_CERTIFICATE_SAN_OTHER_NAME_UTF8"
fi
fi

Expand Down

0 comments on commit b2429d2

Please sign in to comment.