From: Thierry Parmentelat
Date: Thu, 21 Nov 2024 14:26:29 +0000 (+0100)
Subject: superficial cleanup of plc.d/ssl
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=7afa01dc619ad6bb0cdff893fc25b8697e42baa0;p=myplc.git
superficial cleanup of plc.d/ssl
---
diff --git a/plc.d/ssl b/plc.d/ssl
index 432ea31..4e35e41 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -19,8 +19,45 @@ set -x
 function ssl_cname() {
 local crt=$1; shift
 openssl x509 -noout -in $crt -subject | \
- sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \
- lower
+ sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \
+ lower
+}
+
+function ssl_alt_names() {
+ local crt=$1; shift
+ openssl x509 -noout -in $crt -ext subjectAltName | \
+ tail -1 | \
+ sed -e 's|DNS:||g' -e 's|,||' | \
+ lower
+}
+
+function name_in_cert() {
+ local name=$1; shift
+ local crt=$1; shift
+ local cname=$(ssl_cname $crt)
+ local alt_names=$(ssl_alt_names $crt)
+ if [ "$name" = "$cname" ] ; then
+ return 0
+ fi
+ for alt_name in $alt_names; do
+ if [ "$name" = "$alt_name" ] ; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+function cert_is_valid_and_about() {
+ local crt="$1"; shift
+ local ca="$1"; shift
+ local cname="$1"; shift
+
+ # needs to be about the right name
+ name_in_cert $cname $crt || return 1
+ # needs to be signed by CA
+ openssl verify -CAfile $ca $crt >& /dev/null || return 1
+ return 0
+
 }
 
 function backup_file() {
@@ -45,14 +82,12 @@ function verify_or_generate_certificate() {
 fi
 
 if [ -f $crt ] ; then
- # Check if certificate is valid
- # Backup if invalid or if the subject has changed
- if openssl verify -CAfile $ca $crt | grep -q "error" || \
- [ "$(ssl_cname $crt)" != "$cname" ] ; then
- backup_file $crt
- backup_file $ca
- backup_file $key
- fi
+ # Backup (i.e. move under other name) if invalid or if cname is not in that cert
+ cert_is_valid_and_about $crt $ca $cname || {
+ backup_file $crt
+ backup_file $ca
+ backup_file $key
+ }
 fi
 
 if [ ! -f $crt ] ; then
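Review bot: In `ssl_alt_names`, `sed -e 's|DNS:||g' -e 's|,||'` removes only the first comma, so a certificate carrying three or more DNS SANs leaves a trailing comma on every name after the second (`a b, c` once word-split), and the exact string comparison in `name_in_cert` then never matches those names; use `-e 's|,| |g'` so every separator becomes a word boundary. Two caveats worth a comment next to that pipeline: `openssl x509 -ext` exists only in newer OpenSSL releases (1.1.1 and later, as far as I know; I cannot tell from the hunk what the target hosts ship), and non-DNS entries such as `IP Address:` or `email:` are passed through unchanged into the candidate list. The new helpers also expand `$crt`, `$ca` and `$cname` unquoted — in `name_in_cert $cname $crt` an empty `$cname` silently shifts the certificate path into the name argument — so quote them (`name_in_cert "$cname" "$crt"`, and likewise `cert_is_valid_and_about "$crt" "$ca" "$cname"` at the call site in the second hunk). Finally, `[ "$name" = "$cname" ]` is a literal compare, so a wildcard SAN such as `*.example.org` (constructed example) will not match a host name and the certificate will be backed up and regenerated; if that is intended, say so in the comment above `name_in_cert`.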
@@ -140,8 +175,8 @@ case "$1" in
 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
 symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
- symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
- symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
+ # symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
+ # symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
 done
 
 # Ensure that the server-chain gets used, as it is off by
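Review bot: The two `/etc/httpd/conf/ssl.*` symlink lines are commented out rather than deleted, which leaves dead code with no record of why the httpd conf paths are no longer linked; git history already preserves the old lines. I would drop both lines and keep a single explanatory comment in their place, e.g. `# no longer linking /etc/httpd/conf/ssl.{crt,key}: <reason>` (reason to be filled in by the author, since the hunk does not state it). The enclosing `case` arm and its `for` loop begin outside the hunk.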